Not a great article. Most of the content is far better explained in the AWS docs.
To summarize their best practices:
* don't put creds in templates
* reference other parameters outside of the template, e.g. in Systems Manager Parameter Store
* make your code readable
* add comments
* check your code
Except for the second, all of those are fine practices for maintaining any code.
The one best practice that's actually relevant to CF is to store parameters in SSM. Yet, they mention that drift is a problem with CloudFormation. So... why do you want to store parameters to your stack in a service that allows them to change independently of the stack?
Maybe there's an argument for doing this, but they don't explain it. It's just a "best practice."
They don't mention a major use case for CF, namely CI/CD. The article finishes up with a pitch for their template designer.
Man, I don't miss CloudFormation. If you want to do anything interesting at all (like being able to spin up turn-key ad-hoc stacks for developers that are mostly the same as your main environments), then you have to parameterize everything, and passing data around CloudFormation templates is just awful--what you want is functions and data structures but CloudFormation gives you "nested-stacks" and you have to encode most of your data structures as strings and "parse them out" with the YAML builtin functions that they provide (e.g., `{"Fn::Split": "foo,bar,baz"}` will evaluate to `["foo", "bar", "baz"]`, but good luck if you want a list of objects). Each stack also has a limit on the number of parameters you can pass, and since you can't really pass struct-like data (e.g., `"Foo": {"bar": "baz", "qux": "..."}`) you end up flattening that struct into N parameters (e.g., `"FooBar": "Baz", "FooQux": "..."`). You can try to plumb things through SSM or SecretsManager, but each stack also limits the number of parameters you can pass there as well.
Basically, CloudFormation is like the shittiest programming language you've ever encountered. People will argue that it's supposed to be simple because it's just YAML, but that's bogus--we clearly need to be able to do complex things in this space or else CF wouldn't provide these hacky functions. We pretty clearly need some sort of expression language if not something more robust, since that's the direction all of these "it's just YAML!" tools are going (CloudFormation, Terraform, etc). CloudFormation might actually make a decent "assembly language" for an infrastructure-as-code backend (although extending CloudFormation for third party services was still far too difficult last I checked--basically you had to run your own lambdas) that some higher-level tools might generate, but it's a mess for anything that isn't a toy.
Imagine CF being Terraform + Terraform Cloud (only free!) - but more reliable and having real changesets with more predictable behavior and the state being the true AWS state, not some projection of it within Terraform.
Honestly, I really like CFN, but raw templates are a bit of a disaster... Most of the rest of my infrastructure is powershell, so I acutally write the templates inline in Powershell something like this:
New-AWSTemplate -Resources @{
$OAI = @{
Type = "AWS::CloudFront::CloudFrontOriginAccessIdentity"
Properties = @{
CloudFrontOriginAccessIdentityConfig = @{
Comment = "Access to the bucket"
}
}
}
....
}
If I were doing something without that context I'd likely use Javascript, and just stitch together template structures
I've tried out CDK but honestly it seems very opaque and hard to understand, I want to give it another shot but it just doesn't seem to be a direct translation from CFN templates...
Having written more CFN than I care to remember CDK is a breath of fresh air. It has a multi-level API that deals with the relationships between resources in a much cleaner way than plain CFN. However, at the lowest level you can still write basically CFN in code. But CDK has so much more. It includes multi-language support, unit testing, compile time checking for errors, etc.
Reading CDK's introduction page, it seems that, similar to CloudFormation, it uses pre-made components, just at a higher level. Those components are then translated into a CloudFormation template[0]. Is that correct?
Might it be more accurate to state that CDK is a higher level version of CloudFormation, that abstracts away unimportant details?
I couldn't agree more. Cloudformation is a nightmare in my opinion and never should have seen public release. CDK is what Cloudformation always should have been.
CDK is the first time I experienced the benefits of TypeScript. If nothing else it’s a great playground to learn that stack. Testing stacks in the CDK is pretty rad.
ben509|4 years ago
To summarize their best practices:
* don't put creds in templates
* reference other parameters outside of the template, e.g. in Systems Manager Parameter Store
* make your code readable
* add comments
* check your code
Except for the second, all of those are fine practices for maintaining any code.
The one best practice that's actually relevant to CF is to store parameters in SSM. Yet, they mention that drift is a problem with CloudFormation. So... why do you want to store parameters to your stack in a service that allows them to change independently of the stack?
Maybe there's an argument for doing this, but they don't explain it. It's just a "best practice."
They don't mention a major use case for CF, namely CI/CD. The article finishes up with a pitch for their template designer.
throwaway894345|4 years ago
Basically, CloudFormation is like the shittiest programming language you've ever encountered. People will argue that it's supposed to be simple because it's just YAML, but that's bogus--we clearly need to be able to do complex things in this space or else CF wouldn't provide these hacky functions. We pretty clearly need some sort of expression language if not something more robust, since that's the direction all of these "it's just YAML!" tools are going (CloudFormation, Terraform, etc). CloudFormation might actually make a decent "assembly language" for an infrastructure-as-code backend (although extending CloudFormation for third party services was still far too difficult last I checked--basically you had to run your own lambdas) that some higher-level tools might generate, but it's a mess for anything that isn't a toy.
dragonwriter|4 years ago
Well, duh, it's a Stackery ad posing as an CF best practices article; if the superficial meat was any good, it would distract attention from the ad.
ManuelKiessling|4 years ago
But I may be ignorant and would love to hear if and how CF beats TF.
nikolay|4 years ago
simlevesque|4 years ago
Arelius|4 years ago
I've tried out CDK but honestly it seems very opaque and hard to understand, I want to give it another shot but it just doesn't seem to be a direct translation from CFN templates...
ipsocannibal|4 years ago
twalla|4 years ago
1. Don't
logicslave|4 years ago
Varriount|4 years ago
Might it be more accurate to state that CDK is a higher level version of CloudFormation, that abstracts away unimportant details?
[0] https://aws.amazon.com/cdk/
cbdumas|4 years ago
jchanimal|4 years ago
mikeyjk|4 years ago
nikolay|4 years ago