I just found out that CloudFormation allows us to reference values from Parameter Store and Secrets Manager in two different ways. The first method involves using a special parameter type in the 'Parameters' section, where you define parameters that can reuse secrets throughout your stack, ensuring they don't show up in logs with the NoEcho option. On the other hand, the second method incorporates dynamic references directly inline, fetching the most up-to-date secret whenever the resources are created or updated. I'm wondering, when should I opt for one method over the other?
2 Answers
Just to clarify, a static parameter fetches the value only upon stack creation or updates, while a dynamic reference retrieves the current value, making it great for scenarios where credentials change frequently or for ensuring you always have the latest secrets.
I've used both methods, and I've noticed an interesting difference: dynamic references only fetch the value when the resource is first created. If the parameter changes later, it won't automatically update with the new value during subsequent stack updates. However, with the parameter type, if it changes, it can reflect the updated secret the next time you update the stack, so I'm leaning more toward using that for my templates.
Exactly! If you don’t set a version number with your dynamic reference and update the SSM parameter, you’ll need to run updateStack again to get the updated value. Plus, remember to provide a version number in your parameters section if you use dynamic references.