I recently discovered that CloudFormation allows for referencing Parameter Store and Secrets Manager values in two main ways. One way is by defining a special parameter type within the `Parameters` section of the template, where you can set things like `NoEcho` to keep values hidden in logs. The other way is using a dynamic reference directly in the resource properties. Both methods fetch values during runtime, but I'm curious about the situations in which each method is preferable. Can anyone explain the differences and provide some guidance?
3 Answers
For static parameters, the value gets fetched only at stack creation or updates, while dynamic references obtain the current value from Parameter Store or Secrets Manager. This makes dynamic references great for rotating credentials or ensuring that you always have the latest secrets.
Both methods work well, but they differ in how CloudFormation manages them. Using a parameter type is like giving your stack a variable for the secret, which is handy if you need to reuse it across multiple resources or if you want `NoEcho` to hide it in logs. However, remember that it's only resolved during stack updates.
On the other hand, a dynamic reference pulls the secret value directly when the resource is created or updated. This is ideal for cases where you want the latest password. So, if you need reusability or stack-level control, go with the parameter type. For one-off secrets tied to a specific resource, use the dynamic reference.
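As an added example (not code from the question or from any of the answers above), here is a template that uses both mechanisms side by side: a parameter type for values that should be reusable stack-wide, and dynamic references for values that belong to a single resource. The `/example/...` Parameter Store keys, the `example/db/master` secret and the resource sizes are assumed placeholders; the `/aws/service/ami-amazon-linux-latest/...` key is a real AWS-published parameter.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example (not from the question or answers): Parameter Store and
  Secrets Manager values pulled in via a parameter type and via dynamic
  references. The /example/... keys and the example/db/master secret are
  assumed placeholders.

Parameters:
  # Parameter type: CloudFormation looks the value up when the stack is
  # created or updated and exposes it as a template variable that any
  # resource can Ref. NoEcho masks the resolved value in DescribeStacks,
  # the console and change sets. Note that this form cannot read
  # SecureString parameters; use a dynamic reference for those.
  DbName:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /example/db/name        # assumed Parameter Store key
    NoEcho: true

  # AWS-published parameter: the typed form validates that the value is an
  # AMI ID, so no per-region AMI mapping is needed in the template.
  LatestAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2

Resources:
  DbInstance:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      DBName: !Ref DbName
      # Dynamic reference with the version pinned (':1'): a later edit to
      # the parameter is not picked up until the template itself changes,
      # which keeps deployments reproducible.
      MasterUsername: '{{resolve:ssm:/example/db/username:1}}'
      # Secrets Manager dynamic reference: resolved directly into the
      # property, never stored in the template or the parameter list.
      # Without a version-stage/version-id suffix it reads AWSCURRENT.
      # A SecureString parameter could be used here instead with
      # '{{resolve:ssm-secure:/example/db/password:1}}'; ssm-secure is
      # only accepted on a documented set of properties, MasterUserPassword
      # being one of them.
      MasterUserPassword: '{{resolve:secretsmanager:example/db/master:SecretString:password}}'

  WebInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LatestAmiId
      InstanceType: t3.micro

Outputs:
  DbEndpoint:
    Value: !GetAtt DbInstance.Endpoint.Address
```

Check the syntax before deploying with `aws cloudformation validate-template --template-body file://template.yaml`. The design point is the split: `DbName` and `LatestAmiId` are resolved once per stack operation and can be referenced anywhere, so a change to the stored value shows up as a change set diff on the next update, while the two dynamic references are evaluated only for the resource that carries them and their plaintext never appears in stack outputs or parameter listings.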
I've tried both options and I've noticed that with the dynamic reference, it only retrieves the value the first time. If the parameter changes later, it doesn't update automatically during a stack update, unlike the parameter type which does provide updates. So, I mostly stick to the parameter type for my templates.
You're right! If you don't specify a version number in your dynamic reference and change the SSM parameter, you'll need to run an updateStack to fetch the updated value. Just remember to include a version number if you're referencing it in the parameters section!
This is definitely the way to go!