I recently discovered how CloudFormation allows you to reference values from Parameter Store and Secrets Manager in two main ways: by using a special parameter type in the Parameters section or by using a dynamic reference inline. Using the parameter type can help when you want to reuse a value or keep it secure with NoEcho, but it only fetches that value when the stack is updated. On the other hand, the dynamic reference fetches the latest value whenever a resource is created or updated, which is handy for getting the most current password. I'd like to know when it's better to use one method over the other. What do you all think?
3 Answers
A static parameter fetches its value only when the stack is created or updated, while a dynamic reference grabs the latest value from Parameter Store or Secrets Manager. This flexibility is excellent for cases where you need to rotate credentials or always want to ensure you have the most up-to-date secrets.
Both methods work fine, but they have different use cases. Using the parameter type is like having a variable for your secret, which is great if you need to use it multiple times or want to keep it hidden from logs using NoEcho. However, keep in mind it's only resolved when you update the stack. On the flip side, a dynamic reference means you include the secret directly in the resource definition. This updates every time the resource is created or modified, making it ideal for cases where you want to ensure you're always getting the latest password. A good rule of thumb is to use the parameter type for reusability, while dynamic references are better for one-off secrets tied to specific resources.
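Added example (not code from any poster in this thread) showing both approaches side by side in one template; the parameter names `/example/db/username` and `/example/db/port`, the secret `example/db/credentials`, its JSON key `password`, and the pinned version `2` are assumed placeholders.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example contrasting an SSM parameter type with dynamic references.

Parameters:
  # Method 1: SSM parameter type. CloudFormation reads the value once per
  # create/update of the stack, and NoEcho masks it in the console and in
  # describe-stacks output. NoEcho does not mask the value where it is
  # echoed into resource properties, metadata or outputs.
  DbUsernameParam:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /example/db/username   # assumed placeholder parameter name
    NoEcho: true

Resources:
  ExampleDb:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      # Method 1 reused via !Ref: resolves to the parameter's value.
      MasterUsername: !Ref DbUsernameParam
      # Method 2: Secrets Manager dynamic reference. Resolved each time this
      # resource is created or updated; the plaintext never lands in the
      # template body. Version stage and id omitted, so AWSCURRENT is used.
      MasterUserPassword: '{{resolve:secretsmanager:example/db/credentials:SecretString:password}}'
      # Method 2 with a pinned SSM version: the stack keeps version 2 of the
      # parameter until the template itself is changed, even if a newer
      # version is written to Parameter Store later.
      Port: '{{resolve:ssm:/example/db/port:2}}'
```

After deployment, `aws cloudformation describe-stacks` reports the NoEcho parameter as `****`, and `aws cloudformation get-template` returns only the unresolved `{{resolve:...}}` strings, which is a quick way to confirm neither the username nor the password is visible through the stack API.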
I've used both, and I've noticed an important distinction. With the dynamic reference, the parameter value is only pulled the first time and doesn't update on subsequent stack updates if the original value changes—correct me if I'm wrong! Using the parameter type, however, seems to fetch the current value each time, so I'm leaning towards that for my templates for now.
Exactly! If you omit the version number in your dynamic reference and change the SSM parameter, you’ll need to run an updateStack to get the new value. Also, including a version number in a dynamic reference within the parameters section is a must.

This is the way!