When to Use Parameter Store vs. Dynamic Reference in CloudFormation?

Asked By CuriousCoder99 On

I just found out that CloudFormation allows us to reference values from Parameter Store and Secrets Manager in two different ways. The first method involves using a special parameter type in the 'Parameters' section, where you define parameters that can reuse secrets throughout your stack, ensuring they don't show up in logs with the NoEcho option. On the other hand, the second method incorporates dynamic references directly inline, fetching the most up-to-date secret whenever the resources are created or updated. I'm wondering, when should I opt for one method over the other?

3 Answers

Answered By TechGuru42 On

Both methods work, but they handle things differently. Using a parameter type is like creating a variable for the secret, which is great for reuse in multiple places without exposing it in logs. But remember, it only fetches the value when you update the stack. Conversely, with dynamic references, you plug the secret directly inline, allowing CloudFormation to grab the latest value every time the resource is created or updated. So, if you need to reuse the secret or want stack-level control, go for the parameter type. Use dynamic references for one-off secrets linked to a resource.

Answered By CloudWhiz On

Just to clarify, a static parameter fetches the value only upon stack creation or updates, while a dynamic reference retrieves the current value, making it great for scenarios where credentials change frequently or for ensuring you always have the latest secrets.

Answered By DevNerd77 On

I've used both methods, and I've noticed an interesting difference: dynamic references only fetch the value when the resource is first created. If the parameter changes later, it won't automatically update with the new value during subsequent stack updates. However, with the parameter type, if it changes, it can reflect the updated secret the next time you update the stack, so I'm leaning more toward using that for my templates.

HelpfulHacker22 -

Exactly! If you don’t set a version number with your dynamic reference and update the SSM parameter, you’ll need to run updateStack again to get the updated value. Plus, remember to provide a version number in your parameters section if you use dynamic references.
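
An added example, not part of the thread: a small Python check that lists both reference styles in a template and reports which dynamic references carry no version. The template, its names and its paths are constructed placeholders, and treating only a Secrets Manager version-id (not a staging label) as a pinned version is this example's assumption.

```python
import re

# Constructed sample template; every name and path below is a placeholder.
TEMPLATE = """
Parameters:
  DbUser:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /example/db/user
    NoEcho: true
Resources:
  Db:
    Type: AWS::RDS::DBInstance
    Properties:
      MasterUsername: !Ref DbUser
      DBName: '{{resolve:ssm:/example/db/name:3}}'
      DBInstanceIdentifier: '{{resolve:ssm:/example/db/id}}'
      MasterUserPassword: '{{resolve:secretsmanager:example/db:SecretString:password}}'
"""

PARAM_TYPE = re.compile(r"Type:\s*['\"]?(AWS::SSM::Parameter::Value<[\w:<>]+>)")
DYNAMIC = re.compile(r"\{\{resolve:(ssm-secure|ssm|secretsmanager):([^}]+)\}\}")

def parse_dynamic(service, body):
    """Split the body of a {{resolve:...}} reference into (name, version)."""
    parts = body.split(":")
    if service == "secretsmanager":
        # A secret id may be a full ARN, which has seven colon-separated fields.
        n = 7 if parts[0] == "arn" else 1
        name, rest = ":".join(parts[:n]), parts[n:]
        # rest = [secret-string, json-key, version-stage, version-id]; only a
        # version-id names one fixed version (a staging label can move).
        version = rest[3] if len(rest) > 3 and rest[3] else None
    else:
        name = parts[0]
        version = parts[1] if len(parts) > 1 and parts[1] else None
    return name, version

def find_references(text):
    """Return (style, service, name, version) for each lookup in the template."""
    refs = [("parameter-type", "ssm", m.group(1), None) for m in PARAM_TYPE.finditer(text)]
    for m in DYNAMIC.finditer(text):
        refs.append(("dynamic", m.group(1), *parse_dynamic(m.group(1), m.group(2))))
    return refs

def unpinned_dynamic(text):
    """Names of dynamic references that carry no explicit version."""
    return [r[2] for r in find_references(text) if r[0] == "dynamic" and r[3] is None]

if __name__ == "__main__":
    for ref in find_references(TEMPLATE):
        print(ref)
```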
