I just learned that CloudFormation can refer to Parameter Store and Secrets Manager values in two primary ways: through a special parameter type in the `Parameters` section and using a dynamic reference inline. I'm curious about the differences between these two methods in terms of when to use each. Can anyone break it down for me?
1 Answer
Both methods work well, but they have different implications for how CloudFormation handles them. Using a parameter type is like creating a variable for your stack—it's reusable and keeps secrets hidden from logs, which is great for security. However, it only resolves when you update the entire stack.
On the other hand, the dynamic reference approach drops the secret pointer directly into your resource definition, fetching it fresh whenever the resource is created or updated. This is ideal for situations where you always want the latest password, but it’s less reusable.
**Rule of thumb:** Use parameter types for reusable secrets at the stack level, and go with dynamic references for one-off secrets tied to specific resources.
This is the way!
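To make the two methods in the answer concrete, here is an added example template; it is not from the question or the answer above, and the SSM parameter names, secret name and database settings are placeholders. It wires the same kind of values in both ways: an `AWS::SSM::Parameter::Value<String>` parameter, where the caller supplies the parameter *name* and CloudFormation resolves the *value* at stack create or update, beside inline `{{resolve:...}}` dynamic references, where the template holds only the pointer and the value is resolved into the resource property at deployment time.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example (not from the original thread). All parameter and
  secret names below are placeholders.

Parameters:
  # Method 1: a Parameters-section type. The stack caller passes the NAME of
  # an SSM parameter (here via Default); CloudFormation looks up its VALUE
  # when the stack is created or updated, and !Ref yields that value.
  # Caveat: this parameter type cannot read SecureString parameters.
  DbUsernameParam:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /example/app/db/username   # placeholder SSM parameter name
    Description: Name of a plain String SSM parameter holding the DB user name.
    NoEcho: true   # mask the resolved value in describe-stacks / console output

  # Same mechanism with a typed value (public AWS-published AMI parameter).
  LatestAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64

Resources:
  AppDb:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.micro      # placeholder sizing
      AllocatedStorage: '20'
      # Method 1 in use: plain Ref to the already-resolved parameter.
      MasterUsername: !Ref DbUsernameParam
      # Method 2: Secrets Manager dynamic reference, resolved by CloudFormation
      # when this resource is created or updated. The template stores only the
      # pointer. Pinned to the AWSCURRENT stage of the "password" JSON key.
      # Field order: secret-id:secret-string:json-key:version-stage:version-id
      MasterUserPassword: '{{resolve:secretsmanager:example/app/db/password:SecretString:password:AWSCURRENT}}'
      # Method 2 again with a plain (non-secure) SSM parameter, pinned to
      # version 1 so a later edit of the parameter cannot change the DB name.
      DBName: '{{resolve:ssm:/example/app/db/name:1}}'

  AppHost:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LatestAmiId          # Method 1 with a typed SSM parameter
      InstanceType: t3.micro             # placeholder sizing
```

Two practitioner notes on the trade-off the answer describes. First, the `AWS::SSM::Parameter::Value<...>` type only works for non-secure SSM parameters, so an actual secret has to travel through a `ssm-secure` or `secretsmanager` dynamic reference regardless of reuse; of those two, `ssm-secure` is accepted only in a limited set of resource properties (RDS `MasterUserPassword` is one), while `secretsmanager` references are accepted in any property. Second, the "always fetch the latest" behaviour cuts both ways: leaving the version or stage off a dynamic reference means a routine stack update can silently pick up a rotated or edited value, so pinning a version (`:1`) or stage (`AWSCURRENT`) is the way to make that change an explicit, reviewable template diff.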