I've been diving into CloudFormation and learned that there are two ways to reference Parameter Store or Secrets Manager values. One way is by using a special parameter type in the Parameters section, which acts like a variable pointing to your secret. The other way is through a dynamic reference inline that fetches the secret directly during resource creation or updates. I get that both fetch the values at runtime, but I'm curious: when should I prefer one method over the other?
2 Answers
I've used both methods, and here's what I've noticed: when using dynamic references, the value is only retrieved the first time. So if the parameter changes later, it won’t update unless you explicitly run an updateStack. This isn't the case with parameter types, which are resolved during updates, making them more reliable for templates.
Both methods are valid, but they handle fetching secrets differently. The parameter type acts like a variable for your stack, which is reusable in multiple places and keeps the value hidden from logs due to NoEcho. The downside is that it only resolves when you update the stack. On the other hand, the dynamic reference is directly inline and fetches the latest value every time the resource is created or updated. So, if you need a secret tied to a specific resource and want to always have the most current password, go for the dynamic reference. But if you're reusing a secret frequently, the parameter type is your best bet.
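For reference, the two forms discussed in this thread side by side, as an added example that is not taken from either answer. The parameter name `/example/app/db-username`, the secret `example/app/db` with a `password` JSON key, and the RDS settings are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - SSM parameter type next to an inline dynamic reference.

Parameters:
  # Method 1: SSM parameter type.
  # Default holds the Parameter Store key name (hypothetical), not the value.
  # CloudFormation looks the value up during create/update stack operations.
  # This type works with String/StringList parameters; SecureString
  # parameters cannot be used as a template parameter type.
  DbUsername:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /example/app/db-username
    NoEcho: true   # mask the resolved value in console, CLI and API output

Resources:
  AppDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: "20"

      # The parameter behaves like a variable: reuse it anywhere with !Ref.
      MasterUsername: !Ref DbUsername

      # Method 2: dynamic reference, written inline on the property.
      # Format: {{resolve:secretsmanager:secret-id:SecretString:json-key}}
      # The template keeps this literal string; the secret itself is
      # resolved by CloudFormation when it processes the resource.
      MasterUserPassword: "{{resolve:secretsmanager:example/app/db:SecretString:password}}"

      # Parameter Store equivalents of the inline form:
      #   "{{resolve:ssm:/example/app/db-username}}"         (String)
      #   "{{resolve:ssm-secure:/example/app/db-password}}"  (SecureString,
      #       accepted only on the resource properties that support it)
```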