I just learned that CloudFormation can refer to Parameter Store and Secrets Manager values in two primary ways: through a special parameter type in the `Parameters` section and using a dynamic reference inline. I'm curious about the differences between these two methods in terms of when to use each. Can anyone break it down for me?
2 Answers
I've used both methods before, and noticed that with the dynamic reference (option 2), the value is only retrieved the first time; if the parameter changes, it won't update the resource on subsequent CloudFormation updates. However, option 1 handles updates correctly, so that’s why I lean towards it in my templates now.
Both methods work well, but they have different implications for how CloudFormation handles them. Using a parameter type is like creating a variable for your stack—it's reusable and keeps secrets hidden from logs, which is great for security. However, it only resolves when you update the entire stack.
On the other hand, the dynamic reference approach drops the secret pointer directly into your resource definition, fetching it fresh whenever the resource is created or updated. This is ideal for situations where you always want the latest password, but it’s less reusable.
**Rule of thumb:** Use parameter types for reusable secrets at the stack level, and go with dynamic references for one-off secrets tied to specific resources.
This is the way!

Exactly! If you don't specify a version number in your dynamic reference and change the SSM parameter, you need to update the stack to get the new value. Also, always providing a version is essential when referencing in the parameters section.
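The version point raised in the answers and comments above can be checked mechanically. The following is an added example (not code from any poster): a small Python check that scans a CloudFormation template for inline dynamic references and reports those without an explicit version. The template, parameter names, secret ARN, account id and version id are constructed placeholders.

```python
import json
import re

# Constructed sample template (JSON form) using both methods from the thread:
# an SSM parameter type in Parameters, and inline dynamic references in
# Resources. Names, ARN, account id and version id are placeholders.
SAMPLE_TEMPLATE = json.dumps({
    "Parameters": {
        "DbHostParam": {"Type": "AWS::SSM::Parameter::Value<String>",
                        "Default": "/app/prod/db/host"}
    },
    "Resources": {
        "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "MasterUsername": "{{resolve:ssm:/app/prod/db/user}}",
            "MasterUserPassword": "{{resolve:secretsmanager:app/prod/db:SecretString:password}}",
            "DBName": "{{resolve:ssm:/app/prod/db/name:3}}"}},
        "Api": {"Type": "AWS::Lambda::Function", "Properties": {"Environment": {"Variables": {
            "LICENSE": "{{resolve:ssm-secure:/app/prod/license:2}}",
            "TOKEN": "{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-1:123456789012"
                     ":secret:app/prod/api-AbCdEf:SecretString:token::EXAMPLE0-VERSION-ID}}"}}}}
    }
})

# Matches {{resolve:<service>:<reference>}} for the three supported services.
DYN_REF = re.compile(r"\{\{resolve:(ssm|ssm-secure|secretsmanager):([^}]+)\}\}")


def is_pinned(service, rest):
    """True when the dynamic reference names an explicit version."""
    fields = rest.split(":")
    if service in ("ssm", "ssm-secure"):
        # {{resolve:ssm:parameter-name:version}}; parameter names never contain ':'
        return len(fields) >= 2 and fields[1].isdigit()
    # secretsmanager: secret-id:SecretString:json-key:version-stage:version-id
    # A secret-id given as an ARN carries seven ':'-separated parts of its own.
    if fields[0] == "arn":
        fields = [":".join(fields[:7])] + fields[7:]
    # Version-stage labels such as AWSCURRENT move on rotation, so only a
    # version-id counts as a pin here.
    return len(fields) >= 5 and fields[4] != ""


def find_unpinned_references(template_text):
    """Return (service, reference) pairs with no explicit version: the ones
    CloudFormation has nothing to diff on when the stored value changes."""
    return [(s, r) for s, r in DYN_REF.findall(template_text) if not is_pinned(s, r)]


if __name__ == "__main__":
    for service, ref in find_unpinned_references(SAMPLE_TEMPLATE):
        print(f"unpinned {service} reference: {ref}")
```

Run against a real template file by reading its text (JSON or YAML both work, since the check is textual) and passing it to `find_unpinned_references`.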