[ben509]

Not a great article. Most of the content is far better explained in the AWS docs.

To summarize their best practices:

* don't put creds in templates

* reference other parameters outside of the template, e.g. in Systems Manager Parameter Store

* make your code readable

* add comments

* check your code

Except for the second, all of those are fine practices for maintaining any code.

The one best practice that's actually relevant to CF is to store parameters in SSM. Yet, they mention that drift is a problem with CloudFormation. So... why do you want to store parameters to your stack in a service that allows them to change independently of the stack?

Maybe there's an argument for doing this, but they don't explain it. It's just a "best practice."

They don't mention a major use case for CF, namely CI/CD. The article finishes up with a pitch for their template designer.

[throwaway894345]

Man, I don't miss CloudFormation. If you want to do anything interesting at all (like being able to spin up turn-key ad-hoc stacks for developers that are mostly the same as your main environments), then you have to parameterize everything, and passing data around CloudFormation templates is just awful--what you want is functions and data structures but CloudFormation gives you "nested-stacks" and you have to encode most of your data structures as strings and "parse them out" with the YAML builtin functions that they provide (e.g., `{"Fn::Split": "foo,bar,baz"}` will evaluate to `["foo", "bar", "baz"]`, but good luck if you want a list of objects). Each stack also has a limit on the number of parameters you can pass, and since you can't really pass struct-like data (e.g., `"Foo": {"bar": "baz", "qux": "..."}`) you end up flattening that struct into N parameters (e.g., `"FooBar": "Baz", "FooQux": "..."`). You can try to plumb things through SSM or SecretsManager, but each stack also limits the number of parameters you can pass there as well.

Basically, CloudFormation is like the shittiest programming language you've ever encountered. People will argue that it's supposed to be simple because it's just YAML, but that's bogus--we clearly need to be able to do complex things in this space or else CF wouldn't provide these hacky functions. We pretty clearly need some sort of expression language if not something more robust, since that's the direction all of these "it's just YAML!" tools are going (CloudFormation, Terraform, etc). CloudFormation might actually make a decent "assembly language" for an infrastructure-as-code backend (although extending CloudFormation for third party services was still far too difficult last I checked--basically you had to run your own lambdas) that some higher-level tools might generate, but it's a mess for anything that isn't a toy.

[otterley]

AWS solutions architect here! (Opinions are my own and not necessarily those of my employer.)

Many of us now believe that CloudFormation is best described as the assembly language of AWS infrastructure: you can hand-code it, but it's challenging and verbose, and there's a lot of detail you have to get involved in.

CDK is the high-level solution to this challenge. With CDK you describe your infrastructure in terms of high-level constructs such as classes. Your stacks are described as applications instead of YAML templates. You can use many different programming languages including TypeScript and Python, and code is reusable. You can even vendor custom construct libraries to share within your org, or openly via npm.

I've become a convert since CDK came out - it's been ages since I've handwritten CloudFormation templates.

https://aws.amazon.com/cdk/

[throwaway894345]

Yeah, I haven't given CDK a good shot yet. I did write something like it (for Python) before CDK existed, and it was very nice. I'd like to play with CDK, but I'm no longer working on AWS systems but rather GCP/Terraform. Best of luck to the CDK folks!

[twg_jack]

I'll second CDK -- love it and it's so much easier than writing raw CFN.

[devonbleak]

Yeah JSON/YAML is (mostly) great for data that needs to be parseable by machines and humans but trying to make a language out of it is horrible.

Raw HCL2/Terraform is marginally better IMO with being able to pass around more complex structs and function calls that don't have to be expressed as JSON dicts, but still remaining declarative to be able to create a dependency graph internally.

All of this is why CDK now exists to be able to express these things as TypeScript or Python and spit out the corresponding CFN or TF.

It's also worth noting that AWS added support for additional providers a while back so the CustomResource+Lambda you're describing isn't the only way to interact with non-AWS APIs.

I'm actually curious what you're using - you've shit all over a bunch of things without providing any real alternative.

[dragonwriter]

> Basically, CloudFormation is like the shittiest programming language you've ever encountered

CF json/yaml is essentially declarative asm for AWS resources.

CDK is how you use popular higher level languages to generate it, and there are some friendlier-than-raw-CF options in between (like SAM).

[throwaway894345]

SAM is limited and I didn't care for it. I believe CDK is the way to go; I just haven't had much chance to play around with it yet. I suspect it doesn't solve the problem that extensions are lambdas, but it's a welcome development. I believe Terraform now has a CDK as well.

[chriswarbo]

I agree. I'm sorely tempted to introduce Dhall or CUE at work, but it might be a bit of leap for colleagues.

[throwaway894345]

I wrote a prototype thing that was like Troposphere but better (everything was generated from CloudFormation spec JSON files, no stitching together things by string IDs, etc). Also unlike CDK, there was no inheritance (I haven't used CDK that much, but inheritance-based systems seem to be universally awful, so I'm skeptical). It can be pretty nice.

[dragonwriter]

> Not a great article

Well, duh, it's a Stackery ad posing as an CF best practices article; if the superficial meat was any good, it would distract attention from the ad.