Terraform VS CloudFormation: Which tool to deploy on AWS?

Terraform or CloudFormation: the two tools are often pitted against each other, and DevOps teams are asked to pick one or the other. However, from my point of view, these two tools do not necessarily address the same needs.

Asking the question of one's exact need

Before deciding which tool to adopt, it is important to pin down the exact need to be addressed:

  • Do I want to deploy only on AWS?
  • Do I need to interface with existing tools (especially CI/CD)?
  • Do I want to host the deployment solution myself or depend on a managed service?
  • Do I already use other tools from the HashiCorp ecosystem (Nomad, Packer, Consul or Vault for example)?

Once these questions are answered, you can already narrow down the tool you want to use.

Terraform: Infrastructure as Code tool from HashiCorp

Terraform is an open source tool created by HashiCorp, a company specialized in automation tooling.

It makes deploying on Amazon easier, but not only there: Terraform manages dozens of providers, which lets you deploy with the same tool on GCP, Azure, AWS or on bare metal.

Terraform can also handle a hybrid deployment on several clouds and/or data centres.

Within Amazon, Terraform can deploy simultaneously to several AWS accounts. It is also possible to extend Terraform by writing your own provider plugins (in Go).
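As an added illustration of that multi-account deployment (this is example code written for this article, not code from the original post or from HashiCorp), the configuration below creates the same hardened S3 bucket in two AWS accounts from a single `terraform apply`, using a provider alias with `assume_role` for the second account. The account IDs, the `TerraformDeploy` role name and the bucket names are hypothetical placeholders; the default provider is assumed to already be authenticated to the staging account.

```hcl
# Added example, not from the original post. All account IDs, role names and
# bucket names below are hypothetical placeholders.

terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

variable "accounts" {
  description = "Hypothetical account IDs, one per environment"
  type        = map(string)
  default = {
    staging = "111111111111"
    prod    = "222222222222"
  }
}

# Default provider: the credentials of the machine running Terraform,
# assumed here to belong to the staging account.
provider "aws" {
  region = "eu-west-1"
}

# Second provider, same region, different account reached via AssumeRole.
# The assumed role should grant only what this stack creates (least privilege).
provider "aws" {
  alias  = "prod"
  region = "eu-west-1"
  assume_role {
    # hypothetical role name
    role_arn = "arn:aws:iam::${var.accounts["prod"]}:role/TerraformDeploy"
  }
}

locals {
  # HCL interpolation and functions: tags are computed once and reused.
  common_tags = {
    ManagedBy = "terraform"
    Owner     = "platform-team"
  }
}

resource "aws_s3_bucket" "staging_logs" {
  bucket = "example-logs-staging-${var.accounts["staging"]}"
  tags   = merge(local.common_tags, { Environment = "staging" })
}

resource "aws_s3_bucket" "prod_logs" {
  provider = aws.prod
  bucket   = "example-logs-prod-${var.accounts["prod"]}"
  tags     = merge(local.common_tags, { Environment = "prod" })
}

# The same hardening is applied in both accounts: block all public access.
resource "aws_s3_bucket_public_access_block" "staging_logs" {
  bucket                  = aws_s3_bucket.staging_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_public_access_block" "prod_logs" {
  provider                = aws.prod
  bucket                  = aws_s3_bucket.prod_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

output "bucket_names" {
  value = {
    staging = aws_s3_bucket.staging_logs.bucket
    prod    = aws_s3_bucket.prod_logs.bucket
  }
}
```

Running `terraform plan` shows both buckets and both public-access blocks in one plan, which is the point: a single state file and a single review covers every account touched, so a misconfiguration in one account cannot silently diverge from the other.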

The perfect tool? No, like all tools, it has its flaws. First of all, it uses its own language, HCL (for HashiCorp Language), which looks (from afar) like JSON. Secondly, Terraform does not handle all the subtleties of some Amazon services, and there is a lag (even if short) before a new service or new features released by Amazon are supported. This is an important point to take into account when choosing the tool, because these gaps can cause regressions in production environments!

Finally, Terraform requires a machine to run on, whereas CloudFormation is simply an Amazon service. This means there is an additional operational maintenance (MCO) and run cost to take into account.

CloudFormation: Infrastructure as Code Service from Amazon

CloudFormation is an Amazon service, maintained entirely by Amazon.

It makes it easy to deploy resources in Amazon, and since it is entirely maintained and updated by Amazon, it removes the operational maintenance (MCO) of the solution.

Moreover, the use of CloudFormation is free (only resources deployed via CloudFormation are charged). CloudFormation allows you to use templates in YAML or JSON format in the same way. The use of these standardized formats makes it possible to quickly get to grips with the tool. CloudFormation is updated by Amazon, in a transparent way, and without service interruption.

Just like Terraform, CloudFormation also has flaws. For example, I find the interpolation of variables less thorough and less readable than in Terraform; the YAML/JSON formats do not lend themselves to it as well as HCL does. CloudFormation also creates strong lock-in to AWS, which is not necessarily wanted, and pushes you further and further into AWS, and only AWS. The fact that CloudFormation is updated only by Amazon can also create unmanaged regressions, since we depend entirely on Amazon. As an example, there is currently a bug when destroying Lambda functions deployed in a VPC, which can remain stuck in the deleting state for several minutes (or even hours).

Terraform VS CloudFormation: David vs Goliath?

On paper, one would think that a company that is small compared to Amazon is bound to lose (like fighting against any of the GAFAMs). Nevertheless, HashiCorp has been able to rally a large user base over the years and has a huge community behind it. This community provides strong reactivity on bugs and on additions of new features. Moreover, the fact that HashiCorp has interfaced its tools with each other lets tools such as Consul or Vault connect naturally to Terraform. HashiCorp has now been present in the DevOps landscape for several years, which can also be reassuring, especially with their commercial solution, Atlas, which I won't discuss here.

On the other hand, CloudFormation has the advantage of being maintained by AWS, whose cloud expertise needs no further proof. In addition, as I mentioned, CloudFormation has the advantage of being updated by AWS, often in "shadow" mode ahead of time, since Amazon knows its own announcements in advance. In case of deployment problems, it is also the assurance of being able to raise the issue directly with AWS support, rather than with a community which, as efficient as it is, has no SLA to honour.

In conclusion

As I mentioned, the two tools do not necessarily address the same needs and require some thought beforehand to avoid choosing a tool that overly restricts DevOps. From my point of view, both tools are very good, and both allow reliable deployment to production environments on AWS. Nevertheless, I have a preference for Terraform, which in my view is more versatile than CloudFormation.