AWS CloudFormation is an infrastructure templating, or infrastructure as code (IaC), service provided free of charge by AWS. It lets users describe groups of AWS infrastructure and services in a declarative manner. HashiCorp Terraform addresses similar needs, including a declarative IaC approach, but in a cloud-agnostic way. This article compares the two products at a high level so the reader can determine which is a better fit for their needs.
CloudFormation is a SaaS only offering that targets AWS exclusively. It employs an active management strategy, performing automated scaling and healing. As you might expect, it has extensive support for not only EC2 infrastructure, but a wide variety of AWS services. It is provided free of charge. It is closed source.
Terraform has historically been a CLI only tool, targeting all major public clouds. Recently, it has been offered as a SaaS product as well. It employs a passive management strategy, performing tasks based on user requests. The enterprise version has support for multi-tenancy and deployment policies. It is an open source product, governed by HashiCorp.
Declarative Vs. Imperative
Both products take a declarative approach to composing infrastructure. For the purpose of this article, ‘declarative’ refers to an approach to programming that defines the desired end state, as opposed to ‘imperative’, which describes in detail each step taken to achieve that end state. Most tooling in this space has gone the declarative route, because it abstracts resources at a level that users are comfortable with and has a lower barrier to entry.
Depth Vs. Breadth
CloudFormation is a service that focuses exclusively on AWS, and has tremendous depth of coverage in terms of AWS services and infrastructure. This focus, and the scale of AWS itself, keeps CloudFormation well synchronized with changes and additions to AWS. The Terraform orchestration tool, on the other hand, takes a cloud-agnostic approach with relatively shallow support for individual clouds, at least compared to the native orchestration solution for each cloud.
Active Vs. Passive Management
Terraform is a command-oriented tool, which evaluates resource state deltas (actual state versus desired state) in cloud platforms when commanded. To evaluate the state of a deployment, Terraform applies health check logic to each resource under management and then produces a remediation plan from the results.
CloudFormation provides active management via auto-scaling policies, EC2 health checks, and Amazon CloudWatch metrics collection. Rather than being activated by a command, the deployment is continuously monitored. As such, much larger deployments can be maintained, and responsiveness is good at high scale. Scaling group policy is configurable with regard to instance placement, instance limits, and load balancer health check coordination.
Open Vs. Closed
Terraform is an open source product first released by HashiCorp in 2014. As such, its implementation can be examined, patched, and enhanced (subject to HashiCorp approval). Like all open source, this means limitations are out in the open (security or otherwise), and high-priority changes and fixes can be made by the public if needed.
CloudFormation is a free but proprietary SaaS offering. The implementation is not available for examination or modification except by Amazon staff. Like all traditional software products, this means that the quality of the underlying implementation is a trade secret of AWS, and change prioritization is set by AWS.
Compliance Support Vs. Compliance Tool
Terraform supports “policy as code” for compliance via integration with HashiCorp’s Sentinel framework. It uses a proprietary policy definition language to encode policies. Policy support is provided in the enterprise and SaaS product versions. Policies are applied between the plan and apply operational phases. They can be grouped and applied to user workspaces by users with sufficient permissions.
CloudFormation provides an open source CLI tool called CloudFormation Guard. CloudFormation itself doesn’t support policies, but invites the user to bake Guard into their CI pipelines. Like Terraform, it has a proprietary language for defining policies. Whereas the Terraform policy language is modeled after a traditional programming language, the Guard language is modeled after firewall rules, each executed in sequence to detect rule violations.
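To make the Guard approach concrete, here is a small rules file written for this article (it is not from the original post or from AWS). It assumes a CloudFormation template containing AWS::S3::Bucket resources and encodes two common hardening checks as sequentially evaluated rules: encryption at rest must be declared, and all four public-access block settings must be enabled.

```guard
# Constructed example: CloudFormation Guard rules for S3 bucket hardening.
# Select every S3 bucket resource in the template under evaluation.
let s3_buckets = Resources.*[ Type == 'AWS::S3::Bucket' ]

# Rule 1: every bucket must declare server-side encryption with an
# approved algorithm. The rule is skipped (not failed) if no buckets exist.
rule s3_encryption_at_rest when %s3_buckets !empty {
    %s3_buckets.Properties.BucketEncryption exists
        <<Every S3 bucket must declare BucketEncryption>>
    %s3_buckets.Properties.BucketEncryption.ServerSideEncryptionConfiguration[*]
        .ServerSideEncryptionByDefault.SSEAlgorithm in ['AES256', 'aws:kms']
        <<SSEAlgorithm must be AES256 or aws:kms>>
}

# Rule 2: public access must be blocked in full. A bucket with the block
# omitted, or with any of the four flags false, fails this rule.
rule s3_block_public_access when %s3_buckets !empty {
    %s3_buckets.Properties.PublicAccessBlockConfiguration exists
        <<Every S3 bucket must declare PublicAccessBlockConfiguration>>
    %s3_buckets.Properties.PublicAccessBlockConfiguration {
        BlockPublicAcls == true
        BlockPublicPolicy == true
        IgnorePublicAcls == true
        RestrictPublicBuckets == true
    }
}
```

Saved as s3.guard, the rules are evaluated against a template with `cfn-guard validate -d template.yaml -r s3.guard`, which exits non-zero on any violation so a CI stage can gate the deployment.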
CloudFormation and Terraform are both cloud infrastructure automation tools that take a declarative approach to defining deployments. CloudFormation is a closed source SaaS product, focused entirely on the AWS ecosystem, with deep coverage of it. Terraform is cloud agnostic and open source. Both tools support the IaC paradigm, absorbing modifications to cloud templates and rendering them in the cloud. Since CloudFormation is AWS only, comparing the two is meaningless outside of that context. If you’re an AWS shop, and you will be for eternity, then using Terraform probably doesn’t make sense. If you are multi-cloud, then CloudFormation is useless.
If you are operating a multi/hybrid cloud organization that includes AWS, then using Terraform is suboptimal. Ideally you would use CloudFormation for AWS needs, and Terraform for others. Fortunately, Cloudify supports the optimum strategy, having plugin support for both Terraform and CloudFormation (along with direct AWS support). In a single blueprint, both native Terraform and CloudFormation descriptors can be managed, enabling each to do what it does best.