terraform
aws-cloudformation-coverage-roadmap
| | terraform | aws-cloudformation-coverage-roadmap |
|---|---|---|
| | 594 | 164 |
| Stars | 48,630 | 1,141 |
| Growth | 0.7% | 0.0% |
| Activity | 9.9 | 3.0 |
| | 4 days ago | about 2 years ago |
| Language | Go | |
| License | GNU General Public License v3.0 or later | Creative Commons Attribution Share Alike 4.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
terraform
- Release on Demand
When a change earns its way onto main, the train builds the container image one time and tags it by the commit SHA. That image is the artifact. It runs in dev immediately. And here's the part that makes promotion boring: shipping to prod doesn't rebuild anything. It re-points a config overlay (a Kustomize overlay, in practice, committed to the same repo) at the same SHA that's already running in dev. Same bytes, different environment. Promotion is a routing decision, not a build decision. The thing you tested in dev is the literal thing that runs in prod. Not a rebuild from the same commit and a hope. The same image. That cleanly splits two worlds that most setups jam into one giant deploy job. The slow-moving substrate (the cluster, the network, IAM, the shape of your manifests) changes on the order of a quarter and belongs to Terraform, ideally run through something like Terraform Cloud so applies are deliberate and auditable instead of run from someone's laptop. The fast-moving payload (image refs, rollouts, the things that change every commit) belongs to Git, reconciled continuously by a GitOps controller. Argo CD is the common one: it watches the repo, diffs the declared state against what's actually running in the cluster, and makes the cluster match. Change the overlay in Git, Argo CD notices and applies it. Flux does the same job if you prefer it. TF for the building, Git for the lights. The rule is simple: if it changes per release, Git owns it; if it changes per quarter, Terraform owns it. Match the tool to the rate of change and the six-hour deploy job that rewrites your infrastructure mid-flight just stops existing. One more piece falls out of this: tags are markers, not artifacts. The cluster never deploys a tag. The tag is a point-in-time anchor that says "this commit's state was live in prod," useful for audit, for rollback targeting, and for release notes. It records what shipped and when. Nothing reads it to decide what runs.
- Scarab Diagnostic Suite Field Test #006: Terraform Console Panic
- Jenkins as a Code, or how I stopped clicking around in the UI
AWS EC2 / Azure VMs (Linux and Windows) — Dedicated job runs Terraform to provision and de-provision instances from Packer templates.
- Going Production on Cloud: Infrastructure Best Practices Every Engineer Should Know (Part 1)
Use an IaC tool like Terraform to define every resource declaratively, and a configuration management tool like Ansible for anything that runs on the instance itself.
- War Story: Saving $200k/Year on AWS by Migrating 50% of Workloads to Graviton4 with Terraform 1.10
⭐ hashicorp/terraform — 48,279 stars, 10,324 forks
- You deleted everything and AWS is still charging you?
Look, I don't know what else to tell 'ya, but in 2026 if you're getting "mysterious" charges from AWS after "deleting everything", you're simply not competent.
With a plethora of free billing tips from places like Duckbill https://www.duckbillhq.com/, to full-on repos like AWS-Nuke, https://github.com/ekristen/aws-nuke, down to AWS's own account monitoring and management services like Control Tower https://aws.amazon.com/controltower/, and Config https://aws.amazon.com/config/, and full IAC ecosystems like Terraform https://developer.hashicorp.com/terraform or OpenTofu https://opentofu.org/, you are not leveraging all the cost-management capabilities of the modern cloud.
- Terraform 1.15 Alpha: Variable and Output Deprecation
Terraform has been iterating a lot more in the past few months, introducing features or updates to the core binary which were always desired. Looking at the release notes of the v1.15.0-alpha20260204 version, you see a few gems.
- Agentic CLI Design: 7 Principles for Designing CLI as a Protocol for AI Agents
Having pre-execution options like in Terraform makes agent operations easier.
- How I Built Graft: An Overlay Engine for Terraform Modules
There's a Terraform GitHub issue that's been open for years: people want to customize modules without forking them. Add a lifecycle block. Tweak a tag. Simple stuff.
- PEClient.rb - The Puppet API Ruby Client Library
You’re integrating Puppet with other tooling (Terraform, CI/CD, internal platforms).
aws-cloudformation-coverage-roadmap
- Dynamic Looping Comes to AWS SAM
AWS SAM CLI, the command-line tool for building and deploying serverless applications, now supports AWS CloudFormation Language Extensions. The one I am most excited about is Fn::ForEach, which brings dynamic looping to your YAML templates, but it's close. If you, like me, have been copy-pasting resource definitions to infinity, that stops today.
- Building AI Agents with Spring AI and Amazon Bedrock AgentCore - Part 4 Provide MCP tools for Conference application via AgentCore Gateway
We obtain the runtime ID property from the created AgentCore Runtime in the RuntimeWithMCPStack stack. The next part is to configure the outbound authentication. This means to configure how the AgentCore Gateway MCP target authenticates with the AgentCore Runtime with the MCP protocol. For this, we need to use AgentCore Identity. As described in the following issue, it's currently not possible to create the AgentCore Identity with CloudFormation. That's why CDK also can't provide this functionality. That's why we need to create it manually and then provide the configuration for this stack. Let's secure it with the existing OAuth Client. Let's go to AgentCore Identity and click on "Add Outbound Auth" -> "Add OAuth Client". Then select "Custom Provider" -> "Discovery URL" :
- AWS CloudFormation Drift Detection & Remediation Guide
AWS CloudFormation is an IaC service that helps users automate, scale, and manage their environments efficiently. On the other hand, GitOps has become one of the standard ways of ensuring the IaC configuration stored in code repositories is deployed live on the correct systems.
- Announcing AWS CDK Mixins: Composable Abstractions for AWS Resources
The AWS Cloud Development Kit (CDK) is an open-source software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. It contains pre-written modular and reusable cloud components known as constructs. Constructs are the basic building blocks representing one or more AWS CloudFormation resources and their configuration.
- Top 12 Puppet Alternatives for Automation
Website: https://aws.amazon.com/cloudformation/
- From Code to Cloud in Minutes: How AWS Amplify Supercharges Modern App Development
When you deploy a cloud sandbox, Amplify creates an AWS CloudFormation stack following the naming convention of amplify--<$(whoami)>-sandbox in your AWS account with the resources configured in your amplify/ folder.
- AWS Lambda & RDS Proxy
Getting everything to work with CloudFormation and using best practices took me a while as a different setting could completely lock up the creation of a database. I also ran into issues where the RDS Proxy was created and had no errors in the console but it turned out that, using CLI tools, the network config was broken which was the reason I couldn't connect. To save you from this pain, I created a demo that sets up Lambda with RDS Aurora & Proxy making use of security best practices like a managed password and IAM authentication.
- Getting Started with DevOps
CloudFormation,
- What is an AWS CloudFormation Template?
CloudFormation is an IaC AWS-native service that helps you model and configure your resources declaratively. Using CloudFormation, you can manage and operate your AWS infrastructure efficiently, so you can spend less time managing infrastructure.
- Master Secure File Uploads to AWS S3 in Node.js with Express and Multer
Basic knowledge of AWS and CloudFormation
What are some alternatives?
Docker Compose - Define and run multi-container applications with Docker
aws-cdk - The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
crossplane - The Cloud Native Control Plane
aws-appsync-community - The AWS AppSync community
terragrunt - Terragrunt is a flexible orchestration tool that allows Infrastructure as Code written in OpenTofu/Terraform to scale.
troposphere - troposphere - Python library to create AWS CloudFormation descriptions