    DEVOPS | Published 2025-10-15 | Updated 2025-12-20

    AWS CloudFormation vs HashiCorp Terraform vs AWS CDK

    CloudFormation vs Terraform vs CDK

    Infrastructure as Code in 2025 - what changed

    The IaC landscape shifted in 2025. Terraform moved to Business Source License (no longer open source), HashiCorp deprecated CDKTF in December 2025, and AWS CDK continues to mature. Here is the updated comparison with security implications for each approach.

    Service Overview

    AWS CloudFormation

    AWS-native IaC

    No state file to manage - AWS tracks resource state internally

    Type: Declarative (JSON/YAML)
    Pricing: Free (you pay for resources created)

    HashiCorp Terraform

    Multi-cloud IaC

    Multi-cloud, massive provider ecosystem, plan/apply workflow

    Type: Declarative (HCL)
    Pricing: BSL license (free for most use) / Terraform Cloud from $0

    AWS CDK

    AWS IaC with real languages

    Write IaC in TypeScript, Python, Java - with IDE support and testing

    Type: Imperative → CloudFormation
    Pricing: Free (synthesizes to CloudFormation)

    Side-by-Side Comparison

    $ diff --side-by-side
    Criteria            | CloudFormation                 | HashiCorp Terraform                           | CDK
    Language            | JSON / YAML                    | HCL                                           | TypeScript, Python, Java, C#, Go
    Multi-Cloud         | No (AWS only)                  | Yes                                           | No (AWS only)
    State Management    | AWS-managed (no state file)    | State file (S3 + DynamoDB or Terraform Cloud) | AWS-managed (synthesizes to CloudFormation)
    Drift Detection     | Yes (built-in)                 | terraform plan (manual)                       | Via CloudFormation
    License             | Proprietary (free AWS service) | Business Source License (BSL)                 | Apache 2.0 (synthesizes to CloudFormation)
    CDKTF Support       | N/A                            | Deprecated (Dec 2025)                         | N/A
    Module Ecosystem    | Limited                        | Terraform Registry (15K+ modules)             | Construct Hub (1,500+ constructs)
    Rollback on Failure | Automatic                      | No (manual terraform destroy)                 | Automatic (via CloudFormation)

    When to Use What

    $ cat DECISION_GUIDE.md
    IF   You are AWS-only and want the safest, most managed approach
    THEN CloudFormation or CDK
    WHY  No state file to secure, automatic rollback on failure, and drift detection built-in. CDK if you prefer TypeScript/Python over YAML.

    IF   You deploy to AWS, GCP, and Azure
    THEN Terraform
    WHY  The only mature multi-cloud IaC tool with providers for all major clouds and 15K+ modules. Accept the BSL license and state file overhead.

    IF   Your team already knows TypeScript and wants to test infrastructure
    THEN CDK
    WHY  Write infrastructure in real languages with IDE autocomplete, compile-time checks, and unit tests. Higher-level constructs reduce boilerplate.

    IF   You need maximum community modules and flexibility
    THEN Terraform
    WHY  The Terraform Registry has 15K+ modules. The ecosystem is unmatched despite the BSL license change.

    IF   You were using CDKTF (CDK for Terraform)
    THEN Migrate to CDK or native Terraform
    WHY  HashiCorp deprecated CDKTF in December 2025. Existing projects work but receive no updates or security patches.

    Security Insights

    Terraform state files contain secrets in plaintext

    The Terraform state file stores every resource attribute, including database passwords, API keys, and certificates, in plaintext. Anyone who can read the state file can read those secrets. Always use an encrypted S3 backend with DynamoDB state locking.
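    The backend configuration that paragraph calls for, written out as an added example (not code from the original page). Bucket name, lock table name, account ID and KMS key ARN are placeholders, and the `manage_master_user_password` alternative assumes a 5.x AWS provider.

```hcl
# Added example: Terraform remote state with encryption at rest and locking.
# Bucket, lock table, account ID and KMS key ARN are placeholders.
terraform {
  required_version = ">= 1.5.0"

  backend "s3" {
    bucket         = "example-org-tfstate"                 # placeholder bucket
    key            = "prod/database/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true                                   # SSE on the state object
    kms_key_id     = "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-KEY-ID"
    dynamodb_table = "example-org-tfstate-locks"           # placeholder lock table
  }
}

# The weak version this replaces is the default: no backend block at all, so
# terraform.tfstate sits unencrypted on the operator's disk (or in the repo)
# and nothing stops two concurrent applies from corrupting it. The bucket
# itself should also have versioning, public access blocked, and a bucket
# policy limited to the CI role and the operators who need state access.

# Caveat: sensitive = true only redacts the value in plan/apply output. It
# does not stop Terraform from writing the value in plaintext into state.
variable "db_password" {
  type      = string
  sensitive = true
}

resource "aws_db_instance" "example" {
  identifier          = "example-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password            = var.db_password   # lands in state, hence the encrypted backend
  skip_final_snapshot = true
}

# Alternative that keeps the password out of state entirely: let RDS generate
# it and store it in Secrets Manager (AWS provider 5.x). Drop the password
# argument and set:
#
#   manage_master_user_password = true
```

    Encrypting the backend limits who can read the state at rest; it does not change what Terraform writes into it, so keeping secrets out of state where the provider allows is the stronger control.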

    CDKTF deprecated - plan your migration

    HashiCorp deprecated CDKTF in December 2025. If you use it, existing deployments work but you receive no security patches or updates. Migrate to native Terraform HCL or AWS CDK.

    Terraform BSL license is not open source

    Since August 2023, Terraform uses the Business Source License (BSL). It is free for most use cases, but competitive hosting is restricted. OpenTofu is the open-source fork if this matters.

    IaC security scanning is essential

    Use checkov, tfsec, or cfn-nag to scan your templates before deployment. These tools catch public S3 buckets, unencrypted EBS volumes, and overly permissive security groups.

    Key Takeaways

    $ cat SUMMARY.md
    1. CloudFormation = safest (no state file, auto-rollback). CDK = same but with real languages.
    2. Terraform = multi-cloud but BSL license, state file security risk, no auto-rollback
    3. CDKTF deprecated Dec 2025 - migrate to CDK or native Terraform
    4. Terraform state files store secrets in plaintext - always encrypt with S3 + KMS
    5. Scan all IaC templates with checkov/tfsec/cfn-nag before deployment

    Need Architecture Guidance?

    These comparisons are a starting point. Every architecture is different. Contact us for tailored AWS security assessments and architectural guidance.