# Terraform vs CloudFormation decision matrix (enterprise AWS)

Pick **Terraform/OpenTofu** vs **native CloudFormation/StackSets** by team shape, org rollout needs,
and whether AWS-only day-zero coverage beats multi-cloud portability.

> Reflects **July 2026** patterns: CFN Hooks via StackSets, Application Composer for visual IaC,
> Terraform AWS provider 5.x, OpenTofu 1.8+ as the community fork of HashiCorp Terraform.

## 1. "What is the primary constraint?"

| Constraint | Default tool | Escalate when |
|------------|--------------|---------------|
| Multi-cloud or SaaS vendor portability | **Terraform/OpenTofu** | AWS-only shop with no Azure/GCP roadmap |
| Org-wide guardrails (Hooks, SCPs) | **CloudFormation StackSets** | Single-account startup |
| Developer velocity (loops, modules) | **Terraform** or **CDK→CFN** | Pure YAML teams prefer CFN |
| GovCloud / FedRAMP packaging | **CloudFormation** (native partition) | Terraform with partition-aware providers |
| Drift detection built-in | **CloudFormation** (stack drift) | Terraform + drift detection in CI |
| State file operational burden | **CloudFormation** (no remote state) | Mature S3+DynamoDB lock discipline |

**Opinionated default:** **Terraform/OpenTofu** for application teams shipping daily; **CloudFormation StackSets** for platform/security baseline every account must inherit.
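The "Terraform + drift detection in CI" escalation in the table above, as an added example that is not part of the original post: a small CI-side check over `terraform show -json` plan output, standing in for CloudFormation's native stack drift. It assumes the Terraform 1.x plan JSON shape (`resource_drift` and `resource_changes` arrays) and uses a constructed sample plan, not a real one.

```python
"""Drift report over `terraform show -json <planfile>` output (added example,
not from the original post). Assumes Terraform 1.x plan JSON; sample is constructed."""
import json
import sys

# Constructed sample plan, trimmed to the fields the report reads.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_drift": [
        {"address": "aws_s3_bucket_public_access_block.state",
         "change": {"actions": ["update"],
                    "before": {"block_public_acls": True, "restrict_public_buckets": True},
                    "after": {"block_public_acls": False, "restrict_public_buckets": True}}},
        {"address": "aws_cloudtrail.org",
         "change": {"actions": ["delete"], "before": {"name": "org-trail"}, "after": None}},
    ],
    "resource_changes": [
        {"address": "aws_iam_role.app", "change": {"actions": ["no-op"]}},
        {"address": "aws_security_group.web", "change": {"actions": ["update"]}},
    ],
})

def changed_attributes(before, after):
    """Names of attributes whose value differs between before and after (None-safe)."""
    before, after = before or {}, after or {}
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))

def drift_report(plan_json):
    """Split a plan into out-of-band drift (resource_drift) and pending plan changes."""
    plan = json.loads(plan_json)
    drifted = [{"address": r["address"], "actions": r["change"]["actions"],
                "attributes": changed_attributes(r["change"].get("before"), r["change"].get("after"))}
               for r in plan.get("resource_drift", [])]
    pending = [r["address"] for r in plan.get("resource_changes", [])
               if r["change"]["actions"] != ["no-op"]]
    return {"drifted": drifted, "pending_changes": pending}

def ci_exit_code(report):
    """Same convention as `terraform plan -detailed-exitcode`: 0 clean, 2 when a diff exists."""
    return 2 if report["drifted"] or report["pending_changes"] else 0

if __name__ == "__main__":
    # Usage: terraform show -json plan.tfplan > plan.json && python drift_report.py plan.json
    report = drift_report(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN_JSON)
    print(json.dumps(report, indent=2))
    sys.exit(ci_exit_code(report))
```

Run it right after `terraform plan -out=plan.tfplan` in the pipeline and fail the job on exit code 2; the `attributes` list tells the reviewer which settings were changed outside Terraform (here a public-access block being loosened and a trail deleted).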

## 2. "When NOT to use Terraform"

| Situation | Use CloudFormation instead |
|-----------|----------------------------|
| Mandatory org-wide Hooks deployment | StackSets + service-managed permissions |
| Team cannot operate remote state securely | CFN — no state bucket to leak |
| CDK already standard; synth to CFN | Keep CDK — don't add Terraform layer |
| "We might leave AWS someday" with no date | Portability theater — pick one |

## 3. "When NOT to use CloudFormation"

| Situation | Use Terraform instead |
|-----------|----------------------|
| Complex conditionals and dynamic blocks | HCL/for_each beats YAML macros |
| Third-party + AWS in one stack | Terraform multi-provider |
| Existing Terraform estate > 500 resources | Migration cost exceeds CFN benefit |
| Rapid module sharing across repos | Terraform Registry / private modules |

## 4. Hybrid pattern (common at scale)

```
Platform team:  CFN StackSets → baseline (Config, GuardDuty, CloudTrail)
App teams:      Terraform/OpenTofu → application stacks
CDK (optional): Synthesizes to CFN for AWS-native services day-zero
```

## Related posts

- [Terraform vs AWS CDK](/blog/terraform-vs-aws-cdk-infrastructure-as-code-decision-guide/)
- [CloudFormation best practices](/blog/aws-cloudformation-best-practices-infrastructure-as-code/)
- [Terraform vs OpenTofu vs Pulumi](/blog/terraform-opentofu-vs-pulumi-aws-2026/)
