
Create or import virtually any Terraform resource in CloudFormation







Create, import and manage (virtually) any Terraform resource in (virtually) any provider on AWS CloudFormation (via custom resources).

Why would somebody want this?

  • CloudFormation devotees: Stop feeling jealous that Terraform has more features.
  • Configure the database on your PostgreSQL RDS instance (privileges, databases, schemas, etc.).
  • Use tfbridge to bring existing resources under CloudFormation management.
  • Leverage your existing CloudFormation skills to deploy to multiple providers: combine GitHub, Netlify and AWS in one template.
  • Skip waiting for the CloudFormation team to provide native support for new services and features.
  • Terraform users: No more messing with TF state files; state is handled by CloudFormation.

What it is

tfbridge is a set of CloudFormation custom resources backed by serverless functions. It is fairly provider-agnostic, which makes it easier to support as many providers as possible.


  • Multi-provider. See latest release for the full list.
  • Terraform data sources
  • Import resources (just like in Terraform)
    • Strict mode: tfbridge can check that you declared all properties correctly.
  • Full support for provider options
  • Variable interpolation, e.g. ${var.self.whatever}.


  1. Deploy the stack using the template on the releases page. It shows how to create the serverless functions that can provision resources in the supported providers. Use the parameters to pass in your credentials to the various providers, e.g. your DigitalOcean access token. Note the function names of the deployed resources; you will use them in the next step.
  2. Next, create custom resources in the following format. The next section has some examples:
  • resource:
        Type: Custom::TfBridge-resource-$RESOURCE
        Properties:
          ServiceToken: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:$STACK_NAME-$PROVIDER
          param1: val1 # as documented in the resource's Terraform docs.
          param2: val2
  • data source:
        Type: Custom::TfBridge-data-$DATA_SOURCE
        Properties:
          ServiceToken: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:$STACK_NAME-$DATA_SOURCE
          param1: val1 # as documented in the data source's Terraform docs.
          param2: val2
  3. Optional: To deploy to the same providers using different credentials, launch a new stack using the same template as in the first step. Supply it with the new credentials, or edit the template to customise it further.


Terraform resources return several attributes, e.g. a github_repository returns full_name, git_clone_url, etc. In Terraform, you would refer to them as ${github_repository.my_repo.git_clone_url}. With tfbridge, you use !GetAtt instead: !GetAtt MyRepo.git_clone_url.

Example resources

You can try the following snippets. They are intended to work as similarly as possible to the original Terraform project:

An HTTP data source:

    Type: Custom::TfBridge-data-http
    Properties:
      ServiceToken: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:tfbridge-http
      # as documented here
      url: https://example.com/ # placeholder URL
      request_headers:
        Accept: application/json

A Netlify site:

    Type: Custom::TfBridge-resource-netlify_site
    Properties:
      ServiceToken: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:tfbridge-netlify
      # as documented here
      #name: some-custom-name
      repo:
        - command: gulp build
          dir: dist/
          provider: github
          repo_branch: master
          repo_path: jeshan/cloudformation-checklist

Importing an existing AWS IAM user. Set TFBRIDGE_MODE to Import and TFBRIDGE_ID to the ID of the resource to be imported:

    Type: Custom::TfBridge-resource-aws_iam_user
    Properties:
      TFBRIDGE_MODE: Import
      TFBRIDGE_ID: some_user_name_to_import
      ServiceToken: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:tfbridge-aws

Importing the same user, but this time strictly checking that all properties have been properly mapped. Set TFBRIDGE_MODE to ImportStrict:

    Type: Custom::TfBridge-resource-aws_iam_user
    Properties:
      TFBRIDGE_MODE: ImportStrict
      TFBRIDGE_ID: some_user_name_to_import
      ServiceToken: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:tfbridge-aws
      arn: !Sub arn:aws:iam::${AWS::AccountId}:user/some_user_name_to_import
      id: some_user_name_to_import
      name: some_user_name_to_import
      path: /
      unique_id: AIDAV5PA7X6CGFEXAMPLE

When in doubt, check the relevant Terraform docs.
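
A pre-deploy check for the conventions above (type naming, a ServiceToken that points at the matching provider's function and therefore its credentials, and the two import modes), as an added example that is not part of tfbridge. The names `lint_tfbridge` and `token_text`, the provider-prefix heuristic and the sample template are assumptions made for illustration.

```python
import re

# Naming from the README: Custom::TfBridge-resource-$RESOURCE / Custom::TfBridge-data-$DATA_SOURCE
TYPE_RE = re.compile(r"^Custom::TfBridge-(resource|data)-([a-z0-9_]+)$")
IMPORT_MODES = ("Import", "ImportStrict")  # the two modes the README documents

def token_text(token):
    """Return ServiceToken as text: a plain string or the JSON form {"Fn::Sub": "..."}."""
    if isinstance(token, dict):
        token = token.get("Fn::Sub")
    return token if isinstance(token, str) else ""

def lint_tfbridge(resources):
    """Return (logical_id, message) findings for the tfbridge resources in a template."""
    findings = []
    for logical_id, res in resources.items():
        rtype = res.get("Type", "")
        if not rtype.startswith("Custom::TfBridge"):
            continue  # not a tfbridge custom resource
        match = TYPE_RE.match(rtype)
        if not match:
            findings.append((logical_id, "type does not follow the README naming"))
            continue
        props = res.get("Properties") or {}
        # Assumption: the provider is the prefix of the Terraform name (aws_iam_user -> aws).
        name = match.group(2)
        provider = name.split("_")[0]
        token = token_text(props.get("ServiceToken"))
        if not token:
            findings.append((logical_id, "missing ServiceToken"))
        elif not token.endswith(("-" + provider, "-" + name)):
            findings.append((logical_id, f"ServiceToken is not the {provider} function"))
        mode = props.get("TFBRIDGE_MODE")
        if mode is not None and mode not in IMPORT_MODES:
            findings.append((logical_id, f"undocumented TFBRIDGE_MODE {mode!r}"))
        elif mode in IMPORT_MODES and not props.get("TFBRIDGE_ID"):
            findings.append((logical_id, f"{mode} needs TFBRIDGE_ID"))
    return findings

# Constructed sample: the Resources section of a template, already parsed into a dict.
ARN = "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:"
SAMPLE = {
    "Site": {"Type": "Custom::TfBridge-resource-netlify_site",
             "Properties": {"ServiceToken": {"Fn::Sub": ARN + "tfbridge-aws"}}},
    "User": {"Type": "Custom::TfBridge-resource-aws_iam_user", "Properties": {
        "ServiceToken": ARN + "tfbridge-aws", "TFBRIDGE_MODE": "ImportStrict"}},
}
print(lint_tfbridge(SAMPLE))
```

The check takes the parsed Resources mapping, so a YAML template using short-form tags such as !Sub has to be converted to its JSON form first.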

Configuring the providers

tfbridge leverages configuration features already supported by Terraform. Since Terraform resources are configurable via environment variables, you can configure their respective serverless functions with environment variables. For the full list of available environment variables, check the provider.go file. For example, NETLIFY_TOKEN is the environment variable to set for Netlify.


  • If you don't see your favourite provider, raise an issue with this link

  • Please remember that this is still experimental software. Do not use it in production yet.


Code is released under the Simplified BSD Licence. Fork and hack away!

Install Go 1.12 locally. Run to compile code for the various providers. Example resources that you can deploy to test can be found on this page or in the custom-resources.yaml template.

You can deploy a similar deployment pipeline via the templates/infrastructure.yaml file. The CodeBuild project in it contains the exact build steps, so check them if you can't build successfully. Otherwise, raise an issue.