user10916892

Reputation: 997

AWS Cloudformation - Is it mutable or immutable infrastructure?

I am trying to understand mutable vs immutable infrastructure and wondering which one CloudFormation provides. When CloudFormation stacks are updated, which paradigm does it follow, immutable or mutable infrastructure?

Every AWS resource has a set of properties; some of them can be updated without any interruption, and for some, if updated, the resource is replaced. E.g. for an ALB, if the scheme (public vs internal) is changed then a new ALB is created, but if the attached security groups are updated, that is done without any interruption. So changing security groups in this case, isn't it mutable infrastructure?

Upvotes: 1

Views: 1527

Answers (1)

LRutten

Reputation: 1902

Basically all IaC tools I know of try to update resource properties over replacing the whole resource. Usually whether or not a setting update requires replacement is a limitation set by the underlying APIs in use. If there is no API for the 'update', as is the case with the ALB scheme, the only real way to implement the change is by creating a new resource.

So in that sense, it tries to be 'mutable' whenever it can. If it can't, then a new resource has to be created.

Edit: as per discussion in the comments below, some extra info on immutable infra:

When people talk about immutable infra they mainly mean the application layer nowadays. In a classical three-tier model (load balancer, app layer, data layer), the immutability mainly concerns the app layer. All other services are managed nowadays in AWS, so you can't log into them and change things any more. You're often fine if you use autoscaling groups for EC2 or containers like ECS or EKS. They are spun up, and once spun up they are not altered any more. They don't contain state, so they can just be thrown away and recreated without problems. In other words, having immutable infra is very much related to stateless app layers nowadays.

Upvotes: 3
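The in-place versus replacement behaviour discussed in this thread can be checked before an update runs: a CloudFormation change set reports a `Replacement` value per modified resource and a `RequiresRecreation` value per changed property. The following is an added example, not part of the question or the answer; the sample change set and the logical IDs `PublicAlb` and `InternalAlb` are constructed, and the helper names are hypothetical.

```python
import json

# Constructed sample, shaped like `aws cloudformation describe-change-set` output.
SAMPLE_CHANGE_SET = json.loads("""
{"Changes": [
  {"Type": "Resource", "ResourceChange": {
    "Action": "Modify", "LogicalResourceId": "PublicAlb",
    "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
    "Replacement": "True",
    "Details": [{"Target": {"Attribute": "Properties", "Name": "Scheme",
                            "RequiresRecreation": "Always"}}]}},
  {"Type": "Resource", "ResourceChange": {
    "Action": "Modify", "LogicalResourceId": "InternalAlb",
    "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
    "Replacement": "False",
    "Details": [{"Target": {"Attribute": "Properties", "Name": "SecurityGroups",
                            "RequiresRecreation": "Never"}}]}}
]}
""")

# Replacement is reported only for Modify actions.
OUTCOMES = {"True": "replace", "False": "in-place", "Conditional": "maybe-replace"}

def classify_changes(change_set):
    """Map each logical resource ID to (outcome, properties driving that outcome)."""
    result = {}
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange")
        if rc is None:
            continue
        if rc["Action"] != "Modify":  # e.g. Add or Remove: nothing is mutated in place
            result[rc["LogicalResourceId"]] = (rc["Action"].lower(), [])
            continue
        outcome = OUTCOMES.get(rc.get("Replacement"), "unknown")
        targets = [d.get("Target", {}) for d in rc.get("Details", [])]
        if outcome != "in-place":
            # Keep only the properties that can force a new physical resource.
            targets = [t for t in targets if t.get("RequiresRecreation") != "Never"]
        names = sorted({t["Name"] for t in targets if t.get("Name")})
        result[rc["LogicalResourceId"]] = (outcome, names)
    return result

def needs_review(change_set):
    """Logical IDs whose update will, or may, create a new physical resource."""
    flagged = ("replace", "maybe-replace", "unknown")
    return sorted(k for k, (o, _) in classify_changes(change_set).items() if o in flagged)

if __name__ == "__main__":
    for logical_id, (outcome, props) in classify_changes(SAMPLE_CHANGE_SET).items():
        print(f"{logical_id}: {outcome} ({', '.join(props)})")
```

Running the same functions over a real change set in a deployment pipeline gives a point at which to stop for review when a resource would be replaced rather than updated in place.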
