So, #AWS #cloudformation vs #AWSCLI. Looks to be ending up the same as Azure #ARM vs #AzureCLI. If you already have the template, and deploy it once, it is good. But developing CLI scripts is quicker (debug one step at a time, rather than all at once). And templates run into the same dead ends: e.g. it decides it needs to recreate the entire subnet, so it attempts to, but runs into an IP address conflict with the existing one, and the whole thing stops. There are things/changes that declarative approaches just can't do, and you need to use migrations (CLI scripts).
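
A pre-deployment check for the dead end described above, as an added example that is not part of the original post: it reads the JSON returned by `aws cloudformation describe-change-set` and lists the resources CloudFormation plans to recreate, so a subnet replacement is visible before the update runs. The change set contents, resource names and the `find_replacements` helper are constructed for illustration.

```python
import json

# Constructed sample in the shape returned by
# `aws cloudformation describe-change-set`; all names and IDs are made up.
SAMPLE_CHANGE_SET = json.loads("""
{
  "Changes": [
    {"Type": "Resource", "ResourceChange": {
      "Action": "Modify", "LogicalResourceId": "AppSubnet",
      "PhysicalResourceId": "subnet-EXAMPLE", "ResourceType": "AWS::EC2::Subnet",
      "Replacement": "True",
      "Details": [{"Target": {"Attribute": "Properties", "Name": "AvailabilityZone",
                              "RequiresRecreation": "Always"}}]}},
    {"Type": "Resource", "ResourceChange": {
      "Action": "Modify", "LogicalResourceId": "AppSecurityGroup",
      "PhysicalResourceId": "sg-EXAMPLE", "ResourceType": "AWS::EC2::SecurityGroup",
      "Replacement": "False",
      "Details": [{"Target": {"Attribute": "Properties", "Name": "SecurityGroupIngress",
                              "RequiresRecreation": "Never"}}]}},
    {"Type": "Resource", "ResourceChange": {
      "Action": "Add", "LogicalResourceId": "FlowLog",
      "ResourceType": "AWS::EC2::FlowLog", "Details": []}}
  ]
}
""")


def find_replacements(change_set):
    """Return the modified resources the change set would (or might) recreate."""
    flagged = []
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange", {})
        # "True" = always replaced, "Conditional" = decided at deploy time.
        if rc.get("Action") != "Modify" or rc.get("Replacement") not in ("True", "Conditional"):
            continue
        # Properties whose change forces the recreation.
        causes = sorted(
            d["Target"]["Name"] for d in rc.get("Details", [])
            if d.get("Target", {}).get("RequiresRecreation") in ("Always", "Conditionally")
            and d["Target"].get("Name"))
        flagged.append({"id": rc["LogicalResourceId"], "type": rc["ResourceType"],
                        "replacement": rc["Replacement"], "caused_by": causes})
    return flagged


if __name__ == "__main__":
    for item in find_replacements(SAMPLE_CHANGE_SET):
        print("{id} ({type}) replacement={replacement} caused_by={caused_by}".format(**item))
```

A flagged `AWS::EC2::Subnet` is the case to handle with a scripted migration rather than letting the stack update attempt the recreation.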