Cloudformation when to use getatt, ref, vs ${}
This drawing may help clarify the uses:
CloudFormation Ref and GetAtt cheatsheet is a very handy webpage that can be used to quickly reference what you can get via a Ref and GetAtt for most CloudFormation resources. You can use a Ref for a logical resource's default value (including inside a Sub using the ${NAME} method) as well as for a parameter of the stack. GetAtt is only useful for logical resources of the stack.
Ref can be used for two things:
- To return the value of a parameter that you passed in via the parameters section of the template.
- When you ref the logical ID of another resource in your template, Ref returns what you could could consider as a default attribute for that type of resource. So using ref for an EC2 instance will return the instance ID, Ref'ing an s3 bucket resource, it will return the bucket name. You can look at the bottom of each cloudformation resources page in the AWS docs to see what this value will be (See Return Values section: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html)
GetAtt is essentially the same as the 2nd function of Ref above, it also returns an attribute of the resource that you created within your resource, but while ref returns only a default attribute, GetAtt allows you to choose from different attributes to return.
Example, GetAtt for an EC2 instance gives you the option to return the AvailabilityZone, PrivateDnsName, PublicDNSName, etc of an instance - whereas Ref will only return the InstanceID. The different attributes you can return are different per resource type. You can also look at the bottom of each cloudformation resources page in the AWS docs to see what attributes you can all return (See Return Values section: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html)
${} is another way to reference parameters passed in through the parameters section of the template.
All of this is in the AWS documentation though.