Managing aws infrastructure other than ec2 instances/elb

I’m looking for info/thoughts about how people manage their aws infrastructure. We are currently using chef provisioning to manage ec2 instances and elbs. Works great so far. The rest is done using cloudformation. One problem I’ve run into already is managing security groups. Our provisioning config specifies sgs(and other aws infra) to use with instances. If sgs get changed/created via the CF stuff then the config in CP cookbook needs to be updated. I guess we could write some code to automate extracting sgs from aws and update the CP cookbook automatically but that doesn’t seem ideal. According to my coworkers our aws infra isn’t going to change much but I don’t buy that. If we wanted to bring up a new vpc with all the same infra and instances, it would be hard to do so the way we use CF and CP cookbook now.

I searched on this mailing list for ‘security group’ and found people asking similar question. No good answer/solution was posted and posts are almost 2yrs old in some cases. I looked a little at Terraform but didn’t find glowing reviews. Anyone have any updates/solutions that work well for them?