There are some cases where we want to avoid storing sensitive data outside AWS. Ideally a Lambda environment variable would do the job. It is also required to avoid another extra service such as Secrets Manager.
Since the environment variables are being overwritten on deploy we had to play around with substitutions in the config file.
What we basically do is replace placeholders on the config.json on deploy time.
Is there any way to make those environment variables persistent?
You should likely be using Secrets Manager or Parameter Store for secrets / sensitive data and then referencing them by key in an env var; chalice is provisioning and managing the environment variables.
Makes sense @kapilt . Is there any other option without using another AWS service? If not, I think we're going with that one.
The question, at least for me, remains: from the software perspective, why is _resetting_ better than keeping the stored values?
It's a single resource config. If you're provisioning and managing a resource, patching it in place means you now have multiple sources of truth for how that resource is configured, which is generally not a good thing (i.e. reproducing is harder, dealing with conflicts, etc.). It's also a single API call to update the function configuration, which includes environment variables, and that call defaults to replacing the existing configuration.
You should likely be using Secrets Manager or Parameter Store for secrets / sensitive data and then referencing them by key in an env var; chalice is provisioning and managing the environment variables.
@kapilt And where should we store the access key id/secret access key used to connect to secrets manager? Or can boto3 connect to secrets manager using the Lambda's runtime role without requiring access key id/secret access key? If you're suggesting that we store those in env var, that leads us back to the issue of having secrets in a file (chalice/config.json) that needs to be versioned...
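The pattern suggested above (env var holds only the secret's name, the value is fetched at runtime with the Lambda execution role), as an added example that is not code from the thread or from the chalice project. It assumes a placeholder env var `DB_SECRET_NAME` set via chalice's `environment_variables` config key, and a Secrets Manager client passed in so it can run offline with a stub; in Lambda, boto3's default credential chain picks up the runtime role, so no access key id / secret access key goes into config.json.

```python
import json
import os
import time

# Assumed deployment config (placeholder values) in .chalice/config.json:
#   "environment_variables": {"DB_SECRET_NAME": "prod/db"}
# Only the secret *name* is versioned; the value never touches the repo.

_CACHE = {}  # secret name -> (expires_at, value); reused across warm invocations


def fetch_secret(client, name, ttl=300, now=time.time):
    """Return the secret value for `name`, caching it for `ttl` seconds.

    `client` is anything exposing a Secrets Manager-style
    get_secret_value(SecretId=...) method: boto3's real client in Lambda,
    a stub in tests. JSON string secrets are decoded into a dict.
    """
    hit = _CACHE.get(name)
    if hit and hit[0] > now():
        return hit[1]
    resp = client.get_secret_value(SecretId=name)
    if "SecretString" in resp:
        raw = resp["SecretString"]
        try:
            value = json.loads(raw)
        except ValueError:
            value = raw
    else:
        value = resp["SecretBinary"]  # boto3 returns binary secrets as bytes
    _CACHE[name] = (now() + ttl, value)
    return value


def secret_name_from_env(var="DB_SECRET_NAME", environ=os.environ):
    """Read the secret *name* (never the value) from the environment."""
    name = environ.get(var)
    if not name:
        raise RuntimeError("%s is not set; chalice sets it from config.json" % var)
    return name


def secretsmanager_client():
    """Real client for use inside Lambda; credentials come from the runtime role."""
    import boto3  # imported lazily so the module loads without boto3 installed
    return boto3.client("secretsmanager")
```

Inside the handler, `fetch_secret(secretsmanager_client(), secret_name_from_env())` resolves the value once per container and serves cached hits afterwards; the execution role needs `secretsmanager:GetSecretValue` on that secret.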