
The reason they do that is because then you can do things like extract envvar values from secrets.


Pedantically, there's nothing stopping them from doing it the way CFN does it: dispatching on the value's type:

  env:
    AWS_REGION: us-east-1
    AWS_SECRET_ACCESS_KEY:
      valueFrom: ...

CFN even goes as far as having two ways to pull off that stunt, magic prefixes and objects:

  Properties:
    ImageId: !Ref MyAwesomeAmi
    # or
    ImageId:
      Ref: MyAwesomeAmi
    # or cursed "{{resolve" syntax
    ImageId: !Join
      - ''
      - - '{{resolve:ssm:/aws/service/bottlerocket/aws-k8s-'
        - Ref: EksVersion
        - '/x86_64/latest/image_id}}'
    # which ends up being "ImageId: '{{resolve:ssm:/aws/service/bottlerocket/aws-k8s-1.31/x86_64/latest/image_id}}'" and then *that* gets replaced by the CFN service at provisioning time



