I'm trying to find a solution for setting the master user password of an aws_db_instance from a pre-existing secret (which is currently in an existing Secrets Manager resource).

If I use password = data.aws_secretsmanager_secret_version.our_secret.secret_string, then the password is stored in the state file, which I don't want (as this state file is not secured, and is either pushed to git or stored on some S3 or something).

If I use manage_master_user_password = true, then I can't specify my pre-existing secret: it's AWS that generates the password in this case, not me. Another problem with this is that AWS will create a new resource for the secret, which I don't want either.

Relying on tfvars is not an option either, as we need a single source of truth for the password (rather than scattered tfvars files) which is also secured (rather than plain text files).

Any idea how to accomplish this? Is there a way to somehow fetch the password from a secured single-source-of-truth container while keeping it out of the state file?
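Added example (not part of the original question): a small Python audit that scans a Terraform state document for plaintext secret attributes. It illustrates the concern above: with the data-source approach, both the aws_db_instance `password` attribute and the `secret_string` of the aws_secretsmanager_secret_version data source itself land in `terraform.tfstate`. The state JSON and the attribute names treated as secrets are constructed for illustration.

```python
"""Audit a Terraform state (v4 JSON) for plaintext RDS master passwords."""
import json

# Constructed, abbreviated state document for illustration only.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {
            "mode": "data",
            "type": "aws_secretsmanager_secret_version",
            "name": "our_secret",
            "instances": [{"attributes": {"secret_string": "CONSTRUCTED-pw-123"}}],
        },
        {
            "mode": "managed",
            "type": "aws_db_instance",
            "name": "main",
            "instances": [{"attributes": {
                "identifier": "example-db",
                "password": "CONSTRUCTED-pw-123",
                "manage_master_user_password": None,
            }}],
        },
    ],
})

# Attribute names this audit treats as secret-bearing (assumption, extend as needed).
SECRET_KEYS = {"password", "secret_string", "master_password"}


def find_plaintext_secrets(state_json: str) -> list[str]:
    """Return 'mode.type.name.attribute' paths whose attribute holds a non-empty secret.

    Data sources are included: their results are persisted in state just like
    managed resources, so reading the secret via a data source still leaks it.
    """
    state = json.loads(state_json)
    hits = []
    for res in state.get("resources", []):
        prefix = f"{res['mode']}.{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            for key, value in inst.get("attributes", {}).items():
                if key in SECRET_KEYS and value:
                    hits.append(f"{prefix}.{key}")
    return hits


if __name__ == "__main__":
    for path in find_plaintext_secrets(SAMPLE_STATE):
        print("plaintext secret in state:", path)
```

Run it against a real `terraform state pull` output to confirm whether a given configuration keeps the master password out of state.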
