I would like to stick to a policy of "all infrastructure is code". However, I can't see a way to do that for secrets with CloudFormation.
SecretsManager requires that you specify the SecretString in plain text. Even if you inject a decrypted value from somewhere, the plain text string shows up in the CF console in the template view :/
It is also impossible to use encrypted strings in SSM. The docs say, "AWS CloudFormation doesn't support creating a SecureString parameter type."
Is there really no way to use CloudFormation to securely manage secrets as code?
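The two patterns the question contrasts, written out as an added CloudFormation example (this is not part of the original post, and the secret names, the `hunter2` literal and the RDS settings are constructed placeholders). The first resource shows the problem: a `SecretString` literal is template content, so it is readable in the console template view, in change sets and wherever the template is stored. The second keeps the secret material out of the template entirely by letting Secrets Manager generate the value, and the consumer reads it through a `{{resolve:secretsmanager:...}}` dynamic reference that CloudFormation resolves at deploy time without echoing the value back into the template.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: a secret embedded in the template (anti-pattern) beside a
  secret whose value never exists in template form.

Resources:
  # Anti-pattern from the question: the literal value is part of the template,
  # so it is visible in the CloudFormation console, in change sets, in version
  # control and in any bucket the template is uploaded to.
  PlaintextSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: example/app/plaintext                              # constructed name
      SecretString: '{"username":"app","password":"hunter2"}'  # constructed; do not do this

  # Hardened form: the template carries no secret material. Secrets Manager
  # generates the password when the stack is created; only principals with
  # secretsmanager:GetSecretValue on this resource can read it afterwards.
  GeneratedSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: example/app/generated                              # constructed name
      Description: Generated at stack creation; value never appears in the template
      GenerateSecretString:
        SecretStringTemplate: '{"username":"app"}'   # non-secret fields only
        GenerateStringKey: password                  # key that receives the random value
        PasswordLength: 32
        ExcludeCharacters: '"@/\'                    # avoid characters RDS rejects

  # Consumer: the dynamic reference is resolved by CloudFormation at deploy
  # time. The resolved value is not written into the stored template or shown
  # in the console; only the reference string is.
  Database:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Delete
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.micro          # constructed sizing
      AllocatedStorage: '20'
      MasterUsername: !Sub '{{resolve:secretsmanager:${GeneratedSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${GeneratedSecret}:SecretString:password}}'

Outputs:
  GeneratedSecretArn:
    Description: The ARN is safe to export; the value itself is never an output
    Value: !Ref GeneratedSecret
```

`GenerateSecretString` is evaluated once, at creation; later rotation is a separate concern handled by `AWS::SecretsManager::RotationSchedule`. For SSM, the same idea applies in the other direction: a SecureString parameter created outside the template can still be consumed with a `{{resolve:ssm-secure:name:version}}` reference in the resource properties AWS documents as supporting it, so the template references the parameter without ever containing its value.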