What are some good practices on managing secrets via AWS Secret Manager? If we go with IaC (i.e. Pulumi), we can perhaps start with adding the secret in GitHub Action secrets, and create those Secret resource including the secret strings via Pulumi. But that adds complexity because same secret is now in multiple places (GitHub and AWS). But I also want to avoid manually managing secrets via AWS Console.
Any suggestion?