Update the secrets configuration in app-config's environment-variables.tf to add an additional optional property version which is relevant if managed_by = "code".
Update modules/secret to accept an optional version variable as input
Use the version variable as an input into the keepers map for random_password which can be used to rotate the secret when the version changes
https://github.com/navapbc/template-infra/issues/562 adds the ability to generate secrets. This ticket builds on that to add the ability to rotate the secrets.
Design and implementation
versionwhich is relevant ifmanaged_by = "code".versionvariable as input