We have a terraformed setup, mostly. But the IAM user, group, and policies for Airflow to connect to AWS, e.g. for the EcsOperator, are not terraformed.
A desirable state for me would be: a terraformed IAM user, where the AWS connection information, including access key ID and secret, is seeded into the Airflow connections. Ideally where secrets remain encrypted, e.g. not injected into the Airflow container image as part of the Docker build process.
Currently: Our CI tools build and deploy our Astronomer Airflow container to Astronomer Cloud, and I have manually added AWS connection info through the Airflow connections UI. I manually maintain the user and group policies to enable containers started by Airflow to have the correct permissions.