I’ve found that this plugin will solve the issue of not having passwords in your templates:
Just follow the examples on this page, then you can add:
    custom:
      cf-parameters:
        password: foobar
    # ...
    resources:
      Resources:
        # ...
        MyDb:
          Type: "AWS::RDS::DBInstance"
          Properties:
            # ...
            MasterUserPassword:
              Ref: password
to your template, deploy, then unset the variable and you can commit it to your repo. From now on, every deploy will use the existing param. If you need to change the password, edit the above (but don’t commit), then remove the value after deploy.
It mentions you can use the environment variable as well, which makes the above process easier, but I did not test it.
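A guard for the "edit but don't commit" step described above, as an added example that is not part of the original post or of the plugin: it scans a serverless.yml for values left under `custom.cf-parameters` and exits non-zero if any remain, so it can run as a pre-commit check. The function name `leftover_parameter_values` is hypothetical, the sample files are constructed, and the scan is a minimal indentation-based reader that assumes the block-style layout shown in the post.

```python
import re
import sys

# Constructed sample: the snippet from the post with the password still set.
SAMPLE_SET = """\
custom:
  cf-parameters:
    password: foobar
resources:
  Resources:
    MyDb:
      Type: "AWS::RDS::DBInstance"
      Properties:
        MasterUserPassword:
          Ref: password
"""
# The same file after the value has been removed, as the post describes.
SAMPLE_CLEARED = SAMPLE_SET.replace("password: foobar", "password:")

KEY_LINE = re.compile(r"^(\s*)([\w.-]+):\s*(.*)$")

def leftover_parameter_values(yaml_text, path=("custom", "cf-parameters")):
    """Return the names under custom.cf-parameters that still carry a value."""
    stack = []   # (indent, key) for every enclosing mapping key
    found = []
    for raw in yaml_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()   # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_LINE.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        # Leave every mapping that is not a parent of this line.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        parents = tuple(k for _, k in stack)
        if parents == path and value.strip("'\" ") not in ("", "~", "null"):
            found.append(key)   # report the name only, never the secret
        stack.append((indent, key))
    return found

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SET
    names = leftover_parameter_values(text)
    if names:
        sys.exit("refusing commit, values still set for: " + ", ".join(names))
```

Run it with the path to serverless.yml as the only argument; with no argument it checks the embedded sample and fails, since that sample still contains the value.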