Best practice for granting KMS decrypt for aurora-postgres-resources #30
Unanswered
rauthur asked this question in Questions & Answers
Replies: 1 comment
Following https://github.com/cloudposse-terraform-components/aws-aurora-postgres-resources it seems that the KMS key for the password for any additional users created will be taken from the aurora-postgres module. It doesn't appear to me that this can be configured to be a different key.
What is the best practice for sharing the ability to decrypt an additional user's password from the parameter store with an ECS execution role? I may be missing something, but I also don't want to grant the execution role the ability to decrypt the admin password stored under the same KMS key.