handlename / aws-secrets-dumper

aws-secrets-dumper

aws-secrets-dumper is a command-line tool that bootstraps management of existing secrets on AWS: it dumps them to YAML and generates the Terraform needed to import them.

It supports AWS SSM Parameter Store (--target ssm) and AWS Secrets Manager (--target secretsmanager).

Installation

Download binary from releases

Setup

Usage

First, dump the secrets into a raw (plaintext) YAML file.

$ aws-secrets-dumper --target secretsmanager -prefix production/ dump > secrets.yml

Then, encrypt the raw YAML file with sops.

$ sops --encrypt --kms $KMS_KEY_ARN secrets.yml > secrets.encrypted.yml

Generate a .tf file so that Terraform can manage and import the secrets.

$ aws-secrets-dumper --target ssm -prefix production/ tf | tee secrets.tf
data "sops_file" "ssm_parameters" {
  source_file = "secrets.encrypted.yml"
}

locals {
  ssm_parameters = nonsensitive(
    distinct([
      for key in keys(data.sops_file.ssm_parameters.data) : split(".", key)[0]
    ])
  )
}

resource "aws_ssm_parameter" "parameter" {
  for_each    = toset(local.ssm_parameters)
  name        = "production/${each.key}"
  description = each.value.description
  type        = "SecureString"
  value       = data.sops_file.ssm_parameters.data["${each.value}.value"]
}

import {
  id = "production/SOME_SECRET"
  to = aws_ssm_parameter.parameter["SOME_SECRET"]
}

import {
  id = "production/THAT_ID"
  to = aws_ssm_parameter.parameter["THAT_ID"]
}

Finally, run terraform plan and check the result.
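The dump step above writes secrets.yml in plaintext, and only secrets.encrypted.yml should ever reach version control. The following guard is an added example, not part of aws-secrets-dumper or sops: it treats a YAML file as safe only when it carries a top-level sops metadata block and every leaf value is an ENC[...] ciphertext, so a raw dump or a hand-edited, partially decrypted file is rejected. The sample files it creates are constructed stand-ins (placeholder values, not real sops ciphertext), and the nested key/value/description layout is assumed from the generated Terraform shown above.

```shell
#!/bin/sh
# Added example (not part of aws-secrets-dumper or sops): refuse to treat a
# secrets YAML file as encrypted unless it looks like complete sops output.

# Returns 0 if FILE has a top-level "sops:" block and every leaf value outside
# that block is wrapped in ENC[...]; returns 1 for a raw dump or a file where
# any value is still plaintext (e.g. edited after a "sops -d").
is_sops_encrypted() {
  file="$1"
  [ -f "$file" ] || return 1
  grep -q '^sops:' "$file" || return 1
  awk '
    /^sops:/        { in_sops = 1; next }   # metadata block starts
    /^[^ \t]/       { in_sops = 0 }         # any other top-level key ends it
    in_sops         { next }
    # "key: value" leaf lines (a bare "key:" header has no value and is skipped)
    /^[ \t]*[A-Za-z0-9_.-]+:[ \t]*[^ \t]/ {
      line = $0
      sub(/^[ \t]*[A-Za-z0-9_.-]+:[ \t]*/, "", line)
      if (line !~ /^ENC\[/) { plain = 1 }
    }
    END { exit plain ? 1 : 0 }
  ' "$file"
}

# Given a list of files (e.g. the staged files in a pre-commit hook), fail if
# any YAML file among them is not sops-encrypted. Non-YAML files are ignored.
refuse_plaintext_secrets() {
  status=0
  for f in "$@"; do
    case "$f" in
      *.yml|*.yaml)
        if ! is_sops_encrypted "$f"; then
          echo "refusing: $f is not sops-encrypted" >&2
          status=1
        fi ;;
    esac
  done
  return $status
}

# Writes three constructed sample files into DIR: a raw dump, a stand-in for
# sops output, and a tampered file that has sops metadata but a plaintext value.
make_samples() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/secrets.yml" <<'EOF'
SOME_SECRET:
  value: hunter2-placeholder
  description: example secret
EOF
  cat > "$dir/secrets.encrypted.yml" <<'EOF'
SOME_SECRET:
  value: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
  description: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
sops:
  kms:
    - arn: arn:aws:kms:us-east-1:000000000000:key/placeholder
  version: 3.8.1
EOF
  cat > "$dir/secrets.tampered.yml" <<'EOF'
SOME_SECRET:
  value: hunter2-placeholder
sops:
  version: 3.8.1
EOF
}

# Demo run when executed directly: prints a verdict per sample file.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir"/secrets.yml "$demo_dir"/secrets.encrypted.yml "$demo_dir"/secrets.tampered.yml; do
  if is_sops_encrypted "$f"; then echo "encrypted: $f"; else echo "PLAINTEXT: $f"; fi
done
rm -rf "$demo_dir"
```

Wiring refuse_plaintext_secrets into a pre-commit hook over the staged file list (git diff --cached --name-only) turns the "only the encrypted file is committed" convention into a check; adding secrets.yml to .gitignore is the complementary belt-and-braces step.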

Options

$ aws-secrets-dumper -help
NAME:
   aws-secrets-dumper - Management migration helper for secrets on AWS SSM Parameter Store and AWS Secrets Manager with terraform

USAGE:
   main [global options] command [command options] [arguments...]

COMMANDS:
   version  show version
   dump     dump yaml formatted secrets to stdout
   tf       output terraform resource denifition(s) to stdout
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --target value   'ssm' or 'secretsmanager
   --prefix value   secret name prefix
   --remove-prefix  remove prefix from key in dump result (default: false)
   --help, -h       show help (default: false)

Run COMMAND with the --help flag to show the help for that command.

License

see LICENSE file.

Author

@handlename (https://github.com/handlename)

About

License: MIT License
