I think it's security risk to store secrets in CloudFormation templates, even in private repositories. You may store all secrets directly in AWS Secrets Manager and use secret references in your CloudFormation when needed. As for version control, there is AWS Secrets Manager's built-in configuration.