It appears the current implementation requires the lambda to get the database password from Secrets Manager. In a private VPC, this requires adding VPC endpoints to the VPC to allow the lambda to contact secrets manager. These endpoints are not exactly cheap, especially if supporting the Flyway lambda is the only use for them. It sure would be nice to be able to put the database password in either the event or in an environment variable to avoid having to set up and pay for VPC endpoints.
It appears the current implementation requires the lambda to get the database password from Secrets Manager. In a private VPC, this requires adding VPC endpoints to the VPC to allow the lambda to contact secrets manager. These endpoints are not exactly cheap, especially if supporting the Flyway lambda is the only use for them. It sure would be nice to be able to put the database password in either the event or in an environment variable to avoid having to set up and pay for VPC endpoints.