diff --git a/aws/proposals/oracle-secret-rotation/README.md b/aws/proposals/oracle-secret-rotation/README.md
index b1028387..55e402ca 100644
--- a/aws/proposals/oracle-secret-rotation/README.md
+++ b/aws/proposals/oracle-secret-rotation/README.md
@@ -27,3 +27,11 @@ Create script (python, powershell) to pull secret with AWS CLI or SDK:
   get-oracle-password --rds-instance NAME --database NAME --username NAME
 
 outputs password
+
+## Deployment
+
+* use SAM (TF resource) once per region for the Lambda stuff
+  * prefix of ent-oracle-user-secret-rotation (maybe)
+* create module to create the secret (using the form above) and inputs of all the other things
+  * perhaps with the starter password too?  or generate it and have an admin add it?
+