How do you handle sensitive values like passwords in Terraform without exposing them in state?

Medium Topic: Terraform May 24, 2026

Terraform state files contain sensitive values in plaintext — this is a known limitation. Mitigations:

  • Mark as sensitive: sensitive = true on variables and outputs prevents them from appearing in CLI output.
  • Avoid storing in state: Use AWS Secrets Manager or Vault to generate and store secrets externally. Reference via data source or environment variable.
  • Encrypt state: S3 backend with server-side encryption (SSE-KMS).
  • Restrict access: The S3 bucket containing state should have strict IAM policies — only CI/CD roles should have access.
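
The following check is an added example, not part of the original answer. It illustrates why the first mitigation is not enough on its own: sensitive = true only redacts CLI output, and the value is still written to the state file. The sample state is constructed, and the list of secret-looking attribute names is an assumption to adapt.

```python
import json

# Constructed sample of a Terraform state file (format version 4), trimmed to
# the fields this check reads. All values are made up for the example.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "outputs": {
        "db_password": {"value": "constructed-Passw0rd!", "type": "string", "sensitive": True},
        "db_endpoint": {"value": "db.example.internal:5432", "type": "string"},
    },
    "resources": [{
        "mode": "managed", "type": "aws_db_instance", "name": "main",
        "instances": [{"attributes": {
            "username": "app",
            "password": "constructed-Passw0rd!",
            "manage_master_user_password": None,  # null: nothing stored here
        }}],
    }],
})

# Assumption: attribute names containing these words hold secrets.
SECRET_HINTS = ("password", "secret", "token", "private_key")


def find_plaintext_secrets(state_text):
    """Return sorted addresses of secret-looking values present in the state.

    Only addresses are reported, never the values themselves.
    """
    state = json.loads(state_text)
    hits = []
    # Outputs marked sensitive are hidden on the CLI but stored with their value.
    for name, out in state.get("outputs", {}).items():
        if out.get("sensitive") and out.get("value") not in (None, ""):
            hits.append(f"output.{name}")
    # Resource attributes are stored as plain JSON; flag non-empty string secrets.
    for res in state.get("resources", []):
        for idx, inst in enumerate(res.get("instances", [])):
            for attr, val in (inst.get("attributes") or {}).items():
                named_like_secret = any(h in attr.lower() for h in SECRET_HINTS)
                if named_like_secret and isinstance(val, str) and val:
                    hits.append(f"{res['type']}.{res['name']}[{idx}].{attr}")
    return sorted(hits)


if __name__ == "__main__":
    for address in find_plaintext_secrets(SAMPLE_STATE):
        print("plaintext secret in state:", address)
```

Run it against a copy of a real state file in a pipeline that already has state access; an empty result means no flagged names, not that the state is free of secrets.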