How do you handle sensitive values in Terraform?

Answer

Sensitive values in Terraform require careful handling, at several layers:

- Variable sensitivity: mark variables with sensitive = true. Their values are redacted in plan output and logs but are still stored in state.
- Output sensitivity: similarly mark outputs as sensitive = true.
- State file security: state files contain all sensitive values in plain text. Encrypt your remote backend (S3 server-side encryption, Azure storage encryption), restrict access with IAM/RBAC, and never commit state to Git.
- Secrets injection: do not hardcode secrets in tfvars files. Instead, inject them via environment variables (TF_VAR_db_password=$SECRET) sourced from a vault, or use the Vault provider or the AWS Secrets Manager data source to read secrets at plan time.
- SOPS: encrypt tfvars files at rest.

The Terraform provider documentation often has specific guidance for managing service credentials securely.
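The points above in one configuration, as an added example that is not part of the original answer: an encrypted, locked S3 backend, a sensitive input variable that is only ever supplied through the environment, a secret read from AWS Secrets Manager at plan time, and a sensitive output. The bucket, lock table, KMS alias, secret name and resource names are placeholders, not values from the page.

```hcl
terraform {
  required_version = ">= 1.0"

  # Remote state: the state object holds every sensitive value in clear text,
  # so it is encrypted at rest and locked. Names below are placeholders.
  backend "s3" {
    bucket         = "example-tfstate-bucket"
    key            = "app/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true                    # server-side encryption of the state object
    kms_key_id     = "alias/terraform-state" # placeholder KMS key; restrict via key policy and IAM
    dynamodb_table = "example-tfstate-lock"  # state locking (Terraform 1.10+ can use use_lockfile instead)
  }
}

# Supplied as TF_VAR_db_password from the secret store; never written to a committed tfvars file.
variable "db_password" {
  description = "Database master password"
  type        = string
  sensitive   = true # redacted in `terraform plan` / `apply` output and logs, still present in state
}

# Read an existing secret at plan time instead of hard-coding it. Placeholder secret name.
data "aws_secretsmanager_secret_version" "api_key" {
  secret_id = "example/app/api-key"
}

resource "aws_db_instance" "app" {
  identifier          = "app-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password            = var.db_password # sensitivity propagates; plan shows (sensitive value)
  skip_final_snapshot = true
}

# Non-sensitive data stays readable in `terraform output`.
output "db_endpoint" {
  value = aws_db_instance.app.endpoint
}

# Any output fed by a sensitive value must itself be marked sensitive,
# otherwise Terraform refuses the configuration.
output "db_password" {
  value     = var.db_password
  sensitive = true
}

# The AWS provider already marks secret_string as sensitive; surfacing it
# through an output therefore also requires sensitive = true.
output "api_key" {
  value     = data.aws_secretsmanager_secret_version.api_key.secret_string
  sensitive = true
}
```

Run it with the password injected from the secret store rather than a file, for example `TF_VAR_db_password="$(vault kv get -field=password secret/app/db)" terraform plan`. Two checks worth keeping in mind: `terraform output -json` and `terraform show -json` still print sensitive values in full, so treat those commands' output like the state file itself; and marking a variable sensitive only controls display, so the backend encryption and access controls above, not the flag, are what actually protect the secret at rest.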