What is Terraform's approach to secret management with Vault?

Answer

HashiCorp Vault integrates tightly with Terraform for secret management.

Vault Provider: Terraform can read secrets from Vault with a data source, for example `data "vault_generic_secret" "db_creds" { path = "secret/database/prod" }`, and then reference the value in a resource: `resource "aws_db_instance" "main" { password = data.vault_generic_secret.db_creds.data["password"] }`.

Dynamic credentials: Vault's AWS secrets engine generates short-lived AWS credentials, and Terraform can use these instead of long-lived IAM keys.

Vault as Terraform Cloud backend: store Terraform state in Vault's storage backend.

Security concerns: any Vault secret that Terraform reads is written to the Terraform state, so encrypt the state and restrict access to it.

Vault Agent: run Vault Agent as a sidecar that injects secrets into environment variables before Terraform runs, so the secret never has to pass through Terraform and appear in state. This pattern is common in Kubernetes-based Terraform execution where Vault is the company-wide secrets manager.
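The Vault provider pattern described above, written out as a complete configuration. This is an added example, not code from the page; the Vault address, RDS settings and the `username` key under the secret path are assumed placeholders.

```hcl
# Added example: read database credentials from Vault and pass them to an RDS
# instance. The Vault address and the RDS sizing values are placeholders.
terraform {
  required_providers {
    vault = { source = "hashicorp/vault" }
    aws   = { source = "hashicorp/aws" }
  }
}

provider "vault" {
  # The token is deliberately not hard-coded; the provider reads VAULT_TOKEN
  # from the environment (for example, injected by Vault Agent).
  address = "https://vault.example.internal:8200" # placeholder
}

# Path taken from the page. The provider marks `data` as sensitive, so plan
# and apply output redact it, but the values are still written to state in
# plaintext: encrypt the state backend and restrict read access to it.
data "vault_generic_secret" "db_creds" {
  path = "secret/database/prod"
}

resource "aws_db_instance" "main" {
  identifier          = "main-prod"        # placeholder
  engine              = "postgres"
  instance_class      = "db.t3.micro"      # placeholder
  allocated_storage   = 20
  username            = data.vault_generic_secret.db_creds.data["username"] # assumed key
  password            = data.vault_generic_secret.db_creds.data["password"]
  skip_final_snapshot = true
}

# Only non-secret attributes are exposed as outputs; the password never
# leaves the configuration except through the (protected) state file.
output "db_endpoint" {
  value = aws_db_instance.main.endpoint
}
```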