I'm trying to build a lab with a single domain controller: the VM should be promoted into a new AD forest, but I'm having trouble passing the SafeModeAdministratorPassword (DSRM password) to the promotion script without it ending up in plaintext.
The password is generated by a `random_password` resource (random provider) and stored in Key Vault:
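# DSRM (SafeModeAdministratorPassword) for the new forest.
# Note: the original used typographic quotes (“ ”) around the block labels,
# which HCL does not parse; they are replaced with plain ASCII quotes here.
resource "random_password" "rndm-pass-vm" {
  # 12 characters is the bare minimum worth using even for a lab; increase
  # for anything that is not throw-away.
  length  = 12
  special = true

  # Restrict the special characters to ones that survive being interpolated
  # into the CustomScriptExtension command line unchanged: no quotes,
  # backslash, backtick, `$`, `%`, `^`, `&`, `|`, `<`, `>` or `!`, each of
  # which can break (or, in cmd.exe, be interpreted by) the JSON / cmd.exe /
  # PowerShell layers the value passes through on its way to Install-ADDSForest.
  override_special = "@#_=+[]{}:,.?~-"
}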
###KV Secret
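# Persist the generated DSRM password in Key Vault so it can be retrieved
# later without reading Terraform state.
# Note: the original used typographic quotes (“ ”) around the labels and the
# name, which HCL does not parse; replaced with plain ASCII quotes.
resource "azurerm_key_vault_secret" "kv-sec-vm-pass" {
  name         = "kv-sec-vm-pass"
  value        = random_password.rndm-pass-vm.result
  key_vault_id = azurerm_key_vault.kvne01.id

  # Helps whoever later finds this secret know what it unlocks.
  content_type = "AD DSRM (SafeModeAdministratorPassword) for dc01"

  # The key_vault_id reference already orders this after the vault, so an
  # explicit depends_on on azurerm_key_vault.kvne01 is redundant and omitted.
  # Be aware that `value` is still written to the Terraform state file:
  # protect the state backend (encryption + access control) accordingly.
}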
Is there a solution for this?
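# Runs the forest-promotion PowerShell on dc01 via the Custom Script Extension.
resource "azurerm_virtual_machine_extension" "dc01-ad" {
  name                       = "dc01-ad-ps1"
  virtual_machine_id         = azurerm_windows_virtual_machine.rgne1-vm01.id
  publisher                  = "Microsoft.Compute"
  type                       = "CustomScriptExtension"
  type_handler_version       = "1.9"
  auto_upgrade_minor_version = true

  # The script points -DatabasePath/-LogPath at the NTDS disk, so the disk
  # must exist first. NOTE(review): if the disk is attached by a separate
  # azurerm_virtual_machine_data_disk_attachment resource (not shown here),
  # the dependency should be on that attachment, not on the disk itself —
  # confirm.
  depends_on = [azurerm_managed_disk.dc01-ntds]

  # `settings` is stored and returned in clear by the Azure control plane
  # (portal, `az vm extension show`, ARM template export), so a command that
  # embeds the DSRM password must go in `protected_settings`, which Azure
  # encrypts and never returns. The provider also marks this attribute as
  # sensitive in plan/apply output. The value is still present in the
  # Terraform state file, so the state backend must be protected.
  #
  # jsonencode() replaces the hand-written heredoc JSON so that any character
  # in the command that needs JSON escaping is handled for us.
  protected_settings = jsonencode({
    commandToExecute = "powershell.exe -NoProfile -NonInteractive -Command \"${local.powershell}\""
  })

  # NOTE(review): the script promotes with -NoRebootOnCompletion:$false, i.e.
  # the VM reboots while the extension is still running; that is known to
  # make the extension report a failure even though promotion succeeded.
  # Consider -NoRebootOnCompletion:$true plus a separate reboot step — confirm
  # in your environment.
}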
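locals {
  cmd01 = "Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools"
  cmd02 = "Install-WindowsFeature DNS -IncludeAllSubFeature -IncludeManagementTools"
  cmd03 = "Import-Module ADDSDeployment, DnsServer"

  # The DSRM password as a PowerShell single-quoted literal. Inside '...'
  # PowerShell interprets nothing except a single quote, which is escaped by
  # doubling it. Unquoted (as originally written), any space or shell
  # metacharacter in the random value breaks the command or gets executed.
  # Double quotes cannot be used here because the whole command is already
  # wrapped in \"...\" on the powershell.exe command line.
  #
  # var.safe_mode_administrator_password should be declared `sensitive = true`
  # and be fed from random_password.rndm-pass-vm.result (or the Key Vault
  # secret), never from a tfvars file checked into source control.
  dsrm_password_literal = "'${replace(var.safe_mode_administrator_password, "'", "''")}'"

  # Promotion command. Every user-supplied value is single-quoted so that
  # names or paths containing spaces are passed intact. -ForestMode reuses
  # var.domain_mode, as in the original; add a separate forest_mode variable
  # if the two are meant to differ.
  cmd04 = join(" ", [
    "Install-ADDSForest",
    "-DomainName '${var.domain_name}'",
    "-DomainNetbiosName '${var.domain_netbios_name}'",
    "-DomainMode '${var.domain_mode}'",
    "-ForestMode '${var.domain_mode}'",
    "-DatabasePath '${var.database_path}'",
    "-SysvolPath '${var.sysvol_path}'",
    "-LogPath '${var.log_path}'",
    "-NoRebootOnCompletion:$false",
    "-Force:$true",
    "-SafeModeAdministratorPassword (ConvertTo-SecureString ${local.dsrm_password_literal} -AsPlainText -Force)",
  ])

  # Whole script as a single command string; it is placed in the extension's
  # protected_settings so the password is not exposed through the Azure API.
  # NOTE(review): while the command runs, its full command line (including
  # the password) is visible to local administrators on the VM via the
  # process list; acceptable for a DC being promoted, but be aware of it.
  powershell = "${local.cmd01}; ${local.cmd02}; ${local.cmd03}; ${local.cmd04}"
}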