Azure Key Vault Secret Maintenance & State

Hi All,

What’s the best way to manage Azure Key Vault secrets?
We have a Terraform template that defines some “static” secrets, like connection strings, DB credentials, etc.

At the same time, we also have some dynamic secrets that keep growing/changing every couple of weeks (vendor SFTP creds, API keys, etc.).

My understanding is that if we have mixed secrets, eventually, when we run TF APPLY again in the future, the dynamic secrets will be removed, because they’re different from the state file.
But at the same time, we prefer not to manage the dynamic passwords via the TF template, as they are not infra-related.

Any suggestions?

Regards,
Freddy