EC2 AWS Launch Template Resource - User Data Storage

I am trying to understand how the “user_data” property is stored within the “aws_launch_template” Resource, how can I pass variables within it securely and without them expiring.

To expand upon that, if I used String Interpolation to specify in the Terraform scripts “user_data” property to inject a variable into an environment variable within a generated EC2 (by the Autoscaling Group), where does that Interpolation “user_data” get stored?

If I inject a token within a EC2 instances environment variable for my application to access a database or an API, how do I update that value within the “user_data” property for future scale initiated EC2 instances to use?

Is the simpler option to redeploy and let Terraform notice the difference in the state and update accordingly (then manually connect to already deployed instances and change the environment variable from within)?

Even if I did secure database / API tokens in a third party service or AWS storage, how would I correctly / securely connect to that service though a generated EC2 instance? Wouldn’t that lead to the same problem, just with an extra step?