How do you obfuscate SSM parameters injected into Lambda environment variables?

I am trying to use Securing environment variables (for lambdas). I can do this with the Terraform AWS provider but any value I set to the environment variables gets exposed in both terraform plan and the statefile. So the next step I tried to take was to use AWS SSM Parameters to hold the value I want injected into the environment variables. In Cloudformation, you are able to references the SSM parameter from a special template string. However, in Terraform you must reference the raw decrypted value of the SSM parameter. Instead, I’d prefer to supply the resolve hints instead and have the state file and plan only contain a reference to the ssm parameter instead of the raw value.

Am I overlooking something?