How to generate a sensitive file locally without having anything in the state?

This is what I’ve been using so far to generate a local file with some sensitive content:

Terraform Configuration

# Terraform Cloud Remote Backend

variable "domain_join_username" {
  type        = string
  sensitive   = true
}

variable "domain_join_password" {
  type        = string
  sensitive   = true
}

resource "local_sensitive_file" "packer_secrets" {
  filename = "../packer/secrets.pkrvars.hcl"
  content = templatefile("./templates/packer-secret-vars.tpl", {
    software_container_url =
    sas_token              =
    domain_join_username   = var.domain_join_username
    domain_join_password   = var.domain_join_password
  })
}

But I have realised that its content gets tracked in my Remote Backend (TF Cloud).

What other options do I have to achieve this, without leaking sensitive data in my remote state?

This is an example of something that is better done completely outside of Terraform.

Terraform has a fair amount of flexibility in defining resources, but it’s not a general purpose programming language, and this is a case where it’s not the right tool for the job.
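
One way to follow this advice, as an added example that is not code from the thread: a shell script run before Packer that writes the same `secrets.pkrvars.hcl` from environment variables, so the values never pass through Terraform or its state. The environment variable names and the functions `hcl_escape` and `write_packer_secrets` are assumptions; only the two domain-join values are written because the other two template values are blank in the post.

```shell
#!/bin/sh
# Added example: build the Packer secrets file outside Terraform.
# Assumed inputs: DOMAIN_JOIN_USERNAME and DOMAIN_JOIN_PASSWORD, supplied by
# the CI secret store or the operator's shell, never by Terraform.

# Escape a value for use inside an HCL double-quoted string.
# Backslashes and quotes are escaped; "${" and "%{" are doubled so HCL does
# not treat them as template sequences. Multi-line values are rejected.
hcl_escape() {
  if [ "$(printf '%s' "$1" | wc -l)" -ne 0 ]; then
    echo "value contains a newline, refusing to write it" >&2
    return 1
  fi
  printf '%s' "$1" | sed \
    -e 's/\\/\\\\/g' \
    -e 's/"/\\"/g' \
    -e 's/[$]{/$${/g' \
    -e 's/%{/%%{/g'
}

# Write the variables file at path $1 with owner-only permissions.
# The content goes to a temp file first and is renamed into place, so a
# failed run never leaves a half-written secrets file behind.
write_packer_secrets() {
  out=$1
  if [ -z "${DOMAIN_JOIN_USERNAME:-}" ] || [ -z "${DOMAIN_JOIN_PASSWORD:-}" ]; then
    echo "DOMAIN_JOIN_USERNAME and DOMAIN_JOIN_PASSWORD must be set" >&2
    return 1
  fi
  user=$(hcl_escape "$DOMAIN_JOIN_USERNAME") || return 1
  pass=$(hcl_escape "$DOMAIN_JOIN_PASSWORD") || return 1
  (
    umask 077
    tmp=$(mktemp "$out.XXXXXX") || exit 1
    printf 'domain_join_username = "%s"\ndomain_join_password = "%s"\n' \
      "$user" "$pass" > "$tmp" && mv "$tmp" "$out"
  )
}

# Runs only when an output path is given, e.g.
#   PACKER_SECRETS_OUT=../packer/secrets.pkrvars.hcl sh write-secrets.sh
if [ -n "${PACKER_SECRETS_OUT:-}" ]; then
  write_packer_secrets "$PACKER_SECRETS_OUT"
fi
```
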