Which option helps to keep secrets out of Terraform configuration files?

Marking the variable as sensitive in Terraform is the appropriate approach to keep secrets out of configuration files. When a variable is designated as sensitive, Terraform treats it specially, ensuring that its value is not displayed in the command line output or in the state file when it is generated. This added layer of security helps to minimize the risk of exposure of sensitive information, such as passwords or API keys, which could otherwise be inadvertently shared or logged.

This practice encourages good security hygiene, as it aligns with the principle of least privilege, ensuring that sensitive information is managed appropriately throughout the deployment lifecycle. By marking variables as sensitive, Terraform provides better governance over how such data is treated, allowing for enhanced security postures in infrastructure management.