1

Is there a way to have only an encrypted version of my RDS password in my Terraform code and for AWS to decrypt it for RDS, so you use the decrypted password to log in to the RDS?

So I set my RDS password variable value to the encrypted password, and when Terraform builds the RDS, what I log in with is the unencrypted password?

Wesley Rolnick
doug

1 Answer

3

If I am understanding your question correctly, what you are describing sounds like a perfect use case for SSM. You can store your RDS password as a secure string parameter encrypted by KMS, then reference it in your Terraform file as a data source with decryption. With this method, you only have to reference your decrypted password, and never directly store the encrypted or plain text in your tf file.

data "aws_ssm_parameter" "foo" {
  name = "foo"
  with_decryption = true
}
Preston Martin
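The data source from the answer wired into an RDS instance, as an added example that is not part of the original answer. The parameter path, database settings and state bucket are hypothetical, and the SecureString parameter is assumed to have been created outside Terraform.

```hcl
# Added example: names, paths and sizes are hypothetical placeholders.

terraform {
  backend "s3" {
    bucket  = "example-tfstate-bucket" # assumed bucket name
    key     = "rds/terraform.tfstate"
    region  = "us-east-1"
    encrypt = true # the state file will contain the decrypted password
  }
}

# SecureString parameter created out of band (console or CLI), encrypted with KMS.
# The identity running Terraform needs ssm:GetParameter on the parameter and
# kms:Decrypt on the key that encrypts it.
data "aws_ssm_parameter" "rds_password" {
  name            = "/example/rds/master_password" # assumed parameter path
  with_decryption = true
}

resource "aws_db_instance" "example" {
  identifier        = "example-db"
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  storage_encrypted = true

  username = "dbadmin"
  # The provider marks this value as sensitive, so it is redacted in plan output.
  password = data.aws_ssm_parameter.rds_password.value

  skip_final_snapshot = true # convenient for a throwaway example only
}
```

The password stays out of the `.tf` files, but Terraform records the decrypted value in its state, so the state backend needs encryption at rest and tightly scoped read access.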