I'm using Terraform with Digital Ocean from a linux desktop, but the same problem exists with other service providers: you need to provide some kind of secret for authentication, but you don't want the secret to be in your terraform files where they can accidentally be checked into revision control, thus shared with a thousand of your closest friends and hackers, not to mention search engines.
Most Terraform tutorials and such suggest you put the secret into an environment variable, and then run terraform with something like "terraform plan -var "do_pat=${DO_PAT}" " That works, but now you need to add a parameter to terraform every time you run it. Probably not a big deal when you're using automated CI/CD-type stuff, but if you're running things manually, it's a pain.
If you dig just a little deeper