Add safemodeadminpassword to locals in terraform
Question
Trying to create a lab with one domain controller, and I'm trying to join that VM to a new AD forest, but I'm having trouble adding the SafeModeAdministratorPassword without adding the password as plaintext.

The password is generated by the random_password provider:

```hcl
resource "random_password" "rndm-pass-vm" {
  length  = 12
  special = true
}

resource "azurerm_key_vault_secret" "kv-sec-vm-pass" {
  name         = "kv-sec-vm-pass"
  value        = random_password.rndm-pass-vm.result
  key_vault_id = azurerm_key_vault.kvne01.id
  depends_on   = [azurerm_key_vault.kvne01]
}

resource "azurerm_virtual_machine_extension" "dc01-ad" {
  name                       = "dc01-ad-ps1"
  virtual_machine_id         = azurerm_windows_virtual_machine.rgne1-vm01.id
  depends_on                 = [azurerm_managed_disk.dc01-ntds]
  publisher                  = "Microsoft.Compute"
  type                       = "CustomScriptExtension"
  type_handler_version       = "1.9"
  auto_upgrade_minor_version = true
  settings                   = <<SETTINGS
{
"commandToExecute": "powershell.exe -Command \"${local.powershell}\""
}
SETTINGS
}

locals {
  cmd01      = "Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools"
  cmd02      = "Install-WindowsFeature DNS -IncludeAllSubFeature -IncludeManagementTools"
  cmd03      = "Import-Module ADDSDeployment, DnsServer"
  cmd04      = "Install-ADDSForest -DomainName ${var.domain_name} -DomainNetbiosName ${var.domain_netbios_name} -DomainMode ${var.domain_mode} -ForestMode ${var.domain_mode} -DatabasePath ${var.database_path} -SysvolPath ${var.sysvol_path} -LogPath ${var.log_path} -NoRebootOnCompletion:$false -Force:$true -SafeModeAdministratorPassword (ConvertTo-SecureString ${var.safe_mode_administrator_password} -AsPlainText -Force)"
  powershell = "${local.cmd01}; ${local.cmd02}; ${local.cmd03}; ${local.cmd04}"
}
```
Answer 1
Score: 1
If your resource declarations are OK, you need to create a file named `variables.tf` and insert the following code:

```hcl
variable "safe_mode_administrator_password" {
  type        = string
  description = "The password for the Safe Mode Administrator account."
  sensitive   = true
}
```

Declaring the variable as `sensitive` is a recommendation to protect the secret: https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables#sensitive-variables

And you can check by running:

```
terraform plan
```

That will show you the next screen:

And you can continue to execute the `terraform apply` command.

Update:

To generate the password and use it inside the command, you can declare in the locals block:

```hcl
resource "random_password" "rndm-pass-vm" {
  length  = 12
  special = true
}

locals {
  generated_password = random_password.rndm-pass-vm.result
  cmd01              = "Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools"
  cmd02              = "Install-WindowsFeature DNS -IncludeAllSubFeature -IncludeManagementTools"
  cmd03              = "Import-Module ADDSDeployment, DnsServer"
  # The password is single-quoted so PowerShell does not parse its special characters as syntax.
  cmd04              = "Install-ADDSForest -DomainName 'test.domain' -DomainNetbiosName 'test' -NoRebootOnCompletion:$false -Force:$true -SafeModeAdministratorPassword (ConvertTo-SecureString '${local.generated_password}' -AsPlainText -Force)"
  powershell         = "${local.cmd01}; ${local.cmd02}; ${local.cmd03}; ${local.cmd04}"
}
```

And update the command to use it:

```
... -SafeModeAdministratorPassword (ConvertTo-SecureString '${local.generated_password}' -AsPlainText -Force)" ...
```
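The configuration above still sends the generated password in the extension's public `settings`, which Azure stores and returns in clear text. As an added example (not part of the original answer), the same extension with the command moved to `protected_settings`; resource and variable names are taken from the question, and the `override_special` character set and the `dsrm` local are assumptions introduced here.

```hcl
# Added example, not the answer's code. Names reuse those in the question.
resource "random_password" "rndm-pass-vm" {
  length  = 12
  special = true
  # Assumption: keep only specials that stay literal inside a single-quoted
  # PowerShell string passed through cmd.exe (no quotes, %, $, &, <, >).
  override_special = "!@#*()-_=+[]{}:?"
}

locals {
  cmd01 = "Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools"
  cmd02 = "Install-WindowsFeature DNS -IncludeAllSubFeature -IncludeManagementTools"
  cmd03 = "Import-Module ADDSDeployment, DnsServer"
  # Single quotes stop PowerShell from treating ( ) { } # in the password as syntax.
  dsrm  = "(ConvertTo-SecureString '${random_password.rndm-pass-vm.result}' -AsPlainText -Force)"
  cmd04 = "Install-ADDSForest -DomainName ${var.domain_name} -DomainNetbiosName ${var.domain_netbios_name} -NoRebootOnCompletion:$false -Force:$true -SafeModeAdministratorPassword ${local.dsrm}"

  powershell = "${local.cmd01}; ${local.cmd02}; ${local.cmd03}; ${local.cmd04}"
}

resource "azurerm_virtual_machine_extension" "dc01-ad" {
  name                       = "dc01-ad-ps1"
  virtual_machine_id         = azurerm_windows_virtual_machine.rgne1-vm01.id
  publisher                  = "Microsoft.Compute"
  type                       = "CustomScriptExtension"
  type_handler_version       = "1.9"
  auto_upgrade_minor_version = true
  depends_on                 = [azurerm_managed_disk.dc01-ntds]

  # Weak (as in the question): "settings" is readable by anyone who can
  # view the extension in the portal or through the ARM API.
  # settings = jsonencode({ commandToExecute = "powershell.exe -Command ..." })

  # Corrected: protected_settings is encrypted in transit and at rest and is
  # decrypted only on the target VM; Terraform also marks it sensitive.
  protected_settings = jsonencode({
    commandToExecute = "powershell.exe -Command \"${local.powershell}\""
  })
}
```

The generated password is still written to the Terraform state in plain text, so the state backend needs its own access control and encryption.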