how to keep passwords out of terraform code file

Depending on how your deployment is setup. You can generate a password (random_password) and store it securely in a keyvault and reference it further on when deploying your SQL. You can also reference an existing keyvault secret to be your password.

Some links related to this from Terraform:

Creation of key vault in Terraform:

Fetch the secret from an existing Azure Key Vault:

Information related to Azure Key Vault can be found here: