Extracting secret environment variables from Terraform Cloud

provider.tf

terraform {
  backend "remote" {
    hostname     = "app.terraform.io"
    organization = "secret-org"
    
    workspaces {
      name = "secret-workspace"
    }
  }
  
  required_providers {
    external = {
      source = "hashicorp/external"
      version = "2.2.2"
    }
  }
}

provider "external" {}

secret.sh

#!/bin/bash
echo "{\"value\":\"$MY_SECRET_VARIABLE\"}"

secret.tf

data "external" "secret" {
  program = ["${path.module}/secret.sh"]
}

output "secret" {
  value = data.external.secret.result.value
}

Changes to Outputs:
  + secret = {
      + id          = "-"
      + program     = [
          + "./secret.sh",
        ]
      + query       = null
      + result      = {
          + "value" = "hunter3"
        }
      + working_dir = null
    }