how to keep passwords out of terraform code file

Depending on how your deployment is setup. You can generate a password (random_password) and store it securely in a keyvault and reference it further on when deploying your SQL. You can also reference an existing keyvault secret to be your password.

Some links related to this from Terraform:

Creation of key vault in Terraform: https://www.terraform.io/docs/providers/azurerm/r/key_vault.html

Fetch the secret from an existing Azure Key Vault: https://www.terraform.io/docs/providers/azurerm/d/key_vault_secret.html

Information related to Azure Key Vault can be found here: https://azure.microsoft.com/en-us/services/key-vault/