Add support for ephemeral password input in mongodbatlas_database_user resources
Terraform v1.10 added ephemeral resources that are not persisted in state, and v1.11 then added support for write-only resource attributes. To make use of this new resource type, resources must take a write-only input for applicable variables.
To make use of this in mongodbatlas_database_user, I propose adding an alternative password_wo input that is mutually exclusive with the existing password input, along with a supplementary password_wo_version value that will trigger a change if required (this is the pattern used in aws_secretsmanager_secret_version).
The database user could then be configured as such, without the password being present in the terraform state:

    variable "password_version" {
      description = "Used to track changes to the password"
      type        = number
      default     = 0
    }

    ephemeral "random_password" "example" {
      length           = 16
      special          = true
      override_special = "!#$%&*()-_=+[]"
    }

    resource "mongodbatlas_database_user" "example" {
      username            = "example"
      password_wo         = ephemeral.random_password.example.result
      password_wo_version = var.password_version
      ...
    }

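A state audit that checks the goal stated above, that no database user password is persisted in the Terraform state. This is an added example, not part of the original post or the provider's code; the sample state is constructed, and password_wo / password_wo_version are the attribute names proposed in the post, assumed here to be stored as null the way Terraform stores write-only attributes.

```python
import json

# Constructed sample: a trimmed version-4 Terraform state with two users.
# "legacy" sets the existing password argument; "example" uses the proposed
# password_wo / password_wo_version arguments (names taken from the proposal).
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "mongodbatlas_database_user", "name": "legacy",
         "instances": [{"attributes": {
             "username": "legacy", "password": "constructed-plaintext-value",
             "password_wo": None, "password_wo_version": None}}]},
        {"mode": "managed", "type": "mongodbatlas_database_user", "name": "example",
         "instances": [{"attributes": {
             "username": "example", "password": None,
             "password_wo": None, "password_wo_version": 0}}]},
    ],
})

# Attributes that must never hold a value in state.
SECRET_ATTRS = ("password", "password_wo")


def find_persisted_passwords(state_text, resource_type="mongodbatlas_database_user"):
    """Return (resource address, attribute) pairs whose secret is stored in state."""
    findings = []
    for res in json.loads(state_text).get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != resource_type:
            continue
        # Resources declared inside a module carry a "module" prefix in state.
        prefix = res["module"] + "." if res.get("module") else ""
        for inst in res.get("instances", []):
            address = f'{prefix}{res["type"]}.{res["name"]}'
            if "index_key" in inst:  # count / for_each instances
                address += f'[{json.dumps(inst["index_key"])}]'
            attrs = inst.get("attributes") or {}
            for attr in SECRET_ATTRS:
                if attrs.get(attr) not in (None, ""):
                    findings.append((address, attr))  # never record the value
    return findings


if __name__ == "__main__":
    for address, attr in find_persisted_passwords(SAMPLE_STATE):
        print(f"{address}: '{attr}' is stored in state")
```

A finding on password_wo would mean the attribute is not being treated as write-only, so the check covers both the old argument and a regression in the new one.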
