The Terraform state goal is to track resources last deployed state.
For Vault, it doesn't matter as the current provider write objects
using a create-or-update API, so the policies, auth methods and kv
objects can be reprovisionned without breaking anything.
Also, Vault recommends secret rotation, we've an opportunity here
to easily do that by creating with make rotate an atomic transaction
where we update all secret_id through Terraform then update
the configuration files with Salt.
Finally, secrets need to be stored in Vault, not Terraform state,
so it makes sense to discard state as temporary working file for
this specific workflow.