Is there a way to use secrets from AWS Secrets Manager or Systems Manager Parameter Store? If a customer already manages their secrets in either of them, duplicating the secrets inside of pulumi wouldn't be a great UX, but I'd also love to avoid a scenario where pulumi would get the secrets but then store them in clear text in state (something that terraform likes to do)

You can do this today by using the AWS SDK to read secrets, then using

pulumi.secret

to ensure those values get encrypted in the state file. See https://blog.pulumi.com/managing-secrets-with-pulumi for details on the latter. Note that this is something that goes beyond what Terraform currently supports. We are also considering making some of this more first-class, so that you could pull configuration values directly from Secrets Managaer or other cloud secrets stores instead from Pulumi config. We’re tracking that in https://github.com/pulumi/pulumi/issues/1547. But it should be possible to do this already manually today.