We’ve got a Terraform module spinning up a custom DFO channel. The nice_cxone_oauth_client resource works fine, but the client_secret is ending up in plaintext in the .tfstate file. That’s a no-go for our security audit.
hcl
resource "nice_cxone_oauth_client" "dfo_client" {
name = "prod-dfo-client"
secret = var.oauth_secret
redirect_uris = ["https://app.example.com/callback"]
}
I tried using sensitive = true on the variable, but Terraform still writes the value to the state. The docs for the NICE CXone provider don’t mention any special handling for secrets. Is there a way to encrypt the state or exclude specific attributes from being stored? Or should I just stop using Terraform for this and hit the /api/v2/oauth/clients endpoint directly with a script that handles the secret in memory? Feels like a gap in the provider implementation.