I’m refactoring our CXone infrastructure as code and I’m stuck on how to handle the client_secret for OAuth applications. The current provider forces me to pass the secret directly into the resource block. This means the plain text secret ends up in the Terraform state file. We don’t want that sitting in our backend storage. I’ve tried using the sensitive flag on the variable, but it only masks the output in the CLI. The state file itself still contains the value if you open it up.
I checked the provider documentation but I don’t see a way to inject the secret at runtime or reference a secret manager directly in the resource definition. Is there a pattern for this? I’d rather not store the secrets in the state file at all. Maybe I’m missing a configuration option in the cxone_application resource block. Here is what I’m currently using:
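The state-file behaviour described in the post can be checked with a short audit script. This is an added example, not the poster's configuration and not code from the CXone provider. It assumes the Terraform state format version 4 layout (`resources` → `instances` → `attributes` / `sensitive_attributes`); the resource name `oauth_app`, the `name` attribute and all values are constructed.

```python
import json

# Constructed sample in Terraform state format v4; every value is made up.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [{
        "type": "cxone_application",
        "name": "oauth_app",  # hypothetical resource name
        "instances": [{
            "attributes": {
                "name": "reporting-client",  # assumed attribute
                "client_secret": "EXAMPLE-not-a-real-secret",
            },
            "sensitive_attributes": [[{"type": "get_attr", "value": "client_secret"}]],
        }],
    }],
})

# Heuristic attribute-name fragments (an assumption, extend as needed).
SECRET_HINTS = ("secret", "password", "token", "private_key")


def find_plaintext_secrets(state_text, hints=SECRET_HINTS):
    """Return findings for secret-like attributes stored with a value."""
    findings = []
    state = json.loads(state_text)
    for res in state.get("resources", []):
        for inst in res.get("instances", []):
            # Paths Terraform marked sensitive; the value is still stored.
            marked = {
                step["value"]
                for path in inst.get("sensitive_attributes", [])
                for step in path
                if step.get("type") == "get_attr"
            }
            for key, value in (inst.get("attributes") or {}).items():
                if isinstance(value, str) and value and any(h in key.lower() for h in hints):
                    findings.append({
                        "address": f'{res["type"]}.{res["name"]}',
                        "attribute": key,
                        "marked_sensitive": key in marked,
                        "length": len(value),  # never echo the secret itself
                    })
    return findings


if __name__ == "__main__":
    for finding in find_plaintext_secrets(SAMPLE_STATE):
        print(finding)
```

A finding with `marked_sensitive` set to true is the case the post describes: the attribute is flagged for CLI redaction, yet its value is present in the state.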