We’re using the genesyscloud Terraform provider to manage our CXone infrastructure. Running into a security blocker with OAuth client resources. The provider documentation says to use genesyscloud_oauth_client, but the state file ends up containing the raw client secret in plaintext.
resource "genesyscloud_oauth_client" "main" {
name = "Integration Client"
redirect_uris = ["https://example.com/callback"]
client_secret = var.oauth_secret
}```
Even though `var.oauth_secret` is passed from a secure vault, the state file (`terraform.tfstate`) writes the resolved value. This is a hard no for our audit team. I know Terraform doesn't encrypt state by default, but other providers have ways to handle sensitive fields or mark them as sensitive so they don't show up in diffs or plan outputs.
I tried adding `sensitive = true` to the variable, but that only masks the output in the CLI. The state file still has the value. Is there a pattern or workaround in this provider to keep the secret out of the state file entirely? Or do we have to manage the OAuth client via the REST API outside of IaC and just reference the ID in Terraform? That feels messy but might be the only option.