We’re refactoring our Genesys Cloud setup using the Terraform provider. I’m hitting a wall with the genesyscloud_oauth_client resource. The docs say to use sensitive = true on the client_secret attribute, but that flag only seems to mask the output in the CLI logs. The actual secret still ends up in plaintext in the terraform.tfstate file, which is a huge security risk for our repo.
Here’s the config I’m testing:
```hcl
resource "genesyscloud_oauth_client" "custom_app" {
  name          = "Embeddable SDK Client"
  # Resolved value of the variable is what ends up in terraform.tfstate
  client_secret = var.oauth_secret
  sensitive     = true
}
```
I’ve tried importing the state and manually redacting the value, but terraform plan detects a drift and wants to update it every time. We need a way to manage this without storing the raw secret in the state file. Is there a workaround using remote state encryption or a specific provider feature I’m missing? The standard AWS provider handles this better with KMS keys, but I don’t see an equivalent for Genesys. I’ve checked the provider source code and it doesn’t look like it supports automatic encryption of sensitive fields in the state backend. Any ideas?
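The point the question makes, that `sensitive` only affects display and the value still sits in plaintext in `terraform.tfstate`, can be checked mechanically before the state file is committed or pushed to a backend. The script below is an added example written for this thread, not code from the poster or from the Genesys Cloud provider. It parses a constructed version-4 state document (embedded inline; the resource, id and secret values are made up) and reports every instance attribute that is either listed in the state's `sensitive_attributes` metadata or has a name that looks like a credential, yet holds a non-empty plaintext string. It reports only the attribute's length, never the value, so the report itself is safe to share.

```python
import json
import re

# Constructed sample terraform.tfstate (state format version 4). The resource
# addresses mirror the question; the id and secret values are placeholders.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.5.0",
    "resources": [
        {
            "mode": "managed",
            "type": "genesyscloud_oauth_client",
            "name": "custom_app",
            "instances": [
                {
                    "attributes": {
                        "id": "placeholder-client-id",
                        "name": "Embeddable SDK Client",
                        "client_secret": "placeholder-not-a-real-secret",
                    },
                    # Terraform records sensitive attributes as paths of steps;
                    # this is how a sensitive = true value appears in state.
                    "sensitive_attributes": [
                        [{"type": "get_attr", "value": "client_secret"}]
                    ],
                }
            ],
        },
        {
            "mode": "managed",
            "type": "hypothetical_db_user",
            "name": "reporting",
            "instances": [
                {
                    # Provider did not mark this one sensitive at all, so only a
                    # name-based heuristic will catch it.
                    "attributes": {"id": "u1", "password": "placeholder-pw"},
                    "sensitive_attributes": [],
                }
            ],
        },
    ],
})

# Attribute names that should be treated as credentials even when the provider
# schema does not flag them as sensitive.
CREDENTIAL_NAME = re.compile(r"(secret|password|token|api_key)$", re.IGNORECASE)


def marked_sensitive(instance):
    """Return the top-level attribute names listed in sensitive_attributes."""
    names = set()
    for path in instance.get("sensitive_attributes", []):
        for step in path:
            if step.get("type") == "get_attr":
                names.add(step["value"])
                break  # first get_attr step names the attribute
    return names


def find_plaintext_credentials(state_text):
    """Report sensitive or credential-like attributes stored as plaintext.

    Each finding carries the resource address, the attribute name, whether the
    state marked it sensitive, and the value's length; the value is never copied.
    """
    state = json.loads(state_text)
    if state.get("version") != 4:
        raise ValueError("only state format version 4 is handled")
    findings = []
    for res in state.get("resources", []):
        address = f'{res["type"]}.{res["name"]}'
        for inst in res.get("instances", []):
            attrs = inst.get("attributes", {})
            marked = marked_sensitive(inst)
            for name, value in attrs.items():
                suspicious = name in marked or bool(CREDENTIAL_NAME.search(name))
                if suspicious and isinstance(value, str) and value:
                    findings.append({
                        "address": address,
                        "attribute": name,
                        "marked_sensitive": name in marked,
                        "length": len(value),
                    })
    return findings


if __name__ == "__main__":
    for f in find_plaintext_credentials(SAMPLE_STATE):
        flag = "sensitive" if f["marked_sensitive"] else "unmarked"
        print(f'{f["address"]}.{f["attribute"]}: plaintext ({f["length"]} chars, {flag})')
```

Run it against a real state file by replacing `SAMPLE_STATE` with the file's contents (for example as a pre-commit hook or a CI step that fails when the list is non-empty). A non-empty result is exactly the condition the question describes: the `sensitive` flag is recorded as metadata in `sensitive_attributes`, but the attribute's value next to it is still the raw secret, which is why masking in the CLI does nothing for whoever can read the state backend.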