The documentation for the genesyscloud_oauthclient resource says this:
“The secret value will be stored in the state file. It is recommended to use sensitive variables.”
I’ve tried setting sensitive = true on the variable, but when I run terraform plan, the secret is still visible in the output diff. It shows up as a plain string. This is a security issue. We can’t check the state file into our repo if the secret is readable.
Here is the resource block:
    resource "genesyscloud_oauthclient" "my_client" {
      name   = "Test Client"
      secret = var.oauth_secret
      # sensitive = true # Tried this, doesn't help with the plan output
    }
The variable definition:
    variable "oauth_secret" {
      type      = string
      sensitive = true
    }
Is there a way to mask this in the Terraform output? Or do I have to use the API directly to rotate secrets instead of Terraform? The provider doesn’t seem to support ignoring the secret field in the state either. I’ve looked at the GitHub issues for the provider but haven’t found a clear fix. Just want to make sure I’m not missing a simple config option.
Setting sensitive = true on a variable doesn’t actually mask it in the plan output if the resource itself doesn’t declare that attribute as sensitive. Terraform’s logic here is stricter than most people expect. You’re dealing with a resource that likely hasn’t been updated to respect the sensitivity flag on the secret attribute properly, or you’re looking at the raw state file which stores everything in plain text regardless of the flag.
The real fix isn’t just about the Terraform config. It’s about how you handle the state and the secret lifecycle. First, stop storing the state in a local file if you’re pushing to a repo. Use a remote backend like S3 or Azure Blob with encryption at . That’s non-negotiable.
Second, if you absolutely must manage the secret via Terraform without exposing it in diffs, you have to use the external data source or a secret manager integration. But honestly, for Genesys Cloud OAuth clients, the safest pattern I’ve used in Node.js projects is to create the client via the API directly and then only manage the metadata in Terraform, or use ignore_changes on the secret field if you’re managing the rotation manually.
Here’s how you suppress the diff for the secret specifically:
    resource "genesyscloud_oauthclient" "my_client" {
      name = "My App Client"
      lifecycle {
        ignore_changes = [
          secret
        ]
      }
    }
This tells Terraform to stop trying to track changes to the secret. You’ll manage the secret outside of Terraform. If you need to read it back, query the API. Don’t rely on the state file for secret retrieval. It’s a terrible practice. The sensitive flag is just a hint for the console, not a cryptographic shield. If you’re seeing the plain string in the plan, your provider version might be outdated. Check if genesyscloud provider v1.0+ has patched the attribute sensitivity. If not, the ignore_changes block is your only real option to keep the diff clean.
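Whichever option you pick, the state file still holds the OAuth client secret as a plain string, so the practical safeguard is a check that refuses to let such a state file reach a repository. The following Python script is an added example, not code from this thread or from the Genesys Cloud provider: it parses a Terraform state file (format version 4, the layout used by current Terraform releases), walks every resource instance's attributes, and reports any attribute whose name suggests a credential and whose value is non-empty. The embedded state document is constructed for the example; the resource addresses, IDs and secret value in it are made up. The key-name hints in SECRET_KEY_HINTS are an assumption you should extend for your own providers.

```python
import json
import sys
from typing import Any, Iterator

# Constructed sample terraform.tfstate (state format version 4).
# Every value below is invented for this example.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.5.0",
    "resources": [
        {
            "mode": "managed",
            "type": "genesyscloud_oauthclient",
            "name": "my_client",
            "instances": [
                {
                    "attributes": {
                        "id": "example-client-id",
                        "name": "Test Client",
                        "secret": "constructed-plaintext-secret",
                    },
                    # Even when a provider marks the attribute sensitive, the
                    # value itself is still written to state in plain text.
                    "sensitive_attributes": [],
                }
            ],
        },
        {
            "mode": "managed",
            "type": "aws_s3_bucket",
            "name": "state_bucket",
            "instances": [
                {
                    "attributes": {"id": "example-bucket", "bucket": "example-bucket"},
                    "sensitive_attributes": [],
                }
            ],
        },
    ],
})

# Assumed attribute-name hints for credentials; extend for your providers.
SECRET_KEY_HINTS = ("secret", "password", "token", "private_key", "api_key")


def looks_like_secret_key(key: str) -> bool:
    """True if an attribute name suggests it holds a credential."""
    lowered = key.lower()
    return any(hint in lowered for hint in SECRET_KEY_HINTS)


def walk(value: Any, path: list[str]) -> Iterator[tuple[list[str], Any]]:
    """Yield (path, leaf_value) pairs for every scalar in a nested attribute tree."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from walk(child, path + [key])
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from walk(child, path + [str(index)])
    else:
        yield path, value


def find_plaintext_secrets(state_json: str) -> list[dict[str, Any]]:
    """Return one finding per credential-looking attribute with a non-empty value."""
    state = json.loads(state_json)
    findings: list[dict[str, Any]] = []
    for resource in state.get("resources", []):
        address = f"{resource['type']}.{resource['name']}"
        for index, instance in enumerate(resource.get("instances", [])):
            for path, leaf in walk(instance.get("attributes", {}), []):
                if leaf in (None, "") or not any(looks_like_secret_key(p) for p in path):
                    continue
                findings.append({
                    "address": address,
                    "instance": index,
                    "attribute": ".".join(path),
                    # Report length only; never echo the secret itself.
                    "value_length": len(str(leaf)),
                })
    return findings


def check_state_file(path: str) -> int:
    """Pre-commit style entry point: non-zero exit if any secret is present in state."""
    with open(path, encoding="utf-8") as fh:
        findings = find_plaintext_secrets(fh.read())
    for f in findings:
        print(f"{f['address']}[{f['instance']}].{f['attribute']}: "
              f"plaintext credential ({f['value_length']} chars) in state")
    return 1 if findings else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(check_state_file(sys.argv[1]))
    # No path given: run against the constructed sample state.
    for finding in find_plaintext_secrets(SAMPLE_STATE):
        print(finding)
```

Run it as `python check_state.py terraform.tfstate` from a pre-commit hook or CI job; a non-zero exit blocks the commit. The script deliberately prints only the attribute path and value length, so the check itself never writes the secret to CI logs.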