Genesys Cloud Terraform Provider: Preventing OAuth Secret from Persisting in State File

Running into a security headache with the genesyscloud Terraform provider (v1.58.0). We’re managing OAuth clients via the genesyscloud_oauth_client resource, and the secret attribute is persisting in the .tfstate file in plaintext. This is a hard no for our compliance team.

Here’s the resource block:

resource "genesyscloud_oauth_client" "main_client" {
  name          = "My Custom Integration"
  scopes        = ["webchat:write", "conversations:write"]
  secret        = var.oauth_client_secret # This gets written to state
  redirect_uris = ["https://example.com/callback"]
}

I’ve tried adding sensitive = true to the variable definition, which masks it in CLI output, but the value is still baked into the state JSON. The docs mention using ignore_changes or external data sources, but I’m not seeing a clean way to handle the initial creation without exposing the secret.

Has anyone successfully implemented a pattern where the secret is injected at runtime or managed outside Terraform state? We’re considering using the Genesys REST API directly for the secret update step, but that feels like a workaround. Looking for best practices here.
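
Added example, not part of the original post and not the provider's own code: a Python check over Terraform state JSON (format version 4) that reports where secret-named attributes are stored as plaintext, the condition described above that sensitive = true does not change. The SECRET_KEYS set and the sample state are constructed assumptions.

```python
import json

# Attribute names treated as secret-bearing (assumption; extend per provider).
SECRET_KEYS = {"secret", "client_secret", "password", "token"}

# Constructed sample in Terraform state format v4, not a real state file.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [{
        "mode": "managed",
        "type": "genesyscloud_oauth_client",
        "name": "main_client",
        "instances": [{
            "attributes": {
                "name": "My Custom Integration",
                "secret": "constructed-example-value",
                "redirect_uris": ["https://example.com/callback"],
            },
            # Marks the value for redaction in CLI output only;
            # the value itself is still stored in "attributes" above.
            "sensitive_attributes": [[{"type": "get_attr", "value": "secret"}]],
        }],
    }],
})


def leaves(node, path, key=""):
    """Yield (path, attribute_name, value) for every scalar under node."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from leaves(v, f"{path}.{k}", k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from leaves(v, f"{path}[{i}]", key)
    else:
        yield path, key, node


def find_plaintext_secrets(state_json):
    """Return state paths where a secret-named attribute holds a non-empty string."""
    hits = []
    for res in json.loads(state_json).get("resources", []):
        addr = f'{res["type"]}.{res["name"]}'
        for idx, inst in enumerate(res.get("instances", [])):
            attrs = inst.get("attributes") or {}
            for path, key, val in leaves(attrs, f"{addr}[{idx}]"):
                if key.lower() in SECRET_KEYS and isinstance(val, str) and val:
                    hits.append(path)  # report the location, never the value
    return hits
```

Feeding it the output of terraform state pull in a pipeline gives a list of offending paths to fail the build on, without echoing the secret values themselves.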