We’ve got a pipeline that spins up OAuth clients for our Node.js integrations using the genesyscloud_oauth_client resource. The rotation logic is straightforward in the JS SDK, but handling the secrets in Terraform feels a bit sketchy right now.
The provider docs say to use sensitive = true on the secret attribute, which helps with the console output, but I’m noticing the hashed secret is still sitting in the .terraform.tfstate file in plain sight (well, hashed but readable).
# sensitive is a meta-argument for variables and outputs, not for resource
# arguments, so mark the input variable instead of the resource attribute.
variable "oauth_secret" {
type      = string
sensitive = true
}

resource "genesyscloud_oauth_client" "integration_client" {
name        = "integration-bot-v2"
description = "Internal integration"
secret      = var.oauth_secret   # redacted in plan/apply output, but still written to state
# ... scopes and other config
}
Is there a way to exclude the secret hash from the state file entirely? Or am I just supposed to treat the state file as highly confidential and lock it down? We’re storing state in S3 with encryption, but having the secret hash there feels like a single point of failure if someone gets read access to the bucket.
Tried setting lifecycle { ignore_changes = [secret] } but that breaks the rotation flow since Terraform doesn’t detect the drift. We need the rotation to trigger new secrets every 90 days.
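One way to keep a 90-day rotation without ignore_changes, as an added example rather than code from the question or from the Genesys Cloud provider: let a hashicorp/time rotating timestamp re-key a random_password, so Terraform itself proposes the new secret on schedule and the oauth client is updated in place. The attribute name secret on genesyscloud_oauth_client is taken from the question; the time and random providers are assumptions of this example.

```hcl
terraform {
  required_providers {
    time   = { source = "hashicorp/time" }
    random = { source = "hashicorp/random" }
  }
}

# Rolls over every 90 days. When the rotation time passes, the resource is
# recreated and its id (the base RFC3339 timestamp) changes.
resource "time_rotating" "oauth_secret" {
  rotation_days = 90
}

# keepers ties the password to the rotation id: a new id forces a new result,
# so the secret changes exactly when the 90-day window elapses and never
# otherwise. result is already marked sensitive by the provider.
resource "random_password" "oauth_secret" {
  length  = 48
  special = false
  keepers = {
    rotation = time_rotating.oauth_secret.id
  }
}

resource "genesyscloud_oauth_client" "integration_client" {
  name        = "integration-bot-v2"
  description = "Internal integration"
  secret      = random_password.oauth_secret.result   # attribute name as in the question
  # ... scopes and other config
}
```

Note what this does and does not buy you: the drift the question wants is now driven by Terraform, so no lifecycle override is needed, but random_password.result and whatever the provider stores for the client still live in the state file. Sensitive flags only redact console output; protecting the secret is a property of the state backend (encryption, bucket policy limiting read access, state locking), which is the "treat the state as highly confidential" option from the question.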