Hiding Genesys Cloud OAuth client_secret in Terraform state file

We’ve been moving our Central support queue configuration into Terraform using the Genesys Cloud provider. I’m trying to set up a new OAuth client for our custom adherence webhook, but I’m running into a blocker with security compliance.

The issue is that the genesyscloud_oauth_client resource seems to store the client_secret in the Terraform state file in plain text. We can’t have that committed to our repo or stored in our CI/CD pipeline storage without encryption, and I’m not sure how to handle it properly.

Here is the resource I’m defining:

resource "genesyscloud_oauth_client" "adherence_client" {
  name          = "Central-WFH-Webhook"
  description   = "Client for adherence tracking webhook"
  redirect_uris = ["https://our-internal-tool.example.com/callback"]
  client_secret = "super-secret-value-123"
  scope         = ["webhook:write"]
}

I’ve tried using a local variable or passing it from a sensitive variable, but terraform plan still shows the value in the diff output, and it ends up in the *.tfstate file. I know I should use a secret manager, but I’m not sure if the Genesys provider supports fetching the secret at apply time or if I need to use the API directly after creation.

Is there a way to mask the secret in the state file? Or should I just create the client via the API and then only manage the client ID in Terraform? I’m worried about drift if I don’t manage the whole resource.

I’ve looked at the provider docs but I don’t see a sensitive attribute option for this field.
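
A check a pipeline can run on a state file before storing it, as an added example that is not part of the original post and not the provider's code: it parses Terraform state (format version 4) and reports secret-named attributes that hold plain-text strings, without printing the values. The `SECRET_KEYS` set, the helper names and the sample state are constructed for illustration.

```python
import json

# Attribute names treated as secrets. "client_secret" is the field from the
# post; the other names are assumptions added for illustration.
SECRET_KEYS = {"client_secret", "password", "token"}

# Constructed sample in Terraform state format version 4 (not real output).
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [{
        "mode": "managed", "type": "genesyscloud_oauth_client",
        "name": "adherence_client",
        "instances": [{
            "attributes": {"name": "Central-WFH-Webhook",
                           "client_secret": "super-secret-value-123"},
            # A sensitive marking only records the attribute path here;
            # the value above is still stored in plain text.
            "sensitive_attributes": [[{"type": "get_attr",
                                       "value": "client_secret"}]],
        }],
    }],
})


def leaves(node, path=()):
    """Yield (path, value) for every scalar leaf of nested JSON data."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from leaves(child, path + (key,))
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from leaves(child, path + (str(index),))
    else:
        yield path, node


def find_plaintext_secrets(state_text):
    """Return 'type.name.attr' addresses of non-empty secret-named strings."""
    findings = []
    for res in json.loads(state_text).get("resources", []):
        for inst in res.get("instances", []):
            for path, value in leaves(inst.get("attributes") or {}):
                if SECRET_KEYS & set(path) and isinstance(value, str) and value:
                    findings.append(".".join((res["type"], res["name"]) + path))
    return findings


if __name__ == "__main__":
    # Report locations only; the secret values are never printed.
    for address in find_plaintext_secrets(SAMPLE_STATE):
        print("plaintext secret in state:", address)
```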