Hiding OAuth client_secret in Terraform state for Genesys Cloud CX as Code

We’ve been running our Genesys Cloud org config through the CX as Code Terraform provider for a few months now. It’s working well, but the security team just flagged our state file. The genesyscloud provider block requires a client_id and client_secret to authenticate. When I run terraform plan or apply, the state file gets updated, and the client_secret ends up sitting right there in plaintext in the remote backend (we’re using S3). I know Terraform has sensitive data handling, but I’m not sure how to apply it here without breaking the provider initialization.

Here’s the current setup:

provider "genesyscloud" {
  client_id     = var.genesys_client_id
  client_secret = var.genesys_client_secret
  base_url      = "https://api.mypurecloud.com"
}

I tried marking the variable as sensitive in terraform.tfvars:

# Variable declaration; sensitive is set on the declaration, not on the value.
variable "genesys_client_secret" {
  type      = string
  sensitive = true
}

That hides the value in CLI output, which is nice, but the state file still contains the actual secret string. I read about using a data source to fetch secrets from AWS Secrets Manager, like this:

data "aws_secretsmanager_secret_version" "genesys_secret" {
  secret_id = "prod/genesys/oauth"
}

locals {
  genesys_client_secret = jsondecode(data.aws_secretsmanager_secret_version.genesys_secret.secret_string)["client_secret"]
}

And then passing local.genesys_client_secret to the provider. The issue is, even with this, the local value seems to persist in the state or at least the dependency graph feels heavy. Is there a way to configure the provider to use environment variables instead? I know the docs mention GENESYS_CLOUD_CLIENT_SECRET, but I’m not sure if the provider respects that over the explicit block argument. Also, does using env vars prevent the secret from ever touching the state file, or does Terraform still cache it somewhere? Any pointers on the cleanest way to handle this would be appreciated. We don’t want to store credentials in state.
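Added example (not part of the original post): a small check that answers "is this credential actually in the state file?" from the file itself, by searching every string leaf of resource, data-source and output values, including inside JSON blobs such as secret_string. It assumes the standard version-4 state JSON layout; the sample state and the secret value in it are constructed placeholders.

```python
import json

# Constructed sample of a Terraform v4 state (not a real org's state). It mirrors
# the post's setup: the Secrets Manager data source result, whose secret_string
# is recorded in state verbatim, plus an output. The secret is a placeholder.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "outputs": {"genesys_client_id": {"value": "example-client-id", "type": "string"}},
    "resources": [{
        "mode": "data",
        "type": "aws_secretsmanager_secret_version",
        "name": "genesys_secret",
        "instances": [{
            "attributes": {
                "secret_id": "prod/genesys/oauth",
                "secret_string": json.dumps({"client_id": "example-client-id",
                                             "client_secret": "PLACEHOLDER-not-a-real-secret"}),
            },
            "sensitive_attributes": [],
        }],
    }],
})

def _string_leaves(node, path):
    """Yield (path, value) for every string leaf below node, so a secret embedded
    in a JSON blob such as secret_string is still found by substring match."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from _string_leaves(val, f"{path}.{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from _string_leaves(val, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def find_secret_in_state(state_text, secret):
    """Return the state paths whose value contains `secret`. Resource and data
    source attributes and outputs sit in state in plaintext; `sensitive = true`
    only redacts CLI output, so the sensitive_attributes list is not consulted."""
    state = json.loads(state_text)
    hits = []
    for res in state.get("resources", []):
        base = f'{res["mode"]}.{res["type"]}.{res["name"]}'
        for idx, inst in enumerate(res.get("instances", [])):
            attrs = inst.get("attributes", {})
            hits += [p for p, v in _string_leaves(attrs, f"{base}[{idx}].attributes") if secret in v]
    for name, out in state.get("outputs", {}).items():
        hits += [p for p, v in _string_leaves(out.get("value"), f"output.{name}") if secret in v]
    return hits
```

Run it against a `terraform state pull` dump with the real secret value to see exactly which resource or output carries it; an empty list for the provider credentials but a hit on the data source shows where the exposure really is.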