Using the nice-cxone provider to spin up OAuth clients. The secret gets saved in plain text in the state file. That’s a no-go for us. Tried the sensitive flag but it just obfuscates the output, doesn’t stop it from hitting the backend. Any way to force a random password generation inside the resource block so the secret isn’t part of the config or state? Or should I be using a separate secrets manager lookup?
You can’t really hide the secret from the state file itself if the provider manages the lifecycle. Terraform needs to know what it created to update or destroy it later. The sensitive flag is just for output masking, not storage encryption.
The standard move here is to use a data source to pull the secret from a secrets manager like AWS Secrets Manager or HashiCorp Vault. That way, the secret never touches your codebase or the state file in plaintext. You just pass the reference.
Here’s how you’d wire it up with the AWS provider:
data "aws_secretsmanager_secret_version" "oauth_secret" {
  secret_id = "my-app/oauth-client-secret"
}

resource "nice_cxone_oauth_client" "this" {
  name          = "MyApp"
  client_secret = data.aws_secretsmanager_secret_version.oauth_secret.secret_string
  # ... other config
}
Make sure your Terraform execution role has permission to read that specific secret. If you’re not using a secrets manager, you’re stuck with the state file being the source of truth, which means you need strict access controls on your backend storage.
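A fuller version of the pattern above, added here as an example rather than code from the thread or from the nice-cxone provider. It shows the two pieces the answer mentions but does not spell out: a least-privilege IAM policy scoped to the one secret the execution role needs, and an encrypted, locked remote backend. The backend matters because any value Terraform reads through a data source and passes into a resource argument is still recorded in the state file; the data source keeps the secret out of your repository, while backend encryption and access controls are what protect it at rest. The bucket, lock table, role name and region are assumed placeholders; the `nice_cxone_oauth_client` attributes are the ones used in the answer.

```hcl
terraform {
  # Remote state with server-side encryption and locking. The state still
  # contains the client secret value, so restrict who can read this bucket.
  backend "s3" {
    bucket         = "example-tfstate-bucket"      # assumed bucket name
    key            = "nice-cxone/terraform.tfstate"
    region         = "us-east-1"                   # assumed region
    encrypt        = true
    dynamodb_table = "example-tfstate-lock"        # assumed lock table
  }
}

# Resolve the secret by name so we get its ARN for the IAM policy below.
data "aws_secretsmanager_secret" "oauth" {
  name = "my-app/oauth-client-secret"
}

data "aws_secretsmanager_secret_version" "oauth" {
  secret_id = data.aws_secretsmanager_secret.oauth.id
}

# Least-privilege grant: the execution role may read only this one secret.
# Apply this from an admin/bootstrap run before the role first plans,
# otherwise the data source read above fails with AccessDenied.
data "aws_iam_policy_document" "read_oauth_secret" {
  statement {
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [data.aws_secretsmanager_secret.oauth.arn]
  }
}

resource "aws_iam_role_policy" "tf_read_oauth_secret" {
  name   = "read-oauth-client-secret"
  role   = "example-terraform-exec-role"           # assumed role name
  policy = data.aws_iam_policy_document.read_oauth_secret.json
}

# The secret is referenced, never typed into the configuration.
resource "nice_cxone_oauth_client" "this" {
  name          = "MyApp"
  client_secret = data.aws_secretsmanager_secret_version.oauth.secret_string
  # ... other config
}
```

Rotating the secret is then a change in Secrets Manager followed by a plan/apply, which updates the client without the new value ever appearing in a commit. Keep `terraform plan` output out of CI logs as well; Terraform redacts attributes the provider marks sensitive, but a `-json` plan or a `terraform show` against the state will surface the value to anyone who can run it.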