Running into a snag with the Genesys Cloud Terraform provider. We’re managing OAuth clients via genesyscloud_oauth_client, but the secret value is persisting in the .tfstate file in plaintext. That’s a security issue we can’t ignore.
Here’s the resource block:
resource "genesyscloud_oauth_client" "main" {
  name          = "MyApp"
  secret        = var.oauth_secret
  redirect_uris = ["https://myapp.com/callback"]
}
I’ve tried wrapping the secret in sensitive = true on the variable, but the state file still holds the raw string. There’s no ignore_changes meta-argument that works for secrets in this provider, and random_password doesn’t integrate well with the OAuth client creation flow. Is there a pattern to rotate the secret via API after Terraform applies, or a way to mask it in the state? The docs are silent on this.
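
Added example, not part of the original post: marking a variable sensitive only redacts the value in Terraform's plan and apply output, while the state file still records it, so one defensive check is to audit the state for credential-like attributes. The Python below runs against a constructed state for the resource above; the helper names and the SECRET_HINTS list are assumptions made for this example, and it reports a hash prefix instead of the value itself.

```python
import hashlib
import json

# Constructed sample: trimmed Terraform state (format version 4) for the
# resource in the post. The secret value is made up for this example.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [{
        "type": "genesyscloud_oauth_client",
        "name": "main",
        "instances": [{"attributes": {
            "name": "MyApp",
            "secret": "constructed-example-secret",
            "redirect_uris": ["https://myapp.com/callback"],
        }}],
    }],
})

# Assumption: attribute names containing these words hold credentials.
SECRET_HINTS = ("secret", "password", "token", "private_key")


def walk(node, path=""):
    """Yield (path, value) for every non-empty string leaf in the tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    elif isinstance(node, str) and node:
        yield path, node


def find_plaintext_secrets(state_text):
    """Return (resource address, attribute path, sha256 prefix) findings."""
    findings = []
    for res in json.loads(state_text).get("resources", []):
        address = f'{res["type"]}.{res["name"]}'
        for inst in res.get("instances", []):
            for path, value in walk(inst.get("attributes") or {}):
                if any(h in path.rsplit(".", 1)[-1].lower() for h in SECRET_HINTS):
                    digest = hashlib.sha256(value.encode()).hexdigest()[:12]
                    findings.append((address, path, digest))
    return findings


if __name__ == "__main__":
    for address, path, digest in find_plaintext_secrets(SAMPLE_STATE):
        print(f"{address}: {path} stored in plaintext (sha256 {digest}...)")
```

Run as a CI step over a pulled copy of the state, a non-empty result is a signal to restrict access to the state backend and treat the listed credential as exposed to anyone who can read it.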