We’re trying to set up a GitHub Actions workflow to push our Genesys Cloud org config using the CX as Code Terraform provider. The standard genesyscloud provider block expects a client ID and secret, which works fine locally with our dev credentials. But for the pipeline, spinning up a new short-lived OAuth token every run feels messy and we’ve hit rate limit warnings in the logs when it times out.
I found the endpoint for generating long-lived tokens at /api/v2/oauth/longlivedtokens. I can call it manually with Postman using a user grant token and get back a valid API key. The issue is getting that key into Terraform state or variables securely without hardcoding it.
Is the pattern here to use a separate service account with api.admin scopes to generate the token once, store it in GitHub Secrets, and then just pass that static token to the provider? Or is there a way to have the provider handle the refresh automatically in a headless environment?
Here’s what I’m trying in the provider config:
provider "genesyscloud" {
  api_key    = var.genesis_api_key
  api_secret = var.genesis_api_secret
}
If I use the long-lived token here, do I need to worry about the token expiring mid-apply? The docs are vague on the TTL for these tokens when used by service accounts.
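On the "without hardcoding it" part of the question, the following is an added example, not part of the original post and not code from the provider project: a small pre-merge check that reads Terraform source and reports when the credential arguments of the provider block are literals, or point at variables that are undeclared, not marked sensitive, or carry a default. The argument names and variable names are taken from the post's block; the variable declarations in the sample are constructed.

```python
import re

# Constructed input: the provider block from the post plus hypothetical
# variable declarations (the post does not show how they are declared).
SAMPLE_TF = '''
variable "genesis_api_key" {
  type      = string
  sensitive = true
}

variable "genesis_api_secret" {
  type    = string
  default = "changeme"
}

provider "genesyscloud" {
  api_key    = var.genesis_api_key
  api_secret = var.genesis_api_secret
}
'''

# Assumes flat, `terraform fmt`-style blocks whose closing brace starts a line.
BLOCK_RE = re.compile(r'(variable|provider)\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)
VAR_REF_RE = re.compile(r'var\.(\w+)')

def audit(tf_text, provider="genesyscloud", cred_attrs=("api_key", "api_secret")):
    """List ways the provider's credential arguments could leak into the repo or logs."""
    blocks = [(kind, name, dict(ATTR_RE.findall(body)))
              for kind, name, body in BLOCK_RE.findall(tf_text)]
    variables = {name: attrs for kind, name, attrs in blocks if kind == "variable"}
    findings = []
    for kind, name, attrs in blocks:
        if kind != "provider" or name != provider:
            continue
        for attr in cred_attrs:
            if attr not in attrs:
                continue
            ref = VAR_REF_RE.fullmatch(attrs[attr])
            if ref is None:
                findings.append(f"{attr}: literal value in provider block")
                continue
            decl = variables.get(ref.group(1))
            if decl is None:
                findings.append(f"{attr}: variable {ref.group(1)} is not declared")
                continue
            if decl.get("sensitive") != "true":
                findings.append(f"{attr}: variable {ref.group(1)} is not marked sensitive")
            if "default" in decl:
                findings.append(f"{attr}: variable {ref.group(1)} has a default value")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_TF)) or "no findings")
```

With no default on the variable, Terraform reads the value from a `TF_VAR_genesis_api_key` style environment variable, which is where a CI secret would be mapped in the workflow.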