Obfuscating OAuth client secrets in Genesys Cloud Terraform state

Running into a security snag with the genesyscloud Terraform provider. We’re provisioning OAuth clients for our microservices, but the secret field ends up in plain text in the .tfstate file. I know the provider supports sensitive = true on the data source, but that only masks the output in the console, not the state file itself.

Here’s the snippet causing the leak:

resource "genesyscloud_oauth_client" "api_service" {
  name       = "internal-api"
  grant_type = "client_credentials"
  secret     = var.oauth_client_secret # This persists in state
}

I’ve tried using remote_state with encryption at rest, but the team wants to avoid storing secrets in state entirely. The official docs mention using genesyscloud_oauth_client_secret as a separate resource, but it still references the client ID and seems to store the generated secret somewhere. Is there a pattern for injecting the secret at runtime via environment variables or a secrets manager without Terraform ever seeing the value? Or is the only option to exclude the state file from version control and rely on IAM policies, which feels weak for a shared repo?
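
As an added example that is not part of the original post: a small Python check for the leak described above, suitable for running against a state file in CI. It assumes the Terraform version 4 state layout (resources, instances, attributes); the sample state, the SECRET_KEYS list and the function names are constructed for illustration.

```python
import json

# Attribute names treated as secret-bearing (assumption; extend for your providers).
SECRET_KEYS = {"secret", "client_secret", "password", "token"}

# Constructed sample of a version 4 state file; the attribute names follow the
# snippet in the post and the secret value is a made-up placeholder.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [{
        "mode": "managed",
        "type": "genesyscloud_oauth_client",
        "name": "api_service",
        "instances": [{
            "attributes": {
                "name": "internal-api",
                "grant_type": "client_credentials",
                "secret": "EXAMPLE-NOT-A-REAL-SECRET",
            },
        }],
    }],
})


def walk(value, path=()):
    """Yield (path, leaf) for every scalar nested inside dicts and lists."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from walk(child, path + (str(key),))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from walk(child, path + (str(index),))
    else:
        yield path, value


def find_plaintext_secrets(state_text):
    """Return addresses of non-empty string attributes whose key looks secret."""
    findings = []
    for res in json.loads(state_text).get("resources", []):
        for i, inst in enumerate(res.get("instances", [])):
            for path, leaf in walk(inst.get("attributes") or {}):
                if path[-1].lower() in SECRET_KEYS and isinstance(leaf, str) and leaf:
                    # Report the location only, never the value itself.
                    findings.append(f'{res["type"]}.{res["name"]}[{i}].{".".join(path)}')
    return findings


if __name__ == "__main__":
    for hit in find_plaintext_secrets(SAMPLE_STATE):
        print("plaintext secret in state:", hit)
```

The check reports only the resource address and attribute path, so its output can be written to build logs without repeating the secret.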