We’ve been migrating our Genesys Cloud infrastructure definitions to Terraform using the official genesyscloud provider. Everything is working well for queues, users, and integrations, but we’ve hit a wall with the genesyscloud_oauth_client resource. The documentation states that the client_secret argument is sensitive, yet when I run terraform plan or inspect the .tfstate file, the actual secret string is still visible in the resource attributes block.
Here is the configuration snippet we are using:
resource "genesyscloud_oauth_client" "primary_client" {
name = "Internal Integration Client"
description = "Used for internal API calls"
grant_types = ["client_credentials"]
client_secret = var.oauth_client_secret # This variable is sourced from HashiCorp Vault
}
Even though var.oauth_client_secret is marked as sensitive in our variables file, the state file ends up looking like this:
{
"type": "genesyscloud_oauth_client",
"attributes": {
"client_secret": "some_long_obfuscated_string_here",
...
}
}
This is a major compliance risk for us since our state files are stored in S3 and accessible by the DevOps team. We need the secret to be ephemeral or masked entirely in the state, similar to how AWS handles it with some resources. Is there a specific lifecycle block or argument we are missing? Or does the Genesys provider simply not support true state masking for this field yet? We’ve tried using terraform apply -auto-approve to see if it behaves differently during apply, but the state drift check still exposes it.