Preventing OAuth client secrets from leaking in GC Terraform state file

Stumbled on a weird bug today with the Genesys Cloud Terraform provider where my OAuth client secrets are persisting in plaintext within the terraform.tfstate file, despite marking them as sensitive in the variable definitions.

I am building a Django backend that pushes real-time analytics data to a PostgreSQL store using Celery workers. To automate the deployment of the OAuth clients required for these workers, I am using the genesyscloud provider. The issue is critical because our state file is stored in an S3 bucket with versioning, and having raw secrets in the JSON state is a massive security hole.

Here is the relevant Terraform configuration:

variable "oauth_client_secret" {
  type      = string
  sensitive = true
}

resource "genesyscloud_oauth_client" "analytics_worker" {
  name          = "Analytics Worker Client"
  secret        = var.oauth_client_secret
  grant_types   = ["client_credentials"]
  redirect_uris = ["https://my-internal-app.local/callback"]
}

When I run terraform plan, it correctly masks the value. However, after terraform apply, inspecting the state file reveals:

"attributes": {
  "secret": "SuperSecretKey123!"
}

This defeats the purpose of sensitive = true. I need the state file to store a placeholder or hash, or better yet, not store it at all, while still allowing Terraform to manage the resource lifecycle.

  • Tried setting sensitive = true on both the variable and the resource attribute, which only masks output during plan/apply but does not encrypt the state file.
  • Attempted to use the external data source to pull the secret from AWS Secrets Manager, but the Genesys Cloud provider still writes the resolved value into the state upon creation.

How do other advanced users handle this? Is there a way to force the provider to ignore the secret in state or use a remote backend encryption that actually works with this provider?
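A practical check that follows from the behaviour described above: because `sensitive = true` only drives CLI redaction and leaves the value in the state JSON, the state file itself can be audited for plaintext credentials before it is pushed to a versioned backend. The script below is an added example, not code from the question or from the Genesys Cloud provider. It walks a v4 `terraform.tfstate` document, flags string attributes whose name looks like a credential, reports whether the provider marked them in `sensitive_attributes` (marked but still readable is exactly the situation in the question), and fingerprints the value rather than echoing it. The embedded state document, including its `id` values and provider source string, is constructed for the example.

```python
"""Audit a Terraform v4 state file for credentials stored in plaintext.

Constructed example: the SAMPLE_STATE below mimics what terraform apply
writes for the resource in the question. Nothing here is provider code.
"""
import hashlib
import json
import re

# Attribute names that commonly carry credentials; extend for your providers.
SECRET_NAME_RE = re.compile(
    r"(secret|password|passwd|token|private_key|api_key)", re.IGNORECASE
)

# Constructed sample state. The provider address and ids are placeholders.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.5.7",
    "resources": [
        {
            "mode": "managed",
            "type": "genesyscloud_oauth_client",
            "name": "analytics_worker",
            "provider": "provider[\"registry.terraform.io/example/genesyscloud\"]",
            "instances": [{
                "schema_version": 0,
                "attributes": {
                    "id": "constructed-client-id-1",
                    "name": "Analytics Worker Client",
                    "secret": "SuperSecretKey123!",
                    "grant_types": ["client_credentials"],
                    "redirect_uris": ["https://my-internal-app.local/callback"],
                },
                # Terraform records the mark here, but the value above stays readable.
                "sensitive_attributes": [[{"type": "get_attr", "value": "secret"}]],
            }],
        },
        {
            # Negative case: a client whose secret attribute is null in state.
            "mode": "managed",
            "type": "genesyscloud_oauth_client",
            "name": "reporting_reader",
            "provider": "provider[\"registry.terraform.io/example/genesyscloud\"]",
            "instances": [{
                "schema_version": 0,
                "attributes": {
                    "id": "constructed-client-id-2",
                    "name": "Reporting Reader",
                    "secret": None,
                    "grant_types": ["code"],
                    "redirect_uris": [],
                },
                "sensitive_attributes": [],
            }],
        },
    ],
})


def _walk(value, path=""):
    """Yield (dotted_path, string) for every string nested inside value."""
    if isinstance(value, dict):
        for key, sub in value.items():
            yield from _walk(sub, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, sub in enumerate(value):
            yield from _walk(sub, f"{path}[{index}]")
    elif isinstance(value, str):
        yield path, value


def marked_sensitive(instance):
    """Top-level attribute names the provider flagged sensitive for this instance.

    The mark only controls redaction in plan/apply output; it does not encrypt
    or remove the value from the state file.
    """
    names = set()
    for steps in instance.get("sensitive_attributes", []):
        if steps and steps[0].get("type") == "get_attr":
            names.add(steps[0]["value"])
    return names


def fingerprint(value):
    """Short SHA-256 prefix so a finding can be correlated without re-printing the secret."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]


def find_plaintext_secrets(state):
    """Return one finding per credential-looking string attribute in the state."""
    findings = []
    for resource in state.get("resources", []):
        prefix = "data." if resource.get("mode") == "data" else ""
        address = f"{prefix}{resource['type']}.{resource['name']}"
        for instance in resource.get("instances", []):
            flagged = marked_sensitive(instance)
            for path, value in _walk(instance.get("attributes", {})):
                if not value or not SECRET_NAME_RE.search(path):
                    continue
                top_level = path.split(".")[0].split("[")[0]
                findings.append({
                    "address": address,
                    "attribute": path,
                    "marked_sensitive": top_level in flagged,
                    "length": len(value),
                    "sha256_prefix": fingerprint(value),
                })
    return findings


def audit(state_text):
    """Parse a state document and return its plaintext-credential findings."""
    return find_plaintext_secrets(json.loads(state_text))


if __name__ == "__main__":
    for finding in audit(SAMPLE_STATE):
        status = ("marked sensitive but still plaintext"
                  if finding["marked_sensitive"] else "not marked sensitive")
        print(f"{finding['address']} {finding['attribute']}: {status} "
              f"(len={finding['length']}, sha256={finding['sha256_prefix']})")
```

Run it against a real state with `audit(open("terraform.tfstate").read())` in a pre-push hook or CI job; a non-empty result is the signal that the backend's encryption and access controls, not the `sensitive` flag, are what stand between the bucket's version history and the credential.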