We are looking to implement a secure rotation strategy for our OAuth application client secrets in Genesys Cloud using the Terraform provider. The current setup involves a genesyscloud_oauth_client resource where the secret attribute is hardcoded in the state. If we update the secret value in the Terraform file and run terraform apply, the provider performs an update operation. However, there is a window where the old secret is invalidated before our downstream services can pick up the new credentials from our secret manager. This causes a brief period of 401 Unauthorized errors for any long-running processes that haven’t refreshed their tokens yet.
We have considered creating a second OAuth client and updating the references across all our genesyscloud_routing_integration and custom API connectors, but that introduces significant complexity in managing state and ensuring all dependent resources point to the correct client ID during the transition. Is there a supported pattern or API sequence (perhaps using the /api/v2/oauth/clients endpoints directly via a null_resource with local-exec) that allows us to provision a new secret alongside the old one, wait for propagation, and then revoke the old one? We need a deterministic way to handle this without breaking active sessions.