What’s the best way to lock down an OAuth client to specific divisions when provisioning via Terraform? I’m building a module for a multi-tenant BPO setup where each client gets their own org, but they need shared access to some common resources. The genesyscloud_oauth_client resource doesn’t seem to have a direct attribute for division IDs, which feels like a gap.
I tried setting the client_type to CONFIDENTIAL and adding a division_id in the options map, but that just gets ignored by the provider. The client ends up with global access, which isn’t what we want. Here’s the snippet I’m working with:
resource "genesyscloud_oauth_client" "bpo_client" {
name = "BPO Integration Client"
client_type = "CONFIDENTIAL"
options = {
division_id = "some-division-id"
}
}
The docs mention using the /api/v2/oauth/clients endpoint to update scopes, but I haven’t found a Terraform resource that maps to that. Do I need to use a null_resource with a local-exec script to hit the API directly after the client is created? Or is there a hidden argument in the provider I’m missing? I don’t want to manage this drift manually if I can help it.