Terraform CX-as-Code: Scoping OAuth client to specific divisions for multi-tenant BPO access

We are managing a multi-tenant BPO environment where each client operates within its own division in Genesys Cloud. The current Terraform configuration creates a single OAuth application that requires broad read/write permissions across all divisions. This setup creates security concerns since we want to restrict access so each client can only interact with their respective division data.

The goal is to scope the OAuth client to specific divisions during the Terraform apply process. We have attempted to use the genesyscloud_oauth_client resource with the divisions attribute, but the documentation is sparse on how this interacts with the underlying API permissions.

Here is the current resource definition:

resource "genesyscloud_oauth_client" "bpo_client" {
  name        = "BPO Client OAuth"
  client_type = "confidential"
  divisions   = [genesyscloud_routing_division.client_div.id]

  scopes = [
    "conversation:read",
    "routing:queue:read"
  ]
}

When we apply this configuration, the Terraform plan succeeds, but subsequent API calls using the generated client credentials result in a 403 Forbidden error when attempting to access resources in the specified division. The error response indicates that the client lacks the necessary divisional scope, even though the division ID is explicitly listed in the resource.

We have verified that the division ID is correct and that the OAuth client has been assigned the correct scopes at the global level. The issue seems to be related to how the division scoping is applied during the client creation process.

Has anyone successfully implemented division-scoped OAuth clients using the Terraform provider? Are there additional attributes or configuration steps required to ensure the division restrictions are properly enforced? We are also open to alternative approaches if the current method is not supported by the provider.

Cause: OAuth scopes in Genesys are global. You can’t restrict them to divisions.

Solution: Use the genesyscloud_oauth_client resource to grant admin:division scope. Then, use genesyscloud_oauth_client_division to link the client to specific divisions. The API enforces the division boundary for data access.

resource "genesyscloud_oauth_client_division" "bpo_access" {
  # references the client from the question (with "admin:division" added to its scopes)
  oauth_client_id = genesyscloud_oauth_client.bpo_client.id
  division_id     = var.client_division_id
}
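Added example, not from the thread above: the same pattern generalized to several BPO tenants, giving each tenant its own OAuth client linked only to its own division, so no single credential can read across divisions. The tenants map, the sample division IDs and the output are assumptions; the resource and attribute names are taken from the answer.

```hcl
# One confidential client per tenant, scoped by linking it to exactly one
# division. Names and division IDs below are constructed placeholders.
variable "tenants" {
  type = map(object({ division_id = string }))
  default = {
    acme   = { division_id = "00000000-0000-0000-0000-0000000000a1" }
    globex = { division_id = "00000000-0000-0000-0000-0000000000b2" }
  }
}

resource "genesyscloud_oauth_client" "tenant" {
  for_each    = var.tenants
  name        = "BPO ${each.key} OAuth"
  client_type = "confidential"

  # Scopes are global; admin:division is required before a division link
  # can be enforced for data access.
  scopes = [
    "admin:division",
    "conversation:read",
    "routing:queue:read"
  ]
}

# Link each client to its tenant's division only; the API enforces the
# division boundary on calls made with that client's credentials.
resource "genesyscloud_oauth_client_division" "tenant" {
  for_each        = var.tenants
  oauth_client_id = genesyscloud_oauth_client.tenant[each.key].id
  division_id     = each.value.division_id
}

# Handy for handing each tenant its own client ID without exposing others.
output "tenant_client_ids" {
  value = { for k, c in genesyscloud_oauth_client.tenant : k => c.id }
}
```

Adding a tenant is then a one-line change to the map, and a review of `terraform plan` should show exactly one new client and one new division link per tenant.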