Terraform CXone provider: Hiding OAuth client secrets from state file

Hey folks,

We’ve been migrating our CXone infrastructure to Terraform using the official Nice CXone provider. It’s going mostly smoothly, but I’m hitting a snag with how we handle the OAuth client credentials. Right now, we’re passing the client_id and client_secret directly into the provider block like this:

provider "nice_cxone" {
  region        = var.cxone_region
  client_id     = var.cxone_client_id
  client_secret = var.cxone_client_secret
}

The problem is obvious. When we run terraform plan or apply, the client_secret ends up in the state file in plaintext. We store our state in an S3 bucket with versioning enabled, so even if we delete it, the secret is sitting there in the history. That’s a huge security risk, especially since this state file gets accessed by the CI/CD pipeline and a few devs.

I’ve tried using sensitive = true on the variables in our variables.tf:

variable "cxone_client_secret" {
  type      = string
  sensitive = true
}

But while that hides the value in the CLI output, the state file still contains the actual string. I checked the Terraform docs, and it seems like the state file is meant to track the exact configuration, so it stores the literal value regardless of the sensitive flag.

Has anyone found a clean way to manage these secrets without them leaking into the state? I was thinking about using a data source to pull the secret from AWS Secrets Manager at runtime, but I’m not sure if the CXone provider supports passing a reference or if it strictly needs the string value. Or maybe there’s a way to use a remote backend that encrypts the state more securely? We’re using AWS S3 with KMS encryption, but the data is still readable if someone gets access to the bucket.

Any ideas on how to keep the secret out of the state file entirely? We can’t risk having it exposed if the S3 bucket gets compromised.
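The "pull it from Secrets Manager at runtime" idea from the post, written out as an added example (this is editor-supplied configuration, not code from the post or from the CXone provider's documentation). It assumes Terraform 1.10 or newer, which introduced ephemeral resources and ephemeral variables, and an AWS provider release that ships the ephemeral `aws_secretsmanager_secret_version` resource; the secret name `cxone/oauth`, the bucket and KMS alias, and the JSON layout of the secret are placeholders. It also assumes the `nice_cxone` provider block takes exactly the `region`, `client_id` and `client_secret` arguments shown in the post. The point it demonstrates is the difference between a regular `data` source, whose result (including `secret_string`) Terraform records in the state file, and an ephemeral resource, whose value exists only for the duration of the run and is never written to state or plan files.

```hcl
# Added example, not from the original post or the CXone provider docs.
# Assumes Terraform >= 1.10 and an AWS provider that offers the ephemeral
# aws_secretsmanager_secret_version resource. Names marked "placeholder"
# are made up for illustration.

terraform {
  required_version = ">= 1.10"

  # Encrypted, versioned remote state. Encryption at rest does not help if
  # a principal with read access to the bucket is the threat, so the goal
  # below is to keep the secret out of the state content altogether.
  backend "s3" {
    bucket     = "example-tf-state"        # placeholder
    key        = "cxone/terraform.tfstate" # placeholder
    region     = "us-east-1"               # placeholder
    encrypt    = true
    kms_key_id = "alias/terraform-state"   # placeholder
  }
}

variable "aws_region" {
  type = string
}

variable "cxone_region" {
  type = string
}

provider "aws" {
  region = var.aws_region
}

# DO NOT use the regular data source for credentials: its attributes,
# including secret_string, are persisted in terraform.tfstate.
#
# data "aws_secretsmanager_secret_version" "cxone" {
#   secret_id = "cxone/oauth"
# }

# Ephemeral resource: read fresh on every plan/apply and never stored in
# state or in a saved plan file. The secret is assumed (placeholder) to be
# a JSON object like {"client_id": "...", "client_secret": "..."}.
ephemeral "aws_secretsmanager_secret_version" "cxone" {
  secret_id = "cxone/oauth" # placeholder secret name
}

# Values derived from an ephemeral resource are themselves ephemeral, so
# this local is also excluded from state.
locals {
  cxone_creds = jsondecode(
    ephemeral.aws_secretsmanager_secret_version.cxone.secret_string
  )
}

# Provider configuration is one of the contexts where ephemeral values are
# allowed. Provider arguments are used at runtime only; they are not
# tracked as resource attributes in the state file.
provider "nice_cxone" {
  region        = var.cxone_region
  client_id     = local.cxone_creds.client_id
  client_secret = local.cxone_creds.client_secret
}
```

If the pipeline already holds the secret (for example in the CI system's secret store), the same property can be had without Secrets Manager by declaring `variable "cxone_client_secret" { type = string, sensitive = true, ephemeral = true }` and supplying it through the `TF_VAR_cxone_client_secret` environment variable: `sensitive` only redacts CLI output, while `ephemeral` is what prevents the value from being written to state or plan files. In both variants the thing to verify afterwards is the state itself: run `terraform state pull` and grep the output for the secret value; it should not appear. The residual risk that remains is any CXone resource the provider returns that echoes credential material in its attributes, which would be stored in state like any other resource attribute.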