Hitting a wall with the Genesys Cloud Terraform provider. The genesyscloud_oauth_client resource stores the secret in plain text in the state file. That’s a security risk. Tried setting sensitive = true on the attribute, but the plan still shows the diff. Is there a way to suppress the secret from the state entirely? Or do I need to manage the client creation via API and just import the ID?
resource "genesyscloud_oauth_client" "example" {
  name   = "test"
  secret = "shhh"
}
I ran into this exact issue last quarter. The sensitive = true flag only masks the output in the console; it doesn’t stop Terraform from writing the value to the .tfstate file. That’s by design for most providers.
You can’t hide it in the state if you’re creating the resource via Terraform. The provider needs to know the value to manage the lifecycle.
The workaround is to create the OAuth client outside of Terraform. Use the API or the admin portal. Then, just reference the ID in your config.
data "genesyscloud_oauth_client" "existing" {
  id = "your-oauth-client-id-here"
}

resource "genesyscloud_routing_queue" "main" {
  name = "Support Queue"
  # Reference the client ID for any integrations that need it
  oauth_client_id = data.genesyscloud_oauth_client.existing.id
}
This keeps the secret out of your state file entirely. You’ll need to manage the client’s lifecycle manually, but that’s the only secure way to handle it with the current provider version.
Just make sure you rotate the secret in the portal if it gets compromised. Terraform won’t help you there.
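A quick way to verify the point made in this answer on your own state is to scan the .tfstate JSON for secret-looking attributes and check whether each one was flagged sensitive. The script below is an added example, not code from the thread or from the Genesys Cloud provider; the sample state it embeds is constructed, and the resource addresses, attribute names and the list of secret-like key names are assumptions.

```python
"""Scan a Terraform state file for secret-looking attribute values.

Added example, not from the original thread or the Genesys Cloud provider.
It shows that flagging an attribute sensitive only redacts CLI output: the
"sensitive_attributes" marker is recorded, yet the value itself still sits in
clear under "attributes". The sample state is constructed for illustration;
resource names, attribute names and the secret value are assumptions.
"""
import json
import re

# Attribute names that commonly hold credentials (assumed list; extend as needed).
SECRET_KEY_RE = re.compile(r"(secret|password|token|api_key|private_key)", re.IGNORECASE)

# Constructed sample state (format version 4, as written by Terraform >= 0.12).
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.5.0",
    "resources": [
        {
            "mode": "managed",
            "type": "genesyscloud_oauth_client",
            "name": "example",
            "instances": [
                {
                    "attributes": {"id": "abc-123", "name": "test", "secret": "shhh"},
                    # Terraform records the sensitive flag here, but does not redact the value above.
                    "sensitive_attributes": [[{"type": "get_attr", "value": "secret"}]],
                }
            ],
        },
        {
            # The data-source approach from the answer: only the id is stored.
            "mode": "data",
            "type": "genesyscloud_oauth_client",
            "name": "existing",
            "instances": [{"attributes": {"id": "abc-123", "name": "test"}}],
        },
    ],
})


def _walk(value, path):
    """Yield (path, scalar) for every scalar nested in a JSON attribute tree."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _walk(v, path + [k])
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _walk(v, path + [str(i)])
    else:
        yield path, value


def find_plaintext_secrets(state_json):
    """Return (address, attribute_path, marked_sensitive) for every secret-like
    attribute that holds a non-empty string in the given state document."""
    state = json.loads(state_json)
    findings = []
    for res in state.get("resources", []):
        prefix = "data." if res.get("mode") == "data" else ""
        address = f"{prefix}{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            marked = set()
            for path_steps in inst.get("sensitive_attributes", []):
                # Each entry is a list of path steps; the first get_attr step names the attribute.
                for step in path_steps:
                    if step.get("type") == "get_attr":
                        marked.add(step["value"])
                        break
            for path, value in _walk(inst.get("attributes", {}), []):
                if not path or not isinstance(value, str) or value == "":
                    continue
                if any(SECRET_KEY_RE.search(p) for p in path):
                    findings.append((address, ".".join(path), path[0] in marked))
    return findings


if __name__ == "__main__":
    for address, attr, marked in find_plaintext_secrets(SAMPLE_STATE):
        flag = "sensitive=true" if marked else "not marked"
        print(f"{address}: {attr} stored in clear ({flag})")
```

To run it against a real state, replace SAMPLE_STATE with the contents of your terraform.tfstate (or the output of `terraform state pull`). The managed resource shows up with its flag set and the value still present; the data-source entry from the workaround produces no finding, because only the client ID was ever written.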
The suggestion above is spot on. I just created the client via the API to keep the secret out of state entirely. Then I import it into Terraform so I don’t manage the lifecycle there. Here’s the curl command I used to generate it first.
curl -X POST https://api.mypurecloud.com/api/v2/oauth/clients \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "Tf-Client", "grantType": "client_credentials"}'