I’m setting up our WFM integration infrastructure using the Genesys Cloud Terraform provider. I need to create a new OAuth client for a backend service that pulls adherence data. The documentation suggests using the gen_cloud_oauth_client resource. Here is the basic configuration I’m using.
```hcl
resource "gen_cloud_oauth_client" "wfm_reader" {
  name        = "WFM Adherence Reader"
  description = "Used for pulling WFM metrics via API"
  secret      = "super_secret_key_123"
}
```
The problem is that the secret value is being stored in plain text in the terraform.tfstate file. This is a security risk for our environment. We have strict compliance requirements regarding how credentials are stored. I tried using a local variable to mask it, but Terraform still writes the resolved value to the state file.
```
+ resource "gen_cloud_oauth_client" "wfm_reader" {
    + description = "Used for pulling WFM metrics via API"
    + name        = "WFM Adherence Reader"
    + secret      = (sensitive value)
  }
```
The plan output shows it as sensitive, which is good, but the actual state file contains the raw string. I checked the provider docs and didn’t see a secret_key attribute that references a vault or external secret manager. Is there a way to generate the secret dynamically and not store it? Or should I be using the API directly to handle the secret creation and just manage the client ID in Terraform? I don’t want to commit the state file to our repo. Any help would be appreciated.
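The gap described above (plan output masks the value, state does not) can be checked mechanically. The following is an added example, not part of the original post or the provider's code: it walks a state document in the Terraform v4 state layout and reports which attributes hold a plaintext credential, without printing the value. The sample state is constructed to mirror the resource in the post, and the `SUSPECT_NAMES` list is an assumption.

```python
import json

# Constructed sample in the Terraform state v4 layout, mirroring the post's resource.
SAMPLE_STATE = json.loads("""
{
  "version": 4,
  "resources": [
    {
      "mode": "managed",
      "type": "gen_cloud_oauth_client",
      "name": "wfm_reader",
      "instances": [
        {
          "attributes": {
            "name": "WFM Adherence Reader",
            "description": "Used for pulling WFM metrics via API",
            "secret": "super_secret_key_123"
          },
          "sensitive_attributes": [[{"type": "get_attr", "value": "secret"}]]
        }
      ]
    }
  ]
}
""")

# Assumed attribute names worth flagging even when state does not mark them.
SUSPECT_NAMES = {"secret", "client_secret", "password", "token"}

def find_plaintext_secrets(state, suspect_names=SUSPECT_NAMES):
    """Return sorted (resource address, attribute) pairs holding a plaintext value."""
    findings = set()
    for res in state.get("resources", []):
        address = f'{res["type"]}.{res["name"]}'
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            # Attributes that the state itself records as sensitive.
            marked = {path[0]["value"] for path in inst.get("sensitive_attributes") or []
                      if path and path[0].get("type") == "get_attr"}
            for key in (marked | set(suspect_names)) & set(attrs):
                if isinstance(attrs[key], str) and attrs[key]:
                    findings.add((address, key))  # never record the value itself
    return sorted(findings)

if __name__ == "__main__":
    for address, attr in find_plaintext_secrets(SAMPLE_STATE):
        print(f"{address}: '{attr}' is stored in plaintext in state")
```

To audit a real state, pass the parsed JSON of the state file to `find_plaintext_secrets` instead of `SAMPLE_STATE`.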