Terraform Genesys Cloud: Hide OAuth secret in state

When running terraform apply with the genesyscloud_oauth_client resource, the secret field ends up in the state file as plain text, which is a security nightmare for our CI/CD pipeline.

resource "genesyscloud_oauth_client" "app_client" {
  name   = "android-app"
  secret = var.oauth_secret
}

Is there a sensitive = true attribute or a workaround to mask this in the state file?

The sensitive = true attribute is available in the Genesys Cloud Terraform provider. Just add it to the resource block. It masks the value in the console output and prevents it from being logged in plain text during plan or apply.

resource "genesyscloud_oauth_client" "app_client" {
  name      = "android-app"
  secret    = var.oauth_secret
  sensitive = true
}

The state file itself is still JSON and technically readable if you have access to the backend. You should encrypt your state file at rest. If you’re using S3 or Azure Blob, enable server-side encryption. If it’s local, that’s a bigger problem. Don’t commit the .tfstate file to git.

The masked value in the console helps with CI/CD logs. That’s where the accidental exposure usually happens.
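The answer's point that the state file stays readable JSON, shown as an added example (not code from this thread or from the provider): a Python check a pipeline could run over a state file to list secret-like attributes stored in readable form, without ever printing their values. The layout follows Terraform's version 4 state format; the sample state, the placeholder secret value and the key-name pattern are constructed assumptions.

```python
import json
import re

# Attribute names treated as secret-bearing (assumption; extend for your providers).
SECRET_KEY = re.compile(r"secret|password|token|private_key", re.IGNORECASE)

# Constructed sample in the Terraform state v4 layout; the value is a placeholder.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [{
        "mode": "managed",
        "type": "genesyscloud_oauth_client",
        "name": "app_client",
        "instances": [{
            "attributes": {"name": "android-app", "secret": "EXAMPLE-NOT-A-REAL-SECRET"},
        }],
    }],
})


def leaves(node, path, key=""):
    """Yield (path, key, value) for every non-empty string leaf under node."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from leaves(v, f"{path}.{k}", k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from leaves(v, f"{path}[{i}]", key)
    elif isinstance(node, str) and node:
        yield path, key, node


def plaintext_secrets(state_text):
    """Return addresses of secret-like attributes stored as readable strings in state."""
    state = json.loads(state_text)
    findings = []
    for res in state.get("resources", []):
        address = f'{res["type"]}.{res["name"]}'
        for inst in res.get("instances", []):
            for path, key, _value in leaves(inst.get("attributes", {}), address):
                if SECRET_KEY.search(key):
                    findings.append(path)  # record the address only, never the value
    return findings


if __name__ == "__main__":
    for finding in plaintext_secrets(SAMPLE_STATE):
        print("plaintext secret in state:", finding)
```

A non-empty result means anyone who can read the backend can read those values, so the backend's encryption and access controls are the actual protection.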