Terraform Genesys Cloud provider: hiding OAuth secrets from state file

Hey folks,

I’ve got a bit of a blocker with our Terraform setup for Genesys Cloud. We’re using the official provider to manage some flows and users, but the OAuth client secret is ending up in plaintext in the terraform.tfstate file. Obviously, that’s a no-go for our security team.

I know the provider has a genesyscloud_oauth_client resource, but when I apply it, the secret gets stored in the state. I’ve tried using sensitive = true on the attribute, which stops it from showing up in the console output during apply, but it’s still sitting there in the JSON state file on disk.

Here’s the snippet I’m using:

resource "genesyscloud_oauth_client" "my_client" {
  name   = "terraform-integration"
  secret = var.oauth_secret # This is passed via environment variable

  # Attempting to hide it
  lifecycle {
    prevent_destroy = false
  }
}

Is there a way to use the genesyscloud_oauth_client resource without the secret persisting in the state, or am I just supposed to manage the OAuth client manually outside of Terraform and just reference the client ID? I don’t want to manage two sources of truth if I can help it.

Also, just to be clear, I’m not talking about the user credentials for the provider block itself, but the actual OAuth client definition resource.
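
A check for the behaviour described in the post above, where sensitive = true hides the value from CLI output but the attribute is still written to terraform.tfstate. This is an added example, not part of the original post or the provider's code; the sample state is constructed to mirror the snippet, and the attribute-name pattern is an assumption to adjust per provider.

```python
import json
import re

# Attribute names that usually hold credentials (assumed pattern, adjust per provider).
SECRET_NAME = re.compile(r"(secret|password|token|private_key)", re.I)

# Constructed sample: minimal format-v4 state with a placeholder secret value.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [{
        "mode": "managed",
        "type": "genesyscloud_oauth_client",
        "name": "my_client",
        "instances": [{
            "attributes": {
                "id": "00000000-placeholder",
                "name": "terraform-integration",
                "secret": "EXAMPLE-NOT-A-REAL-SECRET",
            },
        }],
    }],
})

def walk(value, path=()):
    """Yield (path, leaf) for every leaf under a nested dict/list."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from walk(child, path + (str(key),))
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from walk(child, path + (str(i),))
    else:
        yield path, value

def plaintext_secrets(state_text):
    """Return addresses of secret-looking attributes stored as non-empty strings."""
    findings = []
    for res in json.loads(state_text).get("resources", []):
        for idx, inst in enumerate(res.get("instances", [])):
            for path, leaf in walk(inst.get("attributes") or {}):
                named = any(SECRET_NAME.search(p) for p in path)
                if named and isinstance(leaf, str) and leaf:
                    addr = f'{res["type"]}.{res["name"]}[{idx}]'
                    findings.append(addr + "." + ".".join(path))
    return findings

if __name__ == "__main__":
    for address in plaintext_secrets(SAMPLE_STATE):
        print("plaintext in state:", address)  # the value itself is never printed
```

Run against a real state file by passing its contents to plaintext_secrets(); only attribute addresses are reported, so the output is safe to keep in CI logs.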