We’ve been migrating our Genesys Cloud org config to Terraform using the official genesyscloud provider. Everything works fine until we try to manage OAuth clients. The genesyscloud_oauth_client resource requires the client_secret to be set during creation. Obviously, I don’t want this plaintext secret sitting in my terraform.tfstate file, especially since that file gets committed to our git repo for CI/CD tracking.
I tried using the sensitive attribute on the variable, but that only hides it in the CLI output, not the state file itself. The state file still contains the raw string. I also looked into using the genesyscloud_oauth_client_secret resource to rotate it, but you need the initial secret to create the client first. It’s a chicken-and-egg problem.
Here’s the basic resource definition I’m using:
```hcl
resource "genesyscloud_oauth_client" "my_app" {
  name        = "Terraform-Managed-App"
  description = "Managed via IaC"
  client_type = "confidential"
  grant_types = ["client_credentials"]
  scopes      = ["analytics:report:read"]

  # This ends up in the state file as plaintext
  client_secret = var.oauth_client_secret
}
```
I’ve seen some workarounds involving external data sources or remote state backends with encryption, but nothing specific to the Genesys provider. Is there a way to tell the provider to omit the secret from the state after creation? Or maybe a way to import an existing client and update it without re-creating the secret? The docs don’t mention a write-only attribute for this field. I’m worried about compliance audits if someone gets access to the raw state file. We’re using Terraform 1.5.7 and the provider version 1.45.0. Any ideas on how to keep the state file clean?
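Added example for this thread (it is not code from the original post, from the genesyscloud provider, or from HashiCorp): a small Python check that makes the point about `sensitive` concrete and can run as a pre-commit or CI step before the state is committed. It walks a Terraform state document (state format version 4), and reports every string attribute that Terraform has marked in `sensitive_attributes` (the marker sits right beside the plaintext value), that is named like a credential, or that equals a value you know must never land in state. The sample state is constructed by hand; the `genesyscloud_oauth_client` attribute names in it are copied from the question and are not verified against the provider schema, the provider address string is a placeholder the check never reads, and `TF_VAR_oauth_client_secret` is assumed to be how the variable is passed in.

```python
"""Scan a Terraform state document (format version 4) for secrets stored in
plaintext under resources[].instances[].attributes.

Added example, not the original post's or the provider's code. Assumes the v4
state layout written by Terraform 1.x; SAMPLE_STATE is constructed by hand."""
import json
import os
import re
import sys

# Attribute names that usually carry credentials (assumption: tune for your org).
SECRET_KEY_RE = re.compile(r"secret|password|passwd|token|private_key|api_key", re.I)


def _sensitive_attr_names(instance):
    """Top-level attribute names Terraform marked sensitive for this instance.

    Terraform stores them as `sensitive_attributes`: a list of paths, each a
    list of steps such as {"type": "get_attr", "value": "client_secret"}."""
    names = set()
    for path in instance.get("sensitive_attributes", []):
        steps = path if isinstance(path, list) else [path]
        for step in steps:
            if isinstance(step, dict) and step.get("type") == "get_attr":
                names.add(step["value"])
                break
    return names


def _walk(value, path=""):
    """Yield (dotted_path, leaf) for every scalar in a nested attribute tree."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _walk(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for idx, child in enumerate(value):
            yield from _walk(child, f"{path}[{idx}]")
    else:
        yield path, value


def find_plaintext_secrets(state, known_secrets=()):
    """One finding per string attribute that is marked sensitive, is named like a
    credential, or equals one of `known_secrets`. The value itself is not copied
    into the finding (only its length), so the report is safe to print in CI."""
    findings = []
    for res in state.get("resources", []):
        address = f"{res['type']}.{res['name']}"
        if res.get("mode") == "data":
            address = "data." + address
        if res.get("module"):
            address = f"{res['module']}.{address}"
        for inst in res.get("instances", []):
            inst_address = address
            if "index_key" in inst:
                inst_address += f"[{inst['index_key']!r}]"
            sensitive = _sensitive_attr_names(inst)
            for attr_path, leaf in _walk(inst.get("attributes") or {}):
                if not isinstance(leaf, str) or not leaf:
                    continue
                top_level = re.split(r"[.\[]", attr_path, maxsplit=1)[0]
                reasons = []
                if top_level in sensitive:
                    reasons.append("marked sensitive but stored in plaintext")
                if SECRET_KEY_RE.search(attr_path):
                    reasons.append("attribute name looks like a credential")
                if leaf in known_secrets:
                    reasons.append("equals a known secret value")
                if reasons:
                    findings.append({"address": inst_address, "attribute": attr_path,
                                     "reasons": reasons, "value_len": len(leaf)})
    return findings


# Constructed sample: what `terraform state pull` would emit for the resource in
# the question after apply. The secret below is a dummy, not a real credential.
SAMPLE_STATE = {
    "version": 4, "terraform_version": "1.5.7", "serial": 3,
    "lineage": "00000000-0000-0000-0000-000000000000", "outputs": {},
    "resources": [{
        "mode": "managed", "type": "genesyscloud_oauth_client", "name": "my_app",
        "provider": "provider[\"registry.terraform.io/example/genesyscloud\"]",  # placeholder
        "instances": [{
            "schema_version": 0,
            "attributes": {
                "id": "constructed-client-id",
                "name": "Terraform-Managed-App",
                "description": "Managed via IaC",
                "client_type": "confidential",
                "grant_types": ["client_credentials"],
                "scopes": ["analytics:report:read"],
                "client_secret": "constructed-example-secret-DO-NOT-USE",
            },
            # sensitive = true on the variable only produces this marker; the
            # plaintext value is still stored right above it.
            "sensitive_attributes": [[{"type": "get_attr", "value": "client_secret"}]],
        }],
    }],
}


def main(argv):
    """CLI: exit 1 when the state contains plaintext secrets, else 0."""
    if len(argv) != 2:
        print("usage: check_state.py <terraform.tfstate>", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        state = json.load(fh)
    # The value supplied as var.oauth_client_secret via TF_VAR_... must never appear.
    known = tuple(v for v in (os.environ.get("TF_VAR_oauth_client_secret"),) if v)
    findings = find_plaintext_secrets(state, known_secrets=known)
    for f in findings:
        print(f"{f['address']}: {f['attribute']} ({'; '.join(f['reasons'])}, {f['value_len']} chars)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against what Terraform actually writes, not the .tf source: `terraform state pull > state.json && python3 check_state.py state.json`. It exits 1 on findings, so it can gate the commit or fail the pipeline. It only detects the leak; it does not change what the provider puts in state.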