Need some help troubleshooting something weird with the genesys cloud terraform provider. i am trying to manage an oauth client using the genesyscloud_oauth_client resource but every time i run terraform plan the client secret is showing up in the diff and obviously ends up in the .tfstate file as plain text. that is a massive security risk for our serverless event processing pipeline.
i tried using the sensitive argument like this:
resource "genesyscloud_oauth_client" "my_client" {
name = "lambda-event-bridge"
grant_types = ["client_credentials"]
client_secret = var.oauth_secret
sensitive = true
}
but it still dumps the value in the state file. i know terraform doesn’t encrypt state by default but is there a way to mask this specific field or use a data source instead so it doesn’t persist? i am using node 18 for my lambda handlers but this is purely infra code. anyone got a workaround for this?