Ran into a weird issue today with the Genesys Cloud Terraform Provider when provisioning new OAuth clients via `genesyscloud_oauth_client`.
I am building a secure CX as Code pipeline for our React agent desktop integration. The requirement is strict: no secrets in state.
I have configured the resource with `sensitive = true` on the `client_secret` attribute in my local module. However, upon running `terraform plan`, the diff output explicitly shows the generated secret value in plain text within the state file diff. This violates our security policy for US/Pacific dev environments.
Here is my current configuration snippet:
```hcl
resource "genesyscloud_oauth_client" "agent_desktop_client" {
  name        = "react-desktop-sdk"
  client_type = "public"
  # Attempting to mask output
  client_secret = random_password.oauth_secret.result
  # This flag is supposed to hide values in logs and state
  sensitive       = true
  allowed_origins = ["https://app.example.com"]
}

resource "random_password" "oauth_secret" {
  length  = 32
  special = false
}
```
According to the Genesys Docs, the `sensitive` attribute should prevent the value from being written to the state file or displayed in logs. Yet `terraform show` reveals the hash, and the plan output leaks the actual string before hashing.
I have tried:
- Using `random_password` with `keepers` to force regeneration.
- Setting `lifecycle { ignore_changes = [client_secret] }`, but this breaks subsequent updates.
- Passing the secret via environment variables using `TF_VAR`, but the provider does not support external secret injection for this resource type.
The API endpoint `POST /api/v2/oauth/clients` returns the secret in the 201 response body. The provider seems to cache this response directly into the state.
How do you handle OAuth client secret management in Terraform for Genesys Cloud without exposing the secret in the `terraform.tfstate` file? Is there a workaround using a null resource or external data source?
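Two Terraform facts frame this question: `sensitive = true` is an argument of `variable` and `output` blocks (it redacts values in CLI output and plan diffs), and state stores every resource attribute in plaintext regardless of that flag; a sensitive-marked attribute is only recorded as such in the instance's `sensitive_attributes` list. The state audit below is an added example, not code from the post or from the Genesys provider. It parses a state file in the v4 JSON format and reports which secret-looking attributes are present in plaintext, so a pipeline can fail before such a state is committed or uploaded. The resource type, resource names and attribute names come from the post; the sample state document, its secret value and the provider addresses are constructed for the example.

```python
"""Audit a Terraform state file (JSON, state format v4) for plaintext secrets.

The state document below is constructed for this example (added code, not the
post author's or the provider's). It shows what `terraform state pull` could
return after applying the configuration in the question: the generated
password is present twice, once in random_password.oauth_secret.result (which
the random provider marks sensitive) and once in the OAuth client's
client_secret attribute, both as plaintext strings.
"""
import hashlib
import json

# Attribute names that must never sit in plaintext in a committed state file.
SECRET_ATTRIBUTES = {"client_secret", "result", "password", "token"}

# Constructed sample state; values are placeholders, not real credentials.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.6.0",
    "serial": 3,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "outputs": {},
    "resources": [
        {
            "mode": "managed",
            "type": "random_password",
            "name": "oauth_secret",
            "provider": "provider[\"registry.terraform.io/hashicorp/random\"]",
            "instances": [{
                "schema_version": 0,
                "attributes": {"length": 32, "special": False,
                               "result": "EXAMPLE-PLAINTEXT-SECRET-0123456789"},
                # The schema marks 'result' sensitive; state stores it anyway.
                "sensitive_attributes": [[{"type": "get_attr", "value": "result"}]],
            }],
        },
        {
            "mode": "managed",
            "type": "genesyscloud_oauth_client",
            "name": "agent_desktop_client",
            "provider": "provider[\"registry.terraform.io/example/genesyscloud\"]",
            "instances": [{
                "schema_version": 0,
                "attributes": {"name": "react-desktop-sdk",
                               "client_type": "public",
                               "client_secret": "EXAMPLE-PLAINTEXT-SECRET-0123456789",
                               "allowed_origins": ["https://app.example.com"]},
                "sensitive_attributes": [],
            }],
        },
    ],
})


def sensitive_paths(instance):
    """Top-level attribute names the state marks as sensitive for one instance."""
    names = set()
    for path in instance.get("sensitive_attributes", []):
        if path and path[0].get("type") == "get_attr":
            names.add(path[0]["value"])
    return names


def _iter_secret_attributes(state, secret_attrs):
    """Yield (address, attribute, value, marked_sensitive) for every non-empty
    string attribute whose name is in secret_attrs."""
    for res in state.get("resources", []):
        address = f"{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            marked = sensitive_paths(inst)
            for key, value in inst.get("attributes", {}).items():
                if key in secret_attrs and isinstance(value, str) and value:
                    yield address, key, value, key in marked


def find_plaintext_secrets(state_json, secret_attrs=SECRET_ATTRIBUTES):
    """Return one finding per secret attribute stored in plaintext. The
    'marked_sensitive' flag only changes how the CLI displays the value, so
    marked and unmarked attributes are both reported."""
    state = json.loads(state_json)
    return [
        {"address": address, "attribute": key,
         "marked_sensitive": marked, "value_length": len(value)}
        for address, key, value, marked in _iter_secret_attributes(state, secret_attrs)
    ]


def secret_occurrences(state_json, secret_attrs=SECRET_ATTRIBUTES):
    """Group findings by secret value so a value copied between resources
    (random_password result -> client_secret) is listed once with every
    address holding it. Keys are truncated SHA-256 digests, so the report
    itself never repeats the secret."""
    state = json.loads(state_json)
    by_digest = {}
    for address, key, value, _ in _iter_secret_attributes(state, secret_attrs):
        digest = hashlib.sha256(value.encode()).hexdigest()[:12]
        by_digest.setdefault(digest, []).append(f"{address}.{key}")
    return by_digest


if __name__ == "__main__":
    # Usage in a pipeline: `terraform state pull | python audit_state.py`
    # (replace SAMPLE_STATE with sys.stdin.read()); non-zero exit fails the job.
    import sys
    report = find_plaintext_secrets(SAMPLE_STATE)
    for f in report:
        print(f"{f['address']}.{f['attribute']}: plaintext, "
              f"{f['value_length']} chars, marked_sensitive={f['marked_sensitive']}")
    for digest, addresses in secret_occurrences(SAMPLE_STATE).items():
        print(f"value sha256[:12]={digest} stored at {len(addresses)} addresses")
    sys.exit(1 if report else 0)
```

Running the audit on the sample reports both addresses and shows they hold the same value, which is the practical consequence of the question's setup: once the provider records the API response, the secret lives in state (and in any remote backend, plan file or `terraform show` output derived from it), so protection has to come from state encryption and access control rather than from a display-only flag.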