Running into a bit of a snag with our TF setup for Genesys Cloud. We’re using the genesyscloud provider, which requires client_id and client_secret to authenticate. The problem is the secret ends up in the terraform.tfstate file in plain text. That’s a no-go for our security team, especially since the state file gets pushed to S3.
I’ve tried marking the secret as sensitive in the provider block:
provider "genesyscloud" {
  client_id     = var.genesys_client_id
  client_secret = var.genesys_client_secret
}

variable "genesys_client_secret" {
  type      = string
  sensitive = true
}
But terraform show still dumps the value, and the state file isn’t encrypted by default in our CI pipeline. I know I can use remote state with encryption, but I’d rather not store the secret in state at all if possible. Is there a way to fetch the token dynamically at runtime so the provider doesn’t need the secret in the config? Or should I be using the genesyscloud_oauth data source differently? Feels like I’m missing a pattern here.
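A pre-push check of the kind the security team would want, added here as an example and not part of the original post: it walks a parsed terraform.tfstate (assumed to be the JSON document Terraform writes) and reports attribute paths whose key name looks credential-like or whose value equals a secret you already hold (for instance the value of var.genesys_client_secret read from the CI secret store). The sample state, its resource type and all values are constructed.

```python
import json
import re

# Key names that commonly hold credentials; extend for your providers.
SECRET_KEY_PATTERN = re.compile(r"(secret|password|token|api_key)", re.IGNORECASE)


def find_secret_paths(state, known_secrets=()):
    """Return dotted paths in a parsed tfstate that look like leaked credentials.

    A leaf string is reported when its own key matches SECRET_KEY_PATTERN or when
    its value equals one of known_secrets (catches secrets copied into
    innocuous-looking fields such as descriptions).
    """
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [str(key)])
        elif isinstance(node, list):
            for idx, value in enumerate(node):
                walk(value, path + [str(idx)])
        elif isinstance(node, str) and node:
            key = path[-1] if path else ""
            if SECRET_KEY_PATTERN.search(key) or node in known_secrets:
                findings.append(".".join(path))

    walk(state, [])
    return findings


def scan_state_file(path, known_secrets=()):
    """Load a terraform.tfstate from disk and scan it."""
    with open(path) as fh:
        return find_secret_paths(json.load(fh), known_secrets)


# Constructed sample state (not a real tfstate, resource type is hypothetical):
# one instance whose attributes carry a credential the way the question describes.
SAMPLE_STATE = {
    "version": 4,
    "resources": [{
        "type": "genesyscloud_example",
        "name": "demo",
        "instances": [{"attributes": {
            "id": "abc-123",
            "name": "demo",
            "client_secret": "s3cr3t-value",
            "description": "s3cr3t-value",
        }}],
    }],
}

if __name__ == "__main__":
    for hit in find_secret_paths(SAMPLE_STATE, known_secrets=("s3cr3t-value",)):
        print("possible credential in state at:", hit)
```

Run it in the pipeline before the S3 push and fail the job on any finding; feed it the real secret value so copies under unexpected keys are caught too.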