Terraform: Hiding OAuth client secrets from state file?

js_phantom · January 30, 2026, 8:58pm

How do you handle genesyscloud_oauth_client secrets in Terraform without them leaking into the .tfstate? The client_secret attribute is plain text in the state by default. I’ve tried sensitive = true on the resource, but it only masks CLI output, not the actual JSON state file. Is there a pattern to rotate these without persisting the secret in state, or are we just accepting the risk? Here’s the block:

resource "genesyscloud_oauth_client" "main" {
 name = "api-client"
 client_secret = "super-secret"
}

studio_snippet · January 30, 2026, 10:45pm

The state file stores computed values, so sensitive only hides CLI output. You need to manage the secret externally. Create the client via API or UI, then use a data source in Terraform to fetch the ID. This keeps the secret out of state entirely.

data "genesyscloud_oauth_client" "existing" {
 name = "my-client"
}

resource "genesyscloud_oauth_client_scope" "scopes" {
 oauth_client_id = data.genesyscloud_oauth_client.existing.id
 # ...
}