Working on our CX as Code pipeline. When I create a genesyscloud_oauth_client resource, the secret attribute ends up in the .tfstate file in plain text. This is a security risk for our repo.
I tried using sensitive = true on the variable, but the state file still holds the value. The Genesys API requires the secret to be sent in the body for updates, but I don’t want it stored locally.
Is there a way to force Terraform to mask this in the state or use a data source that doesn’t persist the secret?
sensitive = true doesn’t encrypt the state file. It just stops it from printing to stdout during plan or apply. The value is still sitting there in base64-encoded JSON in .tfstate. If you’re worried about the repo, you’re already in trouble if that file is checked in.
The docs for the provider don’t have a magic switch for this because Terraform’s state management is separate from the API call. You have to move the secret out of the state entirely or encrypt the state at rest.
Option 1: Use a remote backend with encryption.
terraform {
  backend "s3" {
    bucket         = "my-terraform-state"
    key            = "genesys/oauth/state.tfstate"
    region         = "eu-west-1"
    encrypt        = true
    dynamodb_table = "terraform-locks"
  }
}
This keeps the plain text secret off your local disk and encrypts it in S3.
Option 2: Don’t manage the secret in Terraform at all.
Create the OAuth client once via the API or UI, export the secret to a secret manager (AWS Secrets Manager, Azure Key Vault, etc.), and reference that in your code. Terraform should only manage the client_id and the scopes.
The provider docs state: “The secret attribute is required on creation but not needed for updates if the client ID remains the same.” You can use ignore_changes to stop Terraform from trying to read/write it after the initial apply.
resource "genesyscloud_oauth_client" "main" {
  name        = "My App"
  description = "Managed by Terraform"
  grant_types = ["client_credentials"]
  secret      = var.oauth_secret # Only used on create

  lifecycle {
    # After the first apply, drift in the secret is ignored, so rotating it
    # outside Terraform does not make the next plan try to write it back.
    ignore_changes = [secret]
  }
}
Just make sure var.oauth_secret is passed in from a secret manager or CI/CD environment variable. Don’t hardcode it.
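As an added example (not code from this thread, Terraform, or the Genesys provider), here is a small pre-commit style check that parses the v4 JSON state format and reports any OAuth client secret sitting in plain text, telling apart values that carry Terraform's sensitive_attributes marker from those that do not. The embedded state is constructed: the grant_types and secret attribute names follow the answer's resource block, the client_secret key, provider address, ids and secret strings are assumptions, and the real provider schema may differ.

```python
#!/usr/bin/env python3
"""Fail if a Terraform state file holds an OAuth client secret in plain text.

Added example for this thread; not Terraform or Genesys provider code.
Usage:  python check_tfstate.py terraform.tfstate [more.tfstate ...]
        terraform state pull | python check_tfstate.py -    # remote backend
"""
import json
import sys

# Attribute names treated as a client secret. "secret" follows the answer's
# resource block; "client_secret" is an assumption for other providers.
SECRET_KEYS = ("secret", "client_secret")


def resource_address(resource, instance):
    """Build the address Terraform prints for one instance, e.g.
    module.ops.genesyscloud_oauth_client.ci["build"]."""
    addr = f'{resource["type"]}.{resource["name"]}'
    if resource.get("mode") == "data":
        addr = f"data.{addr}"
    if resource.get("module"):
        addr = f'{resource["module"]}.{addr}'
    key = instance.get("index_key")
    if isinstance(key, int):
        addr += f"[{key}]"
    elif isinstance(key, str):
        addr += f'["{key}"]'
    return addr


def is_marked_sensitive(instance, attr):
    """True if Terraform recorded attr in sensitive_attributes. The marker only
    hides the value in plan/apply output; the plain value is still present
    under "attributes" in the same instance."""
    for path in instance.get("sensitive_attributes", []):
        if any(step.get("type") == "get_attr" and step.get("value") == attr
               for step in path):
            return True
    return False


def find_plaintext_secrets(state_text, secret_keys=SECRET_KEYS):
    """Parse a v4 JSON state document and return one
    (address, attribute, marked_sensitive) tuple per non-empty secret value."""
    state = json.loads(state_text)
    findings = []
    for resource in state.get("resources", []):
        for instance in resource.get("instances", []):
            attrs = instance.get("attributes") or {}
            for key in secret_keys:
                if attrs.get(key):
                    findings.append((resource_address(resource, instance), key,
                                     is_marked_sensitive(instance, key)))
    return findings


def check_files(paths):
    """Print every finding; return 1 if any secret was found, else 0."""
    total = 0
    for path in paths:
        if path == "-":
            text = sys.stdin.read()
        else:
            with open(path, encoding="utf-8") as fh:
                text = fh.read()
        for addr, key, marked in find_plaintext_secrets(text):
            note = "sensitive marker set, value still plain" if marked else "no marker"
            print(f"{path}: {addr}.{key} is stored in plain text ({note})")
            total += 1
    return 1 if total else 0


# Constructed sample state (fake ids and secrets): what .tfstate holds after
# applying the answer's resource block, once with sensitive = true on the
# variable (marker present) and once from a module without it.
SAMPLE_STATE = json.dumps({
    "version": 4, "terraform_version": "1.6.0",
    "resources": [
        {"mode": "managed", "type": "genesyscloud_oauth_client", "name": "main",
         "provider": 'provider["registry.terraform.io/mypurecloud/genesyscloud"]',
         "instances": [{"schema_version": 0,
                        "attributes": {"id": "11111111-2222-4333-8444-555555555555",
                                       "name": "My App", "description": "Managed by Terraform",
                                       "grant_types": ["client_credentials"],
                                       "secret": "FAKE-secret-from-sensitive-variable"},
                        "sensitive_attributes": [[{"type": "get_attr", "value": "secret"}]]}]},
        {"module": "module.ops", "mode": "managed",
         "type": "genesyscloud_oauth_client", "name": "ci",
         "provider": 'module.ops.provider["registry.terraform.io/mypurecloud/genesyscloud"]',
         "instances": [{"index_key": "build", "schema_version": 0,
                        "attributes": {"id": "66666666-7777-4888-8999-aaaaaaaaaaaa",
                                       "name": "CI build client",
                                       "grant_types": ["client_credentials"],
                                       "secret": "FAKE-secret-without-marker"},
                        "sensitive_attributes": []}]},
        {"mode": "managed", "type": "genesyscloud_routing_queue", "name": "support",
         "provider": 'provider["registry.terraform.io/mypurecloud/genesyscloud"]',
         "instances": [{"schema_version": 0,
                        "attributes": {"id": "bbbbbbbb-cccc-4ddd-8eee-ffffffffffff",
                                       "name": "Support"},
                        "sensitive_attributes": []}]},
    ],
})

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(check_files(sys.argv[1:]))
    for finding in find_plaintext_secrets(SAMPLE_STATE):  # demo on the sample
        print(finding)
```

Run it with no arguments to see the two findings from the sample; wire it into a pre-commit hook with the real .tfstate path, or pipe `terraform state pull` into it when the state lives in S3. Both sample clients are reported: the sensitive marker changes the CLI output, not what the file stores.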