Terraform Plan Fails on PR in CI/CD Pipeline for NICE CXone

Trying to understand the correct sequence of operations when implementing a CI/CD pipeline for our NICE CXone infrastructure using the Terraform provider. We have a complex environment with multiple data actions and Studio scripts that need to be managed via code. The requirement is to run terraform plan on every pull request and only execute terraform apply after the merge is confirmed. However, we are encountering a persistent issue where the plan step fails with a “permission denied” error when trying to read the existing state from our remote backend (Azure Blob Storage). The error message is “Error: Unable to list objects in container ‘cxone-state’: authorization failure”. I have verified that the service principal has the correct role assignments, but it seems the provider is not passing the credentials correctly in the non-interactive CI environment. Below is the relevant configuration for the provider in our main.tf file.

# NICE CXone provider block; credentials are supplied through input variables
provider "nice-cxone" {
  endpoint      = "https://api.nice-incontact.com"
  client_id     = var.cxone_client_id
  client_secret = var.cxone_client_secret
  grant_type    = "client_credentials"
}

I am using GitHub Actions for the pipeline. The workflow file looks like this.

jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: hashicorp/setup-terraform@v2
      - run: terraform init
      - run: terraform plan -out=tfplan

The plan fails at the init stage or during the refresh phase. I suspect the OAuth token generation is failing silently or the token is expiring too quickly. Is there a specific way to handle token caching or refresh in the Terraform provider for CXone? Also, should I be using the API directly to generate a token before calling Terraform? Any insights on best practices for securing the client secret in GitHub secrets while ensuring the provider can authenticate during the plan phase would be appreciated. The timezone is Asia/Singapore, so timing of token expiry might be a factor if there is a sync issue. Please advise.
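
An added example, not the poster's workflow: a plan job that passes both sets of credentials to Terraform as environment variables sourced from GitHub secrets, with a pre-flight step that fails before `terraform init` if any of them is empty. The secret names are assumptions; the `ARM_*` variables are the ones Terraform's azurerm state backend reads for service-principal authentication, and `TF_VAR_*` fills the two `var.cxone_*` inputs shown in the post.

```yaml
# Added example. Secret names (right-hand side) are assumptions.
name: terraform-plan
on:
  pull_request:

permissions:
  contents: read   # the plan job only needs to read the repository

jobs:
  plan:
    runs-on: ubuntu-latest
    env:
      # Read by the azurerm state backend during init and refresh.
      ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
      ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
      ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
      ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
      # Terraform maps TF_VAR_<name> onto var.<name>, so these feed
      # var.cxone_client_id and var.cxone_client_secret.
      TF_VAR_cxone_client_id: ${{ secrets.CXONE_CLIENT_ID }}
      TF_VAR_cxone_client_secret: ${{ secrets.CXONE_CLIENT_SECRET }}
      TF_IN_AUTOMATION: "true"
    steps:
      - uses: actions/checkout@v3
      - uses: hashicorp/setup-terraform@v2
      - name: Fail fast on missing credentials (values are never printed)
        run: |
          missing=0
          for v in ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID \
                   ARM_SUBSCRIPTION_ID TF_VAR_cxone_client_id \
                   TF_VAR_cxone_client_secret; do
            if [ -z "$(printenv "$v")" ]; then
              echo "::error::$v is empty or unset"
              missing=1
            fi
          done
          exit "$missing"
      - run: terraform init -input=false
      - run: terraform plan -input=false -out=tfplan
```

GitHub does not expose repository secrets to `pull_request` runs triggered from forks, so on those runs the pre-flight step stops the job before Terraform is invoked. The saved `tfplan` file can contain sensitive values in clear text, so treat it like a secret if it is uploaded as an artifact.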