Terraform State Drift on Genesys Cloud SSO OIDC Configuration

Looking for advice on state drift issues when managing SSO OIDC settings via Terraform.

The environment is AU-1 BYOC. Provider version is genesyscloud v1.68.4. The specific resource is genesyscloud_organization_authentication.

The Terraform apply completes successfully. The configuration is applied to the tenant. However, the next terraform plan immediately shows a diff.

The drift occurs on the client_secret field. The value is masked in the state file, but the plan indicates a change. The API response from GET /api/v2/organization/authentication/oidc returns the expected configuration. The secret is not actually changed in the UI.

This causes constant noise in our CI/CD pipeline. GitHub Actions reports a failed plan due to unexpected changes.

We are using OIDC for SSO integration. The client_id is static. The issuer_url is static. Only the secret seems to trigger the drift.

We tried using the ignore_changes lifecycle block. This hides the drift but risks manual changes being overwritten. This is not a secure approach for compliance. We need a deterministic way to handle secrets in state.

The GC CLI shows the same configuration. The issue persists across multiple environments. Dev, Stage, and Prod all show this behavior.

Is this a known limitation of the provider? Or is there a specific flag to stabilize the secret comparison?

We cannot ignore the drift in production. Audit logs require clean state files.

Any workaround for OIDC secret handling? Please share HCL snippets if possible.

Thanks.
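
An added example, not part of the original post and not Genesys or provider code: a CI triage step that reads the JSON form of a plan (as produced by `terraform show -json`) and separates a diff confined to sensitive attributes, such as the client_secret case described above, from any change that needs review. The resource address `.sso`, the sample values and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output;
# the address and all values are placeholders, not data from a real tenant.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "genesyscloud_organization_authentication.sso",
   "type": "genesyscloud_organization_authentication",
   "change": {"actions": ["update"],
     "before": {"client_id": "example-client", "issuer_url": "https://idp.example.test", "client_secret": ""},
     "after":  {"client_id": "example-client", "issuer_url": "https://idp.example.test", "client_secret": "PLACEHOLDER"},
     "before_sensitive": {"client_secret": true},
     "after_sensitive":  {"client_secret": true}}}
]}
""")

def changed_attributes(change):
    """Return (sensitive, plain) lists of top-level attribute names that differ."""
    before = change.get("before") or {}
    after = change.get("after") or {}
    unknown = change.get("after_unknown") or {}
    marks = {}
    for key in ("before_sensitive", "after_sensitive"):
        side = change.get(key)
        if isinstance(side, dict):  # Terraform emits `false` when nothing is sensitive
            marks.update(side)
    sensitive, plain = [], []
    for name in sorted(set(before) | set(after) | set(unknown)):
        if before.get(name) == after.get(name) and not unknown.get(name):
            continue
        # Only attribute names are collected; secret values are never returned.
        (sensitive if marks.get(name) else plain).append(name)
    return sensitive, plain

def classify_plan(plan, resource_type="genesyscloud_organization_authentication"):
    """Map each changed resource address to ('sensitive-only' | 'review', names)."""
    verdicts = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if actions in (["no-op"], ["read"]):
            continue
        sensitive, plain = changed_attributes(change)
        only_secret = bool(actions == ["update"] and sensitive and not plain
                           and rc.get("type") == resource_type)
        verdicts[rc["address"]] = ("sensitive-only" if only_secret else "review", sensitive + plain)
    return verdicts
```

The JSON plan holds sensitive values in plain text, so generate it in a temporary location and do not upload it as a pipeline artifact.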