Terraform State Exposure: Obscuring OAuth Client Secrets in NICE CXone Provider

Stuck on preventing the plain-text client_secret from persisting in the Terraform state file while provisioning the nice_cxone provider. We are utilizing remote state storage, yet the sensitive credential remains visible to unauthorized personnel with state access, despite setting sensitive = true in the data source.

Is there a specific mechanism within the provider or a standard Terraform pattern to inject this secret at runtime via environment variables or a vault lookup without it being written to the .tfstate artifact?

The problem is that sensitive = true only masks console output, not the state file.

# Credentials come from variables; sensitive = true only redacts plan/apply output.
variable "cxone_client_id" { type = string }
variable "cxone_client_secret" {
  type      = string
  sensitive = true
}

provider "nice_cxone" {
  client_id     = var.cxone_client_id
  client_secret = var.cxone_client_secret
}

# Supply the secret at runtime from CI/CD secrets as TF_VAR_cxone_client_secret,
# or in a .tfvars file that stays out of version control:
# cxone_client_secret = "REDACTED"
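One way to check the claim above in a pipeline, rather than trusting it, is to scan the state document itself. The following is an added example and not code from the thread or from the NICE CXone provider: it walks a constructed Terraform state (v4 layout, the shape `terraform state pull` returns) and reports every path at which a known secret value appears, plus every attribute whose key name looks like a credential. The `vault_generic_secret` data source and the `example_integration` resource type, and all values, are assumptions built for the sample.

```python
from __future__ import annotations

import json
import re
from typing import Any, Iterator

# Constructed sample of a Terraform state document (v4 layout). Values are
# made up for this example; the shape is what matters: a data source that
# looked the secret up and a resource whose attribute was set from
# var.cxone_client_secret. Both are serialised in plain text regardless of
# sensitive = true on the variable.
SAMPLE_STATE: dict[str, Any] = {
    "version": 4,
    "terraform_version": "1.9.0",
    "resources": [
        {
            "mode": "data",
            "type": "vault_generic_secret",
            "name": "cxone",
            "instances": [{
                "attributes": {
                    "path": "secret/cxone",
                    "data": {"client_secret": "example-secret-value-0123"},
                }
            }],
        },
        {
            "mode": "managed",
            "type": "example_integration",  # hypothetical resource type
            "name": "cxone",
            "instances": [{
                "attributes": {
                    "id": "integration-42",
                    "client_id": "example-client-id",
                    "client_secret": "example-secret-value-0123",
                }
            }],
        },
    ],
}

# Attribute names that usually carry a credential.
SECRET_KEY_PATTERN = re.compile(r"(secret|password|passwd|token|api_key)", re.I)


def walk(node: Any, path: str) -> Iterator[tuple[str, Any]]:
    """Yield (json_path, value) for every scalar leaf under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def find_secret_in_state(state: dict[str, Any], secret: str) -> list[str]:
    """Return the JSON paths in state whose string value contains secret.

    Use this when the secret value is known (for example from the CI secret
    store): it answers "did this credential end up in the state artifact?".
    """
    return [
        path
        for path, value in walk(state.get("resources", []), "resources")
        if isinstance(value, str) and secret in value
    ]


def find_secret_like_keys(state: dict[str, Any]) -> list[str]:
    """Return JSON paths whose leaf key name looks like a credential.

    Use this when the value is unknown: it flags attributes such as
    client_secret or password that were serialised at all.
    """
    hits = []
    for path, value in walk(state.get("resources", []), "resources"):
        leaf = path.rsplit(".", 1)[-1]
        if SECRET_KEY_PATTERN.search(leaf) and value not in (None, ""):
            hits.append(path)
    return hits


if __name__ == "__main__":
    # In CI this would parse "terraform state pull" output instead of the sample.
    state = json.loads(json.dumps(SAMPLE_STATE))
    for hit in find_secret_in_state(state, "example-secret-value-0123"):
        print("secret value present at:", hit)
    for hit in find_secret_like_keys(state):
        print("credential-like attribute at:", hit)
```

Run it after `terraform apply` against the pulled state and fail the job on any hit; the value-based check is the one that proves a specific credential leaked, the key-based check catches credentials you did not know were being written.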

If I remember correctly, relying on variables alone is risky because state dumps can still leak them if not handled carefully. I prefer injecting the secret directly via environment variables in the CI/CD pipeline. This keeps it out of the state file entirely. Never store secrets in version control or remote state.

provider "nice_cxone" {
  client_id     = var.cxone_client_id
  # Terraform has no getenv(); the pipeline exports TF_VAR_cxone_client_secret
  # and Terraform reads it into this variable (declare it with sensitive = true).
  client_secret = var.cxone_client_secret
}