Terraform state file exposing OAuth client secrets despite sensitive flag

We’re provisioning a new Genesys Cloud OAuth client through the CX as Code provider and the plaintext secret keeps dumping straight into the .tfstate file. The HCL block looks standard enough.

resource "genesyscloud_oauth_client" "ui_analytics_client" {
  name      = "Queue-Layout-Integration"
  secret    = var.oauth_client_secret
  type      = "confidential"
  sensitive = true
}

Running terraform plan masks the value just fine, but terraform state pull pulls the raw string right out. We’ve tried wrapping the variable in a local sensitive block, switching to a remote backend with encryption at rest, and even pointing it at an external vault via the external data source. Nothing stops the provider from caching the decrypted string during the creation step. The dashboard UI won’t refresh the token rotation schedule until we redeploy, so we can’t just destroy the resource and start over.

Checked the provider documentation and it mentions state encryption, but that doesn’t actually strip the attribute from the JSON payload. We’re hitting a 403 on the subsequent /api/v2/oauth/clients call when the state file gets synced to the shared repo, which makes total sense. The terraform console output shows the attribute still tagged as a string type. Anyone know the exact syntax to force the provider to drop the secret from the state entirely? We’ve been spinning our wheels on this for two days. The admin UI queue metrics are already lagging because the integration isn’t authenticating properly. Still waiting on the state override config. The queue dashboard just keeps timing out.
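
A check for the situation described in the post, as an added example that is not part of the original post or the provider's code: it parses state JSON (as emitted by `terraform state pull`) and reports which resource attributes hold a non-empty secret, so a state file can be blocked before it is synced to a shared repo. It assumes the state format v4 layout (`resources[].instances[].attributes`); the key names other than `secret` and the sample state are constructed for illustration.

```python
import json
import sys

# Attribute names treated as secret-bearing. "secret" is the attribute from the
# post; the other names are assumed additions for illustration.
SECRET_KEYS = {"secret", "client_secret", "password", "token"}

def _walk(node, prefix):
    """Yield dotted paths of secret-named keys that hold a non-empty string."""
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else key
            if key.lower() in SECRET_KEYS and isinstance(value, str) and value:
                yield path
            else:
                yield from _walk(value, path)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, f"{prefix}[{i}]")

def find_plaintext_secrets(state_json):
    """Return (resource address, attribute path) pairs; values are never returned."""
    state = json.loads(state_json)
    findings = []
    for res in state.get("resources", []):
        address = f'{res.get("type")}.{res.get("name")}'
        for idx, inst in enumerate(res.get("instances", [])):
            for path in _walk(inst.get("attributes") or {}, ""):
                findings.append((f"{address}[{idx}]", path))
    return findings

# Constructed sample shaped like state format v4; the secret is a placeholder.
SAMPLE_STATE = json.dumps({"version": 4, "resources": [
    {"mode": "managed", "type": "genesyscloud_oauth_client",
     "name": "ui_analytics_client",
     "instances": [{"attributes": {"name": "Queue-Layout-Integration",
                                   "secret": "EXAMPLE-PLACEHOLDER-SECRET"},
                    "sensitive_attributes": []}]},
    {"mode": "managed", "type": "genesyscloud_oauth_client",
     "name": "no_secret_stored",
     "instances": [{"attributes": {"name": "Other", "secret": None}}]},
]})

if __name__ == "__main__":
    # Read state from stdin when piped, otherwise fall back to the sample.
    data = SAMPLE_STATE if sys.stdin.isatty() else sys.stdin.read()
    hits = find_plaintext_secrets(data)
    for address, path in hits:
        print(f"plaintext secret in state: {address} -> {path}")
    sys.exit(1 if hits else 0)
```

Piping `terraform state pull` into the script makes it usable as a pre-commit or CI gate; it prints attribute paths only, never the values.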