Terraform state file leaking Genesys OAuth client secrets despite sensitive flag

We’re moving our Genesys Cloud configuration to Infrastructure as Code using the genesyscloud Terraform provider. I’m setting up a custom OAuth client for our Embeddable Client App SDK integration. The standard approach seems to be using the genesyscloud_oauth_client resource. Here’s the relevant snippet from our main.tf:

resource "genesyscloud_oauth_client" "sdk_app" {
 name = "Custom Agent Desktop SDK Client"
 description = "Client for internal SDK app"
 redirect_uris = ["https://internal.example.com/callback"]
 
 # Trying to hide the secret
 client_secret = var.oauth_client_secret
}

And in our variables.tf:

variable "oauth_client_secret" {
 description = "The client secret for the OAuth app"
 type = string
 sensitive = true
}

The issue is that even though I marked the variable as sensitive, the actual secret value still appears in plaintext in the .tfstate file. I’ve checked the provider documentation and the Terraform docs, but I can’t find a way to truly mask the secret in the state file itself. I know Terraform doesn’t encrypt the state file by default, but this feels like a security gap we can’t ignore for production deployments.

I’ve tried a few workarounds:

  1. Using sensitive = true on the variable (didn’t help with the state file content).
  2. Storing the secret in AWS Secrets Manager and pulling it via a data source, but the provider still seems to write the resolved value to the state.
  3. Looking for a genesyscloud_oauth_client_secret resource to rotate them separately, but it doesn’t exist in the current provider version.

Is there a recommended pattern for handling this? We’re using AWS S3 with encryption for remote state, but the secret is still readable if you have access to the bucket. I don’t want to store the secret in the state file at all. Can we force the provider to not persist the client_secret attribute in the state? Or is there a different API endpoint or Terraform resource I should be using to manage these credentials securely?

Running Terraform v1.6.0 and the Genesys Cloud provider v1.45.0. Any insights on how others are handling this?
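As an added example (not part of the original question or the Genesys provider), a small audit script that reads a Terraform state-format-v4 document and lists secret-looking attributes stored in clear text; it shows that the `sensitive_attributes` metadata marks `client_secret` but does not redact its value. The state document, resource id and secret value are constructed placeholders.

```python
"""Audit a Terraform state document for plaintext secret attributes."""
import json
import re

SECRET_KEY_PATTERN = re.compile(r"(secret|password|token|private_key)", re.IGNORECASE)

# Constructed sample state (format version 4), not a real tfstate; the
# client_secret value is a made-up placeholder, not a real credential.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.6.0",
    "resources": [{
        "mode": "managed",
        "type": "genesyscloud_oauth_client",
        "name": "sdk_app",
        "instances": [{
            "attributes": {
                "id": "EXAMPLE-CLIENT-ID",
                "name": "Custom Agent Desktop SDK Client",
                "client_secret": "PLACEHOLDER-SECRET-VALUE",
                "redirect_uris": ["https://internal.example.com/callback"],
            },
            # Terraform records which attributes are sensitive, but the
            # value itself is still stored in plaintext above.
            "sensitive_attributes": [[{"type": "get_attr", "value": "client_secret"}]],
        }],
    }],
})


def find_plaintext_secrets(state_json):
    """Return (resource address, attribute, marked_sensitive) for every
    secret-looking string attribute whose value is stored in clear text."""
    state = json.loads(state_json)
    findings = []
    for res in state.get("resources", []):
        address = f'{res["type"]}.{res["name"]}'
        for inst in res.get("instances", []):
            # Attribute names that the state flags as sensitive (metadata only).
            marked = {
                step["value"]
                for path in inst.get("sensitive_attributes", [])
                for step in path if step.get("type") == "get_attr"
            }
            for key, value in inst.get("attributes", {}).items():
                if SECRET_KEY_PATTERN.search(key) and isinstance(value, str) and value:
                    findings.append((address, key, key in marked))
    return findings


if __name__ == "__main__":
    for address, key, marked in find_plaintext_secrets(SAMPLE_STATE):
        note = "marked sensitive, still plaintext" if marked else "not marked sensitive"
        print(f"{address}: {key} ({note})")
```

Run it against a real state file (`terraform state pull` output) to confirm which credentials actually land in the bucket before deciding on a remediation.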