I’m trying to standardize our Genesys Cloud infrastructure using the official Genesys Cloud Terraform provider. The goal is simple: define OAuth clients as code so we can version control them. The problem is the genesys_cloud_oauth_client resource stores the secret in plaintext in the .tfstate file. That’s a security nightmare. I’ve tried setting sensitive = true on the input variable, which stops it from showing in the CLI output, but the state file itself still contains the raw secret string. I need a way to manage this without exposing the secret in the state file or having to regenerate it manually every time. Here is the basic config I’m using:
```hcl
variable "oauth_client_secret" {
  type      = string
  sensitive = true
}

resource "genesys_cloud_oauth_client" "my_client" {
  name          = "My Integration Client"
  secret        = var.oauth_client_secret
  description   = "Managed by Terraform"
  redirect_uris = ["https://example.com/callback"]
}
```
Running terraform plan works fine. The secret is masked in the logs. But checking the state file reveals the plain text secret. I’ve looked at the provider docs and haven’t seen a native way to handle this securely. I considered using a data source to pull the secret from a vault, but Terraform still needs to store the resulting value in the state to track the resource. Is there a pattern or workaround for this? I don’t want to commit the state file to git, obviously, but internal team members with access to the state backend can see the secrets. I’ve also tried using the external data source to call a script that generates the secret, but the state file still captures the output. What’s the standard practice here? I’m stuck.
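The behaviour described in the question (a `sensitive = true` input is masked in plan output but still lands in state as plaintext) can be checked directly by inspecting the state file. The following scanner is an added example written for this page; it is not part of the original post and not code from the Genesys Cloud provider. It assumes the Terraform state format version 4 layout (`resources[].instances[].attributes`, with an optional `sensitive_attributes` list of `{"type": "get_attr", "value": <name>}` entries, and top-level `outputs`). The state document embedded below is constructed for the demo; the resource type and name are taken from the question as written, and the secret value is a placeholder. Such a check belongs in CI or a pre-commit hook on the state backend side, reporting which resource attributes hold credentials and whether Terraform merely flagged them as sensitive rather than protecting them.

```python
"""Scan a Terraform state file (format version 4) for plaintext credentials.

Added example for this page; not the provider's or the poster's code.
Assumed state layout (v4): resources[].instances[].attributes, with an
optional sensitive_attributes list of {"type": "get_attr", "value": name},
plus top-level outputs with an optional "sensitive" flag.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Attribute names that usually carry credentials; extend for your providers.
SECRET_ATTR_PATTERN = re.compile(
    r"(secret|password|token|private_key|api_key)", re.IGNORECASE
)

# Constructed sample state: the resource from the question after apply.
# The secret value is a placeholder, not a real credential.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.5.0",
    "serial": 3,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "outputs": {
        "client_secret": {"value": "example-plaintext-secret",
                          "type": "string", "sensitive": True}
    },
    "resources": [{
        "mode": "managed",
        "type": "genesys_cloud_oauth_client",
        "name": "my_client",
        "provider": "provider[\"registry.terraform.io/example/genesyscloud\"]",
        "instances": [{
            "schema_version": 0,
            "attributes": {
                "id": "client-0001",
                "name": "My Integration Client",
                "secret": "example-plaintext-secret",
                "description": "Managed by Terraform",
                "redirect_uris": ["https://example.com/callback"],
            },
            # This is all sensitive = true buys you: a marker, not encryption.
            "sensitive_attributes": [{"type": "get_attr", "value": "secret"}],
        }],
    }],
})


@dataclass(frozen=True)
class Finding:
    address: str            # Terraform address, e.g. type.name or output.name
    attribute: str          # attribute that holds the credential
    marked_sensitive: bool  # True if Terraform flagged it, value still plaintext
    value_preview: str      # first and last character only, never the full value


def _marked_sensitive(instance: dict) -> set[str]:
    """Collect top-level attribute names Terraform flagged as sensitive."""
    return {
        path["value"]
        for path in instance.get("sensitive_attributes", [])
        if path.get("type") == "get_attr"
    }


def _preview(value: str) -> str:
    """Redact everything but the first and last character."""
    if len(value) <= 2:
        return "*" * len(value)
    return f"{value[0]}{'*' * (len(value) - 2)}{value[-1]}"


def scan_state(state_json: str) -> list[Finding]:
    """Return every string attribute or output whose name looks credential-like."""
    state = json.loads(state_json)
    if state.get("version") != 4:
        raise ValueError(f"unsupported state version: {state.get('version')!r}")

    findings: list[Finding] = []
    for res in state.get("resources", []):
        prefix = "data." if res.get("mode") == "data" else ""
        for inst in res.get("instances", []):
            address = f"{prefix}{res['type']}.{res['name']}"
            if inst.get("index_key") is not None:      # count / for_each instances
                address += f"[{json.dumps(inst['index_key'])}]"
            marked = _marked_sensitive(inst)
            for attr, value in inst.get("attributes", {}).items():
                if isinstance(value, str) and value and SECRET_ATTR_PATTERN.search(attr):
                    findings.append(Finding(address, attr, attr in marked, _preview(value)))

    for name, out in state.get("outputs", {}).items():
        value = out.get("value")
        if isinstance(value, str) and value and SECRET_ATTR_PATTERN.search(name):
            findings.append(Finding(f"output.{name}", "value",
                                    bool(out.get("sensitive")), _preview(value)))
    return findings


if __name__ == "__main__":
    for f in scan_state(SAMPLE_STATE):
        flag = "marked sensitive" if f.marked_sensitive else "NOT marked sensitive"
        print(f"{f.address}.{f.attribute}: {f.value_preview} ({flag}, plaintext in state)")
```

Run it against a real state file with `scan_state(open("terraform.tfstate").read())`; every finding it prints is a value readable by anyone with read access to the state backend, whether or not `marked_sensitive` is true, which is the exposure the question describes. The name pattern is deliberately broad and will need tuning per provider.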