We’ve got a Terraform module spinning up Genesys Cloud resources using the official provider. Everything works fine except the OAuth client configuration. The docs say to use the genesyscloud_oauthclient resource, but whenever I run terraform plan, the diff shows the secret field being read into the state. This is a huge security risk since our state files are stored in S3 and accessible to a few teams.
I tried using the sensitive = true flag on the variable, but the provider still seems to fetch the value and store it in the state file in plain text (or at least visible in the plan output). Is there a way to prevent the secret from being written to the state? Or should I be managing the OAuth client creation outside of Terraform entirely?
Here’s the relevant config snippet:
variable "oauth_secret" {
type = string
sensitive = true
}
resource "genesyscloud_oauthclient" "main" {
name = "My App"
client_id = var.oauth_client_id
secret = var.oauth_secret
redirect_uris = ["https://example.com/callback"]
}
When I check the state file manually, I see the secret value. This defeats the purpose of marking it sensitive. We need a way to either mask it in the state or not store it at all. The provider doesn’t seem to have an ignore_changes option for the secret field that works as expected. Any ideas on how to handle this securely? We’re using Terraform 1.5.0 and the provider version 1.28.0.