Terraform state file leaking OAuth client secrets for Genesys Cloud

Running into a security issue with the genesyscloud Terraform provider. We’re managing OAuth clients via genesyscloud_oauth_client, and while the secret field is marked as sensitive, it’s still ending up in the terraform.tfstate file in plain text. This is a hard no for our compliance team.

I’ve tried wrapping the secret in var.oauth_secret and passing it through locals, but the provider seems to fetch the current state or write it back during refresh. Here’s the resource block:

resource "genesyscloud_oauth_client" "api_client" {
  name          = "terraform-api-client"
  type          = "CONFIDENTIAL"
  secret        = var.oauth_client_secret
  redirect_uris = ["https://example.com/callback"]
}

Is there a way to tell the provider to skip writing the secret to state, or should I be managing the client lifecycle outside of Terraform and just importing the ID? The docs aren’t clear on sensitive field handling for this specific resource.
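
An added example, not part of the original post and not the provider's own code: a check that reports where a state file holds sensitive attribute values in plaintext, without printing the values. It assumes the version 4 state JSON layout (`resources[].instances[].attributes` plus `sensitive_attributes` paths); the sample state, its placeholder secret and the function names are constructed for illustration.

```python
import json

# Constructed sample of a Terraform state file (format version 4); values are placeholders.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [{
        "mode": "managed",
        "type": "genesyscloud_oauth_client",
        "name": "api_client",
        "instances": [{
            "attributes": {
                "name": "terraform-api-client",
                "secret": "EXAMPLE-NOT-A-REAL-SECRET",
                "redirect_uris": ["https://example.com/callback"],
            },
            # Assumed path encoding: one list of steps per sensitive attribute.
            "sensitive_attributes": [[{"type": "get_attr", "value": "secret"}]],
        }],
    }],
})

def sensitive_names(instance):
    """Top-level attribute names the state marks as sensitive."""
    names = set()
    for path in instance.get("sensitive_attributes", []):
        if path and path[0].get("type") == "get_attr":
            names.add(path[0]["value"])
    return names

def find_plaintext_secrets(state_text, extra_names=("secret",)):
    """Return (resource address, attribute) pairs whose value sits in the state.

    Only locations are returned; the secret values are never echoed.
    """
    findings = []
    for res in json.loads(state_text).get("resources", []):
        address = f'{res.get("type")}.{res.get("name")}'
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            for name in sorted(sensitive_names(inst) | set(extra_names)):
                if attrs.get(name):  # non-empty value present in plaintext
                    findings.append((address, name))
    return findings

if __name__ == "__main__":
    for address, attr in find_plaintext_secrets(SAMPLE_STATE):
        print(f"{address}: '{attr}' is stored in plaintext in the state")
```

Run against a real state by passing the file's contents to `find_plaintext_secrets`; a non-empty result means the state backend itself has to be treated as a secret store (encrypted at rest, access-controlled).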