I’ve been trying to set up a basic dev environment for our routing rules using the Genesys Cloud Terraform provider, but I’m hitting a wall with the authentication part. The documentation suggests using the genesys_cloud_auth resource to handle the OAuth handshake, which is fine, but it feels really unsafe.
Here is the block I’m using:
resource "genesys_cloud_auth" "primary" {
  client_id     = var.gen_client_id
  client_secret = var.gen_client_secret
  env_name      = "mypurecloud.ie"
}
The problem is that even though I’m pulling the secret from a variable file, it’s still getting written into the terraform.tfstate file in plain text. I checked the file and there it is, right under the genesys_cloud_auth.primary section. Since this state file is being committed to our internal Git repo for collaboration, that’s a major security red flag. We can’t have client secrets sitting in plain text in version control.
I’ve tried setting the secret in an environment variable (GEN_CLIENT_SECRET) and referencing it with var.gen_client_secret, but Terraform still caches the resolved value in the state. I read somewhere that you can use sensitive flags, but I’m not sure how to apply that to the genesys_cloud_auth resource itself to prevent it from logging the value during the plan or apply phase.
Is there a way to tell Terraform to treat this specific attribute as sensitive so it doesn’t dump it into the state file? Or is the recommended pattern to just use a local auth file and ignore the state file entirely? I’m a bit confused because other providers seem to handle this more gracefully.
Also, if I do manage to hide it from the state, will the provider still be able to refresh the token on subsequent runs without re-prompting or failing? It’s just frustrating that the default behavior seems to expose credentials so openly. Any help would be appreciated; I’ve been stuck on this for a couple of hours now.
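The core risk in the question is that a `sensitive` marking only redacts plan/apply output, while the resolved value is still written to terraform.tfstate in plain text. The following audit script is an added example (not the poster's code and not part of the Genesys Cloud provider): it walks a Terraform v4 state document, reports credential-looking attributes, and shows whether Terraform had marked them sensitive. The embedded state is a constructed sample modelled on the genesys_cloud_auth.primary resource above, with placeholder values; the `sensitive_attributes` layout assumes the v4 state format.

```python
import json
import re

# Constructed sample of a Terraform v4 state file, modelled on the poster's
# genesys_cloud_auth.primary resource. Values are placeholders, not real secrets.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [{
        "mode": "managed",
        "type": "genesys_cloud_auth",
        "name": "primary",
        "instances": [{
            "attributes": {
                "client_id": "example-client-id",
                "client_secret": "EXAMPLE-SECRET-VALUE",
                "env_name": "mypurecloud.ie",
            },
            # Terraform records sensitive-marked paths here, but the value above
            # is still stored in plain text; the marking does not encrypt state.
            "sensitive_attributes": [[{"type": "get_attr", "value": "client_secret"}]],
        }],
    }],
})

# Attribute names that usually hold credentials (assumed heuristic, extend as needed).
SECRET_KEY_RE = re.compile(r"(secret|password|passwd|token|api_key|private_key)", re.I)


def find_plaintext_secrets(state_json: str) -> list[dict]:
    """Report credential-looking attributes stored in a v4 state document.

    Each finding gives the resource address, the attribute name, and whether
    Terraform had marked it sensitive (which only affects CLI output).
    """
    state = json.loads(state_json)
    findings = []
    for res in state.get("resources", []):
        address = f'{res.get("type")}.{res.get("name")}'
        for inst in res.get("instances", []):
            marked = {
                step["value"]
                for path in inst.get("sensitive_attributes", [])
                for step in path
                if step.get("type") == "get_attr"
            }
            for key, value in inst.get("attributes", {}).items():
                if isinstance(value, str) and value and SECRET_KEY_RE.search(key):
                    findings.append({"address": address, "attribute": key,
                                     "marked_sensitive": key in marked})
    return findings


if __name__ == "__main__":
    for f in find_plaintext_secrets(SAMPLE_STATE):
        print(f"{f['address']}.{f['attribute']}: plain text in state "
              f"(marked sensitive={f['marked_sensitive']})")
```

Run it against a real terraform.tfstate with `find_plaintext_secrets(open("terraform.tfstate").read())`; a non-empty result is a signal that the state file itself needs protecting (remote backend with encryption and access control, and never committed to Git), regardless of how the variable is declared.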