Need to manage Genesys Cloud OAuth clients without the secret ending up in the tfstate file. The genesyscloud_oauth_client resource requires the secret argument, which writes it to plaintext state immediately.
Tried using sensitive = true on the attribute and the ignore_changes lifecycle rule, but the secret still persists in the state file or prevents updates.
Is there a way to handle this via the API directly in a post-provision hook, or is there a provider pattern I’m missing?