Running into a security red flag with the Genesys Cloud Terraform provider. We’re trying to automate our OAuth client setup using genesyscloud_oauth_client, but the provider seems to store the raw client secret in the .tfstate file even when using sensitive = true on the variable. The state file is encrypted at rest, but I’d prefer the secret not to be in there at all for audit reasons.
Here’s the snippet I’m using:
resource "genesyscloud_oauth_client" "main_client" {
  name   = "terraform-client"
  scopes = ["routing:queue:view"]
  secret = var.oauth_secret
}

variable "oauth_secret" {
  type      = string
  sensitive = true
}
The apply works fine, but terraform state show reveals the plaintext secret. Is there a way to force the provider to omit this from state, or do I have to manage the secret rotation via API calls outside of Terraform?
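An added example (not from the post or the Genesys Cloud provider) of the audit check this question calls for: walk a Terraform state file and report every resource attribute whose name looks like a credential and whose value is stored as a plaintext string. The embedded state is constructed to mirror the post's resource, and the attribute names, values and the regex of credential-like keys are assumptions.

```python
"""Audit a Terraform state file for credential-like attributes stored in plaintext.

The sample state below is constructed to mirror the post's genesyscloud_oauth_client
resource; its attribute names and values are assumptions, not real provider output.
"""
import json
import re

# Attribute names that commonly carry credentials (assumption: extend for your providers).
SECRET_KEYS = re.compile(r"(secret|password|token|api_key|private_key)$", re.IGNORECASE)

# Constructed example state (Terraform state format version 4), not a real file.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.6.0",
    "resources": [{
        "mode": "managed",
        "type": "genesyscloud_oauth_client",
        "name": "main_client",
        "instances": [{
            "schema_version": 0,
            "attributes": {
                "id": "example-client-id",
                "name": "terraform-client",
                "scopes": ["routing:queue:view"],
                "secret": "EXAMPLE-PLAINTEXT-SECRET"
            },
            "sensitive_attributes": []
        }]
    }]
})

def find_plaintext_secrets(state_text: str) -> list[dict]:
    """Return one finding per instance attribute whose name matches SECRET_KEYS and
    whose value is a non-empty string. `sensitive = true` only redacts CLI output;
    the value is still written to state, which is exactly what this flags."""
    state = json.loads(state_text)
    findings = []
    for res in state.get("resources", []):
        address = f'{res["type"]}.{res["name"]}'
        for inst in res.get("instances", []):
            for key, value in inst.get("attributes", {}).items():
                if SECRET_KEYS.search(key) and isinstance(value, str) and value:
                    findings.append({"address": address, "attribute": key, "length": len(value)})
    return findings

if __name__ == "__main__":
    for f in find_plaintext_secrets(SAMPLE_STATE):
        print(f"{f['address']}.{f['attribute']}: {f['length']}-char plaintext value in state")
```

Running it against a real `terraform.tfstate` (or the output of `terraform show -json`, whose resource layout differs and would need a small adapter) gives a concrete list to hand to audit, instead of relying on the state backend's encryption at rest alone.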