We’re trying to manage our Genesys Cloud OAuth client credentials using the Terraform provider, but I’m hitting a wall with security compliance. The genesyscloud_auth_client resource requires a secret attribute. When I run terraform apply, the secret gets written to the terraform.tfstate file in plain text. Our security team flagged this immediately. They don’t want secrets in state, period.
I’ve tried using a local variable to hold the secret and referencing it in the resource, but Terraform still persists the resolved value to the state file. I also looked into using the sensitive flag, like this:
resource "genesyscloud_auth_client" "main" {
  name   = "MyApp"
  secret = var.oauth_secret
  # Tried adding sensitive = true here but it's not a valid arg for the provider
}
The provider documentation doesn’t mention a way to mask or exclude the secret from the state. I know we can encrypt the state file itself using S3 and KMS, but that feels like a band-aid if the raw value is still sitting there inside the JSON blob. Is there a workaround? Maybe a way to import the client with an existing secret so Terraform doesn’t manage it? Or is there a different resource or API call we should be using instead? We need a clean way to handle this without exposing the secret in the state file. I’ve been digging through the provider source code but it’s not obvious how to bypass this. Any ideas?
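As an added example (not code from the original post, the Genesys Cloud provider, or any answer to it), the check a practitioner would want before trusting a state backend: a scanner over a terraform.tfstate document (state format version 4) that reports every credential-looking attribute value stored in clear and notes whether Terraform has merely marked it sensitive. The attribute-name pattern, the sample state and every id and secret value in it are constructed here.

```python
"""Check a Terraform state document for credential-looking values stored in plain text.

Added example, not from the original post. Assumes Terraform state format
version 4; SECRET_KEY_PATTERN and SAMPLE_STATE are constructed for this demo.
"""
import json
import re
import sys

# Attribute names that commonly carry credentials. Assumption: a starting
# point to extend for your own providers, not an exhaustive list.
SECRET_KEY_PATTERN = re.compile(
    r"secret|password|passwd|token|private_key|api_key", re.IGNORECASE
)


def _walk(value, path, out):
    """Collect (dotted path, string value) for every key that looks like a credential."""
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = f"{path}.{key}" if path else key
            if isinstance(child, str) and child and SECRET_KEY_PATTERN.search(key):
                out.append((child_path, child))
            _walk(child, child_path, out)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            _walk(child, f"{path}[{i}]", out)


def _sensitive_top_level(instance):
    """Top-level attribute names Terraform marked sensitive for this instance.

    State v4 records them as paths of steps such as
    [{"type": "get_attr", "value": "secret"}]. The marking only affects CLI
    output; the value itself is still written to state unencrypted.
    """
    names = set()
    for path in instance.get("sensitive_attributes", []):
        for step in path:
            if step.get("type") == "get_attr":
                names.add(step["value"])
                break
    return names


def find_plaintext_secrets(state_json):
    """Return one dict per credential-looking attribute found in the state."""
    state = json.loads(state_json)
    if state.get("version") != 4:
        raise ValueError(f"expected state format version 4, got {state.get('version')!r}")
    findings = []
    for res in state.get("resources", []):
        prefix = f"{res['module']}." if res.get("module") else ""
        address = f"{prefix}{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            key = inst.get("index_key")
            instance_address = address if key is None else f"{address}[{json.dumps(key)}]"
            marked = _sensitive_top_level(inst)
            hits = []
            _walk(inst.get("attributes", {}), "", hits)
            for attr_path, value in hits:
                top = attr_path.split(".")[0].split("[")[0]
                findings.append({
                    "address": instance_address,
                    "attribute": attr_path,
                    "value": value,
                    "marked_sensitive": top in marked,
                })
    return findings


def report(findings):
    """Render findings with values redacted so the report itself leaks nothing."""
    lines = []
    for f in findings:
        shown = f["value"][:2] + "*" * max(len(f["value"]) - 2, 0)
        flag = "marked sensitive" if f["marked_sensitive"] else "NOT marked sensitive"
        lines.append(f"{f['address']}: {f['attribute']} = {shown} ({flag})")
    return "\n".join(lines)


# Constructed sample state; every id, lineage and secret value here is made up.
SAMPLE_STATE = json.dumps({
    "version": 4, "terraform_version": "1.9.0", "serial": 3,
    "lineage": "11111111-2222-3333-4444-555555555555", "outputs": {},
    "resources": [
        {"mode": "managed", "type": "genesyscloud_auth_client", "name": "main",
         "provider": "provider[\"registry.terraform.io/mypurecloud/genesyscloud\"]",
         "instances": [{"schema_version": 0,
                        "attributes": {"id": "client-0001", "name": "MyApp",
                                       "secret": "constructed-oauth-secret-value"},
                        "sensitive_attributes": []}]},
        {"mode": "managed", "type": "aws_db_instance", "name": "db",
         "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
         "instances": [{"schema_version": 2,
                        "attributes": {"id": "db-0001", "engine": "postgres",
                                       "password": "constructed-db-password"},
                        "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]]}]},
    ],
})

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATE
    found = find_plaintext_secrets(text)
    print(report(found) if found else "no credential-looking values found")
    sys.exit(1 if found else 0)
```

Run it as `python scan_state.py terraform.tfstate` (or `terraform state pull > state.json` first for a remote backend); it exits non-zero when anything is found, so it can gate a pipeline. The second sample resource shows the point the post is making from the other side: the `password` attribute is listed under `sensitive_attributes`, which keeps it out of `terraform show` output, yet the scanner still finds it because the raw value is in the JSON regardless.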