
terraform-provider-onepassword's Introduction

1Password Terraform provider

Use the 1Password Terraform provider to access and manage items in your 1Password vaults.


✨ Get started

terraform {
  required_providers {
    onepassword = {
      source = "1Password/onepassword"
      version = "~> 1.3.0"
    }
  }
}

provider "onepassword" {
  service_account_token = "<1Password service account token>"
}

variable "vault_id" {}

resource "onepassword_item" "demo_login" {
  vault = var.vault_id

  title    = "Demo Terraform Login"
  category = "password"

  username = "demo-username"

  password_recipe {
    length  = 40
    symbols = false
  }
}

🛠️ Contributing

For the contribution guidelines, see CONTRIBUTING.md.

Still not sure where or how to begin? We're happy to help! You can join the Developer Slack workspace, and ask us any questions there.

💙 Community & Support

🔐 Security

1Password requests you practice responsible disclosure if you discover a vulnerability.

Please file requests via BugCrowd.

For information about security practices, please visit the 1Password Bug Bounty Program.

terraform-provider-onepassword's People

Contributors

dckcode, dependabot[bot], drdaeman, dustin-ruetz, edif2008, florisvdg, github-actions[bot], jillianwilson, josh-burton, jpcoenen, kpcraig, leofkj, simonbarendse, thatguygriff, tim-oster, verkaufer, volodymyrzotov, williamhpark, wonko


terraform-provider-onepassword's Issues

Add debugging support

Summary

The provider code should be configured to support debugging sessions (e.g. Delve, Goland).

Use cases

To make debugging the Terraform provider "out of the box" more convenient for developers.

Proposed solution

Modify plugin.Serve within main.go to take a Debug boolean, which can be provided through a flag. This is the approach recommended on the Hashicorp documentation: https://developer.hashicorp.com/terraform/plugin/sdkv2/debugging.

Is there a workaround to accomplish this today?

Modifying the main.go file locally before debugging.

References & Prior Work

Cannot create (T)OTP fields

Your environment

Terraform Provider Version: 1.1.3

Connect Server Version: 1.5.0

OS: any

Terraform Version: 1.0.7, but it shouldn't matter

What happened?

Trying to create a field with type "TOTP" causes a validation error coming from the Connect server:

Error: status 400: Validation: (validateVaultItem failed to Validate), Couldn't validate the item: "[ItemValidator] has found 1 errors, 0 warnings: \nErrors: {1. details.sections[1].fields[0] has unsupported field type: totp}"

According to the 1Password/connect#26 the correct value for field.type is "OTP" rather than "TOTP". Can you please fix the fieldTypes array accordingly?

var fieldTypes = []string{"STRING", "EMAIL", "CONCEALED", "URL", "TOTP", "DATE", "MONTH_YEAR", "MENU"}

Thank you!

Steps to reproduce

resource "onepassword_item" "something" {
  ...
  section {
    ...
    field {
      label = "One-time password"
      type = "TOTP"
      value = ...
    }
  }
}

Using terraform cloud with 'local-exec' provisioner to install OP CLI?

Your environment

Terraform Cloud

Connect Server Version: None

CLI Version: any

OS: Ubuntu

Terraform Version:

What happened?

Can anyone give me an example of using a 'local-exec' provisioner to install the OP CLI when using Terraform Cloud?

I'm unable to get it to work. I keep getting the following error:

 failed to get version of op CLI: failed to execute command: exec: "op": executable file not found in $PATH

What did you expect to happen?

Steps to reproduce

Notes & Logs

Secrets are not removed on terraform destroy

Your environment

Terraform Provider Version: 1.0.2

Connect Server Version: 1.1.1 (container image: sha256:aa808e82ff23b99574526dde1c18e5503c30f5f08eed0d1d5f2ce68f1441d3ed)

OS:

cat /etc/lsb-release
DISTRIB_ID=LinuxMint
DISTRIB_RELEASE=20.1
DISTRIB_CODENAME=ulyssa
DISTRIB_DESCRIPTION="Linux Mint 20.1 Ulyssa"

Terraform Version: v0.14.9

What happened?

Upon running the command terraform destroy, the logs indicate that the secrets have been deleted, but they remain in the 1password vault.

What did you expect to happen?

The secrets are destroyed as indicated in the log messages.

OR

The documentation clearly outlines that secrets will not be deleted from the 1password vault on terraform destroy.

OR

(Preferred) An option exists in the Terraform provider resources which specifies the action that will be taken when a destroy action is required. Example:

resource "onepassword_item" "demo_login" {
  vault = var.vault_id

  remove_on_destroy = <bool>

  title    = "Demo Terraform Login"
  category = "password"

  username = "demo-username"

  password_recipe {
    length  = 40
    symbols = false
  }
}

Steps to reproduce

  1. Follow the example code here: https://github.com/1Password/terraform-provider-onepassword/tree/main/examples
  2. Verify that the secrets are created in the appropriate 1password vault
  3. Using a token with delete permissions, run the terraform destroy command
  4. Verify that the logs indicate that the secrets were destroyed
  5. Verify that the secrets remain available in the appropriate 1password vault

Notes & Logs

Terraform destroy:

onepassword_item.demo_password: Destroying... [id=vaults/<uuid>/items/<uuid>]
onepassword_item.demo_login: Destroying... [id=vaults/<uuid>/items/<uuid>]
onepassword_item.demo_db: Destroying... [id=vaults/<uuid>/items/<uuid>]
onepassword_item.demo_sections: Destroying... [id=vaults/<uuid>/items/<uuid>]
onepassword_item.demo_login: Destruction complete after 0s
onepassword_item.demo_sections: Destruction complete after 1s
onepassword_item.demo_db: Destruction complete after 1s
onepassword_item.demo_password: Destruction complete after 1s

docker-compose (source: https://support.1password.com/connect-deploy-docker/#step-2-deploy-a-1password-connect-server):

op-connect-api_1   | {"log_message":"(I) DELETE /v1/vaults/<uuid>/items/<uuid>","timestamp":"2021-05-19T19:28:36.628298253Z","level":3,"scope":{"request_id":"<uuid>"}}
op-connect-api_1   | {"log_message":"(I) DELETE /v1/vaults/<uuid>/items/<uuid>","timestamp":"2021-05-19T19:28:36.628339326Z","level":3,"scope":{"request_id":"<uuid>"}}
op-connect-api_1   | {"log_message":"(I) DELETE /v1/vaults/<uuid>/items/<uuid>","timestamp":"2021-05-19T19:28:36.628298254Z","level":3,"scope":{"request_id":"<uuid>"}}
op-connect-api_1   | {"log_message":"(I) DELETE /v1/vaults/<uuid>/items/<uuid>","timestamp":"2021-05-19T19:28:36.6288812Z","level":3,"scope":{"request_id":"<uuid>"}}
op-connect-api_1   | {"log_message":"(I) DELETE /v1/vaults/<uuid>/items/<uuid> completed (204: No Content)","timestamp":"2021-05-19T19:28:37.266439816Z","level":3,"scope":{"request_id":"<uuid>","jti":"<uuid>"}}
op-connect-api_1   | {"log_message":"(I) DELETE /v1/vaults/<uuid>/items/<uuid> completed (204: No Content)","timestamp":"2021-05-19T19:28:37.552712026Z","level":3,"scope":{"request_id":"<uuid>","jti":"<uuid>"}}
op-connect-api_1   | {"log_message":"(I) DELETE /v1/vaults/<uuid>/items/<uuid> completed (204: No Content)","timestamp":"2021-05-19T19:28:37.868969691Z","level":3,"scope":{"request_id":"<uuid>","jti":"<uuid>"}}
op-connect-api_1   | {"log_message":"(I) DELETE /v1/vaults/<uuid>/items/<uuid> completed (204: No Content)","timestamp":"2021-05-19T19:28:38.15887181Z","level":3,"scope":{"request_id":"<uuid>","jti":"<uuid>"}}

Duplicates are left behind when changing item name

Environment:
terraform: 0.14.8
onepassword-provider: 0.2.0
onepassword-connect: 0.5.3

When changing an item name, the old item is not cleaned up.

e.g.

Change from:

resource "onepassword_item" "op_pg_ip" {
  vault = var.op_vault

  title    = "PostgreSQL - ${var.environment}"
  category = "password"
  password = random_string.psql.result
}

to

resource "onepassword_item" "op_pg_ip" {
  vault = var.op_vault

  title    = "PostgreSQL Password - ${var.environment}"
  category = "password"
  password = random_string.psql.result
}

And two items will now exist in the vault: PostgreSQL Password - FOO and PostgreSQL - FOO.
It is expected that only PostgreSQL Password - FOO exists after the change.

"Missing required attribute" error (URL)

I'm trying the Terraform integration using a pretty "standard" config for 1Password on Terraform and I'm getting this error:

│ Error: Missing required attribute
│
│ on line 1:
│ (source code not available)
│
│ The attribute "url" is required, but no definition was found.
my docker compose file is:

version: "3.4"

services:
  op-connect-api:
    image: 1password/connect-api:latest
    ports:
      - "8080:8080"
    volumes:
      - "./1password-credentials.json:/home/opuser/.op/1password-credentials.json"
      - "data:/home/opuser/.op/data"
  op-connect-sync:
    image: 1password/connect-sync:latest
    ports:
      - "8081:8080"
    volumes:
      - "./1password-credentials.json:/home/opuser/.op/1password-credentials.json"
      - "data:/home/opuser/.op/data"

volumes:
  data:

and my terraform file is

terraform {
  required_providers {
    docker = {
      source  = "kreuzwerker/docker"
      version = "2.15.0"
    }
    onepassword = {
      source = "1Password/onepassword"
      version = "~> 1.1.2"

    }
  }
}

provider "onepassword" {
  url = "http://localhost:8080"
}

resource "onepassword_item" "demo_password" {
  vault = "ACTUAL_VAULT_UUID"

  title    = "Demo Password Recipe"
  category = "password"

  password_recipe {
    length  = 40
    symbols = false
  }
}

output of versions

❯ terraform version
Terraform v1.0.8
on darwin_amd64
+ provider registry.terraform.io/1password/onepassword v1.1.2
+ provider registry.terraform.io/kreuzwerker/docker v2.15.0
❯ docker version
Client:
 Cloud integration: 1.0.17
 Version:           20.10.7
 API version:       1.41
 Go version:        go1.16.4
 Git commit:        f0df350
 Built:             Wed Jun  2 11:56:22 2021
 OS/Arch:           darwin/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.7
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       b0f5bc3
  Built:            Wed Jun  2 11:54:58 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.6
  GitCommit:        d71fcd7d8303cbf684402823e425e9dd2e99285d
 runc:
  Version:          1.0.0-rc95
  GitCommit:        b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

504 Gateway Timeout after item is created

Environment:
terraform: 0.14.8
onepassword-provider: 0.2.0
onepassword-connect: 0.5.3

When creating secrets via terraform, I am encountering a 504 error. However, the connect-api shows 200, and the secrets are correctly placed into the desired vault.

Terraform error:

Error: Unable to create item. Receieved "504 Gateway Timeout" for "/v1/vaults/<VAULT_ID>/items"

  on ../../../modules/aks/secrets.tf line 1, in resource "onepassword_item" "my_secret":
   1: resource "onepassword_item" "my_secret" {

connect-api logs at the time of occurrence do not show a 504:

{"log_message":"(I) POST /v1/vaults/<VAULT_ID>/items","timestamp":"2021-03-23T18:22:35.5096888Z","level":3,"scope":{"request_id":"96fb4005-4fda-40fb-823c-23305d04cf0e"}}
{"log_message":"(I) POST /v1/vaults/<VAULT_ID>/items","timestamp":"2021-03-23T18:22:35.5097037Z","level":3,"scope":{"request_id":"841c287f-e9f4-4ef0-8b38-78e29d41def8"}}
{"log_message":"(I) POST /v1/vaults/<VAULT_ID>/items completed (200: OK)","timestamp":"2021-03-23T18:22:35.95327435Z","level":3,"scope":{"request_id":"4a66e9da-e1e5-4b41-8d29-a672faae6efc","jti":"se65mrp2v7q2iencvpvxgovp2u"}}
{"log_message":"(I) POST /v1/vaults/<VAULT_ID>/items completed (200: OK)","timestamp":"2021-03-23T18:22:36.163594062Z","level":3,"scope":{"request_id":"71c258fd-5507-47c3-9fc5-5a046ccd770c","jti":"se65mrp2v7q2iencvpvxgovp2u"}}

Feature Request: Add fields to each items default section

Summary

In 1password UI each item has a default section with certain keys for different template types. You also have the ability to add different fields to the default section. It doesn't seem possible to edit that default section with custom fields through terraform currently.

I can add custom sections with my custom fields but I would like to also add certain fields to the default section for each item as well.

Proposed solution

resource "onepassword_item" "item" {
  vault = var.vault

  title    = var.name
  category = var.category

  username = var.username
  password = var.password
  database = var.database
  port     = var.port

  password_recipe {
    length  = var.password_recipe.length
    letters = var.password_recipe.letters
    digits  = var.password_recipe.digits
    symbols = var.password_recipe.symbols
  }

  // This will be the custom field in the default section
  field {
    label = "some label"
    type = "STRING"
    value = "some value"
  }

  field {
    label = "some label2"
    type = "CONCEALED"
    value = "some value2"
  }

  // This will be the rest of the custom sections and fields in those sections for the object
  dynamic "section" {
    for_each = var.sections
    content {
      label = section.value.label
      dynamic "field" {
        for_each = section.value.fields
        content {
          label = field.value.label
          type = field.value.type
          value = field.value.value
        }
      }
    }
  }
}

Is there a workaround to accomplish this today?

Not that I can tell looking through the source code

[Feature Request] Add users/teams

Summary

Add resources to manage users, and user groups

Use cases

Code-controlled and easily reviewed provisioning of access is very good, and also very automation-friendly

Proposed solution

resource "onepassword_user" "foo" {
  email = "[email protected]"
}

resource "onepassword_group" "bar" {
  members = [
    onepassword_user.alice.id,
    onepassword_user.bob.id,
  ]
  vaults = [
    onepassword_vault.private.id,
    onepassword_vault.top_secret.id,
  ]
}

something like that

Is there a workaround to accomplish this today?

not really, just use the GUI, or in some cases the CLI? but that's not terraform-y

References & Prior Work

Changing the `field`s of a `section` gives unexpected results (re-labeling of existing fields and thus data moved)

Your environment

Terraform Provider Version: 1.1.4 (latest)
Connect Server Version: 1.5.7
OS: MacOS 13.3 on M1
Terraform Version: 1.4.4

What happened?

  • create a basic item

  • create a section with 3 fields (no values)

  • fields named a_password, b_password, z_password

  • terraform apply

  • added values manually to fields

  • added a new field name c_password

  • terraform apply

  • ~ field {
          id    = "hmaa7pivgm6qro75zlelovwab4"
        ~ label = "z_password" -> "c_password"
          # (1 unchanged attribute hidden)
      }
    + field {
        + label = "z_password"
        + type  = "CONCEALED"
      }
    
  • label for field z_password was changed to c_password and thus manual data are now available in the wrong field

What did you expect to happen?

  • new field with label c_password

Steps to reproduce

  1. see above, source code attached below, authentication is stored in AWS Secrets manager for Connect authentication
  2. I tried to give an id to the field, but this id was happily changed as well

Source code

terraform {
  required_version = ">= 1.4.0"

  required_providers {
    onepassword = {
      source  = "1Password/onepassword"
      version = "~> 1.1.4"
    }
  }
}

# ########################## 1Password config ############################
# the configuration for connecting to 1password Agent

data "aws_secretsmanager_secret" "onepassword_token" {
  name = "onepassword-token"
}
data "aws_secretsmanager_secret_version" "onepassword_token" {
  secret_id = data.aws_secretsmanager_secret.onepassword_token.id
}

provider "onepassword" {
  url   = "http://localhost:8080"
  token = data.aws_secretsmanager_secret_version.onepassword_token.secret_string
}

locals {
  one_password_vault = "your-vault-goes-here"
}

data "onepassword_vault" "this" {
  name = local.one_password_vault
}

# plain resources
resource "onepassword_item" "plain" {
  vault = data.onepassword_vault.this.uuid

  title    = "plain"
  category = "password"

  section {
    label = "collector"
    field {
      label = "a_password"
      type  = "CONCEALED"
    }
    field {
      label = "b_password"
      type  = "CONCEALED"
    }
    # initially commented out
    # field {
    #   label = "c_password"
    #   type  = "CONCEALED"
    # }
    field {
      label = "z_password"
      type  = "CONCEALED"
    }
  }
}
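The plan quoted above (z_password relabelled to c_password, then a new empty z_password added) is what a planner produces when it pairs configured fields with remote fields by list position. The following Go program is an added illustration, not the provider's code: it implements both a positional strategy and a label-keyed strategy over constructed sample data (the `Field` and `Change` types, `planByPosition`, `planByLabel` and the `fld-*` IDs are all invented here) and shows that matching by label turns the same configuration change into a plain add, leaving the existing z_password field, and whatever was typed into it, untouched.

```go
package main

import "fmt"

// Field is a constructed stand-in for one entry of a section's field list; it
// is not the provider's own type. Value is only known on the remote side, since
// the configuration in the issue declares labels and types but no values.
type Field struct {
	ID    string
	Label string
	Type  string
	Value string
}

// Change is one step the planner would take to make the remote item match the
// config. Kind is one of "keep", "relabel", "add" or "remove".
type Change struct {
	Kind     string
	ID       string
	OldLabel string
	NewLabel string
}

// planByPosition pairs remote and desired fields by index. Inserting c_password
// ahead of z_password therefore relabels the existing z_password field (ID and
// manually entered value included) and reports z_password as a brand-new field.
func planByPosition(remote, desired []Field) []Change {
	var out []Change
	for i := 0; i < len(remote) || i < len(desired); i++ {
		switch {
		case i >= len(remote):
			out = append(out, Change{Kind: "add", NewLabel: desired[i].Label})
		case i >= len(desired):
			out = append(out, Change{Kind: "remove", ID: remote[i].ID, OldLabel: remote[i].Label})
		case remote[i].Label == desired[i].Label:
			out = append(out, Change{Kind: "keep", ID: remote[i].ID, OldLabel: remote[i].Label, NewLabel: desired[i].Label})
		default:
			out = append(out, Change{Kind: "relabel", ID: remote[i].ID, OldLabel: remote[i].Label, NewLabel: desired[i].Label})
		}
	}
	return out
}

// planByLabel matches remote fields to configured fields by label, so an
// existing field keeps its ID and value wherever it sits in the list, a new
// label is a genuine add, and a label missing from the config is a remove.
func planByLabel(remote, desired []Field) []Change {
	byLabel := make(map[string]Field, len(remote))
	for _, r := range remote {
		byLabel[r.Label] = r
	}
	matched := make(map[string]bool, len(remote))
	var out []Change
	for _, d := range desired {
		if r, ok := byLabel[d.Label]; ok {
			out = append(out, Change{Kind: "keep", ID: r.ID, OldLabel: r.Label, NewLabel: d.Label})
			matched[d.Label] = true
			continue
		}
		out = append(out, Change{Kind: "add", NewLabel: d.Label})
	}
	for _, r := range remote {
		if !matched[r.Label] {
			out = append(out, Change{Kind: "remove", ID: r.ID, OldLabel: r.Label})
		}
	}
	return out
}

// sampleRemote is the constructed remote state after the first apply plus the
// manual edits described in the issue (the IDs are made up for this example).
func sampleRemote() []Field {
	return []Field{
		{ID: "fld-a", Label: "a_password", Type: "CONCEALED", Value: "value-a"},
		{ID: "fld-b", Label: "b_password", Type: "CONCEALED", Value: "value-b"},
		{ID: "fld-z", Label: "z_password", Type: "CONCEALED", Value: "value-z"},
	}
}

// sampleDesired is the configuration after uncommenting the c_password block.
func sampleDesired() []Field {
	return []Field{
		{Label: "a_password", Type: "CONCEALED"},
		{Label: "b_password", Type: "CONCEALED"},
		{Label: "c_password", Type: "CONCEALED"},
		{Label: "z_password", Type: "CONCEALED"},
	}
}

func main() {
	for name, plan := range map[string]func([]Field, []Field) []Change{
		"by position": planByPosition,
		"by label":    planByLabel,
	} {
		fmt.Println(name + ":")
		for _, c := range plan(sampleRemote(), sampleDesired()) {
			fmt.Printf("  %-7s id=%-8q %q -> %q\n", c.Kind, c.ID, c.OldLabel, c.NewLabel)
		}
	}
}
```

Matching by label has its own blind spot: renaming a field in the config becomes a remove plus an add, which drops any value entered by hand. A stable identifier that the configuration can pin (the `id` the issue reports being overwritten) is the more robust key, with label matching as the fallback when no id is given.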

Feature Request: 1Password Metadata

Looking for guidance here. I'm attempting to use 1Password to create the admin password I would need to create a database in AWS. I wanted to keep the item in op updated with all the information about the RDS instance (hostname, dbname, port, etc.) using the outputs from the AWS RDS resource, but that metadata won't be available until the AWS RDS instance is created, and to create it I need to pass the password to the database resource.

There is only one workaround I can see.

  1. Create a random password using terraform hashicorp random
  2. Use it to create the aws rds instance
  3. Then create the op_item with all relevant information.

What I would like.

  1. Create the op_item using 1password-provider
  2. Use the output from op_item to create aws rds instance
  3. (NEW) Create the op_item_metadata (depends on op_item_id) in which I can pass other metadata like sections etc.

Curious on thoughts here about this ^

Add datasources for vault and retrieving items from onepassword not stored using this provider

Summary

Add datasources for vault and retrieving items from onepassword.

Use cases

Currently we can retrieve items from onepassword which are stored/created using this provider only.

Allow to retrieve items which are not stored using this provider.

Proposed solution

For example:

data "onepassword_vault" "secret" {
  name = "Secret"
}

data "onepassword_item" "example" {
  category = "login"
  title    = "test"
  vault_id = data.onepassword_vault.secret.id
  uuid     = "There should be a way(datasource) to retrieve the uuid of the items using title"
}

Now in your code to retrieve the password:

output "example" {
  value = data.onepassword_item.example.password
}

References & Prior Work

onepassword_vault data source error

Your environment

Mac

Terraform Provider Version:
1.1.3

Connect Server Version:

OS: Mac

Terraform Version:
1.0.5

What happened?

Getting an error using the onepassword_vault data source.

What did you expect to happen?

The data source should have been retrieved and I should be able to retrieve the vault's uuid

Steps to reproduce

terraform {
  required_providers {
    onepassword = {
      source  = "1Password/onepassword"
      version = "~> 1.1.3"
    }
  }
}

data "onepassword_vault" "vault" {
  name = "my vault"  
}

terraform init && terraform apply

Notes & Logs

Error:

 Error: decoding response: invalid character '<' looking for beginning of value  with data.onepassword_vault.vault,
  on main.tf line 11, in data "onepassword_vault" "vault":   11: data "onepassword_vault" "vault" {

I have also set OP_CONNECT_TOKEN.

I'll really appreciate some guidance 🙇

feature request: add support for other categories

Summary

1Password supports more types than just the login, password, and database categories.
Importing manually created Server items into Terraform's control will fail because that category is not supported by this provider.

Use cases

When people have manually created password items of a different category that they then wish to import.

Proposed solution

Add support for the rest of the item types that can be stored in the vault.

Is there a workaround to accomplish this today?

There is no workaround; perhaps manually recreating everything with the new type will work, but that's not really a viable workaround.

What is the expected syntax for date fields?

Your environment

Terraform Provider Version: 1.0.2

Connect Server Version: 1.2.0

OS: macOS 11.6.1

Terraform Version: 1.0.6

What happened?

I've been unable to find acceptable Terraform syntax for creating a date-typed 1Password field. Attempts so far have all resulted in "400 Bad Request" results back from terraform apply. Here are five potential formats that I've tried, along with one string-typed field to show that the date formatting succeeds.

locals {
  date  = "2021-10-29T23:26:27Z"
  vault = "[redacted vault ID]"
}

resource "onepassword_item" "secret-date-metadata" {
  vault    = local.vault
  title    = "Test of date field creation"
  category = "password"
  password = "bibbity bobbity boo plus my birthdate"

  section {
    label = "Dates"

    field {
      type  = "DATE"
      label = "Expiration date as date"

      # All of these potential values result in "400 Bad Request" from terraform apply
      # value = local.date
      # value = formatdate("YYYY/MM/DD", local.date)
      # value = formatdate("MM/DD/YYYY", local.date)
      # value = "2021/10/29"
      value = 1635800957
    }

    field {
      type  = "STRING"
      label = "Expiration date as string"
      value = formatdate("YYYY/MM/DD", local.date)
    }
  }
}

What did you expect to happen?

I expected at least one of those five value-setting lines to set a value without an error. I arrived at the 1635800957 epoch date by looking at how the JSON data came back from the op CLI after setting a date field interactively, but setting it also failed.

Ideally, I'd like to find a date format acceptable to 1Password Connect's Terraform provider that can be emitted by Terraform's formatdate function (epoch date is not on that list).

Steps to reproduce

  1. Plug in a valid vault ID in the locals block, and apply the above file.

Notes & Logs

│ Error: Unable to update item. Receieved "400 Bad Request" for "/v1/vaults/[redacted-vault-ID]/items/l3bwryhvzkf3eyx2aye2xh3nyu"
│ 
│   with onepassword_item.secret-date-metadata,
│   on date-format.tf line 5, in resource "onepassword_item" "secret-date-metadata":
│    5: resource "onepassword_item" "secret-date-metadata" {

Tags don't get updated to 1password vault

Your environment

Terraform Provider Version: 1.0.0
Connect Server Version: 1.0.0
OS: macOS Big Sur
Terraform Version: 0.15.1

What happened?

I'm using the example project provided. Looking at the code, I see tags is a list(string). I added tags = ["test"] to all resources in the example project. The apply shows the tags being added, but when I look at the state file I see tags being an empty list, even though apply completed successfully. The resources in the vault don't show any tags either. When I run apply again it tries to add the tags again.

What did you expect to happen?

If I pass a list of tags it successfully adds the tags

Steps to reproduce

  1. Add tags to all resources in example project. Tried with one tag or two tags
  2. Run plan & apply

resource "onepassword_item" "demo_password" {
  vault = var.demo_vault

  title    = "Demo Password Recipe"
  category = "password"

  password_recipe {
    length  = 40
    symbols = false
  }

  tags = ["test"]
}

resource "onepassword_item" "demo_login" {
  vault = var.demo_vault

  title    = "Demo Terraform Login"
  category = "login"
  username = "[email protected]"
  tags = ["test"]
}

resource "onepassword_item" "demo_db" {
  vault    = var.demo_vault
  category = "database"
  type     = "mysql"

  title    = "Demo TF Database"
  username = "root"

  database = "Example MySQL Instance"
  hostname = "localhost"
  port     = 3306
  tags = ["test"]
}

resource "onepassword_item" "demo_sections" {
  vault = var.demo_vault

  title    = "Demo Terraform Item with Sections"
  category = "login"
  username = "[email protected]"

  section {
    label = "Terraform Section"

    field {
      label = "API_KEY"
      type  = "CONCEALED"
      value = "2Federate2!"
    }

    field {
      label = "HOSTNAME"
      value = "example.com"
    }
  }

  section {
    label = "Terraform Second Section"

    field {
      label = "App Specific Password"
      type  = "CONCEALED"

      password_recipe {
        length  = 40
        symbols = false
      }
    }

    field {
      label = "User"
      value = "demo"
    }
  }
  tags = ["test"]
}

Notes & Logs

2021-04-29T12:51:43.814-0400 [DEBUG] provider.terraform-provider-onepassword_v1.0.0: 2021/04/29 12:51:43 [ERROR] setting state: Invalid address to set: []string{"notesPlain"}
2021-04-29T12:51:43.815-0400 [WARN]  Provider "provider[\"registry.terraform.io/1password/onepassword\"]" produced an unexpected new value for onepassword_item.demo_db, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .tags: element 0 has vanished
      - .tags: element 1 has vanished

Item data source fails lookup

Your environment

Terraform Provider Version: 1.1.1

Connect Server Version: 1.2.0

OS: Terraform Cloud

Terraform Version: 1.0.1

What happened?

I added an item and vault data source to my project

data "onepassword_vault" "vault" {
  name = "Vault Name"
}

data "onepassword_item" "item" {
  vault = data.onepassword_vault.vault.id
  title = "Item Name"
}

When I ran terraform plan the vault was retrieved successfully but the item lookup failed

│ Error: Unable to retrieve item. Receieved "404 Not Found" for "/v1/vaults/vaults/<vault uuid>/items?filter=title+eq+%22Item+Title%22""
│ 
│   with data.onepassword_item.item,
│   on credentials.tf line 5, in data "onepassword_item" "item":
│    5: data "onepassword_item" "item" {
│ 

Checking the Connect server logs it highlighted that the Terraform Provider is doubling /vaults/vaults in the request path.

What did you expect to happen?

I expected the provider to look up the vault and the item successfully so I could reference

Steps to reproduce

  1. Add Vault Data Source
  2. Add Item Data Source referencing vault id

Notes & Logs

This happens when using either title or uuid lookup for the Item data source

Feature Request: Support multiple URLs when creating an item

Summary

When creating an item using Terraform, only one URL can be provided and it is set as primary.

Use cases

There are many cases where you want to be able to add more URLs to support the browser autofill.
It is supported in the API and Python SDK, so I guess it is just not implemented in the Terraform provider.

Proposed solution

Accept a list of URLs instead of the url parameter, or add an additional urls parameter to add non-primary URLs.

Complex examples needed

We need more complex examples. For example, how to fetch a key from an item? I tried something like this:

data "onepassword_item" "secrets" {
  vault = data.onepassword_vault.aw.uuid
  title = "secrets"
}

data.onepassword_item.secrets.section[index(data.onepassword_item.secrets.section.*.label, "my-label")]

Didn't work. Also tried with:

data.onepassword_item.secrets.section[index(data.onepassword_item.secrets.section.*.field.label, "my-label")]

Didn't work either. So what's the correct way to get one key out of an item?

Internal server conflict error when using Service Accounts

Your environment

Terraform Provider Version: 1.2.2

Connect Server Version: n/a

OP CLI Version: 2.23.0

OS: macOS 14.1.1

Terraform Version: 1.6.4

What happened?

When using the provider with Service Accounts, users may encounter the following error: op error: (409) Conflict: Internal server conflict when creating/updating/deleting a bunch of items in the same vault, as the Terraform provider handles each resource separately and therefore makes a bunch of parallel requests via the CLI, one per resource.

What did you expect to happen?

No errors occurred.

Steps to reproduce

  1. Create Service Account token with write permissions.
  2. Create main.tf with the following content (see Notes section below)
  3. terraform init
  4. terraform apply
  5. Some items won't be created and you should see op error: (409) Conflict: Internal server conflict in the console.

Notes & Logs

main.tf example

terraform {
  required_providers {
    onepassword = {
      source  = "1Password/onepassword"
      version = "~> 1.2.2"
    }
  }
}

provider "onepassword" {
  service_account_token = "your_service_account_token"
}

resource "onepassword_item" "demo_password" {
  vault = "vault_id"

  title    = "Demo Password Recipe"
  category = "password"

  password_recipe {
    length  = 40
    symbols = false
  }

  section {
    label = "API Creds"

    field {
      label = "PORT"
      type  = "CONCEALED"
      value = "8080"
    }

    field {
      label = "HOSTNAME"
      value = "example.com"
    }
  }
}

resource "onepassword_item" "demo_login" {
  vault = "vault_id"

  title    = "Demo Terraform Login changed"
  category = "login"
  username = "[email protected]"
}

resource "onepassword_item" "demo_sections" {
  vault = "vault_id"

  title    = "Demo Terraform Item with Sections"
  category = "login"
  username = "[email protected]"


  section {
    label = "Terraform Section"

    field {
      label = "API_KEY"
      type  = "CONCEALED"
      value = "2Federate2!"
    }

    field {
      label = "HOSTNAME"
      value = "example.com"
    }
  }

  section {
    label = "Terraform Second Section"

    field {
      label = "App Specific Password"
      type  = "CONCEALED"

      password_recipe {
        length  = 30
        symbols = false
      }
    }

    field {
      label = "User"
      value = "dchanged emo"
    }
  }
}

resource "onepassword_item" "another_password" {
  vault = "vault_id"

  title    = "Another Demo Password Recipe"
  category = "password"

  password_recipe {
    length  = 40
    symbols = false
  }
}

resource "onepassword_item" "another_demo_login" {
  vault = "vault_id"

  title    = "Another Demo Terraform Login changed"
  category = "login"
  username = "[email protected]"
}

resource "onepassword_item" "another_demo_sections" {
  vault = "vault_id"

  title    = "Another Demo Terraform Item with Sections"
  category = "login"
  username = "[email protected]"


  section {
    label = "Terraform Section"

    field {
      label = "API_KEY"
      type  = "CONCEALED"
      value = "2Federate2!"
    }

    field {
      label = "HOSTNAME"
      value = "example.com"
    }
  }

  section {
    label = "Another Terraform Second Section"

    field {
      label = "App Specific Password"
      type  = "CONCEALED"

      password_recipe {
        length  = 30
        symbols = false
      }
    }

    field {
      label = "User"
      value = "dchanged emo"
    }
  }
}

Possible solution:

The issue might be solved by adding a retry mechanism when getting 409 error from the server using op-cli.
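The retry the issue suggests, as an added Go example that is not the provider's own code: `retryOnConflict` backs off exponentially (with jitter) on a 409 and returns at once on success or on any other error, and `applyAll` additionally bounds how many calls are in flight with a semaphore, since the parallel per-resource requests are what trigger the conflict in the first place. `ErrConflict`, `fakeVault` and the item titles are constructed here to reproduce the conflict in-process without the op CLI; a real client would recognise the 409 from the CLI's stderr instead.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"math/rand"
	"strings"
	"sync"
	"time"
)

// ErrConflict mirrors the message quoted in the issue; it is a sentinel we
// construct for this example rather than anything parsed from the real CLI.
var ErrConflict = errors.New("op error: (409) Conflict: Internal server conflict")

// isConflict reports whether err (possibly wrapped) is the 409 conflict.
func isConflict(err error) bool {
	return err != nil && strings.Contains(err.Error(), "(409) Conflict")
}

// retryOnConflict runs op up to maxAttempts times. A 409 is retried after an
// exponential backoff with jitter; success or any other error returns at once.
// It returns the number of attempts made and the final error.
func retryOnConflict(ctx context.Context, maxAttempts int, base time.Duration, op func() error) (int, error) {
	var err error
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		if err = op(); !isConflict(err) {
			return attempt, err
		}
		if attempt == maxAttempts {
			break
		}
		// base, 2*base, 4*base, ... plus up to one base of jitter so callers
		// that collided once do not all retry at the same instant.
		delay := base<<uint(attempt-1) + time.Duration(rand.Int63n(int64(base)))
		select {
		case <-time.After(delay):
		case <-ctx.Done():
			return attempt, ctx.Err()
		}
	}
	return maxAttempts, fmt.Errorf("giving up after %d attempts: %w", maxAttempts, err)
}

// fakeVault is a constructed backend that rejects any write while another is
// in flight, which is enough to reproduce the conflict locally.
type fakeVault struct {
	mu       sync.Mutex
	inFlight int
	Items    []string
}

func (v *fakeVault) createItem(title string) error {
	v.mu.Lock()
	if v.inFlight > 0 {
		v.mu.Unlock()
		return ErrConflict
	}
	v.inFlight++
	v.mu.Unlock()
	time.Sleep(2 * time.Millisecond) // simulated write latency
	v.mu.Lock()
	defer v.mu.Unlock()
	v.inFlight--
	v.Items = append(v.Items, title)
	return nil
}

// applyAll creates every title concurrently, as Terraform does per resource,
// but gates the calls through a semaphore of size parallelism and wraps each
// one in retryOnConflict. It returns the first error encountered, if any.
func applyAll(ctx context.Context, v *fakeVault, titles []string, parallelism int) error {
	sem := make(chan struct{}, parallelism)
	errs := make(chan error, len(titles))
	var wg sync.WaitGroup
	for _, title := range titles {
		wg.Add(1)
		go func(title string) {
			defer wg.Done()
			sem <- struct{}{}
			defer func() { <-sem }()
			_, err := retryOnConflict(ctx, 6, time.Millisecond, func() error { return v.createItem(title) })
			if err != nil {
				errs <- err
			}
		}(title)
	}
	wg.Wait()
	close(errs)
	return <-errs // nil when no goroutine reported an error
}

func main() {
	v := &fakeVault{}
	titles := []string{"Demo Password Recipe", "Demo Terraform Login", "Demo Terraform Item with Sections"}
	if err := applyAll(context.Background(), v, titles, 1); err != nil {
		fmt.Println("apply failed:", err)
		return
	}
	fmt.Println("created:", v.Items)
}
```

With parallelism 1 the writes are serialised and no conflict ever occurs; until the provider retries on its own, Terraform's `-parallelism=1` flag on apply is the equivalent knob from the operator's side, at the cost of slower applies.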

SSH Keys

Summary

I couldn't find any example on how to create/retrieve SSH keys.
The only issue mentioning it is this one, but I see that the API already supports other types of items.

curl -H "Authorization: Bearer $(cat op_token)" local_op_server/v1/vaults/:vault_id/items/:item_id
{"additionalInformation":"SHA256:h8SXUtOpl5UzEhV3nEjWNDQmxdZHrk7bgHCkpqsSsxs","category":"SSH_KEY","createdAt":"2023-03-11T18:36:38Z","fields":[{"id":"notesPlain","label":"notesPlain","purpose":"NOTES","type":"STRING"},{"id":"public_key","label":"public key","type":"STRING","value":"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLHciYuL95p0a+nzB8BA7oSoePLmYh2suG3beiUI1pz"},{"id":"fingerprint","label":"fingerprint","type":"STRING","value":"SHA256:h8SXUtOpl5UzEhV3nEjWNDQmxdZHrk7bgHCkpqsSsxs"},{"id":"private_key","label":"private key","type":"SSHKEY","value":"-----BEGIN PRIVATE KEY-----\nMFMCAQEwBQYDK2VwBCIEIBH6rPUQbzw8aFbInex1xcQCXg4PdzzmF+Ur1wY6expK\noSMDIQASx3ImLi/eadGvp8wfAQO6EqHjy5mIdrLht23olCNacw==\n-----END PRIVATE KEY-----\n"},{"id":"key_type","label":"key type","type":"STRING","value":"ed25519"}],"id":":vault_id","lastEditedBy":":uid","title":"SSH Key","updatedAt":"2023-03-11T18:36:38Z","vault":{"id":"vault_id","name":"Terraform"},"version":1}

Use cases

Create and retrieve private/public keys for deployed applications

[Feature Request] Manage Vault lifecycle

Summary

Ability to manage the vault life cycle

Use cases

Sometimes one wants to create vaults and delete them when needed. I have a requirement to create a dedicated vault with
some naming convention, and then populate that vault. Also it would be great if I could define users and their permissions for a
given vault.

Proposed solution

Check the community provider at: https://github.com/anasinnyk/terraform-provider-onepassword
This provider supports creation of vaults; however, deletion fails with an error.

Is there a workaround to accomplish this today?

No, because the Vault can only be created/deleted manually.

References & Prior Work

none

[Feature Request] Add option to define behavior when running terraform destroy

Summary

Currently when running terraform destroy or terraform apply after removing 1password provider resources, Terraform destroys any secrets that it has created or imported into state. This behavior can be dangerous or unwanted in the case of a need to preserve secrets outside the Terraform lifecycle.

For example, it could be problematic to import a set of database credentials for use in Terraform only to have them deleted automatically at some point in the future.

It would be preferable to allow users the option to configure what action the Terraform provider takes when an outcome could be the deletion of secrets from 1password vaults.

Use cases

Scenario A:
A user needs to rename Terraform resources to follow a new naming convention (eg: fixing Terraform linting issues where resource names include -), the resulting vault item title and content of the secret will remain unchanged once the refactoring is complete.

Prior to the terraform apply, the vault item is imported into a new Terraform resource. While the terraform apply is occurring, the password must remain available to other consumers of the secret (eg: k8s pods are configured to restart automatically when the secret changes), and thus cannot be removed and recreated.

Scenario B:
A specific vault contains secrets used in a CI/CD environment that validates infrastructure as code changes as part of the PR process. This vault is reused by all CI/CD runners which in turn import certain secrets into Terraform state, and thus must be available any time a PR is submitted or subsequent commits are pushed. Since these secrets are critical to the proper functioning of the CI/CD pipeline, they cannot be removed when terraform destroy is called.

Proposed solution

Options exist globally for the 1password Terraform provider and within individual provider resources that control what happens in the case of a terraform destroy or similarly destructive set of circumstances which would result in the deletion of critical 1password secrets.

Internally this might look like a check for the status of the bool at the time the API call is made and act or not act as appropriate. If the state is not to act, a warning should be logged to help users understand what the decision was and hint at why it was made.

Note that more appropriate / better names for these options are welcome.

Provider example:

provider "onepassword" {
  url = "http://localhost:8080"
  remove_secrets_from_vault_on_destroy = <bool>
}

Resource example:

resource "onepassword_item" "demo_login" {
  vault = var.vault_id

  remove_from_vault_on_destroy = <bool>

  title    = "Demo Terraform Login"
  category = "password"

  username = "demo-username"

  password_recipe {
    length  = 40
    symbols = false
  }
}

Is there a workaround to accomplish this today?

The only way to currently solve for this problem today would be to manually remove the resources from Terraform state prior to a destructive action being taken.

This might not always be feasible due to policies around individual contributor rights or when using CI/CD automation tools such as Atlantis.

Additionally, depending on how many secrets are being managed via Terraform or how the code is arranged (eg: when using nested modules), it might be prohibitively complex to attempt manual state manipulation.

References & Prior Work

These are examples of open issues in Terraform itself looking for ways to "leave resources in place when destroying", some of which are ancient:

These links are not examples of prior work, but they do relate to the problem at hand:

Improve support for item categories

We've received this bit of feedback from a customer:

1Password Terraform does not support any other item categories apart from Login, Password and Database.

At the moment we utilise AWS Secret Manager where you are able to store a flat JSON object without any compulsory fields. Utilising any of the supported item categories in 1password provider forces us to have compulsory fields such as "password" "url" "username" which are different with supported item categories.

We could definitely use, for instance Password item category with only one compulsory field "password", and just add custom fields as required. But in the future we would have to migrate to appropriate item categories once you add support to the provider causing additional overhead.

So the questions are: Is there a roadmap to add more categories to the Terraform provider? If so, when and which ones? Particularly categories without any compulsory field? Although I'm not sure if 1password has categories like that. And/or can you think of any workarounds with available categories without compulsory fields? Although it's kind of new, there's already an issue reported on your Github #51 regarding the missing document category.

The team in Slack mentioned that this is a known issue, and a workaround that was offered, e.g. using the API credentials category, was shot down again because there seems to be an issue retrieving API credentials via the Terraform provider.

Someone from our team added in Slack:

I hit this personally recently. Unfortunately some weird things happen with the current terraform provider release and api credentials (I couldn’t access the credential)
There was talking in April/May of improving and expanding the supported Item types but I don’t think anything materialized there

Feature request: Set default tags for the provider

Summary

Add provider settings to define one or more tags that get added by default to resources.

Use cases

Default tags would provide several useful use cases:

  • Set a tag like "terraform-managed" to see that Terraform manages the 1Password object
  • Set a tag to identify which service/repository etc the resource belongs to/is used by

Proposed solution

  • Define optional default tags in the provider settings
  • Default tags are merged together with any tags defined in the resource

Example format:

provider "onepassword" {
  default_tags {
    tags = ["foo", "bar"]
  }
}

Given a resource like this, the finalized set of tags for the resource would be ["foo", "bar", "baz"].

resource "onepassword_item" "example" {
  tags = ["baz"]
}

Is there a workaround to accomplish this today?

None I'm aware of.

References & Prior Work

Documentation for first time users.

Currently reviewing the integration with Terraform and documentation could be better to get new users to this provider started.

When trying to find documentation on your website about this provider it points to this page, there seems to be no other documentation? This page is not enough unfortunately.

Example from documentation:

  vault = var.demo_vault
  uuid  = onepassword_item.demo_sections.uuid
}

When I would use the onepassword_item resource I wouldn't need the data object since I can directly use the outputs from the resource, data objects are meant to be used when the item is outside of terraform. Is there a way to find the UUID for objects that have not been created through Terraform? Please document getting the UUID.

When performing a terraform init I get:

│ Error: Invalid provider configuration
│ 
│ Provider "registry.terraform.io/1password/onepassword" requires explicit
│ configuration. Add a provider block to the root module and configure the
│ provider's required arguments as described in the provider documentation.
│ 
╵
╷
│ Error: URL for Connect API is not set. Either provide the "url" field in the provider configuration or set the OP_CONNECT_HOST environment variable
│ 
│   with provider["registry.terraform.io/1password/onepassword"],
│   on <input-prompt> line 1:
│   (source code not available)

Some documentation on how to get this URL would be helpful or basic info about the requirement for the Connect API would be nice. What I understand so far is that you need to create a connect server, pointing someone to this documentation on how to set this up would help. Initially, I tried to set this server up through the op CLI without success, from the documentation I gathered that this is not the way to do this and docker-compose / AWS / helm charts are the easiest way to get this. Is there a public API connect URL we could use as an alternative?

  A valid token for your 1Password Connect API. Can also be sourced from OP_CONNECT_TOKEN.

Some documentation could be helpful on how to generate this token.

Not a support question, just a request to document your provider.

Provide the suggested way to securely set up the provider in the documentation.

Currently, in the documentation we provide either this example to set up the provider

// README.md
provider "onepassword" {
  url = "http://localhost:8080"
}

or this

// README in Terraform Registry (`templates/index.md.tmpl` file)
provider "onepassword" {
  URL                   = "http://localhost:8080"
  token                 = "CONNECT_TOKEN"
  service_account_token = "SERVICE_ACCOUNT_TOKEN"
  op_cli_path           = "OP_CLI_PATH"
}

Setting the sensitive values (tokens) directly in the terraform script is not secure, as it can be accidentally pushed and potentially leak the secrets. Therefore, the suggested and more secure way to set up the provider is to use the environment variables OP_SERVICE_ACCOUNT_TOKEN (for service accounts) and OP_CONNECT_TOKEN (for Connect).

We need to update the documentation to reflect this.

Feature Request: allow onepassword_item resource to be created without a password

Summary

Allow some way for the password field to be left blank during resource creation.

Use cases

For some password entries it is not desirable to have a password field (for example AWS IAM access keys); a better format may be to use something like the following (created through the 1password website), where the secrets are stored in additional fields that can be named appropriately.


However, when using the Terraform resource, leaving out the password parameter leads to the generation of a new random password, which may not be desirable (explicitly setting it to an empty string has the same result).

Proposed solution

In order to maintain backwards compatibility a null, or "" password must continue to generate a new random password.
Instead, the password_recipe.length parameter can be modified to allow a password length of 0, or a new password_recipe.generate = False to be specified to disable the generation of random passwords.

Is there a workaround to accomplish this today?

As far as I can tell there is no way to not include the password field in any resources generated by Terraform. The closest I have been able to get is to set the password to a clearly non-password value such as not a real password.

References & Prior Work

Update examples & README to v1

Refs #7

The README and examples/ both reference 0.2 as the latest version. These should be updated for v1. I think the sources need to also be updated to point to the registry.

Field within the section is not created if `password_recipe` is specified.

Your environment

Terraform Provider Version: 1.2.1

Connect Server Version: 1.7.2

OS: macOS 14.1.1

Terraform Version: 1.4.6

What happened?

It doesn't create the field within the section if password_recipe is specified.

What did you expect to happen?

A field with a password is created within the section. It should work for both Connect and Service Accounts.

Steps to reproduce

  1. Define the following resource in your main.tf file
resource "onepassword_item" "demo_sections" {
  vault = "your_vault_id"

  title    = "Demo Terraform Item with Sections"
  category = "login"
  username = "[email protected]"

  section {
    label = "Terraform Section"

    field {
      label = "API_KEY"
      type  = "CONCEALED"
      value = "2Federate2!"
    }

    field {
      label = "HOSTNAME"
      value = "example.com"
    }
  }

  section {
    label = "Terraform Second Section"

    field {
      label = "App Specific Password"
      type  = "CONCEALED"

      password_recipe {
        length  = 40
        symbols = false
      }
    }

    field {
      label = "User"
      value = "demo"
    }
  }
}
  1. terraform apply
  2. Check the created item in 1Password Vault.
  3. See that there is no field with the label App Specific Password in the Terraform Second Section section.

Notes & Logs

This issue happens for Connect and Service Accounts.

Feature Request: Service Account support

Summary

Is there a plan to add service account support to Terraform?

Use cases

I have a private cluster and connection to 1Password would be a lot easier through a SA instead of having to deploy a Terraform Agent in the cluster

Proposed solution

Add SA support to the Terraform provider

Is there a workaround to accomplish this today?

Today I would have to deploy a Terraform Agent in the cluster and install the 1Password Operator to give access to secrets

References & Prior Work

  • GitHub Actions can use SA

Error: decoding error response: invalid character 'p' after top-level value

Your environment

Terraform Provider Version: v1.1.2

Connect Server Version:

OS: ubuntu / docker

Terraform Version: v1.0.3

What happened?

I'm trying to create a password in my test vault and it returns:

module.secrets.onepassword_item.sql_password: Creating...
╷
│ Error: decoding error response: invalid character 'p' after top-level value
│ 
│   with module.secrets.onepassword_item.test_password,
│   on modules/secrets/main.tf line 18, in resource "onepassword_item" "sql_password":
│   18: resource "onepassword_item" "sql_password" {
│ 
╵

What did you expect to happen?

It should successfully create a password when running terraform apply

Steps to reproduce

  1. create a vault for testing
  2. setup the secrets automation workflow, api tokens and such
  3. have following terraform config:
terraform {
  required_providers {
    onepassword = {
      source = "1Password/onepassword"
      version = "~> 1.1.2"
    }
  }
}

provider "onepassword" {
  url = "http://op-connect-api:8080"
}

data "onepassword_vault" "staging_vault" {
  name = "staging-test"
}

resource "onepassword_item" "sql_password" {
  vault = data.onepassword_vault.staging_vault.id

  title    = "SQL password - test"
  category = "password"
  password_recipe {
    length  = 40
    symbols = false
  }
}

  1. run terraform apply
  2. get the error mentioned above

If the error is valid which it very well might be, the error message should be more descriptive.

Recreate item when it is missing

Your environment

Terraform Provider Version: 1.1.4 (due to this bug on later versions)

Connect Server Version: latest which at this moment should be 1.7.1

OS: Linux (running the container that 1Password provides)

Terraform Version: v1.4.6

What happened?

I used the item resource to create an item in a vault. Then I deleted the item in the vault, and ran terraform again. Terraform threw an error after refresh saying that the item wasn't found.

What did you expect to happen?

I expected that terraform would recreate the item.

Steps to reproduce

  1. Create an item using the provider
  2. Delete the item
  3. Run terraform again

Notes & Logs

When changing item category generated password gets lost

Your environment

Terraform Provider Version: 1.0.0
Connect Server Version: 1.0.0

OS: macOs Big Sur 11.2.3

Terraform Version: 0.15.2

What happened?

Created a test op item with category: password with only a password recipe, all other variables blank. It creates the password item successfully and I see the password in the vault. When changing the category to login, terraform shows that it'll change the category type BUT it blanks out the password in the vault. Example code:

resource "onepassword_item" "item" {
  vault = var.vault

  title    = var.name // test
  category = var.category // password -> login

  username = var.username // default ""
  database = var.database // default ""
  hostname = var.hostname // default ""
  port     = var.port // default ""

  password_recipe {
    length  = 40
    symbols = false
  }
}


What did you expect to happen?

I expected it to change the category type successfully and the resource in vault would convert the item to login without it blanking out the password in vault.

If changing category types isn't possible, I would expect the provider to error out.

Steps to reproduce

  1. Run apply with category as password
  2. Run second apply with category as login

Use biometric unlock with Service Accounts.

Summary

If there is no Connect or service account token provided in the configuration, it can try to authenticate the op-cli with a biometric unlock.

Use cases

There is no Connect or service account token in the configuration, but provider still can authenticate op-cli using biometric unlock.

Proposed solution

Is there a workaround to accomplish this today?

Add an additional check during provider initialization to cover the case when no Connect or service account token is provided.

References & Prior Work

Error: decoding response: invalid character '<' looking for beginning of value while applying terraform code

Your environment

Terraform Provider Version:1.2.1

Connect Server Version:

OS:Windows

Terraform Version:Terraform v1.6.3
on windows_amd64

  • provider registry.terraform.io/1password/onepassword v1.2.1

What happened?

When I run terraform apply I get the error below:
2023-11-22T10:32:49.155+0100 [DEBUG] State storage *statemgr.Filesystem declined to persist a state snapshot
2023-11-22T10:32:49.156+0100 [ERROR] vertex "onepassword_item.demo_login" error: decoding response: invalid character '<' looking for beginning of value

│ Error: decoding response: invalid character '<' looking for beginning of value

│ with onepassword_item.demo_login,
│ on main.tf line 23, in resource "onepassword_item" "demo_login":
│ 23: resource "onepassword_item" "demo_login" {

│ Error: decoding response: invalid character '<' looking for beginning of value

│ with onepassword_item.demo_db,
│ on main.tf line 31, in resource "onepassword_item" "demo_db":
│ 31: resource "onepassword_item" "demo_db" {

I am trying with the exact code on the repo, except the URL. The credentials work perfectly with 1password CLI.

What did you expect to happen?

The 1password item should have been created.

Steps to reproduce

  1. Use the same example in the repo with my 1password URL configured. Vault id and service account token was given as input while running terraform plan using var.tfvars file. Terraform apply resulted in the error.

Notes & Logs
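As an added example, not code from the provider, the Go helper below shows how a Connect client can decode an item response so that the two failures reported on this page, "invalid character 'p' after top-level value" (the earlier issue) and "invalid character '<' looking for beginning of value" (this one), surface the HTTP status, the Content-Type and the start of the body instead of a bare decoder error. The item struct, the Content-Type check and the sample bodies are assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// item holds the few Connect item attributes this example reads
// (assumption: a stand-in for the provider's real item type).
type item struct {
	ID       string `json:"id"`
	Title    string `json:"title"`
	Category string `json:"category"`
}

// maxSnippet bounds how much of an unexpected body is echoed in an error,
// so a misrouted HTML page cannot flood the log.
const maxSnippet = 60

// snippet returns a single-line, truncated preview of a response body.
func snippet(b []byte) string {
	s := strings.ReplaceAll(string(b), "\n", " ")
	if len(s) > maxSnippet {
		s = s[:maxSnippet] + "..."
	}
	return s
}

// decodeItem decodes a Connect item response, turning the bare JSON decoder
// errors seen in the issues into errors that name the HTTP status, the
// Content-Type and the start of the body.
func decodeItem(status int, contentType string, body io.Reader) (*item, error) {
	raw, err := io.ReadAll(body)
	if err != nil {
		return nil, fmt.Errorf("reading response body: %w", err)
	}
	raw = bytes.TrimSpace(raw)

	// A body starting with '<' (or declared as HTML) is a web page, not the
	// Connect API: typically the provider URL points at the wrong server.
	if bytes.HasPrefix(raw, []byte("<")) || strings.HasPrefix(contentType, "text/html") {
		return nil, fmt.Errorf("expected JSON from Connect API, got %q with HTTP %d: %s",
			contentType, status, snippet(raw))
	}
	if status < 200 || status > 299 {
		return nil, fmt.Errorf("Connect API returned HTTP %d: %s", status, snippet(raw))
	}

	dec := json.NewDecoder(bytes.NewReader(raw))
	var it item
	if err := dec.Decode(&it); err != nil {
		return nil, fmt.Errorf("decoding item response (HTTP %d): %w; body starts with %s",
			status, err, snippet(raw))
	}
	// Anything left after the JSON document is the "after top-level value" case.
	if _, err := dec.Token(); err != io.EOF {
		return nil, fmt.Errorf("unexpected data after JSON item response: %s", snippet(raw))
	}
	return &it, nil
}

func main() {
	// Constructed bodies standing in for what the two issues observed.
	samples := []struct{ contentType, body string }{
		{"text/html", "<!DOCTYPE html><html><head><title>Sign in</title></head></html>"},
		{"application/json", `{"id":"abc","title":"SQL password - test"}plain text`},
		{"application/json", `{"id":"abc","title":"SQL password - test","category":"PASSWORD"}`},
	}
	for _, s := range samples {
		it, err := decodeItem(200, s.contentType, strings.NewReader(s.body))
		fmt.Printf("%-16s -> item=%+v err=%v\n", s.contentType, it, err)
	}
}
```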

1.2.0 use of sections does not work

When using version 1.2.0 the usage of sections stopped working as expected compared to versions 1.1.2 to 1.1.4:

```hcl
resource "onepassword_item" "workspace_details" {
  vault = var.vault_uuid

  title    = var.name
  category = "login" # Only supports login, database or notes

  password = var.token
  #username = "not-required"

  section {
    label = "Workspace"
    field {
      label = "workspace_id"
      type  = "STRING"
      value = var.workspace_id
    }
    field {
      label = "workspace_url"
      type  = "STRING"
      value = var.workspace_url
    }
  }
}
```

401 Unauthorized

Your environment

Terraform Provider Version: v1.0.2

Connect Server Version: v1.1.1

OS: macOS BigSur

Terraform Version: v0.15.3

What happened?

When running terraform apply I got a 401 Unauthorized error

What did you expect to happen?

Run success and create a new password item

Steps to reproduce

Run terraform apply

Notes & Logs

The server logs

2021-05-15 08:25:13 | stdout | {"log_message":"(I) POST /v1/vaults/bmtferd2cmdmi6ejx5jelmu4xy/items completed (401: Unauthorized)","timestamp":"2021-05-15T08:25:13.828612223Z","level":3,"scope":{"request_id":"3b110817-a0a0-4708-873d-02a29d91583a"}}
2021-05-15 08:25:13 | stdout | {"log_message":"(E) Server: (failed to unverifiedTokenFromRequest), 401: Invalid bearer token","timestamp":"2021-05-15T08:25:13.828472374Z","level":1,"scope":{"request_id":"3b110817-a0a0-4708-873d-02a29d91583a"}}
2021-05-15 08:25:13 | stdout | {"log_message":"(W) Server: (could not parse JWT), failed to ParseSigned: illegal base64 data at input byte 84","timestamp":"2021-05-15T08:25:13.828399163Z","level":2,"scope":{"request_id":"3b110817-a0a0-4708-873d-02a29d91583a"}}


Allow Section Fields LookUp by Title

Summary

Allow Section Fields LookUp by Title when using data "onepassword_item" resource.

Use cases

As a programmer, I would like to have a way to lookup a Section Field by Title.

Given the following secret:

{
  "overview": {
    "title": "my-title"
  },
  "details": {
    "sections": [
      {
        "name": "add more",
        "title": "",
        "fields": [
          {
            "t": "DO_ACCESS_TOKEN",
            "k": "concealed"
          },
          {
            "t": "DO_SPACES_ACCESS_ID",
            "k": "concealed"
          },
          {
            "t": "DO_SPACES_ACCESS_KEY",
            "k": "concealed"
          }
        ]
      }
    ]
  }
}

I would like to be able to use the title (in this case DO_ACCESS_TOKEN) of the field.

data "onepassword_item" "main" {}

resource "terraform_data" "do_access_token" {
  input = data.onepassword_item.my-title.section.fields["DO_ACCESS_TOKEN"]
}

Proposed solution

Introduce fields (plural), or a breaking change (🤷🏻), in order to look up the fields by title.

Otherwise, document how I am supposed to do this, because my skills are limited and I can not find a simple way to do it.
I am not sure what I am doing wrong here.

Is there a workaround to accomplish this today?

I think that you loop through the fields, match on the field name, get the value back into a local and then use it! 😭

References & Prior Work

Section and field labels' case is not preserved.

Your environment

Terraform Provider Version: 1.1.4

Connect Server Version: 1.5.1

OS: macOS

Terraform Version:1.1.7

What happened?

Define an item in 1password and assign a new section to it, "DATA" say. Inside this section, define a field, "appName" say. When calling this item using onepassword_item, the sections' label is "Data" and the label of the mentioned field is "appname".

What did you expect to happen?

Sections' label should be "DATA" and fields' label should be "appName", i.e. the case should be preserved.
At least, both labels should be consistently modified => "data", "appname".

Steps to reproduce

As described above.

Notes & Logs

For the field's name, the provider explicitly converts it to lower case

dataField["label"] = strings.ToLower(f.Label)

The label of the section, however, is not modified in the provider. It is returned from a call to the sdk

github.com/1Password/connect-sdk-go

and there, just a

json.Unmarshal(body, result)

is called. Thus, the conversion needs to happen either in connect, or returned from 1password API, directly.

Edit notes field

Summary

Add Notes to the optional schema for the onepassword_item resource

Use cases

It would be helpful to be able to edit the Notes field in onepassword through the Terraform integration. This would provide an additional feature match to what can be done through OnePassword UI.

Our specific request revolves around adding a note to reference that the item is managed by Terraform. We can do this through a tag, but the ideal solution would be to expose the notes as a modifiable attribute.

1Password Documents

Summary

Add the ability to retrieve (with a new or existing data in terraform) and store (with a new or existing terraform resources) files (document category).

Use cases

We save some private and secure documents in our vault, like SSH private keys or other certificates.
We would like to retrieve them with the terraform provider to avoid having to retrieve those files from our filesystem.

Proposed solution

From this discussion on your community forum (https://1password.community/discussion/120671/secrets-automation-1password-documents), it seems that the connect-api now supports files (https://support.1password.com/connect-api-reference/#get-file-content) and has for a few months (since August 2021).

Don't hesitate to ask more details if needed!

Publish a new release of the provider

Hello, it seems the latest released version of the provider is v1.1.4, which was released back in January.

Looking at this repository history, it seems that several changes have been merged to main (see here) that address a couple of bug fixes and other improvements such as #70 or #69 that would be nice to have.

If this is not the place to request such a thing, please let me know.

Thank you!

Can't get secure_note value from Provider

Your environment


Terraform Provider Version:
Terraform v1.1.9
on darwin_amd64

Connect Server Version: ~> 1.0.1

OS: macOS

Terragrunt Version:
terragrunt version v0.36.8

Connect Server Version:

1.5.1

What happened?


I'm trying to pull secure_note content with the provider and there is no field for it.

This is the terraform (masked) output:

  {
    "category" = "secure_note"
    "database" = null
    "hostname" = null
    "id" = "vaults/***/items/ov3e2sgbt2hufhxjej3vseosei"  ## <<< note the ID
    "password" = null
    "port" = null
    "section" = []
    "tags" = [
      "***",
    ]
    "title" = "***"
    "type" = null
    "url" = null
    "username" = null
    "uuid" = "***"
    "vault" = "***"
  },

While from the curl output I can get more detailed info:

❯ curl \
-H "Accept: application/json" \
-H "Authorization: Bearer $OP_API_TOKEN" \
http://localhost:8050/v1/vaults/*****/items/ov3e2sgbt2hufhxjej3vseosei | jq -r
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2837    0  2837    0     0  15257      0 --:--:-- --:--:-- --:--:-- 17621
{
  "id": "ov3e2sgbt2hufhxjej3vseosei",
  "title": "****",
  "tags": [
    "***"
  ],
  "version": 3,
  "vault": {
    "id": "***"
  },
  "category": "SECURE_NOTE",
  "last_edited_by": "***",
  "created_at": "2022-04-27T08:48:32Z",
  "updated_at": "2022-05-01T11:39:08Z",
  "fields": [
    {
      "id": "notesPlain",
      "type": "STRING",
      "purpose": "NOTES",
      "label": "notesPlain",
      "value": "{<GOOD VALUE>"    ## <<<<<< Where is this in the output from the provider?  <<< *THIS IS WHAT I WANT*
    }
  ]
}

What did you expect to happen?


The information from the secure_note.

I want .fields[0].value

Steps to reproduce

Here is my Terraform code:
( I pass an array of secrets to retrieve)

variable "vault_name" {
  description = "The name of the Vault"

}
data "onepassword_vault" "this_vault" {
  # uuid  = var.vault_id
  name = var.vault_name
}
locals {
  secrets = toset(var.onepassword_secrets)
  env     = upper(var.env)
}

data "onepassword_item" "onepassword_secrets" {
  vault    = data.onepassword_vault.this_vault.uuid
  for_each = local.secrets
  title    = "${local.env} | ${each.key}"
}

Notes & Logs


All other passwords/tokens received correctly.

Only the secure_note doesn't even have a field for the info.

For database items hostname is not set because label is server not hostname as the item schema expects

Your environment

Terraform Provider Version: 1.1.4
Connect Server Version: 1.10.0
OS: Terraform Cloud so probably Ubuntu
Terraform Version: Latest (1.4.2)

What happened?

Hostname for database category items is not set

What did you expect to happen?

Hostname for database items should be set

Steps to reproduce

  1. Create a database item in 1password
  2. Use the data resource for item to access the item
  3. The hostname field will be null instead of the value

Notes & Logs

The problem stems from onepassword/data_source_onepassword_item.go lines 211 to 222, specifically line 220:

	for _, f := range item.Fields {
		switch f.Purpose {
		case "USERNAME":
			data.Set("username", f.Value)
		case "PASSWORD":
			data.Set("password", f.Value)
		case "NOTES":
			data.Set("note_value", f.Value)
		default:
			if f.Section == nil {
				data.Set(strings.ToLower(f.Label), f.Value)
			}
		}
	}

In the case of database items, Connect sends an ID of hostname but the label is set to server; they probably should both be server, as that makes more sense for a database.

The best workaround I could come up with that didn't require a major refactor was to set that section like this:

	for _, f := range item.Fields {
		switch f.Purpose {
		case "USERNAME":
			data.Set("username", f.Value)
		case "PASSWORD":
			data.Set("password", f.Value)
		case "NOTES":
			data.Set("note_value", f.Value)
		default:
			if f.Section == nil {
				if f.Label == "server" {
					data.Set(strings.ToLower(f.ID), f.Value)
				} else {
					data.Set(strings.ToLower(f.Label), f.Value)
				}
			}
		}
	}

Basically, use the ID instead of the label for server; this gets around the schema validation. Another option would be to solve the naming issue in 1password connect and use hostname or server for both ID and label.
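As an added example, not the provider's own code, the Go program below reproduces the data source's field loop twice against a constructed database item: once as written (key = lowercased label, the same lowercasing the "labels' case is not preserved" issue above reports) and once with the ID-for-server workaround, recording which keys a schema-bound data.Set would reject. The connectField type, the dataSourceSchema set and the sample field values are assumptions (the schema names are taken from the attribute names visible in the terraform output earlier on this page).

```go
package main

import (
	"fmt"
	"strings"
)

// connectField is the subset of a Connect item field used here
// (assumption: names follow the connect-sdk-go Item field shown in the issue).
type connectField struct {
	ID      string
	Label   string
	Purpose string
	Value   string
	Section *string // non-nil when the field belongs to a section
}

// dataSourceSchema lists the top-level attributes the onepassword_item data
// source accepts for non-purpose fields (assumption, from the attribute names
// in the terraform output shown earlier on this page).
var dataSourceSchema = map[string]bool{
	"hostname": true, "database": true, "port": true, "type": true, "url": true,
}

// mapTopLevelFields reproduces the data source's field loop. With
// useIDForServer=false it behaves like the original loop (key = lowercased
// label); with true it applies the issue's workaround (key = lowercased field
// ID when the label is "server"). It returns the attributes that pass the
// schema and the keys the schema would reject, which the original loop
// silently drops because the data.Set error is never checked.
func mapTopLevelFields(fields []connectField, useIDForServer bool) (attrs map[string]string, rejected []string) {
	attrs = map[string]string{}
	for _, f := range fields {
		switch f.Purpose {
		case "USERNAME":
			attrs["username"] = f.Value
		case "PASSWORD":
			attrs["password"] = f.Value
		case "NOTES":
			attrs["note_value"] = f.Value
		default:
			if f.Section != nil {
				continue // section fields are exposed under "section", not here
			}
			key := strings.ToLower(f.Label)
			if useIDForServer && f.Label == "server" {
				key = strings.ToLower(f.ID)
			}
			if !dataSourceSchema[key] {
				rejected = append(rejected, key) // data.Set would fail here
				continue
			}
			attrs[key] = f.Value
		}
	}
	return attrs, rejected
}

// databaseItemFields is a constructed Connect response for a database item:
// the hostname field carries id "hostname" but label "server", as described.
func databaseItemFields() []connectField {
	return []connectField{
		{ID: "username", Label: "username", Purpose: "USERNAME", Value: "app"},
		{ID: "password", Label: "password", Purpose: "PASSWORD", Value: "constructed-secret"},
		{ID: "hostname", Label: "server", Value: "db.example.internal"},
		{ID: "port", Label: "port", Value: "5432"},
		{ID: "database", Label: "database", Value: "app_db"},
	}
}

func main() {
	for _, fix := range []bool{false, true} {
		attrs, rejected := mapTopLevelFields(databaseItemFields(), fix)
		fmt.Printf("workaround=%v hostname=%q rejected=%v\n", fix, attrs["hostname"], rejected)
	}
}
```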

List vault items

Summary

Would be nice to get an items list when accessing data.onepassword_vault.

Use cases

I want to use a dedicated and shared vault to store and manage application secrets. Then I would do something like this to create the secrets in my provider's secret manager:

data "onepassword_vault" "secrets" {
  name = "My Vault"
}

data "onepassword_item" "secrets" {
  for_each = data.onepassword_vault.secrets.items
  vault    = data.onepassword_vault.secrets.id
  uuid     = each.key
}

resource "myprovider_secret_manager" "secrets" {
  for_each = data.onepassword_vault.secrets.items
  name     = data.onepassword_item.secrets[each.key].password.key
  value    = data.onepassword_item.secrets[each.key].password.value
}

Is there a workaround to accomplish this today?

The current workaround would be to use one big item with each secret as a password field.
