Use the 1Password Terraform provider

With the 1Password Terraform provider , you can reference, create, or update items in your vaults using a 1Password Connect Server, a 1Password Service Account, or the 1Password desktop app.

Requirements

Connect server

• Create a Connect server.

Service account

• Create a service account

1Password app

• Install the latest beta release of the 1Password desktop app.

tip

If you don't see the option to update to the latest beta in the app, you can download it directly for Mac, Windows, or Linux.

Get started

Connect server

To use the 1Password Terraform provider with a Connect server:

1. Specify the Connect server token.

   You can set this value with the OP_CONNECT_TOKEN environment variable or with the connect_token field in the provider configuration.

2. Specify the Connect server hostname, URL, or IP address.

   You can set this value with the OP_CONNECT_HOST environment variable or with the connect_url field in the provider configuration.

Service account

To use the 1Password Terraform provider with a service account, you'll need to provide your service account token.

You can set this value with the OP_SERVICE_ACCOUNT_TOKEN environment variable or with the service_account_token field in the provider configuration.

1Password app

First, turn on the "Integrate with other apps" setting in the 1Password desktop app. If you don't see this setting, make sure you've installed the beta version of the app.

Mac

1. Open and unlock the 1Password app.
2. Select your account or collection at the top of the sidebar.
3. Navigate to Settings > Developer.
4. Under Integrate with the 1Password SDKs, select Integrate with other apps.
5. If you want to authenticate with Touch ID, navigate to Settings > Security, then turn on Unlock using Touch ID.

Windows

1. Open and unlock the 1Password app.
2. Select your account or collection at the top of the sidebar.
3. Navigate to Settings > Developer.
4. Under Integrate with the 1Password SDKs, select Integrate with other apps.
5. If you want to authenticate with Windows Hello, navigate to Settings > Security, then turn on Unlock using Windows Hello.

Linux

1. Open and unlock the 1Password app.
2. Select your account or collection at the top of the sidebar.
3. Navigate to Settings > Developer.
4. Under Integrate with the 1Password SDKs, select Integrate with other apps.
5. If you want to authenticate the same way you sign in to your Linux account, navigate to Settings > Security, then turn on Unlock using system authentication.

Then provide your account name or ID in the provider configuration:

1. Get the name of your 1Password account as it appears at the top of the left sidebar in the 1Password desktop app. Alternatively, you can use 1Password CLI to run op account get to find your account ID.
2. Set the OP_ACCOUNT environment variable or account in the provider configuration to your account name or ID.

Run a Terraform command that requires authentication, and you'll be prompted to authenticate in the same way you unlock your 1Password app, like with biometrics or your 1Password account password.

Reference

The following sections contain reference information for the 1Password Terraform provider:

• Configuration
• Resources
• Data sources

Configuration

The 1Password Terraform provider has fields you must set before you can use it with a 1Password Connect server, service account, or the 1Password desktop app. The following table describes each field.

Field	Type	Description	Required
connect_token	String	A valid token for the 1Password Connect server. You can also source the value from the OP_CONNECT_TOKEN environment variable.	Required if using a Connect server.
connect_url	String	The HTTP(s) URL of the 1Password Connect server. You can also source the value from the OP_CONNECT_HOST environment variable.	Required if using a Connect server.
service_account_token	String	A valid token for the 1Password Service Account. You can also source the value from the OP_SERVICE_ACCOUNT_TOKEN environment variable.	Required if using a service account.
account	String	The 1Password account name as it appears at the top left of the sidebar in the 1Password desktop app. Alternatively, the 1Password account ID. You can also source the value from the ACCOUNT environment variable.	Required if using the 1Password desktop app integration.

You can use the following environment variables to specify configuration values.

Environment variable	Description	Configuration field
OP_CONNECT_TOKEN	A valid token for the 1Password Connect server.	connect_token
OP_CONNECT_HOST	The hostname, IP address, or URL of the 1Password Connect server.	connect_url
OP_SERVICE_ACCOUNT_TOKEN	A valid token for the 1Password Service Account.	service_account_token
OP_ACCOUNT	The 1Password account name as it appears at the top left of the sidebar in the 1Password desktop app. Alternatively, the 1Password account ID.	account

Configuration examples

The following code blocks show configuration examples.

tip

The following examples use environment variables. Make sure to set the environment variables beforehand or use plain text.

Connect server

The following example shows a provider configuration using a Connect server:

connect-example.tf

Service account

The following example shows a provider configuration using a service account:

service-account-example.tf

1Password app

The following example shows a provider configuration using the 1Password desktop app:

1password-account-example.tf

Resources

The 1Password Terraform provider has the following resources:

• onepassword_item resource

Item resource

The onepassword_item resource represents a 1Password item. You can import a onepassword_item with the following syntax:

Schema

The following tables describe the onepassword_item resource schema.

Field	Type	Description	Required	Access
vault	String	The UUID of the vault the item is in.	Yes	Read-Write
category	String	The category of the item. Acceptable values: login, password, or database.	No	Read-Write
database	String	The name of the database. Only applies to the database category.	No	Read-Write
hostname	String	The address where the database can be found. Only applies to the database category.	No	Read-Write
password	String, Sensitive	The password for the item.	No	Read-Write
password_recipe	Block List, Max: 1	The password recipe for the item. Only applies to Login and Password items. See password_recipe.	No	Read-Write
port	String	The port the database is listening on. Only applies to the database category.	No	Read-Write
section	Block List	A list of custom sections in the item. See section.	No	Read-Write
tags	List of String	An array of strings representing the tags assigned to the item.	No	Read-Write
title	String	The title of the item.	No	Read-Write
type	String	The type of database. Only applies to the database category. Acceptable values: db2, filemaker, msaccess, mssql, mysql, oracle, postgresql, sqlite or other.	No	Read-Write
url	String	The primary URL for the item.	No	Read-Write
username	String	The username for the item.	No	Read-Write
id	String	The Terraform resource identifier for the item in the format vaults/<vault_id>/items/<item_id>.	N/A	Read-Only
uuid	String	The UUID of the item. Item identifiers are unique within a specific vault.	N/A	Read-Only

password_recipe

tip

Password recipes can only be added to Login and Password items.

The nested schema for the password_recipe field:

Field	Type	Description	Required	Access
digits	Boolean	Use digits [0-9] when generating the password.	No	Read-Write
length	Number	The length of the password to be generated.	No	Read-Write
symbols	Boolean	Use symbols [!@.-_*] when generating the password.	No	Read-Write

section

The nested schema for the section field:

Field	Type	Description	Required	Access
label	String	The label for the section.	Yes	Read-Write
field	Block List	A list of custom fields in the section. See section.field.	No	Read-Write
id	String	A unique identifier for the section.	N/A	Read-Only

section.field

The nested schema for the section.field field:

Field	Type	Description	Required	Access
label	String	The label for the field.	Yes	Read-Write
id	String	A unique identifier for the field.	No	Read-Write
password_recipe	String	The password for the item. Only applies to Login and Password items. See section.field.password_recipe.	No	Read-Write
purpose	String	The purpose indicates this is a special field: a username, password, or notes field. Acceptable values: USERNAME, PASSWORD, or NOTES.	No	Read-Write
type	String	The type of value stored in the field. Acceptable values: STRING, EMAIL, CONCEALED, URL, OTP, DATE, MONTH_YEAR, or MENU.	No	Read-Write
value	String, Sensitive	The value of the field.	No	Read-Write

section.field.password_recipe

tip

Password recipes can only be added to Login and Password items.

The nested schema for the section.field.password_recipe field:

Field	Type	Description	Required	Access
digits	Boolean	Use digits [0-9] when generating the password.	No	Read-Write
length	Number	The length of the password to be generated.	No	Read-Write
symbols	Boolean	Use symbols [!@.-_*] when generating the password.	No	Read-Write

Example

The following code block shows an example usage of the onepassword_item resource.

resource.tf

Data sources

The 1Password Terraform provider has the following data sources:

• onepassword_item data source
• onepassword_vault data source

Item data source

Use the onepassword_item data source to get details of a 1Password item. You can identify an item by its vault UUID and either the item's title or UUID.

Schema

The following tables describe the onepassword_item resource schema.

Field	Type	Description	Required	Access
vault	String	The UUID of the vault the item is in.	Yes	Read-Write
note_value	String, Sensitive	The Secure Note value.	No	Read-Write
title	String	The title of the item to retrieve. This field populates with the title of the item if the item is looked up by its UUID.	No	Read-Write
uuid	String	The UUID of the item to retrieve. This field populates with the UUID of the item if the item is looked up by its title.	No	Read-Write
category	String	The category of the item. Acceptable values: login, password, or database.	No	Read-Only
database	String	The name of the database. Only applies to the database category.	No	Read-Only
hostname	String	The address where the database can be found. Only applies to the database category.	No	Read-Only
id	String	The Terraform resource identifier for the item in the format vaults/<vault_id>/items/<item_id>.	No	Read-Only
password	String, Sensitive	The password for the item.	No	Read-Only
port	String	The port the database is listening on. Only applies to the database category.	No	Read-Only
section	List of Object	A list of custom sections in an item.	No	Read-Only
tags	List of String	An array of strings of the tags assigned to the item.	No	Read-Only
type	String	The type of database. Only applies to the database category. Acceptable values: db2, filemaker, msaccess, mssql, mysql, oracle, postgresql, sqlite, or other.	No	Read-Only
url	String	The primary URL for the item.	No	Read-Only
username	String	The username for the item.	No	Read-Only

section

The nested schema for the section field:

Field	Type	Description	Required	Access
field	List of Object	A list of custom fields in the section. See section.field.	N/A	Read-Only
id	String	A unique identifier for the section.	N/A	Read-Only
label	String	The label for the section.	N/A	Read-Only

section.field

The nested schema for the section.field field:

Field	Type	Description	Required	Access
id	String	A unique identifier for the field.	N/A	Read-Only
label	String	The label for the field.	N/A	Read-Only
purpose	String	The purpose indicates this is a special field: a username, password, or notes field. Acceptable values: USERNAME, PASSWORD, or NOTES.	N/A	Read-Only
type	String	The type of value stored in the field. Acceptable values: STRING, EMAIL, CONCEALED, URL, OTP, DATE, MONTH_YEAR, or MENU.	N/A	Read-Only
value	String, Sensitive	The value of the field.	N/A	Read-Only

Example

The following example shows how to use the onepassword_item data source.

data-source.tf

Vault data source

Use the onepassword_vault data source to get details of a vault. You can identify a vault with the vault name or UUID.

Schema

The following tables describe the onepassword_item resource schema.

Field	Type	Description	Required	Access
name	String	The name of the vault to retrieve. This field populates with the name of the vault if the vault is looked up by its UUID.	No	Read-Write
uuid	String	The UUID of the vault to retrieve. This field populates with the UUID of the vault if the vault is looked up by its name.	No	Read-Write
description	String	The description of the vault.	No	Read-Only
id	String	The Terraform resource identifier for this item in the format vaults/<vault_id>.	No	Read-Only

Learn more

• Changelog