Use the 1Password Terraform provider
With the 1Password Terraform provider, you can reference, create, or update items in your vaults using a 1Password Connect Server, a 1Password Service Account, or your 1Password account and biometrics.
Requirements
- Connect server
- 1Password CLI
- Install 1Password CLI, version 2.23.0 or later.
- Optional: Create a service account. Only required if you plan to authenticate with a service account instead of your 1Password account.
You must install 1Password CLI on the machine running Terraform. Refer to the Terraform documentation to learn how to install 1Password CLI on Terraform Cloud.
Get started
- Connect server
- 1Password CLI
To use the 1Password Terraform provider with a Connect server:
- Specify the Connect server token. You can set this value with the OP_CONNECT_TOKEN environment variable or with the `token` field in the provider configuration.
- Specify the Connect server hostname, URL, or IP address. You can set this value with the OP_CONNECT_HOST environment variable or with the `url` field in the provider configuration.
You can use the 1Password Terraform provider with 1Password CLI. You can authenticate 1Password CLI with a service account or with your 1Password account and biometrics.
Learn about the retry mechanism
The retry mechanism applies when you use the 1Password Terraform provider with 1Password CLI. It exists because 1Password doesn't allow parallel modification of items located in the same vault.
If you use a service account, keep in mind that each retry counts against the service account rate limit, so you reach that limit sooner.
It's recommended to limit the number of parallel resource operations. You can do this by using the `-parallelism=n` flag when running `terraform apply`, where `n` is the number of parallel resource operations (the default is 10).
- Service account
- 1Password account and biometrics
To use the 1Password Terraform provider with a service account:
- Specify the 1Password CLI installation path. You can set this value with the OP_CLI_PATH environment variable or with the `op_cli_path` field in the provider configuration.
- Specify the service account token. You can set this value with the OP_SERVICE_ACCOUNT_TOKEN environment variable or with the `service_account_token` field in the provider configuration.
To use the 1Password Terraform provider with your 1Password account and biometrics:
- Specify the 1Password CLI installation path. You can set this value with the OP_CLI_PATH environment variable or with the `op_cli_path` field in the provider configuration.
- Run `op account ls` in the terminal to find the sign-in address or account ID. The output lists each account's URL and USER ID.
- Set the OP_ACCOUNT environment variable or `account` in the provider configuration to the URL or USER ID value from the previous step.
- When you run a Terraform command that requires authentication, 1Password prompts you to authenticate using your system authentication method.
Reference
The following sections contain reference information for the 1Password Terraform provider:
Configuration
The 1Password Terraform provider has fields you must set before you can use it with a Connect server or 1Password CLI. The following table describes each field.
Field | Type | Description | Required |
---|---|---|---|
`op_cli_path` | String | The path to the 1Password CLI binary. You can also source the value from the OP_CLI_PATH environment variable. The default value is `op`. | No. |
`service_account_token` | String | A valid token for the 1Password Service Account. You can also source the value from the OP_SERVICE_ACCOUNT_TOKEN environment variable. | Required if using a service account. |
`token` | String | A valid token for the 1Password Connect server. You can also source the value from the OP_CONNECT_TOKEN environment variable. | Required if using a Connect server. |
`url` | String | The HTTP(s) URL of the 1Password Connect server. You can also source the value from the OP_CONNECT_HOST environment variable. | Required if using a Connect server. |
You can use the following environment variables to specify configuration values.
Environment variable | Description | Configuration field |
---|---|---|
OP_CLI_PATH | The path to the 1Password CLI binary. | `op_cli_path` |
OP_SERVICE_ACCOUNT_TOKEN | A valid token for the 1Password Service Account. | `service_account_token` |
OP_CONNECT_TOKEN | A valid token for the 1Password Connect server. | `token` |
OP_CONNECT_HOST | The hostname, IP address, or URL of the 1Password Connect server. | `url` |
OP_ACCOUNT | The 1Password user account. | `account` |
Configuration examples
The following code blocks show configuration examples.
The following examples read their values from environment variables. Set the environment variables before you run Terraform, or replace them with plain-text values in the provider configuration.
- Connect server
- Service account
- 1Password account
The following example shows a provider configuration using a Connect server:
connect-example.tf
The following example shows a provider configuration using a service account:
service-account-example.tf
The following example shows a provider configuration using a 1Password account:
1password-account-example.tf
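The three provider configurations described above, collected in one file as an added example. This is not the page's own connect-example.tf, service-account-example.tf or 1password-account-example.tf, which are not reproduced here. It assumes the provider is installed from the Terraform Registry as 1Password/onepassword; the alias names, the variable name and the placeholder URL, path and account are illustrative. In a real configuration you keep only the one provider block that matches your setup and drop its `alias`.

```hcl
terraform {
  required_providers {
    onepassword = {
      source = "1Password/onepassword"
    }
  }
}

# Connect server. The token is read from OP_CONNECT_TOKEN in the environment so
# it never lands in version control; only the non-secret URL is written here.
provider "onepassword" {
  alias = "connect"                 # illustrative alias; drop it if this is your only provider block
  url   = var.connect_url           # or set OP_CONNECT_HOST instead of this field
  # token = "..."                   # prefer OP_CONNECT_TOKEN over a literal token
}

variable "connect_url" {
  type        = string
  description = "HTTP(s) URL of the 1Password Connect server (not a secret)."
  default     = "https://connect.example.internal" # placeholder value
}

# Service account. The provider shells out to 1Password CLI, so op_cli_path must
# resolve on the machine running Terraform. OP_SERVICE_ACCOUNT_TOKEN supplies the token.
provider "onepassword" {
  alias       = "service_account"
  op_cli_path = "/usr/local/bin/op" # illustrative path; the default is "op" on PATH
  # service_account_token = "..."   # prefer OP_SERVICE_ACCOUNT_TOKEN over a literal token
}

# 1Password account with biometrics. account is the URL or USER ID printed by
# `op account ls`; Terraform commands that need authentication trigger a system prompt.
provider "onepassword" {
  alias       = "biometrics"
  op_cli_path = "/usr/local/bin/op"
  account     = "my.1password.com"  # placeholder; or set OP_ACCOUNT instead
}
```

With the CLI-backed variants, the retry mechanism described above applies, so it is worth running `terraform apply -parallelism=1` (or another small `n`) when many items in the same vault change in one run, and more so with a service account, whose rate limit every retry consumes.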
Resources
The 1Password Terraform provider has the following resources:
Item resource
The `onepassword_item` resource represents a 1Password item. You can import a `onepassword_item` with the following syntax:
Schema
The following tables describe the `onepassword_item` resource schema.
Field | Type | Description | Required | Access |
---|---|---|---|---|
`vault` | String | The UUID of the vault the item is in. | Yes | Read-Write |
`category` | String | The category of the item. Acceptable values: `login`, `password`, or `database`. | No | Read-Write |
`database` | String | The name of the database. Only applies to the `database` category. | No | Read-Write |
`hostname` | String | The address where the database can be found. Only applies to the `database` category. | No | Read-Write |
`password` | String, Sensitive | The password for the item. | No | Read-Write |
`password_recipe` | Block List, Max: 1 | The password recipe for the item. Only applies to Login and Password items. See `password_recipe`. | No | Read-Write |
`port` | String | The port the database is listening on. Only applies to the `database` category. | No | Read-Write |
`section` | Block List | A list of custom sections in the item. See `section`. | No | Read-Write |
`tags` | List of String | An array of strings representing the tags assigned to the item. | No | Read-Write |
`title` | String | The title of the item. | No | Read-Write |
`type` | String | The type of database. Only applies to the `database` category. Acceptable values: `db2`, `filemaker`, `msaccess`, `mssql`, `mysql`, `oracle`, `postgresql`, `sqlite` or `other`. | No | Read-Write |
`url` | String | The primary URL for the item. | No | Read-Write |
`username` | String | The username for the item. | No | Read-Write |
`id` | String | The Terraform resource identifier for the item in the format `vaults/<vault_id>/items/<item_id>`. | N/A | Read-Only |
`uuid` | String | The UUID of the item. Item identifiers are unique within a specific vault. | N/A | Read-Only |
password_recipe
Password recipes can only be added to Login and Password items.
The nested schema for the `password_recipe` field:
Field | Type | Description | Required | Access |
---|---|---|---|---|
`digits` | Boolean | Use digits [0-9] when generating the password. | No | Read-Write |
`length` | Number | The length of the password to be generated. | No | Read-Write |
`letter` | Boolean | Use letters [a-zA-Z] when generating the password. | No | Read-Write |
`symbols` | Boolean | Use symbols [!@.-_*] when generating the password. | No | Read-Write |
section
The nested schema for the `section` field:
Field | Type | Description | Required | Access |
---|---|---|---|---|
`label` | String | The label for the section. | Yes | Read-Write |
`field` | Block List | A list of custom fields in the section. See `section.field`. | No | Read-Write |
`id` | String | A unique identifier for the section. | N/A | Read-Only |
section.field
The nested schema for the `section.field` field:
Field | Type | Description | Required | Access |
---|---|---|---|---|
`label` | String | The label for the field. | Yes | Read-Write |
`id` | String | A unique identifier for the field. | No | Read-Write |
`password_recipe` | String | The password for the item. Only applies to Login and Password items. See `section.field.password_recipe`. | No | Read-Write |
`purpose` | String | The purpose indicates this is a special field: a username, password, or notes field. Acceptable values: `USERNAME`, `PASSWORD`, or `NOTES`. | No | Read-Write |
`type` | String | The type of value stored in the field. Acceptable values: `STRING`, `EMAIL`, `CONCEALED`, `URL`, `OTP`, `DATE`, `MONTH_YEAR`, or `MENU`. | No | Read-Write |
`value` | String, Sensitive | The value of the field. | No | Read-Write |
section.field.password_recipe
Password recipes can only be added to Login and Password items.
The nested schema for the `section.field.password_recipe` field:
Field | Type | Description | Required | Access |
---|---|---|---|---|
`digits` | Boolean | Use digits [0-9] when generating the password. | No | Read-Write |
`length` | Number | The length of the password to be generated. | No | Read-Write |
`letter` | Boolean | Use letters [a-zA-Z] when generating the password. | No | Read-Write |
`symbols` | Boolean | Use symbols [!@.-_*] when generating the password. | No | Read-Write |
Example
The following code block shows an example usage of the `onepassword_item` resource.
resource.tf
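An added example of the `onepassword_item` resource, written for this page and not the resource.tf file it originally showed. It creates a Login item whose password 1Password generates from a `password_recipe`, so no secret is ever written into the configuration, and it records ownership metadata in a custom section. The vault UUID variable, titles, labels and values are illustrative; the `terraform import` comment applies the `vaults/<vault_id>/items/<item_id>` identifier format from the schema table with placeholders.

```hcl
variable "vault_uuid" {
  type        = string
  description = "UUID of the vault that holds the managed item (illustrative)."
  default     = "REPLACE_WITH_VAULT_UUID" # placeholder, not a real identifier
}

resource "onepassword_item" "app_login" {
  vault    = var.vault_uuid
  title    = "orders-api service login"
  category = "login"
  username = "orders-api"
  url      = "https://orders.example.internal"
  tags     = ["terraform", "production"]

  # Recipes apply to Login and Password items only. Letting 1Password generate
  # the value keeps the secret out of the .tf file and out of code review.
  password_recipe {
    length  = 32
    digits  = true
    symbols = true
  }

  # Custom section for non-secret metadata that helps with rotation and audit.
  section {
    label = "Ownership"

    field {
      label = "Owner team"
      type  = "STRING"
      value = "platform-security"
    }

    field {
      label = "Rotation policy"
      type  = "STRING"
      value = "rotate every 90 days"
    }
  }
}

# The password attribute is sensitive; marking the output sensitive as well keeps
# Terraform from printing it during plan and apply.
output "app_login_password" {
  value     = onepassword_item.app_login.password
  sensitive = true
}

# To adopt an item that already exists in the vault instead of creating a new one:
#   terraform import onepassword_item.app_login vaults/<vault_id>/items/<item_id>
```

Note that a generated password is still written to Terraform state in clear text, as with any sensitive attribute; the `sensitive` flag only affects console output, so the state backend needs the same access controls as the vault itself.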
Data sources
The 1Password Terraform provider has the following data sources:
Item data source
Use the `onepassword_item` data source to get details of a 1Password item. You can identify an item by its vault UUID and either the item's title or UUID.
Schema
The following tables describe the `onepassword_item` data source schema.
Field | Type | Description | Required | Access |
---|---|---|---|---|
`vault` | String | The UUID of the vault the item is in. | Yes | Read-Write |
`note_value` | String, Sensitive | The Secure Note value. | No | Read-Write |
`title` | String | The title of the item to retrieve. This field populates with the title of the item if the item is looked up by its UUID. | No | Read-Write |
`uuid` | String | The UUID of the item to retrieve. This field populates with the UUID of the item if the item is looked up by its title. | No | Read-Write |
`category` | String | The category of the item. Acceptable values: `login`, `password`, or `database`. | No | Read-Only |
`database` | String | The name of the database. Only applies to the `database` category. | No | Read-Only |
`hostname` | String | The address where the database can be found. Only applies to the `database` category. | No | Read-Only |
`id` | String | The Terraform resource identifier for the item in the format `vaults/<vault_id>/items/<item_id>`. | No | Read-Only |
`password` | String, Sensitive | The password for the item. | No | Read-Only |
`port` | String | The port the database is listening on. Only applies to the `database` category. | No | Read-Only |
`section` | List of Object | A list of custom sections in an item. | No | Read-Only |
`tags` | List of String | An array of strings of the tags assigned to the item. | No | Read-Only |
`type` | String | The type of database. Only applies to the `database` category. Acceptable values: `db2`, `filemaker`, `msaccess`, `mssql`, `mysql`, `oracle`, `postgresql`, `sqlite`, or `other`. | No | Read-Only |
`url` | String | The primary URL for the item. | No | Read-Only |
`username` | String | The username for the item. | No | Read-Only |
section
The nested schema for the `section` field:
Field | Type | Description | Required | Access |
---|---|---|---|---|
`field` | List of Object | A list of custom fields in the section. See `section.field`. | N/A | Read-Only |
`id` | String | A unique identifier for the section. | N/A | Read-Only |
`label` | String | The label for the section. | N/A | Read-Only |
section.field
The nested schema for the `section.field` field:
Field | Type | Description | Required | Access |
---|---|---|---|---|
`id` | String | A unique identifier for the field. | N/A | Read-Only |
`label` | String | The label for the field. | N/A | Read-Only |
`purpose` | String | The purpose indicates this is a special field: a username, password, or notes field. Acceptable values: `USERNAME`, `PASSWORD`, or `NOTES`. | N/A | Read-Only |
`type` | String | The type of value stored in the field. Acceptable values: `STRING`, `EMAIL`, `CONCEALED`, `URL`, `OTP`, `DATE`, `MONTH_YEAR`, or `MENU`. | N/A | Read-Only |
`value` | String, Sensitive | The value of the field. | N/A | Read-Only |
Example
The following example shows how to use the `onepassword_item` data source.
data-source.tf
Vault data source
Use the `onepassword_vault` data source to get details of a vault. You can identify a vault with the vault name or UUID.
Schema
The following tables describe the `onepassword_vault` data source schema.
Field | Type | Description | Required | Access |
---|---|---|---|---|
`name` | String | The name of the vault to retrieve. This field populates with the name of the vault if the vault is looked up by its UUID. | No | Read-Write |
`uuid` | String | The UUID of the vault to retrieve. This field populates with the UUID of the vault if the vault is looked up by its name. | No | Read-Write |
`description` | String | The description of the vault. | No | Read-Only |
`id` | String | The Terraform resource identifier for this item in the format `vaults/<vault_id>`. | No | Read-Only |
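An added example that covers both the `onepassword_item` data source (the data-source.tf example above, which is not reproduced here) and the `onepassword_vault` data source. It is not the page's own code. It resolves a vault by name, then looks up a Database item in that vault by title, exposes the non-secret connection details, and flattens the item's custom sections into a label-to-value map. The vault name, item title and output names are illustrative.

```hcl
# Resolve the vault by its human-readable name so the configuration does not
# hardcode a vault UUID that differs between 1Password accounts.
data "onepassword_vault" "infra" {
  name = "Infrastructure" # illustrative vault name
}

# Look the item up by title inside that vault. The uuid attribute is populated
# by the lookup and could be pinned here later to guard against title changes.
data "onepassword_item" "orders_db" {
  vault = data.onepassword_vault.infra.uuid
  title = "orders-db" # illustrative item title
}

locals {
  # Non-secret connection details, safe to expose in plain outputs.
  db_endpoint = format(
    "%s:%s/%s",
    data.onepassword_item.orders_db.hostname,
    data.onepassword_item.orders_db.port,
    data.onepassword_item.orders_db.database,
  )

  # Flatten every custom field across all sections into a label -> value map.
  # Labels must be unique across sections for this map; duplicates make
  # Terraform fail the for-expression, which surfaces the problem early.
  custom_fields = {
    for f in flatten([for s in data.onepassword_item.orders_db.section : s.field]) :
    f.label => f.value
  }
}

output "orders_db_endpoint" {
  value = local.db_endpoint
}

output "orders_db_username" {
  value = data.onepassword_item.orders_db.username
}

# Sensitive attributes from the provider stay sensitive when passed through;
# the output must be marked sensitive or Terraform refuses to plan.
output "orders_db_password" {
  value     = data.onepassword_item.orders_db.password
  sensitive = true
}

# Field values are sensitive too, so the derived map inherits that marking.
output "orders_db_custom_fields" {
  value     = local.custom_fields
  sensitive = true
}
```

Because `value` is a sensitive attribute, anything computed from `custom_fields` carries the sensitive marking as well, which is what stops a plan from echoing a secret that happens to live in a custom field; as with resources, every value the data source returns is still recorded in state.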