Use the 1Password Terraform provider - 1Password Developer Docs

With the 1Password Terraform provider , you can reference, create, or update items in your vaults using a 1Password Connect Server, a 1Password Service Account, or your 1Password account and biometrics.

Requirements

Connect server
1Password CLI

Create a Connect server.

Get started

Connect server
1Password CLI

To use the 1Password Terraform provider with a Connect server:

Specify the Connect server token. You can set this value with the OP_CONNECT_TOKEN environment variable or with the token field in the provider configuration.
Specify the Connect server hostname, URL, or IP address. You can set this value with the OP_CONNECT_HOST environment variable or with the url field in the provider configuration.

You can use the 1Password Terraform provider with 1Password CLI. You can authenticate 1Password CLI with a service account or with your 1Password account and biometrics.

Learn about the retry mechanism

The 1Password Terraform provider retry mechanism uses the provider with 1Password CLI. The reason it has a retry mechanism is that 1Password doesn’t allow parallel modification on the items located in the same vault.If you use a service account, keep in mind that each retry fast forwards to the service account rate limit.It’s recommended to limit the number of parallel resource operations. You can do this by using the -parallelism=n flag when running terraform apply, where n is the number of parallel resource operations (the default is 10).

terraform apply -parallelism=n

Service account
1Password account and biometrics

To use the 1Password Terraform provider with a service account:

Specify the 1Password CLI installation path. You can set this value with the OP_CLI_PATH environment variable or with the op_cli_path field in the provider configuration.
Specify the service account token. You can set this value with the OP_SERVICE_ACCOUNT_TOKEN environment variable or with the service_account_token field in the provider configuration.

To use the 1Password Terraform provider with your 1Password account and biometrics:

Specify the 1Password CLI installation path. You can set this value with the OP_CLI_PATH environment variable or with the op_cli_path field in the provider configuration.
Turn on the 1Password app integration.

Run op account ls in the terminal to find the sign-in address or account ID. It prints output similar to the following example in the console:

URL                        EMAIL                                         USER ID
acme.dev.com               test.user@acme.com                            HERE_WILL_BE_REAL_USER_ID
acme.prod.com              prod.user@acme.com                            HERE_WILL_BE_REAL_USER_ID

Set the OP_ACCOUNT environment variable or account in the provider configuration with the previous step’s URL or USER ID value.
When you run a Terraform command that requires authentication, 1Password prompts you to authenticate using your system authentication method.

Reference

The following sections contain reference information for the 1Password Terraform provider:

Configuration
Resources
Data sources

Configuration

The 1Password Terraform provider has fields you must set before you can use it with a Connect server or 1Password CLI. The following table describes each field.

Field	Type	Description	Required
`op_cli_path`	String	The path to the 1Password CLI binary. You can also source the value from the `OP_CLI_PATH` environment variable. The default value is `op`.	No.
`service_account_token`	String	A valid token for the 1Password Service Account. You can also source the value from the `OP_SERVICE_ACCOUNT_TOKEN` environment variable.	Required if using a service account.
`token`	String	A valid token for the 1Password Connect server. You can also source the value from the `OP_CONNECT_TOKEN` environment variable.	Required if using a Connect server.
`url`	String	The HTTP(s) URL of the 1Password Connect server. You can also source the value from the `OP_CONNECT_HOST` environment variable.	Required if using a Connect server.

You can use the following environment variables to specify configuration values.

Environment variable	Description	Configuration field
`OP_CLI_PATH`	The path to the 1Password CLI binary.	`op_cli_path`
`OP_SERVICE_ACCOUNT_TOKEN`	A valid token for the 1Password Service Account.	`service_account_token`
`OP_CONNECT_TOKEN`	A valid token for the 1Password Connect server.	`token`
`OP_CONNECT_HOST`	The hostname, IP address, or URL of the 1Password Connect server.	`url`
`OP_ACCOUNT`	The 1Password user account.	`account`

Configuration examples

The following code blocks show configuration examples.

The following examples use environment variables. Make sure to set the environment variables beforehand or use plain text.

Connect server
Service account
1Password account

The following example shows a provider configuration using a Connect server:

connect-example.tf

provider "onepassword" {
  url                   = "OP_CONNECT_HOST"
  token                 = "OP_CONNECT_TOKEN"
}

The following example shows a provider configuration using a service account:

service-account-example.tf

provider "onepassword" {
  service_account_token = "OP_SERVICE_ACCOUNT_TOKEN"
  op_cli_path           = "OP_CLI_PATH" # Default is `op`
}

The following example shows a provider configuration using a 1Password account:

1password-account-example.tf

provider "onepassword" {
  account               = "OP_ACCOUNT"
  op_cli_path           = "OP_CLI_PATH" # Default is `op`
}

Resources

The 1Password Terraform provider has the following resources:

onepassword_item resource

Item resource

The onepassword_item resource represents a 1Password item. You can import a onepassword_item with the following syntax:

terraform import onepassword_item.<item_name> vaults/<vault_uuid>/items/<item_uuid>

Schema

The following tables describe the onepassword_item resource schema.

Field	Type	Description	Required	Access
`vault`	String	The UUID of the vault the item is in.	Yes	Read-Write
`category`	String	The category of the item. Acceptable values: `login`, `password`, or `database`.	No	Read-Write
`database`	String	The name of the database. Only applies to the database category.	No	Read-Write
`hostname`	String	The address where the database can be found. Only applies to the database category.	No	Read-Write
`password`	String, Sensitive	The password for the item.	No	Read-Write
`password_recipe`	Block List, Max: 1	The password recipe for the item. Only applies to Login and Password items. See `password_recipe`.	No	Read-Write
`port`	String	The port the database is listening on. Only applies to the database category.	No	Read-Write
`section`	Block List	A list of custom sections in the item. See `section`.	No	Read-Write
`tags`	List of String	An array of strings representing the tags assigned to the item.	No	Read-Write
`title`	String	The title of the item.	No	Read-Write
`type`	String	The type of database. Only applies to the database category. Acceptable values: `db2`, `filemaker`, `msaccess`, `mssql`, `mysql`, `oracle`, `postgresql`, `sqlite` or `other`.	No	Read-Write
`url`	String	The primary URL for the item.	No	Read-Write
`username`	String	The username for the item.	No	Read-Write
`id`	String	The Terraform resource identifier for the item in the format `vaults/<vault_id>/items/<item_id>`.	N/A	Read-Only
`uuid`	String	The UUID of the item. Item identifiers are unique within a specific vault.	N/A	Read-Only

`password_recipe`

Password recipes can only be added to Login and Password items.

The nested schema for the password_recipe field:

Field	Type	Description	Required	Access
`digits`	Boolean	Use digits `[0-9]` when generating the password.	No	Read-Write
`length`	Number	The length of the password to be generated.	No	Read-Write
`letter`	Boolean	Use letters `[a-zA-Z]` when generating the password.	No	Read-Write
`symbols`	Boolean	Use symbols `[!@.-_*]` when generating the password.	No	Read-Write

`section`

The nested schema for the section field:

Field	Type	Description	Required	Access
`label`	String	The label for the section.	Yes	Read-Write
`field`	Block List	A list of custom fields in the section. See `section.field`.	No	Read-Write
`id`	String	A unique identifier for the section.	N/A	Read-Only

`section.field`

The nested schema for the section.field field:

Field	Type	Description	Required	Access
`label`	String	The label for the field.	Yes	Read-Write
`id`	String	A unique identifier for the field.	No	Read-Write
`password_recipe`	String	The password for the item. Only applies to Login and Password items. See `section.field.password_recipe`.	No	Read-Write
`purpose`	String	The purpose indicates this is a special field: a username, password, or notes field. Acceptable values: `USERNAME`, `PASSWORD`, or `NOTES`.	No	Read-Write
`type`	String	The type of value stored in the field. Acceptable values: `STRING`, `EMAIL`, `CONCEALED`, `URL`, `OTP`, `DATE`, `MONTH_YEAR`, or `MENU`.	No	Read-Write
`value`	String, Sensitive	The value of the field.	No	Read-Write

`section.field.password_recipe`

Password recipes can only be added to Login and Password items.

The nested schema for the section.field.password_recipe field:

Field	Type	Description	Required	Access
`digits`	Boolean	Use digits `[0-9]` when generating the password.	No	Read-Write
`length`	Number	The length of the password to be generated.	No	Read-Write
`letter`	Boolean	Use letters `[a-zA-Z]` when generating the password.	No	Read-Write
`symbols`	Boolean	Use symbols `[!@.-_*]` when generating the password.	No	Read-Write

Example

The following code block shows an example usage of the onepassword_item resource.

resource.tf

resource "onepassword_item" "demo_password" {
  vault = var.demo_vault

  title    = "Demo Password Recipe"
  category = "password"

  password_recipe {
    length  = 40
    symbols = false
  }
}

resource "onepassword_item" "demo_login" {
  vault = var.demo_vault

  title    = "Demo Terraform Login"
  category = "login"
  username = "test@example.com"
}

resource "onepassword_item" "demo_db" {
  vault    = var.demo_vault
  category = "database"
  type     = "mysql"

  title    = "Demo TF Database"
  username = "root"

  database = "Example MySQL Instance"
  hostname = "localhost"
  port     = 3306
}

Data sources

The 1Password Terraform provider has the following data sources:

onepassword_item data source
onepassword_vault data source

Item data source

Use the onepassword_item data source to get details of a 1Password item. You can identify an item by its vault UUID and either the item’s title or UUID.

Schema

The following tables describe the onepassword_item resource schema.

Field	Type	Description	Required	Access
`vault`	String	The UUID of the vault the item is in.	Yes	Read-Write
`note_value`	String, Sensitive	The Secure Note value.	No	Read-Write
`title`	String	The title of the item to retrieve. This field populates with the title of the item if the item is looked up by its UUID.	No	Read-Write
`uuid`	String	The UUID of the item to retrieve. This field populates with the UUID of the item if the item is looked up by its title.	No	Read-Write
`category`	String	The category of the item. Acceptable values: `login`, `password`, or `database`.	No	Read-Only
`database`	String	The name of the database. Only applies to the database category.	No	Read-Only
`hostname`	String	The address where the database can be found. Only applies to the database category.	No	Read-Only
`id`	String	The Terraform resource identifier for the item in the format `vaults/<vault_id>/items/<item_id>`.	No	Read-Only
`password`	String, Sensitive	The password for the item.	No	Read-Only
`port`	String	The port the database is listening on. Only applies to the database category.	No	Read-Only
`section`	List of Object	A list of custom sections in an item.	No	Read-Only
`tags`	List of String	An array of strings of the tags assigned to the item.	No	Read-Only
`type`	String	The type of database. Only applies to the database category. Acceptable values: `db2`, `filemaker`, `msaccess`, `mssql`, `mysql`, `oracle`, `postgresql`, `sqlite`, or `other`.	No	Read-Only
`url`	String	The primary URL for the item.	No	Read-Only
`username`	String	The username for the item.	No	Read-Only

`section`

The nested schema for the section field:

Field	Type	Description	Required	Access
`field`	List of Object	A list of custom fields in the section. See `section.field`.	N/A	Read-Only
`id`	String	A unique identifier for the section.	N/A	Read-Only
`label`	String	The label for the section.	N/A	Read-Only

`section.field`

The nested schema for the section.field field:

Field	Type	Description	Required	Access
`id`	String	A unique identifier for the field.	N/A	Read-Only
`label`	String	The label for the field.	N/A	Read-Only
`purpose`	String	The purpose indicates this is a special field: a username, password, or notes field. Acceptable values: `USERNAME`, `PASSWORD`, or `NOTES`.	N/A	Read-Only
`type`	String	The type of value stored in the field. Acceptable values: `STRING`, `EMAIL`, `CONCEALED`, `URL`, `OTP`, `DATE`, `MONTH_YEAR`, or `MENU`.	N/A	Read-Only
`value`	String, Sensitive	The value of the field.	N/A	Read-Only

Example

The following example shows how to use the onepassword_item data source.

data-source.tf

data "onepassword_item" "example" {
  vault = var.demo_vault
  uuid  = onepassword_item.demo_sections.uuid
}

Vault data source

Use the onepassword_vault data source to get details of a vault. You can identify a vault with the vault name or UUID.

Schema

The following tables describe the onepassword_item resource schema.

Field	Type	Description	Required	Access
`name`	String	The name of the vault to retrieve. This field populates with the name of the vault if the vault is looked up by its UUID.	No	Read-Write
`uuid`	String	The UUID of the vault to retrieve. This field populates with the UUID of the vault if the vault is looked up by its name.	No	Read-Write
`description`	String	The description of the vault.	No	Read-Only
`id`	String	The Terraform resource identifier for this item in the format `vaults/<vault_id>`.	No	Read-Only

Integrations

​Requirements

​Get started

​Reference

​Configuration

​Configuration examples

​Resources

​Item resource

Schema

password_recipe

section

section.field

section.field.password_recipe

Example

​Data sources

​Item data source

Schema

section

section.field

Example

​Vault data source

Schema

Requirements

Get started

Reference

Configuration

Configuration examples

Resources

Item resource

`password_recipe`

`section`

`section.field`

`section.field.password_recipe`

Data sources

Item data source

`section`

`section.field`

Vault data source