Use the 1Password Terraform provider - 1Password Developer Docs

With the 1Password Terraform provider , you can reference, create, or update items in your vaults using a 1Password Connect Server, a 1Password Service Account, or the 1Password desktop app.

Requirements

Connect server
Service account
1Password app

Create a Connect server.

Get started

Connect server
Service account
1Password app

To use the 1Password Terraform provider with a Connect server:

Specify the Connect server token. You can set this value with the OP_CONNECT_TOKEN environment variable or with the connect_token field in the provider configuration.
Specify the Connect server hostname, URL, or IP address. You can set this value with the OP_CONNECT_HOST environment variable or with the connect_url field in the provider configuration.

To use the 1Password Terraform provider with a service account, you’ll need to provide your service account token.You can set this value with the OP_SERVICE_ACCOUNT_TOKEN environment variable or with the service_account_token field in the provider configuration.

First, turn on the “Integrate with other apps” setting in the 1Password desktop app. If you don’t see this setting, make sure you’ve installed the beta version of the app.

Mac
Windows
Linux

Open and unlock the 1Password app.
Select your account or collection at the top of the sidebar.
Navigate to Settings > Developer.
Under Integrate with the 1Password SDKs, select Integrate with other apps.
If you want to authenticate with Touch ID, navigate to Settings > Security, then turn on Unlock using Touch ID.

Then provide your account name or ID in the provider configuration:

Get the name of your 1Password account as it appears at the top of the left sidebar in the 1Password desktop app. Alternatively, you can use 1Password CLI to run op account get to find your account ID.
Set the OP_ACCOUNT environment variable or account in the provider configuration to your account name or ID.

Run a Terraform command that requires authentication, and you’ll be prompted to authenticate in the same way you unlock your 1Password app, like with biometrics or your 1Password account password.

Reference

The following sections contain reference information for the 1Password Terraform provider:

Configuration
Resources
Data sources

Configuration

The 1Password Terraform provider has fields you must set before you can use it with a 1Password Connect server, service account, or the 1Password desktop app. The following table describes each field.

Field	Type	Description	Required
`connect_token`	String	A valid token for the 1Password Connect server. You can also source the value from the `OP_CONNECT_TOKEN` environment variable.	Required if using a Connect server.
`connect_url`	String	The HTTP(s) URL of the 1Password Connect server. You can also source the value from the `OP_CONNECT_HOST` environment variable.	Required if using a Connect server.
`service_account_token`	String	A valid token for the 1Password Service Account. You can also source the value from the `OP_SERVICE_ACCOUNT_TOKEN` environment variable.	Required if using a service account.
`account`	String	The 1Password account name as it appears at the top left of the sidebar in the 1Password desktop app. Alternatively, the 1Password account ID. You can also source the value from the `ACCOUNT` environment variable.	Required if using the 1Password desktop app integration.

You can use the following environment variables to specify configuration values.

Environment variable	Description	Configuration field
`OP_CONNECT_TOKEN`	A valid token for the 1Password Connect server.	`connect_token`
`OP_CONNECT_HOST`	The hostname, IP address, or URL of the 1Password Connect server.	`connect_url`
`OP_SERVICE_ACCOUNT_TOKEN`	A valid token for the 1Password Service Account.	`service_account_token`
`OP_ACCOUNT`	The 1Password account name as it appears at the top left of the sidebar in the 1Password desktop app. Alternatively, the 1Password account ID.	`account`

Configuration examples

The following code blocks show configuration examples.

The following examples use environment variables. Make sure to set the environment variables beforehand or use plain text.

Connect server
Service account
1Password app

The following example shows a provider configuration using a Connect server:

connect-example.tf

provider "onepassword" {
  connect_url                   = "OP_CONNECT_HOST"
  connect_token                 = "OP_CONNECT_TOKEN"
}

The following example shows a provider configuration using a service account:

service-account-example.tf

provider "onepassword" {
  service_account_token = "OP_SERVICE_ACCOUNT_TOKEN"
}

The following example shows a provider configuration using the 1Password desktop app:

1password-account-example.tf

provider "onepassword" {
  account               = "OP_ACCOUNT"
}

Resources

The 1Password Terraform provider has the following resources:

onepassword_item resource

Item resource

The onepassword_item resource represents a 1Password item. You can import a onepassword_item with the following syntax:

terraform import onepassword_item.<item_name> vaults/<vault_uuid>/items/<item_uuid>

Schema

The following tables describe the onepassword_item resource schema.

Field	Type	Description	Required	Access
`vault`	String	The UUID of the vault the item is in.	Yes	Read-Write
`category`	String	The category of the item. Acceptable values: `login`, `password`, or `database`.	No	Read-Write
`database`	String	The name of the database. Only applies to the database category.	No	Read-Write
`hostname`	String	The address where the database can be found. Only applies to the database category.	No	Read-Write
`password`	String, Sensitive	The password for the item.	No	Read-Write
`password_recipe`	Block List, Max: 1	The password recipe for the item. Only applies to Login and Password items. See `password_recipe`.	No	Read-Write
`port`	String	The port the database is listening on. Only applies to the database category.	No	Read-Write
`section`	Block List	A list of custom sections in the item. See `section`.	No	Read-Write
`section_map`	Map of Object	A map of custom sections for the item, where `label` is the map key. See `section_map`.	No	Read-Write
`tags`	List of String	An array of strings representing the tags assigned to the item.	No	Read-Write
`title`	String	The title of the item.	No	Read-Write
`type`	String	The type of database. Only applies to the database category. Acceptable values: `db2`, `filemaker`, `msaccess`, `mssql`, `mysql`, `oracle`, `postgresql`, `sqlite` or `other`.	No	Read-Write
`url`	String	The primary URL for the item.	No	Read-Write
`username`	String	The username for the item.	No	Read-Write
`id`	String	The Terraform resource identifier for the item in the format `vaults/<vault_id>/items/<item_id>`.	N/A	Read-Only
`uuid`	String	The UUID of the item. Item identifiers are unique within a specific vault.	N/A	Read-Only

`password_recipe`

Password recipes can only be added to Login and Password items.

The nested schema for the password_recipe field:

Field	Type	Description	Required	Access
`digits`	Boolean	Use digits `[0-9]` when generating the password.	No	Read-Write
`length`	Number	The length of the password to be generated.	No	Read-Write
`symbols`	Boolean	Use symbols `[!@.-_*]` when generating the password.	No	Read-Write

`section`

The nested schema for the section field:

Field	Type	Description	Required	Access
`label`	String	The label for the section.	Yes	Read-Write
`field`	Block List	A list of custom fields in the section. See `section.field`.	No	Read-Write
`id`	String	A unique identifier for the section.	N/A	Read-Only

`section_map`

The nested schema for the section_map field:

Field	Type	Description	Required	Access
`field_map`	Map of Object	A map of custom fields in the section, where `label` is the map key. See `field_map`.	No	Read-Write
`id`	String	A unique identifier for the section.	N/A	Read-Only

`section.field`

The nested schema for the section.field field:

Field	Type	Description	Required	Access
`label`	String	The label for the field.	Yes	Read-Write
`id`	String	A unique identifier for the field.	No	Read-Write
`password_recipe`	String	The password for the item. Only applies to Login and Password items. See `section.field.password_recipe`.	No	Read-Write
`type`	String	The type of value stored in the field. Acceptable values: `STRING`, `EMAIL`, `CONCEALED`, `URL`, `OTP`, `DATE`, `MONTH_YEAR`, or `MENU`.	No	Read-Write
`value`	String, Sensitive	The value of the field.	No	Read-Write

`field_map`

The nested schema for the field_map field:

Field	Type	Description	Required	Access
`id`	String	A unique identifier for the field.	N/A	Read-Only
`password_recipe`	The password recipe for the field.	No	Read-Write
`type`	String	The type of value stored in the field.	No	Read-Write
`value`	String, Sensitive	The value of the field.	No	Read-Write

`section.field.password_recipe`

Password recipes can only be added to Login and Password items.

The nested schema for the section.field.password_recipe field:

Field	Type	Description	Required	Access
`digits`	Boolean	Use digits `[0-9]` when generating the password.	No	Read-Write
`length`	Number	The length of the password to be generated.	No	Read-Write
`symbols`	Boolean	Use symbols `[!@.-_*]` when generating the password.	No	Read-Write

Example

The following code block shows an example usage of the onepassword_item resource.

resource.tf

resource "onepassword_item" "demo_password" {
  vault = var.demo_vault

  title    = "Demo Password Recipe"
  category = "password"

  password_recipe {
    length  = 40
    symbols = false
  }
}

resource "onepassword_item" "demo_login" {
  vault = var.demo_vault

  title    = "Demo Terraform Login"
  category = "login"
  username = "test@example.com"
}

resource "onepassword_item" "demo_db" {
  vault    = var.demo_vault
  category = "database"
  type     = "mysql"

  title    = "Demo TF Database"
  username = "root"

  database = "Example MySQL Instance"
  hostname = "localhost"
  port     = 3306
}

Data sources

The 1Password Terraform provider has the following data sources:

onepassword_item data source
onepassword_vault data source

Item data source

Use the onepassword_item data source to get details of a 1Password item. You can identify an item by its vault UUID and either the item’s title or UUID.

Schema

The following tables describe the onepassword_item resource schema.

Field	Type	Description	Required	Access
`vault`	String	The UUID of the vault the item is in.	Yes	Read-Write
`note_value`	String, Sensitive	The Secure Note value.	No	Read-Write
`title`	String	The title of the item to retrieve. This field populates with the title of the item if the item is looked up by its UUID.	No	Read-Write
`uuid`	String	The UUID of the item to retrieve. This field populates with the UUID of the item if the item is looked up by its title.	No	Read-Write
`category`	String	The category of the item. Acceptable values: `login`, `password`, or `database`.	No	Read-Only
`database`	String	The name of the database. Only applies to the database category.	No	Read-Only
`hostname`	String	The address where the database can be found. Only applies to the database category.	No	Read-Only
`id`	String	The Terraform resource identifier for the item in the format `vaults/<vault_id>/items/<item_id>`.	No	Read-Only
`password`	String, Sensitive	The password for the item.	No	Read-Only
`port`	String	The port the database is listening on. Only applies to the database category.	No	Read-Only
`section`	List of Object	A list of custom sections in an item.	No	Read-Only
`tags`	List of String	An array of strings of the tags assigned to the item.	No	Read-Only
`type`	String	The type of database. Only applies to the database category. Acceptable values: `db2`, `filemaker`, `msaccess`, `mssql`, `mysql`, `oracle`, `postgresql`, `sqlite`, or `other`.	No	Read-Only
`url`	String	The primary URL for the item.	No	Read-Only
`username`	String	The username for the item.	No	Read-Only

`section`

The nested schema for the section field:

Field	Type	Description	Required	Access
`field`	List of Object	A list of custom fields in the section. See `section.field`.	N/A	Read-Only
`id`	String	A unique identifier for the section.	N/A	Read-Only
`label`	String	The label for the section.	N/A	Read-Only

`section.field`

The nested schema for the section.field field:

Field	Type	Description	Required	Access
`id`	String	A unique identifier for the field.	N/A	Read-Only
`label`	String	The label for the field.	N/A	Read-Only
`type`	String	The type of value stored in the field. Acceptable values: `STRING`, `EMAIL`, `CONCEALED`, `URL`, `OTP`, `DATE`, `MONTH_YEAR`, or `MENU`.	N/A	Read-Only
`value`	String, Sensitive	The value of the field.	N/A	Read-Only

Example

The following example shows how to use the onepassword_item data source.

data-source.tf

data "onepassword_item" "example" {
  vault = var.demo_vault
  uuid  = onepassword_item.demo_sections.uuid
}

Vault data source

Use the onepassword_vault data source to get details of a vault. You can identify a vault with the vault name or UUID.

Schema

The following tables describe the onepassword_item resource schema.

Field	Type	Description	Required	Access
`name`	String	The name of the vault to retrieve. This field populates with the name of the vault if the vault is looked up by its UUID.	No	Read-Write
`uuid`	String	The UUID of the vault to retrieve. This field populates with the UUID of the vault if the vault is looked up by its name.	No	Read-Write
`description`	String	The description of the vault.	No	Read-Only
`id`	String	The Terraform resource identifier for this item in the format `vaults/<vault_id>`.	No	Read-Only

Learn more

Changelog

Integrations

​Requirements

​Get started

​Reference

​Configuration

​Configuration examples

​Resources

​Item resource

Schema

password_recipe

section

section_map

section.field

field_map

section.field.password_recipe

Example

​Data sources

​Item data source

Schema

section

section.field

Example

​Vault data source

Schema

​Learn more

Requirements

Get started

Reference

Configuration

Configuration examples

Resources

Item resource

`password_recipe`

`section`

`section_map`

`section.field`

`field_map`

`section.field.password_recipe`

Data sources

Item data source

`section`

`section.field`

Vault data source

Learn more