`password_recipe` is not generating `password` field
Your environment
- Terraform Provider Version: 1.4.0
- Connect Server Version:
- CLI Version: 2.24.0
- OS: macOS 14.2.1
- Terraform Version: 1.6.3
What happened?
Using the following config, the password isn't being populated:
```hcl
resource "onepassword_item" "rabbitmq" {
  title    = "RabbitMQ"
  vault    = var.vault_id
  category = "database"
  type     = "other"
  database = "RabbitMQ"
  hostname = "127.0.0.1"
  username = "flashbot"
  port     = 5672
  tags     = ["managed-by:terraform"]

  password_recipe {
    length  = 20
    symbols = true
    digits  = true
    letters = true
  }
}

terraform {
  backend "local" {
    path = "terraform.tfstate"
  }
  required_version = "1.6.3"
  required_providers {
    null = {
      source  = "hashicorp/null"
      version = "3.2.2"
    }
    onepassword = {
      source  = "1Password/onepassword"
      version = "1.4.0"
    }
  }
}

provider "onepassword" {}
```
What did you expect to happen?
I expected the following onepassword_item to generate a password value when only using password_recipe:
Steps to reproduce
- Copy and paste the previous code
- Run apply to apply the changes
- Observe there is no password being generated
Notes & Logs
https://github.com/1Password/terraform-provider-onepassword/assets/4237280/5fb4005c-e486-491e-bd0b-0d7294126df0
Thank you for raising! We'll address this in a future release!
But if you want to help and have time, you're welcome to contribute and create a PR with the fix! 😃 Here are our CONTRIBUTING.md instructions.
I just ran into this as well. Is this because it is category: "database"?
Had this issue also for category: "login" - using random_password for now.
I noticed that only the password item can generate a password using password_recipe. This is not stated anywhere in the docs, which is why I'd consider it a bug. If the 1Password team considers it a feature that would be nice to have in the future, I'd appreciate a note in the documentation. I'm using provider version 1.4.3.
In the meantime, I used a separate password onepassword_item to generate the password, which I also saved in my database item, like this:
```hcl
resource "onepassword_item" "db_password" {
  # This needs to be its own item because the provider doesn't generate a password if it's not a "password" item.
  # See https://github.com/1Password/terraform-provider-onepassword/issues/129
  title    = "Wordpress MySQL RDS password"
  vault    = data.onepassword_vault.vault.uuid
  category = "password"
  password_recipe {
    length  = 32
    letters = true
    digits  = true
    symbols = false # Symbols recipe includes @, which can't be used in a MySQL password
  }
}

resource "onepassword_item" "db_credentials" {
  title    = "Wordpress MySQL RDS"
  vault    = data.onepassword_vault.vault.uuid
  category = "database"
  type     = "mysql"
  hostname = aws_db_instance.db_instance.address
  port     = local.rds_credentials.port
  database = local.rds_credentials.database
  username = local.rds_credentials.username
  password = onepassword_item.db_password.password
}
```
The ugly part of this workaround is the fact that it generates an additional entry in the vault, but I prefer it over something like random_password which ends up saved in plaintext in the state.
Would love to get this working as well.
Does seem like the "Database" category's password field is missing the "Purpose" parameter that both the "Login" and "Password" categories have. This is required for the Password Generation logic to work:
https://github.com/1Password/terraform-provider-onepassword/blob/69451ed86b1b422d497bf45f206e14007f9377a1/internal/onepassword/cli/utils.go#L54-L68
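A post-apply check for the behaviour reported in this thread, as an added example that is not part of the original issue or the provider's code: it walks `terraform show -json` output and flags every `onepassword_item` that declares `password_recipe` but has no password in state. The function names and the sample state are constructed for illustration, and it assumes an ungenerated password appears in state as null or an empty string.

```python
import json

# Constructed sample in the shape of `terraform show -json` output (assumed layout:
# values.root_module.resources[], nested modules under child_modules).
SAMPLE_STATE = json.loads("""
{"values": {"root_module": {
  "resources": [
    {"address": "onepassword_item.rabbitmq", "type": "onepassword_item",
     "values": {"category": "database", "password": null,
                "password_recipe": [{"length": 20, "symbols": true}]}},
    {"address": "onepassword_item.db_password", "type": "onepassword_item",
     "values": {"category": "password", "password": "constructed-placeholder",
                "password_recipe": [{"length": 32, "symbols": false}]}}],
  "child_modules": [{"address": "module.app", "resources": [
    {"address": "module.app.onepassword_item.login", "type": "onepassword_item",
     "values": {"category": "login", "password": "",
                "password_recipe": [{"length": 24, "symbols": true}]}}]}]
}}}
""")


def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def items_missing_generated_password(state):
    """Return (address, category) for each onepassword_item that declares a
    password_recipe block but has an empty or null password in state."""
    root = (state.get("values") or {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "onepassword_item":
            continue
        values = res.get("values") or {}
        if values.get("password_recipe") and not values.get("password"):
            findings.append((res["address"], values.get("category")))
    return findings


if __name__ == "__main__":
    for address, category in items_missing_generated_password(SAMPLE_STATE):
        print(f"{address}: password_recipe set, no password stored (category={category})")
```

To run it against a real workspace, pass the parsed output of `terraform show -json` to `items_missing_generated_password`. That JSON contains sensitive values in plaintext, so keep it out of CI logs and artifacts.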