terraform-provider-onepassword
support for multiple 1password accounts
This is just a feature request, but it would be great to be able to use this provider in a more complex CI/CD scenario.
Problem Description
In order to use a different 1password account than the one currently activated on the machine, the support for the --account and/or --shorthand switch(es) for the op signin call is necessary.
There may be a need to prepare a unique shorthand value for that purpose.
Use Scenario
Two (or more) infrastructure environments. Each environment has a Terraform workspace and a 1password account. Also, the machine may already have a 1password GUI application with active authentication for yet another account. Each Terraform workspace should be able to use its respective 1password account under any circumstances.
Alternatives
- Running Terraform in designated docker containers, separate for each environment.
In the meantime, do you know how to correctly switch accounts or de-activate the current one on the machine?
@overratedpro @amazingandyyy can you try to use, for example, two providers with different credentials? I believe it was supported by Terraform natively and I haven't broken this logic with the op client. It returns a temporary token after signin and you can use a different token for different accounts. Like this:

  provider "onepassword" {
    email      = "[email protected]"
    password   = "super-master-password-here"
    secret_key = "secret-key-from-pdf-document"
  }

  provider "onepassword" {
    alias      = "second"
    email      = "[email protected]"
    password   = "super-master-password-here"
    secret_key = "secret-key-from-pdf-document"
  }

  resource "onepassword_vault" "first" {
    name = "vault-in-first-acc"
  }

  resource "onepassword_vault" "second" {
    provider = onepassword.second
    name     = "vault-in-second-acc"
  }
You can read more about that here: https://www.terraform.io/docs/configuration/providers.html#alias-multiple-provider-instances
Terribly sorry but this is not exactly working for me.
Error: Cannot signin: [ERROR] 2020/11/04 15:18:06 an account is already configured with [REDACTED] using the same shorthand. Please try again with an explicit `--shorthand=[name]` flag to override this
Exit code: exit status 1
The problem occurs even with just a single provider defined. I think this will be only reproducible with two accounts in the same unit (OP_SUBDOMAIN).
Testing with multiple accounts I narrowed the problem down to an organisation account. This will not reproduce with just a plain one, because the latter does not need the subdomain keyword and related logic.
A workaround is to remove the subdomain keyword from the provider config, then update the PATH variable and place a wrapper "op" script in a prioritised location looking more or less like this:
  #!/bin/bash
  # Wrapper placed ahead of the real op binary on PATH.
  if [[ $1 == '--version' ]]; then
    # The provider only probes the CLI version here; pass the call through untouched.
    exec /usr/local/bin/op "$@"
  elif [[ $1 == 'signin' ]]; then
    # Give the signin its own shorthand so it does not collide with the account already configured.
    exec /usr/local/bin/op "$@" --shorthand=something
  else
    # Pin every other call to that same account.
    exec /usr/local/bin/op "$@" --account=something
  fi
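A variant of that wrapper, added here as an example and not taken from the issue thread: instead of hard-coding one account, it picks the shorthand per environment from OP_SHORTHAND or, failing that, from Terraform's TF_WORKSPACE, refuses to run when neither is set, and dispatches to the real binary only when installed under the name `op`, so the functions can be sourced and checked. OP_SHORTHAND, OP_REAL_BIN and the "op-<workspace>" naming are assumptions of this example, not provider or CLI settings.

```shell
#!/bin/sh
# Added example, not from the issue thread: wrapper installed as `op` ahead of the
# real CLI on PATH. OP_SHORTHAND, OP_REAL_BIN and the "op-<workspace>" naming are
# assumptions of this example, not provider or CLI settings.
set -u

OP_REAL_BIN="${OP_REAL_BIN:-/usr/local/bin/op}"

# Pick the account name: an explicit OP_SHORTHAND wins, otherwise derive one from
# TF_WORKSPACE. Fails if neither is set, so a CI job never silently falls back to
# whatever account happens to be active on the machine.
op_wrapper_shorthand() {
  if [ -n "${OP_SHORTHAND:-}" ]; then
    printf '%s\n' "$OP_SHORTHAND"
  elif [ -n "${TF_WORKSPACE:-}" ]; then
    printf '%s\n' "op-$TF_WORKSPACE"
  else
    return 1
  fi
}

# Print the single flag to append for this invocation: nothing for --version (the
# provider only probes the CLI), --shorthand for signin, --account for everything else.
op_wrapper_extra_flag() {
  shorthand="$1"
  shift
  case "${1:-}" in
    --version) ;;
    signin)    printf '%s\n' "--shorthand=$shorthand" ;;
    *)         printf '%s\n' "--account=$shorthand" ;;
  esac
}

op_wrapper_main() {
  if ! shorthand="$(op_wrapper_shorthand)"; then
    echo "op wrapper: set OP_SHORTHAND or TF_WORKSPACE" >&2
    return 2
  fi
  extra="$(op_wrapper_extra_flag "$shorthand" "$@")"
  if [ -n "$extra" ]; then
    exec "$OP_REAL_BIN" "$@" "$extra"
  fi
  exec "$OP_REAL_BIN" "$@"
}

# Dispatch only when invoked under the name `op`, so the file can also be sourced.
case "${0##*/}" in
  op) op_wrapper_main "$@" ;;
esac
```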