Forum Discussion
Former Member
4 years ago
[16,17,20,37,38] Support for both versions in scripts
Hi,
Initial impression of the new version is great! The UI with grouping by category makes sense.
And I can't wait for the TouchID support. :)
Unfortunately the changed UI also breaks all exi...
1P_Simon
1Password Team
4 years ago
Thanks a lot for providing such a detailed answer! Sweet setup you've built there :sunglasses:
Sharing the environment with colleagues
I can't speak for my colleagues, as everyone uses direnv like they wish.
One advantage of secret references we had seen at SecretHub (we had built something similar for SecretHub before https://blog.1password.com/secrethub-acquisition/), was that by replacing the plaintext secrets with references, the environment file now no longer needs to be kept secret. If you want this (and this is completely optional!), you could check in the .env file in source control together with your code. These are a couple of advantages users saw in that:
- No need to manually update the environment files anymore when a colleague makes an environment change. With any pull of the source code, the corresponding environment file is pulled as well.
- Your project is reproducible. If a colleague runs terraform plan or terraform apply on the same commit, they'll get the same results, as they'll use the same secrets.
- It's easier for new colleagues to join the project, as they'll immediately have their setup configured when cloning the repo.
- When introducing a change in your Terraform configuration that requires an environment variable to be set, you commit the secret reference along with it. And even the secrets used are now covered by any reviews you do on code changes.
Using op run
Running Terraform through op run doesn't feel like optimal, as not all terraform runs need secrets, and expiring 1password session is annoying, especially with long passphrase and without Touch ID
I'd love to learn more about what we can do to help.
What's the downside if op run runs, but doesn't add any secrets? Is there anything besides the expiring session? How's the speed of op run? Is that a concern? Any other downsides?
And when we have touch ID support ready, would you use op run or continue to use direnv?
Is it a concern to you that environment variables continue to be available to other commands that you run in your terminal in-between invocations of the Terraform commands?
Integrating with dotenv
Like you said, this is fun!
We had the idea of a dotenv integration tracked internally to consider looking into when some bandwidth frees up, so you can imagine it was pretty awesome to hear you are already using 1Password like this! :chuffed:
I think it'd indeed be awesome if we can publish the result for others to be able to use it as well. I'd love to eventually put it on https://github.com/1password/ (if more than a one-liner is required) and https://developer.1password.com so it will be easy for anyone to find.
Implementation
It looks like https://github.com/direnv/direnv/blob/cb5222442cb9804b1574954999f6073cc636eff0/man/direnv-stdlib.1.md#direnv_load-command-generating-dump-output requires the passed argument to be in the format of the shell used. I think it'd be great if we can re-use the functionality already built into direnv dump for that.
I think we'll want to make the sources used by op run further configurable. Specifically, we could make it possible to opt-out of passing the OS environment and use just the environment file(s).
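The reply above suggests checking the .env file into source control once plaintext secrets are replaced with references. The following check is an added example, not part of the original post or 1Password's own tooling: it lists variables that look secret by name but still hold a plaintext value. It assumes references use the op://vault/item/field form; the name patterns, function names and sample values are constructed for illustration.

```shell
# Added example (not from the thread): before committing an env file, list
# variables whose names look secret but whose values are not secret references.
# Assumptions: op://vault/item/field reference form; heuristic name patterns.

# Prints offending variable names, one per line; returns 1 if any are found.
find_plaintext_secrets() {
    offenders=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#export }
        case $line in
            '#'*) continue ;;          # comment
            *=*) ;;                    # KEY=VALUE, inspect below
            *) continue ;;             # blank or not an assignment
        esac
        key=${line%%=*}
        value=${line#*=}
        # Drop one layer of surrounding quotes, if present.
        value=${value#\"}; value=${value%\"}
        value=${value#\'}; value=${value%\'}
        case $value in
            ''|op://*) continue ;;     # empty or already a reference
        esac
        upper=$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')
        case $upper in
            *TOKEN*|*SECRET*|*PASSWORD*|*PASSWD*|*CREDENTIAL*|*KEY*)
                offenders="$offenders$key
" ;;
        esac
    done < "$1"
    printf '%s' "$offenders"
    [ -z "$offenders" ]
}

# Constructed sample file; every name and value here is made up.
write_sample() {
    cat > "$1" <<'EOF'
# Terraform environment
export TF_VAR_region=eu-west-1
TF_VAR_db_password="op://infra/terraform-db/password"
GITHUB_TOKEN=constructed-plaintext-value
export AWS_SECRET_ACCESS_KEY='constructed-plaintext-value'
EOF
}

sample=$(mktemp)
write_sample "$sample"
find_plaintext_secrets "$sample" || echo "plaintext values found: replace them with references before committing"
rm -f "$sample"
```

Called from a pre-commit hook, the non-zero return status blocks the commit until the listed variables are converted to references.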