CLI with Terraform Cloud

Question

When interacting with Terraform services, Terraform expects to find API tokens in CLI configuration files in credentials blocks, for example, a file named .terraformrc
credentials "app.terraform.io" {
  token = "xxxxxx.yyyyyyy.zzzzzzzzzzzzz"
}

The above file .terraformrc would be referenced from an environment variable , for example,
❯ echo $TF_CLI_CONFIG_FILE
/Users/xxxxx/projects/terraform/.terraformrc

When I run a terraform plan I would like to pull the token from 1Password using the CLI if that's possible. It seems I could use op inject to potentially do the work but that essentially results in a config file with the hardcoded token.

Would this scenario be possible using the CLI?

Thanks

1Password Version: 8.7.0
Extension Version: 2.0.0
OS Version: macOS 12.3

Answer

Hey @rbracewe,

Can you give us more details about your use-case, please?
Specifically, would it be feasible for you to change the location of your Terraform token? I see that there is a possibility to provision Terraform with the token through an environment variable: TFE_TOKEN. In this situation, I imagine it would possible to set it to a 1Password secret reference and to prefix terraform plan with op run --, or even create an alias for terraform as op run -- terraform in your profile.
Let me know if this solution can work for you.

Best,
Horia

Answer

I had already tried this approach and this is when I learnt that TFE_TOKEN is deprecated and cant be used.

My use-case is to simply move static credentials from the filesystem into 1Password after reading the blog post about ways to use the 1Password CLI with tools like Github and SSH.

Forum Discussion

CLI with Terraform Cloud

2 Replies

Recent Discussions

Console flooded with errors when clicking links during 1Password passkey selection dialog

WSL2 Arm Build

`op account add` with `Integrate with 1Password CLI`

1password doesn't seem to remember the key approval for JetBrains IDEA Ultimate

Use op on headless system with glab?