coriolinus
2 years ago
New Contributor
Terraform `data "onepassword_item"` does not include the actual password
I have a Terraform plan intended to copy a password from an organization vault into GitHub Actions. It looks like this:
```terraform
data "onepassword_item" "my_api_key" {
  vault = data.onepassword_vault.my_vault.uuid
  uuid  = "k57uofd2emrq6yba25x4qyrweu"
}

resource "github_actions_secret" "my_api_key" {
  for_each        = local.repositories
  repository      = each.value.name
  secret_name     = "MY_API_KEY"
  plaintext_value = data.onepassword_item.my_api_key.password
}
```
This doesn't work. After applying this plan, the `password` field of the state is blank:
```sh
$ terraform show -json | jq '.values.root_module.resources[] | select(.address == "data.onepassword_item.my_api_key")'
{
  "address": "data.onepassword_item.my_api_key",
  "mode": "data",
  "type": "onepassword_item",
  "name": "my_api_key",
  "provider_name": "registry.terraform.io/1password/onepassword",
  "schema_version": 0,
  "values": {
    "category": "password",
    "database": null,
    "hostname": null,
    "id": "vaults/vjrvyhwxyynbiudsqwdse56ery/items/k57uofd2emrq6yba25x4qyrweu",
    "note_value": "This is actually an API credential, but we can't assign this the `API Credential` type in 1password because then the terraform `data \"onepassword_item\"` doesn't know what to do with it.",
    "password": "",
    "port": null,
    "section": [],
    "tags": [],
    "title": "my api key",
    "type": null,
    "url": null,
    "username": null,
    "uuid": "k57uofd2emrq6yba25x4qyrweu",
    "vault": "vjrvyhwxyynbiudsqwdse56ery"
  },
  "sensitive_values": {
    "note_value": true,
    "password": true,
    "section": [],
    "tags": [
      false,
      false,
      false
    ]
  }
}
```
Note the blank `.values.password` item above.
However, the password field is in fact set in 1password, which we can verify with the CLI:
```sh
$ op item get k57uofd2emrq6yba25x4qyrweu
ID: k57uofd2emrq6yba25x4qyrweu
Title: my api key
Vault: my-vault (vjrvyhwxyynbiudsqwdse56ery)
Created: 2 hours ago
Updated: 2 hours ago by (me)
Favorite: false
Tags:
Version: 4
Category: LOGIN
Fields:
  password: (redacted, but correct)
  username: gha-machine-user
  notesPlain: This is actually an API credential, but we can't assign this the `API Credential` type in 1password because then the terraform `data "onepassword_item"` doesn't know what to do with it.
```
What is the proper way to extract the actual password data from the item within terraform?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
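The post shows a blank `password` in the state being fed to `github_actions_secret`. As an added example (not part of the original post, and not 1Password's or the provider's code), the check below scans `terraform show -json` output for `onepassword_item` data sources whose secret field is empty, so a pipeline can stop before an empty secret is pushed. It generalizes the post's `jq` filter to child modules; the function names and the sample state are assumptions constructed for illustration.

```python
import json
import sys

# Constructed sample, trimmed to the shape of the `terraform show -json` output in the post.
SAMPLE_STATE = {"values": {"root_module": {
    "resources": [
        {"address": "data.onepassword_item.my_api_key", "mode": "data",
         "type": "onepassword_item", "values": {"title": "my api key", "password": ""}},
        {"address": "github_actions_secret.my_api_key[\"repo\"]", "mode": "managed",
         "type": "github_actions_secret", "values": {"secret_name": "MY_API_KEY"}},
    ],
    "child_modules": [{"address": "module.example", "resources": [
        {"address": "module.example.data.onepassword_item.other", "mode": "data",
         "type": "onepassword_item", "values": {"password": "constructed-placeholder"}},
    ]}],
}}}


def iter_resources(module):
    """Yield resources of a module and, recursively, of its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def empty_secret_fields(state, resource_type="onepassword_item", fields=("password",)):
    """Return (address, field) pairs where a data source's secret field is empty or null."""
    findings = []
    root = state.get("values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("mode") != "data" or res.get("type") != resource_type:
            continue
        values = res.get("values") or {}
        for field in fields:
            if not values.get(field):  # catches both "" and null
                findings.append((res["address"], field))
    return findings


if __name__ == "__main__":
    # Usage: terraform show -json | python check_empty_secrets.py
    state = SAMPLE_STATE if sys.stdin.isatty() else json.load(sys.stdin)
    problems = empty_secret_fields(state)
    for address, field in problems:
        # Report only the address and field name, never the secret value.
        print(f"{address}: '{field}' is empty or null", file=sys.stderr)
    sys.exit(1 if problems else 0)
```

The script exits non-zero when any finding exists, so it can gate the step that writes the GitHub Actions secret.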