1Password / terraform-provider-onepassword

Use the 1Password Terraform Provider to reference, create, or update items in your 1Password Vaults.
https://developer.1password.com/docs/terraform/
MIT License

`password_recipe` is not generating `password` field #129

Open yordis opened 10 months ago

yordis commented 10 months ago

Your environment

- Terraform Provider Version: 1.4.0
- Connect Server Version:
- CLI Version: 2.24.0
- OS: macOS 14.2.1
- Terraform Version: 1.6.3

What happened?

Using the following config, the password isn't being populated:

```hcl
resource "onepassword_item" "rabbitmq" {
  title    = "RabbitMQ"
  vault    = var.vault_id
  category = "database"
  type     = "other"
  database = "RabbitMQ"
  hostname = "127.0.0.1"
  username = "flashbot"
  port     = 5672
  tags     = ["managed-by:terraform"]
  password_recipe {
    length  = 20
    symbols = true
    digits  = true
    letters = true
  }
}

terraform {
  backend "local" {
    path = "terraform.tfstate"
  }
  required_version = "1.6.3"
  required_providers {
    null = {
      source  = "hashicorp/null"
      version = "3.2.2"
    }
    onepassword = {
      source  = "1Password/onepassword"
      version = "1.4.0"
    }
  }
}

provider "onepassword" {}
```

What did you expect to happen?

I expected the following onepassword_item to generate a password value when only using password_recipe:

Steps to reproduce

  1. Copy and paste the previous code
  2. Run apply on the changes
  3. Observe there is no password being generated

Notes & Logs

https://github.com/1Password/terraform-provider-onepassword/assets/4237280/5fb4005c-e486-491e-bd0b-0d7294126df0

volodymyrZotov commented 9 months ago

Thank you for raising! We'll address this in a future release!

But if you want to help and have time, you're welcome to contribute and create a PR with the fix! 😃 Here are our CONTRIBUTING.md instructions.

jdewar commented 5 months ago

I just ran into this as well. Is this because it is category: "database"?

maxexcloo commented 5 months ago

Had this issue also for category: "login" - using random_password for now.

CamiloDFM commented 5 months ago

I noticed that only the password item can generate a password using password_recipe. This is not stated anywhere in the docs, which is why I'd consider it a bug. If the 1Password team considers it a feature that would be nice to have in the future, I'd appreciate a note in the documentation. I'm using provider version 1.4.3.

In the meantime, I used a separate password onepassword_item to generate the password, which I also saved in my database item, like this:

```hcl
resource "onepassword_item" "db_password" {
  # This needs to be its own item because the provider doesn't generate a password if it's not a "password" item.
  # See https://github.com/1Password/terraform-provider-onepassword/issues/129
  title    = "Wordpress MySQL RDS password"
  vault    = data.onepassword_vault.vault.uuid
  category = "password"
  password_recipe {
    length  = 32
    letters = true
    digits  = true
    symbols = false # Symbols recipe includes @, which can't be used in a MySQL password
  }
}

resource "onepassword_item" "db_credentials" {
  title    = "Wordpress MySQL RDS"
  vault    = data.onepassword_vault.vault.uuid
  category = "database"
  type     = "mysql"
  hostname = aws_db_instance.db_instance.address
  port     = local.rds_credentials.port
  database = local.rds_credentials.database
  username = local.rds_credentials.username
  password = onepassword_item.db_password.password
}
```

The ugly part of this workaround is the fact that it generates an additional entry in the vault, but I prefer it over something like random_password which ends up saved in plaintext in the state.

wsidl commented 5 months ago

Would love to get this working as well.

Does seem like the "Database" category's password field is missing the "Purpose" parameter that both the "Login" and "Password" categories have. This is required for the Password Generation logic to work:

https://github.com/1Password/terraform-provider-onepassword/blob/69451ed86b1b422d497bf45f206e14007f9377a1/internal/onepassword/cli/utils.go#L54-L68