search

1Password / terraform-provider-onepassword

Use the 1Password Terraform Provider to reference, create, or update items in your 1Password Vaults.
https://developer.1password.com/docs/terraform/
MIT License
325 stars 48 forks source link

Standalone Section/Field resources #177

Open ekostjuk opened 6 months ago

ekostjuk commented 6 months ago

Summary

It would be great to be able to combine multiple sources of secrets under same item. I.e. manually created ones + automated ones from different components/modules. Since there is no access control granularity past vault-level - there is no security downside to this. However from UX standpoint - this has a benefit of keeping everything in one place vs needing to spam an item per individual piece of automation code + anything manual you'd have to add on top.

Use cases

PostgreSQL users/urls, multiple levels of grafana tokens (cloud/stack), secrets for a single app that comes from multiple sources (db, cdn, deploy keys, buckets, metrics/logs/traces publisher keys). If you use something like terragrunt or magic python wrapper - you get separately scoped component for each service. (to reduce graph size, apply different concurrency or run less in CI/CD.. etc)

Proposed solution

Have dedicated section/item resource. Possibly needing a "custom composite" item type that supports this.

Is there a workaround to accomplish this today?

Hint of a workaround is to use ignore_changes+protect_from_destroy for manual secrets, but still does not handle multiple sources. Also, other code having to ignore things it should not know about is a scope leak.

josh-thisisbud commented 4 months ago

This would be so helpful!