1Password / terraform-provider-onepassword

Use the 1Password Terraform Provider to reference, create, or update items in your 1Password Vaults.
https://developer.1password.com/docs/terraform/
MIT License

Differentiate the Terraform resource identifier from vault_id on the onepassword_vault datasource. #198

Closed nathaclmpaulino closed 2 weeks ago

nathaclmpaulino commented 2 weeks ago

Summary

Create a new read-only attribute on the onepassword_vault datasource to be able to get only the vault_id instead of the id, which is the Terraform Resource Identifier associated with it.

Use cases

The most common use case for datasources in Terraform is to have access to a specific attribute in a resource which is not mapped in your Terraform code. Since we don't have a resource that creates a 1Password Vault for us, the only way to get the ID to create a onepassword_item resource in Terraform is using the datasource. In a Terraform context, the code will be similar to this:

data "onepassword_vault" "vault" {
   name = "my-vault"
}

resource "onepassword_item" "item" {
  vault = data.onepassword_vault.vault.id
  ...
}

But doing this will throw an error:

onepassword_item.item: Creating...
│ Error: 1Password Item create error
│ 
│   with onepassword_item.item,
│   on READACTED line 12, in resource "onepassword_item" "item":
│   12: resource "onepassword_item" "item" {
│ 
│ Error creating 1Password item, got error op error: unable to process line
│ 1: "vaults/<VAULT_ID>" isn't a vault in this account.
│ Specify the vault with its ID or name.

Proposed solution

The proposed solution is to create a new read-only attribute on the onepassword_vault datasource named vault_id which will change the snippet above to be like this:

data "onepassword_vault" "vault" {
   name = "my-vault"
}

resource "onepassword_item" "item" {
  vault = data.onepassword_vault.vault.vault_id
  ...
}

And that will not trigger an error.

Is there a workaround to accomplish this today?

According to the datasource docs, the id value is in the format vaults/<vault_id>, so to avoid the previous error today in Terraform code, we can have something like this:

data "onepassword_vault" "vault" {
   name = "my-vault"
}

resource "onepassword_item" "item" {
  vault = trimprefix(data.onepassword_vault.vault.id, "vaults/")
  ...
}

edif2008 commented 2 weeks ago

Hey @nathaclmpaulino! 👋🏻

There is already a field that contains the vault identifier: it's named uuid. It's mentioned in the onepassword_vault Data Source schema:

uuid (String) The UUID of the vault to retrieve. This field will be populated with the UUID of the vault if the vault is looked up by its name.

So your snippet would look like this with the appropriate vault identifier:

data "onepassword_vault" "vault" {
   name = "my-vault"
}

resource "onepassword_item" "item" {
  vault = data.onepassword_vault.vault.uuid
  ...
}

Does this address the use case you're trying to achieve?

nathaclmpaulino commented 2 weeks ago

Yes! This works for my use case! Sorry to open this feature request issue! I'll close it now!

Just one question though, do you have plans to add a onepassword_vault as a resource in the provider?
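
Added example, not part of the thread or of the provider's code: a small Python check that scans Terraform source for the mistake discussed above, a `vault` argument set directly to `data.onepassword_vault.<name>.id` (which has the form `vaults/<vault_id>`), and suggests the `uuid` attribute instead. The function name, the regex and the sample configuration (including its `title` values) are constructed for illustration.

```python
import re

# Matches `vault = data.onepassword_vault.<name>.id` used directly.
# Does not match `.uuid`, nor `.id` wrapped in trimprefix(...).
BAD_REF = re.compile(
    r'^\s*vault\s*=\s*(data\.onepassword_vault\.([A-Za-z_][\w-]*)\.id)\s*(?:#.*)?$'
)

def find_bad_vault_refs(hcl_text):
    """Return (line_number, data_source_name, suggested_line) per misuse."""
    findings = []
    for lineno, line in enumerate(hcl_text.splitlines(), start=1):
        m = BAD_REF.match(line)
        if m:
            # Swap only the reference itself, keeping indentation and comments.
            fixed = (line[:m.start(1)]
                     + f"data.onepassword_vault.{m.group(2)}.uuid"
                     + line[m.end(1):])
            findings.append((lineno, m.group(2), fixed))
    return findings

# Constructed sample covering the three forms that appear in the thread.
SAMPLE = '''\
data "onepassword_vault" "vault" {
  name = "my-vault"
}

resource "onepassword_item" "bad" {
  vault = data.onepassword_vault.vault.id
  title = "constructed-example"
}

resource "onepassword_item" "workaround" {
  vault = trimprefix(data.onepassword_vault.vault.id, "vaults/")
  title = "constructed-example"
}

resource "onepassword_item" "good" {
  vault = data.onepassword_vault.vault.uuid
  title = "constructed-example"
}
'''

if __name__ == "__main__":
    for lineno, name, fixed in find_bad_vault_refs(SAMPLE):
        print(f"line {lineno}: data.onepassword_vault.{name}.id is "
              f"'vaults/<vault_id>'; use: {fixed.strip()}")
```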