Recommended/safest way to use connect server from github actions

Hi

I have my one password connect server running on my kubernetes cluster (in GCP) using the helm chart from your documentation. It's worked great for creating kubernetes secrets, but now I want to use it within our terraform configuration so I can store all our sensitive database usernames/passwords in 1Password, but then link to those password entries from within terraform.

I've read the 1password provider terraform docs but I'm wondering what the best way to go about this is, for more context:

  • We run our terraform plan/apply from within Github actions, not currently on self hosted runners, just the github runners they provide
  • Our 1password connect server is running on a private kubernetes cluster, on the default config i.e. exposed only on the cluster and not externally, over the default HTTP port.

I understand in order to get anything out of 1Password Connect there has to be token authentication, but would my terraform config look like this if I were to expose it over HTTPS publicly:

provider "onepassword" {
  url = "https://some-domain.com"
}

as I obviously need to allow terraform to be able to communicate with my one password connect server. However, exposing this externally over HTTPS still feels risky.

Thoughts/comments from others who may have had this same issue welcome :) thanks!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • sarahthekey (Community Member)

    TL;DR - is it risky to have onepassword connector on a public URL? Has anyone else done this?

  • Hi @sarahthekey:

    We're currently exploring 1Password Service Accounts, which might be a better fit for this use case, rather than having to expose the 1Password Connect Kubernetes Operator to the public internet.

    Jack

  • sarahthekey (Community Member)

    Hi Jack, that sounds interesting thanks for the info. Do you have an idea on rough timelines for this?

  • eddy_1P (edited May 2023)

    Hey @sarahthekey,

    Service accounts are now available to be used. Check out this page to get an overview of what they do and how you can use them. Note that you need to be an Admin / Owner of the 1Password account to be able to create service accounts.

    In terms of integrations, we have the Kubernetes Secrets Injector that injects the secrets that you want directly into your deployment. This one works with both service accounts and Connect. We're still working on adding service account support for the Terraform provider.

    Coming back to your question about safely providing the Connect host to your terraform, you can achieve that by doing the following steps:
    1. Define a terraform variable (usually in the variables.tf file) like this one:

    variable "op_connect_host" {
      type      = string
      sensitive = true
    }


    Marking it as sensitive will also mask the value of it in the logs e.g. when running terraform plan.
    2. Use the Terraform variable in your terraform file like so:

    provider "onepassword" {
        url = var.op_connect_host
    }
    
    3. Define an environment variable secret for your repository like so: TF_VAR_op_connect_host=https://some-domain.com.
    4. In the step in which you run your Terraform commands, provide the environment variable:

    steps:
      - name: Run Terraform commands
        env:
          TF_VAR_op_connect_host: ${{ secrets.TF_VAR_op_connect_host }}
        run: |
          terraform apply


    Let me know if this helps in decreasing the risk of exposing your Connect host. 😊
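    A fuller Terraform configuration that puts the steps above together, as an added example (not code from this thread or from 1Password): it also passes the Connect token as a second sensitive variable, so neither the host nor the token is hard-coded, and then reads a database item from a vault. The `op_connect_token` variable name, the vault name, the item title, and the URL in the comment are assumptions.

```hcl
# variables.tf
variable "op_connect_host" {
  description = "1Password Connect URL, supplied as TF_VAR_op_connect_host from a repository secret"
  type        = string
  sensitive   = true # masked in plan/apply output
}

variable "op_connect_token" {
  # Assumed name; supplied as TF_VAR_op_connect_token from a repository secret,
  # the same way as the host in step 4 of the answer above.
  description = "Connect access token used to authenticate to the Connect server"
  type        = string
  sensitive   = true
}

# providers.tf
terraform {
  required_providers {
    onepassword = {
      source = "1Password/onepassword"
    }
  }
}

provider "onepassword" {
  url   = var.op_connect_host
  token = var.op_connect_token
}

# main.tf
data "onepassword_vault" "infra" {
  name = "Infrastructure" # assumed vault name
}

data "onepassword_item" "db" {
  vault = data.onepassword_vault.infra.uuid
  title = "prod-postgres" # assumed item title
}

# Values read from the item are already sensitive in the provider;
# any output that re-exposes them must be marked sensitive too,
# otherwise they are printed by `terraform apply` and `terraform output`.
output "db_username" {
  value     = data.onepassword_item.db.username
  sensitive = true
}
```

    Use `data.onepassword_item.db.password` directly in the resource that needs it rather than surfacing it as an output; it will still land in the state file, so the state backend needs the same protection as the secrets themselves.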

This discussion has been closed.