Terraform `data "onepassword_item"` does not include the actual password

Options
coriolinus
coriolinus
Community Member
in Secrets Automation

I have a terraform plan intended to copy a password from an organization vault into Github Actions. It looks like this:

data "onepassword_item" "my_api_key" {
  vault = data.onepassword_vault.my_vault.uuid
  uuid  = "k57uofd2emrq6yba25x4qyrweu"
}

resource "github_actions_secret" "my_api_key" {
  for_each = local.repositories

  repository  = each.value.name
  secret_name = "MY_API_KEY"

  plaintext_value = data.onepassword_item.my_api_key.password
}

This doesn't work. After applying this plan, the password field of the state is blank:

$ terraform show -json | jq '.values.root_module.resources[] | select(.address == "data.onepassword_item.my_api_key")'
{
  "address": "data.onepassword_item.my_api_key",
  "mode": "data",
  "type": "onepassword_item",
  "name": "my_api_key",
  "provider_name": "registry.terraform.io/1password/onepassword",
  "schema_version": 0,
  "values": {
    "category": "password",
    "database": null,
    "hostname": null,
    "id": "vaults/vjrvyhwxyynbiudsqwdse56ery/items/k57uofd2emrq6yba25x4qyrweu",
    "note_value": "This is actually an API credential, but we can't assign this the `API Credential` type in 1password because then the terraform `data \"onepassword_item\"` doesn't know what to do with it.",
    "password": "",
    "port": null,
    "section": [],
    "tags": [],
    "title": "my api key",
    "type": null,
    "url": null,
    "username": null,
    "uuid": "k57uofd2emrq6yba25x4qyrweu",
    "vault": "vjrvyhwxyynbiudsqwdse56ery"
  },
  "sensitive_values": {
    "note_value": true,
    "password": true,
    "section": [],
    "tags": [
      false,
      false,
      false
    ]
  }
}

Note the blank .values.password item above.

However, the password field is in fact set in 1password, which we can verify with the CLI:

$ op item get k57uofd2emrq6yba25x4qyrweu
ID:          k57uofd2emrq6yba25x4qyrweu
Title:       my api key
Vault:       my-vault (vjrvyhwxyynbiudsqwdse56ery)
Created:     2 hours ago
Updated:     2 hours ago by (me)
Favorite:    false
Tags:        
Version:     4
Category:    LOGIN
Fields:
  password:      (redacted, but correct)
  username:      gha-machine-user
  notesPlain:    This is actually an API credential, but we can't assign this the `API Credential` type in 1password because then the terraform `data "onepassword_item"` doesn't know what to do with it.

What is the proper way to extract the actual password data from the item within terraform?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided