Description
Summary
Add support for accessing 1Password Environments through the Terraform provider, enabling infrastructure-as-code workflows for application configuration management across different deployment environments.
Use cases
We manage multiple applications within a monorepo, each with several deployment environments (development, staging, production, etc.). We need to set configuration for each app and each environment. Using 1Password to be the source of truth for our configurations appears to be the smoothest and simplest approach, when compared with other options like:
- AWS parameter store: far too clunky to set manually, and complex to automate
- CI/CD tool: not well suited for storing a multitude of configuration for an ever-growing monorepo
- 1Password environment with AWS secrets sync: not everything in our config is a secret, and thus we don't want to store it as a secret (and incur the cost overhead of doing so)
Proposed solution
Add new Terraform resources and data sources to interact with 1Password Environments:
```hcl
data "onepassword_environment" "my_app" {
  name = "${var.appname}_${var.environment}"
}

resource "aws_lambda_function" "api" {
  function_name = "${var.appname}-api"

  environment {
    # "variables" is a map attribute on aws_lambda_function, so it is assigned with "=".
    variables = {
      LOG_LEVEL = data.onepassword_environment.my_app.log_level
    }
  }
}
```
Is there a workaround to accomplish this today?
The current workaround would be to create a vault per environment and use onepassword_item resources, but this approach has limitations:
- Doesn't align with 1Password's recommended practices for environment configuration
- Creates vault sprawl that is harder to manage if we create a vault per app and environment; if we instead have only one vault per environment, multiple teams modify items in one big vault (increasing the risk of mistakes)
- Loses the semantic meaning of "environments" in our infrastructure code
- More complex access control management across numerous vaults
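For comparison, this is what the vault-per-environment workaround described above looks like in HCL. It is an added example, not code from the issue or from the 1Password provider project; it assumes the provider's existing `onepassword_vault` and `onepassword_item` data sources with the `section`/`field` schema they document, and the item title, section label, field label and Lambda inputs are assumptions chosen for illustration.

```hcl
# Added example of the workaround (one vault per environment, one item per app);
# not part of the original issue. Provider data-source schema as documented by
# the 1Password Terraform provider; names below are assumptions.
variable "appname"         { type = string }
variable "environment"     { type = string }
variable "lambda_role_arn" { type = string } # assumed input; aws_lambda_function requires a role

# One vault per deployment environment, e.g. "staging".
data "onepassword_vault" "env" {
  name = var.environment
}

# One item per application inside that vault carries its non-secret config.
data "onepassword_item" "my_app" {
  vault = data.onepassword_vault.env.uuid
  title = "${var.appname}_config" # assumed item title
}

# Flatten the fields of the section labelled "config" into a plain map
# so the rest of the module can read local.config["LOG_LEVEL"].
locals {
  config_section = one([
    for s in data.onepassword_item.my_app.section : s if s.label == "config"
  ])
  config = { for f in local.config_section.field : f.label => f.value }
}

resource "aws_lambda_function" "api" {
  function_name = "${var.appname}-api"
  role          = var.lambda_role_arn
  handler       = "index.handler"   # assumed
  runtime       = "nodejs20.x"      # assumed
  filename      = "build.zip"       # assumed

  environment {
    variables = {
      LOG_LEVEL = local.config["LOG_LEVEL"]
    }
  }
}
```

Two practical notes on this pattern. First, `one()` fails the plan if the item has no section labelled `config` or has more than one, which surfaces a misconfigured item at plan time rather than at runtime. Second, whichever approach is used, values read through a data source are written to Terraform state in plaintext; that is acceptable for non-secret configuration like `LOG_LEVEL`, but it means the state backend still needs access controls and encryption at rest appropriate to whatever else lands in it.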