Terraform 1password
Terraform provider for 1password usage with your infrastructure, for example you can share password from your admin panel via some vault in you 1password company account. This provider is based on 1Password CLI client version 1.4.0, but you can rewrite it by env variable OPVERSION.
- A 1Password Secrets Manager terraform module. Used to fetch secrets from 1Password.
- The security of 1Password – store credentials, tokens and other secrets fully encrypted. Terraform, Kubernetes and Ansible, with more integrations on the way. You'll also find ready-to-use.
- Terraform Cloud always encrypts state at rest and protects it with TLS in transit. Terraform Cloud also knows the identity of the user requesting state and maintains a history of state changes. This can be used to control access and track activity. Terraform Enterprise also supports detailed audit logging.
Terraform 1password Tutorial
Password specialist 1Password has acquired SecretHub, a secrets management platform aimed at IT engineers, and made a new service called Secrets Automation, previously in beta, generally available.
Terraform Password
The proliferation of passwords and SSH keys in modern IT has brought with it a tricky management problem, not only for people but also for machine-to-machine communications. Developers may struggle to keep secrets such as database logins secure, when their code will not function without them.
In 2019 researchers at North Carolina State University scanned code publicly committed to GitHub and found [PDF] that 'not only is secret leakage pervasive — affecting over 100,000 repositories — but that thousands of new, unique secrets are leaked every day.' In June 2020, security researcher Craig Hays deliberately leaked server credentials in a GitHub repository and observed an unauthorised login just 34 minutes later.
Secrets Automation uses a Connect Server, delivered as a Docker container, which users deploy in their environment. This provides a REST API which applications and services call to get the credentials they need.
These requests are authenticated with an access token, unique to each application or service. 1Password provides API client libraries for Go, Node.js and Python, and there are plugins for tools including Terraform, Kubernetes, Hashicorp Vault, and Ansible.
There is also an upcoming integration with GitHub; VP of partner engineering Dana Lawson said that 'with the upcoming GitHub and 1Password Secrets Automation integration, teams will be able to fully automate all of their infrastructure secrets,' but no further details are available yet. GitHub also has its own Secrets API as part of its Actions DevOps service.
Developers and admins still have the task of managing the access tokens themselves, though these can be stored in 1Password. We presume that embedding them in code is a bad idea, even though the 1Password sample code for Node looks like this:
1Password's chief product officer, Akshay Bhargava, acknowledged that Secrets Automation does not fix this part of the problem, telling us that 'we've purposely designed Secrets Automation to allow customers using tokens to narrow the scope of access to the secrets needed by each part of their infrastructure. It does mean that the token now has that access, so deploying it as a protected secret in your infrastructure is important.
'This could be a Kubernetes secret, an environment variable, or a managed secret in the various cloud platform stacks, etc. This isn't about delivering secure credentials for the connect server to the application. But instead it is about delivering infrastructure secrets through 1Password to the applications securely. More things will be ported over, but we are sunsetting the SecretHub product.'
The price of the new service is based on the number of tokens issued and the number of vaults they access. A free tier offers three credits per month, then pricing starts at $29 per month for 25 credits.
Secrets Automation was developed by 1Password; what will happen to the existing SecretHub product following the acquisition? 'There are going to be some key features from SecretHub that will make their way into the Secrets Automation product,' Bhargava told The Register.
Former SecretHub CEO Marc Mackenbach, who is now joining 1Password, said that existing users 'can continue to use SecretHub as you currently do until January 1st, 2022.' ®
A few months ago I wrote a Terraform Module for deploying an ECS cluster. The module allows you the option to attach an Elastic File System to the cluster using my EFS Module. I quickly ran into an issue with the AutoScaling Group (ASG) deployed before the EFS mount points were ready, so the EFS filesystem would not be mounted on the node. It turns out the EFS ID that is needed for my user-data is available long before the mount points are, which would allow the Launch Configuration and ASG deployment to proceed.
To solve the problem, I created a variable called depends_on_efs that is set to the EFS mount point IDs and then set it as a depends_on in my user-data template. This will ensure the IDs are populated before creating user-data, which causes the ASG deployment to wait until EFS is ready.
Terraform 1password Extension
This worked as intended, keeping the ASG from deploying before the EFS mount points were ready, but it also introduced another issue. Since Terraform defers the read action until the apply phase, the resource is always marked for update (and in turn the Launch Configuration and ASG will update as well). Every time I run terraform plan, it tells me that there are changes to the code, even if there are none (it’s a known issue). Fortunately, I was able to solve it by making a slight change to my template block. Instead of using the depends_on clause, I moved it to the vars section of my data block. Even though the template file doesn’t use it, the rest of the block will wait for it to be available before proceeding.
Now when I run terraform plan, it will tell me my infrastructure is up to date if I haven’t actually made any changes and it will still wait for the EFS to be ready on a clean deploy. Win win.