
I'm trying to set up a Terraform configuration for Sonatype Nexus (among other things). Rather than providing my passwords directly, I want to get them from my 1Password system. The advantage of doing this is that this Terraform config will live alongside my broader infrastructure configuration, which includes the setup of the 1Password Connect deployment.

My infrastructure CI/CD therefore already has environment variables set for the 1Password credentials out of necessity, and it would be nice to make those the only variables I would need for anything. Hence trying to access this password from 1Password.

Below is my Terraform setup. As you can see, it gets the Nexus admin password from 1Password and tries to use it in the provider. However, when I run this Terraform script, it fails with a 401 response from Nexus when trying to create the blobstore.

To be honest, the 1Password Terraform documentation leaves much to be desired. I don't even know if I can configure a provider with data from another provider to begin with.

```hcl
terraform {
  backend "kubernetes" {
    secret_suffix = "nexus-state"
    config_path   = "~/.kube/config"
  }

  required_providers {
    nexus = {
      source  = "datadrivers/nexus"
      version = "1.21.0"
    }

    onepassword = {
      source  = "1Password/onepassword"
      version = "1.1.4"
    }
  }
}

provider "onepassword" {
  url   = "https://my-1password"
  token = var.onepassword_token
}

data "onepassword_item" "nexus_admin" {
  vault = "VAULT_UUID"
  uuid  = "ITEM_UUID"
}

provider "nexus" {
  insecure = true
  password = data.onepassword_item.nexus_admin.password
  username = "admin"
  url      = "https://my-nexus"
}

resource "nexus_blobstore_file" "npm_private" {
  name = "npm-private"
  path = "/nexus-data/npm-private"
}
```
  • Does this https://stackoverflow.com/a/38647969/11715259 answer your question? – N1ngu Sep 02 '22 at 20:52
  • @N1ngu how could that question be related to this one? – Marko E Sep 02 '22 at 20:58
  • It is actually close to a duplicate because that's what you are doing: using resources/data from provider A to interpolate the credentials for provider B. Be them AWS and MySql or 1Password and Nexus, Terraform does not care. Your question is tailored but AFAIU it is answered by that more canonical question. – N1ngu Sep 02 '22 at 21:03
  • That answer is more than six years old. The interpolation here is correct. – Marko E Sep 02 '22 at 21:13
  • @craigmiller160 You can verify that the password is correct by outputting the value of the data source. So you would first comment out the nexus provider and resource blocks, create an output `output "one_pass" { value = data.onepassword_item.nexus_admin.password }`. That way you should be able to verify that it contains the password you need. Also, did you run `terraform plan` prior to running `terraform apply`? – Marko E Sep 02 '22 at 21:25
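
A variant of the verification step discussed in the comments, written so that the password itself never appears in CI logs. This is an added example, not code from the question or from either provider's documentation; the local and output names are hypothetical, and it assumes the `nexus` provider and resource blocks are commented out while you run it.

```hcl
# Added example. `nexus_pw` and `nexus_admin_password_check` are hypothetical names.
locals {
  # Normalise null to "" so the string functions below cannot fail.
  nexus_pw = (
    data.onepassword_item.nexus_admin.password == null
    ? ""
    : data.onepassword_item.nexus_admin.password
  )
}

output "nexus_admin_password_check" {
  # Keep the whole object sensitive: plan/apply output then shows
  # "(sensitive value)", and a hash of a weak password can still be
  # guessed offline, so it should not land in retained CI logs either.
  sensitive = true

  value = {
    # Empty means the data source returned no password for this item.
    is_empty = local.nexus_pw == ""

    # Compare with the length of the password you expect.
    length = length(local.nexus_pw)

    # Stray leading/trailing whitespace or a newline changes the credential
    # that is sent to Nexus.
    has_outer_whitespace = trimspace(local.nexus_pw) != local.nexus_pw

    # Compare against a SHA-256 of the expected password computed locally
    # (hash the exact bytes, with no trailing newline).
    sha256 = sha256(local.nexus_pw)
  }
}
```

After `terraform apply`, read the result on a trusted workstation with `terraform output -json nexus_admin_password_check`. The password retrieved by the data source is still stored in the Terraform state, so access to the `nexus-state` secret in the Kubernetes backend needs to be restricted accordingly.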

0 Answers