Migrate Terraform Projects

1. Set up a 1Password Connect Server

With SecretHub, all integrations connect directly to the SecretHub API. Every time a secret is used, the encrypted data is fetched from the SecretHub servers. In contrast, with 1Password Secrets Automation, you can securely access secrets in your company’s apps and cloud infrastructure using a private REST API provided by a self-hosted 1Password Connect server, which uses 1Password.com as a backend. This means secrets are served to your applications with very low latency and in the rare event that the 1Password.com API is down, your secrets are still served from the Connect server.

Your applications fetch secrets from Connect using any of the integrations or by using the Connect API directly.

Secrets served to your applications via the Connect Server.
Secrets served to your applications via the Connect Server.

Follow the steps to get started with a 1Password Secrets Automation workflow and deploy the Connect server using your credentials. You’ll also get an access token to authenticate Terraform with the REST API.

2. Configure the Provider

Add 1Password/onepassword as a required provider and specify the Connect API Host in the provider configuration:

terraform {
  required_providers {
    onepassword = {
      source = "1Password/onepassword"
      version = "1.0.0"

provider "onepassword" {
  url     = "http://<1Password Connect API Hostname>"

Use the access token you created when setting up 1Password Secrets Automation to set the OP_CONNECT_TOKEN environment variable.

You’ll need to configure the url to point to the hostname or IP address of the Connect server you set up in the first step of this guide. For example localhost:8080 if the Connect server is running in Docker on the same host or <ip>:8080 or <hostname>:8080 if the Connect server is running on another host.

3. Create Vaults in 1Password

Vaults are used to store onepassword item resources. You can create vaults in your account on 1Password.com and in the 1Password apps.

4. Create Item Resources

With the provider configured, you can now create onepassword_item resources to store your secrets in 1Password:

resource "onepassword_item" "db" {
  vault = var.vault

  title    = "Database"
  category = "database"
  type     = "mysql"
  username = "mysqluser"
  database = "mydb"
  port     = 3306

  password_recipe {
    length  = 40
    symbols = false

You can use the values in other resources by referencing the item:

resource "aws_db_instance" "default" {
  allocated_storage    = 10
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = onepassword_item.db.name
  username             = onepassword_item.db.username
  password             = onepassword_item.db.password
  parameter_group_name = "default.mysql5.7"

Your secrets are now managed by Terraform and stored securely in 1Password! 🎉

5. Manage Access

1Password lets you to manage each user’s access to vaults, similar to access rules used in SecretHub. You can also use built-in groups and set access rules for those groups, rather than the individual users. With 1Password Business you can also create custom groups, to make access control more scalable.

Invite people to join your team on 1Password, if you haven’t done so already, and share vaults with individuals or groups. Similar to SecretHub, you can manage permissions for indidivuals or groups in each vault to control the level of access they have to items.