password_recipe is not generating password field #129

Open
yordis opened this issue Jan 7, 2024 · 5 comments
Labels
bug Something isn't working

yordis commented Jan 7, 2024

Your environment

Terraform Provider Version: 1.4.0
Connect Server Version:
CLI Version: 2.24.0
OS: macOS 14.2.1
Terraform Version: 1.6.3

What happened?

Using the following config, the password isn't being populated:

resource "onepassword_item" "rabbitmq" {
  title    = "RabbitMQ"
  vault    = var.vault_id
  category = "database"
  type     = "other"
  database = "RabbitMQ"
  hostname = "127.0.0.1"
  username = "flashbot"
  port     = 5672
  tags = ["managed-by:terraform"]
  password_recipe {
    length  = 20
    symbols = true
    digits  = true
    letters = true
  }
}





terraform {
  backend "local" {
    path = "terraform.tfstate"
  }
  required_version = "1.6.3"
  required_providers {
    null = {
      source = "hashicorp/null"
      version = "3.2.2"
    }
    onepassword = {
      source  = "1Password/onepassword"
      version = "1.4.0"
    }
  }
}

provider "onepassword" {}

What did you expect to happen?

I expected the following onepassword_item to generate a password value when only using password_recipe:

Steps to reproduce

  1. Copy and paste the previous code
  2. Run apply on the changes
  3. Observe there is no password being generated

Notes & Logs

Screen.Recording.2024-01-07.at.3.27.56.PM.mov
yordis added the bug label Jan 7, 2024
@volodymyrZotov
Collaborator

Thank you for raising! We'll address this in a future release!

But if you want to help and have time, you're welcome to contribute and create a PR with the fix! 😃
Here are our CONTRIBUTING.md instructions.

jdewar commented May 16, 2024

I just ran into this as well. Is this because it is category: "database"?

@maxexcloo

Had this issue also for category: "login" - using random_password for now.

CamiloDFM commented May 17, 2024

I noticed that only the password item can generate a password using password_recipe. This is not stated anywhere in the docs, which is why I'd consider it a bug. If the 1Password team considers it a feature that would be nice to have in the future, I'd appreciate a note in the documentation. I'm using provider version 1.4.3.

In the meantime, I used a separate password onepassword_item to generate the password, which I also saved in my database item, like this:

resource "onepassword_item" "db_password" {
  # This needs to be its own item because the provider doesn't generate a password if it's not a "password" item.
  # See https://github.com/1Password/terraform-provider-onepassword/issues/129
  title = "Wordpress MySQL RDS password"
  vault = data.onepassword_vault.vault.uuid
  category = "password"
  password_recipe {
    length = 32
    letters = true
    digits = true
    symbols = false  # Symbols recipe includes @, which can't be used in a MySQL password
  }
}

resource "onepassword_item" "db_credentials" {
  title = "Wordpress MySQL RDS"
  vault = data.onepassword_vault.vault.uuid
  category = "database"
  type = "mysql"
  hostname = aws_db_instance.db_instance.address
  port = local.rds_credentials.port
  database = local.rds_credentials.database
  username = local.rds_credentials.username
  password = onepassword_item.db_password.password
}

The ugly part of this workaround is the fact that it generates an additional entry in the vault, but I prefer it over something like random_password which ends up saved in plaintext in the state.

wsidl commented May 22, 2024

Would love to get this working as well.

Does seem like the "Database" category's password field is missing the "Purpose" parameter that both the "Login" and "Password" categories have. This is required for the Password Generation logic to work:

func passwordField(item *onepassword.Item) *onepassword.ItemField {
	for _, f := range item.Fields {
		if f.Purpose == onepassword.FieldPurposePassword {
			return f
		}
	}
	return nil
}

func passwordRecipe(item *onepassword.Item) string {
	if pf := passwordField(item); pf != nil {
		return passwordRecipeToString(pf.Recipe, pf.Generate)
	}
	return ""
}
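
An added illustration of the lookup wsidl describes above, not part of the thread and not the provider's code: it assumes, as that comment suggests, that a database item's password field has no purpose set. `Item`, `Field`, `Recipe`, `applyRecipe` and `ErrRecipeIgnored` are hypothetical stand-ins that show the purpose-based lookup finding nothing and the caller reporting that instead of leaving the password empty.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-in types (assumptions), simplified from the names in the quoted
// snippet; they are not the 1Password Connect SDK types.
type Recipe struct{ Length int }
type Field struct {
	ID, Purpose string // Purpose "PASSWORD" marks the primary password field
	Generate    bool
	Recipe      *Recipe
}
type Item struct {
	Category string
	Fields   []*Field
}

var ErrRecipeIgnored = errors.New("password_recipe set but no field has the password purpose")

// passwordField is the purpose-based lookup from the quoted snippet.
func passwordField(item *Item) *Field {
	for _, f := range item.Fields {
		if f.Purpose == "PASSWORD" {
			return f
		}
	}
	return nil
}

// applyRecipe attaches a requested recipe to the password field and fails
// closed when there is none, instead of leaving the password empty.
func applyRecipe(item *Item, r *Recipe) error {
	pf := passwordField(item)
	if pf == nil {
		return fmt.Errorf("category %q: %w", item.Category, ErrRecipeIgnored)
	}
	pf.Generate, pf.Recipe = true, r
	return nil
}

func main() {
	// Constructed items: the database password field carries no Purpose.
	db := &Item{Category: "DATABASE", Fields: []*Field{{ID: "password"}}}
	pw := &Item{Category: "PASSWORD", Fields: []*Field{{ID: "password", Purpose: "PASSWORD"}}}
	fmt.Println(applyRecipe(db, &Recipe{Length: 20}), applyRecipe(pw, &Recipe{Length: 20}))
}
```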
