# README
Pass Terraform Provider
This provider was forked from the now-defunct camptocamp/terraform-provider-pass and took some inspirational patches from another fork which is based on the 2.x releases.
This provider adds integration between Terraform and Pass and Gopass password stores.
Pass is a password store using gpg to encrypt password and git to version. Gopass is a rewrite of the pass password manager in Go with the aim of making it cross-platform and adding additional features.
Requirements
- Terraform 0.12.x
- Go 1.18
- goreleaser >= 2.5.1
Building The Provider
Download the provider source code
$ git clone https://github.com/digipost/terraform-provider-pass.git
Enter the provider directory and build the provider
$ cd terraform-provider-pass
$ make
Testing the binary locally
- Set up a developer override in Terraform for the provider, as described in https://developer.hashicorp.com/terraform/cli/config/config-file#development-overrides-for-provider-developers
This amounts to creating or updating a
~/.terraformrcfile with contents of:
provider_installation {
dev_overrides {
"github.com/digipost/pass" = "${GOPATH}/bin"
}
# For all other providers, install them directly from their origin provider
# registries as normal. If you omit this, Terraform will _only_ use
# the dev_overrides block, and so no other providers will be available.
direct {}
}
You must substitute ${GOPATH} with the actual value of your shell environment variable, GOPATH, as
environment variable substitution in that file, does not work.
-
Install the binary of the provider locally:
go install .This places a copy of the binary in the folder configured above. -
Create a new folder to hold a new minimal Terraform configuration, a
main.tffile with contents like:
terraform {
required_providers {
pass = {
source = "github.com/digipost/pass"
}
}
}
provider "pass" {
store_dir = "<YOUR pass store directory, e.g. ~/.password-store>"
refresh_store = false
}
data "pass_password" "test" {
path = "<some secret path in the password store, /foo/bar/username >"
}
output "testdata" {
value = data.pass_password.test
- Change into the directory and execute
terraform plan,terraform applyetc. This should produce no errors.
Installing the provider
After building the provider, install it using the Terraform instructions for installing a third party provider or in-house providers.
Example
provider "pass" {
store_dir = "/srv/password-store" # defaults to $PASSWORD_STORE_DIR
refresh_store = false # do not call `git pull`
}
resource "pass_password" "test" {
path = "secret/foo"
password = "0123456789"
data = {
zip = "zap"
}
}
data "pass_password" "test" {
path = "${pass_password.test.path}"
}
Usage
The pass provider
Argument Reference
The provider takes the following arguments:
store_dir- (Optional) Path to your password store, defaults to$PASSWORD_STORE_DIRrefresh_store- (Optional) Boolean whether to callgit pullwhen configuring the provider, defaults totrue
The pass_password resource
Argument Reference
The resource takes the following arguments:
path- Full path from which a password will be readpassword- Secret passworddata- (Optional) Additional secret data
Attribute Reference
The following attributes are exported:
path- Full path from which the password was readpassword- Secret passworddata- Additional secret databody- Raw secret data if not YAMLfull- Entire secret contents
The pass_password data source
Argument Reference
The data source takes the following arguments:
path- Full path from which a password will be read
Attribute Reference
The following attributes are exported:
path- Full path from which the password was readpassword- Secret passworddata- Additional secret databody- Raw secret data if not YAMLfull- Entire secret contents