New plugin: terraform login credential helper

[skyqrose]

Platform or tool

terraform and opentofu

Relevant links

• https://developer.hashicorp.com/terraform/cli/config/config-file#credentials-helpers
• https://developer.hashicorp.com/terraform/internals/credentials-helpers
• https://opentofu.org/docs/v1.11/cli/config/config-file/#credentials-helpers
• https://opentofu.org/docs/v1.11/internals/credentials-helpers/

Goal or desired behavior

By default, terraform login or tofu login stores tokens on disk in plain text. Terraform/opentofu provides an interface for credential helpers to store these tokens in other secure systems, but there are no good implementations.

I want a credential helper that implements this interface to save tofu's tokens in a 1Password item.

It's not quite the same as other credentials I save in 1Password, since this token never has to be read or written by a human or copied to any other systems. It's just a secure way for tofu to write and read its own tokens. (When you do tofu login website.example it opens a web browser to the website's normal human login process, and that process generates a token which is given to tofu.) But I think 1Password is the right place for this because it's an existing secure system, and I'm already hooked into it for other tofu authentication I do (e.g. via the aws 1password plugin).

Contribution

• I'd be up for building the plugin myself.

Additional information

I believe this is an entirely different system than what the existing Terraform plugin covers.

Also related: The existing terraform plugin doesn't support opentofu #483

Open question: Should this be added to the existing terraform plugin, or should it be its own plugin?