module · Secrets & Config

1Password

1Password — Events API audit (sign-ins, item usages, admin)

Namespace: weave onepassword Env: OP_EVENTS_TOKEN

Commands

—

State kinds

Secrets & Config

Setup

Configure credentials via environment variables. We recommend sourcing them through 1Password or your secrets manager rather than committing them to the shell rc.

Official API reference

weave commands for this module are checked against the vendor's published API.

1Password Events API

Variable	Description	Status
OP_EVENTS_TOKEN	Required for authentication.	required
OP_EVENTS_HOST	Events API host (default: events.1password.com).	optional

Sanity-check the wiring:

weave secrets check
weave onepassword --help
weave doctor   # reports OP_EVENTS_TOKEN status

Capabilities

What this module can do, by entity and verb. ✓ means a working CLI surface; · means not (yet) wired.

Entity	find	list	show	do	snapshot	diff	apply
audit-event	·	✓	·	·	·	·	·
item-usage	·	✓	·	·	·	·	·
signin-attempt	·	✓	·	·	·	·	·

Commands

Every registered CLI command, grouped by verb. Each example uses placeholder arguments — substitute real values for your environment.

list (3)

list audit-events

read

List admin audit events.

weave onepassword list audit-events <arg>

list item-usages

read

List recent item-usage events.

weave onepassword list item-usages <arg>

list signin-attempts

read

List recent sign-in attempts.

weave onepassword list signin-attempts <arg>

Workflows

End-to-end recipes from operators who already run this module in production. Copy, adapt, and put under change-control.

Investigate suspicious vault access

weave onepassword list signin-attempts --since=24h
weave onepassword list item-usages --since=24h
weave onepassword list audit-events --since=24h

Weekly security review export

Pipe Events API output into your SIEM or a dated archive.

op run --env-file ~/.config/weave/op-env -- weave onepassword list audit-events --since=7d --format=json > op-audit-$(date +%F).json

Correlate with weave doctor

weave doctor   # confirms OP_EVENTS_TOKEN is loaded
weave onepassword list signin-attempts

Terraform parity

For each Terraform resource in the canonical provider, here's the equivalent live-API verb in weave. Use this as a migration cheat-sheet, not a 1:1 contract — weave deliberately stays in the live-state lane, not the desired-state lane.

Terraform resource	weave equivalent
onepassword_vault	Not in scope — weave reads Events API, not vault CRUD Use the 1Password Terraform provider for vault structure; use weave for live audit trails.
(Events API — no Terraform resource)	weave onepassword list signin-attempts / item-usage / audit-events Operational audit verbs unique to weave.

Troubleshooting & source

Missing credentials

Run weave doctor — it reports which env vars (including OP_EVENTS_TOKEN) are set and which are blank.

Unexpected behaviour from a state apply

Re-run weave onepassword diff <kind> to confirm the controller's current state, then re-snapshot before the next apply. The driver always re-snapshots before diffing.

Open the source

The module lives at https://github.com/andy-broyles/weavewhatever/tree/main/src/weave/modules/onepassword. File a bug or feature request at https://github.com/andy-broyles/weavewhatever/issues.