A Terraform provider for managing Password Pusher resources through its REST API.
It supports provisioning and configuration of secure one-time pushes – including secrets, files, URLs, and QR codes – with expiration and passphrase protection.
Here are practical scenarios where using the pwpush Terraform provider is ideal compared to manual usage:
- ✅ GitOps & automation: Push secrets in CI/CD pipelines as part of automated infrastructure provisioning.
- 🔐 Temporary credential sharing: Safely share credentials with newly created users, contractors, or services.
- 🛠️ Immutable environments: Recreate secrets on every Terraform run as part of a secure, reproducible workflow.
- 📤 Credential delivery: Deliver generated passwords (e.g., via Terraform random provider) to human recipients.
- 🚫 Avoid storing secrets in state files: Send secrets via expiring link instead of embedding in outputs or storage.
- 🧪 Secret testing environments: Create disposable, time-limited secrets for test or staging use.
- 🧾 Auditable provisioning: Keep track of when secrets are pushed and for what purpose via version control.
- 📦 Multi-platform provisioning: Coordinate secret delivery alongside cloud or on-prem resource provisioning.
This provider makes it easy to integrate secure secret sharing into infrastructure-as-code workflows, especially where automation and reproducibility are key.
- Terraform v0.13+
- Password Pusher server or hosted instance
- Go 1.21+ (if building from source)
```sh
make build
```
Provider | Status |
---|---|
Terraform | |
OpenTofu | |
```hcl
provider "pwpush" {
  endpoint        = "https://pwpush.example.com" # optional
  email           = "your@example.com"           # optional
  token           = "your-api-token"             # optional
  skip_ssl_verify = true                         # optional; skips TLS certificate verification (default: false)
}
```
🔐 Authentication is required for file uploads and notes. The provider uses:

- X-User-Email
- X-User-Token
Example:

```hcl
provider "pwpush" {
  email = "user@example.com"
  token = "super_secret_token"
}
```
```sh
export PWPUSH_ENDPOINT="https://pwpush.example.com"
export PWPUSH_EMAIL="your@example.com"
export PWPUSH_TOKEN="your-api-token"
```
Name | Type | Required | Description |
---|---|---|---|
endpoint | string | ❌ no | The URL of the Password Pusher server (default: https://pwpush.com) |
email | string | ❌ no | Email for authenticated pushes (if needed) |
token | string | ❌ no | API token for authenticated pushes |
skip_ssl_verify | bool | ❌ no | Skip TLS certificate verification (default: false) |
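A CI or pre-commit check for the provider settings in the table above, as an added example that is not part of the provider's code: it flags a literal token, skip_ssl_verify = true, and a plain-HTTP endpoint other than a local test instance. The finding names, the sample configurations and the var.pwpush_* variable names are assumptions made for illustration.

```python
import re

# provider "pwpush" { ... } with the closing brace on its own line (terraform fmt layout).
BLOCK_RE = re.compile(r'provider\s+"pwpush"\s*\{(.*?)^\s*\}', re.S | re.M)
# name = value, ignoring a trailing "# comment".
ATTR_RE = re.compile(r'^[ \t]*(\w+)[ \t]*=[ \t]*(.*?)[ \t]*(?:#.*)?$', re.M)
# Plain HTTP is tolerated only for a local test instance.
LOCAL_RE = re.compile(r'^"http://(localhost|127\.0\.0\.1)([:/"]|$)')


def lint_pwpush(hcl: str) -> list[str]:
    """Return finding codes for every provider "pwpush" block in hcl."""
    findings = []
    for block in BLOCK_RE.finditer(hcl):
        attrs = dict(ATTR_RE.findall(block.group(1)))
        token = attrs.get("token", "")
        # A quoted literal without interpolation ends up in version control.
        if token.startswith('"') and "${" not in token:
            findings.append("hardcoded-token")
        # Without verification an on-path host can read X-User-Token.
        if attrs.get("skip_ssl_verify") == "true":
            findings.append("tls-verify-disabled")
        endpoint = attrs.get("endpoint", "")
        # The authentication headers would travel unencrypted.
        if endpoint.startswith('"http://') and not LOCAL_RE.match(endpoint):
            findings.append("plaintext-endpoint")
    return findings


# Constructed sample configurations (not taken from the project).
RISKY = '''
provider "pwpush" {
  endpoint        = "http://pwpush.example.com"
  email           = "user@example.com"
  token           = "super_secret_token"
  skip_ssl_verify = true # optional
}
'''
SAFER = '''
provider "pwpush" {
  endpoint = "https://pwpush.example.com"
  email    = var.pwpush_email
  token    = var.pwpush_token
}
'''
if __name__ == "__main__":
    print(lint_pwpush(RISKY))
    print(lint_pwpush(SAFER))
```

An empty provider block that relies on PWPUSH_ENDPOINT, PWPUSH_EMAIL and PWPUSH_TOKEN also passes, since nothing sensitive is written into the configuration.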
Resource | Docs | Example | Status | E2E Tests |
---|---|---|---|---|
pwpush_push | push | example (push*) | ✅ Daily verified | |
Open a feature request or contribute directly.
See CONTRIBUTING.md for details.
We welcome all questions, issues and ideas — open a GitHub Issue or PR.
Have questions, suggestions or want to contribute ideas?
GitHub Discussions
This provider is validated daily using GitHub Actions on real Password Pusher instances using real terraform plan and terraform apply.
💡 This helps catch regressions and API changes early.
To test the provider locally, start the Pwpush Web UI using Docker Compose:
```sh
make up
```

Then open http://localhost:5100 in your browser by running:

```sh
make launch
```

After making changes to the provider source code, follow these steps.

Build the provider binary:

```sh
make build
```

Install the binary into the local Terraform plugin directory:

```sh
make install-plugin
```

Update your main.tf to use the local provider source by adding the following to your Terraform configuration:

```hcl
terraform {
  required_providers {
    pwpush = {
      source = "localdomain/local/pwpush"
    }
  }
}
```
Now you're ready to test your provider against the local or cloud Pwpush instance.
See Issues and CONTRIBUTING.md for development plans.
Maintained by Tomáš Grulich.
MIT License. See LICENSE.