Implement BitwardenLoginCredentialParameter (#151)

2025-09-02 18:50:24 +00:00 · 2024-04-03 16:01:03 -07:00 · 2024-04-03 16:01:03 -07:00 · 1d1e29b813
commit 1d1e29b813
parent 999eda9b5d
12 changed files with 392 additions and 8 deletions
--- a/alembic/versions/2024_04_03_2257-4630ab8c198e_create_bitwarden_credential_parameter_.py
+++ b/alembic/versions/2024_04_03_2257-4630ab8c198e_create_bitwarden_credential_parameter_.py
@ -0,0 +1,67 @@
 """Create bitwarden credential parameter table
 Revision ID: 4630ab8c198e
 Revises: ffe2f57bd288
 Create Date: 2024-04-03 22:57:03.231654+00:00
 """
 from typing import Sequence, Union
 import sqlalchemy as sa
 from alembic import op
 # revision identifiers, used by Alembic.
 revision: str = "4630ab8c198e"
 down_revision: Union[str, None] = "ffe2f57bd288"
 branch_labels: Union[str, Sequence[str], None] = None
 depends_on: Union[str, Sequence[str], None] = None
 def upgrade() -> None:
    # ### commands auto generated by Alembic - please adjust! ###
    op.create_table(
        "bitwarden_login_credential_parameters",
        sa.Column("bitwarden_login_credential_parameter_id", sa.String(), nullable=False),
        sa.Column("workflow_id", sa.String(), nullable=False),
        sa.Column("key", sa.String(), nullable=False),
        sa.Column("description", sa.String(), nullable=True),
        sa.Column("bitwarden_client_id_aws_secret_key", sa.String(), nullable=False),
        sa.Column("bitwarden_client_secret_aws_secret_key", sa.String(), nullable=False),
        sa.Column("bitwarden_master_password_aws_secret_key", sa.String(), nullable=False),
        sa.Column("url_parameter_key", sa.String(), nullable=False),
        sa.Column("created_at", sa.DateTime(), nullable=False),
        sa.Column("modified_at", sa.DateTime(), nullable=False),
        sa.Column("deleted_at", sa.DateTime(), nullable=True),
        sa.ForeignKeyConstraint(
            ["workflow_id"],
            ["workflows.workflow_id"],
        ),
        sa.PrimaryKeyConstraint("bitwarden_login_credential_parameter_id"),
    )
    op.create_index(
        op.f("ix_bitwarden_login_credential_parameters_bitwarden_login_credential_parameter_id"),
        "bitwarden_login_credential_parameters",
        ["bitwarden_login_credential_parameter_id"],
        unique=False,
    )
    op.create_index(
        op.f("ix_bitwarden_login_credential_parameters_workflow_id"),
        "bitwarden_login_credential_parameters",
        ["workflow_id"],
        unique=False,
    )
    # ### end Alembic commands ###
 def downgrade() -> None:
    # ### commands auto generated by Alembic - please adjust! ###
    op.drop_index(
        op.f("ix_bitwarden_login_credential_parameters_workflow_id"), table_name="bitwarden_login_credential_parameters"
    )
    op.drop_index(
        op.f("ix_bitwarden_login_credential_parameters_bitwarden_login_credential_parameter_id"),
        table_name="bitwarden_login_credential_parameters",
    )
    op.drop_table("bitwarden_login_credential_parameters")
    # ### end Alembic commands ###
--- a/skyvern/exceptions.py
+++ b/skyvern/exceptions.py
@ -185,3 +185,28 @@ class DownloadFileMaxSizeExceeded(SkyvernException):
    def __init__(self, max_size: int) -> None:
        self.max_size = max_size
        super().__init__(f"Download file size exceeded the maximum allowed size of {max_size} MB.")
 class BitwardenBaseError(SkyvernException):
    def __init__(self, message: str) -> None:
        super().__init__(f"Bitwarden error: {message}")
 class BitwardenLoginError(BitwardenBaseError):
    def __init__(self, message: str) -> None:
        super().__init__(f"Error logging in to Bitwarden: {message}")
 class BitwardenUnlockError(BitwardenBaseError):
    def __init__(self, message: str) -> None:
        super().__init__(f"Error unlocking Bitwarden: {message}")
 class BitwardenListItemsError(BitwardenBaseError):
    def __init__(self, message: str) -> None:
        super().__init__(f"Error listing items in Bitwarden: {message}")
 class BitwardenLogoutError(BitwardenBaseError):
    def __init__(self, message: str) -> None:
        super().__init__(f"Error logging out of Bitwarden: {message}")
--- a/skyvern/forge/sdk/db/client.py
+++ b/skyvern/forge/sdk/db/client.py
@ -13,6 +13,7 @@ from skyvern.forge.sdk.db.exceptions import NotFoundError
 from skyvern.forge.sdk.db.models import (
    ArtifactModel,
    AWSSecretParameterModel,
    BitwardenLoginCredentialParameterModel,
    OrganizationAuthTokenModel,
    OrganizationModel,
    OutputParameterModel,
@ -28,6 +29,7 @@ from skyvern.forge.sdk.db.utils import (
    _custom_json_serializer,
    convert_to_artifact,
    convert_to_aws_secret_parameter,
    convert_to_bitwarden_login_credential_parameter,
    convert_to_organization,
    convert_to_organization_auth_token,
    convert_to_output_parameter,
@ -43,6 +45,7 @@ from skyvern.forge.sdk.models import Organization, OrganizationAuthToken, Step,
 from skyvern.forge.sdk.schemas.tasks import ProxyLocation, Task, TaskStatus
 from skyvern.forge.sdk.workflow.models.parameter import (
    AWSSecretParameter,
    BitwardenLoginCredentialParameter,
    OutputParameter,
    WorkflowParameter,
    WorkflowParameterType,
@ -844,6 +847,31 @@ class AgentDB:
            await session.refresh(aws_secret_parameter)
            return convert_to_aws_secret_parameter(aws_secret_parameter)
    async def create_bitwarden_login_credential_parameter(
        self,
        workflow_id: str,
        bitwarden_client_id_aws_secret_key: str,
        bitwarden_client_secret_aws_secret_key: str,
        bitwarden_master_password_aws_secret_key: str,
        url_parameter_key: str,
        key: str,
        description: str | None = None,
    ) -> BitwardenLoginCredentialParameter:
        async with self.Session() as session:
            bitwarden_login_credential_parameter = BitwardenLoginCredentialParameterModel(
                workflow_id=workflow_id,
                bitwarden_client_id_aws_secret_key=bitwarden_client_id_aws_secret_key,
                bitwarden_client_secret_aws_secret_key=bitwarden_client_secret_aws_secret_key,
                bitwarden_master_password_aws_secret_key=bitwarden_master_password_aws_secret_key,
                url_parameter_key=url_parameter_key,
                key=key,
                description=description,
            )
            session.add(bitwarden_login_credential_parameter)
            await session.commit()
            await session.refresh(bitwarden_login_credential_parameter)
            return convert_to_bitwarden_login_credential_parameter(bitwarden_login_credential_parameter)
    async def create_output_parameter(
        self,
        workflow_id: str,
--- a/skyvern/forge/sdk/db/id.py
+++ b/skyvern/forge/sdk/db/id.py
@ -38,6 +38,7 @@ WORKFLOW_RUN_PREFIX = "wr"
 WORKFLOW_PARAMETER_PREFIX = "wp"
 AWS_SECRET_PARAMETER_PREFIX = "asp"
 OUTPUT_PARAMETER_PREFIX = "op"
 BITWARDEN_LOGIN_CREDENTIAL_PARAMETER_PREFIX = "blc"
 def generate_workflow_id() -> str:
@ -65,6 +66,11 @@ def generate_output_parameter_id() -> str:
    return f"{OUTPUT_PARAMETER_PREFIX}_{int_id}"
 def generate_bitwarden_login_credential_parameter_id() -> str:
    int_id = generate_id()
    return f"{BITWARDEN_LOGIN_CREDENTIAL_PARAMETER_PREFIX}_{int_id}"
 def generate_organization_auth_token_id() -> str:
    int_id = generate_id()
    return f"{ORGANIZATION_AUTH_TOKEN_PREFIX}_{int_id}"
--- a/skyvern/forge/sdk/db/models.py
+++ b/skyvern/forge/sdk/db/models.py
@ -8,6 +8,7 @@ from skyvern.forge.sdk.db.enums import OrganizationAuthTokenType
 from skyvern.forge.sdk.db.id import (
    generate_artifact_id,
    generate_aws_secret_parameter_id,
    generate_bitwarden_login_credential_parameter_id,
    generate_org_id,
    generate_organization_auth_token_id,
    generate_output_parameter_id,
@ -177,6 +178,24 @@ class AWSSecretParameterModel(Base):
    deleted_at = Column(DateTime, nullable=True)
 class BitwardenLoginCredentialParameterModel(Base):
    __tablename__ = "bitwarden_login_credential_parameters"
    bitwarden_login_credential_parameter_id = Column(
        String, primary_key=True, index=True, default=generate_bitwarden_login_credential_parameter_id
    )
    workflow_id = Column(String, ForeignKey("workflows.workflow_id"), index=True, nullable=False)
    key = Column(String, nullable=False)
    description = Column(String, nullable=True)
    bitwarden_client_id_aws_secret_key = Column(String, nullable=False)
    bitwarden_client_secret_aws_secret_key = Column(String, nullable=False)
    bitwarden_master_password_aws_secret_key = Column(String, nullable=False)
    url_parameter_key = Column(String, nullable=False)
    created_at = Column(DateTime, default=datetime.datetime.utcnow, nullable=False)
    modified_at = Column(DateTime, default=datetime.datetime.utcnow, onupdate=datetime.datetime.utcnow, nullable=False)
    deleted_at = Column(DateTime, nullable=True)
 class WorkflowRunParameterModel(Base):
    __tablename__ = "workflow_run_parameters"
--- a/skyvern/forge/sdk/db/utils.py
+++ b/skyvern/forge/sdk/db/utils.py
@ -9,6 +9,7 @@ from skyvern.forge.sdk.db.enums import OrganizationAuthTokenType
 from skyvern.forge.sdk.db.models import (
    ArtifactModel,
    AWSSecretParameterModel,
    BitwardenLoginCredentialParameterModel,
    OrganizationAuthTokenModel,
    OrganizationModel,
    OutputParameterModel,
@ -24,6 +25,7 @@ from skyvern.forge.sdk.models import Organization, OrganizationAuthToken, Step,
 from skyvern.forge.sdk.schemas.tasks import ProxyLocation, Task, TaskStatus
 from skyvern.forge.sdk.workflow.models.parameter import (
    AWSSecretParameter,
    BitwardenLoginCredentialParameter,
    OutputParameter,
    WorkflowParameter,
    WorkflowParameterType,
@ -211,6 +213,30 @@ def convert_to_aws_secret_parameter(
    )
 def convert_to_bitwarden_login_credential_parameter(
    bitwarden_login_credential_parameter_model: BitwardenLoginCredentialParameterModel, debug_enabled: bool = False
 ) -> BitwardenLoginCredentialParameter:
    if debug_enabled:
        LOG.debug(
            "Converting BitwardenLoginCredentialParameterModel to BitwardenLoginCredentialParameter",
            bitwarden_login_credential_parameter_id=bitwarden_login_credential_parameter_model.bitwarden_login_credential_parameter_id,
        )
    return BitwardenLoginCredentialParameter(
        bitwarden_login_credential_parameter_id=bitwarden_login_credential_parameter_model.bitwarden_login_credential_parameter_id,
        workflow_id=bitwarden_login_credential_parameter_model.workflow_id,
        key=bitwarden_login_credential_parameter_model.key,
        description=bitwarden_login_credential_parameter_model.description,
        bitwarden_client_id_aws_secret_key=bitwarden_login_credential_parameter_model.bitwarden_client_id_aws_secret_key,
        bitwarden_client_secret_aws_secret_key=bitwarden_login_credential_parameter_model.bitwarden_client_secret_aws_secret_key,
        bitwarden_master_password_aws_secret_key=bitwarden_login_credential_parameter_model.bitwarden_master_password_aws_secret_key,
        url_parameter_key=bitwarden_login_credential_parameter_model.url_parameter_key,
        created_at=bitwarden_login_credential_parameter_model.created_at,
        modified_at=bitwarden_login_credential_parameter_model.modified_at,
        deleted_at=bitwarden_login_credential_parameter_model.deleted_at,
    )
 def convert_to_output_parameter(
    output_parameter_model: OutputParameterModel, debug_enabled: bool = False
 ) -> OutputParameter:
--- a/skyvern/forge/sdk/services/bitwarden.py
+++ b/skyvern/forge/sdk/services/bitwarden.py
@ -0,0 +1,97 @@
 import json
 import os
 import subprocess
 import structlog
 from skyvern.exceptions import BitwardenListItemsError, BitwardenLoginError, BitwardenLogoutError, BitwardenUnlockError
 LOG = structlog.get_logger()
 class BitwardenService:
    @staticmethod
    def run_command(command: list[str], additional_env: dict[str, str] | None = None) -> subprocess.CompletedProcess:
        """
        Run a CLI command with the specified additional environment variables and return the result.
        """
        env = os.environ.copy()  # Copy the current environment
        # Make sure node isn't returning warnings. Warnings are sent through stderr and we raise exceptions on stderr.
        env["NODE_NO_WARNINGS"] = "1"
        if additional_env:
            env.update(additional_env)  # Update with any additional environment variables
        return subprocess.run(command, capture_output=True, text=True, env=env)
    @staticmethod
    def get_secret_value_from_url(
        client_id: str,
        client_secret: str,
        master_password: str,
        url: str,
    ) -> dict[str, str]:
        """
        Get the secret value from the Bitwarden CLI.
        """
        # Step 1: Set up environment variables and log in
        env = {"BW_CLIENTID": client_id, "BW_CLIENTSECRET": client_secret, "BW_PASSWORD": master_password}
        login_command = ["bw", "login", "--apikey"]
        login_result = BitwardenService.run_command(login_command, env)
        # Print both stdout and stderr for debugging
        if login_result.stderr:
            raise BitwardenLoginError(login_result.stderr)
        # Step 2: Unlock the vault
        unlock_command = ["bw", "unlock", "--passwordenv", "BW_PASSWORD"]
        unlock_result = BitwardenService.run_command(unlock_command, env)
        if unlock_result.stderr:
            raise BitwardenUnlockError(unlock_result.stderr)
        # Extract session key
        try:
            session_key = unlock_result.stdout.split('"')[1]
        except IndexError:
            raise BitwardenUnlockError("Unable to extract session key.")
        if not session_key:
            raise BitwardenUnlockError("Session key is empty.")
        # Step 3: Retrieve the items
        list_command = ["bw", "list", "items", "--url", url, "--session", session_key]
        items_result = BitwardenService.run_command(list_command)
        if items_result.stderr:
            raise BitwardenListItemsError(items_result.stderr)
        # Parse the items and extract credentials
        try:
            items = json.loads(items_result.stdout)
        except json.JSONDecodeError:
            raise BitwardenListItemsError("Failed to parse items JSON. Output: " + items_result.stdout)
        if not items:
            raise BitwardenListItemsError("No items found in Bitwarden.")
        credentials = [
            {"username": item["login"]["username"], "password": item["login"]["password"]}
            for item in items
            if "login" in item
        ]
        # Step 4: Log out
        BitwardenService.logout()
        # Todo: Handle multiple credentials, for now just return the last one
        return credentials[-1] if credentials else {}
    @staticmethod
    def logout() -> None:
        """
        Log out of the Bitwarden CLI.
        """
        logout_command = ["bw", "logout"]
        logout_result = BitwardenService.run_command(logout_command)
        if logout_result.stderr:
            raise BitwardenLogoutError(logout_result.stderr)
--- a/skyvern/forge/sdk/workflow/context_manager.py
+++ b/skyvern/forge/sdk/workflow/context_manager.py
@ -3,8 +3,9 @@ from typing import TYPE_CHECKING, Any
 import structlog
-from skyvern.exceptions import WorkflowRunContextNotInitialized
+from skyvern.exceptions import BitwardenBaseError, WorkflowRunContextNotInitialized
 from skyvern.forge.sdk.api.aws import AsyncAWSClient
 from skyvern.forge.sdk.services.bitwarden import BitwardenService
 from skyvern.forge.sdk.workflow.exceptions import OutputParameterKeyCollisionError
 from skyvern.forge.sdk.workflow.models.parameter import (
    PARAMETER_TYPE,
@ -113,6 +114,46 @@ class WorkflowRunContext:
                random_secret_id = self.generate_random_secret_id()
                self.secrets[random_secret_id] = secret_value
                self.values[parameter.key] = random_secret_id
        elif parameter.parameter_type == ParameterType.BITWARDEN_LOGIN_CREDENTIAL:
            try:
                # Get the Bitwarden login credentials from AWS secrets
                client_id = await aws_client.get_secret(parameter.bitwarden_client_id_aws_secret_key)
                client_secret = await aws_client.get_secret(parameter.bitwarden_client_secret_aws_secret_key)
                master_password = await aws_client.get_secret(parameter.bitwarden_master_password_aws_secret_key)
            except Exception as e:
                LOG.error(f"Failed to get Bitwarden login credentials from AWS secrets. Error: {e}")
                raise e
            if self.has_parameter(parameter.url_parameter_key) and self.has_value(parameter.url_parameter_key):
                url = self.values[parameter.url_parameter_key]
            else:
                LOG.error(f"URL parameter {parameter.url_parameter_key} not found or has no value")
                raise ValueError(f"URL parameter for Bitwarden login credentials not found or has no value")
            try:
                secret_credentials = BitwardenService.get_secret_value_from_url(
                    client_id,
                    client_secret,
                    master_password,
                    url,
                )
                if secret_credentials:
                    random_secret_id = self.generate_random_secret_id()
                    # username secret
                    username_secret_id = f"{random_secret_id}_username"
                    self.secrets[username_secret_id] = secret_credentials["username"]
                    # password secret
                    password_secret_id = f"{random_secret_id}_password"
                    self.secrets[password_secret_id] = secret_credentials["password"]
                    self.values[parameter.key] = {
                        "username": username_secret_id,
                        "password": password_secret_id,
                    }
            except BitwardenBaseError as e:
                BitwardenService.logout()
                LOG.error(f"Failed to get secret from Bitwarden. Error: {e}")
                raise e
        elif parameter.parameter_type == ParameterType.CONTEXT:
            # ContextParameter values will be set within the blocks
            return
@ -133,6 +174,9 @@ class WorkflowRunContext:
        aws_client: AsyncAWSClient,
        parameters: list[PARAMETER_TYPE],
    ) -> None:
        # BitwardenLoginCredentialParameter should be processed last since it requires the URL parameter to be set
        parameters.sort(key=lambda x: x.parameter_type != ParameterType.BITWARDEN_LOGIN_CREDENTIAL)
        for parameter in parameters:
            if parameter.key in self.parameters:
                LOG.debug(f"Parameter {parameter.key} already registered, skipping")
--- a/skyvern/forge/sdk/workflow/models/block.py
+++ b/skyvern/forge/sdk/workflow/models/block.py
@ -275,7 +275,7 @@ class ForLoopBlock(Block):
        return context_parameters
    def get_loop_over_parameter_values(self, workflow_run_context: WorkflowRunContext) -> list[Any]:
-        if isinstance(self.loop_over, WorkflowParameter):
+        if isinstance(self.loop_over, WorkflowParameter) or isinstance(self.loop_over, OutputParameter):
            parameter_value = workflow_run_context.get_value(self.loop_over.key)
            if isinstance(parameter_value, list):
                return parameter_value
@ -284,7 +284,6 @@ class ForLoopBlock(Block):
                return [parameter_value]
        else:
            # TODO (kerem): Implement this for context parameters
            # TODO (kerem): Implement this for output parameters
            raise NotImplementedError
    async def execute(self, workflow_run_id: str, **kwargs: dict) -> OutputParameter | None:
--- a/skyvern/forge/sdk/workflow/models/parameter.py
+++ b/skyvern/forge/sdk/workflow/models/parameter.py
@ -11,6 +11,7 @@ class ParameterType(StrEnum):
    WORKFLOW = "workflow"
    CONTEXT = "context"
    AWS_SECRET = "aws_secret"
    BITWARDEN_LOGIN_CREDENTIAL = "bitwarden_login_credential"
    OUTPUT = "output"
@ -37,6 +38,23 @@ class AWSSecretParameter(Parameter):
    deleted_at: datetime | None = None
 class BitwardenLoginCredentialParameter(Parameter):
    parameter_type: Literal[ParameterType.BITWARDEN_LOGIN_CREDENTIAL] = ParameterType.BITWARDEN_LOGIN_CREDENTIAL
    # parameter fields
    bitwarden_login_credential_parameter_id: str
    workflow_id: str
    # bitwarden cli required fields
    bitwarden_client_id_aws_secret_key: str
    bitwarden_client_secret_aws_secret_key: str
    bitwarden_master_password_aws_secret_key: str
    # url to request the login credentials from bitwarden
    url_parameter_key: str
    created_at: datetime
    modified_at: datetime
    deleted_at: datetime | None = None
 class WorkflowParameterType(StrEnum):
    STRING = "string"
    INTEGER = "integer"
@ -92,5 +110,7 @@ class OutputParameter(Parameter):
    deleted_at: datetime | None = None
-ParameterSubclasses = Union[WorkflowParameter, ContextParameter, AWSSecretParameter, OutputParameter]
+ParameterSubclasses = Union[
    WorkflowParameter, ContextParameter, AWSSecretParameter, BitwardenLoginCredentialParameter, OutputParameter
 ]
 PARAMETER_TYPE = Annotated[ParameterSubclasses, Field(discriminator="parameter_type")]
--- a/skyvern/forge/sdk/workflow/models/yaml.py
+++ b/skyvern/forge/sdk/workflow/models/yaml.py
@ -22,6 +22,21 @@ class AWSSecretParameterYAML(ParameterYAML):
    aws_key: str
 class BitwardenLoginCredentialParameterYAML(ParameterYAML):
    # There is a mypy bug with Literal. Without the type: ignore, mypy will raise an error:
    # Parameter 1 of Literal[...] cannot be of type "Any"
    # This pattern already works in block.py but since the ParameterType is not defined in this file, mypy is not able
    # to infer the type of the parameter_type attribute.
    parameter_type: Literal[ParameterType.BITWARDEN_LOGIN_CREDENTIAL] = ParameterType.BITWARDEN_LOGIN_CREDENTIAL  # type: ignore
    # bitwarden cli required fields
    bitwarden_client_id_aws_secret_key: str
    bitwarden_client_secret_aws_secret_key: str
    bitwarden_master_password_aws_secret_key: str
    # parameter key for the url to request the login credentials from bitwarden
    url_parameter_key: str
 class WorkflowParameterYAML(ParameterYAML):
    # There is a mypy bug with Literal. Without the type: ignore, mypy will raise an error:
    # Parameter 1 of Literal[...] cannot be of type "Any"
@ -80,7 +95,7 @@ class ForLoopBlockYAML(BlockYAML):
    block_type: Literal[BlockType.FOR_LOOP] = BlockType.FOR_LOOP  # type: ignore
    loop_over_parameter_key: str
-    loop_block: BlockYAML
+    loop_block: "BLOCK_YAML_SUBCLASSES"
 class CodeBlockYAML(BlockYAML):
@ -135,7 +150,13 @@ class SendEmailBlockYAML(BlockYAML):
    file_attachments: list[str] | None = None
-PARAMETER_YAML_SUBCLASSES = AWSSecretParameterYAML | WorkflowParameterYAML | ContextParameterYAML | OutputParameterYAML
+PARAMETER_YAML_SUBCLASSES = (
    AWSSecretParameterYAML
    | BitwardenLoginCredentialParameterYAML
    | WorkflowParameterYAML
    | ContextParameterYAML
    | OutputParameterYAML
 )
 PARAMETER_YAML_TYPES = Annotated[PARAMETER_YAML_SUBCLASSES, Field(discriminator="parameter_type")]
 BLOCK_YAML_SUBCLASSES = (
--- a/skyvern/forge/sdk/workflow/service.py
+++ b/skyvern/forge/sdk/workflow/service.py
@ -351,6 +351,26 @@ class WorkflowService:
            workflow_id=workflow_id, aws_key=aws_key, key=key, description=description
        )
    async def create_bitwarden_login_credential_parameter(
        self,
        workflow_id: str,
        bitwarden_client_id_aws_secret_key: str,
        bitwarden_client_secret_aws_secret_key: str,
        bitwarden_master_password_aws_secret_key: str,
        url_parameter_key: str,
        key: str,
        description: str | None = None,
    ) -> Parameter:
        return await app.DATABASE.create_bitwarden_login_credential_parameter(
            workflow_id=workflow_id,
            bitwarden_client_id_aws_secret_key=bitwarden_client_id_aws_secret_key,
            bitwarden_client_secret_aws_secret_key=bitwarden_client_secret_aws_secret_key,
            bitwarden_master_password_aws_secret_key=bitwarden_master_password_aws_secret_key,
            url_parameter_key=url_parameter_key,
            key=key,
            description=description,
        )
    async def create_output_parameter(
        self, workflow_id: str, key: str, description: str | None = None
    ) -> OutputParameter:
@ -643,6 +663,16 @@ class WorkflowService:
                        key=parameter.key,
                        description=parameter.description,
                    )
                elif parameter.parameter_type == ParameterType.BITWARDEN_LOGIN_CREDENTIAL:
                    parameters[parameter.key] = await self.create_bitwarden_login_credential_parameter(
                        workflow_id=workflow.workflow_id,
                        bitwarden_client_id_aws_secret_key=parameter.bitwarden_client_id_aws_secret_key,
                        bitwarden_client_secret_aws_secret_key=parameter.bitwarden_client_secret_aws_secret_key,
                        bitwarden_master_password_aws_secret_key=parameter.bitwarden_master_password_aws_secret_key,
                        url_parameter_key=parameter.url_parameter_key,
                        key=parameter.key,
                        description=parameter.description,
                    )
                elif parameter.parameter_type == ParameterType.WORKFLOW:
                    parameters[parameter.key] = await self.create_workflow_parameter(
                        workflow_id=workflow.workflow_id,
@ -708,10 +738,12 @@ class WorkflowService:
                max_retries=block_yaml.max_retries,
            )
        elif block_yaml.block_type == BlockType.FOR_LOOP:
            loop_block = await WorkflowService.block_yaml_to_block(block_yaml.loop_block, parameters)
            loop_over_parameter = parameters[block_yaml.loop_over_parameter_key]
            return ForLoopBlock(
                label=block_yaml.label,
-                loop_over_parameter_key=parameters[block_yaml.loop_over_parameter_key],
+                loop_over=loop_over_parameter,
-                loop_block=WorkflowService.block_yaml_to_block(block_yaml.loop_block, parameters),
+                loop_block=loop_block,
                output_parameter=output_parameter,
            )
        elif block_yaml.block_type == BlockType.CODE: