feat: improve OAuth secret handling and support k8s agent environments

Author: grulicht

docs/resources/environment.md

@@ -97,7 +97,7 @@ resource "meu_portainer_environment" "docker_tls" {
 | `name`                   | string                        | ✅ yes                       | Display name of the environment in Portainer.                                                                           |
 | `environment_address`    | string                        | ✅ yes                       | Target environment address (e.g. `tcp://host:9001`).                                                                    |
 | `public_ip`              | string                        | 🚫 optional                  | Public URL/IP shown in Portainer UI (maps to `PublicURL` field). Useful for correct Published Ports rendering.          |
-| `type`                   | int                           | ✅ yes                       | Environment type: `1` = Docker, `2` = Agent, `3` = Azure, `4` = Edge Agent, `5` = Kubernetes.                           |
+| `type`                   | int                           | ✅ yes                       | Environment type: `1` = Docker, `2` = Agent, `3` = Azure, `4` = Edge Agent, `5` = Kubernetes, `6` = Kubernetes via Agent |
 | `group_id`               | int                           | 🚫 optional (default `1`)    | ID of the Portainer endpoint group. Default is `1` (Unassigned).                                                        |
 | `tag_ids`                | list(int)                     | 🚫 optional                  | List of Portainer tag IDs to assign to the environment. Only used during creation.                                      |
 | `tls_enabled`            | bool                          | 🚫 optional (default `true`) | Enable TLS for connection to the agent. Must be `true` for agent-based environments.                                    |

internal/resource_environment.go

@@ -38,11 +38,11 @@ func resourceEnvironment() *schema.Resource {
 			"type": {
 				Type:        schema.TypeInt,
 				Required:    true,
-				Description: "Environment type: 1 = Docker, 2 = Agent, 3 = Azure, 4 = Edge Agent, 5 = Kubernetes",
+				Description: "Environment type: 1 = Docker, 2 = Agent, 3 = Azure, 4 = Edge Agent, 5 = Kubernetes, 6 = Kubernetes via agent",
 				ValidateFunc: func(val interface{}, key string) (warns []string, errs []error) {
 					t := val.(int)
-					if t < 1 || t > 5 {
-						errs = append(errs, fmt.Errorf("%q must be between 1 and 5", key))
+					if t < 1 || t > 6 {
+						errs = append(errs, fmt.Errorf("%q must be between 1 and 6", key))
 					}
 					return
 				},
@@ -123,9 +123,15 @@ func resourceEnvironmentCreate(d *schema.ResourceData, meta interface{}) error {
 	var requestBody bytes.Buffer
 	writer := multipart.NewWriter(&requestBody)
 
+	envType := d.Get("type").(int)
+	endpointCreationType := envType
+	if envType == 6 {
+		endpointCreationType = 2
+	}
+
+	_ = writer.WriteField("EndpointCreationType", strconv.Itoa(endpointCreationType))
 	_ = writer.WriteField("Name", d.Get("name").(string))
 	_ = writer.WriteField("URL", d.Get("environment_address").(string))
-	_ = writer.WriteField("EndpointCreationType", strconv.Itoa(d.Get("type").(int)))
 	_ = writer.WriteField("GroupID", strconv.Itoa(d.Get("group_id").(int)))
 	_ = writer.WriteField("TLS", strconv.FormatBool(d.Get("tls_enabled").(bool)))
 	_ = writer.WriteField("TLSSkipVerify", strconv.FormatBool(d.Get("tls_skip_verify").(bool)))

internal/resource_settings.go

@@ -203,9 +203,9 @@ func resourceSettings() *schema.Resource {
 							Optional:  true,
 							Computed:  true,
 							Sensitive: true,
-							DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
-								return old == "" || new == ""
-							},
+							//	DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
+							//		return old == "" || new == ""
+							//	},
 						},
 						"default_team_id":         {Type: schema.TypeInt, Optional: true, Computed: true},
 						"logout_uri":              {Type: schema.TypeString, Optional: true, Computed: true},
@@ -238,9 +238,9 @@ func resourceSettings() *schema.Resource {
 							Optional:  true,
 							Computed:  true,
 							Sensitive: true,
-							DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
-								return old == "" || new == ""
-							},
+							//	DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
+							//		return old == "" || new == ""
+							//	},
 						},
 						"reader_dn": {Type: schema.TypeString, Optional: true, Computed: true},
 						"start_tls": {Type: schema.TypeBool, Optional: true, Computed: true},
@@ -561,11 +561,13 @@ func resourceSettingsRead(d *schema.ResourceData, meta interface{}) error {
 			"kube_secret_key":         result.OAuthSettings.KubeSecretKey,
 		}
 
-		if currentOAuth, ok := d.GetOk("oauth_settings"); ok {
-			if items := currentOAuth.([]interface{}); len(items) > 0 {
-				if current := items[0].(map[string]interface{}); current != nil {
-					if secret := current["client_secret"]; secret != "" {
-						oauth["client_secret"] = secret
+		if currentOAuthRaw, ok := d.GetOk("oauth_settings"); ok {
+			if list, ok := currentOAuthRaw.([]interface{}); ok && len(list) > 0 && list[0] != nil {
+				if currentMap, ok := list[0].(map[string]interface{}); ok {
+					if secretRaw, ok := currentMap["client_secret"]; ok {
+						if secretStr, ok := secretRaw.(string); ok && secretStr != "" {
+							oauth["client_secret"] = secretStr
+						}
 					}
 				}
 			}