fix(edge_configurations): correct ID resolution and detect file content changes (#115, #116)

Author: grulicht

docs/resources/edge_configurations.md

@@ -24,9 +24,13 @@ resource "portainer_edge_configurations" "example_edge_configuration" {
 
 ## ⚙️ Lifecycle & Behavior
 - **Create** uploads a configuration file and sets the name, type, and association to edge groups.
-- **Update** updates the configuration via `PUT /edge_configurations/{id}` (supports changing `type`, `edge_group_ids`, and `file_path`).
+- **Update** updates the configuration via `PUT /edge_configurations/{id}` (supports changing `type`, `edge_group_ids`, and `file_path`, and is also triggered when the contents of the file at `file_path` change — see `file_sha256` below).
 - **Delete** removes the configuration via `DELETE /edge_configurations/{id}`.
-- **Read** retrieves metadata and synchronizes state with Portainer using `GET /edge_configurations/{id}`.
+- **Read** retrieves metadata and synchronizes state with Portainer using `GET /edge_configurations/{id}`. The Portainer API does not return file content or any digest, so `file_sha256` is preserved from state and recomputed locally during plan.
+
+> 💡 **File content change detection:** During plan the provider reads `file_path` and computes its SHA256 into the `file_sha256` computed attribute. If the new hash differs from state, Terraform plans an in-place Update — even when `file_path` itself didn't change. This means rewriting the file in place (or `terraform apply` after the file's bytes change) will correctly re-upload it. `file_path` must be readable at plan time.
+
+> ⚠️ **Same-name limitation:** Portainer's `POST /edge_configurations` endpoint does not return the new configuration's ID. To resolve the ID after create, the provider snapshots existing edge configurations matching the requested `name` *before* the POST and picks the new entry that appears afterwards. If multiple entries appear (concurrent writers) the most recently created one is chosen. Because Portainer permits multiple edge configurations with the same `name`, **avoid creating Terraform-managed and out-of-band configurations with identical names** — if a same-name entry is created concurrently with `terraform apply`, the provider may bind to the wrong record. This will be fully resolved once Portainer returns the ID on POST.
 
 ---
 
@@ -45,6 +49,7 @@ resource "portainer_edge_configurations" "example_edge_configuration" {
 
 ## 📤 Attributes Reference
 
-| Name | Description                             |
-|------|-----------------------------------------|
-| `id` | The Edge Configuration ID assigned by Portainer |
+| Name           | Description                                                                 |
+|----------------|-----------------------------------------------------------------------------|
+| `id`           | The Edge Configuration ID assigned by Portainer                             |
+| `file_sha256`  | SHA256 hex digest of the uploaded file's contents, used to detect in-place file changes between plans |

internal/resource_edge_configurations.go

@@ -2,13 +2,17 @@ package internal
 
 import (
 	"bytes"
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"io"
 	"mime/multipart"
 	"net/http"
 	"os"
 	"path/filepath"
+	"sort"
 	"strconv"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -49,10 +53,11 @@ type EdgeConfiguration struct {
 
 func resourcePortainerEdgeConfigurations() *schema.Resource {
 	return &schema.Resource{
-		Create: resourcePortainerEdgeConfigurationsCreate,
-		Read:   resourcePortainerEdgeConfigurationsRead,
-		Update: resourcePortainerEdgeConfigurationsUpdate,
-		Delete: resourcePortainerEdgeConfigurationsDelete,
+		Create:        resourcePortainerEdgeConfigurationsCreate,
+		Read:          resourcePortainerEdgeConfigurationsRead,
+		Update:        resourcePortainerEdgeConfigurationsUpdate,
+		Delete:        resourcePortainerEdgeConfigurationsDelete,
+		CustomizeDiff: customizeDiffEdgeConfigurationFileHash,
 		Importer: &schema.ResourceImporter{
 			State: schema.ImportStatePassthrough,
 		},
@@ -63,6 +68,7 @@ func resourcePortainerEdgeConfigurations() *schema.Resource {
 			"base_dir":       {Type: schema.TypeString, Optional: true, Default: ""},
 			"edge_group_ids": {Type: schema.TypeList, Required: true, Elem: &schema.Schema{Type: schema.TypeInt}},
 			"file_path":      {Type: schema.TypeString, Required: true},
+			"file_sha256":    {Type: schema.TypeString, Computed: true},
 		},
 	}
 }
@@ -75,8 +81,126 @@ func convertToIntSlice(input []interface{}) []int {
 	return result
 }
 
+// sha256File returns the lowercase hex-encoded SHA256 of the file contents
+// at the given path. Used to detect changes to the underlying edge config
+// file when the file_path itself hasn't changed (issue #116) — the Portainer
+// API doesn't expose the uploaded file content or any digest, so we track
+// our locally computed hash in state.
+func sha256File(path string) (string, error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+	h := sha256.New()
+	if _, err := io.Copy(h, f); err != nil {
+		return "", err
+	}
+	return hex.EncodeToString(h.Sum(nil)), nil
+}
+
+// customizeDiffEdgeConfigurationFileHash hashes the file at file_path during
+// plan and writes it to file_sha256. If the new hash differs from the value
+// in state, Terraform sees a diff and triggers an in-place Update — even when
+// file_path didn't change (i.e. the file's contents were rewritten in place).
+func customizeDiffEdgeConfigurationFileHash(_ context.Context, d *schema.ResourceDiff, _ interface{}) error {
+	fp, _ := d.Get("file_path").(string)
+	if fp == "" {
+		return nil
+	}
+	hash, err := sha256File(fp)
+	if err != nil {
+		return fmt.Errorf("failed to hash file_path %q: %w", fp, err)
+	}
+	if d.Get("file_sha256").(string) == hash {
+		return nil
+	}
+	return d.SetNew("file_sha256", hash)
+}
+
+// listEdgeConfigurations fetches all edge configurations from Portainer.
+func listEdgeConfigurations(client *APIClient) ([]EdgeConfiguration, error) {
+	req, err := http.NewRequest("GET", fmt.Sprintf("%s/edge_configurations", client.Endpoint), nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to build list request: %w", err)
+	}
+	if client.APIKey != "" {
+		req.Header.Set("X-API-Key", client.APIKey)
+	} else if client.JWTToken != "" {
+		req.Header.Set("Authorization", "Bearer "+client.JWTToken)
+	}
+	resp, err := client.HTTPClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list edge configurations: %w", err)
+	}
+	defer resp.Body.Close()
+	var configs []EdgeConfiguration
+	if err := json.NewDecoder(resp.Body).Decode(&configs); err != nil {
+		return nil, fmt.Errorf("failed to decode edge configurations list: %w", err)
+	}
+	return configs, nil
+}
+
+// resolveCreatedEdgeConfigID disambiguates the just-created edge configuration
+// when the Portainer API returns an empty POST response. It diffs the post-create
+// listing against a pre-create snapshot of IDs sharing the same name; if no new
+// entry is found, it falls back to the most recently created matching config.
+//
+// Background: Portainer's POST /edge_configurations does not return the new ID
+// (https://github.com/portainer/terraform-provider-portainer/issues/115). Using
+// name alone causes the provider to bind to a pre-existing same-name config,
+// later mutating or deleting it. The snapshot-based diff fixes that for any
+// case where a same-name config already exists.
+func resolveCreatedEdgeConfigID(configs []EdgeConfiguration, name string, preExistingIDs map[int]struct{}) (EdgeConfiguration, error) {
+	var newMatches []EdgeConfiguration
+	var allMatches []EdgeConfiguration
+	for _, c := range configs {
+		if c.Name != name {
+			continue
+		}
+		allMatches = append(allMatches, c)
+		if _, existed := preExistingIDs[c.ID]; !existed {
+			newMatches = append(newMatches, c)
+		}
+	}
+
+	pickNewest := func(in []EdgeConfiguration) EdgeConfiguration {
+		sort.Slice(in, func(i, j int) bool { return in[i].Created > in[j].Created })
+		return in[0]
+	}
+
+	switch {
+	case len(newMatches) >= 1:
+		// Exactly the entry POST just produced; if a concurrent caller raced
+		// us, prefer the most recently created one.
+		return pickNewest(newMatches), nil
+	case len(allMatches) >= 1:
+		// Server returned no new entry (replication lag, server quirk). Best
+		// effort: pick the most recently created matching name.
+		return pickNewest(allMatches), nil
+	default:
+		return EdgeConfiguration{}, fmt.Errorf("edge configuration created but could not determine its ID")
+	}
+}
+
 func resourcePortainerEdgeConfigurationsCreate(d *schema.ResourceData, meta interface{}) error {
 	client := meta.(*APIClient)
+	name := d.Get("name").(string)
+
+	// Snapshot existing edge configuration IDs sharing the requested name.
+	// Portainer's POST does not return the new ID, so after the create we
+	// diff the listing against this snapshot to identify the new entry. This
+	// is what prevents adopting a pre-existing same-name config (issue #115).
+	preCreate, err := listEdgeConfigurations(client)
+	if err != nil {
+		return err
+	}
+	preExistingIDs := make(map[int]struct{})
+	for _, c := range preCreate {
+		if c.Name == name {
+			preExistingIDs[c.ID] = struct{}{}
+		}
+	}
 
 	filePath := d.Get("file_path").(string)
 	file, err := os.Open(filePath)
@@ -89,7 +213,7 @@ func resourcePortainerEdgeConfigurationsCreate(d *schema.ResourceData, meta inte
 	writer := multipart.NewWriter(body)
 
 	payload := map[string]interface{}{
-		"name":         d.Get("name").(string),
+		"name":         name,
 		"type":         d.Get("type").(string),
 		"category":     d.Get("category").(string),
 		"baseDir":      d.Get("base_dir").(string),
@@ -147,38 +271,26 @@ func resourcePortainerEdgeConfigurationsCreate(d *schema.ResourceData, meta inte
 	}
 
 	if created.ID == 0 {
-		// API returned empty body — find the created config by name
-		name := d.Get("name").(string)
-		listReq, err := http.NewRequest("GET", fmt.Sprintf("%s/edge_configurations", client.Endpoint), nil)
+		postCreate, err := listEdgeConfigurations(client)
 		if err != nil {
-			return fmt.Errorf("failed to build list request: %w", err)
+			return err
 		}
-		if client.APIKey != "" {
-			listReq.Header.Set("X-API-Key", client.APIKey)
-		} else if client.JWTToken != "" {
-			listReq.Header.Set("Authorization", "Bearer "+client.JWTToken)
-		}
-		listResp, err := client.HTTPClient.Do(listReq)
+		created, err = resolveCreatedEdgeConfigID(postCreate, name, preExistingIDs)
 		if err != nil {
-			return fmt.Errorf("failed to list edge configurations: %w", err)
-		}
-		defer listResp.Body.Close()
-		var configs []EdgeConfiguration
-		if err := json.NewDecoder(listResp.Body).Decode(&configs); err != nil {
-			return fmt.Errorf("failed to decode edge configurations list: %w", err)
-		}
-		for _, c := range configs {
-			if c.Name == name {
-				created = c
-				break
-			}
-		}
-		if created.ID == 0 {
-			return fmt.Errorf("edge configuration created but could not determine its ID")
+			return err
 		}
 	}
 
 	d.SetId(strconv.Itoa(created.ID))
+
+	// Persist the file's SHA256 in state so future plans can detect content
+	// changes even when file_path is unchanged (issue #116). CustomizeDiff
+	// already computed this for the diff, but we re-compute here so the value
+	// stored matches the bytes we actually uploaded.
+	if hash, err := sha256File(filePath); err == nil {
+		d.Set("file_sha256", hash)
+	}
+
 	return nil
 }
 
@@ -238,6 +350,10 @@ func resourcePortainerEdgeConfigurationsUpdate(d *schema.ResourceData, meta inte
 		return fmt.Errorf("failed to update edge configuration: %s", string(respBody))
 	}
 
+	if hash, err := sha256File(filePath); err == nil {
+		d.Set("file_sha256", hash)
+	}
+
 	return resourcePortainerEdgeConfigurationsRead(d, meta)
 }