Add stateful app preflight resource

Add a stateful phala_app_preflight resource and matching data source support so preflight compose hashes can be stored in Terraform state without destroy-time refresh side effects.

Author: h4x3rotab

docs/data-sources/app_preflight.md

@@ -0,0 +1,58 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "phala_app_preflight Data Source - phala"
+subcategory: ""
+description: |-
+  Runs Phala Cloud app provision/preflight and returns the compose hash without committing a CVM deployment.
+---
+
+# phala_app_preflight (Data Source)
+
+Runs Phala Cloud app provision/preflight and returns the compose hash without committing a CVM deployment.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `docker_compose` (String) Docker Compose YAML content.
+- `name` (String) App/CVM name included in the app compose.
+- `size` (String) Instance type (e.g. tdx.small).
+
+### Optional
+
+- `custom_app_id` (String) Optional custom app_id for deterministic identity flow.
+- `disk_size` (Number) Disk size in GB.
+- `env` (Map of String, Sensitive) Plaintext env vars. Only keys enter the app compose allowed_envs list.
+- `env_keys` (List of String) Allowed environment variable keys used when env values are not provided.
+- `gateway_enabled` (Boolean) Enable public gateway routing.
+- `image` (String) OS image name.
+- `kms` (String) KMS type for app provisioning. Defaults to phala when omitted.
+- `listed` (Boolean) Whether the resource should be publicly listed. Defaults to false when omitted.
+- `node_id` (Number) Optional target node (teepod) ID for placement.
+- `nonce` (Number) Optional nonce paired with custom_app_id for PHALA KMS deterministic app_id flow.
+- `pre_launch_script` (String) Optional pre-launch script content.
+- `public_logs` (Boolean) Expose container logs publicly.
+- `public_sysinfo` (Boolean) Expose system info publicly.
+- `public_tcbinfo` (Boolean) Expose TCB attestation info publicly.
+- `region` (String) Preferred region identifier.
+- `secure_time` (Boolean) Enable secure time mode.
+- `ssh_authorized_keys` (List of String) Per-deployment SSH public keys injected at launch via user_config.
+- `storage_fs` (String) Storage filesystem for deployment (`zfs` or `ext4`).
+
+### Read-Only
+
+- `app_env_encrypt_pubkey` (String) Public key used for app environment encryption.
+- `app_id` (String) Preflight app identifier returned by Phala Cloud.
+- `compose_hash` (String) SHA-256 hash of the normalized app compose file returned by Phala Cloud preflight.
+- `device_id` (String)
+- `fmspc` (String)
+- `id` (String) Stable data source ID (same as compose_hash).
+- `instance_type` (String)
+- `kms_id` (String)
+- `kms_info_json` (String) Raw KMS info object as JSON.
+- `matched_node_id` (Number) Matched teepod/node ID returned by preflight, when present.
+- `os_image_hash` (String)
+- `raw_json` (String) Full provision response as JSON.

docs/resources/app_preflight.md

@@ -0,0 +1,58 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "phala_app_preflight Resource - phala"
+subcategory: ""
+description: |-
+  Runs Phala Cloud app provision/preflight and stores the resulting compose hash as Terraform state. No remote object is created.
+---
+
+# phala_app_preflight (Resource)
+
+Runs Phala Cloud app provision/preflight and stores the resulting compose hash as Terraform state. No remote object is created.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `docker_compose` (String) Docker Compose YAML content.
+- `name` (String) App/CVM name included in the app compose.
+- `size` (String) Instance type (e.g. tdx.small).
+
+### Optional
+
+- `custom_app_id` (String) Optional custom app_id for deterministic identity flow.
+- `disk_size` (Number) Disk size in GB.
+- `env` (Map of String, Sensitive) Plaintext env vars. Only keys enter the app compose allowed_envs list.
+- `env_keys` (List of String) Allowed environment variable keys used when env values are not provided.
+- `gateway_enabled` (Boolean) Enable public gateway routing.
+- `image` (String) OS image name.
+- `kms` (String) KMS type for app provisioning. Defaults to phala when omitted.
+- `listed` (Boolean) Whether the resource should be publicly listed. Defaults to false when omitted.
+- `node_id` (Number) Optional target node (teepod) ID for placement.
+- `nonce` (Number) Optional nonce paired with custom_app_id for PHALA KMS deterministic app_id flow.
+- `pre_launch_script` (String) Optional pre-launch script content.
+- `public_logs` (Boolean) Expose container logs publicly.
+- `public_sysinfo` (Boolean) Expose system info publicly.
+- `public_tcbinfo` (Boolean) Expose TCB attestation info publicly.
+- `region` (String) Preferred region identifier.
+- `secure_time` (Boolean) Enable secure time mode.
+- `ssh_authorized_keys` (List of String) Per-deployment SSH public keys injected at launch via user_config.
+- `storage_fs` (String) Storage filesystem for deployment (`zfs` or `ext4`).
+
+### Read-Only
+
+- `app_env_encrypt_pubkey` (String) Public key used for app environment encryption.
+- `app_id` (String) Preflight app identifier returned by Phala Cloud.
+- `compose_hash` (String) SHA-256 hash of the normalized app compose file returned by Phala Cloud preflight.
+- `device_id` (String)
+- `fmspc` (String)
+- `id` (String) Stable resource ID (same as compose_hash).
+- `instance_type` (String)
+- `kms_id` (String)
+- `kms_info_json` (String) Raw KMS info object as JSON.
+- `matched_node_id` (Number) Matched teepod/node ID returned by preflight, when present.
+- `os_image_hash` (String)
+- `raw_json` (String) Full provision response as JSON.

internal/provider/client.go

@@ -131,8 +131,7 @@ func (c *APIClient) requestWithRetry(
 
 		apiErr, ok := err.(*APIError)
 		if !ok ||
-			!isRetryableStatus(apiErr.StatusCode) ||
-			!shouldRetryWrite(method, path) ||
+			!shouldRetryAPIError(method, path, apiErr) ||
 			attempt == maxWriteRetries {
 			return err
 		}
@@ -177,6 +176,32 @@ func shouldRetryWrite(method, path string) bool {
 	}
 }
 
+func shouldRetryAPIError(method, path string, apiErr *APIError) bool {
+	if apiErr == nil || !shouldRetryWrite(method, path) {
+		return false
+	}
+	if isRetryableStatus(apiErr.StatusCode) {
+		return true
+	}
+	return isRetryableProvisionCompatibilityError(method, path, apiErr)
+}
+
+func isRetryableProvisionCompatibilityError(method, path string, apiErr *APIError) bool {
+	if method != http.MethodPost || apiErr == nil || apiErr.StatusCode != http.StatusBadRequest {
+		return false
+	}
+
+	normalizedPath := normalizePath(path)
+	if normalizedPath != "/cvms/provision" {
+		if _, ok := extractCVMID(normalizedPath, "/compose_file/provision"); !ok {
+			return false
+		}
+	}
+
+	message := strings.ToLower(apiErr.Message + " " + apiErr.Body)
+	return strings.Contains(message, "configuration parameters are not compatible")
+}
+
 func isRetryableStatus(status int) bool {
 	switch status {
 	case http.StatusConflict, http.StatusTooManyRequests, http.StatusServiceUnavailable:

internal/provider/client_contract_test.go

@@ -480,3 +480,33 @@ func TestAPIClientContract_RetriesOnlyReplaySafeWrites(t *testing.T) {
 		t.Fatalf("unexpected retry count for PATCH: got %d want 2", got)
 	}
 }
+
+func TestShouldRetryAPIError_ProvisionCompatibilityBadRequest(t *testing.T) {
+	err := &APIError{
+		StatusCode: http.StatusBadRequest,
+		Status:     "400 Bad Request",
+		Message:    "The configuration parameters are not compatible with each other",
+	}
+
+	if !shouldRetryAPIError(http.MethodPost, "/cvms/provision", err) {
+		t.Fatal("expected transient provision compatibility 400 to be retryable")
+	}
+	if !shouldRetryAPIError(http.MethodPost, "/cvms/cvm123/compose_file/provision", err) {
+		t.Fatal("expected transient compose-file provision compatibility 400 to be retryable")
+	}
+}
+
+func TestShouldRetryAPIError_DoesNotRetryGenericBadRequest(t *testing.T) {
+	err := &APIError{
+		StatusCode: http.StatusBadRequest,
+		Status:     "400 Bad Request",
+		Message:    "name is required",
+	}
+
+	if shouldRetryAPIError(http.MethodPost, "/cvms/provision", err) {
+		t.Fatal("expected generic provision 400 not to be retryable")
+	}
+	if shouldRetryAPIError(http.MethodPost, "/user/ssh-keys", err) {
+		t.Fatal("expected non-replay-safe create POST not to be retryable")
+	}
+}