Apply Type

This document describes the design of the apply resource type for composing manifests from smaller reusable manifests.

Overview

The apply resource resolves and executes a child manifest within the parent manifest’s execution context. The child manifest shares the parent’s manager and session, allowing resource ordering and subscribe relationships across manifest boundaries.

Key behaviors:

Noop strengthening: A parent in noop mode forces all children into noop mode, regardless of the child’s noop property
Health check strengthening: Same semantics as noop; health check mode can only be strengthened, never weakened
Recursion depth limiting: Nested apply resources are capped at a configurable maximum depth (default 10) to prevent infinite loops
Transitive trust control: The allow_apply property prevents a child manifest from containing its own apply resources

Provider Interface

Apply providers must implement the ApplyProvider interface:

type ApplyProvider interface {
    model.Provider

    ApplyManifest(ctx context.Context, mgr model.Manager, properties *model.ApplyResourceProperties, currentDepth int, healthCheckOnly bool, log model.Logger) (*model.ApplyState, error)
}

Method Responsibilities

Method	Responsibility
`ApplyManifest`	Resolve and execute a child manifest, handling state save/restore and overrides

State Response

The ApplyManifest method returns an ApplyState containing:

type ApplyState struct {
    CommonResourceState
    ResourceCount int // Number of resources in the child manifest
}

Available Providers

Provider	Source	Documentation
`ccmmanifest`	Local manifest file	CCM Manifest

Ensure States

Value	Description
`present`	Resolve and execute the child manifest

Only present is valid. The ensure property defaults to present if not specified.

Properties

Property	Type	Description
`name`	string	File path to the child manifest
`noop`	bool	Execute child in noop mode (can only strengthen)
`health_check_only`	bool	Execute child in health check mode (can only strengthen)
`allow_apply`	bool	Allow the child manifest to contain apply resources (default `true`)
`data`	map[string]any	Data to pass to the child manifest, merged with external data

Apply Logic

┌─────────────────────────────────────────┐
│ Save parent state (noop, data, wd)      │
│ (restored via defer on all paths)       │
└─────────────────┬───────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────┐
│ Strengthen noop and health_check_only   │
└─────────────────┬───────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────┐
│ Resolve child manifest                  │
│ (applies data overrides, sets wd)       │
└─────────────────┬───────────────────────┘
                  │
                  ▼
    ┌─────────────┴─────────────┐
    │ Recursion depth within    │
    │ limit?                    │
    └─────────────┬─────────────┘
              Yes │         No
                  │         │
                  ▼         ▼
    ┌─────────────┴───┐ ┌───────┐
    │ allow_apply     │ │ Error │
    │ satisfied?      │ └───────┘
    └─────────────┬───┘
              Yes │         No
                  │         │
                  ▼         ▼
    ┌─────────────┴───┐ ┌───────┐
    │ Execute child   │ │ Error │
    │ resources       │ └───────┘
    └─────────┬───────┘
              │
              ▼
┌─────────────────────────────────────────┐
│ Report resource count, changed, failed  │
└─────────────────────────────────────────┘

Noop Strengthening

Noop mode follows a strict strengthening rule: a child manifest can run in noop mode when the parent does not, but a child can never weaken noop mode.

Parent noop	Child `noop` property	Effective child noop	Behavior
`true`	`false`	`true`	Warning logged, parent noop applies
`true`	`true`	`true`	Both agree
`false`	`true`	`true`	Child strengthens to noop
`false`	`false`	`false`	Normal execution

Health check mode follows the same strengthening pattern.

State Save and Restore

The provider saves three pieces of manager state before manifest resolution and restores them after execution:

State	Save method	Restore method	Reason
Noop mode	`NoopMode()`	`SetNoopMode(saved)`	Child noop must not leak to subsequent resources
Working directory	`WorkingDirectory()`	`SetWorkingDirectory(wd)`	`ResolveManifestUrl` changes working directory
Data	`Data()`	`SetData(saved)`	Child data overrides must not persist

State is saved before calling any resolve functions because ResolveManifestUrl mutates the manager’s working directory and data during resolution.

Recursion Depth Limiting

Nested apply resources increment a depth counter passed through Execute() options. The default maximum depth is 10.

parent.yaml (depth 0)
  +-- child.yaml (depth 1)
        +-- grandchild.yaml (depth 2)
              +-- ... (up to depth 10)

Exceeding the maximum depth returns an error before iterating any child resources.

Transitive Trust

The allow_apply property controls whether a child manifest may contain its own apply resources. When allow_apply is false, the child manifest is scanned for apply resources after resolution but before execution. If any are found, an error is returned.

This provides a mechanism to limit the trust boundary when including manifests authored by others.

`allow_apply` value	Child contains apply resources	Result
`true` (default)	Yes	Allowed
`true` (default)	No	Allowed
`false`	Yes	Error
`false`	No	Allowed

Data Handling

The data property provides key-value data to the child manifest. This data is passed through the WithOverridingResolvedData option and merged into the resolved data after the child manifest’s own data resolution.

External data (CLI overrides) always persists through the merge. The parent’s original data is restored after child execution via the state save/restore mechanism.

Apply resources support the standard subscribe property. Subscribe targets use the apply#name format:

- apply:
    - child.yaml:

- exec:
    - post-apply:
        command: /usr/local/bin/notify.sh
        refresh_only: true
        subscribe:
          - apply#child.yaml

Child Manifest Failures

After child manifest execution, the provider inspects the result to determine the outcome:

Child result	Parent behavior
All resources succeeded	Log success, report unchanged
Some resources changed	Log warning, report changed
Any resource failed	Return error with failure count