cpl 2.0.2 → 2.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 87e32bc116e1b72a8282d38542a4ff8ba39240b4038e5cd5ad61bb7fda27a492
-  data.tar.gz: 496bc3b6fc6c49f6865a430c91d12e98400c6af3e9eb97cac24090b575365918
+  metadata.gz: 27661f3a2e2aff2f7018e2cb0e77835ee4de88a8ee0268ec549cafa9d02dfbaa
+  data.tar.gz: 001a114b051c3501b5449eb6d3e4c9f7dea3fa608c6e4595e2129c3bcad8f855
 SHA512:
-  metadata.gz: 6ac8eec9af37340bb5c2ac4b635daf6ab1b60c77893ecd412224879ae700c1569b0ac76675f520b245f4021d1d7476aafb95d5d067b4e5efaabedee1a8068176
-  data.tar.gz: 9d67284e4db41824b6492dd9a9aa6db37ea49261ac965dadc6efad5e0d4a4f9cc1aa383aac3964bd16ee5b879a76ee63dafa5f895a0e451a033bf35efce591b3
+  metadata.gz: 38dfd9ca9aa2d28dc7df577677e5732f37740448beb857269ff156da7a8ff2f8627872c958b63e9d1d308ce091df1376e44c09aff96bc82f128edb887e1aba94
+  data.tar.gz: 14c73bf485166dd5be51ff276b6cef8aa3152bb0482fd92b6752e47575cd43ab0bd620ba1c49de619863cff955b628477eb32188a8f76393423c50b1a81e5b07

data/.gitignore

@@ -15,3 +15,4 @@
 .rspec_status
 
 /spec.log
+/spec/dummy/.controlplane/controlplane*-tmp-*.yml

data/CHANGELOG.md

@@ -14,6 +14,42 @@ Changes since the last non-beta release.
 
 _Please add entries here for your pull requests that have not yet been released._
 
+### Fixed
+
+- Fixed issue where `ps:wait` command hangs forever if workloads are suspended. [PR 198](https://github.com/shakacode/control-plane-flow/pull/198) by [Rafael Gomes](https://github.com/rafaelgomesxyz).
+
+### Added
+
+- Added a timeout for `run` jobs (6 hours by default, but configurable through `runner_job_timeout` in `controlplane.yml`). [PR 194](https://github.com/shakacode/control-plane-flow/pull/194) by [Rafael Gomes](https://github.com/rafaelgomesxyz).
+
+### Changed
+
+- `run` command now overrides the `--image`, `--cpu`, and `--memory` for each job separately, which completely removes any race conditions when running simultaneous jobs with different overrides. [PR 182](https://github.com/shakacode/control-plane-flow/pull/182) by [Rafael Gomes](https://github.com/rafaelgomesxyz).
+- `run` jobs now use a CPU size of 1 (1 core) and a memory size of 2Gi (2 gibibytes) by default (configurable through `runner_job_default_cpu` and `runner_job_default_memory` in `controlplane.yml`). [PR 182](https://github.com/shakacode/control-plane-flow/pull/182) by [Rafael Gomes](https://github.com/rafaelgomesxyz).
+- `run` command now keeps ENV values synced between original and runner workloads. [PR 196](https://github.com/shakacode/control-plane-flow/pull/196) by [Rafael Gomes](https://github.com/rafaelgomesxyz).
+
+## [2.1.0] - 2024-05-27
+
+### Fixed
+
+- Fixed issue where release script was not running from the app image. [PR 183](https://github.com/shakacode/control-plane-flow/pull/183) by [Rafael Gomes](https://github.com/rafaelgomesxyz).
+- Fixed issue where deprecated options were not being warned. [PR 183](https://github.com/shakacode/control-plane-flow/pull/183) by [Rafael Gomes](https://github.com/rafaelgomesxyz).
+
+### Added
+
+- Added post-creation hook to `setup-app` command (configurable through `hooks.post_creation` in `controlplane.yml`). [PR 183](https://github.com/shakacode/control-plane-flow/pull/183) by [Rafael Gomes](https://github.com/rafaelgomesxyz).
+- Added pre-deletion hook to `delete` command (configurable through `hooks.pre_deletion` in `controlplane.yml`). [PR 183](https://github.com/shakacode/control-plane-flow/pull/183) by [Rafael Gomes](https://github.com/rafaelgomesxyz).
+- Added `doctor` command to run validations. [PR 185](https://github.com/shakacode/control-plane-flow/pull/185) by [Rafael Gomes](https://github.com/rafaelgomesxyz).
+
+### Changed
+
+- `cpl` now sets `CPLN_SKIP_UPDATE_CHECK` to `true` for all internal `cpln` calls, which disables the version check and prevents cluttering the logs. [PR 180](https://github.com/shakacode/control-plane-flow/pull/180) by [Rafael Gomes](https://github.com/rafaelgomesxyz).
+- `setup-app` command now automatically creates a secret, policy, and identity for the app if they do not exist. The `--skip-secrets-setup` option prevents this behavior. [PR 181](https://github.com/shakacode/control-plane-flow/pull/181) by [Rafael Gomes](https://github.com/rafaelgomesxyz). [PR 190](https://github.com/shakacode/control-plane-flow/pull/190) by [Rafael Gomes](https://github.com/rafaelgomesxyz).
+- Specific validations are now run before commands, and the command will exit with a non-zero code if any validation fails. Can be disabled by setting `DISABLE_VALIDATIONS` env var to `true`. [PR 185](https://github.com/shakacode/control-plane-flow/pull/185) by [Rafael Gomes](https://github.com/rafaelgomesxyz).
+- Deprecated the `--skip-secret-access-binding` option in favor of `--skip-secrets-setup`. This can also now be configured through `skip_secrets_setup` in `controlplane.yml` [PR 190](https://github.com/shakacode/control-plane-flow/pull/190) by [Rafael Gomes](https://github.com/rafaelgomesxyz).
+
+## [2.0.2] - 2024-05-17
+
 - Fixed issue with improper handling of job statuses. Fixed issue with interactive magic string showing and exit code. [PR 177](https://github.com/shakacode/control-plane-flow/pull/177) by [Sergey Tarasov](https://github.com/dzirtusss).
 
 ## [2.0.1] - 2024-05-15
@@ -194,7 +230,9 @@ _Please add entries here for your pull requests that have not yet been released.
 
 - Initial release
 
-[Unreleased]: https://github.com/shakacode/control-plane-flow/compare/v2.0.1...HEAD
+[Unreleased]: https://github.com/shakacode/control-plane-flow/compare/v2.1.0...HEAD
+[2.1.0]: https://github.com/shakacode/control-plane-flow/compare/v2.0.2...v2.1.0
+[2.0.2]: https://github.com/shakacode/control-plane-flow/compare/v2.0.1...v2.0.2
 [2.0.1]: https://github.com/shakacode/control-plane-flow/compare/v2.0.0...v2.0.1
 [2.0.0]: https://github.com/shakacode/control-plane-flow/compare/v1.4.0...v2.0.0
 [1.4.0]: https://github.com/shakacode/control-plane-flow/compare/v1.3.0...v1.4.0

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    cpl (2.0.2)
+    cpl (2.2.0)
       debug (~> 1.7.1)
       dotenv (~> 2.8.1)
       jwt (~> 2.8.1)
@@ -49,10 +49,10 @@ GEM
     racc (1.7.3)
     rainbow (3.1.1)
     rake (13.2.1)
-    rdoc (6.6.3.1)
+    rdoc (6.7.0)
       psych (>= 4.0.0)
     regexp_parser (2.9.0)
-    reline (0.5.7)
+    reline (0.5.8)
       io-console (~> 0.5)
     rexml (3.2.6)
     rspec (3.12.0)

data/README.md

@@ -196,9 +196,6 @@ aliases:
     # 2. Each file can contain many objects, such as in the case of templates that create a resource, like `postgres`.
     # 3. While the naming often corresponds to a workload or other object name, the naming is arbitrary. 
     #    Naming does not need to match anything other than the file name without the `.yml` extension.
-    #
-    # If you're going to use secrets, you need to apply the `secrets.yml` template separately (one-time setup):
-    # `cpl apply-template secrets -a my-app`
     setup_app_templates:
       - app
       - redis
@@ -207,6 +204,9 @@ aliases:
       - rails
       - sidekiq
 
+    # Skips secrets setup when running `cpl setup-app`.
+    skip_secrets_setup: true
+
     # Only needed if using a custom secrets name.
     # The default is '{APP_PREFIX}-secrets'. For example:
     # - for an app 'my-app-staging' with `match_if_app_name_starts_with` set to `false`,
@@ -249,6 +249,18 @@ aliases:
     # when running `cpl run`.
     fix_terminal_size: true
 
+    # Sets a default CPU size for `cpl run` jobs (can be overridden per job through `--cpu`).
+    # If not specified, defaults to "1" (1 core).
+    runner_job_default_cpu: "2"
+
+    # Sets a default memory size for `cpl run` jobs (can be overridden per job through `--memory`).
+    # If not specified, defaults to "2Gi" (2 gibibytes).
+    runner_job_default_memory: "4Gi"
+
+    # Sets the maximum number of seconds that `cpl run` jobs can execute before being stopped.
+    # If not specified, defaults to 21600 (6 hours).
+    runner_job_timeout: 1000
+
     # Apps with a deployed image created before this amount of days will be listed for deletion
     # when running the command `cpl cleanup-stale-apps`.
     stale_app_image_deployed_days: 5
@@ -273,6 +285,15 @@ apps:
     # e.g., "my-app-review-pr123", "my-app-review-anything-goes", etc.
     match_if_app_name_starts_with: true
 
+    # Hooks can be either a script path that exists in the app image or a command.
+    # They're run in the context of `cpl run` with the latest image.
+    hooks:
+      # Used by the command `cpl setup-app` to run a hook after creating the app.
+      post_creation: bundle exec rake db:prepare
+
+      # Used by the command `cpl delete` to run a hook before deleting the app.
+      pre_deletion: bundle exec rake db:drop
+
   my-app-production:
     <<: *common
 

data/docs/commands.md

@@ -109,6 +109,9 @@ cpl copy-image-from-upstream -a $APP_NAME --upstream-token $UPSTREAM_TOKEN --ima
 - Deletes the whole app (GVC with all workloads, all volumesets and all images) or a specific workload
 - Also unbinds the app from the secrets policy, as long as both the identity and the policy exist (and are bound)
 - Will ask for explicit user confirmation
+- Runs a pre-deletion hook before the app is deleted if `hooks.pre_deletion` is specified in the `.controlplane/controlplane.yml` file
+- If the hook exits with a non-zero code, the command will stop executing and also exit with a non-zero code
+- Use `--skip-pre-deletion-hook` to skip the hook if specified in `controlplane.yml`
 
 ```sh
 # Deletes the whole app (GVC with all workloads, all volumesets and all images).
@@ -121,14 +124,29 @@ cpl delete -a $APP_NAME -w $WORKLOAD_NAME
 ### `deploy-image`
 
 - Deploys the latest image to app workloads
-- Optionally runs a release script before deploying if specified through `release_script` in the `.controlplane/controlplane.yml` file and `--run-release-phase` is provided
+- Runs a release script before deploying if `release_script` is specified in the `.controlplane/controlplane.yml` file and `--run-release-phase` is provided
 - The release script is run in the context of `cpl run` with the latest image
-- The deploy will fail if the release script exits with a non-zero code or doesn't exist
+- If the release script exits with a non-zero code, the command will stop executing and also exit with a non-zero code
 
 ```sh
 cpl deploy-image -a $APP_NAME
 ```
 
+### `doctor`
+
+- Runs validations
+
+```sh
+# Runs all validations that don't require additional options by default.
+cpl doctor
+
+# Runs config validation.
+cpl doctor --validations config
+
+# Runs templates validation (requires app).
+cpl doctor --validations templates -a $APP_NAME
+```
+
 ### `env`
 
 - Displays app-specific environment variables
@@ -276,7 +294,7 @@ cpl open-console -a $APP_NAME
   - Runs `cpl copy-image-from-upstream` to copy the latest image from upstream
   - Runs `cpl deploy-image` to deploy the image
   - If `.controlplane/controlplane.yml` includes the `release_script`, `cpl deploy-image` will use the `--run-release-phase` option
-  - The deploy will fail if the release script exits with a non-zero code
+  - If the release script exits with a non-zero code, the command will stop executing and also exit with a non-zero code
 
 ```sh
 cpl promote-app-from-upstream -a $APP_NAME -t $UPSTREAM_TOKEN
@@ -353,12 +371,17 @@ cpl ps:swait -a $APP_NAME -w $WORKLOAD_NAME
 - - log async fetching for non-interactive mode
 - The Dockerfile entrypoint is used as the command by default, which assumes `exec "${@}"` to be present,
   and the args ["bash", "-c", cmd_to_run] are passed
-- The entrypoint can be overriden through `--entrypoint`, which must be a single command or a script path that exists in the container,
+- The entrypoint can be overridden through `--entrypoint`, which must be a single command or a script path that exists in the container,
   and the args ["bash", "-c", cmd_to_run] are passed,
   unless the entrypoint is `bash`, in which case the args ["-c", cmd_to_run] are passed
 - Providing `--entrypoint none` sets the entrypoint to `bash` by default
 - If `fix_terminal_size` is `true` in the `.controlplane/controlplane.yml` file,
-  the remote terminal size will be fixed to match the local terminal size (may also be overriden through `--terminal-size`)
+  the remote terminal size will be fixed to match the local terminal size (may also be overridden through `--terminal-size`)
+- By default, all jobs use a CPU size of 1 (1 core) and a memory size of 2Gi (2 gibibytes)
+  (can be configured through `runner_job_default_cpu` and `runner_job_default_memory` in `controlplane.yml`,
+  and also overridden per job through `--cpu` and `--memory`)
+- By default, the job is stopped if it takes longer than 6 hours to finish
+  (can be configured though `runner_job_timeout` in `controlplane.yml`)
 
 ```sh
 # Opens shell (bash by default).
@@ -407,9 +430,15 @@ cpl run -a $APP_NAME --entrypoint /app/alternative-entrypoint.sh -- rails db:mig
 
 - Creates an app and all its workloads
 - Specify the templates for the app and workloads through `setup_app_templates` in the `.controlplane/controlplane.yml` file
-- This should only be used for temporary apps like review apps, never for persistent apps like production (to update workloads for those, use 'cpl apply-template' instead)
-- Automatically binds the app to the secrets policy, as long as both the identity and the policy exist
-- Use `--skip-secret-access-binding` to prevent the automatic bind
+- This should only be used for temporary apps like review apps, never for persistent apps like production or staging (to update workloads for those, use 'cpl apply-template' instead)
+- Configures app to have org-level secrets with default name "{APP_PREFIX}-secrets"
+  using org-level policy with default name "{APP_PREFIX}-secrets-policy" (names can be customized, see docs)
+- Creates identity for secrets if it does not exist
+- Use `--skip-secrets-setup` to prevent the automatic setup of secrets,
+  or set it through `skip_secrets_setup` in the `.controlplane/controlplane.yml` file
+- Runs a post-creation hook after the app is created if `hooks.post_creation` is specified in the `.controlplane/controlplane.yml` file
+- If the hook exits with a non-zero code, the command will stop executing and also exit with a non-zero code
+- Use `--skip-post-creation-hook` to skip the hook if specified in `controlplane.yml`
 
 ```sh
 cpl setup-app -a $APP_NAME

data/docs/secrets-and-env-values.md

@@ -0,0 +1,42 @@
+# Secrets and ENV Values
+
+You can store ENV values used by a container (within a workload) within Control Plane at the following levels:
+
+1. Workload Container
+2. GVC
+
+For your "review apps," it is convenient to have simple ENVs stored in plain text in your source code. You will want to
+keep some ENVs, like the Rails' `SECRET_KEY_BASE`, out of your source code. For staging and production apps, you will
+set these values directly at the GVC or workload levels, so none of these ENV values are committed to the source code.
+
+For storing ENVs in the source code, we can use a level of indirection so that you can store an ENV value in your source
+code like `cpln://secret/my-app-review-env-secrets.SECRET_KEY_BASE` and then have the secret value stored at the org
+level, which applies to your GVCs mapped to that org.
+
+For setting up secrets, you'll need:
+
+- **Org-level Secret:** This is where the values will be stored.
+- **GVC Identity:** An identity that must be associated with each workload that requires access to the secret.
+- **Org-level Policy:** A policy that binds the identity to the secret, granting the necessary permissions for the workload to access the secret.
+
+You can do this during the initial app setup, like this:
+
+1. Add the template for `app` to `.controlplane/templates`
+2. Ensure that the `app` template is listed in `setup_app_templates` for the app in `.controlplane/controlplane.yml`
+3. Run `cpl setup-app -a $APP_NAME`
+4. The secrets, secrets policy and identity will be automatically created, along with the proper binding
+5. In the Control Plane console, upper left "Manage Org" menu, click on "Secrets"
+6. Find the created secret (it will be in the `$APP_PREFIX-secrets` format) and add the secret env vars there
+7. Use `cpln://secret/...` in the app to access the secret env vars (e.g., `cpln://secret/$APP_PREFIX-secrets.SOME_VAR`)
+
+Here are the manual steps for reference. We recommend that you follow the steps above:
+
+1. In the upper left of the Control Plane console, "Manage Org" menu, click on "Secrets"
+2. Create a secret with `Secret Type: Dictionary` (e.g., `my-secrets`) and add the secret env vars there
+3. In the upper left "Manage GVC" menu, click on "Identities"
+4. Create an identity (e.g., `my-identity`)
+5. Navigate to the workload that you want to associate with the identity created
+6. Click "Identity" on the left menu and select the identity created
+7. In the lower left "Access Control" menu, click on "Policies"
+8. Create a policy with `Target Kind: Secret` and add a binding with the `reveal` permission for the identity created
+9. Use `cpln://secret/...` in the app to access the secret env vars (e.g., `cpln://secret/my-secrets.SOME_VAR`)

data/docs/tips.md

@@ -3,7 +3,7 @@
 1. [GVCs vs. Orgs](#gvcs-vs-orgs)
 2. [RAM](#ram)
 3. [Remote IP](#remote-ip)
-4. [ENV Values](#env-values)
+4. [Secrets and ENV Values](/docs/secrets-and-env-values.md)
 5. [CI](#ci)
 6. [Memcached](#memcached)
 7. [Sidekiq](#sidekiq)
@@ -70,45 +70,6 @@ pick those up and automatically populate `request.remote_ip`.
 
 So `REMOTE_ADDR` should not be used directly, only `request.remote_ip`.
 
-## ENV Values
-
-You can store ENV values used by a container (within a workload) within Control Plane at the following levels:
-
-1. Workload Container
-2. GVC
-
-For your "review apps," it is convenient to have simple ENVs stored in plain text in your source code. You will want to
-keep some ENVs, like the Rails' `SECRET_KEY_BASE`, out of your source code. For staging and production apps, you will
-set these values directly at the GVC or workload levels, so none of these ENV values are committed to the source code.
-
-For storing ENVs in the source code, we can use a level of indirection so that you can store an ENV value in your source
-code like `cpln://secret/my-app-review-env-secrets.SECRET_KEY_BASE` and then have the secret value stored at the org
-level, which applies to your GVCs mapped to that org.
-
-You can do this during the initial app setup, like this:
-
-1. Add the templates for `app` and `secrets` to `.controlplane/templates`
-2. Ensure that the `app` template includes the `identity`
-3. Ensure that the `app` template is listed in `setup_app_templates` for the app in `.controlplane/controlplane.yml`
-4. Run `cpl apply-template secrets -a $APP_NAME` (one-time setup)
-5. Run `cpl setup-app -a $APP_NAME`
-6. The secrets, secrets policy and identity will be automatically created, along with the proper binding
-7. In the Control Plane console, upper left "Manage Org" menu, click on "Secrets"
-8. Find the created secret (it will be in the `$APP_PREFIX-secrets` format) and add the secret env vars there
-9. Use `cpln://secret/...` in the app to access the secret env vars (e.g., `cpln://secret/$APP_PREFIX-secrets.SOME_VAR`)
-
-Here are the manual steps for reference. We recommend that you follow the steps above:
-
-1. In the upper left of the Control Plane console, "Manage Org" menu, click on "Secrets"
-2. Create a secret with `Secret Type: Dictionary` (e.g., `my-secrets`) and add the secret env vars there
-3. In the upper left "Manage GVC" menu, click on "Identities"
-4. Create an identity (e.g., `my-identity`)
-5. Navigate to the workload that you want to associate with the identity created
-6. Click "Identity" on the left menu and select the identity created
-7. In the lower left "Access Control" menu, click on "Policies"
-8. Create a policy with `Target Kind: Secret` and add a binding with the `reveal` permission for the identity created
-9. Use `cpln://secret/...` in the app to access the secret env vars (e.g., `cpln://secret/my-secrets.SOME_VAR`)
-
 ## CI
 
 **Note:** Docker builds much slower on Apple Silicon, so try configuring CI to build the images when using Apple

data/examples/controlplane.yml

@@ -31,9 +31,6 @@ aliases:
     # 2. Each file can contain many objects, such as in the case of templates that create a resource, like `postgres`.
     # 3. While the naming often corresponds to a workload or other object name, the naming is arbitrary. 
     #    Naming does not need to match anything other than the file name without the `.yml` extension.
-    #
-    # If you're going to use secrets, you need to apply the `secrets.yml` template separately (one-time setup):
-    # `cpl apply-template secrets -a my-app`
     setup_app_templates:
       - app
       - redis
@@ -42,6 +39,9 @@ aliases:
       - rails
       - sidekiq
 
+    # Uncomment next line to skips secrets setup when running `cpl setup-app`.
+    # skip_secrets_setup: true
+
     # Only needed if using a custom secrets name.
     # The default is '{APP_PREFIX}-secrets'. For example:
     # - for an app 'my-app-staging' with `match_if_app_name_starts_with` set to `false`,
@@ -84,6 +84,18 @@ aliases:
     # when running `cpl run`.
     fix_terminal_size: true
 
+    # Sets a default CPU size for `cpl run` jobs (can be overridden per job through `--cpu`).
+    # If not specified, defaults to "1" (1 core).
+    runner_job_default_cpu: "2"
+
+    # Sets a default memory size for `cpl run` jobs (can be overridden per job through `--memory`).
+    # If not specified, defaults to "2Gi" (2 gibibytes).
+    runner_job_default_memory: "4Gi"
+
+    # Sets the maximum number of seconds that `cpl run` jobs can execute before being stopped.
+    # If not specified, defaults to 21600 (6 hours).
+    runner_job_timeout: 1000
+
     # Apps with a deployed image created before this amount of days will be listed for deletion
     # when running the command `cpl cleanup-stale-apps`.
     stale_app_image_deployed_days: 5
@@ -108,6 +120,15 @@ apps:
     # e.g., "my-app-review-pr123", "my-app-review-anything-goes", etc.
     match_if_app_name_starts_with: true
 
+    # Hooks can be either a script path that exists in the app image or a command.
+    # They're run in the context of `cpl run` with the latest image.
+    hooks:
+      # Used by the command `cpl setup-app` to run a hook after creating the app.
+      post_creation: bundle exec rake db:prepare
+
+      # Used by the command `cpl delete` to run a hook before deleting the app.
+      pre_deletion: bundle exec rake db:drop
+
   my-app-production:
     <<: *common
 

data/lib/command/apply_template.rb

@@ -8,7 +8,8 @@ module Command
     OPTIONS = [
       app_option(required: true),
       location_option,
-      skip_confirm_option
+      skip_confirm_option,
+      add_app_identity_option
     ].freeze
     DESCRIPTION = "Applies application-specific configs from templates"
     LONG_DESCRIPTION = <<~DESC
@@ -39,45 +40,27 @@ module Command
       cpl apply-template app postgres redis rails -a $APP_NAME
       ```
     EX
+    VALIDATIONS = %w[config templates].freeze
+
+    def call # rubocop:disable Metrics/MethodLength
+      @template_parser = TemplateParser.new(config)
+      @names_to_filenames = config.args.to_h do |name|
+        [name, @template_parser.template_filename(name)]
+      end
 
-    def call # rubocop:disable Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
       ensure_templates!
 
       @created_items = []
       @failed_templates = []
       @skipped_templates = []
 
-      @asked_for_confirmation = false
-
-      pending_templates = templates.select do |template|
-        if template == "app"
-          confirm_app(template)
-        else
-          confirm_workload(template)
-        end
-      end
-
-      progress.puts if @asked_for_confirmation
-
-      @deprecated_variables = []
-
-      pending_templates.each do |template, filename|
-        step("Applying template '#{template}'", abort_on_error: false) do
-          items = apply_template(filename)
-          unless items
-            report_failure(template)
-            next false
-          end
-
-          items.each do |item|
-            report_success(item)
-          end
-          true
-        end
+      templates = @template_parser.parse(@names_to_filenames.values)
+      pending_templates = confirm_templates(templates)
+      add_app_identity_template(pending_templates) if config.options[:add_app_identity]
+      pending_templates.each do |template|
+        apply_template(template)
       end
 
-      warn_deprecated_variables
-
       print_created_items
       print_failed_templates
       print_skipped_templates
@@ -87,18 +70,21 @@ module Command
 
     private
 
-    def templates
-      @templates ||= config.args.to_h do |template|
-        [template, "#{config.app_cpln_dir}/templates/#{template}.yml"]
+    def template_kind(template)
+      case template["kind"]
+      when "gvc"
+        "app"
+      else
+        template["kind"]
       end
     end
 
     def ensure_templates!
-      missing_templates = templates.reject { |_template, filename| File.exist?(filename) }.to_h
+      missing_templates = @names_to_filenames.reject { |_, filename| File.exist?(filename) }
       return if missing_templates.empty?
 
-      missing_templates_str = missing_templates.map do |template, filename|
-        "  - #{template} (#{filename})"
+      missing_templates_str = missing_templates.map do |name, filename|
+        "  - #{name} (#{filename})"
       end.join("\n")
       progress.puts("#{Shell.color('Missing templates:', :red)}\n#{missing_templates_str}\n\n")
 
@@ -113,10 +99,10 @@ module Command
     end
 
     def confirm_app(template)
-      app = cp.fetch_gvc
+      app = cp.fetch_gvc(template["name"])
       return true unless app
 
-      confirmed = confirm_apply("App '#{config.app}' already exists, do you want to re-create it?")
+      confirmed = confirm_apply("App '#{template['name']}' already exists, do you want to re-create it?")
       return true if confirmed
 
       report_skipped(template)
@@ -124,63 +110,67 @@ module Command
     end
 
     def confirm_workload(template)
-      workload = cp.fetch_workload(template)
+      workload = cp.fetch_workload(template["name"])
       return true unless workload
 
-      confirmed = confirm_apply("Workload '#{template}' already exists, do you want to re-create it?")
+      confirmed = confirm_apply("Workload '#{template['name']}' already exists, do you want to re-create it?")
       return true if confirmed
 
       report_skipped(template)
       false
     end
 
-    def apply_template(filename) # rubocop:disable Metrics/MethodLength
-      data = File.read(filename)
-                 .gsub("{{APP_ORG}}", config.org)
-                 .gsub("{{APP_NAME}}", config.app)
-                 .gsub("{{APP_LOCATION}}", config.location)
-                 .gsub("{{APP_LOCATION_LINK}}", app_location_link)
-                 .gsub("{{APP_IMAGE}}", latest_image)
-                 .gsub("{{APP_IMAGE_LINK}}", app_image_link)
-                 .gsub("{{APP_IDENTITY}}", app_identity)
-                 .gsub("{{APP_IDENTITY_LINK}}", app_identity_link)
-                 .gsub("{{APP_SECRETS}}", app_secrets)
-                 .gsub("{{APP_SECRETS_POLICY}}", app_secrets_policy)
+    def confirm_templates(templates) # rubocop:disable Metrics/MethodLength
+      @asked_for_confirmation = false
+
+      pending_templates = templates.select do |template|
+        case template["kind"]
+        when "gvc"
+          confirm_app(template)
+        when "workload"
+          confirm_workload(template)
+        else
+          true
+        end
+      end
 
-      find_deprecated_variables(data)
+      progress.puts if @asked_for_confirmation
+
+      pending_templates
+    end
 
-      # Kept for backwards compatibility
-      data = data
-             .gsub("APP_ORG", config.org)
-             .gsub("APP_GVC", config.app)
-             .gsub("APP_LOCATION", config.location)
-             .gsub("APP_IMAGE", latest_image)
+    def add_app_identity_template(templates)
+      app_template_index = templates.index { |template| template["name"] == config.app }
+      app_identity_template_index = templates.index { |template| template["name"] == config.identity }
 
-      # Don't read in YAML.safe_load as that doesn't handle multiple documents
-      cp.apply_template(data)
+      return unless app_template_index && app_identity_template_index.nil?
+
+      # Adding the identity template right after the app template is important since:
+      # a) we can't create the identity at the beginning because the app doesn't exist yet
+      # b) we also can't create it at the end because any workload templates associated with it will fail to apply
+      templates.insert(app_template_index + 1, build_app_identity_hash)
     end
 
-    def new_variables
+    def build_app_identity_hash
       {
-        "APP_ORG" => "{{APP_ORG}}",
-        "APP_GVC" => "{{APP_NAME}}",
-        "APP_LOCATION" => "{{APP_LOCATION}}",
-        "APP_IMAGE" => "{{APP_IMAGE}}"
+        "kind" => "identity",
+        "name" => config.identity
       }
     end
 
-    def find_deprecated_variables(data)
-      @deprecated_variables.push(*new_variables.keys.select { |old_key| data.include?(old_key) })
-      @deprecated_variables = @deprecated_variables.uniq.sort
-    end
-
-    def warn_deprecated_variables
-      return unless @deprecated_variables.any?
+    def apply_template(template) # rubocop:disable Metrics/MethodLength
+      step("Applying template for #{template_kind(template)} '#{template['name']}'", abort_on_error: false) do
+        items = cp.apply_hash(template)
+        unless items
+          report_failure(template)
+          next false
+        end
 
-      message = "Please replace these variables in the templates, " \
-                "as support for them will be removed in a future major version bump:"
-      deprecated = @deprecated_variables.map { |old_key| "  - #{old_key} -> #{new_variables[old_key]}" }.join("\n")
-      progress.puts("\n#{Shell.color("DEPRECATED: #{message}", :yellow)}\n#{deprecated}")
+        items.each do |item|
+          report_success(item)
+        end
+        true
+      end
     end
 
     def report_success(item)
@@ -205,14 +195,14 @@ module Command
     def print_failed_templates
       return unless @failed_templates.any?
 
-      failed = @failed_templates.map { |template| "  - #{template}" }.join("\n")
+      failed = @failed_templates.map { |template| "  - [#{template_kind(template)}] #{template['name']}" }.join("\n")
       progress.puts("\n#{Shell.color('Failed to apply templates:', :red)}\n#{failed}")
     end
 
     def print_skipped_templates
       return unless @skipped_templates.any?
 
-      skipped = @skipped_templates.map { |template| "  - #{template}" }.join("\n")
+      skipped = @skipped_templates.map { |template| "  - [#{template_kind(template)}] #{template['name']}" }.join("\n")
       progress.puts("\n#{Shell.color('Skipped templates (already exist):', :blue)}\n#{skipped}")
     end
   end