.. highlight: yaml :linenothreshold: 5 .. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. .. _hot_spec: =============================================== Heat Orchestration Template (HOT) specification =============================================== HOT is a new template format meant to replace the Heat CloudFormation-compatible format (CFN) as the native format supported by the Heat over time. This specification explains in detail all elements of the HOT template format. An example driven guide to writing HOT templates can be found at :ref:`hot_guide`. Status ~~~~~~ HOT is considered reliable, supported, and standardized as of our Icehouse (April 2014) release. The Heat core team may make improvements to the standard, which very likely would be backward compatible. The template format is also versioned. Since Juno release, Heat supports multiple different versions of the HOT specification. Template structure ~~~~~~~~~~~~~~~~~~ HOT templates are defined in YAML and follow the structure outlined below. :: heat_template_version: 2013-05-23 description: # a description of the template parameter_groups: # a declaration of input parameter groups and order parameters: # declaration of input parameters resources: # declaration of template resources outputs: # declaration of output parameters heat_template_version This key with value ``2013-05-23`` (or a later date) indicates that the YAML document is a HOT template of the specified version. description This optional key allows for giving a description of the template, or the workload that can be deployed using the template. parameter_groups This section allows for specifying how the input parameters should be grouped and the order to provide the parameters in. This section is optional and can be omitted when necessary. parameters This section allows for specifying input parameters that have to be provided when instantiating the template. The section is optional and can be omitted when no input is required. resources This section contains the declaration of the single resources of the template. This section with at least one resource should be defined in any HOT template, or the template would not really do anything when being instantiated. outputs This section allows for specifying output parameters available to users once the template has been instantiated. This section is optional and can be omitted when no output values are required. .. _hot_spec_template_version: Heat template version ~~~~~~~~~~~~~~~~~~~~~ The value of ``heat_template_version`` tells Heat not only the format of the template but also features that will be validated and supported. For example, Heat currently supports the following values for the ``heat_template_version`` key: 2013-05-23 The key with value ``2013-05-23`` indicates that the YAML document is a HOT template and it may contain features implemented until the Icehouse release. This version supports the following functions (some are back ported to this version):: get_attr get_file get_param get_resource list_join resource_facade str_replace Fn::Base64 Fn::GetAZs Fn::Join Fn::MemberListToMap Fn::Replace Fn::ResourceFacade Fn::Select Fn::Split Ref 2014-10-16 The key with value ``2014-10-16`` indicates that the YAML document is a HOT template and it may contain features added and/or removed up until the Juno release. This version removes most CFN functions that were supported in the Icehouse release, i.e. the ``2013-05-23`` version. So the supported functions now are:: get_attr get_file get_param get_resource list_join resource_facade str_replace Fn::Select 2015-04-30 The key with value ``2015-04-30`` indicates that the YAML document is a HOT template and it may contain features added and/or removed up until the Kilo release. This version adds the ``repeat`` function. So the complete list of supported functions is:: get_attr get_file get_param get_resource list_join repeat digest resource_facade str_replace Fn::Select 2015-10-15 The key with value ``2015-10-15`` indicates that the YAML document is a HOT template and it may contain features added and/or removed up until the Liberty release. This version removes the *Fn::Select* function, path based ``get_attr``/``get_param`` references should be used instead. :: get_attr get_file get_param get_resource list_join repeat digest resource_facade str_replace str_split .. _hot_spec_parameter_groups: Parameter groups section ~~~~~~~~~~~~~~~~~~~~~~~~ The ``parameter_groups`` section allows for specifying how the input parameters should be grouped and the order to provide the parameters in. These groups are typically used to describe expected behavior for downstream user interfaces. These groups are specified in a list with each group containing a list of associated parameters. The lists are used to denote the expected order of the parameters. Each parameter should be associated to a specific group only once using the parameter name to bind it to a defined parameter in the ``parameters`` section. :: parameter_groups: - label: description: parameters: - - label A human-readable label that defines the associated group of parameters. description This attribute allows for giving a human-readable description of the parameter group. parameters A list of parameters associated with this parameter group. param name The name of the parameter that is defined in the associated ``parameters`` section. .. _hot_spec_parameters: Parameters section ~~~~~~~~~~~~~~~~~~ The ``parameters`` section allows for specifying input parameters that have to be provided when instantiating the template. Such parameters are typically used to customize each deployment (e.g. by setting custom user names or passwords) or for binding to environment-specifics like certain images. Each parameter is specified in a separated nested block with the name of the parameters defined in the first line and additional attributes such as type or default value defined as nested elements. :: parameters: : type: label: description: default: hidden: constraints: param name The name of the parameter. type The type of the parameter. Supported types are ``string``, ``number``, ``comma_delimited_list``, ``json`` and ``boolean``. This attribute is required. label A human readable name for the parameter. This attribute is optional. description A human readable description for the parameter. This attribute is optional. default A default value for the parameter. This value is used if the user doesn't specify his own value during deployment. This attribute is optional. hidden Defines whether the parameters should be hidden when a user requests information about a stack created from the template. This attribute can be used to hide passwords specified as parameters. This attribute is optional and defaults to ``false``. constraints A list of constraints to apply. The constraints are validated by the Orchestration engine when a user deploys a stack. The stack creation fails if the parameter value doesn't comply to the constraints. This attribute is optional. The table below describes all currently supported types with examples: +----------------------+-------------------------------+------------------+ | Type | Description | Examples | +======================+===============================+==================+ | string | A literal string. | "String param" | +----------------------+-------------------------------+------------------+ | number | An integer or float. | "2"; "0.2" | +----------------------+-------------------------------+------------------+ | comma_delimited_list | An array of literal strings | ["one", "two"]; | | | that are separated by commas. | "one, two"; | | | The total number of strings | Note: "one, two" | | | should be one more than the | returns | | | total number of commas. | ["one", " two"] | +----------------------+-------------------------------+------------------+ | json | A JSON-formatted map or list. | {"key": "value"} | +----------------------+-------------------------------+------------------+ | boolean | Boolean type value, which can | "on"; "n" | | | be equal "t", "true", "on", | | | | "y", "yes", or "1" for true | | | | value and "f", "false", | | | | "off", "n", "no", or "0" for | | | | false value. | | +----------------------+-------------------------------+------------------+ The following example shows a minimalistic definition of two parameters:: parameters: user_name: type: string label: User Name description: User name to be configured for the application port_number: type: number label: Port Number description: Port number to be configured for the web server .. note:: The description and the label are optional, but defining these attributes is good practice to provide useful information about the role of the parameter to the user. .. _hot_spec_parameters_constraints: Parameter Constraints --------------------- The ``constraints`` block of a parameter definition defines additional validation constraints that apply to the value of the parameter. The parameter values provided by a user are validated against the constraints at instantiation time. The constraints are defined as a list with the following syntax:: constraints: - : description: constraint type Type of constraint to apply. The set of currently supported constraints is given below. constraint definition The actual constraint, depending on the constraint type. The concrete syntax for each constraint type is given below. description A description of the constraint. The text is presented to the user when the value he defines violates the constraint. If omitted, a default validation message is presented to the user. This attribute is optional. The following example shows the definition of a string parameter with two constraints. Note that while the descriptions for each constraint are optional, it is good practice to provide concrete descriptions to present useful messages to the user at deployment time. :: parameters: user_name: type: string label: User Name description: User name to be configured for the application constraints: - length: { min: 6, max: 8 } description: User name must be between 6 and 8 characters - allowed_pattern: "[A-Z]+[a-zA-Z0-9]*" description: User name must start with an uppercase character .. note:: While the descriptions for each constraint are optional, it is good practice to provide concrete descriptions so useful messages can be presented to the user at deployment time. The following sections list the supported types of parameter constraints, along with the concrete syntax for each type. length ++++++ The ``length`` constraint applies to parameters of type ``string``. It defines a lower and upper limit for the length of the string value. The syntax of the ``length`` constraint is:: length: { min: , max: } It is possible to define a length constraint with only a lower limit or an upper limit. However, at least one of ``min`` or ``max`` must be specified. range +++++ The ``range`` constraint applies to parameters of type ``number``. It defines a lower and upper limit for the numeric value of the parameter. The syntax of the ``range`` constraint is:: range: { min: , max: } It is possible to define a range constraint with only a lower limit or an upper limit. However, at least one of ``min`` or ``max`` must be specified. The minimum and maximum boundaries are included in the range. For example, the following range constraint would allow for all numeric values between 0 and 10:: range: { min: 0, max: 10 } allowed_values ++++++++++++++ The ``allowed_values`` constraint applies to parameters of type ``string`` or ``number``. It specifies a set of possible values for a parameter. At deployment time, the user-provided value for the respective parameter must match one of the elements of the list. The syntax of the ``allowed_values`` constraint is:: allowed_values: [ , , ... ] Alternatively, the following YAML list notation can be used:: allowed_values: - - - ... For example:: parameters: instance_type: type: string label: Instance Type description: Instance type for compute instances constraints: - allowed_values: - m1.small - m1.medium - m1.large allowed_pattern +++++++++++++++ The ``allowed_pattern`` constraint applies to parameters of type ``string``. It specifies a regular expression against which a user-provided parameter value must evaluate at deployment. The syntax of the ``allowed_pattern`` constraint is:: allowed_pattern: For example:: parameters: user_name: type: string label: User Name description: User name to be configured for the application constraints: - allowed_pattern: "[A-Z]+[a-zA-Z0-9]*" description: User name must start with an uppercase character custom_constraint +++++++++++++++++ The ``custom_constraint`` constraint adds an extra step of validation, generally to check that the specified resource exists in the backend. Custom constraints get implemented by plug-ins and can provide any kind of advanced constraint validation logic. The syntax of the ``custom_constraint`` constraint is:: custom_constraint: The ``name`` attribute specifies the concrete type of custom constraint. It corresponds to the name under which the respective validation plugin has been registered in the Orchestration engine. For example:: parameters: key_name type: string description: SSH key pair constraints: - custom_constraint: nova.keypair .. _hot_spec_pseudo_parameters: Pseudo parameters ----------------- In addition to parameters defined by a template author, Heat also creates three parameters for every stack that allow referential access to the stack's name, stack's identifier and project's identifier. These parameters are named ``OS::stack_name`` for the stack name, ``OS::stack_id`` for the stack identifier and ``OS::project_id`` for the project identifier. These values are accessible via the `get_param`_ intrinsic function, just like user-defined parameters. .. note:: ``OS::project_id`` is available since 2015.1 (Kilo). .. _hot_spec_resources: Resources section ~~~~~~~~~~~~~~~~~ The ``resources`` section defines actual resources that make up a stack deployed from the HOT template (for instance compute instances, networks, storage volumes). Each resource is defined as a separate block in the ``resources`` section with the following syntax:: resources: : type: properties: : metadata: depends_on: update_policy: deletion_policy: resource ID A resource ID which must be unique within the ``resources`` section of the template. type The resource type, such as ``OS::Nova::Server`` or ``OS::Neutron::Port``. This attribute is required. properties A list of resource-specific properties. The property value can be provided in place, or via a function (see :ref:`hot_spec_intrinsic_functions`). This section is optional. metadata Resource-specific metadata. This section is optional. depends_on Dependencies of the resource on one or more resources of the template. See :ref:`hot_spec_resources_dependencies` for details. This attribute is optional. update_policy Update policy for the resource, in the form of a nested dictionary. Whether update policies are supported and what the exact semantics are depends on the type of the current resource. This attribute is optional. deletion_policy Deletion policy for the resource. Which type of deletion policy is supported depends on the type of the current resource. This attribute is optional. Depending on the type of resource, the resource block might include more resource specific data. All resource types that can be used in CFN templates can also be used in HOT templates, adapted to the YAML structure as outlined above. The following example demonstrates the definition of a simple compute resource with some fixed property values:: resources: my_instance: type: OS::Nova::Server properties: flavor: m1.small image: F18-x86_64-cfntools .. _hot_spec_resources_dependencies: Resource dependencies --------------------- The ``depends_on`` attribute of a resource defines a dependency between this resource and one or more other resources. If a resource depends on just one other resource, the ID of the other resource is specified as string of the ``depends_on`` attribute, as shown in the following example:: resources: server1: type: OS::Nova::Server depends_on: server2 server2: type: OS::Nova::Server If a resource depends on more than one other resources, the value of the ``depends_on`` attribute is specified as a list of resource IDs, as shown in the following example:: resources: server1: type: OS::Nova::Server depends_on: [ server2, server3 ] server2: type: OS::Nova::Server server3: type: OS::Nova::Server .. _hot_spec_outputs: Outputs section ~~~~~~~~~~~~~~~ The ``outputs`` section defines output parameters that should be available to the user after a stack has been created. This would be, for example, parameters such as IP addresses of deployed instances, or URLs of web applications deployed as part of a stack. Each output parameter is defined as a separate block within the outputs section according to the following syntax:: outputs: : description: value: parameter name The output parameter name, which must be unique within the ``outputs`` section of a template. description A short description of the output parameter. This attribute is optional. parameter value The value of the output parameter. This value is usually resolved by means of a function. See :ref:`hot_spec_intrinsic_functions` for details about the functions. This attribute is required. The example below shows how the IP address of a compute resource can be defined as an output parameter:: outputs: instance_ip: description: IP address of the deployed compute instance value: { get_attr: [my_instance, first_address] } .. _hot_spec_intrinsic_functions: Intrinsic functions ~~~~~~~~~~~~~~~~~~~ HOT provides a set of intrinsic functions that can be used inside templates to perform specific tasks, such as getting the value of a resource attribute at runtime. The following section describes the role and syntax of the intrinsic functions. get_attr -------- The ``get_attr`` function references an attribute of a resource. The attribute value is resolved at runtime using the resource instance created from the respective resource definition. Path based attribute referencing using keys or indexes requires ``heat_template_version`` ``2014-10-16`` or higher. The syntax of the ``get_attr`` function is:: get_attr: - - - (optional) - (optional) - ... resource name The resource name for which the attribute needs to be resolved. The resource name must exist in the ``resources`` section of the template. attribute name The attribute name to be resolved. If the attribute returns a complex data structure such as a list or a map, then subsequent keys or indexes can be specified. These additional parameters are used to navigate the data structure to return the desired value. The following example demonstrates how to use the :code:`get_attr` function:: resources: my_instance: type: OS::Nova::Server # ... outputs: instance_ip: description: IP address of the deployed compute instance value: { get_attr: [my_instance, first_address] } instance_private_ip: description: Private IP address of the deployed compute instance value: { get_attr: [my_instance, networks, private, 0] } In this example, if the ``networks`` attribute contained the following data:: {"public": ["2001:0db8:0000:0000:0000:ff00:0042:8329", "1.2.3.4"], "private": ["10.0.0.1"]} then the value of :code:`get_attr` function would resolve to ``10.0.0.1`` (first item of the ``private`` entry in the ``networks`` map). get_file -------- The ``get_file`` function returns the content of a file into the template. It is generally used as a file inclusion mechanism for files containing scripts or configuration files. The syntax of ``get_file`` function is:: get_file: The ``content key`` is used to look up the ``files`` dictionary that is provided in the REST API call. The Orchestration client command (``heat``) is ``get_file`` aware and populates the ``files`` dictionary with the actual content of fetched paths and URLs. The Orchestration client command supports relative paths and transforms these to the absolute URLs required by the Orchestration API. .. note:: The ``get_file`` argument must be a static path or URL and not rely on intrinsic functions like ``get_param``. the Orchestration client does not process intrinsic functions (they are only processed by the Orchestration engine). The example below demonstrates the ``get_file`` function usage with both relative and absolute URLs:: resources: my_instance: type: OS::Nova::Server properties: # general properties ... user_data: get_file: my_instance_user_data.sh my_other_instance: type: OS::Nova::Server properties: # general properties ... user_data: get_file: http://example.com/my_other_instance_user_data.sh The ``files`` dictionary generated by the Orchestration client during instantiation of the stack would contain the following keys: * :file:`file:///path/to/my_instance_user_data.sh` * :file:`http://example.com/my_other_instance_user_data.sh` get_param --------- The ``get_param`` function references an input parameter of a template. It resolves to the value provided for this input parameter at runtime. The syntax of the ``get_param`` function is:: get_param: - - (optional) - (optional) - ... parameter name The parameter name to be resolved. If the parameters returns a complex data structure such as a list or a map, then subsequent keys or indexes can be specified. These additional parameters are used to navigate the data structure to return the desired value. The following example demonstrates the use of the ``get_param`` function:: parameters: instance_type: type: string label: Instance Type description: Instance type to be used. server_data: type: json resources: my_instance: type: OS::Nova::Server properties: flavor: { get_param: instance_type} metadata: { get_param: [ server_data, metadata ] } key_name: { get_param: [ server_data, keys, 0 ] } In this example, if the ``instance_type`` and ``server_data`` parameters contained the following data:: {"instance_type": "m1.tiny", {"server_data": {"metadata": {"foo": "bar"}, "keys": ["a_key","other_key"]}}} then the value of the property ``flavor`` would resolve to ``m1.tiny``, ``metadata`` would resolve to ``{"foo": "bar"}`` and ``key_name`` would resolve to ``a_key``. get_resource ------------ The ``get_resource`` function references another resource within the same template. At runtime, it is resolved to reference the ID of the referenced resource, which is resource type specific. For example, a reference to a floating IP resource returns the respective IP address at runtime. The syntax of the ``get_resource`` function is:: get_resource: The resource ID of the referenced resource is given as single parameter to the ``get_resource`` function. For example:: resources: instance_port: type: OS::Neutron::Port properties: ... instance: type: OS::Nova::Server properties: ... networks: port: { get_resource: instance_port } list_join --------- The ``list_join`` function joins a list of strings with the given delimiter. The syntax of the ``list_join`` function is:: list_join: - - For example:: list_join: [', ', ['one', 'two', 'and three']] This resolve to the string ``one, two, and three``. digest ------ The ``digest`` function allows for performing digest operations on a given value. This function has been introduced in the Kilo release and is usable with HOT versions later than ``2015-04-30``. The syntax of the ``digest`` function is:: digest: - - algorithm The digest algorithm. Valid algorithms are the ones provided natively by hashlib (md5, sha1, sha224, sha256, sha384, and sha512) or any one provided by OpenSSL. value The value to digest. This function will resolve to the corresponding hash of the value. For example:: # from a user supplied parameter pwd_hash: { digest: ['sha512', { get_param: raw_password }] } The value of the digest function would resolve to the corresponding hash of the value of ``raw_password``. repeat ------ The ``repeat`` function allows for dynamically transforming lists by iterating over the contents of one or more source lists and replacing the list elements into a template. The result of this function is a new list, where the elements are set to the template, rendered for each list item. The syntax of the ``repeat`` function is:: repeat: template: