HOT is a new template format meant to replace the Heat CloudFormation-compatible format (CFN) as the native format supported by the Heat over time. This specification explains in detail all elements of the HOT template format. An example driven guide to writing HOT templates can be found at Heat Orchestration Template (HOT) Guide.
HOT is considered reliable, supported, and standardized as of our Icehouse (April 2014) release. The Heat core team may make improvements to the standard, which very likely would be backward compatible. The template format is also versioned. Since Juno release, Heat supports multiple different versions of the HOT specification.
HOT templates are defined in YAML and follow the structure outlined below.
heat_template_version: 2015-04-30
description:
# a description of the template
parameter_groups:
# a declaration of input parameter groups and order
parameters:
# declaration of input parameters
resources:
# declaration of template resources
outputs:
# declaration of output parameters
The value of heat_template_version tells Heat not only the format of the template but also features that will be validated and supported. For example, Heat currently supports the following values for the heat_template_version key:
The key with value 2013-05-23 indicates that the YAML document is a HOT template and it may contain features implemented until the Icehouse release. This version supports the following functions (some are back ported to this version):
get_attr
get_file
get_param
get_resource
list_join
resource_facade
str_replace
Fn::Base64
Fn::GetAZs
Fn::Join
Fn::MemberListToMap
Fn::Replace
Fn::ResourceFacade
Fn::Select
Fn::Split
Ref
The key with value 2014-10-16 indicates that the YAML document is a HOT template and it may contain features added and/or removed up until the Juno release. This version removes most CFN functions that were supported in the Icehouse release, i.e. the 2013-05-23 version. So the supported functions now are:
get_attr
get_file
get_param
get_resource
list_join
resource_facade
str_replace
Fn::Select
The key with value 2015-04-30 indicates that the YAML document is a HOT template and it may contain features added and/or removed up until the Kilo release. This version adds the repeat function. So the complete list of supported functions is:
get_attr
get_file
get_param
get_resource
list_join
repeat
digest
resource_facade
str_replace
Fn::Select
The key with value 2015-10-15 indicates that the YAML document is a HOT template and it may contain features added and/or removed up until the Liberty release. This version removes the Fn::Select function, path based get_attr/get_param references should be used instead. Moreover get_attr since this version returns dict of all attributes for the given resource excluding show attribute, if there’s no <attribute name> specified, e.g. { get_attr: [<resource name>]}. This version also adds the str_split function and support for passing multiple lists to the existing list_join function. The complete list of supported functions is:
get_attr
get_file
get_param
get_resource
list_join
repeat
digest
resource_facade
str_replace
str_split
The parameter_groups section allows for specifying how the input parameters should be grouped and the order to provide the parameters in. These groups are typically used to describe expected behavior for downstream user interfaces.
These groups are specified in a list with each group containing a list of associated parameters. The lists are used to denote the expected order of the parameters. Each parameter should be associated to a specific group only once using the parameter name to bind it to a defined parameter in the parameters section.
parameter_groups:
- label: <human-readable label of parameter group>
description: <description of the parameter group>
parameters:
- <param name>
- <param name>
The parameters section allows for specifying input parameters that have to be provided when instantiating the template. Such parameters are typically used to customize each deployment (e.g. by setting custom user names or passwords) or for binding to environment-specifics like certain images.
Each parameter is specified in a separated nested block with the name of the parameters defined in the first line and additional attributes such as type or default value defined as nested elements.
parameters:
<param name>:
type: <string | number | json | comma_delimited_list | boolean>
label: <human-readable name of the parameter>
description: <description of the parameter>
default: <default value for parameter>
hidden: <true | false>
constraints:
<parameter constraints>
Defines whether the parameters should be hidden when a user requests information about a stack created from the template. This attribute can be used to hide passwords specified as parameters.
This attribute is optional and defaults to false.
The table below describes all currently supported types with examples:
Type | Description | Examples |
---|---|---|
string | A literal string. | “String param” |
number | An integer or float. | “2”; “0.2” |
comma_delimited_list | An array of literal strings that are separated by commas. The total number of strings should be one more than the total number of commas. | [“one”, “two”]; “one, two”; Note: “one, two” returns [“one”, ” two”] |
json | A JSON-formatted map or list. | {“key”: “value”} |
boolean | Boolean type value, which can be equal “t”, “true”, “on”, “y”, “yes”, or “1” for true value and “f”, “false”, “off”, “n”, “no”, or “0” for false value. | “on”; “n” |
The following example shows a minimalistic definition of two parameters
parameters:
user_name:
type: string
label: User Name
description: User name to be configured for the application
port_number:
type: number
label: Port Number
description: Port number to be configured for the web server
Note
The description and the label are optional, but defining these attributes is good practice to provide useful information about the role of the parameter to the user.
The constraints block of a parameter definition defines additional validation constraints that apply to the value of the parameter. The parameter values provided by a user are validated against the constraints at instantiation time. The constraints are defined as a list with the following syntax
constraints:
- <constraint type>: <constraint definition>
description: <constraint description>
The following example shows the definition of a string parameter with two constraints. Note that while the descriptions for each constraint are optional, it is good practice to provide concrete descriptions to present useful messages to the user at deployment time.
parameters:
user_name:
type: string
label: User Name
description: User name to be configured for the application
constraints:
- length: { min: 6, max: 8 }
description: User name must be between 6 and 8 characters
- allowed_pattern: "[A-Z]+[a-zA-Z0-9]*"
description: User name must start with an uppercase character
Note
While the descriptions for each constraint are optional, it is good practice to provide concrete descriptions so useful messages can be presented to the user at deployment time.
The following sections list the supported types of parameter constraints, along with the concrete syntax for each type.
The length constraint applies to parameters of type string. It defines a lower and upper limit for the length of the string value.
The syntax of the length constraint is
length: { min: <lower limit>, max: <upper limit> }
It is possible to define a length constraint with only a lower limit or an upper limit. However, at least one of min or max must be specified.
The range constraint applies to parameters of type number. It defines a lower and upper limit for the numeric value of the parameter.
The syntax of the range constraint is
range: { min: <lower limit>, max: <upper limit> }
It is possible to define a range constraint with only a lower limit or an upper limit. However, at least one of min or max must be specified.
The minimum and maximum boundaries are included in the range. For example, the following range constraint would allow for all numeric values between 0 and 10
range: { min: 0, max: 10 }
The allowed_values constraint applies to parameters of type string or number. It specifies a set of possible values for a parameter. At deployment time, the user-provided value for the respective parameter must match one of the elements of the list.
The syntax of the allowed_values constraint is
allowed_values: [ <value>, <value>, ... ]
Alternatively, the following YAML list notation can be used
allowed_values:
- <value>
- <value>
- ...
For example
parameters:
instance_type:
type: string
label: Instance Type
description: Instance type for compute instances
constraints:
- allowed_values:
- m1.small
- m1.medium
- m1.large
The allowed_pattern constraint applies to parameters of type string. It specifies a regular expression against which a user-provided parameter value must evaluate at deployment.
The syntax of the allowed_pattern constraint is
allowed_pattern: <regular expression>
For example
parameters:
user_name:
type: string
label: User Name
description: User name to be configured for the application
constraints:
- allowed_pattern: "[A-Z]+[a-zA-Z0-9]*"
description: User name must start with an uppercase character
The custom_constraint constraint adds an extra step of validation, generally to check that the specified resource exists in the backend. Custom constraints get implemented by plug-ins and can provide any kind of advanced constraint validation logic.
The syntax of the custom_constraint constraint is
custom_constraint: <name>
The name attribute specifies the concrete type of custom constraint. It corresponds to the name under which the respective validation plugin has been registered in the Orchestration engine.
For example
parameters:
key_name
type: string
description: SSH key pair
constraints:
- custom_constraint: nova.keypair
The following section lists the custom constraints and the plug-ins that support them.
Name | Plug-in |
---|---|
cinder.backup | heat.engine.clients.os.cinder:VolumeBackupConstraint |
cinder.snapshot | heat.engine.clients.os.cinder:VolumeSnapshotConstraint |
cinder.volume | heat.engine.clients.os.cinder:VolumeConstraint |
cinder.vtype | heat.engine.clients.os.cinder:VolumeTypeConstraint |
cron_expression | heat.engine.constraint.common_constraints:CRONExpressionConstraint |
designate.domain | heat.engine.clients.os.designate:DesignateDomainConstraint |
glance.image | heat.engine.clients.os.glance:ImageConstraint |
ip_addr | heat.engine.constraint.common_constraints:IPConstraint |
iso_8601 | heat.engine.constraint.common_constraints:ISO8601Constraint |
keystone.domain | heat.engine.clients.os.keystone:KeystoneDomainConstraint |
keystone.group | heat.engine.clients.os.keystone:KeystoneGroupConstraint |
keystone.project | heat.engine.clients.os.keystone:KeystoneProjectConstraint |
keystone.role | heat.engine.clients.os.keystone:KeystoneRoleConstraint |
keystone.service | heat.engine.clients.os.keystone:KeystoneServiceConstraint |
keystone.user | heat.engine.clients.os.keystone:KeystoneUserConstraint |
mac_addr | heat.engine.constraint.common_constraints:MACConstraint |
manila.share_network | heat.engine.clients.os.manila:ManilaShareNetworkConstraint |
manila.share_snapshot | heat.engine.clients.os.manila:ManilaShareSnapshotConstraint |
manila.share_type | heat.engine.clients.os.manila:ManilaShareTypeConstraint |
monasca.notification | heat.engine.clients.os.monasca:MonascaNotificationConstraint |
net_cidr | heat.engine.constraint.common_constraints:CIDRConstraint |
neutron.network | heat.engine.clients.os.neutron:NetworkConstraint |
neutron.port | heat.engine.clients.os.neutron:PortConstraint |
neutron.router | heat.engine.clients.os.neutron:RouterConstraint |
neutron.subnet | heat.engine.clients.os.neutron:SubnetConstraint |
nova.flavor | heat.engine.clients.os.nova:FlavorConstraint |
nova.keypair | heat.engine.clients.os.nova:KeypairConstraint |
nova.network | heat.engine.clients.os.nova:NetworkConstraint |
nova.server | heat.engine.clients.os.nova:ServerConstraint |
sahara.image | heat.engine.clients.os.sahara:ImageConstraint |
sahara.plugin | heat.engine.clients.os.sahara:PluginConstraint |
timezone | heat.engine.constraint.common_constraints:TimezoneConstraint |
trove.flavor | heat.engine.clients.os.trove:FlavorConstraint |
In addition to parameters defined by a template author, Heat also creates three parameters for every stack that allow referential access to the stack’s name, stack’s identifier and project’s identifier. These parameters are named OS::stack_name for the stack name, OS::stack_id for the stack identifier and OS::project_id for the project identifier. These values are accessible via the get_param intrinsic function, just like user-defined parameters.
Note
OS::project_id is available since 2015.1 (Kilo).
The resources section defines actual resources that make up a stack deployed from the HOT template (for instance compute instances, networks, storage volumes).
Each resource is defined as a separate block in the resources section with the following syntax
resources:
<resource ID>:
type: <resource type>
properties:
<property name>: <property value>
metadata:
<resource specific metadata>
depends_on: <resource ID or list of ID>
update_policy: <update policy>
deletion_policy: <deletion policy>
Depending on the type of resource, the resource block might include more resource specific data.
All resource types that can be used in CFN templates can also be used in HOT templates, adapted to the YAML structure as outlined above.
The following example demonstrates the definition of a simple compute resource with some fixed property values
resources:
my_instance:
type: OS::Nova::Server
properties:
flavor: m1.small
image: F18-x86_64-cfntools
The depends_on attribute of a resource defines a dependency between this resource and one or more other resources.
If a resource depends on just one other resource, the ID of the other resource is specified as string of the depends_on attribute, as shown in the following example
resources:
server1:
type: OS::Nova::Server
depends_on: server2
server2:
type: OS::Nova::Server
If a resource depends on more than one other resources, the value of the depends_on attribute is specified as a list of resource IDs, as shown in the following example
resources:
server1:
type: OS::Nova::Server
depends_on: [ server2, server3 ]
server2:
type: OS::Nova::Server
server3:
type: OS::Nova::Server
The outputs section defines output parameters that should be available to the user after a stack has been created. This would be, for example, parameters such as IP addresses of deployed instances, or URLs of web applications deployed as part of a stack.
Each output parameter is defined as a separate block within the outputs section according to the following syntax
outputs:
<parameter name>:
description: <description>
value: <parameter value>
The example below shows how the IP address of a compute resource can be defined as an output parameter
outputs:
instance_ip:
description: IP address of the deployed compute instance
value: { get_attr: [my_instance, first_address] }
HOT provides a set of intrinsic functions that can be used inside templates to perform specific tasks, such as getting the value of a resource attribute at runtime. The following section describes the role and syntax of the intrinsic functions.
Note: these functions can only be used within the “properties” section of each resource or in the outputs section.
The get_attr function references an attribute of a resource. The attribute value is resolved at runtime using the resource instance created from the respective resource definition.
Path based attribute referencing using keys or indexes requires heat_template_version 2014-10-16 or higher.
The syntax of the get_attr function is
get_attr:
- <resource name>
- <attribute name>
- <key/index 1> (optional)
- <key/index 2> (optional)
- ...
The resource name for which the attribute needs to be resolved.
The resource name must exist in the resources section of the template.
The following example demonstrates how to use the get_attr function:
resources:
my_instance:
type: OS::Nova::Server
# ...
outputs:
instance_ip:
description: IP address of the deployed compute instance
value: { get_attr: [my_instance, first_address] }
instance_private_ip:
description: Private IP address of the deployed compute instance
value: { get_attr: [my_instance, networks, private, 0] }
In this example, if the networks attribute contained the following data:
{"public": ["2001:0db8:0000:0000:0000:ff00:0042:8329", "1.2.3.4"],
"private": ["10.0.0.1"]}
then the value of get_attr function would resolve to 10.0.0.1 (first item of the private entry in the networks map).
From heat_template_version: ‘2015-10-15’ <attribute_name> is optional and if <attribute_name> is not specified, get_attr returns dict of all attributes for the given resource excluding show attribute. In this case syntax would be next:
get_attr:
- <resource_name>
The get_file function returns the content of a file into the template. It is generally used as a file inclusion mechanism for files containing scripts or configuration files.
The syntax of get_file function is
get_file: <content key>
The content key is used to look up the files dictionary that is provided in the REST API call. The Orchestration client command (heat) is get_file aware and populates the files dictionary with the actual content of fetched paths and URLs. The Orchestration client command supports relative paths and transforms these to the absolute URLs required by the Orchestration API.
Note
The get_file argument must be a static path or URL and not rely on intrinsic functions like get_param. the Orchestration client does not process intrinsic functions (they are only processed by the Orchestration engine).
The example below demonstrates the get_file function usage with both relative and absolute URLs
resources:
my_instance:
type: OS::Nova::Server
properties:
# general properties ...
user_data:
get_file: my_instance_user_data.sh
my_other_instance:
type: OS::Nova::Server
properties:
# general properties ...
user_data:
get_file: http://example.com/my_other_instance_user_data.sh
The files dictionary generated by the Orchestration client during instantiation of the stack would contain the following keys:
The get_param function references an input parameter of a template. It resolves to the value provided for this input parameter at runtime.
The syntax of the get_param function is
get_param:
- <parameter name>
- <key/index 1> (optional)
- <key/index 2> (optional)
- ...
The following example demonstrates the use of the get_param function
parameters:
instance_type:
type: string
label: Instance Type
description: Instance type to be used.
server_data:
type: json
resources:
my_instance:
type: OS::Nova::Server
properties:
flavor: { get_param: instance_type}
metadata: { get_param: [ server_data, metadata ] }
key_name: { get_param: [ server_data, keys, 0 ] }
In this example, if the instance_type and server_data parameters contained the following data:
{"instance_type": "m1.tiny",
{"server_data": {"metadata": {"foo": "bar"},
"keys": ["a_key","other_key"]}}}
then the value of the property flavor would resolve to m1.tiny, metadata would resolve to {"foo": "bar"} and key_name would resolve to a_key.
The get_resource function references another resource within the same template. At runtime, it is resolved to reference the ID of the referenced resource, which is resource type specific. For example, a reference to a floating IP resource returns the respective IP address at runtime. The syntax of the get_resource function is
get_resource: <resource ID>
The resource ID of the referenced resource is given as single parameter to the get_resource function.
For example
resources:
instance_port:
type: OS::Neutron::Port
properties: ...
instance:
type: OS::Nova::Server
properties:
...
networks:
port: { get_resource: instance_port }
The list_join function joins a list of strings with the given delimiter.
The syntax of the list_join function is
list_join:
- <delimiter>
- <list to join>
For example
list_join: [', ', ['one', 'two', 'and three']]
This resolve to the string one, two, and three.
From HOT version 2015-10-15 you may optionally pass additional lists, which will be appended to the previous lists to join.
For example:
list_join: [', ', ['one', 'two'], ['three', 'four']]]
This resolve to the string one, two, three, four.
From HOT version 2015-10-15 you may optionally also pass non-string list items (e.g json/map/list parameters or attributes) and they will be serialized as json before joining.
The digest function allows for performing digest operations on a given value. This function has been introduced in the Kilo release and is usable with HOT versions later than 2015-04-30.
The syntax of the digest function is
digest:
- <algorithm>
- <value>
For example
# from a user supplied parameter
pwd_hash: { digest: ['sha512', { get_param: raw_password }] }
The value of the digest function would resolve to the corresponding hash of the value of raw_password.
The repeat function allows for dynamically transforming lists by iterating over the contents of one or more source lists and replacing the list elements into a template. The result of this function is a new list, where the elements are set to the template, rendered for each list item.
The syntax of the repeat function is
repeat:
template:
<template>
for_each:
<var>: <list>
The following example shows how a security group resource can be defined to include a list of ports given as a parameter
parameters:
ports:
type: comma_delimited_list
label: ports
default: "80,443,8080"
resources:
security_group:
type: OS::Neutron::SecurityGroup
properties:
name: web_server_security_group
rules:
repeat:
for_each:
%port%: { get_param: ports }
template:
protocol: tcp
port_range_min: %port%
port_range_max: %port%
The following example demonstrates how the use of multiple lists enables the security group to also include parameterized protocols
parameters:
ports:
type: comma_delimited_list
label: ports
default: "80,443,8080"
protocols:
type: comma_delimited_list
label: protocols
default: "tcp,udp"
resources:
security_group:
type: OS::Neutron::SecurityGroup
properties:
name: web_server_security_group
rules:
repeat:
for_each:
%port%: { get_param: ports }
%protocol%: { get_param: protocols }
template:
protocol: %protocol%
port_range_min: %port%
Note how multiple entries in the for_each argument are equivalent to nested for-loops in most programming languages.
The resource_facade function retrieves data in a parent provider template.
A provider template provides a custom definition of a resource, called its facade. For more information about custom templates, see Template composition. The syntax of the resource_facade function is
resource_facade: <data type>
data type can be one of metadata, deletion_policy or update_policy.
The str_replace function dynamically constructs strings by providing a template string with placeholders and a list of mappings to assign values to those placeholders at runtime. The placeholders are replaced with mapping values wherever a mapping key exactly matches a placeholder.
The syntax of the str_replace function is
str_replace:
template: <template string>
params: <parameter mappings>
The following example shows a simple use of the str_replace function in the outputs section of a template to build a URL for logging into a deployed application
resources:
my_instance:
type: OS::Nova::Server
# general metadata and properties ...
outputs:
Login_URL:
description: The URL to log into the deployed application
value:
str_replace:
template: http://host/MyApplication
params:
host: { get_attr: [ my_instance, first_address ] }
The following examples show the use of the str_replace function to build an instance initialization script
parameters:
DBRootPassword:
type: string
label: Database Password
description: Root password for MySQL
hidden: true
resources:
my_instance:
type: OS::Nova::Server
properties:
# general properties ...
user_data:
str_replace:
template: |
#!/bin/bash
echo "Hello world"
echo "Setting MySQL root password"
mysqladmin -u root password $db_rootpassword
# do more things ...
params:
$db_rootpassword: { get_param: DBRootPassword }
In the example above, one can imagine that MySQL is being configured on a compute instance and the root password is going to be set based on a user provided parameter. The script for doing this is provided as userdata to the compute instance, leveraging the str_replace function.
The str_split function allows for splitting a string into a list by providing an arbitrary delimiter, the opposite of list_join.
The syntax of the str_split function is as follows:
str_split:
- ','
- string,to,split
Or:
str_split: [',', 'string,to,split']
The result of which is:
['string', 'to', 'split']
Optionally, an index may be provided to select a specific entry from the resulting list, similar to get_attr/get_param:
str_split: [',', 'string,to,split', 0]
The result of which is:
'string'
Note: The index starts at zero, and any value outside the maximum (e.g the length of the list minus one) will cause an error.