heat_template_version: 2016-04-08

description: >
  OpenStack controller node configured by Puppet.

parameters:
  AdminPassword:
    description: The password for the keystone admin account, used for monitoring, querying neutron etc.
    type: string
    hidden: true
  AodhPassword:
    description: The password for the aodh services.
    type: string
    hidden: true
  controllerExtraConfig:
    default: {}
    description: |
      Deprecated. Use ControllerExtraConfig via parameter_defaults instead.
    type: json
  ControllerExtraConfig:
    default: {}
    description: |
      Controller specific hiera configuration data to inject into the cluster.
    type: json
  ControllerIPs:
    default: {}
    description: >
      A network mapped list of IPs to assign to Controllers in the following form:
      {
        "internal_api": ["a.b.c.d", "e.f.g.h"],
        ...
      }
    type: json
  ControlVirtualInterface:
    default: 'br-ex'
    description: Interface where virtual ip will be assigned.
    type: string
  CorosyncIPv6:
    default: false
    description: Enable IPv6 in Corosync
    type: boolean
  Debug:
    default: ''
    description: Set to True to enable debugging on all services.
    type: string
  EnableFencing:
    default: false
    description: Whether to enable fencing in Pacemaker or not.
    type: boolean
  EnableGalera:
    default: true
    description: Whether to use Galera instead of regular MariaDB.
    type: boolean
  EnableLoadBalancer:
    default: true
    description: Whether to deploy a LoadBalancer on the Controller
    type: boolean
  ExtraConfig:
    default: {}
    description: |
      Additional hieradata to inject into the cluster, note that
      ControllerExtraConfig takes precedence over ExtraConfig.
    type: json
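  # Pacemaker fencing device definitions, handed to the controller as the
  # fencing_config deployment input.
  FencingConfig:
    default: {}
    description: |
      Pacemaker fencing configuration. The JSON should have
      the following structure:
        {
          "devices": [
            {
              "agent": "AGENT_NAME",
              "host_mac": "HOST_MAC_ADDRESS",
              "params": {"PARAM_NAME": "PARAM_VALUE"}
            }
          ]
        }
      For instance:
        {
          "devices": [
            {
              "agent": "fence_xvm",
              "host_mac": "52:54:00:aa:bb:cc",
              "params": {
                "multicast_address": "225.0.0.12",
                "port": "baremetal_0",
                "manage_fw": true,
                "manage_key_file": true,
                "key_file": "/etc/fence_xvm.key",
                "key_file_password": "abcdef"
              }
            }
          ]
        }
    type: json
    # The documented structure carries fencing-agent credentials (for
    # example key_file_password inside params), so the value is masked in
    # stack output like the other secret parameters in this template.
    hidden: true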
  Flavor:
    description: Flavor for control nodes to request when deploying.
    type: string
    constraints:
      - custom_constraint: nova.flavor
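  # Credential for the HAProxy stats endpoint, passed on as the
  # haproxy_stats_password deployment input.
  HAProxyStatsPassword:
    description: Password for HAProxy stats endpoint
    type: string
    # Masked in stack output, consistent with every other password
    # parameter declared in this template.
    hidden: true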
  HAProxyStatsUser:
    description: User for HAProxy stats endpoint
    default: admin
    type: string
  HAProxySyslogAddress:
    default: /dev/log
    description: Syslog address where HAproxy will send its log
    type: string
  HeatAuthEncryptionKey:
    description: Auth encryption key for heat-engine
    type: string
    hidden: true
  HorizonSecret:
    description: Secret key for Django
    type: string
    hidden: true
  Image:
    type: string
    default: overcloud-control
    constraints:
      - custom_constraint: glance.image
  ImageUpdatePolicy:
    default: 'REBUILD_PRESERVE_EPHEMERAL'
    description: What policy to use when reconstructing instances. REBUILD for rebuilds, REBUILD_PRESERVE_EPHEMERAL to preserve /mnt.
    type: string
  InstanceNameTemplate:
    default: 'instance-%08x'
    description: Template string to be used to generate instance names
    type: string
  KeyName:
    default: default
    description: Name of an existing Nova key pair to enable SSH access to the instances
    type: string
    constraints:
      - custom_constraint: nova.keypair
  KeystoneRegion:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
  ManageFirewall:
    default: false
    description: Whether to manage IPtables rules.
    type: boolean
  MemcachedIPv6:
    default: false
    description: Enable IPv6 features in Memcached.
    type: boolean
  PurgeFirewallRules:
    default: false
    description: Whether IPtables rules should be purged before setting up the new ones.
    type: boolean
  MysqlClusterUniquePart:
    description: A unique identifier of the MySQL cluster the controller is in.
    type: string
    default: 'unset'  # Has to be here because of the ignored empty value bug
    # Drop the validation: https://bugs.launchpad.net/tripleo/+bug/1405446
    # constraints:
    # - length: {min: 4, max: 10}
  MysqlInnodbBufferPoolSize:
    description: >
        Specifies the size of the buffer pool in megabytes. Setting to
        zero should be interpreted as "no value" and will defer to the
        lower level default.
    type: number
    default: 0
  MysqlMaxConnections:
    description: Configures MySQL max_connections config setting
    type: number
    default: 4096
  MysqlClustercheckPassword:
    type: string
    hidden: true
  # Root password for the MySQL server: passed on as the mysql_root_password
  # deployment input and mapped to mysql::server::root_password in hiera.
  # NOTE(review): the default is the empty string (kept only because of the
  # empty-value bug mentioned on the default line) — confirm the deployment
  # tooling always supplies a generated value, so that an empty root
  # password can never be what reaches the database configuration.
  MysqlRootPassword:
    type: string
    hidden: true
    default: ''  # Has to be here because of the ignored empty value bug
  NeutronMetadataProxySharedSecret:
    description: Shared secret to prevent spoofing
    type: string
    hidden: true
  NeutronPassword:
    description: The password for the neutron service and db account, used by neutron agents.
    type: string
    hidden: true
  NeutronPublicInterface:
    default: nic1
    description: What interface to bridge onto br-ex for network nodes.
    type: string
  NovaEnableDBPurge:
    default: true
    description: |
        Whether to create cron job for purging soft deleted rows in Nova database.
    type: boolean
  NovaIPv6:
    default: false
    description: Enable IPv6 features in Nova
    type: boolean
  NovaPassword:
    description: The password for the nova service and db account, used by nova-api.
    type: string
    hidden: true
  PcsdPassword:
    type: string
    description: The password for the 'pcsd' user.
    hidden: true
  PublicVirtualInterface:
    default: 'br-ex'
    description: >
        Specifies the interface where the public-facing virtual ip will be assigned.
        This should be int_public when a VLAN is being used.
    type: string
  RabbitCookie:
    type: string
    default: ''  # Has to be here because of the ignored empty value bug
    hidden: true
  RabbitPassword:
    description: The password for RabbitMQ
    type: string
    hidden: true
  # Account name used for RabbitMQ; passed on as the rabbit_username input.
  # NOTE(review): 'guest' is RabbitMQ's stock account name — confirm that
  # deployments either override it or always pair it with a generated
  # RabbitPassword rather than a well-known one.
  RabbitUserName:
    default: guest
    description: The username for RabbitMQ
    type: string
  # Passed on as the rabbit_client_use_ssl input, which the controller hiera
  # data maps to aodh::rabbit_use_ssl.
  # NOTE(review): the parameter is declared as type string while its default
  # is the YAML boolean false, so consumers presumably receive a string
  # rendering of it — confirm that rendering is still read as "disabled".
  # NOTE(review): with this default, client traffic to RabbitMQ is presumably
  # not TLS-protected; enabling it also needs RabbitClientPort changed.
  RabbitClientUseSSL:
    default: false
    description: >
        Rabbit client subscriber parameter to specify
        an SSL connection to the RabbitMQ host.
    type: string
  RabbitClientPort:
    default: 5672
    description: Set rabbit subscriber port, change this if using SSL
    type: number
  RedisPassword:
    description: The password for Redis
    type: string
    hidden: true
  RedisVirtualIP:
    type: string
    default: ''  # Has to be here because of the ignored empty value bug
  RedisVirtualIPUri:
    type: string
    default: ''  # Has to be here because of the ignored empty value bug
    description: An IP address which is wrapped in brackets in case of IPv6
  SwiftHashSuffix:
    description: A random string to be used as a salt when hashing to determine mappings
      in the ring.
    hidden: true
    type: string
  UpgradeLevelNovaCompute:
    type: string
    description: Nova Compute upgrade level
    default: ''
  MysqlVirtualIP:
    type: string
    default: ''
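  # Toggle for Puppet-driven package installation; passed on as the
  # enable_package_install deployment input.
  EnablePackageInstall:
    # Written as a real boolean, matching the declared type and the other
    # boolean parameters in this template (previously the quoted string
    # 'false', which only worked through Heat's string-to-boolean coercion).
    default: false
    description: Set to true to enable package installation via Puppet
    type: boolean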
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  UpdateIdentifier:
    default: ''
    type: string
    description: >
      Setting to a previously unused value during stack-update will trigger
      package update on all nodes
  Hostname:
    type: string
    default: '' # Defaults to Heat created hostname
  HostnameMap:
    type: json
    default: {}
    description: Optional mapping to override hostnames
  NetworkDeploymentActions:
    type: comma_delimited_list
    description: >
      Heat action when to apply network configuration changes
    default: ['CREATE']
  NodeIndex:
    type: number
    default: 0
  SoftwareConfigTransport:
    default: POLL_SERVER_CFN
    description: |
      How the server should receive the metadata required for software configuration.
    type: string
    constraints:
    - allowed_values: [POLL_SERVER_CFN, POLL_SERVER_HEAT, POLL_TEMP_URL, ZAQAR_MESSAGE]
  CloudDomain:
    default: ''
    type: string
    description: >
      The DNS domain used for the hosts. This should match the dhcp_domain
      configured in the Undercloud neutron. Defaults to localdomain.
  # Free-form metadata attached to the Controller server (its "metadata"
  # property). As the description states, the content is readable through
  # the Nova metadata API, so it is not a place for passwords or keys.
  ServerMetadata:
    default: {}
    description: >
      Extra properties or metadata passed to Nova for the created nodes in
      the overcloud. It's accessible via the Nova metadata API.
    type: json
  SchedulerHints:
    type: json
    description: Optional scheduler hints to pass to nova
    default: {}
  ServiceConfigSettings:
    type: json
    default: {}
  ServiceNames:
    type: comma_delimited_list
    default: []
  # Command line stored in the Controller resource's metadata under
  # os-collect-config.command.
  # NOTE(review): whoever can set this parameter chooses what is executed on
  # the controller when configuration data changes (presumably with the
  # privileges of os-collect-config) — treat overrides of it as privileged
  # changes and review them accordingly.
  ConfigCommand:
    type: string
    description: Command which will be run whenever configuration data changes
    default: os-refresh-config --timeout 14400

# Groups shown to users; the only group flags parameters kept for
# backwards compatibility.
parameter_groups:
  - label: deprecated
    description: Do not use deprecated params, they will be removed.
    parameters:
      - controllerExtraConfig

resources:

  # The controller server itself, attached to the ctlplane network and
  # configured through Heat software config.
  Controller:
    type: OS::TripleO::Server
    metadata:
      os-collect-config:
        # Command taken verbatim from the ConfigCommand parameter.
        command:
          get_param: ConfigCommand
    properties:
      image:
        get_param: Image
      image_update_policy:
        get_param: ImageUpdatePolicy
      flavor:
        get_param: Flavor
      # Existing Nova key pair used for SSH access (see KeyName).
      key_name:
        get_param: KeyName
      networks:
        - network: ctlplane
      user_data_format: SOFTWARE_CONFIG
      user_data:
        get_resource: UserData
      # Hostname template with HostnameMap entries substituted into it.
      name:
        str_replace:
          template:
            get_param: Hostname
          params:
            get_param: HostnameMap
      software_config_transport:
        get_param: SoftwareConfigTransport
      metadata:
        get_param: ServerMetadata
      scheduler_hints:
        get_param: SchedulerHints

  # Merges the NodeAdminUserData and NodeUserData mime archives into the
  # single user_data payload handed to the Controller server.
  UserData:
    type: OS::Heat::MultipartMime
    properties:
      parts:
        - type: multipart
          config:
            get_resource: NodeAdminUserData
        - type: multipart
          config:
            get_resource: NodeUserData

  # Creates the "heat-admin" user if configured via the environment.
  # Should return an OS::Heat::MultipartMime reference via OS::stack_id;
  # that reference is included as one part of the UserData resource.
  NodeAdminUserData:
    type: OS::TripleO::NodeAdminUserData

  # Optional additional userdata supplied by the operator.
  # Should return an OS::Heat::MultipartMime reference via OS::stack_id;
  # that reference is included as one part of the UserData resource, so
  # whatever the registered implementation provides ends up in the server's
  # user_data.
  NodeUserData:
    type: OS::TripleO::NodeUserData

  # Port resource of type OS::TripleO::Controller::Ports::ExternalPort.
  ExternalPort:
    type: OS::TripleO::Controller::Ports::ExternalPort
    properties:
      # Passed straight through from the ControllerIPs and NodeIndex
      # parameters.
      IPPool:
        get_param: ControllerIPs
      NodeIndex:
        get_param: NodeIndex
      # First ctlplane address reported by the Controller server.
      ControlPlaneIP:
        get_attr: [Controller, networks, ctlplane, 0]

  # Port resource of type OS::TripleO::Controller::Ports::InternalApiPort.
  InternalApiPort:
    type: OS::TripleO::Controller::Ports::InternalApiPort
    properties:
      # Passed straight through from the ControllerIPs and NodeIndex
      # parameters.
      IPPool:
        get_param: ControllerIPs
      NodeIndex:
        get_param: NodeIndex
      # First ctlplane address reported by the Controller server.
      ControlPlaneIP:
        get_attr: [Controller, networks, ctlplane, 0]

  # Port resource of type OS::TripleO::Controller::Ports::StoragePort.
  StoragePort:
    type: OS::TripleO::Controller::Ports::StoragePort
    properties:
      # Passed straight through from the ControllerIPs and NodeIndex
      # parameters.
      IPPool:
        get_param: ControllerIPs
      NodeIndex:
        get_param: NodeIndex
      # First ctlplane address reported by the Controller server.
      ControlPlaneIP:
        get_attr: [Controller, networks, ctlplane, 0]

  # Port resource of type OS::TripleO::Controller::Ports::StorageMgmtPort.
  StorageMgmtPort:
    type: OS::TripleO::Controller::Ports::StorageMgmtPort
    properties:
      # Passed straight through from the ControllerIPs and NodeIndex
      # parameters.
      IPPool:
        get_param: ControllerIPs
      NodeIndex:
        get_param: NodeIndex
      # First ctlplane address reported by the Controller server.
      ControlPlaneIP:
        get_attr: [Controller, networks, ctlplane, 0]

  # Port resource of type OS::TripleO::Controller::Ports::TenantPort.
  TenantPort:
    type: OS::TripleO::Controller::Ports::TenantPort
    properties:
      # Passed straight through from the ControllerIPs and NodeIndex
      # parameters.
      IPPool:
        get_param: ControllerIPs
      NodeIndex:
        get_param: NodeIndex
      # First ctlplane address reported by the Controller server.
      ControlPlaneIP:
        get_attr: [Controller, networks, ctlplane, 0]

  # Port resource of type OS::TripleO::Controller::Ports::ManagementPort.
  ManagementPort:
    type: OS::TripleO::Controller::Ports::ManagementPort
    properties:
      # Passed straight through from the ControllerIPs and NodeIndex
      # parameters.
      IPPool:
        get_param: ControllerIPs
      NodeIndex:
        get_param: NodeIndex
      # First ctlplane address reported by the Controller server.
      ControlPlaneIP:
        get_attr: [Controller, networks, ctlplane, 0]

  # Collects the address, subnet and URI form of every port above (plus the
  # ctlplane address) into one resource; its net_ip_map, net_ip_subnet_map
  # and net_ip_uri_map attributes are read elsewhere in this template.
  NetIpMap:
    type: OS::TripleO::Network::Ports::NetIpMap
    properties:
      ControlPlaneIp:
        get_attr: [Controller, networks, ctlplane, 0]

      ExternalIp:
        get_attr: [ExternalPort, ip_address]
      ExternalIpSubnet:
        get_attr: [ExternalPort, ip_subnet]
      ExternalIpUri:
        get_attr: [ExternalPort, ip_address_uri]

      InternalApiIp:
        get_attr: [InternalApiPort, ip_address]
      InternalApiIpSubnet:
        get_attr: [InternalApiPort, ip_subnet]
      InternalApiIpUri:
        get_attr: [InternalApiPort, ip_address_uri]

      StorageIp:
        get_attr: [StoragePort, ip_address]
      StorageIpSubnet:
        get_attr: [StoragePort, ip_subnet]
      StorageIpUri:
        get_attr: [StoragePort, ip_address_uri]

      StorageMgmtIp:
        get_attr: [StorageMgmtPort, ip_address]
      StorageMgmtIpSubnet:
        get_attr: [StorageMgmtPort, ip_subnet]
      StorageMgmtIpUri:
        get_attr: [StorageMgmtPort, ip_address_uri]

      TenantIp:
        get_attr: [TenantPort, ip_address]
      TenantIpSubnet:
        get_attr: [TenantPort, ip_subnet]
      TenantIpUri:
        get_attr: [TenantPort, ip_address_uri]

      ManagementIp:
        get_attr: [ManagementPort, ip_address]
      ManagementIpSubnet:
        get_attr: [ManagementPort, ip_subnet]
      ManagementIpUri:
        get_attr: [ManagementPort, ip_address_uri]


  # Network software config for the controller, fed the ctlplane address
  # and the subnet of each port created above.
  NetworkConfig:
    type: OS::TripleO::Controller::Net::SoftwareConfig
    properties:
      ControlPlaneIp:
        get_attr: [Controller, networks, ctlplane, 0]
      ExternalIpSubnet:
        get_attr: [ExternalPort, ip_subnet]
      InternalApiIpSubnet:
        get_attr: [InternalApiPort, ip_subnet]
      StorageIpSubnet:
        get_attr: [StoragePort, ip_subnet]
      StorageMgmtIpSubnet:
        get_attr: [StorageMgmtPort, ip_subnet]
      TenantIpSubnet:
        get_attr: [TenantPort, ip_subnet]
      ManagementIpSubnet:
        get_attr: [ManagementPort, ip_subnet]

  # Applies NetworkConfig to the Controller server; it runs only for the
  # Heat actions listed in NetworkDeploymentActions.
  NetworkDeployment:
    type: OS::TripleO::SoftwareDeployment
    properties:
      name: NetworkDeployment
      config:
        get_resource: NetworkConfig
      server:
        get_resource: Controller
      actions:
        get_param: NetworkDeploymentActions
      input_values:
        bridge_name: br-ex
        interface_name:
          get_param: NeutronPublicInterface

  # Site-specific hook that injects the root (CA) certificate into the
  # Controller server; ordered after NetworkDeployment.
  NodeTLSCAData:
    type: OS::TripleO::NodeTLSCAData
    depends_on: NetworkDeployment
    properties:
      server:
        get_resource: Controller

  # Site-specific hook that passes private keys and certificates to the
  # Controller server; ordered after NodeTLSCAData.
  NodeTLSData:
    type: OS::TripleO::NodeTLSData
    depends_on: NodeTLSCAData
    properties:
      server:
        get_resource: Controller
      NodeIndex:
        get_param: NodeIndex


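  # Delivers the per-node input values that ControllerConfig reads back with
  # get_input to the Controller server. Ordered after NetworkDeployment.
  ControllerDeployment:
    type: OS::TripleO::SoftwareDeployment
    depends_on: NetworkDeployment
    properties:
      name: ControllerDeployment
      config: {get_resource: ControllerConfig}
      server: {get_resource: Controller}
      # Many of the inputs below are credentials taken from hidden
      # parameters (passwords, keys, shared secrets) or strings that embed
      # them (ceilometer_coordination_url, aodh_dsn).
      # NOTE(review): ControllerConfig also reads get_input for
      # cinder_password, snmpd_readonly_user_name and
      # snmpd_readonly_user_password, none of which is supplied here —
      # confirm whether those hiera keys are still expected to carry a
      # value or should be dropped from ControllerConfig.
      input_values:
        bootstack_nodeid: {get_attr: [Controller, name]}
        haproxy_log_address: {get_param: HAProxySyslogAddress}
        haproxy_stats_password: {get_param: HAProxyStatsPassword}
        haproxy_stats_user: {get_param: HAProxyStatsUser}
        heat_auth_encryption_key: {get_param: HeatAuthEncryptionKey}
        horizon_secret: {get_param: HorizonSecret}
        admin_password: {get_param: AdminPassword}
        debug: {get_param: Debug}
        cinder_public_url: {get_param: [EndpointMap, CinderPublic, uri]}
        cinder_internal_url: {get_param: [EndpointMap, CinderInternal, uri]}
        cinder_admin_url: {get_param: [EndpointMap, CinderAdmin, uri]}
        cinder_public_url_v2: {get_param: [EndpointMap, CinderV2Public, uri]}
        cinder_internal_url_v2: {get_param: [EndpointMap, CinderV2Internal, uri]}
        cinder_admin_url_v2: {get_param: [EndpointMap, CinderV2Admin, uri]}
        keystone_identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
        keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
        keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]}
        enable_fencing: {get_param: EnableFencing}
        enable_galera: {get_param: EnableGalera}
        enable_load_balancer: {get_param: EnableLoadBalancer}
        manage_firewall: {get_param: ManageFirewall}
        purge_firewall_rules: {get_param: PurgeFirewallRules}
        mysql_innodb_buffer_pool_size: {get_param: MysqlInnodbBufferPoolSize}
        mysql_max_connections: {get_param: MysqlMaxConnections}
        mysql_root_password: {get_param: MysqlRootPassword}
        mysql_clustercheck_password: {get_param: MysqlClustercheckPassword}
        # "tripleo-" followed by the MysqlClusterUniquePart value.
        mysql_cluster_name:
          str_replace:
            template: tripleo-CLUSTER
            params:
              CLUSTER: {get_param: MysqlClusterUniquePart}
        neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
        neutron_password: {get_param: NeutronPassword}
        neutron_internal_url: {get_param: [EndpointMap, NeutronInternal, uri]}
        neutron_public_url: {get_param: [EndpointMap, NeutronPublic, uri]}
        neutron_admin_url: {get_param: [EndpointMap, NeutronAdmin, uri]}
        neutron_auth_url: {get_param: [EndpointMap, KeystoneV3Admin, uri]}
        aodh_password: {get_param: AodhPassword}
        aodh_internal_url: {get_param: [EndpointMap, AodhInternal, uri]}
        aodh_public_url: {get_param: [EndpointMap, AodhPublic, uri]}
        aodh_admin_url: {get_param: [EndpointMap, AodhAdmin, uri]}
        # Built by plain concatenation: RedisPassword lands in the URL's
        # userinfo part without percent-encoding, so a password containing
        # '@', ':' or '/' produces a URL that parses differently than
        # intended. The resulting string is itself a secret.
        ceilometer_coordination_url:
          list_join:
            - ''
            - - 'redis://:'
              - {get_param: RedisPassword}
              - '@'
              - {get_param: RedisVirtualIPUri}
              - ':6379/'
        # Same construction and same caveat as above, with AodhPassword
        # embedded in the database connection string.
        aodh_dsn:
          list_join:
            - ''
            - - {get_param: [EndpointMap, MysqlInternal, protocol]}
              - '://aodh:'
              - {get_param: AodhPassword}
              - '@'
              - {get_param: [EndpointMap, MysqlInternal, host]}
              - '/aodh'
        gnocchi_internal_url: {get_param: [EndpointMap, GnocchiInternal, uri]}
        gnocchi_public_url: {get_param: [EndpointMap, GnocchiPublic, uri]}
        gnocchi_admin_url: {get_param: [EndpointMap, GnocchiAdmin, uri]}
        nova_enable_db_purge: {get_param: NovaEnableDBPurge}
        nova_ipv6: {get_param: NovaIPv6}
        corosync_ipv6: {get_param: CorosyncIPv6}
        memcached_ipv6: {get_param: MemcachedIPv6}
        nova_password: {get_param: NovaPassword}
        upgrade_level_nova_compute: {get_param: UpgradeLevelNovaCompute}
        instance_name_template: {get_param: InstanceNameTemplate}
        nova_public_url: {get_param: [EndpointMap, NovaPublic, uri]}
        # Declared exactly once: a second identical nova_internal_url key
        # used to sit among the neutron URLs, and duplicate mapping keys are
        # silently resolved last-wins by most YAML loaders.
        nova_internal_url: {get_param: [EndpointMap, NovaInternal, uri]}
        nova_admin_url: {get_param: [EndpointMap, NovaAdmin, uri]}
        fencing_config: {get_param: FencingConfig}
        pcsd_password: {get_param: PcsdPassword}
        rabbit_username: {get_param: RabbitUserName}
        rabbit_password: {get_param: RabbitPassword}
        rabbit_cookie: {get_param: RabbitCookie}
        rabbit_client_use_ssl: {get_param: RabbitClientUseSSL}
        rabbit_client_port: {get_param: RabbitClientPort}
        control_virtual_interface: {get_param: ControlVirtualInterface}
        public_virtual_interface: {get_param: PublicVirtualInterface}
        swift_hash_suffix: {get_param: SwiftHashSuffix}
        enable_package_install: {get_param: EnablePackageInstall}
        enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
        # The *_network inputs below resolve a service's network name through
        # ServiceNetMap and look up this node's address (or subnet) on that
        # network in the NetIpMap attributes.
        swift_proxy_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, SwiftProxyNetwork]}]}
        swift_management_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, SwiftMgmtNetwork]}]}
        # The address is wrapped in single quotes by the template.
        cinder_iscsi_network:
          str_replace:
            template: "'IP'"
            params:
              IP: {get_attr: [NetIpMap, net_ip_uri_map, {get_param: [ServiceNetMap, CinderIscsiNetwork]}]}
        cinder_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, CinderApiNetwork]}]}
        glance_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, GlanceApiNetwork]}]}
        glance_registry_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, GlanceRegistryNetwork]}]}
        glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]}
        heat_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, HeatApiNetwork]}]}
        keystone_public_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}]}
        keystone_admin_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}]}
        keystone_region: {get_param: KeystoneRegion}
        mongo_db_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, MongoDbNetwork]}]}
        neutron_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NeutronApiNetwork]}]}
        neutron_local_ip: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NeutronTenantNetwork]}]}
        ceilometer_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, CeilometerApiNetwork]}]}
        aodh_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, AodhApiNetwork]}]}
        gnocchi_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, GnocchiApiNetwork]}]}
        nova_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NovaApiNetwork]}]}
        nova_metadata_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NovaMetadataNetwork]}]}
        horizon_network: {get_attr: [NetIpMap, net_ip_map, {get_attr: [NetIpMap, net_ip_map]}, {get_param: [ServiceNetMap, HorizonNetwork]}]}
        # The subnet is rendered as a one-element list literal by the
        # template.
        horizon_subnet:
          str_replace:
            template: "['SUBNET']"
            params:
              SUBNET: {get_attr: [NetIpMap, net_ip_subnet_map, {get_param: [ServiceNetMap, HorizonNetwork]}]}
        rabbitmq_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, RabbitMqNetwork]}]}
        redis_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, RedisNetwork]}]}
        redis_vip: {get_param: RedisVirtualIP}
        sahara_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, SaharaApiNetwork]}]}
        memcached_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, MemcachedNetwork]}]}
        mysql_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, MysqlNetwork]}]}
        mysql_virtual_ip: {get_param: MysqlVirtualIP}
        ceph_cluster_network: {get_attr: [NetIpMap, net_ip_subnet_map, {get_param: [ServiceNetMap, CephClusterNetwork]}]}
        ceph_public_network: {get_attr: [NetIpMap, net_ip_subnet_map, {get_param: [ServiceNetMap, CephPublicNetwork]}]}
        ceph_public_ip: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, CephPublicNetwork]}]}
        ironic_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, IronicApiNetwork]}]}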

  # Map heat metadata into hiera datafiles
  ControllerConfig:
    type: OS::Heat::StructuredConfig
    properties:
      group: os-apply-config
      config:
        hiera:
          hierarchy:
            - '"%{::uuid}"'
            - heat_config_%{::deploy_config_name}
            - controller_extraconfig
            - extraconfig
            - service_configs
            - service_names
            - controller
            - database
            - object
            - swift_devices_and_proxy # provided by SwiftDevicesAndProxyConfig
            - ceph_cluster # provided by CephClusterConfig
            - ceph
            - bootstrap_node # provided by BootstrapNodeConfig
            - all_nodes # provided by allNodesConfig
            - vip_data # provided by vip-config
            - '"%{::osfamily}"'
            - common
            - network
            - cinder_dellsc_data # Optionally provided by ControllerExtraConfigPre
            - cinder_netapp_data # Optionally provided by ControllerExtraConfigPre
            - cinder_eqlx_data # Optionally provided by ControllerExtraConfigPre
            - neutron_bigswitch_data # Optionally provided by ControllerExtraConfigPre
            - neutron_cisco_data # Optionally provided by ControllerExtraConfigPre
            - cisco_n1kv_data # Optionally provided by ControllerExtraConfigPre
            - midonet_data #Optionally provided by AllNodesExtraConfig
          merge_behavior: deeper
          datafiles:
            service_names:
              mapped_data:
                service_names: {get_param: ServiceNames}
            service_configs:
              mapped_data: {get_param: ServiceConfigSettings}
            controller_extraconfig:
              mapped_data:
                map_merge:
                  - {get_param: controllerExtraConfig}
                  - {get_param: ControllerExtraConfig}
            extraconfig:
              mapped_data: {get_param: ExtraConfig}
            common:
              raw_data: {get_file: hieradata/common.yaml}
            network:
              mapped_data:
                net_ip_map: {get_attr: [NetIpMap, net_ip_map]}
                net_ip_subnet_map: {get_attr: [NetIpMap, net_ip_subnet_map]}
                net_ip_uri_map: {get_attr: [NetIpMap, net_ip_uri_map]}
            ceph:
              raw_data: {get_file: hieradata/ceph.yaml}
              mapped_data:
                ceph::profile::params::cluster_network: {get_input: ceph_cluster_network}
                ceph::profile::params::public_network: {get_input: ceph_public_network}
                ceph::profile::params::public_addr: {get_input: ceph_public_ip}
            database:
              raw_data: {get_file: hieradata/database.yaml}
            object:
              raw_data: {get_file: hieradata/object.yaml}
            controller:
              raw_data: {get_file: hieradata/controller.yaml}
              mapped_data: # data supplied directly to this deployment configuration, etc
                bootstack_nodeid: {get_input: bootstack_nodeid}

                # Pacemaker
                enable_fencing: {get_input: enable_fencing}
                enable_load_balancer: {get_input: enable_load_balancer}
                hacluster_pwd: {get_input: pcsd_password}
                corosync_ipv6: {get_input: corosync_ipv6}
                tripleo::fencing::config: {get_input: fencing_config}

                # Swift
                # FIXME: need to move proxy_local_net_ip into swift-proxy.yaml
                swift::proxy::proxy_local_net_ip: {get_input: swift_proxy_network}
                swift::storage::all::storage_local_net_ip: {get_input: swift_management_network}
                swift::swift_hash_path_suffix: {get_input: swift_hash_suffix}

                # Cinder
                tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_address: {get_input: cinder_iscsi_network}
                cinder::api::bind_host: {get_input: cinder_api_network}
                cinder::keystone::auth::public_url: {get_input: cinder_public_url }
                cinder::keystone::auth::internal_url: {get_input: cinder_internal_url }
                cinder::keystone::auth::admin_url: {get_input: cinder_admin_url }
                cinder::keystone::auth::public_url_v2: {get_input: cinder_public_url_v2 }
                cinder::keystone::auth::internal_url_v2: {get_input: cinder_internal_url_v2 }
                cinder::keystone::auth::admin_url_v2: {get_input: cinder_admin_url_v2 }
                cinder::keystone::auth::password: {get_input: cinder_password }
                cinder::keystone::auth::region: {get_input: keystone_region}

                # Glance
                glance::api::bind_host: {get_input: glance_api_network}
                glance::registry::bind_host: {get_input: glance_registry_network}
                glance::keystone::auth::region: {get_input: keystone_region}

                # Heat
                heat::api::bind_host: {get_input: heat_api_network}
                heat::api_cloudwatch::bind_host: {get_input: heat_api_network}
                heat::api_cfn::bind_host: {get_input: heat_api_network}
                heat::engine::auth_encryption_key: {get_input: heat_auth_encryption_key}

                # Keystone
                keystone::admin_bind_host: {get_input: keystone_admin_api_network}
                keystone::public_bind_host: {get_input: keystone_public_api_network}
                keystone::wsgi::apache::bind_host: {get_input: keystone_public_api_network}
                keystone::wsgi::apache::admin_bind_host: {get_input: keystone_admin_api_network}

                # MongoDB
                mongodb::server::bind_ip: {get_input: mongo_db_network}

                # MySQL
                admin_password: {get_input: admin_password}
                enable_galera: {get_input: enable_galera}
                mysql_innodb_buffer_pool_size: {get_input: mysql_innodb_buffer_pool_size}
                mysql_max_connections: {get_input: mysql_max_connections}
                mysql::server::root_password: {get_input: mysql_root_password}
                mysql_clustercheck_password: {get_input: mysql_clustercheck_password}
                mysql_cluster_name: {get_input: mysql_cluster_name}
                mysql_bind_host: {get_input: mysql_network}
                mysql_virtual_ip: {get_input: mysql_virtual_ip}

                # Neutron
                neutron::bind_host: {get_input: neutron_api_network}
                neutron::agents::ml2::ovs::local_ip: {get_input: neutron_local_ip}
                neutron::agents::metadata::metadata_ip: {get_input: neutron_api_network}
                neutron::keystone::auth::public_url: {get_input: neutron_public_url }
                neutron::keystone::auth::internal_url: {get_input: neutron_internal_url }
                neutron::keystone::auth::admin_url: {get_input: neutron_admin_url }
                neutron::keystone::auth::password: {get_input: neutron_password }
                neutron::keystone::auth::region: {get_input: keystone_region}

                # Ceilometer
                ceilometer::api::host: {get_input: ceilometer_api_network}
                snmpd_readonly_user_name: {get_input: snmpd_readonly_user_name}
                snmpd_readonly_user_password: {get_input: snmpd_readonly_user_password}

                # Aodh
                aodh_mysql_conn_string: {get_input: aodh_dsn}
                aodh::rabbit_userid: {get_input: rabbit_username}
                aodh::rabbit_password: {get_input: rabbit_password}
                aodh::rabbit_use_ssl: {get_input: rabbit_client_use_ssl}
                aodh::rabbit_port: {get_input: rabbit_client_port}
                aodh::debug: {get_input: debug}
                aodh::wsgi::apache::ssl: false
                aodh::wsgi::apache::bind_host: {get_input: aodh_api_network}
                aodh::api::service_name: 'httpd'
                aodh::api::host: {get_input: aodh_api_network}
                aodh::api::keystone_password: {get_input: aodh_password}
                aodh::api::keystone_auth_uri: {get_input: keystone_auth_uri}
                aodh::api::keystone_identity_uri: {get_input: keystone_identity_uri}
                aodh::auth::auth_url: {get_input: keystone_auth_uri}
                aodh::auth::auth_password: {get_input: aodh_password}
                aodh::db::mysql::password: {get_input: aodh_password}
                # for a migration path from ceilometer-alarm to aodh, we use the same database & coordination
                aodh::evaluator::coordination_url: {get_input: ceilometer_coordination_url}
                aodh::keystone::auth::public_url: {get_input: aodh_public_url }
                aodh::keystone::auth::internal_url: {get_input: aodh_internal_url }
                aodh::keystone::auth::admin_url: {get_input: aodh_admin_url }
                aodh::keystone::auth::password: {get_input: aodh_password }
                aodh::keystone::auth::region: {get_input: keystone_region}

                # Gnocchi
                gnocchi::wsgi::apache::bind_host: {get_input: gnocchi_api_network}
                gnocchi::api::host: {get_input: gnocchi_api_network}
                gnocchi::api::keystone_auth_uri: {get_input: keystone_auth_uri}
                gnocchi::api::keystone_identity_uri: {get_input: keystone_identity_uri}
                gnocchi::storage::swift::swift_authurl: {get_input: keystone_auth_uri}
                gnocchi::keystone::auth::public_url: {get_input: gnocchi_public_url }
                gnocchi::keystone::auth::internal_url: {get_input: gnocchi_internal_url }
                gnocchi::keystone::auth::admin_url: {get_input: gnocchi_admin_url }
                gnocchi::keystone::auth::region: {get_input: keystone_region}

                # Nova
                nova::upgrade_level_compute: {get_input: upgrade_level_nova_compute}
                nova::use_ipv6: {get_input: nova_ipv6}
                nova::api::auth_uri: {get_input: keystone_auth_uri}
                nova::api::identity_uri: {get_input: keystone_identity_uri}
                nova::api::api_bind_address: {get_input: nova_api_network}
                nova::api::metadata_listen: {get_input: nova_metadata_network}
                nova::api::admin_password: {get_input: nova_password}
                nova::glance_api_servers: {get_input: glance_api_servers}
                nova::api::neutron_metadata_proxy_shared_secret: {get_input: neutron_metadata_proxy_shared_secret}
                nova::api::instance_name_template: {get_input: instance_name_template}
                nova::network::neutron::neutron_password: {get_input: neutron_password}
                nova::network::neutron::neutron_url: {get_input: neutron_internal_url}
                nova::network::neutron::neutron_auth_url: {get_input: neutron_auth_url}
                nova::vncproxy::host: {get_input: nova_api_network}
                nova_enable_db_purge: {get_input: nova_enable_db_purge}
                nova::keystone::auth::public_url: {get_input: nova_public_url}
                nova::keystone::auth::internal_url: {get_input: nova_internal_url}
                nova::keystone::auth::admin_url: {get_input: nova_admin_url}
                nova::keystone::auth::password: {get_input: nova_password }
                nova::keystone::auth::region: {get_input: keystone_region}

                # Horizon
                apache::mod::remoteip::proxy_ips: {get_input: horizon_subnet}
                apache::ip: {get_input: horizon_network}
                horizon::django_debug: {get_input: debug}
                horizon::secret_key: {get_input: horizon_secret}
                horizon::bind_address: {get_input: horizon_network}
                horizon::keystone_url: {get_input: keystone_auth_uri}

                # RabbitMQ
                rabbitmq::node_ip_address: {get_input: rabbitmq_network}
                rabbitmq::erlang_cookie: {get_input: rabbit_cookie}
                # Redis
                redis::bind: {get_input: redis_network}
                redis_vip: {get_input: redis_vip}
                # Firewall
                tripleo::firewall::manage_firewall: {get_input: manage_firewall}
                tripleo::firewall::purge_firewall_rules: {get_input: purge_firewall_rules}
                # Misc
                memcached_ipv6: {get_input: memcached_ipv6}
                memcached::listen_ip: {get_input: memcached_network}
                control_virtual_interface: {get_input: control_virtual_interface}
                public_virtual_interface: {get_input: public_virtual_interface}
                tripleo::keepalived::control_virtual_interface: {get_input: control_virtual_interface}
                tripleo::keepalived::public_virtual_interface: {get_input: public_virtual_interface}
                tripleo::haproxy::control_virtual_interface: {get_input: control_virtual_interface}
                tripleo::haproxy::public_virtual_interface: {get_input: public_virtual_interface}
                tripleo::haproxy::haproxy_log_address: {get_input: haproxy_log_address}
                tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
                tripleo::haproxy::haproxy_stats_user: {get_input: haproxy_stats_user}
                tripleo::haproxy::haproxy_stats_password: {get_input: haproxy_stats_password}
                tripleo::haproxy::redis_password: {get_input: redis_password}
                tripleo::packages::enable_install: {get_input: enable_package_install}
                tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade}

  # Hook for site-specific additional pre-deployment config, e.g. extra
  # hieradata. It is created only after ControllerDeployment and targets
  # the Controller server.
  # NOTE(review): the implementation behind this OS::TripleO type is not in
  # this file; presumably it is supplied by the environment's resource
  # registry. Whatever is mapped there is applied to the controller, so
  # review that mapping like any other node configuration.
  ControllerExtraConfigPre:
    type: OS::TripleO::ControllerExtraConfigPre
    depends_on: ControllerDeployment
    properties:
      server:
        get_resource: Controller

  # Hook for site-specific additional pre-deployment config that applies to
  # all nodes, e.g. node registration/unregistration. Ordered after both
  # ControllerExtraConfigPre and NodeTLSData.
  # NOTE(review): as with the other OS::TripleO hook types, the template
  # that actually runs is presumably chosen by the environment - confirm
  # what is mapped before deploying.
  NodeExtraConfig:
    type: OS::TripleO::NodeExtraConfig
    depends_on:
    - ControllerExtraConfigPre
    - NodeTLSData
    properties:
      server:
        get_resource: Controller

  # Package-update task definition; UpdateDeployment applies it to the
  # Controller server. The task body is not defined in this file.
  UpdateConfig:
    type: OS::TripleO::Tasks::PackageUpdate

  # Applies UpdateConfig to the Controller server, passing the
  # UpdateIdentifier parameter through as the update_identifier input.
  # NOTE(review): presumably a changed identifier is what triggers a new
  # package update run - confirm against the PackageUpdate task.
  UpdateDeployment:
    type: OS::Heat::SoftwareDeployment
    properties:
      name: UpdateDeployment
      config:
        get_resource: UpdateConfig
      server:
        get_resource: Controller
      input_values:
        update_identifier: {get_param: UpdateIdentifier}

outputs:
  # Per-network addresses and name of this controller. The ctlplane address
  # is the first entry of the Controller server's ctlplane network; every
  # other address is read from the matching port resource.
  ip_address:
    description: IP address of the server in the ctlplane network
    value:
      get_attr: [Controller, networks, ctlplane, 0]
  external_ip_address:
    description: IP address of the server in the external network
    value:
      get_attr: [ExternalPort, ip_address]
  internal_api_ip_address:
    description: IP address of the server in the internal_api network
    value:
      get_attr: [InternalApiPort, ip_address]
  storage_ip_address:
    description: IP address of the server in the storage network
    value:
      get_attr: [StoragePort, ip_address]
  storage_mgmt_ip_address:
    description: IP address of the server in the storage_mgmt network
    value:
      get_attr: [StorageMgmtPort, ip_address]
  tenant_ip_address:
    description: IP address of the server in the tenant network
    value:
      get_attr: [TenantPort, ip_address]
  management_ip_address:
    description: IP address of the server in the management network
    value:
      get_attr: [ManagementPort, ip_address]
  hostname:
    description: Hostname of the server
    value:
      get_attr: [Controller, name]
  # One /etc/hosts line per network: address, fully qualified name
  # (host + CloudDomain) and short name. The primary line uses the address
  # on the network selected by ServiceNetMap/ControllerHostnameResolveNetwork;
  # each per-network host name is the Controller name joined with a network
  # suffix by '.'.
  # str_replace substitutes the placeholder keys textually, so the keys
  # below are kept distinct from one another (e.g. STORAGEIP vs
  # STORAGE_MGMTIP).
  hosts_entry:
    description: >
      Server's IP address and hostname in the /etc/hosts format
    value:
      str_replace:
        template: |
          PRIMARYIP PRIMARYHOST.DOMAIN PRIMARYHOST
          EXTERNALIP EXTERNALHOST.DOMAIN EXTERNALHOST
          INTERNAL_APIIP INTERNAL_APIHOST.DOMAIN INTERNAL_APIHOST
          STORAGEIP STORAGEHOST.DOMAIN STORAGEHOST
          STORAGE_MGMTIP STORAGE_MGMTHOST.DOMAIN STORAGE_MGMTHOST
          TENANTIP TENANTHOST.DOMAIN TENANTHOST
          MANAGEMENTIP MANAGEMENTHOST.DOMAIN MANAGEMENTHOST
        params:
          # Shared by every line of the template.
          DOMAIN:
            get_param: CloudDomain
          # Primary (resolve) network.
          PRIMARYIP:
            get_attr:
            - NetIpMap
            - net_ip_map
            - get_param: [ServiceNetMap, ControllerHostnameResolveNetwork]
          PRIMARYHOST:
            get_attr: [Controller, name]
          # External network.
          EXTERNALIP:
            get_attr: [ExternalPort, ip_address]
          EXTERNALHOST:
            list_join:
            - '.'
            - - get_attr: [Controller, name]
              - external
          # Internal API network.
          INTERNAL_APIIP:
            get_attr: [InternalApiPort, ip_address]
          INTERNAL_APIHOST:
            list_join:
            - '.'
            - - get_attr: [Controller, name]
              - internalapi
          # Storage network.
          STORAGEIP:
            get_attr: [StoragePort, ip_address]
          STORAGEHOST:
            list_join:
            - '.'
            - - get_attr: [Controller, name]
              - storage
          # Storage management network.
          STORAGE_MGMTIP:
            get_attr: [StorageMgmtPort, ip_address]
          STORAGE_MGMTHOST:
            list_join:
            - '.'
            - - get_attr: [Controller, name]
              - storagemgmt
          # Tenant network.
          TENANTIP:
            get_attr: [TenantPort, ip_address]
          TENANTHOST:
            list_join:
            - '.'
            - - get_attr: [Controller, name]
              - tenant
          # Management network.
          MANAGEMENTIP:
            get_attr: [ManagementPort, ip_address]
          MANAGEMENTHOST:
            list_join:
            - '.'
            - - get_attr: [Controller, name]
              - management
  # Reference to the Controller server resource itself, for callers that
  # need the resource handle rather than one of its attributes.
  nova_server_resource:
    description: Heat resource handle for the Nova compute server
    value:
      get_resource: Controller
  # Device string for swift-ring-builder. Only the IP placeholder is
  # substituted here, using the address on the network selected by
  # ServiceNetMap/SwiftMgmtNetwork; the %PORT% token stays in the rendered
  # value, presumably for a later consumer to fill in - TODO confirm.
  swift_device:
    description: Swift device formatted for swift-ring-builder
    value:
      str_replace:
        template: 'r1z1-IP:%PORT%/d1'
        params:
          IP:
            get_attr:
            - NetIpMap
            - net_ip_uri_map
            - get_param: [ServiceNetMap, SwiftMgmtNetwork]
  # Memcached endpoint for the Swift proxy: the address on the network
  # selected by ServiceNetMap/MemcachedNetwork, with port 11211 fixed in
  # the template.
  # NOTE(review): memcached is commonly run without authentication, so the
  # network mapped to MemcachedNetwork should presumably be an internal,
  # non-routable one - confirm against the deployment's network isolation.
  swift_proxy_memcache:
    description: Swift proxy-memcache value
    value:
      str_replace:
        template: 'IP:11211'
        params:
          IP:
            get_attr:
            - NetIpMap
            - net_ip_uri_map
            - get_param: [ServiceNetMap, MemcachedNetwork]
  # MD5 digest of the TLS key modulus, as reported by NodeTLSData.
  # NOTE(review): presumably a fingerprint for spotting key changes or for
  # matching the key against tls_cert_modulus_md5. For an RSA key the
  # modulus is also part of the public certificate, so the digest itself is
  # not secret; MD5 is not collision-resistant, so do not rely on this
  # value as a security-grade integrity or identity check.
  tls_key_modulus_md5:
    description: MD5 checksum of the TLS Key Modulus
    value:
      get_attr: [NodeTLSData, key_modulus_md5]
  # MD5 digest of the TLS certificate modulus, as reported by NodeTLSData.
  # NOTE(review): presumably compared with tls_key_modulus_md5 to confirm
  # the deployed key and certificate belong together. Treat it as a
  # change/match fingerprint only; MD5 is not collision-resistant.
  tls_cert_modulus_md5:
    description: MD5 checksum of the TLS Certificate Modulus
    value:
      get_attr: [NodeTLSData, cert_modulus_md5]