Outputs

The esc CLI and other ESC consumers (e.g. the pulumi CLI) conventionally assign specific semantics to certain top-level properties of an evaluated ESC environment (i.e. properties defined under the values section of the environment definition). These reserved properties shape the outputs an environment produces when it is opened: environment variables, temporary files, Pulumi IaC stack configuration, and Pulumi policy pack configuration.

environmentVariables

The environmentVariables reserved property contains values that should be exported as environment variables. For example, esc run exports each key-value pair in the environmentVariables property as an environment variable that is accessible to the command to run.

This property is also used by Pulumi policy packs. When an ESC environment is attached to a policy pack in a policy group, environmentVariables are injected into the policy runtime as environment variables.

Properties

Example

values:
  environmentVariables:
    GREETING: Hello

Evaluated result

{
  "environmentVariables": {
    "GREETING": "Hello"
  }
}

Using esc run

$ esc run default/greet -- sh -c '${GREETING}, ${USER}!'
Hello, user!

files

The files reserved property contains values that should be written to temporary files. For example, esc run writes the contents of each property in the files property to a temporary file and exports the file’s path in the named environment variable that is accessible to the command to run.

Properties

Example

values:
  files:
    GREETING: Hello, ${context.pulumi.user.login}!
    BINARY:
      fn::fromBase64: ...

Evaluated result

{
  "files": {
    "GREETING": "Hello, user!",
    "BINARY": ...
  }
}

Using esc run

$ esc run default/greet -- sh -c 'echo ${GREETING} & cat ${GREETING}'
/tmp/tmp.iBApHfcsJ1
Hello, user!

pulumiConfig

The pulumiConfig reserved property contains values that should be exported as stack configuration for Pulumi IaC. See the Pulumi IaC integration guide for an overview.

Properties

Example

values:
  pulumiConfig:
    aws:region: us-west-2
    greeting: Hello

Evaluated result

{
  "pulumiConfig": {
    "aws:region": "us-west-2",
    "greeting": "Hello"
  }
}

Using pulumi config

Assuming a Pulumi IaC stack that is configured to use the environment above:

$ pulumi config
KEY                           VALUE
aws:region                    us-west-2
greeting                      Hello

policyConfig

The policyConfig reserved property contains values that should be exported as configuration for Pulumi policy packs. When an ESC environment is attached to a policy pack in a policy group, the values under policyConfig are made available to the policy pack at runtime.

Properties

Keys can use either format:

• policyName — when the ESC environment is associated with a single policy pack
• packName:policyName — to scope configuration to a specific pack, following the same namespacing pattern as pulumiConfig

Example

Without pack namespace

values:
  compliance:
    apiToken:
      fn::secret: xxxxxxxxxxxxxxxx

  policyConfig:
    cost-compliance:
      maxMonthlyCost: 5000
      apiEndpoint: https://compliance.example.com
      apiToken: ${compliance.apiToken}

Evaluated result

{
  "policyConfig": {
    "cost-compliance": {
      "maxMonthlyCost": 5000,
      "apiEndpoint": "https://compliance.example.com",
      "apiToken": "[secret]"
    }
  }
}

With pack namespace

values:
  policyConfig:
    my-compliance-pack:cost-compliance:
      maxMonthlyCost: 5000

Evaluated result

{
  "policyConfig": {
    "my-compliance-pack:cost-compliance": {
      "maxMonthlyCost": 5000
    }
  }
}