ESC Pulumi IaC Integration

    With support for Pulumi ESC built into the Pulumi CLI, you can expose an environment’s settings and secrets to any or all of your Pulumi stacks, bypassing the need to define and maintain individual configuration settings or secrets “locally” in Pulumi config files. The optional pulumiConfig key enables this.

    The pulumi CLI (as of v3.139.0) now tracks ESC environments used in stack updates. You can view which ESC environments were used in your updates on the Stack Overview page within the Pulumi Cloud Console.

    The following example updates the myorg/myapp/dev environment by adding a pulumiConfig block. This block specifies the Pulumi configuration settings to expose to the Pulumi stack at runtime:

    # myorg/myapp/dev
    imports:
      - aws/dev
      - stripe/dev
    
    values:
      greeting: Hello from the myapp/dev environment!
    
      environmentVariables:
        AWS_ACCESS_KEY_ID: ${aws.login.accessKeyId}
        AWS_SECRET_ACCESS_KEY: ${aws.login.secretAccessKey}
        STRIPE_API_KEY: ${stripe.apiKey}
        STRIPE_API_URL: ${stripe.apiURL}
        GREETING: ${greeting}
    
      # Add a `pulumiConfig` block to expose these settings to your Pulumi stacks.
      pulumiConfig:
        aws:region: ${aws.region}
        stripeApiKey: ${stripe.apiKey}
        stripeApiURL: ${stripe.apiURL}
        greeting: ${greeting}
    

    Any stack belonging to the myorg organization can inherit these settings by adding the optional environment block to its stack-configuration file:

    # Pulumi.dev.yaml
    environment:
      - myapp/dev
    

    Values are accessible using the standard configuration API:

    // index.ts
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Import the values using the standard Pulumi configuration API.
    const config = new pulumi.Config();
    const greeting = config.require("greeting");
    const stripeApiKey = config.requireSecret("stripeApiKey");
    const stripeApiURL = config.requireSecret("stripeApiURL");
    
    const callbackFunction = new aws.lambda.CallbackFunction("callback", {
        callback: async () => ({
            statusCode: 200,
            body: JSON.stringify({
                greeting,
    
                // Use them in your program as you would any config value.
                stripeApiURL: process.env.STRIPE_API_URL,
            }),
        }),
        environment: {
            variables: {
                STRIPE_API_URL: stripeApiURL,
            },
        },
    });
    
    const functionUrl = new aws.lambda.FunctionUrl("url", {
        functionName: callbackFunction.name,
        authorizationType: "NONE",
    });
    
    export const url = functionUrl.functionUrl;
    

    Stacks may only read from environments that belong to the same Pulumi organization.

    Convert existing Stack Config to an ESC Environment

    To convert your existing stack config to a new ESC Environment, you can use the pulumi CLI to run the following:

    pulumi config env init
    

    See here for more information.

    Automation API integration

    You can use ESC with Automation API in Node, Go, and Python. The following methods are supported today:

    • addEnvironments(...): Append environments to your Pulumi stack’s import list.
    • listEnvironments(): Retrieve a list of environments currently imported into your stack.
    • removeEnvironment(environment): Remove a specific environment from your stack’s import list.
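
    One way to use these three methods to keep a stack's import list pinned to an approved set of environments, so that values from an unreviewed environment do not enter a deployment unnoticed. This is an added example, not Pulumi's own code: `EnvStack` mirrors only the three methods listed above (signatures assumed to match the Node Automation API `Stack`), `FakeStack` is a constructed stand-in, and `planEnvironments`, `enforceEnvironments` and the environment names other than `myapp/dev` are hypothetical.

```typescript
// Subset of the stack surface listed above. Assumption: an Automation API
// `Stack` object can be passed wherever an EnvStack is expected.
interface EnvStack {
    addEnvironments(...environments: string[]): Promise<void>;
    listEnvironments(): Promise<string[]>;
    removeEnvironment(environment: string): Promise<void>;
}

interface EnvPlan { add: string[]; remove: string[]; }

// Pure diff: imports to drop (not approved) and imports to append (missing).
function planEnvironments(current: string[], approved: string[]): EnvPlan {
    const allow = new Set(approved);
    const have = new Set(current);
    return {
        remove: current.filter((e) => !allow.has(e)),
        add: approved.filter((e) => !have.has(e)),
    };
}

// Drop unapproved imports before appending missing ones, then return the
// plan so the caller can log what changed.
async function enforceEnvironments(stack: EnvStack, approved: string[]): Promise<EnvPlan> {
    const plan = planEnvironments(await stack.listEnvironments(), approved);
    for (const env of plan.remove) {
        await stack.removeEnvironment(env);
    }
    if (plan.add.length > 0) {
        await stack.addEnvironments(...plan.add);
    }
    return plan;
}

// Constructed in-memory stand-in so the example runs without the Pulumi CLI.
class FakeStack implements EnvStack {
    envs: string[];
    constructor(initial: string[]) { this.envs = [...initial]; }
    async addEnvironments(...environments: string[]): Promise<void> {
        this.envs.push(...environments);
    }
    async listEnvironments(): Promise<string[]> { return [...this.envs]; }
    async removeEnvironment(environment: string): Promise<void> {
        this.envs = this.envs.filter((e) => e !== environment);
    }
}
```

    Running `enforceEnvironments` before each update and recording the returned plan gives a reviewable trail of import-list drift.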

    Accessing Pulumi Stack outputs

    You can also access outputs from Pulumi IaC stacks within an ESC environment using the pulumi-stacks provider.

    values:
      stackRefs:
        fn::open::pulumi-stacks:
          stacks:
            vpcInfra:
              stack: vpc-infra/dev
      pulumiConfig:
        vpcId: ${stackRefs.vpcInfra.vpcId}
        publicSubnetIds: ${stackRefs.vpcInfra.publicSubnetIds}
        privateSubnetIds: ${stackRefs.vpcInfra.privateSubnetIds}
    