ElasticCloud (EC) Provider

Installation

The ElasticCloud (EC) provider is available as a package in all Pulumi languages:

• JavaScript/TypeScript: @pulumi/ec
• Python: pulumi-ec
• Go: github.com/pulumi/pulumi-ec/sdk/go/ec
• .NET: Pulumi.Ec
• Java: com.pulumi/ec

Overview

page_title: “Provider: Elastic Cloud”

The Elastic Cloud Pulumi provider can be used to configure and manage resources on Elastic Cloud, such as Elastic Hosted Deployments or Elastic Serverless Projects, using the Elastic Cloud APIs. Use the navigation to the left to read about functions and resources supported by the Elastic Cloud provider.

This provider works with:

• Elastic Cloud Hosted
• Elastic Cloud Serverless
• Elastic Cloud Enterprise (Self managed offering)
• Elastic GovCloud offerings

Authentication

The Elastic Cloud Pulumi provider offers two methods of authentication against the remote API: apikey or a combination of username and password. Depending on the environment, you may choose one over the other. The Public API of Elasticsearch Service (ESS) is the default endpoint that the provider will target.

Elasticsearch Service (ESS) only supports apikey. Elastic Cloud Enterprise (ECE) supports apikey or a combination of username and password.

!> Warning: Hard-coding credentials into a Pulumi configuration is not recommended, and risks secret leakage should this file ever be committed to a public version control system.

API key authentication (recommended)

API keys are the recommended authentication method. They can be used to authenticate against Elasticsearch Service or Elastic Cloud Enterprise.

Generating an Elasticsearch Service (ESS) API Key

To generate an API key, follow these steps:

1. Open you browser and navigate to https://cloud.elastic.co/login.
2. Log in with your email and password.
3. Click on Elasticsearch Service.
4. Navigate to Organization > API Keys and click on Create API Key.
5. Choose a name for your API key.
6. Save your API key somewhere.

Using your API Key on the Elastic Cloud pulumi provider

After you’ve generated your API Key, you can make it available to the Pulumi provider by exporting it as the environment variable EC_API_KEY (recommended), or hardcoded in the provider .tf configuration file (supported but not recommended).

$ export EC_API_KEY="<apikey value>"

Or set the apikey field in the “ec” provider to the value of your generated API key.

# Pulumi.yaml provider configuration file
name: configuration-example
runtime:
config:
    ec:apikey:
        value: <apikey value>

Username and password login (ECE)

If you are targeting an ECE environment, you can also use a combination of username and password as authentication method.

They can either be hardcoded in the provider .tf configuration (not recommended), or specified with the following environment variables: EC_USERNAME or EC_USER and EC_PASSWORD or EC_PASS.

# Pulumi.yaml provider configuration file
name: configuration-example
runtime:
config:
    ec:endpoint:
        value: https://my.ece-environment.corp
    ec:insecure:
        value: true
    ec:password:
        value: my-password
    ec:username:
        value: my-username

Configuration Reference

• apikey (String, Sensitive) API Key to use for API authentication. The only valid authentication mechanism for the Elasticsearch Service.
• endpoint (String) Endpoint where the pulumi provider will point to. Defaults to “https://api.elastic-cloud.com”.
• insecure (Boolean) Allow the provider to skip TLS validation on its outgoing HTTP calls.
• password (String, Sensitive) Password to use for API authentication. Available only when targeting ECE Installations or Elasticsearch Service Private.
• timeout (String) Timeout used for individual HTTP calls. Defaults to “1m”.
• username (String) Username to use for API authentication. Available only when targeting ECE Installations or Elasticsearch Service Private.
• verbose (Boolean) When set, a “request.log” file will be written with all outgoing HTTP requests. Defaults to “false”.
• verboseCredentials (Boolean) When set with verbose, the contents of the Authorization header will not be redacted. Defaults to “false”.
• verboseFile (String) Timeout used for individual HTTP calls. Defaults to “1m”.