diff --git a/REFERENCE.md b/REFERENCE.md
index aaee151c4..0ad959862 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -2179,13 +2179,15 @@ Default value: `'present'`
 
 ##### <a name="-elasticsearch--user--password"></a>`password`
 
-Data type: `String`
+Data type: `Optional[String]`
 
 Password for the given user. A plaintext password will be managed
 with the esusers utility and requires a refresh to update, while
 a hashed password from the esusers utility will be managed manually
 in the uses file.
 
+Default value: `undef`
+
 ##### <a name="-elasticsearch--user--roles"></a>`roles`
 
 Data type: `Array`
diff --git a/manifests/user.pp b/manifests/user.pp
index dfd412c7b..56cc4569a 100644
--- a/manifests/user.pp
+++ b/manifests/user.pp
@@ -23,26 +23,36 @@
 # @author Gavin Williams <gavin.williams@elastic.co>
 #
 define elasticsearch::user (
-  String                    $password,
-  Enum['absent', 'present'] $ensure = 'present',
-  Array                     $roles  = [],
+  Optional[String]          $password = undef,
+  Enum['absent', 'present'] $ensure   = 'present',
+  Array                     $roles    = [],
 ) {
-  if $password =~ /^\$2a\$/ {
-    elasticsearch_user_file { $name:
-      ensure          => $ensure,
-      configdir       => $elasticsearch::configdir,
-      hashed_password => $password,
-      before          => Elasticsearch_user_roles[$name],
-    }
-  } else {
+  if $ensure == 'absent' {
     elasticsearch_user { $name:
-      ensure    => $ensure,
+      ensure    => 'absent',
       configdir => $elasticsearch::configdir,
-      password  => $password,
-      before    => Elasticsearch_user_roles[$name],
     }
   }
-
+  else {
+    if $password == undef {
+      fail('elasticsearch::user: password must be provided when ensure => present')
+    }
+    if $password =~ /^\$2a\$/ {
+      elasticsearch_user_file { $name:
+        ensure          => present,
+        configdir       => $elasticsearch::configdir,
+        hashed_password => $password,
+        before          => Elasticsearch_user_roles[$name],
+      }
+    } else {
+      elasticsearch_user { $name:
+        ensure    => present,
+        configdir => $elasticsearch::configdir,
+        password  => $password,
+        before    => Elasticsearch_user_roles[$name],
+      }
+    }
+  }
   elasticsearch_user_roles { $name:
     ensure => $ensure,
     roles  => $roles,
diff --git a/spec/defines/007_elasticsearch_user_spec.rb b/spec/defines/007_elasticsearch_user_spec.rb
index 54b62782e..b1ae46b76 100644
--- a/spec/defines/007_elasticsearch_user_spec.rb
+++ b/spec/defines/007_elasticsearch_user_spec.rb
@@ -86,6 +86,31 @@ class { 'elasticsearch': }
 
         include_examples 'class', :systemd
       end
+
+      context "with ensure => 'absent' and no password" do
+        let(:params) do
+          {
+            ensure: 'absent',
+            roles: []
+          }
+        end
+
+        it { is_expected.to compile }
+
+        it do
+          expect(subject).to contain_elasticsearch_user('elastic').with(
+            'ensure' => 'absent',
+            'configdir' => '/etc/elasticsearch'
+          )
+        end
+
+        it do
+          expect(subject).to contain_elasticsearch_user_roles('elastic').with(
+            'ensure' => 'absent',
+            'roles' => []
+          )
+        end
+      end
     end
   end
 end