Salt States
The state modules you reach for 90% of the time, how requisites tie them together, and four patterns lifted from production deployments.
v1.0 · Updated 2026-05-09
01 · Foundation · ~3 min
A Salt state is YAML describing a desired condition, not a sequence of actions. Salt looks at the current state of the box, compares to what you wrote, and changes only what's not yet correct. Run it ten times and the box usually lands in the same place — that property is called idempotency.
# every state has three parts:
<state ID>: # a unique label — your choice
<module>.<function>: # what to do (file.managed, pkg.installed, etc.)
- arg_name: arg_value # module arguments
- arg_name: arg_valueA real one:
nginx_running: # state ID
service.running: # module = service, function = running
- name: nginx # the service name
- enable: True # enable on bootAlways dry-run before you commit. Append test=True to any apply command and Salt prints what it would change. salt 'web*' state.apply nginx test=True. Spot typos and unintended diffs before the fleet sees them.
02 · Reference · ~7 min
Salt ships hundreds of state modules. Six cover almost everything you'll do in a normal day. Master these, browse the rest at docs.saltproject.io when you need something exotic.
.directory · .managed · .symlink · .absent · .recurse
nginx_conf:
file.managed:
- name: /etc/nginx/nginx.conf
- source: salt://nginx/nginx.conf
- mode: '0644'
- template: jinjaFolders, files, content, ownership, permissions. template: jinja renders templates with grains/pillar.
.installed · .removed · .uptodate · .latest
nginx_pkg:
pkg.installed:
- name: nginx
- version: 1.24.* # pin looselyCross-OS — same state on RHEL, Debian, and Windows. Pin versions in production. Lists work too: - pkgs: [nginx, curl, rsync].
.running · .dead · .enabled · .disabled
nginx_service:
service.running:
- name: nginx
- enable: True
- watch:
- file: nginx_confenable: True survives reboots. watch: auto-restarts on file changes.
.present · .absent
app_user:
user.present:
- name: appsvc
- shell: /bin/bash
- groups: [docker, sudo]
- createhome: TrueCross-OS user management. Use pillar for any password — never hardcode.
.present · .absent
add_to_rdp:
group.present:
- name: Remote Desktop Users
- addusers:
- DOMAIN\\app-svcLocal group membership. Users must already exist (locally or AD). Double-backslash for AD users.
.run · .script · .wait
tag_machine:
cmd.run:
- name: echo 'managed' > /etc/managed
- unless: test -f /etc/managedUse sparingly. Always pair with unless: or onlyif: for idempotency. Real states are better.
Naming. Salt has a name: shortcut — if you skip it, Salt uses the state ID as the name. nginx_pkg: pkg.installed: - name: nginx can be shortened to just nginx: pkg.installed. Clean for one-offs, confusing in bigger files. Pick one style per project.
03 · The dependency system · ~5 min
Salt runs states in dependency order, not file order. Declare those dependencies with requisites. Skip them and you'll watch a service try to start before its package exists.
service: nginx_pkg means "wait until nginx_pkg is done."require, plus react if anything changed. Service restarts automatically when its config file changes.watch, but batched. Useful for one-time post-deployment hooks.Each requisite has a _in mirror — require_in, watch_in, onchanges_in, listen_in. Same effect, declared from the other side. Use whichever reads better:
# both of these mean "service restarts on config change"
# forward — declared on the service
nginx_service:
service.running:
- name: nginx
- watch:
- file: nginx_conf
# inverse — declared on the file
nginx_conf:
file.managed:
- name: /etc/nginx/nginx.conf
- source: salt://nginx/nginx.conf
- watch_in:
- service: nginx_serviceIf you can't tell from looking at a state file what runs in what order, the requisites are usually wrong. Fix the chain rather than the symptom.
Hundreds of state files end up looking like this. Memorize it.
nginx_pkg:
pkg.installed:
- name: nginx
nginx_conf:
file.managed:
- name: /etc/nginx/nginx.conf
- source: salt://nginx/nginx.conf
- require:
- pkg: nginx_pkg # package must exist first
nginx_service:
service.running:
- name: nginx
- enable: True
- require:
- pkg: nginx_pkg # package must exist
- watch:
- file: nginx_conf # restart on config change04 · Routing · ~3 min
top.sls is Salt's routing table. It says "for each minion, here's the list of states that apply." Lives at /srv/salt/top.sls. Highstate reads it and figures out the rest.
# /srv/salt/top.sls
base: # environment (also: dev, staging, prod)
'*': # every minion
- common.baseline
'web*': # glob — minion ID matching
- nginx
- app
'os_family:RedHat': # grain match
- match: grain
- linux.hardening
'G@os:Windows and G@env:prod': # compound
- match: compound
- windows.iis
- windows.auditweb*, db-prod-?match: grain — match on a single grain: os_family:Windows, os:CentOSmatch: pillar — match on pillar data: tier:criticalmatch: list — explicit list: web1,web2,web3match: compound — combine with and / or / not + matcher prefixes (G@, I@, L@, E@)The flow. salt '*' state.highstate → master reads top.sls → for each minion, gathers the matched state names → applies them → minion converges. state.apply <name> ignores top.sls and applies just the one. Both idempotent.
05 · Production · ~10 min
Four sanitized patterns from production deployments. Each one is real code, trimmed to the load-bearing bits.
Pattern 01
Idempotent demo user creation, with sudoers granted via a drop-in. Validates the sudoers fragment with visudo -cf before moving it into place — a malformed line can't break sudo system-wide.
# /srv/salt/linux/demo_user.sls
{% set sudo_user = salt['pillar.get']('linux:sudoer:username', 'saltdemo') %}
{% set sudo_shell = salt['pillar.get']('linux:sudoer:shell', '/bin/bash') %}
{% set nopasswd = salt['pillar.get']('linux:sudoer:nopasswd', True) %}
demo_user:
user.present:
- name: {{ sudo_user }}
- shell: {{ sudo_shell }}
- createhome: True
demo_user_sudoers:
file.managed:
- name: /etc/sudoers.d/{{ sudo_user }}
- user: root
- group: root
- mode: '0440'
- contents: |
# Managed by Salt
{{ sudo_user }} ALL=(ALL){% if nopasswd %} NOPASSWD:{% endif %} ALL
- check_cmd: /usr/sbin/visudo -cf # validate before commit
- require:
- user: demo_userWhy this is good: values come from pillar (per-environment override), check_cmd guards against malformed sudoers, require: ensures the user exists before adding rights, and the whole thing is conditional on Linux (in real life with a Jinja {% if grains['kernel'] == 'Linux' %} wrapper).
Pattern 02
Reboot a Windows box from Salt and wait for it to come back before continuing the highstate. The "reboot orchestration" pattern that separates production-grade Salt from script-style Salt.
# /srv/salt/windows/reboot.sls
reboot_now:
cmd.run:
- name: shutdown /r /t 2
- shell: cmd
wait_for_winrm:
cmd.run:
- name: |
powershell -ExecutionPolicy Bypass -Command "
$counter = 0
while ($counter -lt 30) {
if (Test-NetConnection -ComputerName $env:COMPUTERNAME `
-Port 5985 -InformationLevel Quiet) { exit 0 }
Start-Sleep -Seconds 10
$counter++
}
exit 1"
- shell: cmd
- require:
- cmd: reboot_now
post_reboot_smoke_test:
cmd.run:
- name: powershell -Command "Get-Service salt-minion"
- shell: cmd
- require:
- cmd: wait_for_winrmWhy this works: WinRM (port 5985) coming back is a reliable signal that the box is genuinely up — services started, network up, ready to take work. The PowerShell loop polls for 5 minutes max, fails fast if the box doesn't come back. Subsequent states require: the wait, so the highstate doesn't try to do work on a half-booted box.
Pattern 03
One salt-run state.orch command, deploying state to multiple groups of minions in dependency order. This is the pattern for anything that involves "deploy A on these boxes, then B on those, then C on the others." Used here for a Remote Desktop Services build (license server first, then session hosts, then app publishing).
# /srv/salt/orch/rds_build.sls
# run with: sudo salt-run state.orch orch.rds_build
deploy_broker_gateway:
salt.state:
- tgt: 'G@server_role:rds_broker'
- tgt_type: compound
- sls: windows.rds.broker_gateway
deploy_license_server:
salt.state:
- tgt: 'G@server_role:rds_license'
- tgt_type: compound
- sls: windows.rds.license_server
deploy_session_hosts:
salt.state:
- tgt: 'G@server_role:rds_session_host'
- tgt_type: compound
- sls: windows.rds.session_host
- require:
- salt: deploy_broker_gateway # brokers ready first
- salt: deploy_license_server # licensing ready first
publish_apps:
salt.function:
- tgt: 'G@server_role:rds_broker'
- tgt_type: compound
- name: cmd.run
- arg:
- powershell -File C:\scripts\publish_apps.ps1
- require:
- salt: deploy_session_hosts # hosts ready firstWhy this works: it replaces the usual Bash-plus-Ansible kludge with sleeps and pings. salt.state applies states to grain-targeted groups; salt.function runs ad-hoc functions; require: chains them. Re-run any time; only unconverged parts do work.
Pattern 04
Salt has an event bus. Anything happening on the master or minions fires an event. Reactors map those event tags to state files, so the fleet reacts to events automatically rather than waiting for someone to invoke a state.
# /etc/salt/master.d/reactor.conf
reactor:
- 'orchestrate/rds/start': # custom event tag
- /srv/salt/reactor/start_rds_build.sls
- 'salt/minion/*/start': # built-in: minion came up
- /srv/salt/reactor/welcome_new_minion.sls
# /srv/salt/reactor/start_rds_build.sls
start_rds_build:
runner.state.orchestrate:
- mods: orch.rds_buildFire the event from anywhere — a CI pipeline, another minion, a webhook handler — and the orchestration kicks off automatically:
salt-call event.send 'orchestrate/rds/start'Why this matters: blue/green deploys, automated remediation, scheduled builds — they all live here. The install guide's blue/green pattern is essentially this: an event fires, a reactor responds, an orchestration runs.
06 · What not to do · ~3 min
Six things that look like they work and bite you six months later.
unless: or onlyif:Runs on every highstate. Slows everything down, makes idempotency a lie. If a real state module exists (file.managed, pkg.installed, etc.), use that. If cmd.run is genuinely necessary, gate it.
Hostnames, paths, credentials, environment names — they belong in pillar. Hardcode and you'll need a state file per environment. Pillar them and one state file works everywhere. Getting Started covers pillar.
require: chainsWithout it, Salt is free to run states in parallel. For "package must exist before service starts" that's a race. Salt won't always lose it — but when it does, you'll spend hours debugging.
.sls with everything in itHundreds of states in /srv/salt/all.sls. Hard to read, hard to test, impossible to reuse. Split by concern: nginx/init.sls, nginx/config.sls, nginx/cert.sls. Use include: to compose.
Use watch:, not cmd.run with a reload command. watch: only fires when something actually changed. cmd.run fires every time. Difference between "graceful reload when needed" and "kicking nginx every 10 minutes."
test=True in productionAlways dry-run. Especially after pillar edits, especially on critical fleets. The fix takes 5 seconds (state.apply test=True). The recovery if you skip it can take an afternoon.
.sls files, top.sls, pillar, Git integrationprereq, use, runas)Patterns distilled from Saltify's production deployments + the official Salt docs at salt/doc/ (Apache 2.0).