top of page
  • Akmod

Understanding ESM (Enforced State Management) in Idem

When working in cloud infrastructure management, tracking idempotent resources is critical. The aim is to guarantee that a resource is created once and only once, and to determine if a resource exists before an attempt is made to recreate it. Enforced State Management (ESM) in Idem is designed to manage this process. ESM monitors a resource from run to run, utilizing the resource's ID, reference, and name. It keeps idempotence by preserving a cache of the enforced state, and it is instrumental in drift correction. Furthermore, ESM has the ability to manage resources that are not inherently idempotent, like VPCs, ensuring they maintain their idempotence.

I had a joke about idempotence, but it gets the same reaction every time.

This is where Enforced State Management (ESM) in Idem comes into play. ESM keeps track of a resource from run to run, using the resource's ID, reference, and name. It maintains idempotence by storing a cache of the enforced state and plays a role in drift correction.

Here's a quick guide to understanding ESM and how you can work with it in Idem.

Local Cache

Idem employs a local cache by default to maintain the enforced state. The local cache is established on CLI arguments or variables defined in the Idem config file.

By default, a local cache is used to keep track of the enforced state. The local cache is based on CLI arguments or variables defined in the Idem config file. The default cache locations are as follows:

  • For Linux/Mac: ~/.idem/var/cache/idem/esm/local/cli.msgpack

  • For Windows: C:\Users\<username>\AppData\Local\idem\esm\local\cli.msgpack

Cache Keys

The cache contains the latest values from Idem state runs. Every key in the cache carries a tag based on state ID, state reference, and state name, facilitating accurate state tracking. For example, for an SLS state like this:

       name: state_name

The tag in the cache becomes the following:


Idem States

Idem States return old_state and new_state, with the new_state available in the context (ctx) of subsequent runs. This crucial feature ensures each state's accurate tracking and preservation. Here's how you can define them:

def present(hub, ctx, name):
    new_state = {}
    return {
        "result": True,
        "comment": "",
        "old_state": ctx.old_state,
        "new_state": new_state,


Idem also provides a set of exec commands to work with ESM from the CLI. Here are some examples:

  • Unlocking an Idem State Run: $ idem exec esm.unlock provider=<...> profile=<...>

  • Display the ESM content: $ idem exec provider=<...> profile=<...>

  • Remove a resource from ESM: $ idem exec esm.remove tag=<...> provider=<...> profile=<...>

Writing an ESM Plugin

For more versatility, you can create your own ESM plugin. This flexibility allows you to augment the capabilities of ESM to match your specific requirements. Furthermore, the idem refresh command updates the ESM cache by integrating resources from a describe operation into the ESM context. If you've ever thought that writing an Enforced State Management (ESM) plugin was a complex task, prepare to have your mind changed. Writing an ESM plugin can be a breeze, requiring only four essential functions: enter, exit_, get_state, and set_state.

  1. enter: This function enters the context of your ESM plugin. If you have multiple idem processes running at once, it ensures that the cache can only be used by one of them at a time.

  2. exit_: When a process is done with the state, the exit function releases the lock, making the state file available for other processes. It ensures the lock's atomic release to maintain the state's integrity.

  3. get_state: This function is your state retriever. It fetches the current state from the source (which could be a local cache, an S3 bucket, or any other arbitrary key-value pair structure), and returns it as a python dictionary.

  4. set_state: This function updates the state in the source. It accepts a dictionary representing the new state and writes it to the source atomically to maintain the integrity of the state.

The possibilities with ESM plugins are as vast as your imagination allows. Whether you prefer local cache, an S3 bucket, or even keeping your cache on the tags of a VPC (yes, even something wacky like that is possible!), you have the freedom to design your plugin to meet your needs. With these four functions in your arsenal, you can confidently write an ESM plugin that's simple, efficient, and reliable. So go ahead, unleash your creativity, and make your ESM plugin a reality!

Remote storage for ESM with Idem-AWS

Idem-aws provides remote storage for Idem's ESM feature, allowing Idem to store ESM data on an AWS S3 bucket and using DynamoDB as a file lock.

An example acct file for an aws esm profile might look like this:

    use_ssl: True
    aws_access_key_id: AAAAAAAAA5CDFSDER3UQ
    aws_secret_access_key: eHjPASFWERSFwVXKlsdfS4afD
    region_name: eu-west-2
      bucket: "idem-state-storage-bucket"
      dynamodb_table: "idem-state-storage-table"
      key: "/idem-state/demo-storage.json"

This configuration will use the AWS S3 bucket "idem-state-storage-bucket" and the DynamoDB table "idem-state-storage-table" in the eu-west-2 region to manage ESM data. Note that both the S3 bucket and the DynamoDB table need to be created before using this feature.

The ability to extend ESM with plugins like the "aws" plugin in idem-aws demonstrates the flexibility and power of Idem's approach to state management. You can choose between local caching, disabling ESM, or using a remote storage plugin like "aws" depending on your use case and infrastructure needs.


Enforced State Management (ESM) in Idem provides a robust and highly customizable way to manage and track idempotent resources in your infrastructure. The ease of creating custom ESM plugins tailored to your specific needs adds another layer of versatility to the mix. You can easily maintain idempotence, implement drift correction, and manage non-idempotent resources, such as VPCs, ensuring they maintain their idempotence.

Another crucial aspect where ESM shines is speeding up the lookups for argbinding. ESM uses the results of a previous run for argbinding or fills in the gaps if a subset of states is being run that requires argbinding outside of the current SLS context. This ensures more efficient state management and an optimized execution of Idem states.

In the ever-evolving landscape of cloud infrastructure management, having a system like Idem's ESM by your side can be a game-changer. Whether you're using a local cache or leveraging the power of AWS S3 buckets, or even going as far as keeping your cache on the tags of a VPC (we weren't joking about that), ESM is there to provide a seamless and efficient state management experience.

We encourage you to try out ESM in your Idem projects. Experiment with the flexibility and power of ESM plugins and experience firsthand how Idem and ESM can revolutionize your cloud infrastructure management. Happy coding!

Recent Posts

See All

Bình luận

bottom of page