diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja
index 4f4dc1667..5746055eb 100644
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -24,7 +24,7 @@
 {% set manager_states = [
 'salt.master',
- 'ca',
+ 'ca.server',
 'pcap.ca',
 'registry',
 'manager',
diff --git a/salt/ca/init.sls b/salt/ca/init.sls
index 9d30b0438..3a0fdf91c 100644
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -3,20 +3,10 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
-{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
 
 include:
-{% if GLOBALS.is_manager %}
+{% if GLOBALS.is_manager %}
 - ca.server
-{% endif %}
- - ca.trustca
-
-{% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
 {% endif %}
+ - ca.trustca
diff --git a/salt/ca/server.sls b/salt/ca/server.sls
index 9143c6e75..2f01a3df7 100644
--- a/salt/ca/server.sls
+++ b/salt/ca/server.sls
@@ -3,6 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
+{% if sls in allowed_states %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 
 pki_private_key:
@@ -51,3 +52,11 @@ cakeyperms:
 - name: /etc/pki/ca.key
 - mode: 640
 - group: 939
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/ca/trustca.sls b/salt/ca/trustca.sls
index 04db0e27d..1e349c654 100644
--- a/salt/ca/trustca.sls
+++ b/salt/ca/trustca.sls
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
 
 cacertdir:
 file.directory:
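Review bot: The `allowed_states` guard is removed from salt/ca/init.sls without any comment recording where the gating moved, so a reader of this file now sees `ca.trustca` included for every minion and `ca.server` behind only a role check, with nothing explaining that the authorization check still exists. A one-line comment above `include:` such as `# sls-in-allowed_states gating for the CA server now lives in ca.server; ca.trustca is intended for every minion` would preserve that intent. Note that `{% if GLOBALS.is_manager %}` only selects which role pulls in `ca.server`; it is not the authorization check, so ca.server's own `allowed_states` test is what protects CA key generation from being applied on a non-manager, and that dependency is worth stating here.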
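Review bot: The new `{% if sls in allowed_states %}` at the top of salt/ca/server.sls references `allowed_states`, but this diff adds no `{% from 'allowed_states.map.jinja' import allowed_states %}` to server.sls — that import was removed from init.sls in the previous file, and a `{% from %}` in the including sls does not make the name visible in an included sls, since each sls is rendered on its own. Unless server.sls already imports it somewhere outside this hunk, the guard cannot work as written: with a strict undefined the render fails on every minion including managers (so `ca.server` never applies), and with a permissive undefined the membership test is not a meaningful authorization check for the state that writes `/etc/pki/ca.key`. The fix is to add the import before the test, `{% from 'allowed_states.map.jinja' import allowed_states %}` followed by `{% if sls in allowed_states %}`, and to confirm the `'ca.server'` entry added to `manager_states` in allowed_states.map.jinja is what `sls` resolves to when this file is included from `ca`. The matching `{% else %}`/`{% endif %}` are in the later hunk at the end of the file, so the conditional closes correctly once the name is in scope.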