diff --git a/salt/elasticsearch/auth.sls b/salt/elasticsearch/auth.sls
index 187922d6e..303383cfe 100644
--- a/salt/elasticsearch/auth.sls
+++ b/salt/elasticsearch/auth.sls
@@ -1,3 +1,9 @@
+{% set so_elastic_user_pass = salt['random.get_str'](20) %}
+{% set so_kibana_user_pass = salt['random.get_str'](20) %}
+{% set so_logstash_user_pass = salt['random.get_str'](20) %}
+{% set so_beats_user_pass = salt['random.get_str'](20) %}
+{% set so_monitor_user_pass = salt['random.get_str'](20) %}
+
 elastic_auth_pillar:
 file.managed:
 - name: /opt/so/saltstack/local/pillar/elasticsearch/auth.sls
@@ -8,24 +14,26 @@ elastic_auth_pillar:
 users:
 so_elastic_user:
 user: so_elastic
- pass: {{ salt['random.get_str'](20) }}
+ pass: {{ so_elastic_user_pass }}
 so_kibana_user:
 user: so_kibana
- pass: {{ salt['random.get_str'](20) }}
+ pass: {{ so_kibana_user_pass }}
 so_logstash_user:
 user: so_logstash
- pass: {{ salt['random.get_str'](20) }}
+ pass: {{ so_logstash_user_pass }}
 so_beats_user:
 user: so_beats
- pass: {{ salt['random.get_str'](20) }}
+ pass: {{ so_beats_user_pass }}
 so_monitor_user:
 user: so_monitor
- pass: {{ salt['random.get_str'](20) }}
+ pass: {{ so_monitor_user_pass }}
 # since we are generating a random password, and we don't want that to happen everytime
 # a highstate runs, we only manage the file each user isn't present in the file. if the
 # pillar file doesn't exists, then the default vault provided to pillar.get should not
 # be within the file either, so it should then be created
+{% if salt['pillar.get']('elasticsearch:auth', False) %}
 - unless:
- {% for so_app_user in salt['pillar.get']('elasticsearch:auth:users', {'so_noapp_user': {'user': 'r@NDumu53Rd0NtDOoP'}}) %}
+ {% for so_app_user in salt['pillar.get']('elasticsearch:auth:users') %}
 - grep {{ so_app_user.user }} /opt/so/saltstack/local/pillar/elasticsearch/auth.sls
 {% endfor%}
+{% endif %}
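Review bot: The five `set` lines at the top of the file draw a fresh `random.get_str(20)` value on every render, and nothing beside them says the values are only meant to reach disk when the pillar file is first created. A Jinja comment above them would make that explicit, for example `{# initial passwords; written only when the pillar file does not exist yet #}`. It is also worth confirming the character set. If the installed Salt's `random.get_str` can return punctuation, the values are emitted unquoted after `pass:` in the second hunk, so a `#` or `:` in a password could truncate it or make the pillar file unparseable.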
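Review bot: The new guard tests `elasticsearch:auth`, but the loop under `- unless:` reads `elasticsearch:auth:users` with no default, so a pillar that has `auth` without `users` renders an `unless:` with no commands. Testing the key the loop consumes would close that gap: `{% if salt['pillar.get']('elasticsearch:auth:users', False) %}`. Separately, `users` appears to be a mapping, and a Jinja `for` over a mapping yields its keys, so `so_app_user.user` on the `grep` line may render empty. If so, iterate `.values()`, because a failing check rewrites the file and replaces all five passwords at once. The `grep` is also an unanchored match on the whole file, so `so_elastic` matches the `so_elastic_user:` key as well. The state body between the two hunks is not visible here.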