diff --git a/salt/kafka/config.sls b/salt/kafka/config.sls
index 1cfd1d3eb..e9222388b 100644
--- a/salt/kafka/config.sls
+++ b/salt/kafka/config.sls
@@ -14,6 +14,7 @@ kafka_group:
 
 kafka_user:
   user.present:
+    - name: kafka
     - uid: 960
     - gid: 960
     - home: /opt/so/conf/kafka
diff --git a/salt/kafka/ssl.sls b/salt/kafka/ssl.sls
index c4e46ac8a..50a01b22c 100644
--- a/salt/kafka/ssl.sls
+++ b/salt/kafka/ssl.sls
@@ -4,10 +4,9 @@
 # Elastic License 2.0.
 
 {% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
-{% set kafka_password = salt['pillar.get']('kafka:password') %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   set kafka_password = salt['pillar.get']('kafka:password') %}
 
 include:
   - ca.dirs
@@ -20,10 +19,9 @@ include:
     {% endfor %}
     {% set ca_server = global_ca_server[0] %}
 
-
 {% if GLOBALS.pipeline == "KAFKA" %}
 
-{%   if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] %}
+{%   if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone'] %}
 kafka_client_key:
   x509.private_key_managed:
     - name: /etc/pki/kafka-client.key
@@ -71,7 +69,7 @@ kafka_client_crt_perms:
     - group: 939
 {%   endif %}
 
-{%   if grains['role'] in ['so-manager', 'so-managersearch','so-receiver', 'so-standalone'] %}
+{%   if GLOBALS.role in ['so-manager', 'so-managersearch','so-receiver', 'so-standalone'] %}
 kafka_key:
   x509.private_key_managed:
     - name: /etc/pki/kafka.key
@@ -132,7 +130,7 @@ kafka_pkcs12_perms:
 
 # Standalone needs kafka-logstash for automated testing. Searchnode/manager search need it for logstash to consume from Kafka.
 # Manager will have cert, but be unused until a pipeline is created and logstash enabled.
-{%   if grains['role'] in ['so-standalone', 'so-managersearch', 'so-searchnode', 'so-manager'] %}
+{%   if GLOBALS.role in ['so-standalone', 'so-managersearch', 'so-searchnode', 'so-manager'] %}
 kafka_logstash_key:
   x509.private_key_managed:
     - name: /etc/pki/kafka-logstash.key
@@ -191,6 +189,13 @@ kafka_logstash_pkcs12_perms:
     - user: 931
     - group: 939
 
+{%   endif %}
 {% endif %}
 
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
 {% endif %}
\ No newline at end of file