change so-elasticsearch-cluster settings to include heavynode, and only run on managers

salt/elasticsearch/enabled.sls

@@ -145,6 +145,7 @@ es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
 {%       endfor %}
 {%     endif %}
 
+{% if GLOBALS.role in GLOBALS.manager_roles %}
 so-es-cluster-settings:
   cmd.run:
     - name: /usr/sbin/so-elasticsearch-cluster-settings
@@ -153,6 +154,7 @@ so-es-cluster-settings:
     - require:
       - docker_container: so-elasticsearch
       - file: elasticsearch_sbin_jinja
+{% endif %}
 
 so-elasticsearch-ilm-policy-load:
   cmd.run:

salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-cluster-settings

@@ -3,6 +3,8 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
+{%- from 'vars/globals.map.jinja' import GLOBALS %}
+{%- set node_data = salt['pillar.get']('logstash:nodes', {GLOBALS.role.split('-')[1]: {GLOBALS.hostname: {'ip': GLOBALS.node_ip}}}) %}
 
 . /usr/sbin/so-common
 
@@ -32,9 +34,12 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
   exit
 fi
 
-# Check to see if config already exists
-CLUSTER_SETTINGS=$(so-elasticsearch-query _cluster/settings | jq .persistent.cluster.remote)
-if [[ ! -z "$CLUSTER_SETTINGS" ]]; then
+{%- if GLOBALS.role in [ 'so-manager', 'so-managersearch', 'so-standalone'] %}
   echo "Applying cross cluster search config..."
   so-elasticsearch-query _cluster/settings -d "{\"persistent\": {\"cluster\": {\"remote\": {\"{{ GLOBALS.manager }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" -XPUT
-fi
+{%-   if node_data['heavynode'] is defined %}
+{%-     for hostname, node_details in node_data['heavynode'].items() %}
+  so-elasticsearch-query _cluster/settings -d "{\"persistent\": {\"cluster\": {\"remote\": {\"{{ hostname }}\": {\"seeds\": [\"{{node_details.ip}}:9300\"]}}}}}" -XPUT
+{%-     endfor %}
+{%-   endif %}
+{%- endif %}