requires and ordering for socusersroles state

2025-12-06 01:02:46 +01:00 · 2022-01-10 14:39:00 -05:00
parent beb9a33628
commit 716c98ec61
4 changed files with 39 additions and 27 deletions
--- a/salt/elasticsearch/files/curl.config.template
+++ b/salt/elasticsearch/files/curl.config.template
@@ -1 +1 @@
-user = "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user') }}:{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass') }}"
+user = "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', 'NO_USER_SET') }}:{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', 'NO_PW_SET') }}"
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -21,10 +21,9 @@
 {% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %}

 include:
-  - elasticsearch.auth
-  - kibana.secrets
  - salt.minion
-  - kratos
+  - kibana.secrets
+  - manager.sync_es_users
  - manager.elasticsearch

 socore_own_saltstack:
@@ -111,21 +110,6 @@ strelka_yara_update:
    - hour: '7'
    - minute: '1'

-# Must run before elasticsearch docker container is started!
-syncesusers:
-  cmd.run:
-    - name: so-user sync
-    - env:
-      - SKIP_STATE_APPLY: 'true'
-    - creates:
-      - /opt/so/saltstack/local/salt/elasticsearch/files/users
-      - /opt/so/saltstack/local/salt/elasticsearch/files/users_roles
-      - /opt/so/conf/soc/soc_users_roles
-    - show_changes: False
-    - require:
-      - docker_container: so-kratos
-      - http: wait_for_kratos
-
 {% else %}

 {{sls}}_state_not_allowed:
--- a/salt/manager/sync_es_users.sls
+++ b/salt/manager/sync_es_users.sls
@@ -0,0 +1,31 @@
+include:
+  - elasticsearch.auth
+  - kratos
+
+so-user.lock:
+  file.missing:
+    - name: /var/tmp/so-user.lock
+
+# Must run before elasticsearch docker container is started!
+sync_es_users:
+  cmd.run:
+    - name: so-user sync
+    - env:
+      - SKIP_STATE_APPLY: 'true'
+    - creates:
+      - /opt/so/saltstack/local/salt/elasticsearch/files/users
+      - /opt/so/saltstack/local/salt/elasticsearch/files/users_roles
+      - /opt/so/conf/soc/soc_users_roles
+    - show_changes: False
+    - require:
+      - docker_container: so-kratos
+      - http: wait_for_kratos
+      - file: so-user.lock # require so-user.lock file to be missing
+
+# we dont want this added too early in setup, so we add the onlyif to verify 'startup_states: highstate'
+# is in the minion config. That line is added before the final highstate during setup
+sosyncusers:
+  cron.present:
+    - user: root
+    - name: 'PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin /usr/sbin/so-user sync &>> /opt/so/log/soc/sync.log'
+    - onlyif: "grep 'startup_states: highstate' /etc/salt/minion"
--- a/salt/soc/init.sls
+++ b/salt/soc/init.sls
@@ -5,6 +5,9 @@
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}

+include:
+  - manager.sync_es_users
+
 socdir:
  file.directory:
    - name: /opt/so/conf/soc
@@ -84,14 +87,8 @@ soccustomroles:
 socusersroles:
  file.exists:
    - name: /opt/so/conf/soc/soc_users_roles
-
-# we dont want this added too early in setup, so we add the onlyif to verify 'startup_states: highstate'
-# is in the minion config. That line is added before the final highstate during setup
-sosyncusers:
-  cron.present:
-    - user: root
-    - name: 'PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin /usr/sbin/so-user sync &>> /opt/so/log/soc/sync.log'
-    - onlyif: "grep 'startup_states: highstate' /etc/salt/minion"
+    - require:
+      - sls: manager.sync_es_users

 so-soc:
  docker_container.running: