requires and ordering for socusersroles state

salt/elasticsearch/files/curl.config.template

@@ -1 +1 @@
-user = "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user') }}:{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass') }}"
+user = "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', 'NO_USER_SET') }}:{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', 'NO_PW_SET') }}"

salt/manager/init.sls

@@ -21,10 +21,9 @@
 {% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %}
 
 include:
-  - elasticsearch.auth
-  - kibana.secrets
   - salt.minion
-  - kratos
+  - kibana.secrets
+  - manager.sync_es_users
   - manager.elasticsearch
 
 socore_own_saltstack:
@@ -111,21 +110,6 @@ strelka_yara_update:
     - hour: '7'
     - minute: '1'
 
-# Must run before elasticsearch docker container is started!
-syncesusers:
-  cmd.run:
-    - name: so-user sync
-    - env:
-      - SKIP_STATE_APPLY: 'true'
-    - creates:
-      - /opt/so/saltstack/local/salt/elasticsearch/files/users
-      - /opt/so/saltstack/local/salt/elasticsearch/files/users_roles
-      - /opt/so/conf/soc/soc_users_roles
-    - show_changes: False
-    - require:
-      - docker_container: so-kratos
-      - http: wait_for_kratos
-
 {% else %}
 
 {{sls}}_state_not_allowed:

salt/manager/sync_es_users.sls

@@ -0,0 +1,31 @@
+include:
+  - elasticsearch.auth
+  - kratos
+
+so-user.lock:
+  file.missing:
+    - name: /var/tmp/so-user.lock
+
+# Must run before elasticsearch docker container is started!
+sync_es_users:
+  cmd.run:
+    - name: so-user sync
+    - env:
+      - SKIP_STATE_APPLY: 'true'
+    - creates:
+      - /opt/so/saltstack/local/salt/elasticsearch/files/users
+      - /opt/so/saltstack/local/salt/elasticsearch/files/users_roles
+      - /opt/so/conf/soc/soc_users_roles
+    - show_changes: False
+    - require:
+      - docker_container: so-kratos
+      - http: wait_for_kratos
+      - file: so-user.lock # require so-user.lock file to be missing
+
+# we dont want this added too early in setup, so we add the onlyif to verify 'startup_states: highstate'
+# is in the minion config. That line is added before the final highstate during setup
+sosyncusers:
+  cron.present:
+    - user: root
+    - name: 'PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin /usr/sbin/so-user sync &>> /opt/so/log/soc/sync.log'
+    - onlyif: "grep 'startup_states: highstate' /etc/salt/minion"

salt/soc/init.sls

@@ -5,6 +5,9 @@
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
 
+include:
+  - manager.sync_es_users
+
 socdir:
   file.directory:
     - name: /opt/so/conf/soc
@@ -84,14 +87,8 @@ soccustomroles:
 socusersroles:
   file.exists:
     - name: /opt/so/conf/soc/soc_users_roles
-
+    - require:
-# we dont want this added too early in setup, so we add the onlyif to verify 'startup_states: highstate'
+      - sls: manager.sync_es_users
-# is in the minion config. That line is added before the final highstate during setup
-sosyncusers:
-  cron.present:
-    - user: root
-    - name: 'PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin /usr/sbin/so-user sync &>> /opt/so/log/soc/sync.log'
-    - onlyif: "grep 'startup_states: highstate' /etc/salt/minion"
 
 so-soc:
   docker_container.running: