From 72105f1f2f29d25039a2f157b4685d73402ce201 Mon Sep 17 00:00:00 2001
From: Mike Reeves <reevesmk@gmail.com>
Date: Tue, 21 Apr 2026 09:31:45 -0400
Subject: [PATCH] Drop telegraf push from new-minion orch; highstate covers it

New minions run highstate as part of onboarding, which already applies
the telegraf state with the fresh pillar entry we just wrote. Pushing
telegraf a second time from the reactor is redundant.

- Remove the MINION-scoped salt.state block from the orch; keep only
  the manager-side postgres.auth + postgres.telegraf_users provisioning.
- Stop passing minion_id as pillar in the reactor; the orch doesn't
  reference it anymore.
---
 salt/orch/telegraf_postgres_sync.sls | 17 +++++------------
 salt/reactor/telegraf_user_sync.sls  |  2 --
 2 files changed, 5 insertions(+), 14 deletions(-)

diff --git a/salt/orch/telegraf_postgres_sync.sls b/salt/orch/telegraf_postgres_sync.sls
index 90c42fc07..f2a3d950f 100644
--- a/salt/orch/telegraf_postgres_sync.sls
+++ b/salt/orch/telegraf_postgres_sync.sls
@@ -3,9 +3,13 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{% set MINION = salt['pillar.get']('minion_id') %}
 {% set MANAGER = salt['pillar.get']('setup:manager') or salt['grains.get']('master') %}
 
+# Fired by salt/reactor/telegraf_user_sync.sls when salt-key accepts a new
+# minion. Only provisions the per-minion pillar entry and DB role on the
+# manager; the minion itself will pick up its telegraf config on its first
+# highstate during onboarding, so there's no need to push the telegraf state
+# from here.
 manager_sync_telegraf_pg_users:
   salt.state:
     - tgt: {{ MANAGER }}
@@ -13,14 +17,3 @@ manager_sync_telegraf_pg_users:
       - postgres.auth
       - postgres.telegraf_users
     - queue: True
-
-{% if MINION and MINION != MANAGER %}
-{{ MINION }}_apply_telegraf:
-  salt.state:
-    - tgt: {{ MINION }}
-    - sls:
-      - telegraf
-    - queue: True
-    - require:
-      - salt: manager_sync_telegraf_pg_users
-{% endif %}
diff --git a/salt/reactor/telegraf_user_sync.sls b/salt/reactor/telegraf_user_sync.sls
index ec0aec336..4830dbc53 100644
--- a/salt/reactor/telegraf_user_sync.sls
+++ b/salt/reactor/telegraf_user_sync.sls
@@ -10,8 +10,6 @@
   runner.state.orchestrate:
     - args:
       - mods: orch.telegraf_postgres_sync
-      - pillar:
-          minion_id: {{ data['id'] }}
 
 {% do salt.log.info('telegraf_user_sync reactor: syncing telegraf PG user for minion %s' % data['id']) %}