Drop telegraf push from new-minion orch; highstate covers it

New minions run highstate as part of onboarding, which already applies
the telegraf state with the fresh pillar entry we just wrote. Pushing
telegraf a second time from the reactor is redundant.

- Remove the MINION-scoped salt.state block from the orch; keep only
  the manager-side postgres.auth + postgres.telegraf_users provisioning.
- Stop passing minion_id as pillar in the reactor; the orch doesn't
  reference it anymore.

salt/orch/telegraf_postgres_sync.sls

@@ -3,9 +3,13 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{% set MINION = salt['pillar.get']('minion_id') %}
 {% set MANAGER = salt['pillar.get']('setup:manager') or salt['grains.get']('master') %}
 
+# Fired by salt/reactor/telegraf_user_sync.sls when salt-key accepts a new
+# minion. Only provisions the per-minion pillar entry and DB role on the
+# manager; the minion itself will pick up its telegraf config on its first
+# highstate during onboarding, so there's no need to push the telegraf state
+# from here.
 manager_sync_telegraf_pg_users:
   salt.state:
     - tgt: {{ MANAGER }}
@@ -13,14 +17,3 @@ manager_sync_telegraf_pg_users:
       - postgres.auth
       - postgres.telegraf_users
     - queue: True
-
-{% if MINION and MINION != MANAGER %}
-{{ MINION }}_apply_telegraf:
-  salt.state:
-    - tgt: {{ MINION }}
-    - sls:
-      - telegraf
-    - queue: True
-    - require:
-      - salt: manager_sync_telegraf_pg_users
-{% endif %}