From a149ea7e8f39a5da7ca1db2c569ab4072bfad527 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 21 Apr 2026 09:59:46 -0400 Subject: [PATCH] Skip per-minion pillar fan-out when cred is already in place Every postgres.auth run was rewriting every minion pillar file via two so-yaml.py replace calls, even when nothing had changed. Passwords are only generated on first encounter (see the `if key not in telegraf_users` guard) and never rotate, so re-writing the same values on every apply is wasted work and noisy state output. Add an `unless:` check that compares the already-written postgres.telegraf.user to the one we'd set. If they match, skip the fan-out entirely. On first apply for a new minion the key isn't there, so the replace runs; on subsequent applies it's a no-op. --- salt/postgres/auth.sls | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/salt/postgres/auth.sls b/salt/postgres/auth.sls index 0b94ece99..44c89c581 100644 --- a/salt/postgres/auth.sls +++ b/salt/postgres/auth.sls @@ -73,6 +73,13 @@ postgres_telegraf_minion_pillar_{{ safe }}: fi /usr/sbin/so-yaml.py replace "$PILLAR_FILE" postgres.telegraf.user '{{ entry.user }}' /usr/sbin/so-yaml.py replace "$PILLAR_FILE" postgres.telegraf.pass '{{ entry.pass }}' + {#- Skip if this minion's pillar file already carries a matching user. + Passwords are generated once per minion (see the `if key not in telegraf_users` + guard above) and never rotate, so once a cred is fanned out the file + doesn't need to be rewritten on subsequent auth runs. If we ever add + rotation, we'd need to delete postgres.telegraf to force a re-fan. #} + - unless: | + [ "$(/usr/sbin/so-yaml.py get -r /opt/so/saltstack/local/pillar/minions/{{ mid }}.sls postgres.telegraf.user 2>/dev/null)" = '{{ entry.user }}' ] - require: - file: postgres_auth_pillar
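Review bot: the new `unless:` guards on `postgres.telegraf.user` only, but the state it skips writes two keys, `postgres.telegraf.user` and `postgres.telegraf.pass`. If an earlier run wrote the user and then failed before the second `so-yaml.py replace` (or the pass key is later removed or corrupted by hand), every subsequent apply will see a matching user and skip the fan-out, leaving the minion without a usable password and nothing in the state output to flag it. The commit message's "passwords never rotate" argument covers the steady state, not a half-written file. Consider also checking that `postgres.telegraf.pass` is present (or equal to `{{ entry.pass }}`) before declaring the state a no-op, e.g. extend the test to `... = '{{ entry.user }}' ] && [ -n "$(/usr/sbin/so-yaml.py get -r ... postgres.telegraf.pass 2>/dev/null)" ]`. Second point: the `unless` hard-codes `/opt/so/saltstack/local/pillar/minions/{{ mid }}.sls`, while the `cmd` body reads and writes `$PILLAR_FILE`, which the `fi` in the leading context shows is derived conditionally. If those two ever resolve to different paths, the check inspects one file and the write targets another; either reuse the same path derivation in the `unless` or add a comment stating they are guaranteed identical. Minor: the Jinja comment says to delete `postgres.telegraf` to force a re-fan if rotation is added; that recovery step should also live in the commit message or the state's documentation, since it is the only way to re-trigger the write once this guard is in place.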