From ee89b78751b2cc4117ec9507ed82c5da14b0f0cd Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 20 Apr 2026 19:54:06 -0400
Subject: [PATCH] Fire telegraf user sync on salt/key accept, not salt/auth
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
salt/auth fires on every minion authentication — including every minion restart and every master restart — so the reactor was re-running the postgres.auth + postgres.telegraf_users + telegraf orchestration for every already-accepted minion on every reconnect. The underlying states are idempotent, so this was wasted work and log noise, not a correctness issue. Switch the subscription to salt/key, which fires only when the master actually changes a key's state (accept / reject / delete). Match the pattern used by salt/reactor/check_hypervisor.sls (registered in salt/salt/cloud/reactor_config_hypervisor.sls) and add the result==True guard so half-failed key operations don't trigger the orchestration.
---
 salt/reactor/telegraf_user_sync.sls | 4 ++--
 salt/salt/master.sls | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/salt/reactor/telegraf_user_sync.sls b/salt/reactor/telegraf_user_sync.sls
index abf35d3b2..ec0aec336 100644
--- a/salt/reactor/telegraf_user_sync.sls
+++ b/salt/reactor/telegraf_user_sync.sls
@@ -3,8 +3,8 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{# Fires on salt/auth. Only act on accepted keys — ignore pending/reject. #}
-{% if data.get('act') == 'accept' and data.get('id') %}
+{# Fires on salt/key. Only act on successful key acceptance — not reauth. #}
+{% if data.get('act') == 'accept' and data.get('result') == True and data.get('id') %}
 
 {{ data['id'] }}_telegraf_pg_sync:
 runner.state.orchestrate:
diff --git a/salt/salt/master.sls b/salt/salt/master.sls
index 7e3e48074..e61b09d21 100644
--- a/salt/salt/master.sls
+++ b/salt/salt/master.sls
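Review bot: The new guard on the `{% if %}` line only sees keys that pass through the key wheel (salt-key / wheel key.accept); a minion whose key is accepted by the master's auto_accept or autosign path is, as far as I recall, announced on salt/auth only, so its postgres/telegraf users would never be synced under this subscription — worth confirming against the Salt version in use before merging. That assumption belongs in the comment, e.g. `{# Fires on salt/key (salt-key / wheel key.accept). Autosigned keys do not raise this event; cover them elsewhere if autosign is enabled. #}`. Separately, `data.get('result') == True` is Python style; the Jinja idiom is `data.get('result') is sameas true`, which also refuses a truthy non-bool such as 1. The `{% if %}` block closes outside the hunk.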
@@ -67,7 +67,7 @@ reactor_config_telegraf:
 - name: /etc/salt/master.d/reactor_telegraf.conf
 - contents: |
 reactor:
- - 'salt/auth':
+ - 'salt/key':
 - /opt/so/saltstack/default/salt/reactor/telegraf_user_sync.sls
 - user: root
 - group: root
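Review bot: The generated /etc/salt/master.d/reactor_telegraf.conf carries no hint of why it subscribes to salt/key rather than salt/auth, and an operator reading the master config will not see the comment in the reactor sls. A one-line YAML comment inside the `contents: |` block, placed just above the `- 'salt/key':` entry, would preserve the rationale, e.g. `# salt/key fires only on key state changes (accept/reject/delete), not on every minion auth; telegraf_user_sync.sls filters on act/result`. The enclosing reactor_config_telegraf state starts before the hunk.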