Situation:
Using saltstack salt 2016.3.1 (Boron). Fresh install to new Ubuntu 14.04 x64 VM
Using pillarstack with the following config.
# Set up environment
environments/{{ pillar.get('environment', '') }}.sls
# Set up roles
roles/defaults.sls
{% for role in pillar.get('roles', []) -%}
roles/{{ role }}.sls
roles/{{ role }}_{{ pillar.get('environment', '') }}.sls
{% endfor -%}
# The exception is the rule
{% set hostname, domainname = minion_id.split('.',1) %}
minions/{{ domainname | replace('.','_') }}/{{ hostname }}.sls
Pillar files on salt master under /srv/pillar
This is currently the simplest setup of a salt master/minion on one machine.
Using the mine to collect internal IP addresses; the minion configuration in pillar is as follows.
# Configure all minions to report internal ip addresses to mine
mine_functions:
  network.interfaces: []
  internal_ip_addrs:
    mine_function: network.ip_addrs
    interface: eth1
    cidr: '10.0.0.0/8'
So far, so good.
# salt \* mine.get '*' internal_ip_addrs
mgt001.mon.haraka-services.com:
    ----------
    mgt001.mon.haraka-services.com:
        - 10.131.23.164
Mine seems to have the data I want.
Also fine via salt master (same machine, but I thought it worth checking)
# salt-run mine.get '*' internal_ip_addrs
mgt001.mon.haraka-services.com:
    - 10.131.23.164
Why? Someone's bound to ask. I'm using DigitalOcean and the internal network, while not internet facing, is not private, and I need to shore up security using iptables to isolate my system somewhat. (I'd probably do a lot of this anyway, but this is the specific motivation this time :) )
Now the troublesome part.
In pillar (configuration for the iptables formula, to strictly limit access to the master to my minions):
firewall:
  services:
    '4505':
      block_nomatch: False
      ips_allow:
        {#- mine.get returns {minion_id: [ip, ...]}; .items() is needed, a dict alone iterates keys #}
        {%- for server, ip in __salt__['mine.get']('*', 'internal_ip_addrs').items() %}
        - {{ ip[0] }}/32
        {%- endfor %}
      interfaces:
        - eth1
    '4506':
      block_nomatch: False
      ips_allow:
        {%- for server, ip in __salt__['mine.get']('*', 'internal_ip_addrs').items() %}
        - {{ ip[0] }}/32
        {%- endfor %}
      interfaces:
        - eth1
Note: I found I had to use __salt__ rather than salt (something to do with pillarstack?), but otherwise this is as per examples I've seen online.
Problem:
Sadly, it's not working. This produces the following pillar data:
# salt \* pillar.get firewall
mgt001.mon.haraka-services.com:
    ----------
    enabled:
        True
    install:
        True
    services:
        ----------
        4505:
            ----------
            block_nomatch:
                False
            interfaces:
                - eth1
            ips_allow:
                None
        4506:
            ----------
            block_nomatch:
                False
            interfaces:
                - eth1
            ips_allow:
                None
        ssh:
            ----------
            block_nomatch:
                False
            interfaces:
                - eth1
            ips_allow:
                - /32
Note: the final entry, ssh, is configured elsewhere as follows.
firewall:
  enabled: True
  install: True
  services:
    ssh:
      block_nomatch: False
      ips_allow:
        - {{ __salt__['mine.get']('mgt001.mon.*', 'internal_ip_addrs')[0] }}/32
      interfaces:
        - eth1
As you can see, I'm getting no result back from __salt__['mine.get']('*', 'internal_ip_addrs').
I've been bashing this over the head for a couple of hours and I'm thinking I've missed something blindingly obvious. Any ideas much appreciated.
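The Jinja loops in the post are doing three things at once: unpacking the dict that mine.get returns ({minion_id: [address, ...]}), turning each address into a /32, and feeding the result to the iptables formula. The script below is an added example, not code from the original post or from the iptables formula, that does the same transformation in plain Python so it can be checked offline: it flattens the mine data, keeps only addresses inside the 10.0.0.0/8 range the mine function was configured with, emits one ACCEPT rule per host and port on eth1, and refuses to render anything when the mine is empty (the situation the post ends in) instead of silently producing an allow-list with no entries or a bare "/32". The rule format, the function names, the trailing DROP per port and the sample mine data (built from the output shown in the post) are all assumptions of this example.

```python
"""Build an iptables allow-list for the salt master ports from salt mine data.

Added example, not part of the original post. Mirrors the Jinja loop in the
pillar: takes the dict mine.get returns ({minion_id: [ip, ...]}) and emits one
ACCEPT rule per minion address and port, failing closed on empty input.
Assumed: rule format, function names, the per-port DROP, and the sample data.
"""
import ipaddress

# Constructed sample: the shape mine.get returns, taken from the post's output.
SAMPLE_MINE = {
    "mgt001.mon.haraka-services.com": ["10.131.23.164"],
}

MASTER_PORTS = (4505, 4506)                       # salt publish / return ports
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # cidr used in mine_functions


def mine_to_hosts(mine_data, allowed_net=INTERNAL_NET):
    """Flatten {minion: [ip, ...]} into sorted host networks inside allowed_net.

    Values that are not valid addresses, or that fall outside allowed_net, are
    dropped rather than turned into an empty or over-broad rule.
    """
    hosts = set()
    # .items(): iterating a dict directly yields only the minion ids
    for _minion, addrs in mine_data.items():
        for addr in addrs or []:
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                continue  # garbage in the mine must not become a rule
            if ip in allowed_net:
                hosts.add(ipaddress.ip_network(str(ip)))  # single host -> /32
    return sorted(hosts)


def build_rules(mine_data, ports=MASTER_PORTS, iface="eth1", allowed_net=INTERNAL_NET):
    """Return iptables INPUT rules allowing `ports` on `iface` from mine hosts.

    Fails closed: an empty mine (what the post observes) raises instead of
    rendering an allow-list with no entries.
    """
    hosts = mine_to_hosts(mine_data, allowed_net)
    if not hosts:
        raise ValueError("mine returned no usable internal addresses; refusing to render")
    rules = []
    for port in ports:
        for net in hosts:
            rules.append(f"-A INPUT -i {iface} -p tcp -s {net} --dport {port} -j ACCEPT")
        # Explicit drop so unmatched sources are rejected on this port even if the
        # formula's block_nomatch is False (assumed policy for this example).
        rules.append(f"-A INPUT -i {iface} -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in build_rules(SAMPLE_MINE):
        print(rule)
```

Run it against the mine dump from salt-run mine.get (or any dict of the same shape) before wiring the data into pillar; if it raises, the problem is data availability in the rendering context, and if it renders the rules you expect, what is left to debug is the Jinja.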