include:
  - elasticsearch


# enforce that elasticsearch only starts if the AppArmor profile is loaded
/etc/systemd/system/elasticsearch.service.d:
  file.directory

/etc/systemd/system/elasticsearch.service.d/es-apparmor.conf:
  file.managed:
    - contents:
      - '[service]'
      - AppArmorProfile=elasticsearch
    - require_in:
      - elasticsearch
  cmd.run:
    - name: systemctl daemon-reload
    - onchanges:
      - file: /etc/systemd/system/elasticsearch.service.d/es-apparmor.conf