paha/gist:4fadf2028d53935be6cd

## gistfile1.txt
in top.sls file
...
    {% set roles = salt['grains.get']('roles', []) %}
    {% for role in roles -%}
    - {{ role }}
    {% endfor %}
...

#!pyobjects
# salt://roles/init.sls

if config('cornerstone'):
    roles = grains('roles', None)
    if roles is None:
        include('roles.set')

    # Scheduling a job fails due to known bug (fixed for v2015.2)
    # https://github.com/saltstack/salt/issues/18969
    Schedule.present('verify_roles', function='state.sls',
        args=['roles.verify'], seconds=86400, splay=28800)
else:
    Test.configurable_test_state('Roles_mgt_skipped',
        comment='No cornerstone configuration found.')

#!pyobjects
# salt://roles/set.sls

roles = salt.publish.runner('cs.roles', grains('fqdn'))

# Test if there is a corresponding state to each role
current_states_list = salt.cp.list_states()
for role in roles:
    if role not in current_states_list:
        roles.remove(role)
        Test.configurable_test_state('Role without state',
            result=False, comment='Role; {0}, has no corresponding state.'
                ' Skipped'.format(role))

Test.configurable_test_state('Roles_update',
    comment='Roles update requested. Setting roles to {0}'.format(roles))

if isinstance(roles, list):
    salt.grains.setval('roles', roles)
    # include(','.join(roles))
    for role in roles:
        include(role)

#!pyobjects
# salt://roles/verify.sls

cs_roles = salt.publish.runner('cs.roles', grains('fqdn'))
Test.configurable_test_state('Role_verification',
    comment='Verifying that CS roles: {0} matching grains.'.format(cs_roles))

if not sorted(grains('roles')) == sorted(cs_roles):
    # Grains.absent('roles')
    include('roles.set')
	in top.sls file
	...
	{% set roles = salt['grains.get']('roles', []) %}
	{% for role in roles -%}
	- {{ role }}
	{% endfor %}
	...

	#!pyobjects
	# salt://roles/init.sls

	if config('cornerstone'):
	roles = grains('roles', None)
	if roles is None:
	include('roles.set')

	# Scheduling a job fails due to known bug (fixed for v2015.2)
	# https://github.com/saltstack/salt/issues/18969
	Schedule.present('verify_roles', function='state.sls',
	args=['roles.verify'], seconds=86400, splay=28800)
	else:
	Test.configurable_test_state('Roles_mgt_skipped',
	comment='No cornerstone configuration found.')

	#!pyobjects
	# salt://roles/set.sls

	roles = salt.publish.runner('cs.roles', grains('fqdn'))

	# Test if there is a corresponding state to each role
	current_states_list = salt.cp.list_states()
	for role in roles:
	if role not in current_states_list:
	roles.remove(role)
	Test.configurable_test_state('Role without state',
	result=False, comment='Role; {0}, has no corresponding state.'
	' Skipped'.format(role))

	Test.configurable_test_state('Roles_update',
	comment='Roles update requested. Setting roles to {0}'.format(roles))

	if isinstance(roles, list):
	salt.grains.setval('roles', roles)
	# include(','.join(roles))
	for role in roles:
	include(role)

	#!pyobjects
	# salt://roles/verify.sls

	cs_roles = salt.publish.runner('cs.roles', grains('fqdn'))
	Test.configurable_test_state('Role_verification',
	comment='Verifying that CS roles: {0} matching grains.'.format(cs_roles))

	if not sorted(grains('roles')) == sorted(cs_roles):
	# Grains.absent('roles')
	include('roles.set')