Don't enforce /etc/enroll if no firewall rules to set in subdir

tests/test_manifest_salt.py

@@ -626,7 +626,9 @@ def test_manifest_salt_renders_firewall_runtime_states(tmp_path: Path):
     assert "firewall_runtime.get('ipset_restore_cmd')" in fqdn_sls
 
 
-def test_manifest_salt_includes_enroll_runtime_for_firewall_notes_only(tmp_path: Path):
+def test_manifest_salt_omits_firewall_runtime_when_no_rules_were_sampled(
+    tmp_path: Path,
+):
     bundle = tmp_path / "bundle"
     out = tmp_path / "salt"
     state = {
@@ -652,16 +654,7 @@ def test_manifest_salt_includes_enroll_runtime_for_firewall_notes_only(tmp_path:
     manifest.manifest(str(bundle), str(out), target="salt")
 
     top = yaml.safe_load((out / "states" / "top.sls").read_text(encoding="utf-8"))
-    assert "roles.enroll_runtime" in top["base"]["*"]
-    assert "roles.firewall_runtime" in top["base"]["*"]
-    assert top["base"]["*"].index("roles.enroll_runtime") < top["base"]["*"].index(
-        "roles.firewall_runtime"
-    )
-    runtime_sls = (out / "states" / "roles" / "enroll_runtime" / "init.sls").read_text(
-        encoding="utf-8"
-    )
-    firewall_sls = (
-        out / "states" / "roles" / "firewall_runtime" / "init.sls"
-    ).read_text(encoding="utf-8")
-    assert '"/etc/enroll":' in runtime_sls
-    assert '- file: "/etc/enroll"' in firewall_sls
+    assert "roles.enroll_runtime" not in top["base"]["*"]
+    assert "roles.firewall_runtime" not in top["base"]["*"]
+    assert not (out / "states" / "roles" / "enroll_runtime").exists()
+    assert not (out / "states" / "roles" / "firewall_runtime").exists()