Use Environment File in Systemd for AWS Settings for remote_write configuration #643

Closed
lchopfpt opened this issue Jan 1, 2023 · 1 comment

lchopfpt commented Jan 1, 2023

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 6.25.1
  • Ruby:
  • Distribution:
  • Module version: 12.3.0 and 12.4.0

How to reproduce (e.g Puppet code you use)

Any Puppet code that will spin up a Prometheus server instance

What are you seeing

To use Prometheus remote_write sigv4 settings and supply the AWS key and secret using Hiera, the key/secret can only be applied via the remote_write_configs option, in the array, which then puts those values right into the prometheus.yaml.

What behaviour did you expect instead

An option to supply an environment file to be used by systemd to hide the configuration more.

Output log

N/A

Any additional information you'd like to impart

@TheMeier
Contributor

The config directory has mode 0750, the config file itself has mode 0640 with owner root, group prometheus for both. So one would need to be a member of the prometheus group to read the file.

The config file may contain many other secrets like webhook URLs, tokens etc. So you need to treat it as a file containing secrets anyway. (Anything <secret> in https://prometheus.io/docs/prometheus/latest/configuration/configuration/)

For systems using systemd (which is quite widespread now) you could simply set environment variables using https://github.com/voxpupuli/puppet-systemd/blob/master/REFERENCE.md#systemd--manage_dropin to achieve what you want.

@lchopfpt I am closing this, since I think it is not an issue. Please re-open if you think I missed something here.
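
The drop-in approach suggested above, as an added example that is not part of the original thread or of either module's own code: the AWS keys go into a root-only environment file that systemd loads, and the `sigv4` block in `remote_write_configs` leaves `access_key`/`secret_key` blank so Prometheus falls back to `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. Assumptions: the Hiera keys, file paths, region, URL placeholder, the `prometheus` unit/service name, the `Service['prometheus']` resource title and the `EnvironmentFile` key under `service_entry` are illustrative and should be checked against the module versions in use.

```puppet
# Hypothetical Hiera keys (e.g. stored with hiera-eyaml), assumed to return plain strings.
$aws_key_id = lookup('profile::prometheus::aws_access_key_id')
$aws_secret = lookup('profile::prometheus::aws_secret_access_key')

# Environment file read by systemd (as root) before the service starts,
# so it can be stricter than the 0640 root:prometheus config file.
file { '/etc/prometheus/remote_write.env':
  ensure    => file,
  owner     => 'root',
  group     => 'root',
  mode      => '0600',
  show_diff => false,   # keep the secret out of agent logs and reports
  content   => Sensitive("AWS_ACCESS_KEY_ID=${aws_key_id}\nAWS_SECRET_ACCESS_KEY=${aws_secret}\n"),
  require   => Class['prometheus'],      # config directory is managed by the module
  notify    => Service['prometheus'],    # assumed title of the module's service resource
}

# Drop-in for the Prometheus unit that points at the environment file.
systemd::manage_dropin { 'aws-credentials.conf':
  ensure        => present,
  unit          => 'prometheus.service',
  service_entry => {
    'EnvironmentFile' => '/etc/prometheus/remote_write.env',
  },
  notify        => Service['prometheus'],
}

# remote_write with sigv4 but without access_key/secret_key, so nothing
# secret from this block is written to the generated Prometheus config.
class { 'prometheus':
  manage_prometheus_server => true,
  remote_write_configs     => [
    {
      'url'   => 'https://REMOTE_WRITE_ENDPOINT_PLACEHOLDER/api/v1/remote_write',
      'sigv4' => {
        'region' => 'us-east-1',   # constructed sample value
      },
    },
  ],
}
```

Values loaded this way stay out of the Prometheus config file but are still part of the process environment, which root and the service's own user can read from `/proc/<pid>/environ`.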
