From a81ac4b704bb503438fbfde0e58640ca0cd08553 Mon Sep 17 00:00:00 2001
From: Grant Slater <github@firefishy.com>
Date: Thu, 6 Nov 2025 20:40:03 +0000
Subject: [PATCH] prometheus: Use aws databag

---
 cookbooks/prometheus/recipes/server.rb                     | 7 ++++---
 cookbooks/prometheus/templates/default/aws-credentials.erb | 4 ++--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/cookbooks/prometheus/recipes/server.rb b/cookbooks/prometheus/recipes/server.rb
index 4a4986333..1e297ebd3 100644
--- a/cookbooks/prometheus/recipes/server.rb
+++ b/cookbooks/prometheus/recipes/server.rb
@@ -24,6 +24,7 @@ include_recipe "networking"
 
 passwords = data_bag_item("prometheus", "passwords")
 tokens = data_bag_item("prometheus", "tokens")
+aws = data_bag_item("prometheus", "aws")
 admins = data_bag_item("apache", "admins")
 
 prometheus_exporter "fastly" do
@@ -62,8 +63,8 @@ prometheus_exporter "cloudwatch" do
     --enable-feature=aws-sdk-v2
     --enable-feature=always-return-info-metrics
   ]
-  environment "AWS_ACCESS_KEY_ID" => "AKIASQUXHPE7JHG37EA6",
-              "AWS_SECRET_ACCESS_KEY" => tokens["cloudwatch"]
+  environment "AWS_ACCESS_KEY_ID" => aws["cloudwatch_access_key_id"],
+              "AWS_SECRET_ACCESS_KEY" => aws["cloudwatch_secret_access_key"]
   subscribes :restart, "template[/etc/prometheus/cloudwatch.yml]"
 end
 
@@ -396,7 +397,7 @@ template "/var/lib/prometheus/.aws/credentials" do
   user "prometheus"
   group "prometheus"
   mode "600"
-  variables :passwords => passwords
+  variables :aws => aws
 end
 
 template "/usr/local/bin/prometheus-backup-data" do
diff --git a/cookbooks/prometheus/templates/default/aws-credentials.erb b/cookbooks/prometheus/templates/default/aws-credentials.erb
index dd691415c..7831be373 100644
--- a/cookbooks/prometheus/templates/default/aws-credentials.erb
+++ b/cookbooks/prometheus/templates/default/aws-credentials.erb
@@ -1,6 +1,6 @@
 [osm-prometheus-data]
-aws_access_key_id = <%= @passwords["aws_access_key_id"] %>
-aws_secret_access_key = <%= @passwords["aws_secret_access_key"] %>
+aws_access_key_id = <%= @aws["prometheus_access_key_id"] %>
+aws_secret_access_key = <%= @aws["prometheus_secret_access_key"] %>
 
 [osm-prometheus-data-upload]
 role_arn=arn:aws:iam::173189593406:role/osm-prometheus-data-upload-role
-- 
2.39.5