Is your feature request related to a problem? Please describe.
Currently, secret values are passed to the lambda-promtail Lambda function as environment variables:
CloudFormation:
loki/tools/lambda-promtail/template.yaml
Lines 98 to 99 in 5190dda
Terraform:
loki/tools/lambda-promtail/main.tf
Lines 172 to 173 in 5190dda
Passing secrets as an environment variable is not very secure and makes it difficult to rotate the secret (https://blog.jannikwempe.com/how-to-securely-use-secrets-in-aws-lambda). And, in CloudFormation/AWS CDK, dealing with secrets at template synthesis time is a challenge because, unlike Terraform, you can't fetch a secret from SSM/Secrets Manager at plan/deploy time.
A better practice would be to fetch the secret at runtime from Systems Manager Parameter Store (a SecureString) or Secrets Manager. This would be beneficial because:
The secret would not be stored in plaintext in the environment variables of the Lambda.
You could update the secret value and automatically get the new value in the Lambda function.
You could avoid having secrets checked into your Terraform / CloudFormation templates.
Describe the solution you'd like
All secret values (right now, PASSWORD/BEARER_TOKEN) should accept an ARN of an SSM parameter or Secrets Manager secret. In the Lambda logic, if an ARN is detected, it should use the AWS SDK to fetch the SSM parameter or Secrets Manager secret at runtime.
Describe alternatives you've considered
Alternatively, you could create new parameters (e.g., PASSWORD_SECRET_ARN / PASSWORD_SECRET_PARAMETER_ARN) to make it more explicit. Then, the user would be expected to set only one of the parameters.
Additional context
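The runtime lookup proposed in this issue, written out as an added Go example; it is not code from lambda-promtail or from the issue author. It assumes a SecretFetcher interface standing in for the two AWS SDK calls (ssm GetParameter with WithDecryption set, and secretsmanager GetSecretValue, both of which accept a full ARN as the identifier) and backs it with an in-memory fake so it runs offline; every ARN and secret value in it is constructed. It goes one step beyond the issue text by caching each fetched value for a TTL, so a rotated secret is picked up on a warm Lambda without a redeploy, and by rejecting an ARN for any other service instead of quietly using it as the literal password.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// SecretFetcher is the seam to the AWS SDK. A real implementation wraps ssm.GetParameter
// (WithDecryption=true, required for a SecureString) and secretsmanager.GetSecretValue;
// both accept a full ARN as the identifier, so the ARN is passed through untouched.
type SecretFetcher interface {
	GetSSMParameter(ctx context.Context, arn string) (string, error)
	GetSecret(ctx context.Context, arn string) (string, error)
}

// ErrUnsupportedARN makes a mistyped or foreign ARN fail loudly instead of being used as the password.
var ErrUnsupportedARN = errors.New("unsupported secret ARN")

// classifyARN returns "" for a plain value, the service name for a supported ARN, and an
// error for any other ARN. Layout: arn:partition:service:region:account:resource
func classifyARN(v string) (string, error) {
	if !strings.HasPrefix(v, "arn:") {
		return "", nil
	}
	if parts := strings.SplitN(v, ":", 6); len(parts) == 6 {
		switch svc, res := parts[2], parts[5]; {
		case svc == "ssm" && strings.HasPrefix(res, "parameter/"):
			return "ssm", nil
		case svc == "secretsmanager" && strings.HasPrefix(res, "secret:"):
			return "secretsmanager", nil
		}
	}
	return "", fmt.Errorf("%w: %q", ErrUnsupportedARN, v)
}

// Resolver maps a configured value to the secret it denotes. Plain values pass through, so
// existing deployments keep working; ARNs are fetched and cached for ttl, so a rotated
// secret is picked up on a warm Lambda without a redeploy and without a call per invocation.
type Resolver struct {
	fetcher SecretFetcher
	ttl     time.Duration
	mu      sync.Mutex // guards cache if Resolve is called from several goroutines
	cache   map[string]cachedSecret
}

type cachedSecret struct {
	value   string
	expires time.Time
}
func NewResolver(f SecretFetcher, ttl time.Duration) *Resolver {
	return &Resolver{fetcher: f, ttl: ttl, cache: map[string]cachedSecret{}}
}

func (r *Resolver) Resolve(ctx context.Context, v string) (string, error) {
	svc, err := classifyARN(v)
	if svc == "" {
		return v, err // plain value passes through unchanged (legacy behaviour); an unusable ARN sets err
	}
	r.mu.Lock() // held across the fetch so concurrent callers do not each hit the API
	defer r.mu.Unlock()
	if c, ok := r.cache[v]; ok && time.Now().Before(c.expires) {
		return c.value, nil
	}
	var secret string
	if svc == "ssm" {
		secret, err = r.fetcher.GetSSMParameter(ctx, v)
	} else {
		secret, err = r.fetcher.GetSecret(ctx, v)
	}
	if err != nil {
		return "", fmt.Errorf("fetching %s: %w", v, err) // names the ARN, never the value
	}
	r.cache[v] = cachedSecret{value: secret, expires: time.Now().Add(r.ttl)}
	return secret, nil
}

// fakeFetcher stands in for the AWS SDK so the example runs offline; every ARN and value is constructed.
type fakeFetcher struct{ data map[string]string }
func (f *fakeFetcher) GetSSMParameter(_ context.Context, arn string) (string, error) { return f.get(arn) }
func (f *fakeFetcher) GetSecret(_ context.Context, arn string) (string, error)       { return f.get(arn) }
func (f *fakeFetcher) get(arn string) (string, error) {
	if v, ok := f.data[arn]; ok {
		return v, nil
	}
	return "", errors.New("not found")
}

func main() {
	const ssmARN = "arn:aws:ssm:us-east-1:123456789012:parameter/promtail/password" // constructed
	r := NewResolver(&fakeFetcher{data: map[string]string{ssmARN: "hunter2"}}, 5*time.Minute)
	for _, v := range []string{"literal-password", ssmARN, "arn:aws:s3:::bucket"} {
		secret, err := r.Resolve(context.Background(), v)
		fmt.Printf("%s -> %q (err: %v)\n", v, secret, err)
	}
}
```

Wiring in the real SDK means implementing SecretFetcher with the two calls named above and granting the Lambda execution role ssm:GetParameter plus kms:Decrypt on the parameter's key for a SecureString, or secretsmanager:GetSecretValue for a secret. With those permissions missing, the fetch fails when the value is first resolved rather than silently sending an empty password, which is where a misconfiguration should surface.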