in reply to Holding site variables
Which are off limits to everybody by default (chmod 600, owned by root). Now, by adding users to one or more groups and setting ACLs on the files for those groups, you keep everyone safe (plus r-x on the directory, to get in). In similar fashion, the user your application runs under is not in the groups that get access to the dev credentials.
https://www.geeksforgeeks.org/access-control-listsacl-linux/
And should a developer wear two hats, how about creating two user IDs for that person, so that an "oops" is minimized?
Now that's all nice and well, but you need your Perl myvars.pm to load what it can and skip what it can't, and to do some sanity checks when a variable it expects is missing — but you can program that in.
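#!/usr/bin/perl
# Demo caller: loads the site-variable package from the MYLIB directory
# next to this script and reports which variable sets were picked up.
use strict;
use warnings;
use feature 'say';
use File::Basename qw(dirname);
use Cwd qw(abs_path);

# MYLIB is resolved from the script's real location, not the cwd, so the
# loader finds the same directory no matter where the script is run from.
use lib dirname( abs_path $0 ) . '/MYLIB';
use myvars qw(get_pass %VARSETS);

# Plain call syntax: &get_pass() bypasses prototypes and is discouraged.
# Demo only -- echoing a credential to stdout puts it in terminal history
# and any captured log; drop this line outside the demo.
say "PASS=" . get_pass();
say "DEBUG: Got variables set '$_' from file: $VARSETS{$_}"
    for sort keys %VARSETS;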
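package myvars;    # still not a cromulent package name
# Loads every "<set>-<tag>.pm" file in the MYLIB directory that the running
# user can read. The first readable file per <set> wins; later ones for the
# same set are reported and skipped. Readability is decided by the file
# permissions/ACLs, so a process that cannot read database-pr.pm simply
# never sees the production credential.
use strict;
use warnings;
use feature 'say';
use Exporter qw(import);
use Cwd qw(abs_path);
use File::Basename qw(dirname);

our @EXPORT_OK = qw(get_pass %VARSETS);

# variable-set name => file it was loaded from
our %VARSETS;

# Filled in by the loaded files; stays '' when no readable file provides it.
our $env_db_pass = '';

my $me    = 'myvars.pm';
my $medir = dirname( abs_path $0 ) . '/MYLIB';

# Candidates: regular *.pm files other than this loader; dotfiles skipped.
# The original error text interpolated $_[0], which is empty at file scope.
opendir( my $dh, $medir ) or die "Can't opendir $medir: $!";
my @list = grep { !/\A\./ && /\.pm\z/ && $_ ne $me && -f "$medir/$_" }
           sort readdir($dh);
closedir $dh;

for my $file (@list) {
    my $fqfile = "$medir/$file";

    # Set name is the part before the first '-' (database-et.pm -> database).
    # Fall back to the whole name so a leading '-' never yields an undef key.
    my ($varset) = $file =~ /\A([^-]+)/;
    $varset //= $file;

    if ( !-r $fqfile ) {
        say "DEBUG: skip $fqfile";
        next;
    }
    say "DEBUG: reading $fqfile";

    if ( $VARSETS{$varset} ) {
        warn "ERROR($varset): Already have $VARSETS{$varset}, discarding $file\n";    # die? croak? use Carp; ?
        next;
    }

    # require *executes* the file, so write access to MYLIB matters as much
    # as read access: whoever can drop a .pm in here runs code as this user.
    # NOTE(review): a require()d file starts in package main, so its
    # `our $env_db_pass` would land in main:: unless the file declares
    # `package myvars;` -- confirm against the real database-*.pm files.
    require $fqfile;
    $VARSETS{$varset} = $file;
}

# Demo-only: echoes the loaded credential at load time; remove it before
# anything that logs stdout gets near real secrets.
say "myvars.pm: CREDENTIALS($env_db_pass)";

# Accessor for the credential loaded above ('' when none was readable).
sub get_pass {
    return $env_db_pass;
}

1;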
# database-et.pm -- the development variable set, i.e. the file the dev
# group is granted read access to under the ACL scheme above. The value of
# the assignment is the file's return value, which is true, so require()
# accepts it without an explicit trailing 1;.
# NOTE(review): without a package line this `our` lives in package main
# when require()d -- confirm that is what the loader expects.
our $env_db_pass = q{devpass};
# database-pr.pm -- the production variable set; a process that cannot read
# this file (per its ACL) never sees the value at all. The assignment's
# value is the file's true return value, so require() accepts it.
# NOTE(review): without a package line this `our` lives in package main
# when require()d -- confirm that is what the loader expects.
our $env_db_pass = q{prodpass};
Which would:
DEBUG: reading /home/fbrm/CODE/PERL/monks/11158449/MYLIB/database-et.pm DEBUG: skip /home/fbrm/CODE/PERL/monks/11158449/MYLIB/database-pr.pm myvars.pm: CREDENTIALS(devpass) PASS=devpass DEBUG: Got variables set 'database' from file: database-et.pm
or:
reading /home/fbrm/CODE/PERL/monks/11158449/MYLIB/database-et.pm reading /home/fbrm/CODE/PERL/monks/11158449/MYLIB/database-pr.pm ERROR(database): Already have database-et.pm, discarding database-pr.pm at /home/fbrm/CODE/PERL/monks/11158449/MYLIB/myvars.pm myvars.pm: CREDENTIALS(devpass) PASS=devpass