The mariadb grants file for m2 (modules/profile/templates/mariadb/grants/production-m2.sql.erb) need to reference the VTRS db passwords. This is currently not possible, as those passwords live in a part of hiera that is not accessible to the mariadb profile.
@jbond suggested that if we move the VRTS passwords to hieradata/common/profile/vrts.yaml, then they can be referenced from both the VTRS and mariadb roles.
I have a CR that makes the required changes to the mariadb code: https://gerrit.wikimedia.org/r/c/operations/puppet/+/764744, but the VTRS side needs to change first.