diff --git a/manifests/database/sql.pp b/manifests/database/sql.pp
index 23ac1b52..96995547 100644
--- a/manifests/database/sql.pp
+++ b/manifests/database/sql.pp
@@ -212,22 +212,11 @@ class cloud::database::sql (
     unless      => 'test `du -sh /var/lib/mysql/ib_logfile0 | cut -f1` = "256M"',
   }
 
-
   file{'/etc/mysql/sys.cnf':
-    content => "# Managed by Puppet
-# Module cloud::database::sql
-[client]
-host     = localhost
-user     = sys-maint
-password = ${mysql_sys_maint_password}
-socket   = /var/run/mysqld/mysqld.sock
-[mysql_upgrade]
-host     = localhost
-user     = sys-maint
-password = ${mysql_sys_maint_password}
-socket   = /var/run/mysqld/mysqld.sock
-basedir  = /usr
-",
+    ensure  => file,
+    content => template('cloud/database/sys.cnf.erb'),
+    owner   => 'root',
+    group   => 'root',
     mode    => '0600',
     require => Exec['clean-mysql-binlog'],
   }
diff --git a/spec/classes/cloud_database_sql_spec.rb b/spec/classes/cloud_database_sql_spec.rb
index 82b84253..7236c653 100644
--- a/spec/classes/cloud_database_sql_spec.rb
+++ b/spec/classes/cloud_database_sql_spec.rb
@@ -76,7 +76,7 @@ describe 'cloud::database::sql' do
           :config_hash  => { 'bind_address' => '10.0.0.1', 'root_password' => params[:mysql_root_password] },
           :notify       => 'Service[xinetd]'
         )
-    end
+    end # configure mysql galera server
 
     context 'configure mysqlchk http replication' do
       it { should contain_file_line('mysqlchk-in-etc-services').with(
@@ -91,7 +91,7 @@ describe 'cloud::database::sql' do
       it { should contain_file('/usr/bin/clustercheck').with_content(/MYSQL_PASSWORD="#{params[:galera_clustercheck_dbpassword]}"/)}
       it { should contain_file('/etc/xinetd.d/mysqlchk').with_content(/bind            = #{params[:galera_clustercheck_ipaddress]}/)}
 
-    end
+    end # configure mysqlchk http replication
 
     context 'configure databases on the galera master server' do
 
@@ -171,10 +171,22 @@ describe 'cloud::database::sql' do
           :password_hash => '*BE353D0D7826681F8B7C136ED9824915F5B99E7D',
           :provider      => 'mysql'
         )
-      end
-    end
+      end # configure monitoring database
+    end # configure databases on the galera master server
 
-  end
+    context 'configure MySQL sys config' do
+      it { should contain_file('/etc/mysql/sys.cnf').with(
+        :mode    => '0600',
+        :owner   => 'root',
+        :group   => 'root',
+        :require => 'Exec[clean-mysql-binlog]'
+      )}
+
+      it { should contain_file('/etc/mysql/sys.cnf').with_content(/password = #{params[:mysql_sys_maint_password]}/)}
+
+    end # configure MySQL sys config
+
+  end # openstack database sql
 
   context 'on Debian platforms' do
     let :facts do
diff --git a/templates/database/sys.cnf.erb b/templates/database/sys.cnf.erb
new file mode 100644
index 00000000..ea94fbca
--- /dev/null
+++ b/templates/database/sys.cnf.erb
@@ -0,0 +1,14 @@
+# Managed by Puppet
+# Module cloud::database::sql
+#
+[client]
+host     = localhost
+user     = sys-maint
+password = <%= @mysql_sys_maint_password %>
+socket   = /var/run/mysqld/mysqld.sock
+[mysql_upgrade]
+host     = localhost
+user     = sys-maint
+password = <%= @mysql_sys_maint_password %>
+socket   = /var/run/mysqld/mysqld.sock
+basedir  = /usr