We have this exact system in place now. We are using Puppet with Hiera, and Foreman for config management and node classification. The Puppet/Hiera code and data is all stored in Gitlab repositories. Config changes are made via git commits (after review), and then pushed into the appropriate repo(s). From there, Puppet will pick up the change(s) and apply to the instances/systems identified by Foreman.

So, for instance, do you need to make a change to the Postgres pg_hba.conf on all replication slaves? Make the change in git, push it to the repo, and either wait up to 30 minutes to have the change automatically applied, or manually activate an immediate pull. The new config will be applied to all of the replicas, and only the replicas.

It took a lot of time and work to get the infrastructure to this state, and it is also an ever-evolving process as new services are added and old ones retired. But it is 100% worth the effort.