Merged in dev/gideon/update_linode_ems_readme_2022.08.31 (pull request …

…elastic#874) Trivial: edit linode readme to consolidate cert management in one section. Approved-by: Can Yildiz Approved-by: Andre Sodermans Approved-by: Gabi Davar Approved-by: Hiroshi Ishii
mindw · Sep 2, 2022 · d38d9eb · d38d9eb
1 parent a62177b
commit d38d9eb
Showing 1 changed file with 26 additions and 26 deletions.
diff --git a/linode/README.md b/linode/README.md
@@ -15,18 +15,7 @@ Save the token somewhere safe such as your password manager. We'll use it in the
 
 * `export LINODE_TOKEN=<your secret token>`
 
-* Generate certificate with `devops/aws/misc/certbot-dns-validate.sh <username>-linode.us.engageli-dev.com`
-
-* Upload private key into AWS Secrets Manager
-(Make sure to update file path and change the region if needed)
-```
-aws secretsmanager create-secret \
-    --name <username>-linode-key \
-    --description "Private key for <username>-linode.us.engageli-dev.com" \
-    --secret-string file://privkey.pem \
-    --tags "Key=FQDN,Value=<username>-linode.us.engageli-dev.com" "Key=StackName,Value=dev" \
-    --region us-east-1
-```
+* Generate certificate - see [Certificate Generation](#certificate-generation) below
 
 * Copy the example tfvars below into `tfvars/<username>.tfvars` and update the values as instructed/needed
 
@@ -43,6 +32,31 @@ terraform init
 terraform workspace new <username>
 ```
 
+### Certificate Generation
+
+* Generate certificate with `devops/aws/misc/certbot-dns-validate.sh <username>-linode.us.engageli-dev.com`.
+  Certificates are  valid for 90 days
+
+* For a new certificate - upload private key into AWS Secrets Manager
+(Make sure to use the appropriate `AWS_PROFILE`, update file path and change the region if needed)
+```
+aws secretsmanager create-secret \
+    --name <username>-linode-key \
+    --description "Private key for <username>-linode.us.engageli-dev.com" \
+    --secret-string file://privkey.pem \
+    --tags "Key=FQDN,Value=<username>-linode.us.engageli-dev.com" "Key=StackName,Value=dev" \
+    --region us-east-1
+```
+If you are updating an expired certificate, regenerate it (see above) and update
+the private key in AWS Secrets Manager. You’ll also have to update `lb_cert_pem`
+in your `tfvars` file.:
+```
+aws secretsmanager update-secret \
+    --secret-id <username>-linode-key \
+    --secret-string file://privkey<N>.pem
+    --region us-east-1
+```
+
 ### Steps to follow for daily work
 * `aws sso login`
 
@@ -52,20 +66,6 @@ terraform workspace new <username>
 * Run terraform destroy at the end of the day for cost savings
 `terraform destroy -var-file=tfvars/<username>.tfvars`
 
-* Every 90 days or before, update your certificate
-Generate certificate with `devops/aws/misc/certbot-dns-validate.sh <username>-linode.us.engageli-dev.com`
-```
-export AWS_PROFILE=<dev account profile name>
-
-# Change the region if needed
-aws secretsmanager put-secret-value \
-    --secret-id <username>-linode-key \
-    --secret-string file://privkey.pem
-    --region us-east-1
-
-unset AWS_PROFILE
-```
-
 ## Example tfvars file
 ```
 linode_ssh_key = "<username>" # must match the "label" of your ssh key in linode