[aws] exclude session recordings from S3 sync in teleport-renew-cert (#47622)

This PR excludes `records` directory from the sync when renewing the letsencrypt certificate.
When doing the wildcard sync, `aws sync` downloads the `records` folder which contains audit logs for the cluster which causes failures because of no space left on the disk.
The certbot hook `teleport-upload-cert` doesn't use the `--delete` flag, so the records are never purged from S3 on upload.

Fixes #27884

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
tigrato authored Oct 16, 2024
1 parent 7483745 commit 2908d2a
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion assets/aws/files/bin/teleport-renew-cert
@@ -17,7 +17,7 @@ if [ ! -f /etc/teleport.d/role.auth ] && [ ! -f /etc/teleport.d/role.all ]; then
fi

# Fetching certbot state
aws s3 sync --exact-timestamps "s3://${TELEPORT_S3_BUCKET}" /etc/letsencrypt/ --sse=AES256
aws s3 sync '--exclude=records/*' --exact-timestamps "s3://${TELEPORT_S3_BUCKET}" /etc/letsencrypt/ --sse=AES256

# s3 does not support symlinks, we have to create them after the sync, else certbot will fail.
# live/ symlinks point to the latest archive/<domain>/<object>XX.pem where XX is incremented at each cert-renewal.
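Review bot: the new `--exclude=records/*` argument is only correct because it is single-quoted (so the shell cannot expand the `*`) and because `aws s3 sync` evaluates exclude patterns relative to the source, which here is the bucket root; neither of those constraints is recorded anywhere in the script. Add a short comment above the command, e.g. `# records/ holds the cluster's session recordings; never pull them onto the cert-renewal host (fills the disk, see #27884)`, so a later edit does not drop the flag, re-quote it, or move the recordings to a prefix the pattern no longer matches. Also worth noting in that comment that the exclusion is download-side only: because this sync has no `--delete`, any `records/` data already on disk from earlier runs is not removed by this change.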