From 2908d2af3ed7599e42c68513c40297d478dea3fa Mon Sep 17 00:00:00 2001 From: Tiago Silva Date: Wed, 16 Oct 2024 15:47:19 +0100 Subject: [PATCH] [aws] exclude session recordings from S3 sync in `teleport-renew-cert` (#47622) This PR excludes `records` directory from the sync when renewing the letsencrypt certificate. When doing the wildcard sync, `aws sync` downloads the `records` folder which contains audit logs for the cluster which causes failures because of no space left on the disk. The certbot hook `teleport-upload-cert` doesn't use the `--delete` flag so the records are never purged from S3 on upload Fixes #27884 Signed-off-by: Tiago Silva --- assets/aws/files/bin/teleport-renew-cert | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/aws/files/bin/teleport-renew-cert b/assets/aws/files/bin/teleport-renew-cert index b0d3ec9824a0..13b8c03dce89 100755 --- a/assets/aws/files/bin/teleport-renew-cert +++ b/assets/aws/files/bin/teleport-renew-cert @@ -17,7 +17,7 @@ if [ ! -f /etc/teleport.d/role.auth ] && [ ! -f /etc/teleport.d/role.all ]; then fi # Fetching certbot state -aws s3 sync --exact-timestamps "s3://${TELEPORT_S3_BUCKET}" /etc/letsencrypt/ --sse=AES256 +aws s3 sync '--exclude=records/*' --exact-timestamps "s3://${TELEPORT_S3_BUCKET}" /etc/letsencrypt/ --sse=AES256 # s3 does not support symlinks, we have to create them after the sync, else certbot will fail. # live/ symlinks point to the latest archive//XX.pem where XX is incremented at each cert-renewal.
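Review bot: the new `'--exclude=records/*'` on the `aws s3 sync` line is a blocklist applied to a sync that starts at the bucket root, so any other non-certbot prefix that lands in `s3://${TELEPORT_S3_BUCKET}` will still be downloaded into `/etc/letsencrypt/` and can fill the disk the same way; consider inverting the filter (`--exclude '*'` followed by `--include` patterns for the certbot paths) so only certbot state is fetched, and add a comment above the line saying that `records/` holds session recordings and is skipped for that reason, because the existing `# Fetching certbot state` comment does not explain why the filter is there.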