From 6f9d49cf4e86ccc4a32c62e47a02537dfa5fd7ba Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Fri, 28 Jun 2024 11:31:19 +0100 Subject: [PATCH 1/5] Rename file --- .../{regenerate-smce-password.md => regenerate-smce-creds.md} | 0 docs/index.md | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename docs/howto/{regenerate-smce-password.md => regenerate-smce-creds.md} (100%) diff --git a/docs/howto/regenerate-smce-password.md b/docs/howto/regenerate-smce-creds.md similarity index 100% rename from docs/howto/regenerate-smce-password.md rename to docs/howto/regenerate-smce-creds.md diff --git a/docs/index.md b/docs/index.md index bed83e1d95..41122079e4 100644 --- a/docs/index.md +++ b/docs/index.md @@ -71,7 +71,7 @@ howto/grafana-github-auth.md howto/update-env.md howto/upgrade-cluster/index.md howto/troubleshoot/index.md -howto/regenerate-smce-password.md +howto/regenerate-smce-creds.md ``` ## Topic guides From 9311aa90e56fa815a7197bb86044bf511a817c30 Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Fri, 28 Jun 2024 11:41:22 +0100 Subject: [PATCH 2/5] Update a myst reference --- docs/howto/regenerate-smce-creds.md | 2 +- docs/hub-deployment-guide/new-cluster/smce.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/howto/regenerate-smce-creds.md b/docs/howto/regenerate-smce-creds.md index 1d6db9bee5..4b88caf4dd 100644 --- a/docs/howto/regenerate-smce-creds.md +++ b/docs/howto/regenerate-smce-creds.md @@ -1,4 +1,4 @@ -(nasa-smce:regenerate-password)= +(nasa-smce:regenerate-user-password)= # Regenerate a password for a user in a NASA SMCE account The AWS accounts associated with NASA's [Science Managed Cloud Environment](https://smce.nasa.gov) diff --git a/docs/hub-deployment-guide/new-cluster/smce.md b/docs/hub-deployment-guide/new-cluster/smce.md index a3be2e7ae4..cefcfa5e19 100644 --- a/docs/hub-deployment-guide/new-cluster/smce.md +++ b/docs/hub-deployment-guide/new-cluster/smce.md 
@@ -66,6 +66,6 @@ setup the cluster? ``` ```{note} -See [](nasa-smce:regenerate-password) for how to reset an expired password for +See [](nasa-smce:regenerate-user-password) for how to reset an expired password for a _user_, e.g., a member of the engineering team. -``` \ No newline at end of file +``` From 9263b73a64715e6f44411972febd06fe5168b8be Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Fri, 28 Jun 2024 11:41:44 +0100 Subject: [PATCH 3/5] Add instructions on how to replace deployer credentials in SMCE accounts --- docs/howto/regenerate-smce-creds.md | 61 ++++++++++++++++++++++++++++- 1 file changed, 60 insertions(+), 1 deletion(-) diff --git a/docs/howto/regenerate-smce-creds.md b/docs/howto/regenerate-smce-creds.md index 4b88caf4dd..62b9b5c139 100644 --- a/docs/howto/regenerate-smce-creds.md +++ b/docs/howto/regenerate-smce-creds.md 
@@ -1,5 +1,64 @@ +# Regenerating credentials for NASA SMCE accounts + +This document describes how we regenerate credentials for _users_ and the `deployer` when they expire in NASA SMCE accounts. + +(nasa-smce:regenerate-deployer-credentials)= +## Regenerate credentials for the `deployer` + +1. Set the cluster name as an environment variable + + ```bash + export CLUSTER_NAME=... + ``` + +1. Authenticate yourself using the `deployer exec aws` command. + See the `--help` information for more details. + +1. Navigate to the AWS terraform folder in the infrastructure repo. + + ```bash + cd terraform/aws + ``` + +1. Initialise terraform. + + ```bash + terraform init + ``` + +1. Select the correct workspace, either by using the terraform command or setting another environment variable. + + ```bash + # Using terraform command + terraform workspace select $CLUSTER_NAME + + # Using an environment variable + export TF_WORKSPACE=$CLUSTER_NAME + ``` + +1. Replace the previous deployer credentials with new ones. + + ```bash + terraform apply -replace=aws_iam_access_key.continuous_deployer -var-file=projects/$CLUSTER_NAME.tfvars + ``` + +1. Export the new credentials to a file and then encrypt them in-place with `sops`. + + ```bash + terraform output -raw continuous_deployer_creds > ../../config/clusters/$CLUSTER_NAME/enc-deployer-credentials.secret.json + sops -i -e ../../config/clusters/$CLUSTER_NAME/enc-deployer-credentials.secret.json + ``` + +1. `git add` the modified files and then commit them. + + ```bash + git commit -m "nasa smce clusters: re-generate deployer credentials" + ``` + + You can then open a Pull Request and merge it. + (nasa-smce:regenerate-user-password)= -# Regenerate a password for a user in a NASA SMCE account +## Regenerate a password for a user in a NASA SMCE account The AWS accounts associated with NASA's [Science Managed Cloud Environment](https://smce.nasa.gov) have a 60 day password expiry policy. If someone on the team misses this 
From 682614b713c971c4f705a27c0c9bbeaa0ff51b59 Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Fri, 28 Jun 2024 11:43:29 +0100 Subject: [PATCH 4/5] Update the section discussing credential expiry --- docs/hub-deployment-guide/new-cluster/smce.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/docs/hub-deployment-guide/new-cluster/smce.md b/docs/hub-deployment-guide/new-cluster/smce.md index cefcfa5e19..791f7cc325 100644 --- a/docs/hub-deployment-guide/new-cluster/smce.md +++ b/docs/hub-deployment-guide/new-cluster/smce.md @@ -53,10 +53,7 @@ Once this exemption has been processed, you can continue as usual with deploymen The `hub-continuous-deployer` has an access key and secret associated with it, this is how it authenticates with AWS to perform actions. SMCE accounts have a 60 day password/access key regeneration policy and so we need to prepare to regularly regenerate this access key. - -We track which clusters have had their `hub-continuous-deployer` access key regenerated -and when in this issue which -also includes the steps for regeneration. Make sure to add the new cluster to this issue. +See [](nasa-smce:regenerate-deployer-creds) for how to reset the credentials. ```{warning} We only receive **5 days notice** that a password/access key will expire via email! From 636e7f395d42567a859ee609eff0b203b8bb37bc Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Fri, 28 Jun 2024 11:45:07 +0100 Subject: [PATCH 5/5] Fix myst reference --- docs/howto/regenerate-smce-creds.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/howto/regenerate-smce-creds.md b/docs/howto/regenerate-smce-creds.md index 62b9b5c139..b5040a118e 100644 --- a/docs/howto/regenerate-smce-creds.md +++ b/docs/howto/regenerate-smce-creds.md 
@@ -2,7 +2,7 @@ This document describes how we regenerate credentials for _users_ and the `deployer` when they expire in NASA SMCE accounts. -(nasa-smce:regenerate-deployer-credentials)= +(nasa-smce:regenerate-deployer-creds)= ## Regenerate credentials for the `deployer` 1. Set the cluster name as an environment variable
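Review bot: the label rename in PATCH 2/5 from `nasa-smce:regenerate-password` to `nasa-smce:regenerate-user-password` is followed through only in `docs/hub-deployment-guide/new-cluster/smce.md`; any other page that still links to the old label will end up with an unresolved MyST reference. Worth searching the docs tree for the old label before merging.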
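Review bot: in PATCH 3/5, the export step writes the new access key in plaintext to `enc-deployer-credentials.secret.json` inside the git checkout and only then runs `sops -i -e`. If the `sops` call fails, a file whose name says it is encrypted still holds the raw secret, and the next step tells the reader to `git add` the modified files. Suggest adding an explicit check between the two steps that the file now carries `sops` metadata before it is staged, and stating that the commit step must not be run if encryption failed. Separately, `terraform apply -replace=aws_iam_access_key.continuous_deployer` invalidates the old key as soon as it is applied, so the how-to should say that deploys for this cluster cannot authenticate until the PR with the new encrypted file is merged.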
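Review bot: PATCH 4/5 drops the sentences about tracking which clusters have had their `hub-continuous-deployer` access key regenerated and when, including "Make sure to add the new cluster to this issue", and the how-to added in 3/5 has no equivalent step. With a 60 day regeneration policy and only 5 days notice by email, the per-cluster record of the last rotation is what lets the team plan ahead; either keep the tracking instruction or say where rotation dates are recorded now.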
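Review bot: the label change in PATCH 5/5 corrects a name introduced in 3/5 (`nasa-smce:regenerate-deployer-credentials`), while 4/5 already references `nasa-smce:regenerate-deployer-creds`, so the reference added in 4/5 does not resolve at that commit. Squashing 5/5 into 3/5 would keep every commit in the series building with valid references.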