diff --git a/conversion/ecs-update-cert.md b/conversion/ecs-update-cert.md
new file mode 100644
index 0000000..357bd65
--- /dev/null
+++ b/conversion/ecs-update-cert.md
@@ -0,0 +1,217 @@
+# Validate using TF 1.x
+
+```
+tf-cli version
+```
+
+If not 1.x, you need to upgrade the directory first.
+
+# Changes
+
+## certs.tf
+
+1. comment old stuff
+2. add new stuff
+
+## load-balanacer.tf
+
+1. remove count from listenters
+1. remove app_80 listener
+
+## settings.tf
+
+1. add app_cert_contact_email
+
+# Apply
+
+## create new cert
+
+```
+rm -rf .terraform/modules/certs
+tf-init -upgrade
+tf-plan -target=module.cert.aws_acm_certificate.certificate
+tf-apply -target=module.cert.aws_acm_certificate.certificate
+```
+
+## update ALB with new cert
+
+```
+tf-plan -target=aws_lb_listener.app_443
+tf-apply -target=aws_lb_listener.app_443
+```
+
+## verify for any other changes
+
+```
+tf-plan
+# fix as needed, a lot of changes have been noted as being different from what is in aws
+# once fixed
+tf-apply
+```
+
+You'll also need to rmeove the tls key, and the certs/ directory (once all the cert resources are destroyed).
+
+```
+git-secret remove -c certs/*.key
+rm -rf certs/
+```
+
+## Commit/push/PR
+
+```
+tf-fmt
+git commit -a "update to use new acmpca certificae"
+git push
+# do PR
+```
+
+
+# diffs
+
+```
+diff --git a/vpc/east/vpc7/apps/dice-centurion/ecs-rome/certs.tf b/vpc/east/vpc7/apps/dice-centurion/ecs-rome/certs.tf
+index e2c4cc1..c8f9f0c 100644
+--- a/vpc/east/vpc7/apps/dice-centurion/ecs-rome/certs.tf
++++ b/vpc/east/vpc7/apps/dice-centurion/ecs-rome/certs.tf
+@@ -1,12 +1,25 @@
++## module "cert" {
++## source = "git@github.e.it.census.gov:terraform-modules/aws-tls-certificate?ref=tf-upgrade"
++##
++## certificate_cn = local.app_alb_dns_name
++## certificate_download = local.app_cert_download
++##
++## tags = merge(
++## local.base_tags,
++## #local.common_tags,
++## #var.application_tags,
++## )
++## }
++
+ module "cert" {
+- source = "git@github.e.it.census.gov:terraform-modules/aws-tls-certificate?ref=tf-upgrade"
++ source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acm"
+
+- certificate_cn = local.app_alb_dns_name
+- certificate_download = local.app_cert_download
++ certificate_dns = local.app_alb_dns_name
++ contact_email = local.app_cert_contact_email
+
+ tags = merge(
+ local.base_tags,
+- #local.common_tags,
+- #var.application_tags,
++ local.common_tags,
++ var.application_tags,
+ )
+ }
+diff --git a/vpc/east/vpc7/apps/dice-centurion/ecs-rome/load-balancer.tf b/vpc/east/vpc7/apps/dice-centurion/ecs-rome/load-balancer.tf
+index 6a7a9b7..f713a89 100644
+--- a/vpc/east/vpc7/apps/dice-centurion/ecs-rome/load-balancer.tf
++++ b/vpc/east/vpc7/apps/dice-centurion/ecs-rome/load-balancer.tf
+@@ -27,7 +27,7 @@ resource "aws_lb_target_group" "app" {
+ local.base_tags,
+ #local.common_tags,
+ #var.application_tags,
+- {"Name" = local.app_albtg_name},
++ { "Name" = local.app_albtg_name },
+ )
+ }
+
+@@ -50,24 +50,11 @@ resource "aws_lb" "app" {
+ local.base_tags,
+ #local.common_tags,
+ #var.application_tags,
+- {"Name" = local.app_alb_name},
++ { "Name" = local.app_alb_name },
+ )
+ }
+
+-resource "aws_lb_listener" "app_80" {
+- count = module.cert.certificate_arn == null ? 1 : 0
+- load_balancer_arn = aws_lb.app.arn
+- port = 80
+- protocol = "HTTP"
+-
+- default_action {
+- type = "forward"
+- target_group_arn = aws_lb_target_group.app.arn
+- }
+-}
+-
+ resource "aws_lb_listener" "app_80_redirect" {
+- count = module.cert.certificate_arn != null ? 1 : 0
+ load_balancer_arn = aws_lb.app.arn
+ port = 80
+ protocol = "HTTP"
+@@ -84,7 +71,6 @@ resource "aws_lb_listener" "app_80_redirect" {
+ }
+
+ resource "aws_lb_listener" "app_443" {
+- count = module.cert.certificate_arn != null ? 1 : 0
+ load_balancer_arn = aws_lb.app.arn
+ port = 443
+ protocol = "HTTPS"
+diff --git a/vpc/east/vpc7/apps/dice-centurion/ecs-rome/settings.tf b/vpc/east/vpc7/apps/dice-centurion/ecs-rome/settings.tf
+index 4e65e0b..89ead70 100644
+--- a/vpc/east/vpc7/apps/dice-centurion/ecs-rome/settings.tf
++++ b/vpc/east/vpc7/apps/dice-centurion/ecs-rome/settings.tf
+@@ -1,8 +1,8 @@
+ locals {
+- app_program = "dice"
+- app_project = "centurion"
+- app_environment = "uat"
+- app_db_port = "5432"
++ app_program = "dice"
++ app_project = "centurion"
++ app_environment = "uat"
++ app_db_port = "5432"
+ app_name = "rome"
+ app_fullname = format("%v-%v-%v", local.app_program, local.app_project, local.app_name)
+ app_kms_key_name = format("k-kms-%v-%v-%v", local.app_program, local.app_project, local.app_environment)
+@@ -20,10 +20,10 @@ locals {
+ # app_dns_zone_id = data.terraform_remote_state.vpc_east_vpc3_apps_dns.outputs.domain_zone_id
+ # customize these two per app as needed
+
+- #app_execution_role_arn = "arn:aws-us-gov:iam::252960665057:role/r-dice-ecs-task-execution-vpc3-us-gov-east-1"
++ #app_execution_role_arn = "arn:aws-us-gov:iam::252960665057:role/r-dice-ecs-task-execution-vpc3-us-gov-east-1"
+ app_execution_role_arn = module.app_ecs_task_role.role_arn
+ #app_execution_role_arn = "arn:aws-us-gov:iam::412271945539:role/r-instance-vpc4-us-gov-east-1-dice-centurion-ite-rome"
+- app_s3_endpoint = format("https://%v",module.bucket.s3_module_settings["bucket_regional_domain_name"])
++ app_s3_endpoint = format("https://%v", module.bucket.s3_module_settings["bucket_regional_domain_name"])
+ app_task_role_arn = module.app_ecs_task_role.role_arn
+ app_lb_port = 3000
+ app_lb_health_monitor_path = "/health-check"
+@@ -32,19 +32,19 @@ locals {
+ app_task_cpu = "2048"
+ app_task_memory = "8192"
+ app_cert_download = false
++ app_cert_contact_email = "asd.eis.notify.list@census.gov"
+
+ # db stuff
+- app_db_identifier = format("%v-%v", local.app_fullname, local.app_environment)
+- app_db_dns_name = format("%v-%v.db.%v", local.app_fullname, local.app_environment, local.app_alb_dns_zone)
+- app_db_engine = "postgres"
+- app_db_engine_version = "14.3"
+- app_db_family = "postgres14"
+- app_db_major_engine_version = "14"
+- app_db_instance_class = "db.t3.large"
+- app_db_allocated_storage = 10
+- app_db_username = format("%v_admin", local.app_name)
+- app_db_parameter_group = "census-baseline-postgres-14"
+- common_s3_bucket = "arn:aws-us-gov:s3:::v-s3-dice-centurion-aqueduct-187944776148-us-gov-east-1"
++ app_db_identifier = format("%v-%v", local.app_fullname, local.app_environment)
++ app_db_dns_name = format("%v-%v.db.%v", local.app_fullname, local.app_environment, local.app_alb_dns_zone)
++ app_db_engine = "postgres"
++ app_db_engine_version = "15.3"
++ app_db_family = "postgres14"
++ app_db_major_engine_version = "14"
++ app_db_instance_class = "db.t3.large"
++ app_db_allocated_storage = 200
++ app_db_max_allocated_storage = 500
++ app_db_username = format("%v_admin", local.app_name)
++ app_db_parameter_group = "centurion-postgres-15-pg"
++ common_s3_bucket = "arn:aws-us-gov:s3:::v-s3-dice-centurion-aqueduct-187944776148-us-gov-east-1"
+ }
+-
+-
+```