Vault 1.10.0 and 1.10.1 both have reported regression bugs. Strongly consider updating to 1.10.2 before migrating.
I’ve never had to do exactly this, but here are some thoughts on where I’d start:
As this is a Raft to Raft migration, I’d first try to do it by saving a snapshot from the old cluster, and loading it into the new cluster. This seems like it could potentially be easier and faster than the generic storage migration process between arbitrary backends. (Do test that, though!)
I’m pretty sure you need to split your migration into two separate migrations:
Migrating from one cluster to another
Migrating from one seal to another
So, for example, get the new cluster up and running using your old data but manual unseal, and only once that’s finished, look into migrating to AWS KMS auto-unseal.
Or the other way around if you prefer - migrate the old cluster to AWS KMS auto-unseal first - just don’t try to move the data and change the seal at the same time.
There are multiple options - I have tried all of them at various times with various versions – I’d recommend using the same version then upgrading to the latest version you’re going to go to production with.
Before you implement, talk to your HashiCorp’s TAM, they can possibly setup time with someone who can review your steps for you before you start and point out any pitfalls.
My choice is #1 but it involves down time, #2 can be made with very little down time but is a lot more complex and has “watch out for” pits.
migration from autounseal to shamir,
backup on OSS
restore on Enterprise
rotate your keys,
migrate from shamir to autounseal.
Option 2 (if you have direct connectivity over tcp/443)
Use your vault enterprise binary on your OSS install – it’ll be upgraded to enterprise.
Setup a DR connection between the two cluster.
promote the new cluster to primary
demote the old cluster, delete, and remove.
Rotate your keys.
Good luck, update us with how you ended up doing it.