Learning as I deploy: Figured out initial rollout, now how to make changes to existing infra?

So, through plenty of trial and error, I finally managed to figure out how to use Terraform to create and deploy a Vault/Consul cluster. It’s up and running, but I screwed up the public CA cert, and I need to redo it. The trouble is, I’ve already let my IT guy in to set up LDAP, etc. so now would be an excellent time to move my experience from “I can deploy stuff using terraform” to “I can use terraform to reconfigure existing infrastructure”.

If I hadn’t reached the point where I needed to keep this instance live, I would simply nuke it, update the cert, re-roll the AMI with Packer, then re-deploy everything with the correct cert in the updated AMI. Obviously, I’ll update the AMI for future use, but I’m a little less clear on my options for mass configuration of an existing system using terraform. What would be the best way to do this without starting over?

Hi @0rsu,

Unfortunately the answer to this will depend a lot on how you configured your cluster. If what you’ve created is a set of virtual machines with Vault and Consul installed on them then unfortunately as far as Terraform is concerned the content of those machines is totally opaque: Terraform’s responsible for booting up the machines, but managing the software installed in them is the responsibility of other systems such as traditional configuration management.

If you can say some more about what you’ve set up so far then I or someone else may be able to give some pointers as to what your options are. With that said, I can’t promise that there will be a good answer to your question because making a system so you can maintain it over time is unfortunately one of the design tradeoffs that influences how you set it up, and so it’s possible to define something where the only way to change it is to have Terraform replace parts of it with fresh infrastructure. But we can see what your options are once we know more about what you’ve set up already.
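To make the point in the reply concrete (Terraform can replace a machine, but not change what is inside it), here is an added example of the "replace parts of it with fresh infrastructure" pattern. It is not configuration from the thread or from HashiCorp; the resource names, the `node_amis` variable, the subnet variable and the AMI ids are all hypothetical placeholders. The idea is to give each node its own AMI id so that rebuilding the image (for example with a corrected CA certificate baked in by Packer) and bumping one map entry replaces exactly one node per apply, instead of every node at once.

```hcl
# Added example, not from the original thread. All names are assumptions.
# One AMI id per node: change one entry, run `terraform plan`, and the plan
# should show exactly one instance being replaced.
variable "node_amis" {
  description = "AMI per cluster node; bump one entry at a time to roll a new image through the cluster"
  type        = map(string)
  default = {
    "vault-0" = "ami-PLACEHOLDER-OLD"   # still on the old image
    "vault-1" = "ami-PLACEHOLDER-OLD"
    "vault-2" = "ami-PLACEHOLDER-NEW"   # first node moved to the rebuilt image
  }
}

variable "subnet_ids" {
  description = "Private subnets to spread the nodes across (assumed to exist)"
  type        = list(string)
}

resource "aws_instance" "vault" {
  for_each      = var.node_amis
  ami           = each.value
  instance_type = "t3.small"
  subnet_id     = var.subnet_ids[index(keys(var.node_amis), each.key)]

  # The AMI argument forces replacement when it changes. Bring the new node up
  # before the old one is destroyed so the cluster does not lose a member
  # and its replacement at the same time.
  lifecycle {
    create_before_destroy = true
  }

  tags = {
    Name = each.key
  }
}
```

Everything Terraform does here is at the machine level: it cannot see or edit the certificate inside a running node, which is exactly the limitation the reply describes. Whatever the new node has to do on first boot (joining Consul, unsealing Vault, picking up the corrected CA) must be handled by the image itself or by a configuration-management tool, not by this configuration.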

Thank you for this. This is a great answer. I think that answers the question, so we can leave it there. I figured out how to replace things like AMIs without nuking the whole cluster, so I think I get the gist. I am having some persistent problems with certs, but I’m going to post in the Vault forum about it. Thank you again.