# Vault Upgrade Notes

How do I upgrade Vault?

XDR has an HA installation. Vault upgrades are designed so that large jumps are supported.

## Backups

### DynamoDB Backup

AWS Console > DynamoDB > Tables > vault-dynamodb > Backups > Create backup > Create on-demand backup > Customize settings > Backup with DynamoDB

Naming Scheme: `vault-pre-upgrade-backup-`

### Instance Backup

Update the profile, InstanceId, and tag, then run this command to create snapshots of all volumes.

NOTICE: Update InstanceId, profile, and Value first!

```
aws --profile mdr-test-c2-gov ec2 create-snapshots --instance-specification 'InstanceId=i-0afe11fb13db84d2c,ExcludeBootVolume=false' --tag-specifications 'ResourceType=snapshot,Tags=[{Key=Name,Value=vault-pre-upgrade-backup-1.5.5}]'
```

## Upgrade Steps

READ THIS: https://www.vaultproject.io/docs/upgrading

READ ALL upgrade guides for the desired version and all skipped versions.

- Update the vault/init.sls salt file to the desired version.
- Identify the ACTIVE/STANDBY nodes.
  - `salt vault* cmd.run cmd='VAULT_SKIP_VERIFY=1 VAULT_ADDR=https://127.0.0.1 vault status'`
  - If you see "connection refused", the Vault service is not running.
  - STANDBY nodes will show "HA Mode standby".
- Properly shut down the STANDBY Vault nodes.
  - `cmd.run 'systemctl stop vault'`
- Prep the upgrade by backing up the current Vault binary.
  - The Vault salt state will not upgrade if the current Vault binary is present.
  - `cmd.run 'mv /usr/local/bin/vault /usr/local/bin/vault.backup'`
- Apply the salt state on the STANDBY Vault nodes, which will replace the vault binary, start the Vault service, and unseal the nodes.
  - `state.sls vault --output-diff test=true`
- Verify each STANDBY node is at the correct version and is in standby mode.
  - `salt vault* cmd.run cmd='VAULT_SKIP_VERIFY=1 VAULT_ADDR=https://127.0.0.1 vault status'`
- Properly shut down the ACTIVE node.
- Prep the upgrade by backing up the current Vault binary.
  - The Vault salt state will not upgrade if the current Vault binary is present.
  - `cmd.run 'mv /usr/local/bin/vault /usr/local/bin/vault.backup'`
- Apply the salt state on the previously ACTIVE Vault node, which will replace the vault binary, start the Vault service, and unseal the node.
- Verify the version and HA Mode.
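
The "identify" and "verify" steps above both come down to reading `vault status` output. The following is an added example, not part of the original notes: a shell function that classifies one node from that output and fails unless the node is unsealed, in an HA mode, and at the expected version. The target version `1.6.0` and the sample outputs are constructed placeholders.

```shell
#!/bin/sh
# Added example: classify ONE node from the text `vault status` prints.
# Usage: <status text on stdin> | classify_vault_status EXPECTED_VERSION
# Prints "<state> <version>"; state is down|sealed|active|standby|unknown.
# Returns 0 only when the node is unsealed, active or standby, and at
# EXPECTED_VERSION; 1 = wrong version, 2 = down, 3 = sealed, 4 = no HA mode.
classify_vault_status() {
    expected="$1"
    status="$(cat)"

    # Per the notes, "connection refused" means the service is not running.
    case "$status" in
        *"connection refused"*) echo "down -"; return 2 ;;
    esac

    # The status table is "Key  Value" rows; the value is the last field.
    sealed="$(printf '%s\n' "$status" | awk '$1=="Sealed" {print $NF}')"
    version="$(printf '%s\n' "$status" | awk '$1=="Version" {print $NF}')"
    mode="$(printf '%s\n' "$status" | awk '$1=="HA" && $2=="Mode" {print $NF}')"
    : "${version:=-}"

    # Anything other than an explicit "false" is treated as sealed.
    if [ "$sealed" != "false" ]; then
        echo "sealed $version"; return 3
    fi
    case "$mode" in
        active|standby) ;;
        *) echo "unknown $version"; return 4 ;;
    esac
    echo "$mode $version"
    [ "$version" = "$expected" ] || return 1
}

# Constructed sample outputs (not captured from a real cluster); 1.6.0 is a
# placeholder target version.
SAMPLE_UPGRADED_STANDBY='Key           Value
---           -----
Seal Type     shamir
Sealed        false
Version       1.6.0
HA Enabled    true
HA Mode       standby'
SAMPLE_OLD_ACTIVE='Sealed        false
Version       1.5.5
HA Enabled    true
HA Mode       active'
SAMPLE_DOWN='Error checking seal status: dial tcp 127.0.0.1:443: connect: connection refused'
```

Feed it the status output of a single node at a time; the non-zero return codes make it usable as a gate before shutting down the ACTIVE node.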