diff --git a/.gitignore b/.gitignore
index 995fa494afc..2fc7f49083f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -137,3 +137,10 @@ tools/missing/missing
 
 # allow security scanner file
 !scan.hcl
+
+# generated variables for upgrade tests
+enos.vars.hcl
+enos/modules/*/*.tfvars
+
+# local license files
+*.hclic
diff --git a/e2e/terraform/compute.tf b/e2e/terraform/compute.tf
index af4254825a9..9788ae17dbf 100644
--- a/e2e/terraform/compute.tf
+++ b/e2e/terraform/compute.tf
@@ -39,6 +39,8 @@ resource "aws_instance" "client_ubuntu_jammy_amd64" {
   }
 }
 
+
+
 resource "aws_instance" "client_windows_2016_amd64" {
   ami                    = data.aws_ami.windows_2016_amd64[0].image_id
   instance_type          = var.instance_type
@@ -48,7 +50,7 @@ resource "aws_instance" "client_windows_2016_amd64" {
   iam_instance_profile   = data.aws_iam_instance_profile.nomad_e2e_cluster.name
   availability_zone      = var.availability_zone
 
-  user_data = file("${path.root}/userdata/windows-2016.ps1")
+  user_data = file("${path.module}/userdata/windows-2016.ps1")
 
   # Instance tags
   tags = {
diff --git a/e2e/terraform/consul-clients.tf b/e2e/terraform/consul-clients.tf
index 33a59e8cb42..2d6501c9600 100644
--- a/e2e/terraform/consul-clients.tf
+++ b/e2e/terraform/consul-clients.tf
@@ -48,7 +48,7 @@ resource "local_sensitive_file" "consul_agents_cert" {
 resource "random_uuid" "consul_agent_token" {}
 
 resource "local_sensitive_file" "consul_agent_config_file" {
-  content = templatefile("etc/consul.d/clients.hcl", {
+  content = templatefile("${path.module}/provision-nomad/etc/consul.d/clients.hcl", {
     token          = "${random_uuid.consul_agent_token.result}"
     autojoin_value = "auto-join-${local.random_name}"
   })
@@ -61,7 +61,7 @@ resource "local_sensitive_file" "consul_agent_config_file" {
 resource "random_uuid" "consul_token_for_nomad" {}
 
 resource "local_sensitive_file" "nomad_client_config_for_consul" {
-  content = templatefile("etc/nomad.d/client-consul.hcl", {
+  content = templatefile("${path.module}/provision-nomad/etc/nomad.d/client-consul.hcl", {
     token               = "${random_uuid.consul_token_for_nomad.result}"
     client_service_name = "client-${local.random_name}"
     server_service_name = "server-${local.random_name}"
@@ -71,7 +71,7 @@ resource "local_sensitive_file" "nomad_client_config_for_consul" {
 }
 
 resource "local_sensitive_file" "nomad_server_config_for_consul" {
-  content = templatefile("etc/nomad.d/server-consul.hcl", {
+  content = templatefile("${path.module}/provision-nomad/etc/nomad.d/server-consul.hcl", {
     token               = "${random_uuid.consul_token_for_nomad.result}"
     client_service_name = "client-${local.random_name}"
     server_service_name = "server-${local.random_name}"
diff --git a/e2e/terraform/consul-servers.tf b/e2e/terraform/consul-servers.tf
index eaffbc65697..a0fbfdb98e2 100644
--- a/e2e/terraform/consul-servers.tf
+++ b/e2e/terraform/consul-servers.tf
@@ -15,7 +15,7 @@ resource "local_sensitive_file" "consul_initial_management_token" {
 }
 
 resource "local_sensitive_file" "consul_server_config_file" {
-  content = templatefile("etc/consul.d/servers.hcl", {
+  content = templatefile("${path.module}/provision-nomad/etc/consul.d/servers.hcl", {
     management_token = "${random_uuid.consul_initial_management_token.result}"
     token            = "${random_uuid.consul_agent_token.result}"
     nomad_token      = "${random_uuid.consul_token_for_nomad.result}"
@@ -69,7 +69,7 @@ resource "local_sensitive_file" "consul_server_cert" {
 
 # if consul_license is unset, it'll be a harmless empty license file
 resource "local_sensitive_file" "consul_environment" {
-  content = templatefile("etc/consul.d/.environment", {
+  content = templatefile("${path.module}/provision-nomad/etc/consul.d/.environment", {
     license = var.consul_license
   })
   filename        = "uploads/shared/consul.d/.environment"
@@ -117,7 +117,7 @@ resource "null_resource" "upload_consul_server_configs" {
     destination = "/tmp/consul_server.hcl"
   }
   provisioner "file" {
-    source      = "etc/consul.d/consul-server.service"
+    source      = "${path.module}/provision-nomad/etc/consul.d/consul-server.service"
     destination = "/tmp/consul.service"
   }
 }
diff --git a/e2e/terraform/ecs.tf b/e2e/terraform/ecs.tf
index 9c1c27e72ca..98ea555548d 100644
--- a/e2e/terraform/ecs.tf
+++ b/e2e/terraform/ecs.tf
@@ -8,7 +8,7 @@ resource "aws_ecs_cluster" "nomad_rtd_e2e" {
 
 resource "aws_ecs_task_definition" "nomad_rtd_e2e" {
   family                = "nomad-rtd-e2e"
-  container_definitions = file("ecs-task.json")
+  container_definitions = file("${path.module}/ecs-task.json")
 
   # Don't need a network for e2e tests
   network_mode = "awsvpc"
diff --git a/e2e/terraform/hcp_vault.tf b/e2e/terraform/hcp_vault.tf
index b148f25ef99..4bfbe9efcb3 100644
--- a/e2e/terraform/hcp_vault.tf
+++ b/e2e/terraform/hcp_vault.tf
@@ -16,7 +16,7 @@ data "hcp_vault_cluster" "e2e_shared_vault" {
 # between concurrent E2E clusters
 resource "vault_policy" "nomad" {
   name = "${local.random_name}-nomad-server"
-  policy = templatefile("${path.root}/etc/acls/vault/nomad-policy.hcl", {
+  policy = templatefile("${path.module}/provision-nomad/etc/acls/vault/nomad-policy.hcl", {
     role = "nomad-tasks-${local.random_name}"
   })
 }
@@ -42,7 +42,7 @@ resource "vault_token_auth_backend_role" "nomad_cluster" {
 
 # Nomad agent configuration for Vault
 resource "local_sensitive_file" "nomad_config_for_vault" {
-  content = templatefile("etc/nomad.d/vault.hcl", {
+  content = templatefile("${path.module}/provision-nomad/etc/nomad.d/vault.hcl", {
     token     = vault_token.nomad.client_token
     url       = data.hcp_vault_cluster.e2e_shared_vault.vault_private_endpoint_url
     namespace = var.hcp_vault_namespace
diff --git a/e2e/terraform/nomad-acls.tf b/e2e/terraform/nomad-acls.tf
index fbe3d7651b9..b5cce557f3e 100644
--- a/e2e/terraform/nomad-acls.tf
+++ b/e2e/terraform/nomad-acls.tf
@@ -23,7 +23,7 @@ resource "null_resource" "bootstrap_nomad_acls" {
 
 data "local_sensitive_file" "nomad_token" {
   depends_on = [null_resource.bootstrap_nomad_acls]
-  filename   = "${path.root}/keys/nomad_root_token"
+  filename   = "${path.module}/keys/nomad_root_token"
 }
 
 # push the token out to the servers for humans to use.
@@ -36,8 +36,8 @@ locals {
 cat <<ENV | sudo tee -a /root/.bashrc
 export NOMAD_ADDR=https://localhost:4646
 export NOMAD_SKIP_VERIFY=true
-export NOMAD_CLIENT_CERT=/etc/nomad.d/tls/agent.crt
-export NOMAD_CLIENT_KEY=/etc/nomad.d/tls/agent.key
+export NOMAD_CLIENT_CERT="/etc/nomad.d/tls/agent.crt"
+export NOMAD_CLIENT_KEY="/etc/nomad.d/tls/agent.key"
 export NOMAD_TOKEN=${data.local_sensitive_file.nomad_token.content}
 export CONSUL_HTTP_ADDR=https://localhost:8501
 export CONSUL_HTTP_TOKEN="${random_uuid.consul_initial_management_token.result}"
diff --git a/e2e/terraform/outputs.tf b/e2e/terraform/outputs.tf
index 43d760c0393..0441906b132 100644
--- a/e2e/terraform/outputs.tf
+++ b/e2e/terraform/outputs.tf
@@ -49,14 +49,13 @@ output "environment" {
   sensitive   = true
   value       = <<EOM
 export NOMAD_ADDR=https://${aws_instance.server[0].public_ip}:4646
-export NOMAD_CACERT=${abspath(path.root)}/keys/tls_ca.crt
-export NOMAD_CLIENT_CERT=${abspath(path.root)}/keys/tls_api_client.crt
-export NOMAD_CLIENT_KEY=${abspath(path.root)}/keys/tls_api_client.key
+export NOMAD_CACERT=${abspath(path.module)}/keys/tls_ca.crt
+export NOMAD_CLIENT_CERT=${abspath(path.module)}/keys/tls_api_client.crt
+export NOMAD_CLIENT_KEY=${abspath(path.module)}/keys/tls_api_client.key
 export NOMAD_TOKEN=${data.local_sensitive_file.nomad_token.content}
 export NOMAD_E2E=1
 export CONSUL_HTTP_ADDR=https://${aws_instance.consul_server.public_ip}:8501
 export CONSUL_HTTP_TOKEN=${local_sensitive_file.consul_initial_management_token.content}
-export CONSUL_CACERT=${abspath(path.root)}/keys/tls_ca.crt
-
+export CONSUL_CACERT=${abspath(path.module)}/keys/tls_ca.crt
 EOM
-}
+}
\ No newline at end of file
diff --git a/e2e/terraform/etc/acls/consul/consul-agent-policy.hcl b/e2e/terraform/provision-nomad/etc/acls/consul/consul-agent-policy.hcl
similarity index 100%
rename from e2e/terraform/etc/acls/consul/consul-agent-policy.hcl
rename to e2e/terraform/provision-nomad/etc/acls/consul/consul-agent-policy.hcl
diff --git a/e2e/terraform/etc/acls/consul/nomad-client-policy.hcl b/e2e/terraform/provision-nomad/etc/acls/consul/nomad-client-policy.hcl
similarity index 100%
rename from e2e/terraform/etc/acls/consul/nomad-client-policy.hcl
rename to e2e/terraform/provision-nomad/etc/acls/consul/nomad-client-policy.hcl
diff --git a/e2e/terraform/etc/acls/consul/nomad-server-policy.hcl b/e2e/terraform/provision-nomad/etc/acls/consul/nomad-server-policy.hcl
similarity index 100%
rename from e2e/terraform/etc/acls/consul/nomad-server-policy.hcl
rename to e2e/terraform/provision-nomad/etc/acls/consul/nomad-server-policy.hcl
diff --git a/e2e/terraform/etc/acls/vault/nomad-policy.hcl b/e2e/terraform/provision-nomad/etc/acls/vault/nomad-policy.hcl
similarity index 100%
rename from e2e/terraform/etc/acls/vault/nomad-policy.hcl
rename to e2e/terraform/provision-nomad/etc/acls/vault/nomad-policy.hcl
diff --git a/e2e/terraform/etc/consul.d/.environment b/e2e/terraform/provision-nomad/etc/consul.d/.environment
similarity index 100%
rename from e2e/terraform/etc/consul.d/.environment
rename to e2e/terraform/provision-nomad/etc/consul.d/.environment
diff --git a/e2e/terraform/etc/consul.d/clients.hcl b/e2e/terraform/provision-nomad/etc/consul.d/clients.hcl
similarity index 100%
rename from e2e/terraform/etc/consul.d/clients.hcl
rename to e2e/terraform/provision-nomad/etc/consul.d/clients.hcl
diff --git a/e2e/terraform/etc/consul.d/consul-server.service b/e2e/terraform/provision-nomad/etc/consul.d/consul-server.service
similarity index 100%
rename from e2e/terraform/etc/consul.d/consul-server.service
rename to e2e/terraform/provision-nomad/etc/consul.d/consul-server.service
diff --git a/e2e/terraform/etc/consul.d/consul.service b/e2e/terraform/provision-nomad/etc/consul.d/consul.service
similarity index 100%
rename from e2e/terraform/etc/consul.d/consul.service
rename to e2e/terraform/provision-nomad/etc/consul.d/consul.service
diff --git a/e2e/terraform/etc/consul.d/servers.hcl b/e2e/terraform/provision-nomad/etc/consul.d/servers.hcl
similarity index 100%
rename from e2e/terraform/etc/consul.d/servers.hcl
rename to e2e/terraform/provision-nomad/etc/consul.d/servers.hcl
diff --git a/e2e/terraform/etc/nomad.d/.environment b/e2e/terraform/provision-nomad/etc/nomad.d/.environment
similarity index 100%
rename from e2e/terraform/etc/nomad.d/.environment
rename to e2e/terraform/provision-nomad/etc/nomad.d/.environment
diff --git a/e2e/terraform/etc/nomad.d/base.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/base.hcl
similarity index 100%
rename from e2e/terraform/etc/nomad.d/base.hcl
rename to e2e/terraform/provision-nomad/etc/nomad.d/base.hcl
diff --git a/e2e/terraform/etc/nomad.d/client-consul.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/client-consul.hcl
similarity index 100%
rename from e2e/terraform/etc/nomad.d/client-consul.hcl
rename to e2e/terraform/provision-nomad/etc/nomad.d/client-consul.hcl
diff --git a/e2e/terraform/etc/nomad.d/client-linux-0.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/client-linux-0.hcl
similarity index 100%
rename from e2e/terraform/etc/nomad.d/client-linux-0.hcl
rename to e2e/terraform/provision-nomad/etc/nomad.d/client-linux-0.hcl
diff --git a/e2e/terraform/etc/nomad.d/client-linux-1.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/client-linux-1.hcl
similarity index 100%
rename from e2e/terraform/etc/nomad.d/client-linux-1.hcl
rename to e2e/terraform/provision-nomad/etc/nomad.d/client-linux-1.hcl
diff --git a/e2e/terraform/etc/nomad.d/client-linux-2.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/client-linux-2.hcl
similarity index 100%
rename from e2e/terraform/etc/nomad.d/client-linux-2.hcl
rename to e2e/terraform/provision-nomad/etc/nomad.d/client-linux-2.hcl
diff --git a/e2e/terraform/etc/nomad.d/client-linux-3.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/client-linux-3.hcl
similarity index 100%
rename from e2e/terraform/etc/nomad.d/client-linux-3.hcl
rename to e2e/terraform/provision-nomad/etc/nomad.d/client-linux-3.hcl
diff --git a/e2e/terraform/etc/nomad.d/client-linux.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/client-linux.hcl
similarity index 100%
rename from e2e/terraform/etc/nomad.d/client-linux.hcl
rename to e2e/terraform/provision-nomad/etc/nomad.d/client-linux.hcl
diff --git a/e2e/terraform/etc/nomad.d/client-windows.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/client-windows.hcl
similarity index 100%
rename from e2e/terraform/etc/nomad.d/client-windows.hcl
rename to e2e/terraform/provision-nomad/etc/nomad.d/client-windows.hcl
diff --git a/e2e/terraform/etc/nomad.d/index.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/index.hcl
similarity index 100%
rename from e2e/terraform/etc/nomad.d/index.hcl
rename to e2e/terraform/provision-nomad/etc/nomad.d/index.hcl
diff --git a/e2e/terraform/etc/nomad.d/nomad-client.service b/e2e/terraform/provision-nomad/etc/nomad.d/nomad-client.service
similarity index 100%
rename from e2e/terraform/etc/nomad.d/nomad-client.service
rename to e2e/terraform/provision-nomad/etc/nomad.d/nomad-client.service
diff --git a/e2e/terraform/etc/nomad.d/nomad-server.service b/e2e/terraform/provision-nomad/etc/nomad.d/nomad-server.service
similarity index 100%
rename from e2e/terraform/etc/nomad.d/nomad-server.service
rename to e2e/terraform/provision-nomad/etc/nomad.d/nomad-server.service
diff --git a/e2e/terraform/etc/nomad.d/server-consul.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/server-consul.hcl
similarity index 100%
rename from e2e/terraform/etc/nomad.d/server-consul.hcl
rename to e2e/terraform/provision-nomad/etc/nomad.d/server-consul.hcl
diff --git a/e2e/terraform/etc/nomad.d/server-linux.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/server-linux.hcl
similarity index 100%
rename from e2e/terraform/etc/nomad.d/server-linux.hcl
rename to e2e/terraform/provision-nomad/etc/nomad.d/server-linux.hcl
diff --git a/e2e/terraform/etc/nomad.d/tls.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/tls.hcl
similarity index 100%
rename from e2e/terraform/etc/nomad.d/tls.hcl
rename to e2e/terraform/provision-nomad/etc/nomad.d/tls.hcl
diff --git a/e2e/terraform/etc/nomad.d/vault.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/vault.hcl
similarity index 100%
rename from e2e/terraform/etc/nomad.d/vault.hcl
rename to e2e/terraform/provision-nomad/etc/nomad.d/vault.hcl
diff --git a/e2e/terraform/provision-nomad/install-linux.tf b/e2e/terraform/provision-nomad/install-linux.tf
index 1c25683d188..fd85b8bb367 100644
--- a/e2e/terraform/provision-nomad/install-linux.tf
+++ b/e2e/terraform/provision-nomad/install-linux.tf
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: BUSL-1.1
 
 resource "local_sensitive_file" "nomad_systemd_unit_file" {
-  content         = templatefile("etc/nomad.d/nomad-${var.role}.service", {})
+  content         = templatefile("${path.module}/etc/nomad.d/nomad-${var.role}.service", {})
   filename        = "${local.upload_dir}/nomad.d/nomad.service"
   file_permission = "0600"
 }
diff --git a/e2e/terraform/provision-nomad/main.tf b/e2e/terraform/provision-nomad/main.tf
index 80f974a6a05..a64d6d028a1 100644
--- a/e2e/terraform/provision-nomad/main.tf
+++ b/e2e/terraform/provision-nomad/main.tf
@@ -4,13 +4,12 @@
 locals {
   upload_dir = "uploads/${var.instance.public_ip}"
 
-  indexed_config_path = fileexists("etc/nomad.d/${var.role}-${var.platform}-${var.index}.hcl") ? "etc/nomad.d/${var.role}-${var.platform}-${var.index}.hcl" : "etc/nomad.d/index.hcl"
-
+  indexed_config_path = fileexists("${path.module}/etc/nomad.d/${var.role}-${var.platform}-${var.index}.hcl") ? "${path.module}/etc/nomad.d/${var.role}-${var.platform}-${var.index}.hcl" : "${path.module}/etc/nomad.d/index.hcl"
 }
 
 # if nomad_license is unset, it'll be a harmless empty license file
 resource "local_sensitive_file" "nomad_environment" {
-  content = templatefile("etc/nomad.d/.environment", {
+  content = templatefile("${path.module}/etc/nomad.d/.environment", {
     license = var.nomad_license
   })
   filename        = "${local.upload_dir}/nomad.d/.environment"
@@ -18,7 +17,7 @@ resource "local_sensitive_file" "nomad_environment" {
 }
 
 resource "local_sensitive_file" "nomad_base_config" {
-  content = templatefile("etc/nomad.d/base.hcl", {
+  content = templatefile("${path.module}/etc/nomad.d/base.hcl", {
     data_dir = var.platform != "windows" ? "/opt/nomad/data" : "C://opt/nomad/data"
   })
   filename        = "${local.upload_dir}/nomad.d/base.hcl"
@@ -26,7 +25,7 @@ resource "local_sensitive_file" "nomad_base_config" {
 }
 
 resource "local_sensitive_file" "nomad_role_config" {
-  content = templatefile("etc/nomad.d/${var.role}-${var.platform}.hcl", {
+  content = templatefile("${path.module}/etc/nomad.d/${var.role}-${var.platform}.hcl", {
     aws_region     = var.aws_region
     aws_kms_key_id = var.aws_kms_key_id
   })
@@ -41,7 +40,7 @@ resource "local_sensitive_file" "nomad_indexed_config" {
 }
 
 resource "local_sensitive_file" "nomad_tls_config" {
-  content         = templatefile("etc/nomad.d/tls.hcl", {})
+  content         = templatefile("${path.module}/etc/nomad.d/tls.hcl", {})
   filename        = "${local.upload_dir}/nomad.d/tls.hcl"
   file_permission = "0600"
 }
@@ -75,7 +74,7 @@ resource "null_resource" "upload_consul_configs" {
     destination = "/tmp/consul_client.hcl"
   }
   provisioner "file" {
-    source      = "etc/consul.d/consul.service"
+    source      = "${path.module}/etc/consul.d/consul.service"
     destination = "/tmp/consul.service"
   }
 }