diff --git a/aws/infrastructure.tf b/aws/infrastructure.tf
index c3ee6386..6ea83ada 100644
--- a/aws/infrastructure.tf
+++ b/aws/infrastructure.tf
@@ -45,6 +45,7 @@ module "provision" {
 hieradata_dir = var.hieradata_dir
 sudoer_username = var.sudoer_username
 eyaml_key = var.eyaml_key
+ puppetfile = var.puppetfile
 depends_on = [aws_instance.instances, aws_eip.public_ip]
 }
diff --git a/azure/infrastructure.tf b/azure/infrastructure.tf
index 4a896dcb..94261b35 100644
--- a/azure/infrastructure.tf
+++ b/azure/infrastructure.tf
@@ -45,6 +45,7 @@ module "provision" {
 hieradata_dir = var.hieradata_dir
 sudoer_username = var.sudoer_username
 eyaml_key = var.eyaml_key
+ puppetfile = var.puppetfile
 depends_on = [ azurerm_linux_virtual_machine.instances ]
 }
diff --git a/common/configuration/puppet.yaml b/common/configuration/puppet.yaml
index ff28317e..67890488 100644
--- a/common/configuration/puppet.yaml
+++ b/common/configuration/puppet.yaml
@@ -78,20 +78,15 @@ runcmd:
 - git clone ${puppetenv_git} /etc/puppetlabs/code/environments/main
 - ln -s /etc/puppetlabs/code/environments/main /etc/puppetlabs/code/environments/production
 - "(cd /etc/puppetlabs/code/environments/production; git checkout ${puppetenv_rev})"
-%{ if puppetfile != "" ~}
-%{ if strcontains(puppetfile, "forge") ~}
- - cat /etc/puppetlabs/Puppetfile > /etc/puppetlabs/code/environments/production/Puppetfile
-%{ else }
- - cat /etc/puppetlabs/Puppetfile >> /etc/puppetlabs/code/environments/production/Puppetfile
-%{ endif ~}
- - rm /etc/puppetlabs/Puppetfile
-%{ endif ~}
 - mkdir -p /etc/puppetlabs/data /etc/puppetlabs/facts
 - chgrp -R puppet /etc/puppetlabs/data /etc/puppetlabs/facts
 - ln -sf /etc/puppetlabs/data/{user_data,user_data.yaml,terraform_data.yaml} /etc/puppetlabs/code/environments/production/data/
 - ln -sf /etc/puppetlabs/facts/terraform_facts.yaml /etc/puppetlabs/code/environments/production/site/profile/facts.d
 # We use r10k solely to install the modules of the main branch environment.
- - "(cd /etc/puppetlabs/code/environments/production; /opt/puppetlabs/puppet/bin/r10k puppetfile install)"
+ - /opt/puppetlabs/puppet/bin/r10k puppetfile install --moduledir=/etc/puppetlabs/code/environments/production/modules --puppetfile=/etc/puppetlabs/code/environments/production/Puppetfile
+%{ if puppetfile != "" ~}
+ - /opt/puppetlabs/puppet/bin/r10k puppetfile install --moduledir=/etc/puppetlabs/code/modules --puppetfile=/etc/puppetlabs/code/Puppetfile
+%{ endif ~}
 # Wait for Terraform to scp its YAML data
 %{ if ! include_tf_data ~}
 - while [ ! -e "/etc/puppetlabs/data/terraform_data.yaml" ]; do echo "$(date -I'seconds') Waiting for terraform to scp terraform_data.yaml"; sleep 5; done
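Review bot: The second r10k call installs the complementary modules into `/etc/puppetlabs/code/modules`, a directory outside the production environment, and nothing in this hunk records why Puppet will find them there; a reader has to know that Puppet's default basemodulepath includes `$codedir/modules` and that the environment's `environment.conf` must not override modulepath without `$basemodulepath`. The existing comment above the first r10k call now describes only half of what the two commands do. Suggest extending it with a second line: `# Modules from the optional second Puppetfile go to /etc/puppetlabs/code/modules, which Puppet resolves through its default basemodulepath; an environment.conf modulepath that drops $basemodulepath will hide them.` Modules of the same name present in both directories would be resolved from the environment first, which is presumably intended but worth stating in that comment too.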
@@ -172,10 +167,10 @@ write_files:
 permissions: "0640"
 %{ endif ~}
 %{ if puppetfile != "" ~}
- - path: /etc/puppetlabs/Puppetfile
+ - path: /etc/puppetlabs/code/Puppetfile
 content: |
 ${indent(6, puppetfile)}
- permissions: "0640"
+ permissions: "0644"
 %{ endif ~}
 %{ endif ~}
 - content: |
diff --git a/common/provision/main.tf b/common/provision/main.tf
index d81397f8..f4b7e441 100644
--- a/common/provision/main.tf
+++ b/common/provision/main.tf
@@ -7,9 +7,10 @@ variable "hieradata_dir" { }
 variable "sudoer_username" { }
 variable "tf_ssh_key" { }
 variable "eyaml_key" { }
+variable "puppetfile" { }
 locals {
- provision_folder = "puppetserver_etc"
+ provision_folder = "etc_puppetlabs"
 }
 data "archive_file" "puppetserver_files" {
@@ -47,6 +48,15 @@ data "archive_file" "puppetserver_files" {
 filename = "${local.provision_folder}/puppet/eyaml/private_key.pkcs7.pem"
 }
 }
+
+ dynamic "source" {
+ for_each = var.puppetfile != "" ? [var.puppetfile]: []
+ iterator = filename
+ content {
+ content = var.puppetfile
+ filename = "${local.provision_folder}/code/Puppetfile"
+ }
+ }
 }
 resource "terraform_data" "deploy_puppetserver_files" {
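Review bot: The Puppetfile written by cloud-init becomes world-readable (`permissions: "0644"`) while the neighbouring provisioned file in the same hunk keeps `"0640"`, and the hunk gives no reason for the looser mode. A Puppetfile is normally not secret, but if an operator pins modules from private git sources with credentials embedded in the URL, `0644` exposes them to every local account on the Puppet server. Since r10k is invoked as root from runcmd, `0640` appears sufficient; if a non-root reader is the reason, a one-line comment naming it would stop the next reviewer from tightening it back, e.g. `# 0644: read by <reader> — TODO confirm`.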
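Review bot: `iterator = filename` in the new `dynamic "source"` block is declared but never referenced — the content block reads `var.puppetfile` directly — so the line is dead and the name `filename` is misleading since the iterator value is the Puppetfile content, not a file name. Either drop the `iterator` line or use it consistently, `content = filename.value`, so the block does not depend on the variable twice. The `for_each` expression also reads `[var.puppetfile]: []` without the conventional space before the colon. The enclosing `data "archive_file"` block starts before this hunk.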
@@ -71,17 +81,15 @@ resource "terraform_data" "deploy_puppetserver_files" {
 destination = "${local.provision_folder}.zip"
 }
+ provisioner "file" {
+ content = file("${path.module}/update_etc_puppetlabs.sh")
+ destination = "update_etc_puppetlabs.sh"
+ }
+
 provisioner "remote-exec" {
 inline = [
- # unzip is not necessarily installed when connecting, but python is.
- "/usr/libexec/platform-python -c 'import zipfile; zipfile.ZipFile(\"${local.provision_folder}.zip\").extractall()'",
- "sudo chmod g-w,o-rwx $(find ${local.provision_folder}/ -type f)",
- "sudo chown -R root:52 ${local.provision_folder}",
- "sudo mkdir -p -m 755 /etc/puppetlabs/",
- "sudo rsync -avh --no-t --exclude 'data' ${local.provision_folder}/ /etc/puppetlabs/",
- "sudo rsync -avh --no-t --del ${local.provision_folder}/data/ /etc/puppetlabs/data/",
- "sudo rm -rf ${local.provision_folder}/ ${local.provision_folder}.zip",
- "[ -f /usr/local/bin/consul ] && [ -f /usr/bin/jq ] && consul event -token=$(sudo jq -r .acl.tokens.agent /etc/consul/config.json) -name=puppet $(date +%s) || true",
+ "sudo bash update_etc_puppetlabs.sh ${local.provision_folder}.zip",
+ "rm ${local.provision_folder}.zip update_etc_puppetlabs.sh"
 ]
 }
 }
diff --git a/common/provision/update_etc_puppetlabs.sh b/common/provision/update_etc_puppetlabs.sh
new file mode 100644
index 00000000..f59adbf0
--- /dev/null
+++ b/common/provision/update_etc_puppetlabs.sh
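Review bot: The cleanup line `rm ${local.provision_folder}.zip update_etc_puppetlabs.sh` only executes when the script before it exits 0, because remote-exec stops at the first failing inline command; on any failure the archive — which, per the archive_file source earlier in this file, contains `puppet/eyaml/private_key.pkcs7.pem` — is left behind in the login user's home directory. The removed inline list had the same ordering, so this is not a regression, but with a single script the fix is now a one-liner: `"sudo bash update_etc_puppetlabs.sh ${local.provision_folder}.zip; rc=$?; rm -f ${local.provision_folder}.zip update_etc_puppetlabs.sh; exit $rc"`. The script is uploaded to a path owned by the login user and then run with sudo, which is the same trust boundary the old inline `sudo` commands had, so nothing new to raise there. The resource block starts before this hunk.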
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+ZIP_FILE=${1}
+ZIP_DIR=${ZIP_FILE%.zip}
+
+# unzip is not necessarily installed when connecting, but python is.
+/usr/libexec/platform-python -c "import zipfile; zipfile.ZipFile('${ZIP_FILE}').extractall()"
+
+chmod g-w,o-rwx $(find ${ZIP_DIR}/ -type f ! -path ${ZIP_DIR}/code/*)
+chown -R root:52 ${ZIP_DIR}
+mkdir -p -m 755 /etc/puppetlabs/
+rsync -avh --no-t --exclude 'data' ${ZIP_DIR}/ /etc/puppetlabs/
+rsync -avh --no-t --del ${ZIP_DIR}/data/ /etc/puppetlabs/data/
+rm -rf ${ZIP_DIR}/
+
+if [ -f /opt/puppetlabs/puppet/bin/r10k ] && [ /etc/puppetlabs/code/Puppetfile -nt /etc/puppetlabs/code/modules ]; then
+ /opt/puppetlabs/puppet/bin/r10k puppetfile install --moduledir=/etc/puppetlabs/code/modules --puppetfile=/etc/puppetlabs/code/Puppetfile
+ touch /etc/puppetlabs/code/modules
+fi
+
+if [ -f /usr/local/bin/consul ] && [ -f /usr/bin/jq ]; then
+ consul event -token=$(sudo jq -r .acl.tokens.agent /etc/consul/config.json) -name=puppet $(date +%s)
+fi
diff --git a/common/variables.tf b/common/variables.tf
index a002e390..4059aaa1 100644
--- a/common/variables.tf
+++ b/common/variables.tf
@@ -162,7 +162,7 @@ variable "skip_upgrade" {
 variable "puppetfile" {
 type = string
 default = ""
- description = "Additional content for the pupet environment Puppetfile. If the string includes a `forge` setting, the string replaces the original Puppetfile completely."
+ description = "Additional Puppet modules to install in the Puppetfile format."
 }
 variable "eyaml_key" {
diff --git a/docs/README.md b/docs/README.md
index 6fd9c1c4..f5b33c71 100644
--- a/docs/README.md
+++ b/docs/README.md
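Review bot: The script runs as root with no `set -e` and no check on `$1`, so an empty or missing argument turns `${ZIP_DIR}/` into `/` for the rsync source and for the final `rm -rf`, and a failed extraction or rsync does not stop the later steps from running. Add `set -euo pipefail` and `[ -n "${1:-}" ] || { echo "usage: $0 <archive.zip>" >&2; exit 1; }` before `ZIP_FILE` is assigned. In the chmod line the unquoted `! -path ${ZIP_DIR}/code/*` is glob-expanded by the shell against the freshly extracted tree before find sees it, which only works while `code/` holds at most one file; `find "${ZIP_DIR}/" -type f ! -path "${ZIP_DIR}/code/*" -exec chmod g-w,o-rwx {} +` removes both that and the word-splitting of `$(find ...)`. The consul step lost the `|| true` the old inline command had, so a failed event now makes the whole provisioner fail, and passing the agent ACL token as `-token=` puts it in the process list for every local user; exporting it as `CONSUL_HTTP_TOKEN` for that one command keeps it out of argv.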
@@ -966,14 +966,11 @@ whether they should upgrade the base image packages or not.
 **default_value** = `""`
-Defines a complement of modules to install with librarian puppet when initializing the Puppet environment
-on the first boot of the Puppet server. If the provided string include the
-[`forge` setting](https://www.puppet.com/docs/pe/2019.8/puppetfile.html#declare_puppet_forge_modules_in_the_puppetfile),
-the provided content will replace entirely the Magic Castle environment's
-[Puppetfile](https://github.com/ComputeCanada/puppet-magic_castle/blob/main/Puppetfile).
-
-**Post build modification effect**: None. To modify the Puppetfile after the cluster is initialized, log
-on the Puppet server and modify `/etc/puppetlabs/code/environments/production/Puppetfile`.
+Defines a second [Puppetfile](https://www.puppet.com/docs/pe/2023.2/puppetfile.html) used to
+install complementary modules with [r10k](https://github.com/puppetlabs/r10k).
+
+**Post build modification effect**: trigger scp of Puppetfile at next `terraform apply`.
+Each instance's Puppet agent will be reloaded following the installation of the new modules.
 ## 5. Cloud Specific Configuration
diff --git a/gcp/infrastructure.tf b/gcp/infrastructure.tf
index 6845a745..7a6959a3 100644
--- a/gcp/infrastructure.tf
+++ b/gcp/infrastructure.tf
@@ -45,6 +45,7 @@ module "provision" {
 hieradata_dir = var.hieradata_dir
 sudoer_username = var.sudoer_username
 eyaml_key = var.eyaml_key
+ puppetfile = var.puppetfile
 depends_on = [ google_compute_instance.instances ]
 }
diff --git a/openstack/infrastructure.tf b/openstack/infrastructure.tf
index b0092042..306933e8 100644
--- a/openstack/infrastructure.tf
+++ b/openstack/infrastructure.tf
@@ -40,6 +40,7 @@ module "provision" {
 hieradata_dir = var.hieradata_dir
 sudoer_username = var.sudoer_username
 eyaml_key = var.eyaml_key
+ puppetfile = var.puppetfile
 depends_on = [ local.network_provision_dep, openstack_compute_instance_v2.instances,