Merge branch 'main' into docs/CE-1060-add-change-organization-owners

Author: boruszak

.github/workflows/create-tfe-release-notes.yml

@@ -34,20 +34,20 @@ env:
   LAST_RELEASE_TAG: ${{ inputs.last-release-tag }}
 
 jobs:
-    copy-docs:
-      uses: ./.github/workflows/copy-cloud-docs-for-tfe.yml
+    sync-docs:
+      uses: ./.github/workflows/sync-docs-for-tfe.yml
       with:
         version: ${{ inputs.version }}
       secrets: inherit
     release-notes:
-      needs: copy-docs
+      needs: sync-docs
       runs-on: ubuntu-latest
       steps:
-        - name: Print outputs from copy-docs
+        - name: Print outputs from sync-docs
           run: |
-            echo "release_branch_name: ${{ needs.copy-docs.outputs.release_branch_name }}"
-            echo "diff_branch_pr_url: ${{ needs.copy-docs.outputs.diff_branch_pr_url }}"
-            echo "release_branch_pr_url: ${{ needs.copy-docs.outputs.release_branch_pr_url }}"
+            echo "release_branch_name: ${{ needs.sync-docs.outputs.release_branch_name }}"
+            echo "diff_branch_pr_url: ${{ needs.sync-docs.outputs.diff_branch_pr_url }}"
+            echo "release_branch_pr_url: ${{ needs.sync-docs.outputs.release_branch_pr_url }}"
 
         - name: Only run in hashicorp/web-unified-docs-internal
           run: |
@@ -59,7 +59,7 @@ jobs:
         - name: Checkout web-unified-docs repository
           uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
           with:
-            ref: '${{ needs.copy-docs.outputs.release_branch_name }}'
+            ref: '${{ needs.sync-docs.outputs.release_branch_name }}'
 
         - name: Install and cache Ruby gems at root
           uses: ruby/setup-ruby@52753b7da854d5c07df37391a986c76ab4615999 # v1.191.0
@@ -74,7 +74,7 @@ jobs:
 
         - name: Turn branch into PR
           run: |
-            export RELEASE_BRANCH_NAME="${{ needs.copy-docs.outputs.release_branch_name }}"
+            export RELEASE_BRANCH_NAME="${{ needs.sync-docs.outputs.release_branch_name }}"
             RELEASE_NOTES_PR_URL=$(scripts/tfe-releases/ci/create-pull-request.sh)
             echo "RELEASE_NOTES_PR_URL=$RELEASE_NOTES_PR_URL" >> $GITHUB_ENV
 
@@ -134,10 +134,10 @@ jobs:
               - ${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}}
 
               Changes since last release, diff PR:
-              - ${{ needs.copy-docs.outputs.diff_branch_pr_url }}
+              - ${{ needs.sync-docs.outputs.diff_branch_pr_url }}
 
               Release Notes PR:
-              - ${{ needs.copy-docs.outputs.release_branch_pr_url }}
+              - ${{ needs.sync-docs.outputs.release_branch_pr_url }}
 
 
               ❗ This is the Release PR that will be merged into main, once the release notes and diff PR are merged into it. ❗
@@ -149,5 +149,5 @@ jobs:
             git config --global user.email "[email protected]"
             git config --global user.name "tfe-release-bot"
 
-            gh pr edit ${{ needs.copy-docs.outputs.release_branch_pr_url }} \
+            gh pr edit ${{ needs.sync-docs.outputs.release_branch_pr_url }} \
               --body="${{env.docs_pr_body}}"

.github/workflows/sync-docs-for-tfe.yml

@@ -0,0 +1,119 @@
+name: Sync Cloud Docs For TFE
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'The TFE version for the upcoming TFE release, format is either vYYYYMM-# or MAJOR.MINOR.PATCH (without a "v" prefix).'
+        required: true
+        type: string
+  workflow_call:
+    inputs:
+      version:
+        description: 'The TFE version for the upcoming TFE release, format is either vYYYYMM-# or MAJOR.MINOR.PATCH (without a "v" prefix).'
+        required: true
+        type: string
+    outputs:
+      release_branch_name:
+        description: 'The name of the branch created for the new TFE version docs.'
+        value: ${{ jobs.sync-docs.outputs.release_branch_name }}
+      release_branch_pr_url:
+        description: 'The URL of the release branch created for the new TFE version docs.'
+        value: ${{ jobs.sync-docs.outputs.release_branch_pr_url }}
+      diff_branch_pr_url:
+        description: 'The URL of the diff branch created for the new TFE version docs.'
+        value: ${{ jobs.sync-docs.outputs.diff_branch_pr_url }}
+
+jobs:
+  sync-docs:
+    name: Sync Cloud Docs
+    runs-on: ubuntu-latest
+    outputs:
+      release_branch_name: ${{ steps.check-docs-pr.outputs.docs_branch_name }}
+      release_branch_pr_url: ${{ steps.check-docs-pr.outputs.release_branch_pr_url }}
+      diff_branch_pr_url: ${{ steps.update-diff-branch.outputs.diff_branch_pr_url }}
+    steps:
+      - name: Series/Release Summary
+        run: |
+          echo "# Summary"                                                                            >> $GITHUB_STEP_SUMMARY
+          echo "**Workflow ref**: ${{github.ref_name}}"                                               >> $GITHUB_STEP_SUMMARY
+          echo ""                                                                                     >> $GITHUB_STEP_SUMMARY
+          echo "Triggered by branch creation (or manual workflow):"                                   >> $GITHUB_STEP_SUMMARY
+          echo ""                                                                                     >> $GITHUB_STEP_SUMMARY
+          echo ""                                                                                     >> $GITHUB_STEP_SUMMARY
+          echo "---"                                                                                  >> $GITHUB_STEP_SUMMARY
+
+      - name: Checkout main for new docs version
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          path: '${{github.workspace}}/new-docs'
+
+      - name: Check if new TFE version docs branch already exist
+        id: check-docs-pr
+        working-directory: '${{github.workspace}}/new-docs'
+        env:
+          docs_branch_name: tfe-release/${{inputs.version}}
+          diff_branch_name: HCPTF-diff/${{inputs.version}}
+        run: |
+          echo ${{ secrets.TFE_GITHUB_TOKEN }} | gh auth login --with-token
+          git config --global user.email "[email protected]"
+          git config --global user.name "tfe-release-bot"
+
+          if [ "$(git ls-remote --heads origin ${{env.docs_branch_name}})" == "" ]; then
+            echo "❌ branch name ${{env.docs_branch_name}} does not exists, please run copy cloud docs for tfe workflow first to create the branch."
+
+            echo "❌ branch name ${{env.docs_branch_name}} does not exists, please run copy cloud docs for tfe workflow first to create the branch." >> $GITHUB_STEP_SUMMARY
+
+            exit 1
+          fi
+
+          if [ "$(git ls-remote --heads origin ${{env.diff_branch_name}})" == "" ]; then
+            echo "❌ branch name ${{env.diff_branch_name}} does not exists, please run copy cloud docs for tfe workflow first to create the branch."
+
+            echo "❌ branch name ${{env.diff_branch_name}} does not exists, please run copy cloud docs for tfe workflow first to create the branch." >> $GITHUB_STEP_SUMMARY
+
+            exit 1
+          fi
+
+          echo "docs_branch_name=${{env.docs_branch_name}}" >> $GITHUB_OUTPUT
+          docs_pr_url=$(gh pr view ${{env.docs_branch_name}} --json url --jq '.url')
+          echo "release_branch_pr_url=${docs_pr_url}" >> $GITHUB_OUTPUT
+          echo "**TFE Release PR URL**: ${docs_pr_url}" >> $GITHUB_STEP_SUMMARY
+
+      - name: Generate version-metadata for workflow
+        working-directory: '${{github.workspace}}/new-docs'
+        run: |
+          npm i
+          npm run prebuild -- --only-build-version-metadata
+
+      - name: Checkout HCPTF-diff for new docs version DIFF PR
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          path: '${{github.workspace}}/new-docs-diff-pr'
+          ref: 'HCPTF-diff/${{inputs.version}}'
+
+      - name: Copy files for new docs version DIFF PR
+        uses: ./new-docs/.github/actions/copy-cloud-docs-for-tfe
+        with:
+          source_path: '${{github.workspace}}/new-docs'
+          target_path: '${{github.workspace}}/new-docs-diff-pr'
+          new_TFE_version: ${{inputs.version}}
+
+      - name: Update existing docs version DIFF branch
+        id: update-diff-branch
+        working-directory: '${{github.workspace}}/new-docs-diff-pr'
+        env:
+          diff_branch_name: HCPTF-diff/${{inputs.version}}
+        run: |
+          echo ${{ secrets.TFE_GITHUB_TOKEN }} | gh auth login --with-token
+          git config --global user.email "[email protected]"
+          git config --global user.name "tfe-release-bot"
+
+          git add .
+          git commit -m "HCP TF changes for TFE release" --no-verify || echo "No changes to commit"
+          git push origin HEAD
+
+          diff_pr_url=$(gh pr view --json url --jq '.url')
+          echo "diff_branch_pr_url=${diff_pr_url}" >> $GITHUB_OUTPUT
+          echo "**Updated DIFF branch**: ${{env.diff_branch_name}}" >> $GITHUB_STEP_SUMMARY
+          echo "**TFE DIFF PR URL**: ${diff_pr_url}" >> $GITHUB_STEP_SUMMARY

CODEOWNERS

@@ -27,29 +27,27 @@
 
 /content/terraform-enterprise @hashicorp/team-docs-packer-and-terraform @hashicorp/ptfe-review
 
-
 # Vault documentation ownership
-
 /content/vault/                                    @hashicorp/vault-education-approvers
 
 # Sentinel documentation ownership
 /content/sentinel/ @hashicorp/team-docs-packer-and-terraform @hashicorp/tf-compliance
 
 # Well-architected framework
-
 /content/well-architected-framework/ @hashicorp/well-architected-education-approvers
 
-
 # HCP-docs documentation ownership
+/content/hcp-docs/* @hashicorp/education
+
 # HCP Consul Docs
 /content/hcp-docs/content/docs/consul/* @hashicorp/consul-docs
 
-# HCP Vault & HCP Vault Secrets docs
-/content/hcp-docs/content/docs/vault/*          @hashicorp/vault-education-approvers
-/content/hcp-docs/content/docs/vault-secrets/*  @hashicorp/vault-education-approvers
+# HCP Vault & HCP Vault Radar docs
+/content/hcp-docs/content/docs/vault* @hashicorp/vault-education-approvers
+/content/hcp-docs/content/partials/vault* @hashicorp/vault-education-approvers
 
 # HCP Boundary docs
-/content/hcp-docs/content/docs/boundary/*       @hashicorp/boundary-education-approvers
+/content/hcp-docs/content/docs/boundary/* @hashicorp/boundary-education-approvers
 
 #HCP IAM
 /content/hcp-docs/content/partials/hcp-administration/* @hashicorp/cloud-access-control @hashicorp/cloud-identity

content/hcp-docs/content/docs/vault-radar/agent/correlate-aws-secrets-manager.mdx

@@ -0,0 +1,120 @@
+---
+page_title: Correlate findings with AWS Secrets Manager
+description: >-
+  Correlate findings from HCP Vault Radar with secrets stored in AWS Secrets Manager.
+---
+
+# Correlate findings with AWS Secrets Manager
+
+When HCP Vault Radar connects to AWS Secrets Manager, Vault Radar can correlate
+findings with secrets stored in AWS Secrets Manager. This allows you to identify
+what secrets you need to rotate.
+
+## Connect AWS Secrets Manager
+
+Before you can correlate findings with AWS Secrets Manager, you need to [deploy
+the Radar agent](/hcp/docs/vault-radar/agent/deploy). Once you deploy the agent,
+you can configure and connect AWS Secrets Manager to the agent.
+
+## Prerequisites
+
+You need one of the following AWS authentication methods:
+
+- IAM role authentication with an EC2 instance or configured IAM role
+- Environment variables authentication with AWS Access Key ID and Secret Access Key
+
+Both authentication methods support an optional assume role ARN for
+cross-account access or elevated permissions. For more information about
+assuming roles, refer to the [AWS STS AssumeRole
+documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html).
+
+### Required permissions
+
+The IAM user, role, or assumed role must have the following permissions:
+
+| Service | Permission | Documentation |
+|---------|------------|---------------|
+| Secrets Manager | `secretsmanager:ListSecrets` | [ListSecrets API](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_ListSecrets.html) |
+| Secrets Manager | `secretsmanager:DescribeSecret` | [DescribeSecret API](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DescribeSecret.html) |
+| Secrets Manager | `secretsmanager:GetSecretValue` | [GetSecretValue API](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html) |
+| Secrets Manager | `secretsmanager:ListSecretVersionIds` | [ListSecretVersionIds API](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_ListSecretVersionIds.html) |
+| EC2 | `ec2:DescribeRegions` | [DescribeRegions API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeRegions.html) |
+| STS | `sts:GetCallerIdentity` | [GetCallerIdentity API](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html) |
+
+**Example AWS IAM policy:**
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:ListSecrets",
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:GetSecretValue",
+        "secretsmanager:ListSecretVersionIds"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:DescribeRegions"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "sts:GetCallerIdentity"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+```
+
+## Agent configuration with AWS Secrets Manager
+
+Set up and manage AWS Secrets Manager from the Vault Radar module in the [HCP
+Portal](https://portal.cloud.hashicorp.com/). 
+
+1. Click **Settings**.
+
+1. Click **Secret Managers**.
+
+1. Click **Connect new secret manager**.
+
+1. Select **AWS Secrets Manager** and click **Next**.
+
+1. Select an AWS authentication method from the **Authentication method** pulldown menu.
+
+1. Enter the details for the selected method and click **Next** to validate the connection.
+
+   <Tabs>
+   <Tab heading="IAM Role">
+   
+   - Select **IAM Role** if you want to use instance profile or role-based authentication.
+   
+   ![IAM Role](/img/docs/vault-radar/indexing/aws-secrets-manager/iam-role.png)
+   
+   - (Optional) Enter an assume role ARN in the **Assume Role ARN** text field if you need to assume a different role for access.
+   
+   </Tab>
+   <Tab heading="Environment Variables">
+   
+   - Select **AWS Credentials from environment variables** if you want to use access keys.
+   
+   ![Environment Variables](/img/docs/vault-radar/indexing/aws-secrets-manager/environment-variables.png)
+   
+   - Enter your AWS Access Key ID location in the **AWS Access Key ID Env variable** text field (default: `env://AWS_ACCESS_ID_LOCATION`).
+   
+   - Enter your AWS Secret Access Key location in the **AWS Secret Access Key Env variable** text field (default: `env://AWS_SECRET_KEY_LOCATION`).
+   
+   - (Optional) Enter an assume role ARN in the **Assume Role ARN** text field if you need to assume a different role for access.
+   
+   </Tab>
+   </Tabs>
+
+Vault Radar fetches all active regions for the account and automatically starts index scan for each region.

content/hcp-docs/content/docs/vault-radar/agent/correlate-vault.mdx

@@ -13,15 +13,26 @@ Vault Dedicated or Vault Enterprise clusters.
 
 </Highlight>
 
-When the HCP Vault Radar agent connects to a HCP Vault Dedicated or Vault Enterprise cluster, 
+When the Vault Radar agent connects to a Vault Dedicated or Vault Enterprise cluster, 
 Vault Radar can correlate findings with secrets stored in Vault. This allows you to identify 
 what secrets you need to rotate.
 
 ## Connect a Vault cluster
 
 Before you can correlate findings with Vault, you need to [deploy the Radar
 agent](/hcp/docs/vault-radar/agent/deploy). Once you deploy the agent, you can
-configured and connect Vault to the agent.
+configure and connect Vault to the agent.
+
+## Prerequisites
+
+You need one of the following Vault authentication methods:
+
+- Kubernetes
+- AppRole
+- Token
+
+The authentication methods require a policy that allows the Vault Radar agent to
+read all KV secrets from Vault.
 
 ### Create a Vault policy
 

content/hcp-docs/data/docs-nav-data.json

@@ -931,6 +931,10 @@
           {
             "title": "Integrate Vault Enterprise",
             "path": "vault-radar/agent/correlate-vault"
+          },
+          {
+            "title": "Integrate AWS Secrets Manager",
+            "path": "vault-radar/agent/correlate-aws-secrets-manager"
           }
         ]
       },

content/hcp-docs/img/docs/vault-radar/indexing/aws-secrets-manager/environment-variables.png

@@ -86,6 +86,12 @@ The workspace begins using the agent for Terraform runs. Runs involving an agent
 
 ## Configure Stacks to use the agent
 
+<Note>
+
+Your agents must use v1.25.0 or above to execute Stack deployment runs. To learn more about agent versioning, refer to [Updates](/terraform/cloud-docs/agents/agents#updates).
+
+</Note>
+
 Use the following steps to configure a Stack to use an agent pool.
 
 ### Step 1: Manage existing runs