Merge pull request #402 from hashicorp/repo-sync

Repo sync

Author: hashibot-web

content/terraform-docs-common/docs/cloud-docs/workspaces/dynamic-provider-credentials/vault-configuration.mdx

@@ -111,8 +111,9 @@ To understand all the available options for matching bound claims, refer to the
 !> **Warning:** you should always check, at minimum, the audience and the name of the organization in order to prevent unauthorized access from other HCP Terraform organizations!
 
 #### Token TTLs
-We recommend setting token_ttl to a relatively short value. HCP Terraform can renew the token periodically until the plan or apply is complete, then revoke it to prevent it from being used further.
+We recommend creating a role which issues a renewable token, and setting `token_ttl` to a relatively short value, such as 20 minutes. HCP Terraform can renew the token periodically until the plan or apply is complete, then revoke it to prevent it from being used further.
 
+If you use a non-renewable token with HCP Terraform, the `token_ttl` has a maximum limit of 2 hours. If you use a non-renewable token with Terraform Enterprise, then the `token_ttl` of that token must match or exceed the [run phase timeout](/terraform/enterprise/application-administration/general#terraform-run-timeout-settings).
 ## Configure HCP Terraform
 You’ll need to set some environment variables in your HCP Terraform workspace in order to configure HCP Terraform to authenticate with Vault using dynamic credentials. You can set these as workspace variables, or if you’d like to share one Vault role across multiple workspaces, you can use a variable set. When you configure dynamic provider credentials with multiple provider configurations of the same type, use either a default variable or a tagged alias variable name for each provider configuration. Refer to [Specifying Multiple Configurations](#specifying-multiple-configurations) for more details.