Merge branch 'main' into RADAR-6812-adding-documentation-for-aws-secrets-manager-indexing

Author: jonathanfrappier

content/terraform-docs-common/docs/cloud-docs/api-docs/state-versions.mdx

@@ -49,7 +49,7 @@ Some of the information returned in a state version API object might be **popula
 | `billable-rum-count`             | Count of billable Resources Under Management (RUM). Only present for organization members on HCP Terraform RUM plans with visibility of billable RUM usage.                                                                                               |
 | `hosted-json-state-download-url` | A URL from which you can download the state data in a [stable format](/terraform/internals/json-format) appropriate for external integrations to consume. Only available if the state was created by Terraform 1.3+.                                                         |
 | `hosted-state-download-url`      | A URL from which you can download the raw state data, in the format used internally by Terraform.                                                                                                                                                                            |
-| `sanitized-state-download-url`   | A URL to which you can download state data with sensitive values redacted.                                                                                                                                                                                                   |
+| `sanitized-state-download-url`   | A URL to which you can download state data with sensitive values redacted. This URL is only available for workspaces using [hold your own key](/terraform/cloud-docs/hold-your-own-key) encryption.                                                                                                                                                                                                  |
 | `hosted-json-state-upload-url`   | A URL to which you can upload state data in a [stable format](/terraform/internals/json-format) appropriate for external integrations to consume. You can upload JSON state content once per state version.                                                                  |
 | `hosted-state-upload-url`        | A URL to which you can upload state data in the format used Terraform uses internally. You can upload state data once per state version.                                                                                                                                     |
 | `hyok-encrypted-data-key`        | A reference to the HYOK encrypted data key used to secure this state version. Hold your own key is only available in HCP Terraform, [learn more](/terraform/cloud-docs/hold-your-own-key).                                                                                                                                                                                                   |

content/terraform/v1.13.x/docs/language/resources/index.mdx

@@ -42,4 +42,4 @@ As your infrastructure needs change, you may want to add or remove resources fro
 - [Remove a resource from state](/terraform/language/state/remove) describes how to remove a resource from state without destroying the actual infrastructure object.
 - [Destroy a resource](/terraform/language/resources/destroy) describes how to remove a resource from state and destroy the actual infrastructure.
 
-Many providers also allow you to read data from the provider so that you can use data from exisitng infrastructure without provisioning actual infrastructure objects. Refer to [Query data sources](/terraform/language/data-sources) for more information.
+Many providers also allow you to read data from the provider so that you can use data from existing infrastructure without provisioning actual infrastructure objects. Refer to [Query data sources](/terraform/language/data-sources) for more information.

content/vault/v1.16.x/content/api-docs/system/storage/raftautosnapshots.mdx

@@ -71,7 +71,12 @@ environment variables or files on disk in predefined locations.
 
 - `aws_s3_region` `(string: <required>)` - AWS region bucket is in.
 
-- `aws_access_key_id` `(string)` - AWS access key ID.
+- `aws_access_key_id` `(string)` - AWS access key ID. The associated AWS account
+  must have the following permissions in S3 so that Vault can store and manage
+  the snapshots:
+  - `s3:ListBucket`
+  - `s3:PutObject`
+  - `s3:DeleteObject`
 
 - `aws_secret_access_key` `(string)` - AWS secret access key.
 
@@ -87,7 +92,11 @@ environment variables or files on disk in predefined locations.
 - `aws_s3_force_path_style` `(boolean)` - Use the endpoint/bucket URL style
   instead of bucket.endpoint. May be needed when setting `aws_s3_endpoint`.
 
-- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents.
+- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. To use
+   KMS encryption, the associated AWS account must have the following
+   permissions:
+  - `kms:Decrypt`
+  - `kms:GenerateDataKey`
 
 - `aws_s3_server_side_encryption` `(boolean)` - Use AES256 to encrypt bucket contents. Cannot use with `aws_s3_enable_kms` parameter.
 
@@ -98,23 +107,27 @@ environment variables or files on disk in predefined locations.
 - `google_gcs_bucket` `(string: <required>)` GCS bucket to write snapshots to.
 
 - `google_service_account_key` `(string)` - Google service account key in JSON format. Depending
-  on how the API is invoked, this may be need to be JSON-escaped, e.g. for newlines and double quotes.
+  on how the API is invoked, this may need to be JSON-escaped, e.g. for newlines and double quotes.
   The raw value looks like this:
-
-```json
-{
-  "type": "service_account",
-  "project_id": "project-id",
-  "private_key_id": "key-id",
-  "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n",
-  "client_email": "service-account-email",
-  "client_id": "client-id",
-  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
-  "token_uri": "https://accounts.google.com/o/oauth2/token",
-  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
-  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
-}
-```
+  ```json
+  {
+    "type": "service_account",
+    "project_id": "project-id",
+    "private_key_id": "key-id",
+    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n",
+    "client_email": "service-account-email",
+    "client_id": "client-id",
+    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+    "token_uri": "https://accounts.google.com/o/oauth2/token",
+    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
+  }
+    ```
+  
+  The associated Google service account must have the following permissions in Google Cloud Storage so that Vault can store and manage the snapshots:
+  - `storage.objects.create`
+  - `storage.objects.list`
+  - `storage.objects.delete`
 
 - `google_endpoint` `(string)` - GCS endpoint. This is typically only set when
   using a non-Google GCS implementation like fake-gcs-server.
@@ -128,7 +141,12 @@ environment variables or files on disk in predefined locations.
 - `azure_container_name` `(string: <required>)` - Azure container name to write
   snapshots to.
 
-- `azure_account_name` `(string)` - Azure account name.
+- `azure_account_name` `(string)` - Azure account name. The associated Azure
+  account must have the following permissions in Azure Blob Storage so that
+  Vault can store and manage the snapshots:
+  - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read`
+  - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write`
+  - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete`
 
 - `azure_account_key` `(string)` - Azure account key.
 

content/vault/v1.19.x/content/api-docs/system/storage/raftautosnapshots.mdx

@@ -81,7 +81,12 @@ parameters in the context of AWS EKS & S3 configuration.
 
 - `aws_s3_region` `(string: <required>)` - AWS region bucket is in.
 
-- `aws_access_key_id` `(string)` - AWS access key ID.
+- `aws_access_key_id` `(string)` - AWS access key ID. The associated AWS account
+  must have the following permissions in S3 so that Vault can store and manage
+  the snapshots:
+  - `s3:ListBucket`
+  - `s3:PutObject`
+  - `s3:DeleteObject`
 
 - `aws_secret_access_key` `(string)` - AWS secret access key.
 
@@ -97,7 +102,10 @@ parameters in the context of AWS EKS & S3 configuration.
 - `aws_s3_force_path_style` `(boolean)` - Use the endpoint/bucket URL style
   instead of bucket.endpoint. May be needed when setting `aws_s3_endpoint`.
 
-- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents.
+- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. To use
+  KMS encryption, the associated account must have the following permissions:
+  - `kms:Decrypt`
+  - `kms:GenerateDataKey`
 
 - `aws_s3_server_side_encryption` `(boolean)` - Use AES256 to encrypt bucket contents. Cannot use with `aws_s3_enable_kms` parameter.
 
@@ -108,23 +116,28 @@ parameters in the context of AWS EKS & S3 configuration.
 - `google_gcs_bucket` `(string: <required>)` GCS bucket to write snapshots to.
 
 - `google_service_account_key` `(string)` - Google service account key in JSON format. Depending
-  on how the API is invoked, this may be need to be JSON-escaped, e.g. for newlines and double quotes.
-  The raw value looks like this:
+on how you invoke the API, you may need to JSON-escape the account key. For
+example, to include data with newlines and double quotes the raw value would
+look like:
+  ```json
+  {
+    "type": "service_account",
+    "project_id": "project-id",
+    "private_key_id": "key-id",
+    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n",
+    "client_email": "service-account-email",
+    "client_id": "client-id",
+    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+    "token_uri": "https://accounts.google.com/o/oauth2/token",
+    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
+  }
+  ```
 
-```json
-{
-  "type": "service_account",
-  "project_id": "project-id",
-  "private_key_id": "key-id",
-  "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n",
-  "client_email": "service-account-email",
-  "client_id": "client-id",
-  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
-  "token_uri": "https://accounts.google.com/o/oauth2/token",
-  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
-  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
-}
-```
+  The associated Google service account must have the following permissions in Google Cloud Storage so that Vault can store and manage the snapshots:
+  - `storage.objects.create`
+  - `storage.objects.list`
+  - `storage.objects.delete`
 
 - `google_endpoint` `(string)` - GCS endpoint. This is typically only set when
   using a non-Google GCS implementation like fake-gcs-server.
@@ -138,7 +151,12 @@ parameters in the context of AWS EKS & S3 configuration.
 - `azure_container_name` `(string: <required>)` - Azure container name to write
   snapshots to.
 
-- `azure_account_name` `(string)` - Azure account name.
+- `azure_account_name` `(string)` - Azure account name. The associated Azure
+  account must have the following permissions in Azure Blob Storage so that
+  Vault can store and manage the snapshots:
+  - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read`
+  - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write`
+  - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete`
 
 - `azure_auth_mode` `(string)` - One of `shared`, `managed`, or `environment`. If `environment` is set, Azure authentication details are retrieved from the environment variables: `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`. 
 

content/vault/v1.20.x/content/api-docs/system/storage/raftautosnapshots.mdx

@@ -81,7 +81,15 @@ parameters in the context of AWS EKS & S3 configuration.
 
 - `aws_s3_region` `(string: <required>)` - AWS region bucket is in.
 
-- `aws_access_key_id` `(string)` - AWS access key ID.
+- `aws_access_key_id` `(string)` - AWS access key ID. The associated AWS account
+  must have the following permissions in S3 so that Vault can store and manage
+  the snapshots:
+  - `s3:ListBucket`
+  - `s3:PutObject`
+  - `s3:DeleteObject`
+
+  To load a snapshot with your configuration, the account also needs:
+  - `s3:GetObject`
 
 - `aws_secret_access_key` `(string)` - AWS secret access key.
 
@@ -97,7 +105,10 @@ parameters in the context of AWS EKS & S3 configuration.
 - `aws_s3_force_path_style` `(boolean)` - Use the endpoint/bucket URL style
   instead of bucket.endpoint. May be needed when setting `aws_s3_endpoint`.
 
-- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents.
+- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. To use
+  KMS encryption, the associated AWS account must have the following permissions:
+  - `kms:Decrypt`
+  - `kms:GenerateDataKey`
 
 - `aws_s3_server_side_encryption` `(boolean)` - Use AES256 to encrypt bucket contents. Cannot use with `aws_s3_enable_kms` parameter.
 
@@ -108,23 +119,32 @@ parameters in the context of AWS EKS & S3 configuration.
 - `google_gcs_bucket` `(string: <required>)` GCS bucket to write snapshots to.
 
 - `google_service_account_key` `(string)` - Google service account key in JSON format. Depending
-  on how the API is invoked, this may be need to be JSON-escaped, e.g. for newlines and double quotes.
-  The raw value looks like this:
+on how you invoke the API, you may need to JSON-escape the account key. For
+example, to include data with newlines and double quotes the raw value would
+look like:
+  ```json
+  {
+    "type": "service_account",
+    "project_id": "project-id",
+    "private_key_id": "key-id",
+    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n",
+    "client_email": "service-account-email",
+    "client_id": "client-id",
+    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+    "token_uri": "https://accounts.google.com/o/oauth2/token",
+    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
+  }
+    ```
 
-```json
-{
-  "type": "service_account",
-  "project_id": "project-id",
-  "private_key_id": "key-id",
-  "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n",
-  "client_email": "service-account-email",
-  "client_id": "client-id",
-  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
-  "token_uri": "https://accounts.google.com/o/oauth2/token",
-  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
-  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
-}
-```
+  The associated Google service account must have following permissions in
+  Google Cloud Storage so that Vault can store and manage the snapshots:
+  - `storage.objects.create`
+  - `storage.objects.list`
+  - `storage.objects.delete`
+
+  To load a snapshot with your configuration, the account also needs:
+  - `storage.objects.get`
 
 - `google_endpoint` `(string)` - GCS endpoint. This is typically only set when
   using a non-Google GCS implementation like fake-gcs-server.
@@ -138,7 +158,12 @@ parameters in the context of AWS EKS & S3 configuration.
 - `azure_container_name` `(string: <required>)` - Azure container name to write
   snapshots to.
 
-- `azure_account_name` `(string)` - Azure account name.
+- `azure_account_name` `(string)` - Azure account name. The associated Azure
+  account must have the following permissions in Azure Blob Storage so that
+  Vault can store and manage the snapshots:
+  - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read`
+  - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write`
+  - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete`
 
 - `azure_auth_mode` `(string)` - One of `shared`, `managed`, or `environment`. If `environment` is set, Azure authentication details are retrieved from the environment variables: `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`. 
 

content/vault/v1.20.x/content/docs/sysadmin/snapshots/index.mdx

@@ -33,7 +33,7 @@ Step-by-step instructions:
 - [Restore a snapshot](/vault/docs/sysadmin/snapshots/restore)
 - [Recover discrete secrets in a replicated environment](/vault/docs/sysadmin/snapshots/recover-a-secret/replicated-cluster) <EnterpriseAlert inline="true" />
 - [Recover discrete secrets in a non-replicated environment](/vault/docs/sysadmin/snapshots/recover-a-secret/single-cluster) <EnterpriseAlert inline="true" />
-- [Automate snapshots](/vault/docs/sysadmin/snapshots/recover-a-secret) <EnterpriseAlert inline="true" />
+- [Automate snapshots](/vault/docs/sysadmin/snapshots/automate) <EnterpriseAlert inline="true" />
 - [Recover discrete secrets](/vault/docs/sysadmin/snapshots/recover-a-secret) <EnterpriseAlert inline="true" />
 
 </Tab>
@@ -59,4 +59,4 @@ Detailed tutorials:
 
 </Tab>
 
-</Tabs>
+</Tabs>