Merge branch 'main' into harshitchaudhary94/TF-30688-1-0-2-patch-release-notes

Author: harshitchaudhary94

.github/PULL_REQUEST_TEMPLATE/hcp_pull_request_template.md

@@ -0,0 +1,55 @@
+## Description
+
+<!-- ID for Jira ticket e.g [SPE-1234] -->
+
+:ticket: [Jira ticket]
+
+<!-- Add a brief description of changes here. Include any other necessary relevant links -->
+
+<!-- Help your reviewer understand the type of review you need by selecting the scope and urgency. -->
+
+### Requested review scope:
+
+- [ ] Content touched by the PR _only_ (typos, clarifications, tips)
+- [ ] Code test (command and code block changes)
+- [ ] Flow and language near changes (new/rearranged steps)
+- [ ] Review everything (rewrites, major changes)
+
+### Review urgency:
+
+- [ ] ASAP (bug fixes, broken content, imminent releases)
+- [ ] 3 days (small changes, easy reviews)
+- [ ] 1 week (default)
+- [ ] Best effort (very non-urgent)
+
+<!-- Fill out only the appropriate checklist for your type of feature (or both if necessary) and delete the other one! -->
+
+## All updates:
+
+<!-- This section is mandatory for all PRs: -->
+
+I have:
+
+- [ ] Verified that all status checks have passed
+- [ ] Verified that preview environment has successfully deployed
+- [ ] Verified appropriate `label` applied (`hcp` + `product name`)
+- [ ] Added all required reviewers (code owners and external)
+
+## Content checklist (optional)
+
+Please do these things before requesting a review. I have:
+
+- [ ] Made any associated code repositories public
+- [ ] Added the `hashicorp-education/teamName` to any additional code or example repos as repo admin
+- [ ] Added redirects for any moved or removed pages
+- [ ] Spell checked the tutorial(s)
+- [ ] Followed the [unified style guide](https://github.com/hashicorp/web-unified-docs/tree/main/docs/style-guide)
+- [ ] Linted code snippets (Details per language [here](https://github.com/hashicorp/engineering-docs/blob/master/writing/markdown.md#code-blocks))
+- [ ] Checked the steps for completeness (no steps are implied or hidden)
+- [ ] Looked at the local or vercel build and checked each new or changed page for:
+  - display on the product curriculum page
+  - callout box formatting
+  - code block highlighting
+  - right-hand navigation
+  - next and back buttons
+  - URL path

.github/labeler.yml

@@ -216,3 +216,16 @@ Waypoint:
     - any-glob-to-any-file: [
         'content/hcp-docs/content/docs/waypoint/**'
       ]
+
+# Add 'HCP Docs' label to changes under 'content/hcp-docs'
+#
+# Label           | Rule
+# --------------- | ------------------------------------------------------------
+# HCP Docs        | Default; applies to all doc updates
+
+HCP Docs:
+- any:
+  - changed-files:
+    - any-glob-to-any-file: [
+        'content/hcp-docs/**'
+      ]

.github/pull_request_template.md

@@ -0,0 +1,4 @@
+Please go to the `Preview` tab and select the appropriate template:
+
+* [HCP services](?expand=1&template=hcp_pull_request_template.md)
+* [Terraform Enterprise](?expand=1&template=ptfe_release_pull_request_template.md)

content/hcp-docs/content/docs/boundary/audit-logging.mdx

@@ -0,0 +1,212 @@
+---
+page_title: Audit log streaming
+description: |-
+  Set up audit log streaming for HCP Boundary with AWS CloudWatch or Datadog.
+---
+
+# Audit log streaming
+
+HCP Boundary supports near real-time streaming of audit events to existing customer managed accounts of supported providers. Audit events capture all create, list, update, and delete operations performed by an authenticated Boundary client (Desktop, CLI, or the browser-based admin UI) on any of the following Boundary resources:
+
+- Sessions
+- Scopes
+- Workers
+- Credential stores, credential libraries, credentials
+- Auth methods, roles, managed groups, groups, users, accounts, grants
+- Host catalogs, host sets, host, targets
+
+The captured data includes the user ID of the user performing the operation, the timestamp, and the full request and response payloads.
+
+Audit logs allow administrators to track user activity and enable security teams to ensure compliance in accordance with regulatory requirements.
+
+The documentation outlines the steps required to enable and configure audit log streaming to the supported providers AWS CloudWatch and Datadog. You can stream logs to one account at a time.
+
+## Configure streaming with AWS CloudWatch
+
+To configure audit log streaming with AWS CloudWatch, you must create an [IAM role](https://docs.aws.amazon.com/iam/?id=docs_gateway) that HCP Boundary can use to send logs to AWS CloudWatch. Below are the steps to create the IAM role with necessary configuration.
+
+### Create IAM policy
+
+1. Launch [AWS Management Console](https://console.aws.amazon.com/) and navigate to **IAM > Policies**, and click **Create policy**.
+1. Choose **JSON** and enter the following policy in the policy editor.
+
+  ```json
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Sid": "HCPLogStreaming",
+        "Effect": "Allow",
+        "Action": [
+          "logs:PutLogEvents",
+          "logs:DescribeLogStreams",
+          "logs:DescribeLogGroups",
+          "logs:CreateLogStream",
+          "logs:CreateLogGroup",
+          "logs:TagLogGroup"
+        ],
+        "Resource": "*"
+      }
+    ]
+  }
+  ```
+
+1. Click **Next**.
+1. Enter a name for the new policy, for example, `hcp-log-streaming`.
+1. Click **Create policy** to create the IAM policy.
+
+### Configure the IAM role
+
+Before you create a new IAM role, get the HashiCorp generated external ID from the HCP Portal.
+
+1. Launch the [HCP Portal](https://portal.cloud.hashicorp.com/).
+1. Navigate to Boundary, and select your cluster.
+1. Select **Audit logs**.
+  ![Enable audit log streaming](/img/docs/boundary/enable-logs.png)
+1. Click **Enable log streaming**.
+1. Select **AWS CloudWatch**.
+1. Copy the **External ID** value.
+  ![HCP Portal - audit log streaming page](/img/docs/boundary/ui-audit-log-streaming.png)
+  You will need this value during the IAM role creation.
+
+Next, create the IAM role using AWS Management Console or HashiCorp Terraform.
+
+<Tabs>
+<Tab heading="AWS Management Console">
+
+1. Launch **AWS Management Console** and navigate to **IAM > Roles**, and click **Create role**.
+1. For **Trusted entity type**, select **AWS account**.
+1. For **An AWS account**, select **Another AWS account**.
+1. Enter **711430482607** in the **Account ID** field.
+1. Under **Options**, select **Require external ID**.
+1. Enter the **External ID** value you copied from the [HCP portal](https://portal.cloud.hashicorp.com/).
+1. Click **Next**.
+1. Select the policy you created earlier, and click **Next** to attach the policy to the role.
+1. Click **Create role** to complete.
+
+
+</Tab>
+<Tab heading="Terraform">
+
+Use the following Terraform configuration to create the IAM role necessary to enable audit log streaming.
+
+```hcl
+data "aws_iam_policy_document" "allow_hcp_to_stream_logs" {
+ statement {
+   effect = "Allow"
+   actions = [
+     "logs:PutLogEvents",       # To write logs to cloudwatch
+     "logs:DescribeLogStreams", # To get the latest sequence token of a log stream
+     "logs:DescribeLogGroups",  # To check if a log group already exists
+     "logs:CreateLogGroup",     # To create a new log group
+     "logs:CreateLogStream"     # To create a new log stream
+   ]
+   resources = [
+     "*"
+   ]
+ }
+}
+
+data "aws_iam_policy_document" "trust_policy" {
+ statement {
+   sid     = "HCPLogStreaming"
+   effect  = "Allow"
+   actions = ["sts:AssumeRole"]
+   principals {
+     identifiers = ["711430482607"]
+     type        = "AWS"
+   }
+   condition {
+     test     = "StringEquals"
+     variable = "sts:ExternalId"
+     values = [
+       "<ExternalID-generated-by-Hashicorp>"
+     ]
+   }
+ }
+}
+
+resource "aws_iam_role" "role" {
+ name               = "hcp-log-streaming"
+ description        = "iam role that allows hcp to send logs to cloudwatch logs"
+ assume_role_policy = data.aws_iam_policy_document.trust_policy.json
+ inline_policy {
+   name   = "inline-policy"
+   policy = data.aws_iam_policy_document.allow_hcp_to_stream_logs.json
+ }
+}
+```
+
+</Tab>
+</Tabs>
+
+Once you have created the IAM role, you can configure the audit log streaming in HCP Boundary.
+
+1. Launch the [HCP Portal](https://portal.cloud.hashicorp.com/).
+1. From the HCP Boundary **Overview** page, select the **Audit logs** view.
+1. Click **Enable log streaming**.
+1. Select **AWS CloudWatch**.
+  ![AWS audit log configuration](/img/docs/boundary/aws-enable-logs.png)
+1. Under the **CloudWatch configuration** section, enter your **Destination name**, and **Role ARN**.
+1. Select the **Region** that matches where you want your data stored.
+1. Click **Save**.
+
+Logs should arrive within your AWS CloudWatch environment in a few minutes after Boundary usage.
+
+HashiCorp dynamically creates the log group and log streams for you. You can find the log group in your AWS CloudWatch with the prefix `/hashicorp` after setting up your configuration. The log group lets you filter the HashiCorp generated logs separately from other logs you may have in CloudWatch.
+
+Refer to the [AWS documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) for details on log exploration.
+
+## Configure streaming with Datadog
+
+To configure audit log streaming with Datadog, you will need the following:
+
+- The region your Datadog account is in
+- Your Datadog [API key](https://docs.datadoghq.com/account_management/api-app-keys/)
+
+Complete the following steps:
+
+1. Launch the [HCP Portal](https://portal.cloud.hashicorp.com/).
+1. Navigate to Boundary, and select your cluster.
+1. Select **Audit logs**.
+  ![Enable audit log streaming](/img/docs/boundary/enable-logs.png)
+1. Click **Enable log streaming**.
+1. Select **Datadog**.
+  ![Datadog audit log configuration](/img/docs/boundary/datadog-enable-logs.png)
+1. Under the **Datadog configuration**, enter your **Destination name** and **API Key**.
+1. Select the **Datadog site region** that matches your existing Datadog environment.
+1. Click **Save**
+
+Logs should arrive within your Datadog environment in a few minutes after using Boundary.
+Refer to the [Datadog documentation](https://docs.datadoghq.com/getting_started/logs/#explore-your-logs) for details on log exploration.
+
+## Test your streaming configuration
+
+During the streaming configuration setup, you can test that the streaming configuration is working within HCP. Testing the configuration can be helpful when you want to verify you entered the correct credentials and other parameters on the configuration page. To test the configuration, enter the parameters for the logging provider you want to test, then click **Test connection**.
+
+  ![Test Connection button](/img/docs/boundary/test-connection.png)
+
+HCP sends a test message to the logging provider and shares the status of success or failure on the **Enable log streaming** page.
+
+You can also test the configuration when you update a streaming configuration that you have already configured.
+
+## Update your streaming configuration
+
+You can update the configuration of the existing audit log streaming. For example, you may need to rotate a secret used for your logging provider, or you may need to switch from one logging provider to another.
+
+1. Launch the [HCP Portal](https://portal.cloud.hashicorp.com/).
+1. Navigate to Boundary, and select your cluster.
+1. Select **Audit logs**.
+1. Select **Edit streaming configuration** under the **Manage** menu.
+  ![Update Connection menu](/img/docs/boundary/update-connection.png)
+
+  You can:
+    - Select a new provider
+    - Enter new parameters for the provider
+    - Test the connection by selecting **Test connection**
+
+1. Click **Save**.
+
+## Retention
+
+HCP Boundary stores the audit logs for a minimum of one year within the platform. HCP began archiving audit logs in October of 2022. The logs are available after the deletion of the cluster that created them. Please submit a request to the [HashiCorp Help Center](https://support.hashicorp.com/hc/en-us/requests/new) if you need access to logs from deleted clusters or have further questions.

content/hcp-docs/content/docs/boundary/configure-ttl.mdx

@@ -0,0 +1,24 @@
+---
+page_title: Configure auth token time to live (TTL)
+description: >-
+  Learn how to configure the time to live (TTL) for the auth token that Boundary controllers issue.
+---
+
+# Configure authentication time to live
+
+You can configure the time-to-live (TTL) and time-to-stale (TTS) settings that control how often Boundary requires a user to authenticate.
+The TTL setting controls the lifespan of an auth token, while the TTS setting controls how long Boundary permits an auth token to be inactive.
+
+Complete the following steps to configure the time-to-live and time-to-stale settings for any auth tokens your HCP controllers issue.
+
+1. Log in to [the HCP Portal](https://portal.cloud.hashicorp.com/), and navigate to the **Overview** page for the Boundary cluster you want to configure.
+1. In the **Controller configuration** section, click **Edit**.
+1. Complete the following fields on the **Auth Token TTL** tab:
+   - **Time to Live**: Enter the number of hours you want to let auth tokens be valid before requiring a user to authenticate again.
+   Click **Set to default** to set the time-to-live setting to the default value.
+   - **Time to Stale**: Enter the number of hours you want to let auth tokens be inactive before requiring a user to authenticate again.
+   Click **Set to default** to set the time-to-stale setting to the default value.
+1. Click **Save**.
+
+The updated settings apply to any new sessions you create.
+You can view the updated settings on the cluster **Overview** page in the **Controller configuration** section.

content/hcp-docs/content/docs/boundary/how-boundary-works.mdx

@@ -0,0 +1,50 @@
+---
+page_title: How HCP Boundary Works
+description: |-
+  Describe the access model and deployment options of HCP Boundary.
+---
+
+# How HCP Boundary works
+
+HCP Boundary is an intelligent proxy that automates user and host onboarding, and provisions access permissions. Boundary creates a workflow for
+accessing infrastructure remotely with a number of key steps:
+
+- **User authentication:** Integrates with trusted identity platforms (such as Azure Active Directory, Okta, Ping,
+[and many others that support OpenID Connect](/boundary/tutorials/access-management/oidc-auth)).
+- **Granular user authorization:** Allows operators to tightly control access to remote systems, and the actions against those systems.
+- **Automated connections to hosts:** As you deploy or update workloads, HCP Boundary updates connections to targets and hosts using automated service discovery. Dynamic host catalogs are available with [AWS](/boundary/docs/concepts/host-discovery/aws), [Azure](/boundary/docs/concepts/host-discovery/azure), and [GCP](/boundary/docs/concepts/host-discovery/gcp). This is critical in ephemeral, cloud-based environments so that operators don't need to reconfigure access lists.
+- **Integrated credential management:** HCP Boundary brokers access to target credentials natively or via integration with
+[HashiCorp Vault](/boundary/tutorials/access-management/oss-vault-cred-brokering-quickstart).
+- **Time-limited network access to targets:** Boundary provides time-limited proxies to private endpoints, avoiding the need to expose your network to users.
+- **Session monitoring and management:** Provides visibility into the sessions Boundary creates.
+
+
+## Access model
+
+HCP Boundary provides a solution to protect and safeguard access to applications and critical systems by leveraging trusted identities, without exposing the underlying network. HCP Boundary is an identity-aware proxy that sits between users and the infrastructure they wish to connect.
+
+The proxy has two components:
+
+- **Controllers:** manage state for users, hosts, and access policies, and the external providers HCP Boundary can query for service discovery.
+- **Workers:** are a stateless proxy with end-network access to hosts under management. The control plane assigns each worker node to a target system once an authenticated user selects the target to connect.
+
+The session starts for the user as a TCP tunnel wrapped in mutual TLS. This mitigates the risk of a man-in-the-middle attack. If a user is connecting to a
+host over SSH through an HCP Boundary tunnel, there are two layers of encryption: the SSH session that user creates, and the underlying TLS that HCP Boundary creates.
+
+![Diagram of user requests flow through the worker node before HCP Boundary connects the user to the target system.](/img/docs/boundary/access-model.png)
+
+
+## Deployment options
+
+HCP Boundary is fully managed by HashiCorp, but organizations can choose to self-manage Boundary workers (Boundary's gateway nodes). Self-managed workers enable
+organizations to proxy all session data through their own networks, while still providing the convenience of a managed service. In the standard fully-managed
+deployment model, HashiCorp manages the control plane and worker nodes, making it easy to get started with Boundary while facilitating scaling over time.
+
+###  Self-managed workers
+
+Self-managed workers allow Boundary users to securely connect to private endpoints without exposing an organization's networks to the public, or to HashiCorp-managed
+resources. The organization's worker nodes proxy all session activities. To learn more about self-managed workers see the
+self-managed workers [tutorial](/boundary/tutorials/hcp-administration/hcp-manage-workers) and
+[operations document](/hcp/docs/boundary/self-managed-workers).
+
+![Diagram of user requests flow through the self-managed worker before connecting to the target system.](/img/docs/boundary/self-managed-workers.png)