Merge branch 'main' into biazmoreira/VAULT-38804

Author: biazmoreira

CODEOWNERS

@@ -2,6 +2,7 @@
 * @hashicorp/web-devdot
 
 # Content CODEOWNERS
+/docs @hashicorp/vault-education-approvers @hashicorp/education
 
 # Terraform documentation ownership
 /content/terraform-plugin-framework @hashicorp/terraform-devex @hashicorp/terraform-education
@@ -20,7 +21,7 @@
 /content/terraform/*/docs/language/backend/s3.mdx  @hashicorp/terraform-education @hashicorp/terraform-core @hashicorp/team-docs-packer-and-terraform @hashicorp/terraform-aws
 
 /content/terraform-docs-common/ @hashicorp/team-docs-packer-and-terraform
-/content/terraform-docs-common/docs/plugin/ @hashicorp/terraform-devex 
+/content/terraform-docs-common/docs/plugin/ @hashicorp/terraform-devex
 /content/terraform-docs-common/data/plugin-nav-data.json @hashicorp/terraform-devex
 
 /content/terraform-enterprise @hashicorp/team-docs-packer-and-terraform @hashicorp/ptfe-review

content/terraform-docs-common/docs/cloud-docs/run/run-environment.mdx

@@ -124,6 +124,7 @@ HCP Terraform automatically injects the following environment variables for each
 | `TFC_CONFIGURATION_VERSION_GIT_COMMIT_SHA` | The full commit hash of the commit that the associated Terraform configuration version was ingressed from.                           | `abcd1234...`                   |
 | `TFC_CONFIGURATION_VERSION_GIT_TAG`        | The name of the tag that the associated Terraform configuration version was ingressed from.                                          | `v0.1.0`                        |
 | `TFC_PROJECT_NAME`                         | The name of the project used in this run.                                                                                            | `proj-name`                     |
+| `TFC_PROJECT_ID`.                          | The id of the project used in this run.                                                                                              | `proj-91XJpbLvbdohC6RD`         |
 
 They are also available as Terraform input variables by defining a variable with the same name. For example:
 

content/vault/global/partials/important-changes/summary-tables/1_19.mdx

@@ -39,3 +39,4 @@ Found  | Fixed  | Workaround | Edition    | Issue
 1.19.0 | 1.19.4 | **Yes**    | Enterprise | [External Enterprise plugins cannot run on a standby node when it becomes active](/vault/docs/v1.19.x/updates/important-changes#external-ent-plugins)
 1.19.0 | 1.19.1 | Upgrade    | All        | [Vault log file missing subsystem logs](/vault/docs/v1.19.x/updates/important-changes#missing-logs)
 1.19.1 | 1.19.4 | **Yes**    | All        | [Azure authN fails to authenticate Uniform VMSS instances](/vault/docs/v1.19.x/updates/important-changes#azure-vmss)
+1.18.4 | No     | **Yes**    | All        | [Failing credential refresh for Snowflake DB secrets engine key pair authentication](/vault/docs/v1.19.x/updates/important-changes#snowflake-keypair-refresh)

content/vault/global/partials/important-changes/summary-tables/1_20.mdx

@@ -25,5 +25,5 @@ Found  | Fixed  | Workaround | Edition    | Issue
 1.20.0 | 1.20.1 | **Yes**    | Enterprise | [Secondary cluster reload overwrites development cluster setting](/vault/docs/v1.20.x/updates/important-changes#development-cluster-reload)
 1.20.0 | 1.20.1 | **Yes**    | All        | [UI login fails for auth mounts with underscores and unauthenticated listing](/vault/docs/v1.20.x/updates/important-changes#ui-login-underscore)
 1.20.0 | 1.20.1 | **Yes**    | All        | [GUI navigation error for KV v2 secret paths containing underscores](/vault/docs/v1.20.x/updates/important-changes#ui-kvv2-underscore-secrets)
-1.20.0 | 1.20.1 | **Yes**    | All        | [Failing credential refresh for Snowflake DB secrets engine key pair authentication](/vault/docs/v1.20.x/updates/important-changes#snowflake-keypair-refresh)
+1.18.4 | No     | **Yes**    | All        | [Failing credential refresh for Snowflake DB secrets engine key pair authentication](/vault/docs/v1.20.x/updates/important-changes#snowflake-keypair-refresh)
 1.20.0 | 1.20.1 | **Yes**    | All        | [Duplicate LDAP password rotations on standby node check-in](/vault/docs/v1.20.x/updates/important-changes#ldap-checkin)

content/vault/v1.19.x/content/docs/updates/important-changes.mdx

@@ -473,3 +473,15 @@ to the billing start date for the cluster.
 To avoid issues and unexpected behavior with Vault Community, always provide a
 valid `start_time` value when calling `/sys/internal/counters/activity` or
 upgrade to v1.20.x.
+
+### Failing credential refresh for Snowflake DB secrets engine key pair authentication ((#snowflake-keypair-refresh))
+
+| Change      | Affected version                       | Fixed version
+| ----------- | -------------------------------------- | --------------------
+| Known issue | 1.20.x, 1.19.x, 1.18.x+ent, 1.17.x+ent, 1.16.x+ent | None
+
+Users using keypair or username and password authentication with Snowflake databases may receive errors
+due to improper credential refreshes and stale connections in the connection pool.
+When two or more concurrent operations occur, Vault tries to reuse an idle
+connection from the pool and the request fails due to session timeout in the
+Snowflake database.

content/vault/v1.20.x/content/docs/about-vault/how-vault-works.mdx

@@ -7,7 +7,6 @@ description: >-
 
 # How Vault works
 
-
 Vault is an identity-based secrets and encryption management system
 that centralizes secret management, rotates old credentials, generates
 credentials on demand, audits client interactions, and supports regulatory
@@ -35,7 +34,12 @@ them access to secrets or stored sensitive data.
 
 ## Core Vault workflow
 
-Vault works primarily with tokens and a token is associated to the client's policy. Each policy is path-based and policy rules constrains the actions and accessibility to the paths for each client. With Vault, you can create tokens manually and assign them to your clients, or the clients can log in and obtain a token. The illustration below displays Vault's core workflow.
+Vault works primarily with tokens associated to a client policy. The path-based
+policy defines rules that constrain the actions and accessibility of the
+associated paths for each client.
+
+Clients can authenticate against Vault to log in and obtain a token automatically
+or you can create tokens manually and explicitly assign them to your clients.
 
 ![Vault Workflow](/img/vault-workflow-diagram1.png)
 

content/vault/v1.20.x/content/docs/audit/best-practices.mdx

@@ -0,0 +1,104 @@
+---
+layout: docs
+page_title: Audit logging best practices
+description: Recommendations for setting up audit logging in HashiCorp Vault.
+---
+
+# Best practices for audit logging
+
+The following recommendations apply generally to most Vault deployments. You should always independently evaluate whether a given recommendation makes sense in the context of your deployment and use of Vault.
+
+## Test configuration changes
+
+Always test your audit logging changes in a non-production environment that closely mirrors your production environment. Your test environment should include performance benchmarking under production-like loads and match in all aspects relevant to the audit logging configuration you want to test.
+
+## Enable audit devices at cluster initialization
+
+Enable at least one audit device immediately after you initialize a new Vault cluster, and ensure that the configuration of your audit device is [valid for all Vault cluster nodes](/vault/docs/audit#enabling-and-disabling-audit-devices).
+
+Audit logging is disabled by default on new Vault clusters. By enabling at least one audit device post-initialization, you ensure that Vault will audit all subsequent API requests, including those for initial cluster configuration and root token revocation.
+
+## Enable at least two audit devices
+
+Enable at least two audit devices, of different types, on each Vault cluster. Configure *at least one* of those devices to forward logs to a remote system for analysis and long-term storage.
+
+Vault does not respond to client requests it cannot log. Enabling at least two audit devices reduces the risk of Vault not responding to client requests when the only audit device becomes partially or fully unavailable.
+
+<Warning>
+
+  Vault sends each audit log entry to all enabled devices, and guarantees that it writes the audit log entry successfully to at least one audit device. To ensure that you have a complete record of all API requests and responses, you **must** analyze audit log entries across all configured devices. You may deduplicate audit log entries based on the value of `.request.id`.
+
+</Warning>
+
+<Tabs>
+
+<Tab heading="File devices">
+
+If you enable a `file` audit device, use a dedicated volume or partition for Vault's audit logs to protect against other workloads on the system taking up the disk space intended for your log files.
+
+Additionally, establish a log rotation process that is appropriate for your organization, deployment, and policies, using a purpose-built system like *logrotate*. Configure your log rotation system to send Vault an `HUP` signal, which causes Vault to start writing audit log entries to the new log file.
+
+<Tip title="Logging with Kubernetes">
+
+  When running Vault on a Kubernetes cluster, a common approach is to configure a `file` audit device with `file_path` set to `stdout`. Vault will write audit logs to the standard output for the container, which lets you process the logs with a Kubernetes cluster-level log collector.
+  
+  If you choose this approach, we suggest configuring the audit device with a `prefix`, so your log collector can separate audit logs from server logs.
+
+</Tip>
+
+</Tab>
+
+<Tab heading="Syslog devices">
+
+To configure a `syslog` audit device, you must deploy Vault on Unix, and you must use the default syslog service running on the same host as the Vault server. If you enable a `syslog` audit device, use a TCP listener so that Vault can record large audit log entries that may exceed the size limit of UDP listeners.
+
+</Tab>
+
+<Tab heading="Socket devices">
+
+If you configure a `socket` audit device, configure a local service to bind a Unix socket.
+
+Socket devices using TCP and UDP listeners can result in lost audit log data if the TCP connection is interrupted or the receiving UDP endpoint becomes unavailable. Using a local socket helps protect against data loss.
+
+</Tab>
+
+</Tabs>
+
+## Configure audit devices
+
+Review the configuration options that are specific to the type of audit device, as well as those [common](/vault/api-docs/system/audit#parameters) to all audit device types, and ensure that you configure all audit devices in a way that is appropriate for your organization and deployment.
+
+In general, we recommend the following options for all audit devices:
+
+- Set `elide_list_responses = true` to reduce the volume of log data produced by API list requests (see [Eliding list response bodies](/vault/docs/audit#eliding-list-response-bodies)).  
+- Set `hmac_accessor = false`. A token accessor is generally not considered sensitive information: it does not grant any access to Vault, but rather serves as a unique identifier for a single Vault token. A token accessor enables you to [revoke](/vault/docs/commands/token/revoke) its corresponding Vault token, even when you do not know the token itself. By disabling token accessor hashing, if you identify unusual access patterns in your audit logs, you can quickly revoke the corresponding Vault token through its accessor.
+
+## Monitor audit device health
+
+Configure monitoring and alerting on the health of your audit devices through Vault telemetry and device-specific monitoring (such as available disk space, disk IOPS, and log rotation status for `file` type audit devices).
+
+Vault produces several audit logging [telemetry metrics](/vault/docs/internals/telemetry/metrics/audit). We especially recommend monitoring the following metrics for spikes, which can indicate one or more audit devices failing:
+
+- [`vault.audit.log_request_failure`](/vault/docs/internals/telemetry/metrics/audit#vault-audit-log_request_failure)
+- [`vault.audit.log_response_failure`](/vault/docs/internals/telemetry/metrics/audit#vault-audit-log_response_failure)
+- [`vault.audit.{DEVICE}.log_request`](/vault/docs/internals/telemetry/metrics/audit#vault-audit-device-log_request)
+- [`vault.audit.{DEVICE}.log_response`](/vault/docs/internals/telemetry/metrics/audit#vault-audit-device-log_response)
+
+## Configure attribute hashing
+
+Evaluate which request and response attributes need *not* be [hashed](/vault/docs/audit#hashing-sensitive-values) in the audit logs for each authentication backend and secrets engine mount you configure in Vault. Leave hashing enabled for attributes that are sensitive (e.g., passwords, private keys) or that may be excessively large for your audit log.
+
+You can disable hashing for individual request and response attributes with the `audit_non_hmac_request_keys` and `audit_non_hmac_response_keys` attributes in the following tuning endpoints:
+
+- [`/sys/auth/{path}/tune`](/vault/api-docs/system/auth#tune-auth-method)
+- [`/sys/mounts/{path}/tune`](/vault/api-docs/system/mounts#tune-mount-configuration)
+
+## Monitor suspicious activity
+
+Configure monitoring and alerting for unusual or suspicious activity in your audit logs. Examples of events to monitor include:
+
+- Root token creation
+- Root token usage
+- Modifications to audit logging configuration
+- Spikes in authentication failures
+- Spikes in permission denied failures