Merge pull request #607 from hashicorp/repo-sync

Repo sync

Author: williamdalessandro

.github/workflows/label-content-prs.yml

@@ -5,7 +5,9 @@
 
 name: 🏷️ Label content PRs
 
-on: [pull_request_target]
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
 
 jobs:
 

CODEOWNERS

@@ -27,29 +27,27 @@
 
 /content/terraform-enterprise @hashicorp/team-docs-packer-and-terraform @hashicorp/ptfe-review
 
-
 # Vault documentation ownership
-
 /content/vault/                                    @hashicorp/vault-education-approvers
 
 # Sentinel documentation ownership
 /content/sentinel/ @hashicorp/team-docs-packer-and-terraform @hashicorp/tf-compliance
 
 # Well-architected framework
-
 /content/well-architected-framework/ @hashicorp/well-architected-education-approvers
 
-
 # HCP-docs documentation ownership
+/content/hcp-docs/* @hashicorp/education
+
 # HCP Consul Docs
 /content/hcp-docs/content/docs/consul/* @hashicorp/consul-docs
 
-# HCP Vault & HCP Vault Secrets docs
-/content/hcp-docs/content/docs/vault/*          @hashicorp/vault-education-approvers
-/content/hcp-docs/content/docs/vault-secrets/*  @hashicorp/vault-education-approvers
+# HCP Vault & HCP Vault Radar docs
+/content/hcp-docs/content/docs/vault* @hashicorp/vault-education-approvers
+/content/hcp-docs/content/partials/vault* @hashicorp/vault-education-approvers
 
 # HCP Boundary docs
-/content/hcp-docs/content/docs/boundary/*       @hashicorp/boundary-education-approvers
+/content/hcp-docs/content/docs/boundary/* @hashicorp/boundary-education-approvers
 
 #HCP IAM
 /content/hcp-docs/content/partials/hcp-administration/* @hashicorp/cloud-access-control @hashicorp/cloud-identity

content/hcp-docs/content/docs/vault-radar/agent/correlate-aws-secrets-manager.mdx

@@ -0,0 +1,120 @@
+---
+page_title: Correlate findings with AWS Secrets Manager
+description: >-
+  Correlate findings from HCP Vault Radar with secrets stored in AWS Secrets Manager.
+---
+
+# Correlate findings with AWS Secrets Manager
+
+When HCP Vault Radar connects to AWS Secrets Manager, Vault Radar can correlate
+findings with secrets stored in AWS Secrets Manager. This allows you to identify
+what secrets you need to rotate.
+
+## Connect AWS Secrets Manager
+
+Before you can correlate findings with AWS Secrets Manager, you need to [deploy
+the Radar agent](/hcp/docs/vault-radar/agent/deploy). Once you deploy the agent,
+you can configure and connect AWS Secrets Manager to the agent.
+
+## Prerequisites
+
+You need one of the following AWS authentication methods:
+
+- IAM role authentication with an EC2 instance or configured IAM role
+- Environment variables authentication with AWS Access Key ID and Secret Access Key
+
+Both authentication methods support an optional assume role ARN for
+cross-account access or elevated permissions. For more information about
+assuming roles, refer to the [AWS STS AssumeRole
+documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html).
+
+### Required permissions
+
+The IAM user, role, or assumed role must have the following permissions:
+
+| Service | Permission | Documentation |
+|---------|------------|---------------|
+| Secrets Manager | `secretsmanager:ListSecrets` | [ListSecrets API](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_ListSecrets.html) |
+| Secrets Manager | `secretsmanager:DescribeSecret` | [DescribeSecret API](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DescribeSecret.html) |
+| Secrets Manager | `secretsmanager:GetSecretValue` | [GetSecretValue API](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html) |
+| Secrets Manager | `secretsmanager:ListSecretVersionIds` | [ListSecretVersionIds API](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_ListSecretVersionIds.html) |
+| EC2 | `ec2:DescribeRegions` | [DescribeRegions API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeRegions.html) |
+| STS | `sts:GetCallerIdentity` | [GetCallerIdentity API](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html) |
+
+**Example AWS IAM policy:**
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:ListSecrets",
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:GetSecretValue",
+        "secretsmanager:ListSecretVersionIds"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:DescribeRegions"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "sts:GetCallerIdentity"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+```
+
+## Agent configuration with AWS Secrets Manager
+
+Set up and manage AWS Secrets Manager from the Vault Radar module in the [HCP
+Portal](https://portal.cloud.hashicorp.com/). 
+
+1. Click **Settings**.
+
+1. Click **Secret Managers**.
+
+1. Click **Connect new secret manager**.
+
+1. Select **AWS Secrets Manager** and click **Next**.
+
+1. Select an AWS authentication method from the **Authentication method** pulldown menu.
+
+1. Enter the details for the selected method and click **Next** to validate the connection.
+
+   <Tabs>
+   <Tab heading="IAM Role">
+   
+   - Select **IAM Role** if you want to use instance profile or role-based authentication.
+   
+   ![IAM Role](/img/docs/vault-radar/indexing/aws-secrets-manager/iam-role.png)
+   
+   - (Optional) Enter an assume role ARN in the **Assume Role ARN** text field if you need to assume a different role for access.
+   
+   </Tab>
+   <Tab heading="Environment Variables">
+   
+   - Select **AWS Credentials from environment variables** if you want to use access keys.
+   
+   ![Environment Variables](/img/docs/vault-radar/indexing/aws-secrets-manager/environment-variables.png)
+   
+   - Enter your AWS Access Key ID location in the **AWS Access Key ID Env variable** text field (default: `env://AWS_ACCESS_ID_LOCATION`).
+   
+   - Enter your AWS Secret Access Key location in the **AWS Secret Access Key Env variable** text field (default: `env://AWS_SECRET_KEY_LOCATION`).
+   
+   - (Optional) Enter an assume role ARN in the **Assume Role ARN** text field if you need to assume a different role for access.
+   
+   </Tab>
+   </Tabs>
+
+Vault Radar fetches all active regions for the account and automatically starts index scan for each region.

content/hcp-docs/content/docs/vault-radar/agent/correlate-vault.mdx

@@ -13,15 +13,26 @@ Vault Dedicated or Vault Enterprise clusters.
 
 </Highlight>
 
-When the HCP Vault Radar agent connects to a HCP Vault Dedicated or Vault Enterprise cluster, 
+When the Vault Radar agent connects to a Vault Dedicated or Vault Enterprise cluster, 
 Vault Radar can correlate findings with secrets stored in Vault. This allows you to identify 
 what secrets you need to rotate.
 
 ## Connect a Vault cluster
 
 Before you can correlate findings with Vault, you need to [deploy the Radar
 agent](/hcp/docs/vault-radar/agent/deploy). Once you deploy the agent, you can
-configured and connect Vault to the agent.
+configure and connect Vault to the agent.
+
+## Prerequisites
+
+You need one of the following Vault authentication methods:
+
+- Kubernetes
+- AppRole
+- Token
+
+The authentication methods require a policy that allows the Vault Radar agent to
+read all KV secrets from Vault.
 
 ### Create a Vault policy
 

content/hcp-docs/data/docs-nav-data.json

@@ -762,10 +762,6 @@
         "title": "Secrets inventory reporting<sup>Beta</sup>",
         "path": "vault/secrets-inventory"
       },
-      {
-        "title": "HCP Vault API",
-        "href": "/hcp/api-docs/vault"
-      },
       {
         "title": "Additional resources",
         "routes": [
@@ -935,6 +931,10 @@
           {
             "title": "Integrate Vault Enterprise",
             "path": "vault-radar/agent/correlate-vault"
+          },
+          {
+            "title": "Integrate AWS Secrets Manager",
+            "path": "vault-radar/agent/correlate-aws-secrets-manager"
           }
         ]
       },

content/hcp-docs/img/docs/vault-radar/indexing/aws-secrets-manager/environment-variables.png

@@ -86,6 +86,12 @@ The workspace begins using the agent for Terraform runs. Runs involving an agent
 
 ## Configure Stacks to use the agent
 
+<Note>
+
+Your agents must use v1.25.0 or above to execute Stack deployment runs. To learn more about agent versioning, refer to [Updates](/terraform/cloud-docs/agents/agents#updates).
+
+</Note>
+
 Use the following steps to configure a Stack to use an agent pool.
 
 ### Step 1: Manage existing runs

content/hcp-docs/img/docs/vault-radar/indexing/aws-secrets-manager/iam-role.png

@@ -88,6 +88,12 @@ The workspace begins using the agent for Terraform runs. Runs involving an agent
 
 ## Configure Stacks to use the agent
 
+<Note>
+
+Your agents must use v1.25.0 or above to execute Stack deployment runs. To learn more about agent versioning, refer to [Updates](/terraform/cloud-docs/agents/agents#updates).
+
+</Note>
+
 Use the following steps to configure a Stack to use an agent pool.
 
 ### Step 1: Manage existing runs

content/terraform-docs-agents/v1.24.x/docs/cloud-docs/agents/agent-pools.mdx

@@ -49,7 +49,7 @@ Some of the information returned in a state version API object might be **popula
 | `billable-rum-count`             | Count of billable Resources Under Management (RUM). Only present for organization members on HCP Terraform RUM plans with visibility of billable RUM usage.                                                                                               |
 | `hosted-json-state-download-url` | A URL from which you can download the state data in a [stable format](/terraform/internals/json-format) appropriate for external integrations to consume. Only available if the state was created by Terraform 1.3+.                                                         |
 | `hosted-state-download-url`      | A URL from which you can download the raw state data, in the format used internally by Terraform.                                                                                                                                                                            |
-| `sanitized-state-download-url`   | A URL to which you can download state data with sensitive values redacted.                                                                                                                                                                                                   |
+| `sanitized-state-download-url`   | A URL to which you can download state data with sensitive values redacted. This URL is only available for workspaces using [hold your own key](/terraform/cloud-docs/hold-your-own-key) encryption.                                                                                                                                                                                                  |
 | `hosted-json-state-upload-url`   | A URL to which you can upload state data in a [stable format](/terraform/internals/json-format) appropriate for external integrations to consume. You can upload JSON state content once per state version.                                                                  |
 | `hosted-state-upload-url`        | A URL to which you can upload state data in the format used Terraform uses internally. You can upload state data once per state version.                                                                                                                                     |
 | `hyok-encrypted-data-key`        | A reference to the HYOK encrypted data key used to secure this state version. Hold your own key is only available in HCP Terraform, [learn more](/terraform/cloud-docs/hold-your-own-key).                                                                                                                                                                                                   |