Docs: Policy updates - removing 'Teleport Access Graph' (#43929)

* policy updates * policy updates - link issue * policy updates * policy updates * policy updates * policy updates * policy updates - postfeedback * empty commit to retrigger license/cla
gravitational · Jul 11, 2024 · 324f46f · 324f46f
1 parent 0ceb746
commit 324f46f
Show file tree

Hide file tree

Showing 12 changed files with 88 additions and 101 deletions.
diff --git a/docs/pages/access-controls/access-graph/aws-sync.mdx b/docs/pages/access-controls/access-graph/aws-sync.mdx
@@ -14,20 +14,18 @@ enhancing the permission model within your AWS environment. This functionality e
 - Which resources can be reached via identities associated with EC2 instances?
 - What AWS resources can Teleport users access when connecting to EC2 nodes?
 
-Utilizing the Access Graph to analyze IAM permissions within an AWS
-account necessitates the setup of the Teleport Access Graph (TAG)
+Utilizing the Access Graph to analyze IAM permissions within an AWS account necessitates the setup of the Access Graph (AG)
 service, a Discovery Service, and integration with your AWS account.
 
-Teleport Access Graph is a feature of the [Teleport
-Policy](https://goteleport.com/platform/policy/) product that is only available
-to Teleport Enterprise customers.
+Access Graph is a feature of the [Teleport Policy](https://goteleport.com/platform/policy/) product that is 
+available to Teleport Enterprise customers.
 
 After logging in to the Teleport UI, go to the Management tab. If enabled, 
 Access Graph options can be found under the Permission Management section.
 
 ## How it works
 
-Teleport Access Graph discovers AWS access patterns, synchronizes various AWS resources,
+Access Graph discovers AWS access patterns, synchronizes various AWS resources,
 including IAM Policies, Groups, Users, User Groups, EC2 instances, EKS clusters, and RDS databases. 
 These resources are then visualized using the graph representation detailed in the
 [Access Graph page](../teleport-policy/getting-started-policy.mdx).
@@ -49,14 +47,12 @@ At intervals of 15 minutes, it retrieves the following resources from your AWS a
 - RDS Databases
 - S3 Buckets
 
-Once all the necessary resources are fetched, the Teleport Discovery
-Service pushes them to the Teleport Access Graph (TAG) service, 
-ensuring that the Access Graph remains updated with the latest
-information from your AWS environment.
+Once all the necessary resources are fetched, the Teleport Discovery Service pushes them to the 
+Access Graph, ensuring that it remains updated with the latest information from your AWS environment.
 
 ### Importing resources
 
-Teleport Access Graph delves into the IAM policies, identities,
+Teleport Policy’s Access Graph feature delves into the IAM policies, identities,
 and resources retrieved from your AWS account, crafting a 
 graphical representation thereof.
 
@@ -65,9 +61,9 @@ graphical representation thereof.
 
 - A running Teleport Enterprise cluster v14.3.9/v15.2.0 or later.
 - For self-hosted clusters, an updated `license.pem` with Teleport Policy enabled.
-- For self-hosted clusters, a running Teleport Access Graph node v1.17.0 or later. 
+- For self-hosted clusters, a running Access Graph node v1.17.0 or later. 
 Check [Access Graph page](../teleport-policy/getting-started-policy.mdx) for details on
-how to setup Teleport Access Graph.
+how to set up Access Graph.
 - The node running the Access Graph service must be reachable
 from Teleport Auth Service and Discovery Service. 
 

diff --git a/docs/pages/access-controls/access-graph/self-hosted-helm.mdx b/docs/pages/access-controls/access-graph/self-hosted-helm.mdx
@@ -1,21 +1,19 @@
 ---
-title: Run Teleport Access Graph on Self-Hosted Clusters with Helm
+title: Run Teleport Policy's Access Graph feature on Self-Hosted Clusters with Helm
+description: How to deploy Access Graph on self-hosted clusters using Helm.
 ---
 
-Using Access Graph with a self-hosted Teleport cluster requires
-setting up the Teleport Access Graph (TAG) service.
-TAG is a dedicated service which uses PostgreSQL as its backing storage
-and communicates with Auth Service and Proxy Service
+Using Teleport Policy's Access Graph with a self-hosted Teleport cluster requires
+setting up the Access Graph, a dedicated service which uses PostgreSQL 
+as its backing storage and communicates with Auth Service and Proxy Service
 to collect information about resources and access.
 
-This guide will help you set up the TAG service
-in a Kubernetes cluster using a Helm Chart,
+This guide will help you set up the Access Graph service in a Kubernetes cluster using a Helm Chart,
 and enable the Access Graph feature in your Teleport cluster.
 
-The full listing of supported parameters can be found in the [`teleport-access-graph` Helm chart reference](../../reference/helm-reference/teleport-access-graph.mdx).
+The full listing of supported parameters can be found in the [Helm chart reference](../../reference/helm-reference/teleport-access-graph.mdx).
 
-Teleport Access Graph is a feature of the [Teleport
-Policy](https://goteleport.com/platform/policy/) product that is only available
+Access Graph is a feature of the [Teleport Policy](https://goteleport.com/platform/policy/) product that is only available
 to Teleport Enterprise customers.
 
 ## Prerequisites
@@ -25,27 +23,27 @@ to Teleport Enterprise customers.
 - A running Teleport Enterprise cluster v14.3.6 or later.
   - For the purposes of this guide, we assume that the Teleport cluster is set up
     [using the `teleport-cluster` Helm chart](../../deploy-a-cluster/helm-deployments.mdx)
-    in the same Kubernetes cluster that will be used to deploy Teleport Access Graph.
+    in the same Kubernetes cluster that will be used to deploy Access Graph.
 - An updated `license.pem` with Teleport Policy enabled.
 - A PostgreSQL database server v14 or later.
   - Access Graph needs a dedicated [database](https://www.postgresql.org/docs/current/sql-createdatabase.html) to store its data.
-    The user that TAG connects to the database with needs to be the owner of this database, or have similar broad permissions:
+    The user that Teleport connects to the database with needs to be the owner of this database, or have similar broad permissions:
     at least the `CREATE TABLE` privilege on the `public` schema, and the `CREATE SCHEMA` privilege.
   - Amazon RDS for PostgreSQL is supported.
 - A TLS certificate for the Access Graph service
   - The TLS certificate must be issued for "server authentication" key usage,
-    and must contain an X.509 v3 `subjectAltName` extension with the Kubernetes service name for TAG
+    and must contain an X.509 v3 `subjectAltName` extension with the Kubernetes service name for Access Graph
     (<span style="white-space: nowrap;">`teleport-access-graph.teleport-access-graph.svc.cluster.local`</span> by default).
 
 
 ## Step 1/4. Add the Teleport Helm chart repository
 
 (!docs/pages/includes/kubernetes-access/helm/helm-repo-add.mdx!)
 
-## Step 2/4. Set up the Teleport Access Graph service
+## Step 2/4. Set up Access Graph
 
 You will need a copy of your Teleport cluster's host certificate authority (CA).
-TAG requires incoming connections to be authenticated via host certificates that the host CA issues to the Auth Service and Proxy Service.
+Access Graph requires incoming connections to be authenticated via host certificates that the host CA issues to the Auth Service and Proxy Service.
 
 The host CA can be retrieved in one of the following ways:
 
@@ -74,9 +72,9 @@ MIIDqjCCApKgAwIBAgIQMIK8/WiQ/rUOrjlmB0IHVTANBgkqhkiG9w0BAQsFADBv
 </TabItem>
 </Tabs>
 
-Then, create the namespace and required secrets for the TAG deployment.
+Then, create the namespace and required secrets for the Access Graph deployment.
 You can skip the final command if you are instead using cert-manager to issue the certificate,
-or otherwise have already provisioned the TLS certificate for Teleport Access Graph in your Kubernetes cluster.
+or otherwise have already provisioned the TLS certificate for Access Graph in your Kubernetes cluster.
 
 ```code
 $ kubectl create namespace teleport-access-graph 
@@ -85,10 +83,10 @@ $ kubectl -n teleport-access-graph create secret generic teleport-access-graph-p
 $ kubectl -n teleport-access-graph create secret tls teleport-access-graph-tls --cert=./certs/cert.crt --key=./certs/cert.key
 ```
 
-The above commands assume that you have the TLS certificate and private key for the TAG server stored under the `./certs` directory.
+The above commands assume that you have the TLS certificate and private key for the Access Graph server stored under the `./certs` directory.
 
 <Details title="Generating TLS certificates for development">
-The following script can be used to quickly generate a certificate authority and server TLS certificate for deploying TAG.
+The following script can be used to quickly generate a certificate authority and server TLS certificate for deploying Access Graph.
 
 ```sh
 #!/usr/bin/env bash
@@ -110,13 +108,13 @@ echo "Certificates issued successfully"
 The script will ask to input the same password 4 times:
 twice to create and confirm the password to encrypt the CA private key material with,
 then once to use the private key to self-sign the CA certificate,
-and finally once to use for signing the TAG server certificate.
+and finally once to use for signing the Access Graph server certificate.
 
 Please note that this script is only provided for proof-of-concept deployments,
 and may not follow the best security practices.
 </Details>
 
-After provisioning the secrets, create the following file named `tag-values.yaml` file for the TAG deployment,
+After provisioning the secrets, create the following file named `tag-values.yaml` file for the Access Graph deployment,
 replacing the value under the `clusterHostCAs` key with the Teleport Host CA certificate retrieved previously.
 
 ```yaml
@@ -138,7 +136,7 @@ clusterHostCAs:
     -----END CERTIFICATE-----
 ```
 
-Finally, deploy the TAG service using Helm:
+Finally, deploy the Access Graph service using Helm:
 
 ```code
 $ helm install -n teleport-access-graph -f tag-values.yaml --version (=access_graph.version=) teleport-access-graph teleport/teleport-access-graph
@@ -147,10 +145,10 @@ $ kubectl -n teleport-access-graph rollout status deployment/teleport-access-gra
 
 ## Step 3/4. Update the Teleport Auth Service configuration
 
-To enable connectivity between the Teleport Auth Service and the Teleport Access Graph Service,
+To enable connectivity between the Teleport Auth Service and the Access Graph Service,
 the Auth Service configuration needs to be updated with:
-- The TAG service address
-- The path to the CA which issued the TAG service TLS certificate.
+- The Access Graph service address
+- The path to the CA which issued the Access Graph service TLS certificate.
   - This path must refer to a volume containing the CA, mounted on the Teleport pods.
   - Specifying the CA certificate file can be skipped if you are using a CA that is already trusted by the Teleport cluster
     (e.g. via the [`tls.existingCASecretName` option](../../reference/helm-reference/teleport-cluster.mdx#tlsexistingcasecretname)),
@@ -170,14 +168,14 @@ auth:
   teleportConfig:
     # <...>
 
-    # Add a section for configuring the Teleport Access Graph connection.
+    # Add a section for configuring the Access Graph connection.
     access_graph:
       enabled: true
       endpoint: teleport-access-graph.teleport-access-graph.svc.cluster.local:443
       # Omit the `ca` key if your Teleport cluster already trusts the issuing CA.
       ca: /var/run/access-graph/ca.pem
 
-# Provide the TAG CA to the Teleport Auth Service as a volume.
+# Provide the Access Graph CA to the Teleport Auth Service as a volume.
 # Omit all of the below if your Teleport cluster already trusts the issuing CA.
 extraVolumes:
   - name: tag-ca

diff --git a/docs/pages/access-controls/access-graph/self-hosted.mdx b/docs/pages/access-controls/access-graph/self-hosted.mdx
@@ -1,20 +1,13 @@
 ---
-title: Run Teleport Access Graph on Self-Hosted Clusters
-description: Describes how to deploy Teleport Access Graph on self-hosted clusters.
+title: Run Teleport Policy on Self-Hosted Clusters
+description: Describes how to deploy Access Graph on self-hosted clusters.
 ---
 
-Using Access Graph with a self-hosted Teleport cluster requires
-setting up the Teleport Access Graph (TAG) service.
-TAG is a dedicated service which uses PostgreSQL as its backing storage
-and communicates with Auth Service and Proxy Service
-to collect information about resources and access.
+Teleport Policy's Access Graph with a self-hosted Teleport cluster requires setting up 
+Access Graph, a dedicated service which uses PostgreSQL as its backing storage and communicates 
+with Auth Service and Proxy Service to collect information about resources and access.
 
-This guide will help you set up the TAG service
-and enable the Access Graph feature in your Teleport cluster.
-
-Teleport Access Graph is a feature of the [Teleport
-Policy](https://goteleport.com/platform/policy/) product that is only available
-to Teleport Enterprise customers.
+This guide will help you set up the service and enable Access Graph in your Teleport cluster.
 
 ## Prerequisites
 
@@ -23,12 +16,12 @@ to Teleport Enterprise customers.
 - Docker version v(=docker.version=) or later.
 - A PostgreSQL database server v14 or later.
   - Access Graph needs a dedicated [database](https://www.postgresql.org/docs/current/sql-createdatabase.html) to store its data.
-    The user that TAG connects to the database with needs to be the owner of this database, or have similar broad permissions:
+    The user that Access Graph connects to the database with needs to be the owner of this database, or have similar broad permissions:
     at least the `CREATE TABLE` privilege on the `public` schema, and the `CREATE SCHEMA` privilege.
   - Amazon RDS for PostgreSQL is supported.
 - A TLS certificate for the Access Graph service
   - The TLS certificate must be issued for "server authentication" key usage,
-    and must list the IP or DNS name of the TAG service in an X.509 v3 `subjectAltName` extension.
+    and must list the IP or DNS name of the Access Graph service in an X.509 v3 `subjectAltName` extension.
   - Starting from version 1.20.4 of the Access Graph service, the container runs as a non-root user by default.
     Make sure the certificate files are readable by the user running the container. You can set correct permissions with the following command:
     ```code
@@ -38,14 +31,14 @@ to Teleport Enterprise customers.
 
 <Notice type="warning">
     The deployment with Docker is suitable for testing and development purposes. For production deployments,
-    consider using the Teleport Access Graph Helm chart to deploy this service on Kubernetes.
+    consider using the Access Graph Helm chart to deploy this service on Kubernetes.
     Refer to [Helm chart for Access Graph](self-hosted-helm.mdx) for instructions.
 </Notice>
 
-## Step 1/3. Set up the Teleport Access Graph service
+## Step 1/3. Set up Access Graph
 
 You will need a copy of your Teleport cluster's host certificate authority (CA) on the machine that hosts the Access Graph service.
-TAG requires incoming connections to be authenticated via host certificates that the host CA issues to the Auth Service and Proxy Service.
+The service requires incoming connections to be authenticated via host certificates that the host CA issues to the Auth Service and Proxy Service.
 
 The host CA can be retrieved and saved into a file in one of the following ways:
 
@@ -68,7 +61,7 @@ $ tctl get cert_authorities --format=json \
 </TabItem>
 </Tabs>
 
-Then, on the same machine, create a configuration file for the TAG service, similar to this:
+Then, on the same machine, create a configuration file for the Access Graph service, similar to this:
 
 ```yaml
 backend:
@@ -83,22 +76,22 @@ backend:
     # iam:
     #   aws_region: us-west-2
 
-# IP address (optional) and port for the TAG service to listen to.
+# IP address (optional) and port for the Access Graph service to listen to.
 # This is the default value. This key can be omitted to listen on port 50051 on all interfaces.
 address: ":50051"
 
 tls:
-  # File paths of PEM-encoded TLS certificate and private key for the TAG server.
+  # File paths of PEM-encoded TLS certificate and private key for the Access Graph server.
   cert: /etc/access_graph/tls.crt
   key: /etc/access_graph/tls.key
 
-# This lists the file paths for host CAs of Teleport clusters that are allowed to register with this TAG service.
-# Several paths can be included to allow several Teleport clusters to connect to the TAG service.
+# This lists the file paths for host CAs of Teleport clusters that are allowed to register with this Access Graph service.
+# Several paths can be included to allow several Teleport clusters to connect to the Access Graph service.
 registration_cas:
   - /etc/access_graph/teleport_host_ca.pem # A full path to the file containing the Teleport cluster's host CA certificate.
 ```
 
-Finally, start the TAG service using Docker as follows:
+Finally, start the Access Graph service using Docker as follows:
 
 ```console
 $ docker run -p 50051:50051 -v <path-to-config>:/app/config.yaml -v /etc/access_graph:/etc/access_graph public.ecr.aws/gravitational/access-graph:(=access_graph.version=)
@@ -111,9 +104,9 @@ In the YAML config for the Auth Service, add a new top-level section for Access
 ```yaml
 access_graph:
   enabled: true
-  # host:port where the TAG service is listening
+  # host:port where the Access Graph service is listening
   endpoint: access-graph.example.com:50051
-  # Specify a trusted CA we expect the TAG server certificate to be signed by.
+  # Specify a trusted CA we expect the Access Graph server certificate to be signed by.
   # If not specified, the system trust store will be used.
   ca: /etc/access_graph_ca.pem
 ```

diff --git a/docs/pages/access-controls/teleport-policy/getting-started-policy.mdx b/docs/pages/access-controls/teleport-policy/getting-started-policy.mdx
@@ -3,8 +3,8 @@ title: Teleport Policy
 description: A reference for Access Graph with Teleport Policy.
 ---
 
-Teleport Policy streamlines and centralizes access management across your entire infrastructure. Access Graph provides a 
-visual representation of the relationships between users, roles, and resources in your organization. 
+Teleport Policy unifies management of access policies across your infrastructure. 
+It hardens your access controls and visually shows up-to-date relationships and policies of all users, groups, and computing resources
 It can help you answer questions like:
 
 - What resources can a specific user access?
@@ -13,15 +13,16 @@ It can help you answer questions like:
 
 ## Getting started with Teleport Policy
 
-Access Graph is a feature of the Teleport Policy product that is only 
-available to Teleport Enterprise customers.
+Teleport Policy is a separately licensed product and is available to Teleport Enterprise customers.
+Access Graph is a major capability of Teleport Policy that visually shows the relationships of 
+policies of users, groups, and computing resources.
 
-After logging into the Teleport UI, go to the Management tab. If enabled, Access Graph options can be found
-under the Permission Management section.
+After logging into the Teleport UI, go to the Management tab. If enabled, Teleport Policy’s Access Graph options 
+can be found under the Permission Management section.
 
 <Admonition type="note">
-Note: For managed Teleport Enterprise customers, Access Graph is enabled by default.
-If you are a self-hosted Teleport customer, you will need to set up [Access Graph](../access-graph/self-hosted.mdx) and ensure you have an updated 
+Note: For managed Enterprise customers, Teleport Policy is enabled by default.
+If you are a self-hosted Teleport customer, you will need to set up [Teleport Policy’s Access Graph](../access-graph/self-hosted.mdx) and ensure you have an updated 
 `license.pem` with Teleport Policy enabled to use it.
 </Admonition>