gravitational · ptgott · May 1, 2023 · May 2, 2023 · May 2, 2023 · May 17, 2023
diff --git a/docs/config.json b/docs/config.json
@@ -613,6 +613,20 @@
           "title": "Introduction",
           "slug": "/management/introduction/"
         },
+	{
+	  "title": "Using Dynamic Configuration Resources",
+	  "slug": "/management/dynamic-configuration/",
+	  "entries": [            
+	    {
+              "title": "Kubernetes Operator (Preview)",
+              "slug": "/management/dynamic-configuration/teleport-operator/"
+            },
+            {
+              "title": "Terraform Provider",
+              "slug": "/management/dynamic-configuration/terraform-provider/"
+            }
+	  ]
+	},
         {
           "title": "Joining Teleport Services",
           "slug": "/management/join-services-to-your-cluster/",
@@ -764,14 +778,6 @@
           "title": "Integrations",
           "slug": "/management/guides/",
           "entries": [
-            {
-              "title": "Kubernetes Operator (Preview)",
-              "slug": "/management/guides/teleport-operator/"
-            },
-            {
-              "title": "Terraform Provider",
-              "slug": "/management/guides/terraform-provider/"
-            },
             {
               "title": "EC2 Tags",
               "slug": "/management/guides/ec2-tags/"
@@ -2383,12 +2389,12 @@
     },
     {
       "source": "/setup/guides/teleport-operator/",
-      "destination": "/management/guides/teleport-operator/",
+      "destination": "/management/dynamic-configuration/teleport-operator/",
       "permanent": true
     },
     {
       "source": "/setup/guides/terraform-provider/",
-      "destination": "/management/guides/terraform-provider/",
+      "destination": "/management/dynamic-configuration/terraform-provider/",
       "permanent": true
     },
     {
@@ -2790,6 +2796,16 @@
       "source": "/choose-an-edition/teleport-cloud/",
       "destination": "/choose-an-edition/teleport-cloud/introduction/",
       "permanent": true
+    },
+    {
+      "source": "/management/guides/teleport-operator/",
+      "destination": "/management/dynamic-configuration/teleport-operator/",
+      "permanent": true
+    },
+    {
+      "source": "/management/guides/terraform-provider/",
+      "destination": "/management/dynamic-configuration/terraform-provider/",
+      "permanent": true
     }
   ]
 }
diff --git a/docs/pages/access-controls/login-rules/kubernetes.mdx b/docs/pages/access-controls/login-rules/kubernetes.mdx
@@ -44,7 +44,7 @@ This guide is applicable if you self-host Teleport in Kubernetes using the
   </Admonition>
 
 - Follow Step 1 of the
-  [Teleport operator guide](../../management/guides/teleport-operator.mdx#step-13-install-teleport-cluster-helm-chart-with-the-operator)
+  [Teleport operator guide](../../management/dynamic-configuration/teleport-operator.mdx#step-13-install-teleport-cluster-helm-chart-with-the-operator)
   to install the Teleport Operator in your Kubernetes cluster.
   Make sure to follow the Enterprise instructions.
 
@@ -250,7 +250,7 @@ logins:
 
 ## Next Steps
 
-- Read the [Teleport Operator Guide](../../management/guides/teleport-operator.mdx) to
+- Read the [Teleport Operator Guide](../../management/dynamic-configuration/teleport-operator.mdx) to
   learn more about the Teleport Operator.
 - Read the [Login Rules reference](./reference.mdx) to learn mode about the
   Login Rule expression syntax.
diff --git a/docs/pages/access-controls/login-rules/terraform.mdx b/docs/pages/access-controls/login-rules/terraform.mdx
@@ -31,7 +31,7 @@ For simplicity, this guide will configure the Terraform provider to use your
 current logged-in user's Teleport credentials obtained from `tsh login`.
 
 <Admonition type="note">
-The [Terraform provider guide](../../management/guides/terraform-provider.mdx)
+The [Terraform provider guide](../../management/dynamic-configuration/terraform-provider.mdx)
 includes instructions for configuring a dedicated `terraform` user and role,
 which is a better option when running Terraform in a non-interactive
 environment.
@@ -156,7 +156,7 @@ logins:
 
 ## Next Steps
 
-- Read the [Terraform Guide](../../management/guides/terraform-provider.mdx) to
+- Read the [Terraform Guide](../../management/dynamic-configuration/terraform-provider.mdx) to
   learn more about configuring the Terraform provider.
 - Read the [Login Rules reference](./reference.mdx) to learn mode about the
   Login Rule expression syntax.
diff --git a/docs/pages/management/dynamic-configuration.mdx b/docs/pages/management/dynamic-configuration.mdx
@@ -0,0 +1,277 @@
+---
+title: Using Dynamic Configuration Resources
+description: An introduction to Teleport's dynamic configuration resources, which make it possible to apply settings to remote clusters using infrastructure as code.
+tocDepth: 3
+---
+
+This section includes guides for managing Teleport's dynamic configuration
+resources, which make it possible to adjust the behavior of your Teleport
+cluster as your infrastructure changes.
+
+## What is a dynamic configuration resource?
+
+There are two ways to configure a Teleport cluster:
+
+- **Static configuration file:** At startup, a Teleport process reads a
+  configuration file from the local filesystem (the default path is
+  `/etc/teleport.yaml`). Static configuration settings control aspects of a
+  cluster that are not expected to change frequently, like the ports that
+  services listen on. 
+- **Dynamic configuration resources:** Dynamic configuration resources control
+  aspects of your cluster that are likely to change over time, such as roles,
+  local users, and registered infrastructure resources.
+
+This approach makes it possible to incrementally adjust your Teleport
+configuration without restarting Teleport instances. 
+
+```mermaid
+flowchart TB
+subgraph backend["Cluster state backend"]
+  direction LR
+  resources["Dynamic config resources"]
+end 
+
+subgraph cluster[Teleport cluster]
+  subgraph auth[Auth Service]
+    conf1["Static config"]
+  end 
+  subgraph proxy[Proxy Service]
+    conf2["Static config"]
+  end 
+end
+
+auth--"Reads, writes"-->backend
+subgraph clients["API clients"]
+  terraform["Terraform Provider"]
+  operator["Kubernetes Operator"]
+  tctl
+end
+terraform & operator & tctl-- "API calls" -->proxy
+proxy-.->auth
+```
+
+A cluster is composed of different objects (i.e., resources) and there are three
+common operations that can be performed on them: `get` , `create` , and `remove`
+.
+
+Every resource in Teleport has three required fields:
+
+- `kind`: The type of resource
+- `name`: A required field in the `metadata` to uniquely identify the resource
+- `version`: The version of the resource format
+
+All other fields are specific to a resource.
+
+While Teleport Enterprise Cloud and Teleport Team do not expose the static
+configuration file to operators, they do use a static configuration file for
+certain settings. Read how Teleport [reconciles static and dynamic
+resources](#reconciling-the-configuration-file-with-dynamic-resources) to
+understand how to see the values of static configuration settings that also
+appear in dynamic configuration resources.
+
+When examining a dynamic configuration resource, note that some of the fields
+you will see are used only internally and are not meant to be changed. Others
+are reserved for future use.
+
+## Managing dynamic configuration resources
+
+Teleport provides three methods for applying dynamic configuration resources:
+the `tctl` client tool, Teleport Terraform provider, and Kubernetes Operator.
+
+All three methods connect to the Teleport Auth Service's gRPC endpoint in order
+to manipulate cluster configuration resources stored on the Auth Service
+backend. The design of Teleport's configuration interface makes it well suited
+for infrastructure-as-code and GitOps approaches.
+
+### YAML documents with `tctl`
+
+You can define configuration resources as YAML documents and apply them using
+the `tctl` client tool. Here is an example of a `role` resource that allows
+access to servers with the label `env:test`:
+
+```yaml
+kind: role
+version: v6
+metadata:
+  name: developer
+spec:
+  allow:
+    logins: ['ubuntu', 'debian', '{{internal.logins}}']
+    node_labels:
+      'env': 'test'
+```
+
+Since `tctl` works from the local filesystem, you can write commands that apply
+all configuration documents in a directory tree. See the [CLI
+reference](../reference/cli.mdx#tctl) for more information on `tctl`.
+
+### Teleport Terraform provider
+
+Teleport's Terraform provider lets you manage your Teleport configuration
+resources within the same infrastructure-as-code source as the rest of your
+infrastructure. There is a Terraform resource for each Teleport configuration
+resource. For example:
+
+```text
+resource "teleport_role" "developer" {
+  metadata = {
+    name = "developer"
+  }
+
+  spec = {
+    allow = {
+      logins = ["ubuntu", "debian", "{{internal.logins}}"]
+
+      node_labels = {
+        key   = ["env"]
+        value = ["test"]
+      }
+    }
+  }
+}
+```
+
+[Get started with the Terraform provider](./dynamic-configuration/terraform-provider.mdx).
+
+### Teleport Kubernetes Operator
+
+The Teleport Kubernetes Operator lets you apply Teleport configuration resources
+as Kubernetes resources so you can manage your Teleport settings alongside the
+rest of your Kubernetes infrastructure. Here is an example of a `TeleportRole`
+resource, which is equivalent to the two roles shown above:
+
+```yaml
+
+apiVersion: resources.teleport.dev/v5
+kind: TeleportRole
+metadata:
+  name: developer
+spec:
+  allow:
+    logins: ['ubuntu', 'debian', '{{internal.logins}}']
+    node_labels:
+      'env': 'test'
+```
+
+[Get started with the Kubernetes Operator](dynamic-configuration/teleport-operator.mdx). 
+
+## Reconciling the configuration file with dynamic resources
+
+Some dynamic configuration resources assign the same settings as fields within
+Teleport's static configuration file. For these fields, the Teleport Auth
+Service reconciles static and dynamic configurations on startup and when you
+create or remove a configuration resource.
+
+### Configuration resources that apply to static configuration fields
+
+There are three dynamic configuration resources that share fields with the
+static configuration file:
+
+- `session_recording_config`
+- `cluster_auth_preference`
+- `cluster_networking_config`
+
+#### `session_recording_config`
+
+|Dynamic resource field|Static configuration field|
+|---|---|
+|`spec.mode`|`auth_service.session_recording`|
+|`spec.proxy_checks_host_keys`|`auth_service.proxy_checks_host_keys`|
+
+#### `cluster_auth_preference`
+
+|Dynamic resource field|Static configuration field|
+|---|---|
+|`spec.type`|`auth_service.authentication.type`|
+|`spec.second_factor`|`auth_service.authentication.second_factor`|
+|`spec.connector_name`|`auth_service.authentication.connector_name`
+|`spec.u2f`|`auth_service.authentication.u2f`|
+|<nobr>`spec.disconnect_expired_cert`</nobr>|`auth_service.disconnect_expired_cert`|
+|`spec.allow_local_auth`|`auth_service.authentication.local_auth`|
+|`spec.message_of_the_day`|`auth_service.message_of_the_day`|
+|`spec.locking_mode`|`auth_service.authentication.locking_mode`|
+|`spec.webauthn`|`auth_service.authentication.webauthn`|
+|`spec.require_session_mfa`|<nobr>`auth_service.authentication.require_session_mfa`</nobr>|
+|`spec.allow_passwordless`|`auth_service.authentication.passwordless`|
+|`spec.device_trust`|`auth_service.authentication.device_trust`|
+|`spec.idp`|`proxy_service.idp`|
+|`spec.allow_headless`|`auth_service.authentication.headless`|
+
+#### `cluster_networking_config`
+
+|Dynamic resource field|Static configuration field|
+|---|---|
+|`spec.client_idle_timeout`|`auth_service.client_idle_timeout`|
+|`spec.keep_alive_interval`|`auth_service.keep_alive_interval`|
+|`spec.keep_alive_count_max`|`auth_service.keep_alive_count_max`|
+|`spec.session_control_timeout`|`auth_service.session_control_timeout`|
+|`spec.idle_timeout_message`|`auth_service.client_idle_timeout_message`|
+|`spec.web_idle_timeout`|`auth_service.web_idle_timeout`|
+|`spec.proxy_listener_mode`|`auth_service.proxy_listener_mode`|
+|`spec.routing_strategy`|`auth_service.routing_strategy`|
+|`spec.tunnel_strategy`|`auth_service.tunnel_strategy`|
+|`spec.proxy_ping_interval`|`auth_service.proxy_ping_interval`|
+
+#### `ui_config`
+
+|Dynamic resource field|Static configuration field|
+|---|---|
+|`spec.scrollback_lines`|`proxy_service.ui.scrollback_lines`|
+
+### Origin labels
+
+The Teleport Auth Service applies the `teleport.dev/origin` label to
+configuration resources to indicate whether they originated from the static
+configuration file, a dynamic configuration resource, or the default value.
+
+Here are possible values of the `teleport.dev/origin` label:
+
+- `defaults`
+- `config-file`
+- `dynamic`
+
+When the Auth Service starts up, it looks up the values of static configuration
+fields that correspond to fields in dynamic configuration resources. If any of
+these have values, it creates the corresponding dynamic configuration resources
+and stores them in its backend. 
+
+For any static configuration fields without a value, the Auth Service checks
+whether the backend contains the corresponding dynamic configuration resource.
+If not, it creates one with default values and the
+`teleport.dev/origin=defaults` label.
+
+If you attempt to create a dynamic configuration resource after the Auth Service
+has already loaded the configuration from a static configuration file, the Auth
+Service will return an error.
+
+If you remove a dynamic configuration resource, the Auth Service will restore
+its configuration fields to the default values and add the
+`teleport.dev/origin=defaults` label.
+
+<Notice type="tip">
+
+Cloud-hosted Teleport deployments use configuration files, but these are not
+available for operators to modify. Users of Teleport Enterprise Cloud and
+Teleport Team may see configuration resources with the
+`teleport.dev/origin=config-file` label.
+
+</Notice>
+
+## Further reading
+
+### Configuration references
+
+- For a comprehensive reference of Teleport's static configuration options, read
+  the [Configuration Reference](../reference/config.mdx).
+- To see the dynamic configuration resources available to apply, read the
+  [Configuration Resource Reference](../reference/resources.mdx). There are also
+  dedicated configuration resource references for
+  [applications](../application-access/reference.mdx#application-resource) and
+  [databases](../database-access/reference/configuration.mdx#database-resource).
+
+### Other ways to use the Teleport API
+
+The Teleport Kubernetes Operator, Terraform provider, and `tctl` are all clients
+of the Teleport Auth Service's gRPC API. To build your own API client to extend
+Teleport for your organization's needs, read our [API
+guides](../api/introduction.mdx).
diff --git a/...s/management/guides/teleport-operator.mdx → ...namic-configuration/teleport-operator.mdx b/...s/management/guides/teleport-operator.mdx → ...namic-configuration/teleport-operator.mdx
diff --git a/.../management/guides/terraform-provider.mdx → ...amic-configuration/terraform-provider.mdx b/.../management/guides/terraform-provider.mdx → ...amic-configuration/terraform-provider.mdx