gravitational · strideynet · Sep 11, 2024 · Sep 10, 2024 · Sep 10, 2024 · Sep 10, 2024
diff --git a/docs/config.json b/docs/config.json
@@ -1043,7 +1043,7 @@
     },
     {
       "source": "/machine-id/deployment/spacelift/",
-      "destination": "/enroll-resources/machine-id/deployment/spacelift/",
+      "destination": "/admin-guides/infrastructure-as-code/terraform-provider/spacelift/",
       "permanent": true
     },
     {
@@ -2575,6 +2575,11 @@
       "source": "/choose-an-edition/teleport-enterprise/introduction/",
       "destination": "/admin-guides/deploy-a-cluster/deploy-a-cluster/",
       "permanent": true
+    },
+    {
+      "source": "/enroll-resources/machine-id/deployment/spacelift/",
+      "destination": "/admin-guides/infrastructure-as-code/terraform-provider/spacelift/",
+      "permanent": true
     }
   ]
 }
diff --git a/docs/pages/admin-guides/infrastructure-as-code/terraform-provider.mdx b/docs/pages/admin-guides/infrastructure-as-code/terraform-provider.mdx
@@ -19,6 +19,7 @@ is executed. You must pick the correct guide for your setup:
 |---------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|
 | [Run the Teleport Terraform provider locally](./terraform-provider/local.mdx)                                       | This is the best way to get started with the Teleport terraform provider, write some initial Terraform code and get familiar with IaC.                                                                           | You're using you local credentials to create a temporary bot, obtain short-lived credentials, and store them in environment variables. |
 | [Run the Teleport Terraform provider in CI or a cloud VM](./terraform-provider/ci-or-cloud.mdx)                     | You already have a working Terraform module configuring Teleport and want to run it in CI to benefit from review and audit capabilities from your versioning system (e.g. git).                                  | You're using a proof provided by your runtime (CI engine, cloud provider) to prove your identity and join using MachineID.             |
+| [Run the Teleport Terraform provider on Spacelift](./terraform-provider/spacelift.mdx)                              | You already have a working Terraform module configuring Teleport and want to run it on the Spacelift platform.                                                                                                   | You're using a proof provided by Spacelift to prove your identity and join using MachineID.                                            |
 | [Run the Teleport Terraform provider from a server](./terraform-provider/dedicated-server.mdx)                      | You have working Terraform code and want to run it on a dedicated server. The server is long-lived, like a bastion or a task runner.                                                                             | You setup a MachineID daemon (`tbot`) that obtains and refreshes credentials for the Terraform provider.                               |
 | [Run the Teleport Terraform provider with long-lived credentials.](./terraform-provider/long-lived-credentials.mdx) | This method is discouraged as less secure than the 3 others. This should be used when none of the other methods work in your case (short-lived CI environments that don't have dedicated Teleport join methods). | You sign one long lived certificate allowing the Terraform provider to connect to Teleport.                                            |
 

diff --git a/docs/pages/admin-guides/infrastructure-as-code/terraform-provider/ci-or-cloud.mdx b/docs/pages/admin-guides/infrastructure-as-code/terraform-provider/ci-or-cloud.mdx
@@ -25,10 +25,11 @@ join method and token to the provider.
 
 </Admonition>
 
-This guide does not cover running Teleport locally or on a dedicated server.
-If you are in one of those cases, follow the dedicated guides:
+This guide does not cover running Teleport locally, on a dedicated server or on
+certain platforms. See the following more specific guides for those cases:
 - [Run the Terraform Provider locally](./local.mdx)
 - [Run the Teleport Terraform Provider on a server](./dedicated-server.mdx)
+- [Run the Teleport Terraform Provider on Spacelift](./spacelift.mdx)
 
 ## How it works
 

diff --git a/...urces/machine-id/deployment/spacelift.mdx → ...-as-code/terraform-provider/spacelift.mdx b/...urces/machine-id/deployment/spacelift.mdx → ...-as-code/terraform-provider/spacelift.mdx
@@ -1,6 +1,6 @@
 ---
-title: Deploying Machine ID on Spacelift
-description: How to install and configure Machine ID on Spacelift
+title: Run the Teleport Terraform Provider on Spacelift
+description: How to manage dynamic resources using the Teleport Terraform provider on the Spacelift platform.
 ---
 
 You can use Spacelift with the Teleport Terraform provider to manage dynamic
@@ -32,56 +32,9 @@ resources.
 
 ## Step 1/3. Create a role and Machine ID bot
 
-Create `example-bot-role.yaml`, which declares a Teleport role that we will
-assign to the bot user for Spacelift. `tbot` generates short-lived credentials
-that grant the user access to this role, allowing Spacelift to manage dynamic
-Teleport resources using Terraform:
-
-```yaml
-kind: role
-version: v5
-metadata:
-  name: example-bot
-spec:
-  allow:
-    rules:
-    - resources:
-      - app
-      - cluster_auth_preference
-      - cluster_networking_config
-      - db
-      - device
-      - github
-      - login_rule
-      - oidc
-      - okta_import_rule
-      - role
-      - saml
-      - session_recording_config
-      - token
-      - trusted_cluster
-      - user
-      verbs:
-      - create
-      - read
-      - update
-      - delete
-      - list
-  deny: {}
-  options: {}
-```
-
-This role grants access to create, update, delete, and list a number of Teleport
-resources. You may wish to remove resources that you do not intend to configure
-with Terraform from this list to reduce blast radius. See the [Teleport Role
-Reference](../../../reference/access-controls/roles.mdx)
-for the dynamic resources you can grant access to in a Teleport role.
-
-Create this role by applying the manifest:
-
-```
-$ tctl create example-bot-role.yaml
-```
+First, we'll create a Machine ID Bot for our Spacelift job to act as. We'll
+grant it the `terraform-provider` role, which automatically grants access to
+every resource supported by the Teleport terraform provider.
 
 Create `bot.yaml`:
 
@@ -92,9 +45,10 @@ metadata:
   # name is a unique identifier for the Bot in the cluster.
   name: example
 spec:
-  # we specify the role that we just created to grant it to the Bot
+  # The terraform-provider is a default role shipped in Teleport granting access
+  # to every resource supported by the terraform provider.
   roles:
-    - example-bot
+    - terraform-provider
 ```
 
 Make sure you replace `example` with a unique, descriptive, name for your Bot.

diff --git a/docs/pages/enroll-resources/machine-id/deployment.mdx b/docs/pages/enroll-resources/machine-id/deployment.mdx
@@ -66,10 +66,10 @@ on-prem infrastructure.
 Read the following guides for how to deploy Machine ID on a continuous
 integration and continuous deployment platform
 
-| Platform                                          | Installation method                                           | Join method                        |
-|---------------------------------------------------|---------------------------------------------------------------|------------------------------------|
-| [CircleCI](./deployment/circleci.mdx)             | TAR archive                                                   | CircleCI-signed identity document  |
-| [GitLab](./deployment/gitlab.mdx)                 | TAR archive                                                   | GitLab-signed identity document    |
-| [GitHub Actions](./deployment/github-actions.mdx) | Teleport job available through the GitHub Actions marketplace | GitHub-signed identity document.   |
-| [Jenkins](./deployment/jenkins.mdx)               | Package manager or TAR archive                                | Static join token                  |
-| [Spacelift](./deployment/spacelift.mdx)           | Docker Image                                                  | Spacelift-signed identity document |
+| Platform                                                                                | Installation method                                           | Join method                        |
+|-----------------------------------------------------------------------------------------|---------------------------------------------------------------|------------------------------------|
+| [CircleCI](./deployment/circleci.mdx)                                                   | TAR archive                                                   | CircleCI-signed identity document  |
+| [GitLab](./deployment/gitlab.mdx)                                                       | TAR archive                                                   | GitLab-signed identity document    |
+| [GitHub Actions](./deployment/github-actions.mdx)                                       | Teleport job available through the GitHub Actions marketplace | GitHub-signed identity document.   |
+| [Jenkins](./deployment/jenkins.mdx)                                                     | Package manager or TAR archive                                | Static join token                  |
+| [Spacelift](../../admin-guides/infrastructure-as-code/terraform-provider/spacelift.mdx) | Docker Image                                                  | Spacelift-signed identity document |