Pipelines section 2 : Changes to Pipelines/Installation files (#2306)

* Update overview.md

* Update awslandingzone.md

* Update authoverview.md

* Update viagithubapp.md

* Update viamachineusers.md

* Update addingnewrepo.md

* Update addingexistingrepo.md

* Update branch-protection.md

* Update destroying-infrastructure.md

* Update addingexistingrepo.md

* Update docs/2.0/docs/pipelines/installation/addingexistingrepo.md

* Update docs/2.0/docs/pipelines/installation/addingexistingrepo.md

* Update docs/2.0/docs/pipelines/installation/addingexistingrepo.md

* Update docs/2.0/docs/pipelines/installation/addingexistingrepo.md

* Fix customizablevalue

* Update docs/2.0/docs/pipelines/installation/addingexistingrepo.md

* Update docs/2.0/docs/pipelines/installation/addingnewrepo.md

* Update docs/2.0/docs/pipelines/installation/addingnewrepo.md

* Update branch-protection.md

* Update docs/2.0/docs/pipelines/installation/overview.md

* Update docs/2.0/docs/pipelines/installation/overview.md

* Update docs/2.0/docs/pipelines/installation/overview.md

* Update docs/2.0/docs/pipelines/installation/viamachineusers.md

* Update docs/2.0/docs/pipelines/installation/viamachineusers.md

* Update docs/2.0/docs/pipelines/installation/viamachineusers.md

* Update branch-protection.md

* Update branch-protection.md

* Update branch-protection.md

* Update branch-protection.md

* Update addingexistingrepo.md

* Update viamachineusers.md

* Update authoverview.md

* Update awslandingzone.md

* Update overview.md

* Update authoverview.md

* Update viagithubapp.md

* Update viamachineusers.md

* Update viamachineusers.md

* Update viamachineusers.md

* Update viamachineusers.md

* Update viamachineusers.md

* Update viamachineusers.md

* Update viamachineusers.md

* Update viamachineusers.md

* Update viamachineusers.md

* updates

* more values

* more landing zone changes

* underscores

* add existing repo updates

* WIP - via machine users edits

* updates

---------

Co-authored-by: Zach Goldberg <[email protected]>
Co-authored-by: Zach Goldberg <[email protected]>

Author: EdifyContent

docs/2.0/docs/pipelines/installation/addingexistingrepo.md

@@ -1,51 +1,51 @@
-# Initial setup
+# Initial Setup
 
-To set up Gruntwork Pipelines in a new repository you'll need to complete the following steps:
-1. Create your `infrastructure-live-root` repository from Gruntwork's GitHub template.
-2. Configure the Gruntwork.io GitHub App to authorize your `infrastructure-live-root` repository, alternatively ensure that the appropriate machine user tokens have been setup as repository or organization secrets.
-3. Update the Bootstrap Workflow to configure your AWS settings.
-4. Run the Bootstrap Workflow in your `infrastructure-live-root` repository to create pull requests and repositories.
+To configure Gruntwork Pipelines in a new repository, complete the following steps:
 
+1. Create your `infrastructure-live-root` repository using Gruntwork's GitHub template.
+2. Configure the Gruntwork.io GitHub App to authorize your `infrastructure-live-root` repository, or ensure that the appropriate machine user tokens are set up as repository or organization secrets.
+3. Update the Bootstrap Workflow to configure your AWS settings.
+4. Execute the Bootstrap Workflow in your `infrastructure-live-root` repository to generate pull requests and additional repositories.
 
-## Creating Infrastructure Live Root
+## Creating the infrastructure-live-root repository
 
-To set up IaC Foundations, we use a pre-configured git repository template that includes best practices and also allows for customization.
+Gruntwork provides a pre-configured git repository template that incorporates best practices while allowing for customization.
 
 [infrastructure-live-root-template](https://github.com/gruntwork-io/infrastructure-live-root-template)
 
-This template creates an infrastructure-live-root repository with a bootstrap workflow that can be run to create scaffolding for a best practices Terragrunt configuration, including patterns for module defaults, global variables, and account baselines. It also configures Gruntwork Pipelines, which is easy to remove if you don't want it.
+This template generates an `infrastructure-live-root` repository with a bootstrap workflow designed to scaffold a best-practices Terragrunt configuration. It includes patterns for module defaults, global variables, and account baselines. Additionally, it integrates Gruntwork Pipelines, which can be removed if not required.
 
-The workflow also optionally creates and scaffolds your `infrastructure-live-access-control` and `infrastructure-catalog` repositories.
+The workflow can optionally scaffold the `infrastructure-live-access-control` and `infrastructure-catalog` repositories.
 
-Navigate to the template repository and select **Use this template** -> **Create a new Repository**. This will initiate repository creation. You should select your org as the owner, add a description if you like, make sure you are creating a **private** repo, and click **Create repository**.
+Navigate to the template repository and select **Use this template** -> **Create a new Repository**. Choose your organization as the owner, add a description if desired, set the repository to **private**, and click **Create repository**.
 
-## Configuring Gruntwork App Settings
+## Configuring Gruntwork app settings
 
-Configure the Gruntwork.io GitHub App to [add this repository as an Infra Root repository](/2.0/docs/pipelines/installation/viagithubapp#configuration).
+Use the Gruntwork.io GitHub App to [add the repository as an Infra Root repository](/2.0/docs/pipelines/installation/viagithubapp#configuration).
 
-If you're using our [machine user model](/2.0/docs/pipelines/installation/viamachineusers.md) then ensure the `INFRA_ROOT_WRITE_TOKEN` (and `ORG_REPO_ADMIN_TOKEN` for enterprise customers) is added to this repository as a secret and/or is set as an organization secret.
+If using the [machine user model](/2.0/docs/pipelines/installation/viamachineusers.md), ensure the `INFRA_ROOT_WRITE_TOKEN` (and `ORG_REPO_ADMIN_TOKEN` for enterprise customers) is added to the repository as a secret or configured as an organization secret.
 
-## Update The Bootstrap Workflow
+## Updating the Bootstrap Workflow
 
-Return to your `infrastructure-live-root` repository and follow the instructions in the `README` to update the bootstrap workflow for your IaC Foundations. You will need to provide details of your AWS organization and accounts, as well as default values to be used when vending new accounts.
+Return to your `infrastructure-live-root` repository and follow the `README` instructions to update the bootstrap workflow for IaC Foundations. Provide details about your AWS organization, accounts, and default values for new account provisioning.
 
-## Run The Workflow
+## Running the workflow
 
-Follow the instructions in your `infrastructure-live-root` to run the Bootstrap workflow. Gruntwork is available to assist with questions around other patterns as they arise. When running the workflow you can select options to create `infrastructure-live-access-control` and `infrastructure-catalog` repositories. These will be created in your GitHub organization using values defined in the workflow file.
+Follow the instructions in your `infrastructure-live-root` repository to execute the Bootstrap Workflow. Gruntwork support is available to address any questions that arise. During the workflow execution, you can choose to create the `infrastructure-live-access-control` and `infrastructure-catalog` repositories. These repositories will be created in your GitHub organization using values defined in the workflow configuration.
 
-### Infrastructure Live Access Control
+### Infrastructure live access control
 
-This repository is only necessary for Enterprise customers, but is recommended for all customers. When running the Bootstrap workflow in your `infrastructure-live-root` account, select the option to "Bootstrap the infrastructure-access-control repository".
+This repository is primarily for Enterprise customers but is recommended for all users. When running the Bootstrap Workflow in your `infrastructure-live-root` repository, select the option to "Bootstrap the infrastructure-access-control repository."
 
-### Infrastructure Modules
+### Infrastructure catalog
 
-The Bootstrap workflow creates an empty infrastructure-catalog repository that will be used to store Terraform/OpenTofu modules that your organization has authored and intends to use within your organization. When running the Bootstrap workflow in your `infrastructure-live-root` account, select the option to "Bootstrap the infrastructure-catalog repository".
+The Bootstrap Workflow also creates an empty `infrastructure-catalog` repository. This repository is used to store Terraform/OpenTofu modules authored by your organization for internal use. During the Bootstrap Workflow execution in your `infrastructure-live-root` repository, select the option to "Bootstrap the infrastructure-catalog repository."
 
-## Complete Instructions In The Bootstrap Pull Requests
+## Completing instructions in Bootstrap Pull Requests
 
-Each of your repositories will now contain a Bootstrap Pull Request. Follow the instructions in the Pull Requests to complete setup of your IaC repositories.
+Each of your repositories will contain a Bootstrap Pull Request. Follow the instructions in these Pull Requests to finalize the setup of your IaC repositories.
 
 :::info
 
-These bootstrapping pull requests include some stock configuration, such as a `mise.toml` file which specifies versions of OpenTofu and Terragrunt to use.  Please make sure you review these files and update the configuration to match your organization's requirements.
-:::
+The bootstrapping pull requests include pre-configured files, such as a `mise.toml` file that specifies versions of OpenTofu and Terragrunt. Ensure you review and update these configurations to align with your organization's requirements.
+:::

docs/2.0/docs/pipelines/installation/addingnewrepo.md

@@ -1,25 +1,25 @@
 # Authenticating Gruntwork Pipelines
 
-Gruntwork Pipelines needs to authenticate with GitHub for various reasons, including:
-* Downloading Gruntwork code (e.g. the pipelines binary, Terraform modules, etc.) from the `gruntwork-io` GitHub organization.
-* Interacting with your repositories, e.g.:
-  * Creating pull requests
-  * Commenting on pull requests
-  * (via Account Factory) Creating new repositories
-  * (via Account Factory) Updating repository settings, e.g. enforcing branch protection
+Gruntwork Pipelines requires authentication with GitHub to perform various functions, including:
+* Downloading Gruntwork code, such as the Pipelines binary and Terraform modules, from the `gruntwork-io` GitHub organization.
+* Interacting with your repositories, such as:
+  * Creating pull requests.
+  * Commenting on pull requests.
+  * Creating new repositories via Account Factory.
+  * Updating repository settings, such as enforcing branch protection, via Account Factory.
 
-Gruntwork provides two mechanisms to achieve this authentication: a [GitHub App](/2.0/docs/pipelines/installation/viagithubapp.md) and a strategy of using CI Users (aka [Machine Users](/2.0/docs/pipelines/installation/viamachineusers.md)) for generating/installing personal access tokens for pipelines to use.
+Gruntwork provides two authentication methods: a [GitHub App](/2.0/docs/pipelines/installation/viagithubapp.md) and CI Users ([Machine Users](/2.0/docs/pipelines/installation/viamachineusers.md)) with personal access tokens for Pipelines.
 
-Broadly the two approaches achieve the same result and core pipelines functionality will work with either mechanism.  There are, however, some features and benefits only available with authenticating using the GitHub app and as such it is our recommended approach. As we roll out new features to pipelines we endeavor to ensure they are available to both authentication mechanisms. However, we do anticipate that the list of features that are GitHub App exclusive will grow over time.
+Both approaches support the core functionality of Pipelines. However, the GitHub App provides additional features and benefits, making it the recommended method. While Gruntwork strives to ensure feature parity between the two authentication mechanisms, certain advanced features are exclusive to the GitHub App, and this list is expected to grow over time.
 
-In summary:
+## Summary of authentication mechanisms
 
-**Reasons to use the GitHub App**:
-* _Dramatically_ streamlined setup
-* Access to more features and functionality
-* Improved day to day user experience
-* Less maintenance overhead (no need to install, maintain and rotate powerful tokens)
+**Advantages of the GitHub App**:
+- Simplified setup process.
+- Access to enhanced features and functionality.
+- Improved user experience during regular operations.
+- Reduced maintenance, as there is no need to install, maintain, or rotate powerful tokens.
 
-**Reasons to use Machine Users**
-* You need to work with GitHub on-prem Enterprise and your on-premise install doesn't allow interacting with third party servers (e.g. Gruntwork's backend)
-* You want a fallback solution to ensure that Pipelines can continue to function even if the Gruntwork-hosted backend that powers the GitHub App goes down
+**Advantages of Machine Users**:
+- Compatibility with on-premises GitHub Enterprise installations that cannot interact with third-party servers (e.g., Gruntwork's backend).
+- Provides a fallback solution to ensure Pipelines continue functioning in the unlikely event of an outage affecting the Gruntwork-hosted backend that powers the GitHub App.

docs/2.0/docs/pipelines/installation/authoverview.md

@@ -1,50 +1,47 @@
 # Branch Protection
 
-Gruntwork Pipelines is designed to be used with a PR based workflow.
-This means an approval on a PR is an approval to deploy infrastructure, making the configuration of repository settings and branch protection especially important.
+Gruntwork Pipelines is designed to function within a PR-based workflow. Approving a pull request (PR) signals approval to deploy infrastructure, so it's important to configure repository settings and branch protection accurately.
 
-## Recommended Settings
+## Recommended settings
 
-By default, Gruntwork pipelines runs a plan on every push to a PR and an apply on every push to `main`.
-Branch protection should be enabled on `main` to prevent changes from being applied without approval.
+By default, Gruntwork Pipelines runs a `plan` on every push to a PR and an `apply` on every push to `main`. To ensure that infrastructure changes are reviewed and approved before deployment, branch protection should be enabled on `main` to prevent unauthorized changes.
+
+- Enable **Require a pull request before merging** to ensure all changes go through a pull request.
+- Enable **Require approvals** to require at least one approval before merging. Optionally, configure more than one required approval.
+- Enable **Require review from code owners** for controlled reviews of specific code areas. For more details, see [GitHub Documentation](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners).
+- Enable **Require status checks to pass before merging** to ensure the `apply` does not run if the `plan` fails, or if organizational validation rules fail.
+- Enable **Require branches to be up to date before merging** and select the `Pipelines` workflow as required.
 
-- **Require a pull request before merging** should be enabled.
-- **Require approvals** should be enabled. Optionally, more than one approval could be required.
-- **Require review from Code Owners** should be enabled if you need control over which users are required to review specific code areas. See the [GitHub Documentation](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) for more information.
-- **Require status checks to pass before merging** should be enabled.
-  :::info
-    This prevents `apply` from running when `plan` fails and ensures any validation rules your organization has put in place have been run.
-  :::
-- **Require branches to be up to date before merging** should be enabled with the `Pipelines` workflow selected as required.
   :::info
-    This option prevents `apply` from running with an inaccurate `plan`, but has a tradeoff of increased GitHub Actions minute usage.
-    When the PR is not up to date you will see the following message:
+  
+    This prevents running an inaccurate `apply` by ensuring the PR is up-to-date. However, it increases GitHub Actions minute usage. If disabled, another PR merged into `main` after the `plan` could lead to an inaccurate `apply`. Evaluate whether this tradeoff aligns with your organization's risk tolerance.
+  
+    Example warning when PR is not up-to-date:
+  
     ![Recommended Branch Protection Settings](/img/pipelines/pr-sync.png)
-    With this option disabled, another PR could be merged into `main` after this PR has run `plan`. No new plan would be run
-    in that scenario, so the `apply` has a higher likelihood of failure. If this risk is acceptable to your organization you may
-    choose to ignore this recommendation.
+  
   :::
 
-The following is an example of the recommended settings for branch protection:
+Below is an example of the recommended branch protection settings:
+
 ![Recommended Branch Protection Settings](/img/pipelines/repo-settings.png)
 
 :::info
-  You may wish to enable **Do not allow bypassing the above settings** to prevent admins from bypassing the branch
-  protection rules. This will limit your options for applying emergency fixes, but is more secure.
+  Consider enabling **Do not allow bypassing the above settings** to prevent admins from bypassing branch protection rules. While this improves security, it may limit options for emergency fixes.
 :::
 
 :::info
-  As of writing, GitHub has also released new functionality that is broadly only available to GitHub Enterprise customers.
-  This beta functionality allows for configuring [push rulesets](https://docs.github.com/en/enterprise-cloud@latest/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets#push-rulesets). To configure it, follow the documentation [here](https://docs.github.com/en/enterprise-cloud@latest/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#creating-a-push-ruleset).
-  Enabling this feature is recommended if it is available for you, as it allows you to prevent edits to `.github/workflows` files, ensuring that all infrastructure changes are reviewed, approved and propagated through Pipelines.
-
-## PR Workflow
-
-1. Developers make infrastructure changes on a branch and create a PR against `main`
-1. On PR creation, Gruntwork Pipelines runs `plan` on any changes and posts the results as a comment
-1. Gruntwork Pipelines re-runs `plan` on every push to the branch and posts results as a comment
-1. Approvals are gathered. If codeowners is enabled, the owner of each changed folder/file must approve the PR before it can be merged
-1. Once approved, the PR is merged into `main`
-1. Gruntwork Pipelines runs `apply` on any changes from the PR
-   - On Success, the PR is updated to communicate the success of the apply
-   - On Failure, the PR is updated to communicate the failure of the apply. If the apply cannot be fixed by retrying, a new PR must be created to resolve any failures.
+  GitHub Enterprise customers can also configure [push rulesets](https://docs.github.com/en/enterprise-cloud@latest/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets#push-rulesets). This feature allows restricting edits to `.github/workflows` files, ensuring infrastructure changes are properly reviewed and approved through Pipelines. Follow the documentation [here](https://docs.github.com/en/enterprise-cloud@latest/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#creating-a-push-ruleset) to enable push rulesets if available.
+:::
+
+
+## PR workflow
+
+1. Developers make infrastructure changes on a branch and create a PR against `main`.
+2. On PR creation, Gruntwork Pipelines runs `plan` for any changes and posts the results as a comment.
+3. Gruntwork Pipelines re-runs `plan` on every push to the branch and updates the results in a comment.
+4. Gather approvals. If Code Owners is enabled, all relevant code owners must approve the PR.
+5. Once approved, merge the PR into `main`.
+6. Gruntwork Pipelines runs `apply` for the changes from the PR.
+   - On success, the PR is updated to indicate the successful `apply`.
+   - On failure, the PR is updated to indicate the failure of the `apply`. If the failure cannot be resolved by retrying, a new PR must be created to address the issues.