Condense docs sections into "Enroll Resources" (#43979)

The number of sections on the left sidebar makes the documentation
difficult to navigate. This change reduces the number of sidebar
sections by creating an "Enroll Resources" section from sidebar sections
related to protecting infrastructure resources with Teleport.

This change configures the sidebar for the Enroll Resources section to
be automatically generated. Since the generator expects each
subdirectory of a section to have a corresponding table of contents
page, this change also adds missing table of contents pages.

In some cases, we can repurpose an existing section introduction page
for a section's table of contents page. In other cases, the introduction
spends too much time on providing context to make for a useful table of
contents, so this change adds a separate table of contents page. Table
of contents pages use the `(!toc!)` syntax to list links automatically
based on the file system.

This change also adds redirects based on mentions of Teleport docs URLs
in the Web UI source, and removes all other redirects to avoid exceeding
the maximum number of routes in Vercel.
Paul Gottschling 2024-07-11 17:20:33 -04:00 committed by GitHub
parent 68fe8d9666
commit c94a2b1cef
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
283 changed files with 768 additions and 2438 deletions


@ -32,7 +32,7 @@ Support for disabling second factor authentication has been removed
Users with custom `ssh_config` should modify their ProxyCommand to use the new,
more performant, `tbot ssh-proxy-command`. See the
[v16 upgrade guide](docs/pages/machine-id/reference/v16-upgrade-guide.mdx) for
[v16 upgrade guide](docs/pages/enroll-resources/machine-id/reference/v16-upgrade-guide.mdx) for
more details.
#### Default keyboard shortcuts in Teleport Connect have been changed
@ -130,7 +130,7 @@ Remote Desktop Services > Remote Desktop Session Host, enable:
1. Remote Session Environment > Limit maximum color depth
Detailed instructions are available in the
[setup guide](docs/pages/desktop-access/active-directory.mdx#enable-remotefx).
[setup guide](docs/pages/enroll-resources/desktop-access/active-directory.mdx#enable-remotefx).
A reboot may be required for these changes to take effect.
#### `tsh ssh`
@ -383,7 +383,7 @@ applications in Kubernetes clusters. When connected to a Kubernetes cluster (or
deployed as a Helm chart), Teleport discovery service will automatically find
and enroll web applications for use with app access.
See documentation [here](docs/pages/auto-discovery/kubernetes-applications.mdx).
See documentation [here](docs/pages/enroll-resources/auto-discovery/kubernetes-applications.mdx).
#### Extended Kubernetes per-resource RBAC
@ -392,7 +392,7 @@ resources than just pods, including custom resources, and verbs. Note that this
feature requires role version `v7`.
See Kubernetes resources documentation to see a full list of [supported
resources](docs/pages/kubernetes-access/controls.mdx#kubernetes_resources).
resources](docs/pages/enroll-resources/kubernetes-access/controls.mdx#kubernetes_resources).
#### ClickHouse support for database access
@ -401,14 +401,14 @@ protocols. When using HTTP protocol, the user's query activity is captured in
the Teleport audit log.
See how to connect ClickHouse to Teleport
[here](docs/pages/database-access/enroll-self-hosted-databases/clickhouse-self-hosted.mdx).
[here](docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/clickhouse-self-hosted.mdx).
#### Oracle database access audit logging support
In Teleport 14, database access for Oracle integration is updated with query
audit logging support.
See documentation on how to configure it in the [Oracle guide](docs/pages/database-access/enroll-self-hosted-databases/oracle-self-hosted.mdx).
See documentation on how to configure it in the [Oracle guide](docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/oracle-self-hosted.mdx).
#### Limited passwordless access for local Windows users in OSS Teleport
@ -416,7 +416,7 @@ In Teleport 14, access to Windows desktops with local Windows users has been
extended to Community Edition. Teleport will permit users to register and
connect to up to 5 desktops with local users without an enterprise license.
For more information on using Teleport with local Windows users, see [docs](docs/pages/desktop-access/getting-started.mdx).
For more information on using Teleport with local Windows users, see [docs](docs/pages/enroll-resources/desktop-access/getting-started.mdx).
#### Discord and ServiceNow hosted plugins
@ -447,7 +447,7 @@ credentials and configuration files directly to a Kubernetes secret rather than
a directory on the local file system. This allows other services to more easily
consume the credentials output by `tbot` .
For more information, see [docs](docs/pages/machine-id/reference/configuration.mdx#kubernetes_secret).
For more information, see [docs](docs/pages/enroll-resources/machine-id/reference/configuration.mdx#kubernetes_secret).
### Breaking changes and deprecations
@ -457,7 +457,7 @@ Teleport 14 before upgrading.
#### SSH node open dial no longer supported
Teleport 14 no longer allows connecting to OpenSSH servers not registered with
the cluster. Follow the updated agentless OpenSSH integration [guide](docs/pages/server-access/openssh/openssh.mdx)
the cluster. Follow the updated agentless OpenSSH integration [guide](docs/pages/enroll-resources/server-access/openssh/openssh.mdx)
to register your OpenSSH nodes in the clusters inventory.
You can set `TELEPORT_UNSTABLE_UNLISTED_AGENT_DIALING=yes` environment variable
@ -500,7 +500,7 @@ All requests will still include `Teleport-JWT-Assertion` containing the JWT
token.
See documentation for details on how to inject the JWT token into any header
using [header rewriting](docs/pages/application-access/jwt/introduction.mdx#inject-jwt).
using [header rewriting](docs/pages/enroll-resources/application-access/jwt/introduction.mdx#inject-jwt).
#### tsh db CLI commands changes
@ -625,7 +625,7 @@ outputs:
is recommended that you migrate to v2 as soon as possible to benefit from new
Machine ID features.
For more details and guidance on how to upgrade to v2, see [docs](docs/pages/machine-id/reference/v14-upgrade-guide.mdx).
For more details and guidance on how to upgrade to v2, see [docs](docs/pages/enroll-resources/machine-id/reference/v14-upgrade-guide.mdx).
## 13.0.1 (05/xx/23)
@ -706,7 +706,7 @@ This will allow users to view the OpenSSH nodes in Web UI and using `tsh ls`
and use RBAC to control access to them.
See the updated [OpenSSH integration
guide](docs/pages/server-access/openssh/openssh.mdx).
guide](docs/pages/enroll-resources/server-access/openssh/openssh.mdx).
### Cross-cluster search for Teleport Connect
@ -1355,7 +1355,7 @@ Visit the individual repositories to find out more and see usage examples:
- https://github.com/teleport-actions/auth-k8s
For a more in-depth guide, see our
[documentation](./docs/pages/machine-id/deployment/github-actions.mdx) for using
[documentation](./docs/pages/enroll-resources/machine-id/deployment/github-actions.mdx) for using
Teleport with GitHub Actions.
### Secure certificate mapping for Desktop Access
@ -1624,8 +1624,8 @@ editing files on remote systems.
The following guides explain how to use IDEs to connect to a remote machine via
Teleport:
- [VS Code](./docs/pages/server-access/guides/vscode.mdx)
- [JetBrains](./docs/pages/server-access/guides/jetbrains-sftp.mdx)
- [VS Code](./docs/pages/enroll-resources/server-access/guides/vscode.mdx)
- [JetBrains](./docs/pages/enroll-resources/server-access/guides/jetbrains-sftp.mdx)
In addition, Teleport 11 clients will use SFTP protocol for file transfer under
the hood instead of the obsolete scp protocol. Server-side scp is still
@ -1655,7 +1655,7 @@ label resources.
Teleport database access now supports auto-discovery for Azure-hosted PostgreSQL
and MySQL databases. See the [Azure
guide](docs/pages/database-access/enroll-azure-databases/azure-postgres-mysql.mdx) for more
guide](docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx) for more
details.
In addition, Teleport database access will now use Azure AD managed identity
@ -1843,7 +1843,7 @@ login without having to use Teleport's PAM integration. Users can be added to sp
Linux groups and assigned appropriate “sudoer” privileges.
To learn more about configuring automatic user provisioning read the
[documentation](docs/pages/server-access/guides/host-user-creation.mdx).
[documentation](docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx).
### Audit Logging for Microsoft SQL Server database access
@ -1855,7 +1855,7 @@ to other supported database protocols.
Teleport database access for SQL Server remains in Preview mode with more UX
improvements coming in future releases.
Refer to [the guide](docs/pages/database-access/enroll-aws-databases/sql-server-ad.mdx) to set
Refer to [the guide](docs/pages/enroll-resources/database-access/enroll-aws-databases/sql-server-ad.mdx) to set
up access to a SQL Server with Active Directory authentication.
### Snowflake database access (Preview)
@ -1866,7 +1866,7 @@ standard database access features like role-based access control and audit
logging, including query activity.
Connect your Snowflake database to Teleport following the
[documentation](docs/pages/database-access/enroll-managed-databases/snowflake.mdx).
[documentation](docs/pages/enroll-resources/database-access/enroll-managed-databases/snowflake.mdx).
### Elasticache/MemoryDB database access (Preview)
@ -1876,7 +1876,7 @@ MemoryDB, including auto-discovery and automatic credential management in some
deployment configurations.
Learn more about it in the [documentation](
docs/pages/database-access/enroll-aws-databases/redis-aws.mdx).
docs/pages/enroll-resources/database-access/enroll-aws-databases/redis-aws.mdx).
### Teleport Connect for server and database access (Preview)
@ -1893,7 +1893,7 @@ In Teleport 10 weve added database access support to Machine ID. Applications
can use Machine ID to access databases protected by Teleport.
You can find Machine ID guide for database access in the
[documentation](docs/pages/machine-id/access-guides/databases.mdx).
[documentation](docs/pages/enroll-resources/machine-id/access-guides/databases.mdx).
### Breaking changes
@ -1929,7 +1929,7 @@ and we recommend upgrading to them. The old repositories will be maintained for
the foreseeable future.
See the [installation
instructions](docs/pages/server-access/getting-started.mdx#step-14-install-teleport-on-your-linux-host).
instructions](docs/pages/enroll-resources/server-access/getting-started.mdx#step-14-install-teleport-on-your-linux-host).
#### Removed “tctl access ls”
@ -2097,7 +2097,7 @@ secure cipher suites for desktop access.
As a result of these changes, desktop access users with desktops running Windows
Server 2012R2 will need to perform [additional
configuration](docs/pages/desktop-access/getting-started.mdx) to force Windows
configuration](docs/pages/enroll-resources/desktop-access/getting-started.mdx) to force Windows
to use compatible cipher suites.
Windows desktops running Windows Server 2016 and newer will continue to operate
@ -2355,7 +2355,7 @@ Some of the things you can do with Machine ID:
- Configure role-based access controls and locking for machines.
- Capture access events in the audit log.
[Machine ID getting started guide](docs/pages/machine-id/getting-started.mdx)
[Machine ID getting started guide](docs/pages/enroll-resources/machine-id/getting-started.mdx)
### Database access
@ -2366,7 +2366,7 @@ Redis cluster and view Redis commands in the Teleport audit log. We will be
adding support for AWS Elasticache in the coming weeks.
[Self-hosted Redis
guide](docs/pages/database-access/enroll-self-hosted-databases/redis.mdx)
guide](docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/redis.mdx)
#### SQL Server (Preview)
@ -2375,7 +2375,7 @@ Directory authentication support for database access. Audit logging of query
activity is not included in the preview release and will be implemented in a
later 9.x release.
[SQL Server guide](docs/pages/database-access/enroll-aws-databases/sql-server-ad.mdx)
[SQL Server guide](docs/pages/enroll-resources/database-access/enroll-aws-databases/sql-server-ad.mdx)
#### RDS MariaDB
@ -2383,7 +2383,7 @@ Teleport 9 updates MariaDB support with auto-discovery and connection to AWS RDS
MariaDB databases using IAM authentication. The minimum MariaDB version that
supports IAM authentication is 10.6.
[Updated RDS guide](docs/pages/database-access/enroll-aws-databases/rds.mdx)
[Updated RDS guide](docs/pages/enroll-resources/database-access/enroll-aws-databases/rds.mdx)
#### Other Improvements
@ -2395,8 +2395,8 @@ Database Service when running on AWS.
CLI commands reference:
- [`teleport db configure
create`](./docs/pages/database-access/reference/cli.mdx#teleport-db-configure-create)
- [`teleport db configure bootstrap`](./docs/pages/database-access/reference/cli.mdx#teleport-db-configure-bootstrap)
create`](./docs/pages/enroll-resources/database-access/reference/cli.mdx#teleport-db-configure-create)
- [`teleport db configure bootstrap`](./docs/pages/enroll-resources/database-access/reference/cli.mdx#teleport-db-configure-bootstrap)
### Moderated Sessions
@ -2432,7 +2432,7 @@ Teleport users can connect to Active Directory enrolled Windows hosts running
Windows 10, Windows Server 2012 R2 and newer Windows versions.
To try this feature yourself, check out our
[Getting Started Guide](docs/pages/desktop-access/getting-started.mdx).
[Getting Started Guide](docs/pages/enroll-resources/desktop-access/getting-started.mdx).
Review the desktop access design in:
@ -2470,7 +2470,7 @@ to log into their AWS console using `tsh apps login` and use `tsh aws` commands
to interact with AWS APIs.
See more info in the
[documentation](docs/pages/application-access/cloud-apis/aws-console.mdx).
[documentation](docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx).
#### Application and Database Dynamic Registration
@ -2479,9 +2479,9 @@ without needing to update static YAML configuration or restart application or
database agents.
See dynamic registration guides for
[apps](docs/pages/application-access/guides/dynamic-registration.mdx)
[apps](docs/pages/enroll-resources/application-access/guides/dynamic-registration.mdx)
and
[databases](docs/pages/database-access/guides/dynamic-registration.mdx).
[databases](docs/pages/enroll-resources/database-access/guides/dynamic-registration.mdx).
#### RDS Automatic Discovery
@ -2489,7 +2489,7 @@ With RDS auto discovery Teleport database agents can automatically discover RDS
instances and Aurora clusters in an AWS account.
See updated
[RDS guide](docs/pages/database-access/enroll-aws-databases/rds.mdx) for
[RDS guide](docs/pages/enroll-resources/database-access/enroll-aws-databases/rds.mdx) for
more information.
#### WebAuthn
@ -2593,19 +2593,19 @@ Teleport 7.0 is a major release of Teleport that contains new features, improvem
Added support for [MongoDB](https://www.mongodb.com) to Teleport database access. [#6600](https://github.com/gravitational/teleport/issues/6600).
View the [database access with MongoDB](docs/pages/database-access/enroll-self-hosted-databases/mongodb-self-hosted.mdx) for more details.
View the [database access with MongoDB](docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/mongodb-self-hosted.mdx) for more details.
#### Cloud SQL MySQL
Added support for [GCP Cloud SQL MySQL](https://cloud.google.com/sql/docs/mysql) to Teleport database access. [#7302](https://github.com/gravitational/teleport/pull/7302)
View the Cloud SQL MySQL [guide](docs/pages/database-access/enroll-google-cloud-databases/mysql-cloudsql.mdx) for more details.
View the Cloud SQL MySQL [guide](docs/pages/enroll-resources/database-access/enroll-google-cloud-databases/mysql-cloudsql.mdx) for more details.
#### AWS Console
Added support for [AWS Console](https://aws.amazon.com/console) to Teleport application access. [#7590](https://github.com/gravitational/teleport/pull/7590)
Teleport application access can now automatically sign users into the AWS Management Console using [Identity federation](https://aws.amazon.com/identity/federation). View AWS Management Console [guide](docs/pages/application-access/cloud-apis/aws-console.mdx) for more details.
Teleport application access can now automatically sign users into the AWS Management Console using [Identity federation](https://aws.amazon.com/identity/federation). View AWS Management Console [guide](docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx) for more details.
#### Restricted Sessions
@ -2662,7 +2662,7 @@ before upgrading.
Added support for [Amazon Redshift](https://aws.amazon.com/redshift) to Teleport database access.[#6479](https://github.com/gravitational/teleport/pull/6479).
View the [database access with Redshift on AWS guide](docs/pages/database-access/enroll-aws-databases/postgres-redshift.mdx) for more details.
View the [database access with Redshift on AWS guide](docs/pages/enroll-resources/database-access/enroll-aws-databases/postgres-redshift.mdx) for more details.
### Improvements
@ -2798,7 +2798,7 @@ This release of Teleport contains multiple bug fixes.
Teleport 6.0 is a major release with new features, functionality, and bug fixes.
We have implemented [database access](./docs/pages/database-access/introduction.mdx),
We have implemented [database access](./docs/pages/enroll-resources/database-access/database-access.mdx),
open sourced role-based access control (RBAC), and added official API and a Go client library.
Users can review the [6.0 milestone](https://github.com/gravitational/teleport/milestone/33?closed=1) on Github for more details.
@ -2813,26 +2813,26 @@ With database access users can connect to PostgreSQL and MySQL databases using s
##### Getting Started
Configure database access following the [Getting Started](./docs/pages/database-access/introduction.mdx#get-started/) guide.
Configure database access following the [Getting Started](./docs/pages/enroll-resources/database-access/getting-started.mdx/) guide.
##### Guides
* [AWS RDS/Aurora
PostgreSQL](./docs/pages/database-access/enroll-aws-databases/rds.mdx)
* [AWS RDS/Aurora MySQL](./docs/pages/database-access/enroll-aws-databases/rds.mdx)
* [Self-hosted PostgreSQL](./docs/pages/database-access/enroll-self-hosted-databases/postgres-self-hosted.mdx)
* [Self-hosted MySQL](./docs/pages/database-access/enroll-self-hosted-databases/mysql-self-hosted.mdx)
PostgreSQL](./docs/pages/enroll-resources/database-access/enroll-aws-databases/rds.mdx)
* [AWS RDS/Aurora MySQL](./docs/pages/enroll-resources/database-access/enroll-aws-databases/rds.mdx)
* [Self-hosted PostgreSQL](./docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/postgres-self-hosted.mdx)
* [Self-hosted MySQL](./docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/mysql-self-hosted.mdx)
* [GUI clients](docs/pages/connect-your-client/gui-clients.mdx)
##### Resources
To learn more about configuring role-based access control for database access, check out the [RBAC](./docs/pages/database-access/introduction.mdx) section.
To learn more about configuring role-based access control for database access, check out the [RBAC](./docs/pages/enroll-resources/database-access/database-access.mdx) section.
[Architecture](./docs/pages/database-access/introduction.mdx) provides a more in-depth look at database access internals such as networking and security.
[Architecture](./docs/pages/enroll-resources/database-access/database-access.mdx) provides a more in-depth look at database access internals such as networking and security.
See [Reference](./docs/pages/database-access/reference.mdx) for an overview of database access related configuration and CLI commands.
See [Reference](./docs/pages/enroll-resources/database-access/reference.mdx) for an overview of database access related configuration and CLI commands.
Finally, check out [Frequently Asked Questions](docs/pages/database-access/faq.mdx).
Finally, check out [Frequently Asked Questions](docs/pages/enroll-resources/database-access/faq.mdx).
#### OSS RBAC
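Review bot: the new Getting Started link in the `##### Getting Started` line carries a stray trailing slash, `getting-started.mdx/`, left over from the old `#get-started/` anchor; drop it so the link reads `(./docs/pages/enroll-resources/database-access/getting-started.mdx)`. In the `##### Resources` block the RBAC and Architecture links both now resolve to `database-access.mdx`; if that page is one of the generated `(!toc!)` tables of contents described in the commit message, neither link lands on the RBAC or architecture material it promises, so consider pointing them at the specific pages instead.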
@ -3032,7 +3032,7 @@ proxy_service:
cert_file: /etc/letsencrypt/live/*.teleport.example.com/fullchain.pem
```
You can learn more in the [Application Access introduction](./docs/pages/application-access/introduction.mdx).
You can learn more in the [Application Access introduction](./docs/pages/enroll-resources/application-access/introduction.mdx).
##### Teleport Kubernetes access
@ -3480,7 +3480,7 @@ can limit access by changing the options on the new `event` resource.
The minimum set of Kubernetes permissions that need to be granted to Teleport
proxies has been updated. If you use the Kubernetes integration, please make
sure that the ClusterRole used by the proxy has [sufficient
permissions](./docs/pages/kubernetes-access/controls.mdx).
permissions](./docs/pages/enroll-resources/kubernetes-access/controls.mdx).
##### Path prefix for etcd


@ -40,7 +40,7 @@ to Teleport Enterprise customers.
## Step 1/4. Add the Teleport Helm chart repository
(!docs/pages/kubernetes-access/helm/includes/helm-repo-add.mdx!)
(!docs/pages/includes/kubernetes-access/helm/helm-repo-add.mdx!)
## Step 2/4. Set up the Teleport Access Graph service


@ -55,7 +55,7 @@ Each principle has many "Points of Focus" which will apply differently to differ
| CC6.1 - Manages Points of Access | Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. | [Label Nodes to inventory and create rules](../../management/admin/labels.mdx) <br/><br/> [Create Labels from AWS Tags](../../management/guides/ec2-tags.mdx) <br/><br/>Teleport maintains a live list of all nodes within a cluster. This node list can be queried by users (who see a subset they have access to) and administrators any time. |
| CC6.1 - Restricts Access to Information Assets | Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. | [Teleport uses Certificates to grant access and create access control rules](../../core-concepts.mdx) |
| CC6.1 - Manages Identification and Authentication | Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. | Teleport makes setting policies for SSH requirements easy since it works in the cloud and on premise with the same authentication security standards. |
| CC6.1 - Manages Credentials for Infrastructure and Software | New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. | [Invite nodes to your cluster with short lived tokens](../../agents/join-services-to-your-cluster/join-token.mdx) |
| CC6.1 - Manages Credentials for Infrastructure and Software | New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. | [Invite nodes to your cluster with short lived tokens](../../enroll-resources/agents/join-services-to-your-cluster/join-token.mdx) |
| CC6.1 - Uses Encryption to Protect Data | The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. | Teleport Audit logs can use DynamoDB encryption at rest. |
| CC6.1 - Protects Encryption Keys | Processes are in place to protect encryption keys during generation, storage, use, and destruction. | Teleport acts as a Certificate Authority to issue SSH and x509 user certificates that are signed by the CA and are (by default) short-lived. SSH host certificates are also signed by the CA and rotated automatically |
| CC6.2 - Controls Access Credentials to Protected Assets | Information asset access credentials are created based on an authorization from the system&#39;s asset owner or authorized custodian. | [Request Approval from the command line](../../reference/cli/tctl.mdx#tctl-request-approve) <br/><br/> [Build Approval Workflows with Access Requests](../../access-controls/access-requests.mdx) <br/><br/> [Use Plugins to send approvals to tools like Slack or Jira](../../access-controls/access-requests.mdx) |
@ -70,14 +70,14 @@ Each principle has many "Points of Focus" which will apply differently to differ
| CC6.6 - Requires Additional Authentication or Credentials | Additional authentication information or credentials are required when accessing the system from outside its boundaries. | [Yes, Teleport can manage MFA with TOTP, WebAuthn or U2F Standards or connect to your Identity Provider using SAML, OAUTH or OIDC](../../access-controls/sso.mdx) |
| CC6.6 - Implements Boundary Protection Systems | Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts. | [Trusted clusters](../../management/admin/trustedclusters.mdx) |
| CC6.7 - Uses Encryption Technologies or Secure Communication Channels to Protect Data | Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. | [Teleport has strong encryption including a FedRAMP compliant FIPS mode](./fedramp.mdx#start-teleport-in-fips-mode) |
| CC7.2 - Implements Detection Policies, Procedures, and Tools | Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. | [Teleport creates detailed SSH Audit Logs with Metadata](../../reference/audit.mdx) <br/><br/> [Use BPF Session Recording to catch malicious program execution](../../server-access/guides/bpf-session-recording.mdx) |
| CC7.2 - Designs Detection Measures | Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software. | [Use Enhanced Session Recording to catch malicious program execution, capture TCP connections and log programs accessing files on the system the should not be accessing.](../../server-access/guides/bpf-session-recording.mdx) |
| CC7.2 - Implements Detection Policies, Procedures, and Tools | Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. | [Teleport creates detailed SSH Audit Logs with Metadata](../../reference/audit.mdx) <br/><br/> [Use BPF Session Recording to catch malicious program execution](../../enroll-resources/server-access/guides/bpf-session-recording.mdx) |
| CC7.2 - Designs Detection Measures | Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software. | [Use Enhanced Session Recording to catch malicious program execution, capture TCP connections and log programs accessing files on the system the should not be accessing.](../../enroll-resources/server-access/guides/bpf-session-recording.mdx) |
| CC7.3 - Communicates and Reviews Detected Security Events | Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary. | [Use Session recording to replay and review suspicious sessions](../../architecture/session-recording.mdx). |
| CC7.3 - Develops and Implements Procedures to Analyze Security Incidents | Procedures are in place to analyze security incidents and determine system impact. | [Analyze detailed logs and replay recorded sessions to determine impact. See exactly what files were accessed during an incident.](../../server-access/guides/bpf-session-recording.mdx) |
| CC7.3 - Develops and Implements Procedures to Analyze Security Incidents | Procedures are in place to analyze security incidents and determine system impact. | [Analyze detailed logs and replay recorded sessions to determine impact. See exactly what files were accessed during an incident.](../../enroll-resources/server-access/guides/bpf-session-recording.mdx) |
| CC7.4 - Contains Security Incidents | Procedures are in place to contain security incidents that actively threaten entity objectives. | [Use Teleport to quickly revoke access and contain an active incident](../../access-controls/guides/locking.mdx) <br/><br/> [Use Shared Sessions so Multiple On-Call Engineers can collaborate and fight fires together.](../../connect-your-client/tsh.mdx#sharing-sessions) |
| CC7.4 - Ends Threats Posed by Security Incidents | Procedures are in place to mitigate the effects of ongoing security incidents. | [Use Teleport to quickly revoke access and contain an active incident](../../access-controls/guides/locking.mdx) |
| CC7.4 - Obtains Understanding of Nature of Incident and Determines Containment Strategy | An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach. | [Use Teleports Session Recording and Replay along with logs to understand what actions led to an incident.](../../reference/audit.mdx#recorded-sessions) |
| CC7.4 - Evaluates the Effectiveness of Incident Response | The design of incident-response activities is evaluated for effectiveness on a periodic basis. | [Use audit logs and session recordings to find pain points in your incident response plan and improve effectiveness](../../server-access/guides/bpf-session-recording.mdx). |
| CC7.4 - Periodically Evaluates Incidents | Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes. | [Use Session recording and audit logs to find patterns that lead to incidents.](../../server-access/guides/bpf-session-recording.mdx) |
| CC7.5 - Determines Root Cause of the Event | The root cause of the event is determined. | [Use Session recording and audit logs to find root cause.](../../server-access/guides/bpf-session-recording.mdx) |
| CC7.5 - Improves Response and Recovery Procedures | Lessons learned are analyzed and the incident-response plan and recovery procedures are improved. | [Replay Session recordings at your &#39;after action review&#39; or postmortem meetings](../../server-access/guides/bpf-session-recording.mdx) |
| CC7.4 - Evaluates the Effectiveness of Incident Response | The design of incident-response activities is evaluated for effectiveness on a periodic basis. | [Use audit logs and session recordings to find pain points in your incident response plan and improve effectiveness](../../enroll-resources/server-access/guides/bpf-session-recording.mdx). |
| CC7.4 - Periodically Evaluates Incidents | Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes. | [Use Session recording and audit logs to find patterns that lead to incidents.](../../enroll-resources/server-access/guides/bpf-session-recording.mdx) |
| CC7.5 - Determines Root Cause of the Event | The root cause of the event is determined. | [Use Session recording and audit logs to find root cause.](../../enroll-resources/server-access/guides/bpf-session-recording.mdx) |
| CC7.5 - Improves Response and Recovery Procedures | Lessons learned are analyzed and the incident-response plan and recovery procedures are improved. | [Replay Session recordings at your &#39;after action review&#39; or postmortem meetings](../../enroll-resources/server-access/guides/bpf-session-recording.mdx) |
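Review bot: the CC7.4 "Obtains Understanding" row in this hunk's context reads "Use Teleports Session Recording" (missing possessive apostrophe), and the CC7.5 "Improves Response" row escapes its quotes as `&#39;after action review&#39;`; since the hunk already rewrites the link targets in the surrounding rows, it is a good moment to change the first to "Teleport's" and the second to plain quote characters. The rewritten rows correctly move only the `server-access/` links under `enroll-resources/`, while the `access-controls/`, `connect-your-client/` and `reference/` links in the rows above are left alone.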

View file

@ -26,7 +26,7 @@ their on-disk Teleport certificates.
with `tctl auth sign` will no longer be suitable for automation due to the
additional MFA checks.
We recommend using [Machine ID](../../machine-id/getting-started.mdx) to
We recommend using [Machine ID](../../enroll-resources/machine-id/getting-started.mdx) to
issue certificates for automated workflows, which uses role impersonation
that is not subject to MFA checks.

View file

@ -70,7 +70,7 @@ user:
| `pin_source_ip` | Enable source IP pinning for SSH certificates. | Logical "OR" i.e. evaluates to "yes" if at least one role requires session termination |
| `cert_extensions` | Specifies extensions to be included in SSH certificates | |
| `create_host_user_mode` | Allow users to be automatically created on a host | Logical "AND" i.e. if all roles matching a server specify host user creation (`off`, `keep`, `insecure-drop`), it will evaluate to the option specified by all of the roles. If some roles specify both `insecure-drop` or `keep` it will evaluate to `keep`|
| `create_db_user_mode` | Allow [database user auto provisioning](../database-access/auto-user-provisioning.mdx). Options: `off` (disable database user auto-provisioning), `keep` (disables the user at session end, removing the roles and locking it), and `best_effort_drop` (try to drop the user at session end, if it doesn't succeed, fallback to disabling it). | Logical "OR" i.e. if any role allows database user auto-provisioning, it's allowed |
| `create_db_user_mode` | Allow [database user auto provisioning](../enroll-resources/database-access/auto-user-provisioning.mdx). Options: `off` (disable database user auto-provisioning), `keep` (disables the user at session end, removing the roles and locking it), and `best_effort_drop` (try to drop the user at session end, if it doesn't succeed, fallback to disabling it). | Logical "OR" i.e. if any role allows database user auto-provisioning, it's allowed |
## Preset roles
@ -100,7 +100,7 @@ Label | `v3` Default | `v4` and higher Default
`db_labels` | `[{"*": "*"}]` | `[]`
Role `v6` introduced a new field `kubernetes_resources` that allows
fine-grained control over Kubernetes resources. See [Kubernetes RBAC](../kubernetes-access/controls.mdx) for more details.
fine-grained control over Kubernetes resources. See [Kubernetes RBAC](../enroll-resources/kubernetes-access/controls.mdx) for more details.
Version | `kubernetes_resources`
------------------ | --------------

View file

@ -67,7 +67,7 @@ spec:
The preset `editor` role has the required permissions by default.
</Admonition>
Teleport can also import and grant access to resources from an Okta organizations, such as user profiles, groups and applications. You can view connection data in Access Graph. Follow the steps here to add an (../../application-access/okta/hosted-guide.mdx) in your cluster.
Teleport can also import and grant access to resources from an Okta organizations, such as user profiles, groups and applications. You can view connection data in Access Graph. Follow the steps here to add an (../../enroll-resources/application-access/okta/hosted-guide.mdx) in your cluster.
## Next steps
- Explore [connections and resource paths](./policy-connections.mdx) with Access Graph.
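Review bot: the rewritten Okta sentence keeps a broken link: `(../../enroll-resources/application-access/okta/hosted-guide.mdx)` has no `[link text]` in front of it, so MDX renders the path literally and "add an ... in your cluster" is left without its noun. Suggest giving the link a label, for example `[Okta integration](../../enroll-resources/application-access/okta/hosted-guide.mdx)`, and changing "from an Okta organizations" to the singular "from an Okta organization".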

View file

@ -467,6 +467,6 @@ management.
In this example, we used the `tctl auth sign` command to fetch credentials for
the plugin. For production usage, we recommend provisioning short-lived
credentials via Machine ID, which reduces the risk of these credentials becoming
stolen. View our [Machine ID documentation](../machine-id/introduction.mdx) to
stolen. View our [Machine ID documentation](../enroll-resources/machine-id/introduction.mdx) to
learn more.

View file

@ -64,7 +64,7 @@ benefits, here's a quick breakdown:
- Identity File credentials are the most well-rounded in terms of usability,
functionality, and customizability. Identity files can be generated through
`tsh login`, `tctl auth sign`, or with
[Machine ID](../machine-id/introduction.mdx).
[Machine ID](../enroll-resources/machine-id/introduction.mdx).
- Dynamic Identity File credentials are Identity File credentials with support for
reloading credentials from disk. This makes them appropriate for Machine ID
integrations, as you can reload the credentials when Machine ID rotates the

View file

@ -7,10 +7,11 @@ You can use Teleport's API to automatically register resources in your
infrastructure with your Teleport cluster.
Teleport already supports the automatic discovery of [Kubernetes
clusters](../auto-discovery/kubernetes.mdx) in AWS, Azure, and Google Cloud,
as well as [servers](../auto-discovery/servers/ec2-discovery.mdx) on Amazon EC2.
To support other resources and cloud providers, you can use the API to write
your own workflow.
clusters](../enroll-resources/auto-discovery/kubernetes.mdx) in AWS, Azure, and
Google Cloud, as well as
[servers](../enroll-resources/auto-discovery/servers/ec2-discovery.mdx) on
Amazon EC2. To support other resources and cloud providers, you can use the API
to write your own workflow.
In this guide, we will demonstrate some libraries you can use to automatically
register resources with Teleport. We will use an example you can run locally on
@ -967,5 +968,5 @@ In this example, we used the `tctl auth sign` command to fetch credentials for
the program you wrote. For production usage, we recommend provisioning
short-lived credentials via Machine ID, which reduces the risk of these
credentials becoming stolen. View our [Machine ID
documentation](../machine-id/introduction.mdx) to learn more.
documentation](../enroll-resources/machine-id/introduction.mdx) to learn more.

View file

@ -318,7 +318,7 @@ authorizing them. While this step is not strictly necessary with a local
`minikube` cluster, it demonstrates one way to use Teleport to securely access
your external RBAC system's API.
(!docs/pages/kubernetes-access/helm/includes/helm-repo-add.mdx!)
(!docs/pages/includes/kubernetes-access/helm/helm-repo-add.mdx!)
Request a token that the Kubernetes Service will use to join your Teleport
cluster:
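Review bot: the partial include path changes from `docs/pages/kubernetes-access/helm/includes/helm-repo-add.mdx` to `docs/pages/includes/kubernetes-access/helm/helm-repo-add.mdx`; because `(!...!)` partials are resolved at build time, this only works if the partial itself was moved in the same commit. The same rewrite recurs in the Helm deployment hunks further down (together with `teleport-cluster-prereqs.mdx`, `teleport-cluster-install.mdx` and `kubernetes-externaladdress.mdx`), so a grep for `kubernetes-access/helm/includes` across `docs/pages` would confirm that no stale reference to the old include directory remains.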
@ -937,11 +937,11 @@ infrastructure resources you want to manage access to.
See the links below for guides to fields related to different infrastructure
resources:
- [Servers](../server-access/rbac.mdx)
- [Databases](../database-access/rbac.mdx)
- [Kubernetes clusters](../kubernetes-access/controls.mdx)
- [Windows Desktops](../desktop-access/rbac.mdx)
- [Applications](../application-access/controls.mdx)
- [Servers](../enroll-resources/server-access/rbac.mdx)
- [Databases](../enroll-resources/database-access/rbac.mdx)
- [Kubernetes clusters](../enroll-resources/kubernetes-access/controls.mdx)
- [Windows Desktops](../enroll-resources/desktop-access/rbac.mdx)
- [Applications](../enroll-resources/application-access/controls.mdx)
For general guidance, read our [Access Controls
Reference](../access-controls/reference.mdx).
@ -956,9 +956,9 @@ based on your cloud provider's RBAC solution.
Read our guides for how to set up the Teleport Application Service for cloud
provider APIs:
- [AWS](../application-access/cloud-apis/aws-console.mdx)
- [Google Cloud](../application-access/cloud-apis/google-cloud.mdx)
- [Azure](../application-access/cloud-apis/azure.mdx)
- [AWS](../enroll-resources/application-access/cloud-apis/aws-console.mdx)
- [Google Cloud](../enroll-resources/application-access/cloud-apis/google-cloud.mdx)
- [Azure](../enroll-resources/application-access/cloud-apis/azure.mdx)
### Consult examples
@ -974,4 +974,4 @@ In this example, we used the `tctl auth sign` command to fetch credentials for
the program you wrote. For production usage, we recommend provisioning
short-lived credentials via Machine ID, which reduces the risk of these
credentials becoming stolen. View our [Machine ID
documentation](../machine-id/introduction.mdx) to learn more.
documentation](../enroll-resources/machine-id/introduction.mdx) to learn more.

View file

@ -69,7 +69,7 @@ following components:
The Teleport Auth Service runs a certificate authority that issues a host
certificate to an agent when it joins the cluster for the first time. Read [Join
Services to your Teleport Cluster](../agents/join-services-to-your-cluster.mdx)
Services to your Teleport Cluster](../enroll-resources/agents/join-services-to-your-cluster.mdx)
for the available methods you can use to join an agent to your Teleport cluster.
All agents in a Teleport cluster keep the Auth Service updated on their status
@ -119,7 +119,7 @@ agent.
<Details title="Connecting to agents without reverse tunnels">
It is possible to join Teleport agents to a cluster [through the Teleport Auth
Service](../agents/join-services-to-your-cluster/join-token.mdx#start-your-teleport-process-with-the-invite-token).
Service](../enroll-resources/agents/join-services-to-your-cluster/join-token.mdx#start-your-teleport-process-with-the-invite-token).
Once an agent joins a cluster through the Teleport Auth Service, the Teleport
Proxy Service dials the agent directly, without creating a reverse tunnel. This
mode supports the following services:
@ -172,13 +172,13 @@ To learn more about the mechanism an agent uses to authenticate to an
infrastructure resource, read the guide to enrolling that resource in your
Teleport cluster:
- [Applications](../application-access/guides.mdx)
- [Cloud provider APIs](../application-access/cloud-apis.mdx)
- [Databases](../database-access/guides.mdx)
- [Kubernetes clusters](../kubernetes-access/register-clusters.mdx)
- [Linux hosts with Teleport](../server-access/getting-started.mdx)
- [OpenSSH servers](../server-access/openssh.mdx)
- [Windows desktops](../desktop-access/getting-started.mdx)
- [Applications](../enroll-resources/application-access/guides.mdx)
- [Cloud provider APIs](../enroll-resources/application-access/cloud-apis.mdx)
- [Databases](../enroll-resources/database-access/guides.mdx)
- [Kubernetes clusters](../enroll-resources/kubernetes-access/register-clusters.mdx)
- [Linux hosts with Teleport](../enroll-resources/server-access/getting-started.mdx)
- [OpenSSH servers](../enroll-resources/server-access/openssh.mdx)
- [Windows desktops](../enroll-resources/desktop-access/getting-started.mdx)
## Clients to agents
@ -248,11 +248,11 @@ CLI:
|`tsh` command|Upstream infrastructure resource|
|---|---|
|`tsh proxy app`|HTTP and [TCP](../application-access/guides/tcp.mdx) applications|
|`tsh proxy aws`|[AWS SDK applications](../application-access/cloud-apis/aws-console.mdx)|
|`tsh proxy azure`|[Azure SDK applications](../application-access/cloud-apis/azure.mdx)|
|`tsh proxy gcloud`|[Google Cloud SDK applications](../application-access/cloud-apis/google-cloud.mdx)|
|`tsh proxy ssh`|[OpenSSH client traffic](../server-access/openssh/openssh.mdx)|
|`tsh proxy app`|HTTP and [TCP](../enroll-resources/application-access/guides/tcp.mdx) applications|
|`tsh proxy aws`|[AWS SDK applications](../enroll-resources/application-access/cloud-apis/aws-console.mdx)|
|`tsh proxy azure`|[Azure SDK applications](../enroll-resources/application-access/cloud-apis/azure.mdx)|
|`tsh proxy gcloud`|[Google Cloud SDK applications](../enroll-resources/application-access/cloud-apis/google-cloud.mdx)|
|`tsh proxy ssh`|[OpenSSH client traffic](../enroll-resources/server-access/openssh/openssh.mdx)|
|`tsh proxy db`|[Native database clients](../connect-your-client/gui-clients.mdx)|
|`tsh proxy kube`|[Kubernetes clusters behind L7 load balancers](tls-routing.mdx#kubernetes)|
@ -276,4 +276,4 @@ Reference](../reference/audit.mdx).
## Further reading
- For instructions on deploying agents, see the [Teleport agent
guides](../agents/introduction.mdx).
guides](../enroll-resources/agents/introduction.mdx).

View file

@ -143,7 +143,7 @@ services and rotates SSH and X.509 certificates.
Teleport internal services - the Auth Service, Proxy Service, Agents, and Machine ID Bots - use certificates to identify themselves
within a cluster. To join services to the cluster and receive certificates, admins should use
[short-lived tokens or cloud identity services](../agents/join-services-to-your-cluster/join-token.mdx).
[short-lived tokens or cloud identity services](../enroll-resources/agents/join-services-to-your-cluster/join-token.mdx).
Unlike users and services, internal services receive long-lived certificates.

View file

@ -20,7 +20,7 @@ Note that the design of session recording carries some security risks. Namely,
users can conceal terminal commands by encoding them (e.g., using `base64`),
running scripts from disk or the internet, or changing the terminal settings. If
this presents an issue for your environment, consider using the BPF-based
[Enhanced Session Recording](../server-access/guides/bpf-session-recording.mdx)
[Enhanced Session Recording](../enroll-resources/server-access/guides/bpf-session-recording.mdx)
instead.
### Kubernetes sessions
@ -220,6 +220,6 @@ complete it.
## Related reading
- [Recording Proxy Mode](../server-access/guides/recording-proxy-mode.mdx)
- [Recording Proxy Mode](../enroll-resources/server-access/guides/recording-proxy-mode.mdx)
- [SSH recording modes](../reference/audit.mdx#modes)
- [Desktop Access recording](../desktop-access/reference/sessions.mdx)
- [Desktop Access recording](../enroll-resources/desktop-access/reference/sessions.mdx)

View file

@ -77,7 +77,7 @@ which can be used as a `ProxyCommand`.
Similarly to `tsh ssh`, `tsh proxy ssh` establishes a TLS tunnel to Teleport
proxy with `teleport-proxy-ssh` ALPN protocol, which `ssh` then connects over.
See the [OpenSSH client](../server-access/openssh/openssh.mdx) guide for details on
See the [OpenSSH client](../enroll-resources/server-access/openssh/openssh.mdx) guide for details on
how it's configured.
## Reverse tunnels

View file

@ -257,7 +257,7 @@ In general, you can migrate a Machine ID bot using the following steps:
1. Restart `tbot`.
To learn how to restart and configure a Machine ID bot in your infrastructure,
read the [full documentation](../machine-id/deployment.mdx) on deploying a
read the [full documentation](../enroll-resources/machine-id/deployment.mdx) on deploying a
Machine ID Bot.
### Access Request plugins and the Event Handler

View file

@ -78,7 +78,7 @@ S3, are established using encryption provided by AWS, both at rest and in transi
You can connect servers, Kubernetes clusters, databases, desktops, and
applications using [reverse
tunnels](../../agents/join-services-to-your-cluster.mdx).
tunnels](../../enroll-resources/agents/join-services-to-your-cluster.mdx).
There is no need to open any ports on your infrastructure for inbound traffic.
@ -92,7 +92,7 @@ If you plan on connecting more than 10,000 nodes or agents, please contact your
### Are dynamic node tokens available?
After [connecting](#how-can-i-access-the-tctl-admin-tool) `tctl` to Teleport Enterprise Cloud, users can generate
[dynamic tokens](../../agents/join-services-to-your-cluster/join-token.mdx):
[dynamic tokens](../../enroll-resources/agents/join-services-to-your-cluster/join-token.mdx):
```code
$ tctl nodes add --ttl=5m --roles=node,proxy --token=$(uuid)

View file

@ -50,7 +50,7 @@ sessions, so you can review them later.
instructions for Docker on [Docker's
website](https://docs.docker.com/get-docker/). If you want to register servers
in Teleport without using Docker, see the getting started guide for
[server access](../../server-access/getting-started.mdx).
[server access](../../enroll-resources/server-access/getting-started.mdx).
- The `tsh` client tool.
@ -249,4 +249,4 @@ Role-based access control ensures that only authorized users are allowed access
to those resources.
To learn more information about deploying agents, see [Deploy Teleport Agents
with Terraform](../../agents/deploy-agents-terraform.mdx).
with Terraform](../../enroll-resources/agents/deploy-agents-terraform.mdx).

View file

@ -14,7 +14,7 @@ work with Teleport.
- (!docs/pages/includes/tctl.mdx!)
- The Teleport Database Service configured to access a database. See one of our
[guides](../database-access/guides.mdx) for how to set up the Teleport
[guides](../enroll-resources/database-access/guides.mdx) for how to set up the Teleport
Database Service for your database.
### Get connection information

View file

@ -79,7 +79,7 @@ Added PuTTY session for ubuntu@ip-172-31-30-140 [proxy:teleport.example.com]
If you don't provide a login to this command, your local Windows username is used instead.
If you are adding a session for a registered OpenSSH node within your cluster (added with
[`teleport join openssh`](../server-access/openssh/openssh.mdx)), you must specify the `sshd` port
[`teleport join openssh`](../enroll-resources/server-access/openssh/openssh.mdx)), you must specify the `sshd` port
(usually 22) when adding a session with `tsh puttyconfig`:
```bash

View file

@ -141,7 +141,7 @@ with that command executed.
Teleport Connect supports launching applications in the browser, as well as creating
authenticated tunnels for web and TCP applications.
When it comes to [cloud APIs secured with Application Access](../application-access/cloud-apis.mdx),
When it comes to [cloud APIs secured with Application Access](../enroll-resources/application-access/cloud-apis.mdx),
Teleport Connect supports launching the AWS console in the browser, but other CLI applications can
be used only through tsh in [a local terminal tab](#opening-a-local-terminal).
@ -249,7 +249,7 @@ that's why it's not listed in the partial. */}
for [the `role` resource](../access-controls/reference.mdx#rbac-for-dynamic-teleport-resources)).
The agent runs as the current system user, not as root. Some features are thus not available, such
as logging in as other system users or [host user creation](../server-access/guides/host-user-creation.mdx).
as logging in as other system users or [host user creation](../enroll-resources/server-access/guides/host-user-creation.mdx).
### Setup and usage
@ -361,7 +361,7 @@ INFO [AUTH] Attempting registration via proxy server. auth/register.go:279
ERRO [PROC:1] Can not join the cluster as node, the token expired or not found. Regenerate the token and try again. pid:54364.1 service/connect.go:106
```
During the setup, Connect My Computer creates [a join token](../agents/join-services-to-your-cluster/join-token.mdx)
During the setup, Connect My Computer creates [a join token](../enroll-resources/agents/join-services-to-your-cluster/join-token.mdx)
that is valid for up to five minutes. If the logs say that the token has expired, it most likely
means that the initial attempt to join the cluster has failed and you started another one after more
than five minutes.

View file

@ -381,7 +381,7 @@ every day. This doesn't work for non-interactive scripts, like cron jobs or a
CI/CD pipeline.
The most secure way to generate certificates for automation purposes is to use
[Machine ID](../machine-id/introduction.mdx). This ensures that your automation
[Machine ID](../enroll-resources/machine-id/introduction.mdx). This ensures that your automation
is taking advantage of the security properties of short-lived credentials.
If Machine ID does not support your preferred CI/CD platform, you can create a

View file

@ -68,7 +68,7 @@ Proxies HTTP and TCP traffic to user-configured endpoints, e.g., internal web
applications or the AWS Console.
Read more about the [Teleport Application
Service](./application-access/introduction.mdx).
Service](./enroll-resources/application-access/introduction.mdx).
### Teleport Database Service
@ -76,21 +76,21 @@ Proxies TCP traffic in the native protocols of popular databases, including
PostgreSQL and MySQL.
Read more about the [Teleport Database
Service](./database-access/introduction.mdx).
Service](./enroll-resources/database-access/database-access.mdx).
### Teleport Desktop Service
Proxies Remote Desktop Protocol traffic to Windows desktops.
Read more about the [Teleport Desktop
Service](./desktop-access/introduction.mdx).
Service](./enroll-resources/desktop-access/introduction.mdx).
### Teleport Kubernetes Service
Proxies HTTP traffic to the Kubernetes API server.
Read more about the [Teleport Kubernetes
Service](./kubernetes-access/introduction.mdx)
Service](./enroll-resources/kubernetes-access/introduction.mdx)
### Teleport SSH Service
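Review bot: the Database Service link in this hunk is the only one whose target file changes as well as its directory (`./database-access/introduction.mdx` becomes `./enroll-resources/database-access/database-access.mdx`), while the Application, Desktop, Kubernetes and SSH Service links all stay on `introduction.mdx`. This is consistent with `database-access/introduction.mdx` being deleted in this same commit, but it is easy to misread as a typo, so a redirect from the old path or a note in the PR description would help. Separately, the Kubernetes Service sentence (`Service](./enroll-resources/kubernetes-access/introduction.mdx)`) is still missing its trailing period, unlike the three sentences around it.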
@ -98,7 +98,7 @@ An SSH server implementation that allows users to execute commands on remote
machines while taking advantage of Teleport's built-in access controls,
auditing, and session recording.
Read more about the [Teleport SSH Service](./server-access/introduction.mdx).
Read more about the [Teleport SSH Service](./enroll-resources/server-access/introduction.mdx).
### Machine ID
@ -113,7 +113,7 @@ vulnerable to attacks the longer they remain in use.
Unlike other **Teleport services**, Machine ID runs via the `tbot` binary,
rather than the `teleport` binary.
Read more in our [Machine ID guide](./machine-id/introduction.mdx).
Read more in our [Machine ID guide](./enroll-resources/machine-id/introduction.mdx).
### Agent

View file

@ -1,72 +0,0 @@
---
title: Database Access
description: Teleport database access introduction, demo and resources.
---
Teleport can provide secure connections to your databases while improving both
access control and visibility.
Some of the things you can do with database access:
- Enable users to retrieve short-lived database certificates using a Single Sign-On
flow, thus maintaining their organization-wide identity.
- Configure role-based access controls for databases and implement custom
[Access Request](../access-controls/access-requests.mdx) workflows.
- Capture database activity in the Teleport audit log.
Teleport protects databases through the Teleport Database Service, which is a
Teleport agent service. For more information on agent services, read [Teleport
Agent Architecture](../architecture/agents.mdx). You can also learn how to
deploy a [pool of Teleport agents](../agents/introduction.mdx) to run multiple
agent services.
![Teleport Database Access Diagram](../../img/database-access/architecture.svg)
## Get started
- [Getting started](./getting-started.mdx): Connect Aurora PostgreSQL in a 10
minute guide.
## Connect your database
Learn how to set up secure access to databases in your infrastructure.
- [Self-hosted](./enroll-self-hosted-databases.mdx) databases, regardless of
cloud provider
- Managed [Amazon Web Services](./enroll-aws-databases.mdx) databases
- Managed [Google Cloud](./enroll-google-cloud-databases.mdx) databases
- Managed [Microsoft Azure](./enroll-azure-databases.mdx) databases
- [Database-specific cloud platforms](./enroll-managed-databases.mdx) such as
Snowflake and MongoDB Atlas
## Manage the Teleport Database Service
The Teleport Database Service proxies connections to databases protected by
Teleport. Read more about deploying the Teleport Database Service and
enrolling databases:
- [High Availability](./guides/ha.mdx): Learn how to deploy
multiple instances of the Teleport Database Service to proxy the same set of
databases.
- [Dynamic Registration](./guides/dynamic-registration.mdx): Learn how to enroll
databases without re-deploying the Teleport Database Service.
## Learn more
To learn more about configuring role-based access control for database access,
check out the [RBAC](./rbac.mdx) section.
Learn how to configure [automatic user
provisioning](./auto-user-provisioning.mdx), which removes the need for creating
individual user accounts in advance or using the same set of shared database
accounts for all users.
See [Reference](./reference.mdx) for an overview of database access-related
configuration and CLI commands.
If you hit any issues, check out the [Troubleshooting
documentation](./troubleshooting.mdx) for common problems and solutions.
## FAQ
Finally, check out [Frequently Asked Questions](./faq.mdx).
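Review bot: this deletes the entire Database Access introduction, not just its link targets: the architecture diagram (`../../img/database-access/architecture.svg`), the explanation that the Database Service is an agent service with a pointer to the agent architecture page, and the curated links to the RBAC, automatic user provisioning, High Availability and Dynamic Registration guides. If the replacement table-of-contents page under `enroll-resources/database-access/` does not carry the diagram and that short explanation, the material is lost, and any external link to the old `database-access/introduction` URL will 404 unless a redirect is added; please confirm which of the two applies.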

View file

@ -794,7 +794,7 @@ To add new nodes/EC2 servers that you can "SSH into" you'll need to:
- [Run Teleport - we recommend using systemd](../../management/admin/daemon.mdx)
- [Set the correct settings in /etc/teleport.yaml](../../reference/config.mdx)
- [Add Nodes to the Teleport
cluster](../../agents/join-services-to-your-cluster.mdx)
cluster](../../enroll-resources/agents/join-services-to-your-cluster.mdx)
### Getting the SSH Service join token
@ -806,13 +806,13 @@ $ aws ssm get-parameter --region <Var name="us-west-2" /> --name "/teleport/${CL
# 992a9725-0a64-428d-8e5e-308e6877743d
```
You can also generate an SSH Service join token using `tctl tokens add --type=node` [as detailed here in our admin guide](../../agents/join-services-to-your-cluster/join-token.mdx).
You can also generate an SSH Service join token using `tctl tokens add --type=node` [as detailed here in our admin guide](../../enroll-resources/agents/join-services-to-your-cluster/join-token.mdx).
### Joining agents to the cluster
The easiest way to quickly join nodes to your cluster is to use the "Enroll New Resource" wizard in the Teleport web UI.
To manually join Teleport agents to your cluster, you will need [a join token](../../agents/join-services-to-your-cluster/join-token.mdx).
To manually join Teleport agents to your cluster, you will need [a join token](../../enroll-resources/agents/join-services-to-your-cluster/join-token.mdx).
You should join your agents using the public facing Proxy Service address - `teleport.example.com:443` for our
example.

View file

@ -726,7 +726,7 @@ To add new nodes/EC2 servers that you can "SSH into" you'll need to:
- [Run Teleport - we recommend using systemd](../../management/admin/daemon.mdx)
- [Set the correct settings in /etc/teleport.yaml](../../reference/config.mdx)
- [Add Nodes to the Teleport
cluster](../../agents/join-services-to-your-cluster.mdx)
cluster](../../enroll-resources/agents/join-services-to-your-cluster.mdx)
## Troubleshooting

View file

@ -15,7 +15,7 @@ order to protect a Kubernetes cluster with Teleport, and it is possible to
enroll a Kubernetes cluster on Teleport Cloud or by running the Teleport
Kubernetes Service on a Linux server. For instructions on enrolling a Kubernetes
cluster with Teleport, read the [Kubernetes
Access](../kubernetes-access/introduction.mdx) documentation.
Access](../enroll-resources/kubernetes-access/introduction.mdx) documentation.
## Helm deployment guides

View file

@ -8,7 +8,7 @@ In this guide, we'll use Teleport Helm charts to set up a high-availability Tele
<Admonition type="tip" title="Have an existing Teleport cluster?">
If you are already running Teleport on another platform, you can use your
existing Teleport deployment to access your Kubernetes cluster. [Follow our
guide](../../kubernetes-access/getting-started.mdx) to connect your Kubernetes
guide](../../enroll-resources/kubernetes-access/getting-started.mdx) to connect your Kubernetes
cluster to Teleport.
</Admonition>
@ -16,7 +16,7 @@ cluster to Teleport.
## Prerequisites
(!docs/pages/kubernetes-access/helm/includes/teleport-cluster-prereqs.mdx!)
(!docs/pages/includes/kubernetes-access/helm/teleport-cluster-prereqs.mdx!)
### Choose a Kubernetes namespace and Helm release name
@ -33,11 +33,11 @@ cluster to Teleport.
## Step 1/7. Install Helm
(!docs/pages/kubernetes-access/helm/includes/teleport-cluster-install.mdx!)
(!docs/pages/includes/kubernetes-access/helm/teleport-cluster-install.mdx!)
## Step 2/7. Add the Teleport Helm chart repository
(!docs/pages/kubernetes-access/helm/includes/helm-repo-add.mdx!)
(!docs/pages/includes/kubernetes-access/helm/helm-repo-add.mdx!)
## Step 3/7. Set up AWS IAM configuration

View file

@ -11,7 +11,7 @@ Blob Storage).
<Admonition type="tip" title="Have an existing Teleport cluster?">
If you are already running Teleport on another platform, you can use your
existing Teleport deployment to access your Kubernetes cluster. [Follow our
guide](../../kubernetes-access/getting-started.mdx) to connect your Kubernetes
guide](../../enroll-resources/kubernetes-access/getting-started.mdx) to connect your Kubernetes
cluster to Teleport.
</Admonition>
@ -19,7 +19,7 @@ cluster to Teleport.
## Prerequisites
(!docs/pages/kubernetes-access/helm/includes/teleport-cluster-prereqs.mdx!)
(!docs/pages/includes/kubernetes-access/helm/teleport-cluster-prereqs.mdx!)
In addition, you will need `azure-cli` 2.51 or later to follow along these
instructions. Reference the Azure docs on [how to install the Azure
@ -47,7 +47,7 @@ $ az aks update --resource-group <Var name="aks-rg" /> --name <Var name="aks-nam
## Step 1/5. Add the Teleport Helm chart repository
(!docs/pages/kubernetes-access/helm/includes/helm-repo-add.mdx!)
(!docs/pages/includes/kubernetes-access/helm/helm-repo-add.mdx!)
## Step 2/5. Set up PostgreSQL and Blob Storage

View file

@ -15,7 +15,7 @@ version of the Helm charts.
If you are already running Teleport on another platform, you can use your
existing Teleport deployment to access your Kubernetes cluster. [Follow our
guide](../../kubernetes-access/getting-started.mdx) to connect your Kubernetes
guide](../../enroll-resources/kubernetes-access/getting-started.mdx) to connect your Kubernetes
cluster to Teleport.
## Prerequisites
@ -26,11 +26,11 @@ If you are running an older Teleport version, use the version selector at the to
of this page to choose the correct version.
</Admonition>
(!docs/pages/kubernetes-access/helm/includes/teleport-cluster-prereqs.mdx!)
(!docs/pages/includes/kubernetes-access/helm/teleport-cluster-prereqs.mdx!)
## Step 1/3. Add the Teleport Helm chart repository
(!docs/pages/kubernetes-access/helm/includes/helm-repo-add.mdx!)
(!docs/pages/includes/kubernetes-access/helm/helm-repo-add.mdx!)
## Step 2/3. Setting up a Teleport cluster with Helm using a custom config
@ -235,7 +235,7 @@ If you didn't set up DNS for your hostname earlier, remember to replace
`teleport.example.com` with the external IP or hostname of the Kubernetes load
balancer.
(!docs/pages/kubernetes-access/helm/includes/kubernetes-externaladdress.mdx!)
(!docs/pages/includes/kubernetes-access/helm/kubernetes-externaladdress.mdx!)
You should modify your command accordingly and replace `teleport.example.com` with
either the IP or hostname depending on which you have available. You may need

View file

@ -8,7 +8,7 @@ Kubernetes.
If you are already running Teleport on another platform, you can use your
existing Teleport deployment to access your Kubernetes cluster. [Follow our
guide](../../kubernetes-access/getting-started.mdx) to connect your Kubernetes
guide](../../enroll-resources/kubernetes-access/getting-started.mdx) to connect your Kubernetes
cluster to Teleport.
(!docs/pages/includes/cloud/call-to-action.mdx!)
@ -33,7 +33,7 @@ While the Kubernetes cluster is being provisioned, follow the "Getting Started"
## Step 2/4. Install Teleport
(!docs/pages/kubernetes-access/helm/includes/helm-repo-add.mdx!)
(!docs/pages/includes/kubernetes-access/helm/helm-repo-add.mdx!)
Install Teleport in your Kubernetes cluster using the `teleport-cluster` Helm
chart:
@ -276,7 +276,7 @@ guide](../../reference/helm-reference/teleport-cluster.mdx).
Read our guides to additional ways you can protect a Kubernetes cluster with
Teleport:
- Connect another Kubernetes cluster to Teleport by [deploying the Teleport Kubernetes Service](../../kubernetes-access/getting-started.mdx)
- [Set up Machine ID with Kubernetes](../../machine-id/access-guides/kubernetes.mdx)
- [Single-Sign On and Kubernetes Access Control](../../kubernetes-access/controls.mdx)
- Connect another Kubernetes cluster to Teleport by [deploying the Teleport Kubernetes Service](../../enroll-resources/kubernetes-access/getting-started.mdx)
- [Set up Machine ID with Kubernetes](../../enroll-resources/machine-id/access-guides/kubernetes.mdx)
- [Single-Sign On and Kubernetes Access Control](../../enroll-resources/kubernetes-access/controls.mdx)

View file

@ -8,18 +8,18 @@ using Teleport Helm charts and Google Cloud Platform products (Firestore and Goo
If you are already running Teleport on another platform, you can use your
existing Teleport deployment to access your Kubernetes cluster. [Follow our
guide](../../kubernetes-access/getting-started.mdx) to connect your Kubernetes
guide](../../enroll-resources/kubernetes-access/getting-started.mdx) to connect your Kubernetes
cluster to Teleport.
(!docs/pages/includes/cloud/call-to-action.mdx!)
## Prerequisites
(!docs/pages/kubernetes-access/helm/includes/teleport-cluster-prereqs.mdx!)
(!docs/pages/includes/kubernetes-access/helm/teleport-cluster-prereqs.mdx!)
## Step 1/6. Add the Teleport Helm chart repository
(!docs/pages/kubernetes-access/helm/includes/helm-repo-add.mdx!)
(!docs/pages/includes/kubernetes-access/helm/helm-repo-add.mdx!)
<Admonition
type="note"

View file

@ -14,7 +14,7 @@ Kubernetes cluster via the Teleport cluster running within it.
If you are already running the Teleport Auth Service and Proxy Service on
another platform, you can use your existing Teleport deployment to access your
Kubernetes cluster. [Follow our
guide](../../kubernetes-access/getting-started.mdx) to connect your Kubernetes
guide](../../enroll-resources/kubernetes-access/getting-started.mdx) to connect your Kubernetes
cluster to Teleport.
(!docs/pages/includes/cloud/call-to-action.mdx!)
@ -102,7 +102,7 @@ It is worth noting that this guide shows you how to set up Kubernetes access
with the broadest set of permissions. This is suitable for a personal demo
cluster, but if you would like to set up Kubernetes RBAC for production usage,
we recommend getting familiar with the [Teleport Kubernetes RBAC
guide](../../kubernetes-access/controls.mdx) before you begin.
guide](../../enroll-resources/kubernetes-access/controls.mdx) before you begin.
</Notice>
@ -121,7 +121,7 @@ To deploy the Teleport Auth Service and Proxy Service on your Kubernetes
cluster, follow the instructions below to install the `teleport-cluster` Helm
chart.
1. (!docs/pages/kubernetes-access/helm/includes/helm-repo-add.mdx!)
1. (!docs/pages/includes/kubernetes-access/helm/helm-repo-add.mdx!)
1. Create a namespace for Teleport and configure its Pod Security Admission,
which enforces security standards on pods in the namespace:
@ -378,11 +378,11 @@ cluster.
[reference guide](../../reference/helm-reference/teleport-cluster.mdx).
- **Register resources:** You can register all of the Kubernetes clusters in
your infrastructure with Teleport. To start, read our [Auto-Discovery
guides](../../auto-discovery/kubernetes.mdx) to see how to automatically
guides](../../enroll-resources/auto-discovery/kubernetes.mdx) to see how to automatically
register every cluster in your cloud. You can also register servers,
databases, applications, and Windows desktops.
- **Fine-tune your Kubernetes RBAC:** While the user you created in this guide
can access the `system:masters` role, you can set up Teleport's RBAC to enable
fine-grained controls for accessing Kubernetes resources. See our [Kubernetes
Access Controls Guide](../../kubernetes-access/controls.mdx) for more
Access Controls Guide](../../enroll-resources/kubernetes-access/controls.mdx) for more
information.

View file

@ -560,9 +560,9 @@ separate network from your Teleport cluster.
To get started, read about registering:
- [Applications](../application-access/getting-started.mdx)
- [Servers](../server-access/getting-started.mdx)
- [Kubernetes clusters](../kubernetes-access/getting-started.mdx)
- [Databases](../database-access/getting-started.mdx)
- [Windows desktops](../desktop-access/introduction.mdx)
- [Bot users](../machine-id/getting-started.mdx)
- [Applications](../enroll-resources/application-access/getting-started.mdx)
- [Servers](../enroll-resources/server-access/getting-started.mdx)
- [Kubernetes clusters](../enroll-resources/kubernetes-access/getting-started.mdx)
- [Databases](../enroll-resources/database-access/getting-started.mdx)
- [Windows desktops](../enroll-resources/desktop-access/introduction.mdx)
- [Bot users](../enroll-resources/machine-id/getting-started.mdx)

View file

@ -142,7 +142,7 @@ Visit the provided URL in order to create your Teleport user.
will get authentication errors later in this tutorial.
If a user does not already exist, you can create it with `adduser <login>` or
use [host user creation](../server-access/guides/host-user-creation.mdx).
use [host user creation](../enroll-resources/server-access/guides/host-user-creation.mdx).
If you do not have the permission to create new users on the Linux host, run
`tctl users add teleport $(whoami)` to explicitly allow Teleport to
@ -205,4 +205,4 @@ Step 4 showed you how to install agents manually, and you can also launch agents
and enroll resources with them using infrastructure-as-code tools. For example,
you can use Terraform to declare a pool of Teleport agents and configure them to
proxy your infrastructure. Read [Deploy Teleport Agents with
Terraform](../agents/deploy-agents-terraform.mdx) to get started.
Terraform](../enroll-resources/agents/deploy-agents-terraform.mdx) to get started.

View file

@ -84,19 +84,20 @@ protocol it supports. To enable access to a protocol, deploy the appropriate
Teleport service and configure it to communicate with resources in your
infrastructure.
Set up the [Teleport Discovery Service](./auto-discovery/introduction.mdx) to
automatically enroll infrastructure resources in your Teleport cluster.
Set up the [Teleport Discovery
Service](./enroll-resources/auto-discovery/auto-discovery.mdx) to automatically
enroll infrastructure resources in your Teleport cluster.
Read about how to enable access to:
- [Servers](./server-access/getting-started.mdx), including OpenSSH servers that
[do not have Teleport installed](./server-access/openssh/openssh.mdx)
- [Kubernetes clusters](./kubernetes-access/introduction.mdx)
- [Databases](./database-access/introduction.mdx)
- [Applications](./application-access/introduction.mdx)
- [Remote desktops](./desktop-access/introduction.mdx)
- [Servers](./enroll-resources/server-access/getting-started.mdx), including OpenSSH servers that
[do not have Teleport installed](./enroll-resources/server-access/openssh/openssh.mdx)
- [Kubernetes clusters](./enroll-resources/kubernetes-access/introduction.mdx)
- [Databases](./enroll-resources/database-access/database-access.mdx)
- [Applications](./enroll-resources/application-access/introduction.mdx)
- [Remote desktops](./enroll-resources/desktop-access/introduction.mdx)
You can also set up [Machine ID](./machine-id/introduction.mdx) to enable
You can also set up [Machine ID](./enroll-resources/machine-id/introduction.mdx) to enable
service accounts to access resources in your infrastructure with short-lived
credentials.
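Review bot: the link targets in this hunk follow two naming conventions: Auto-Discovery now points at `auto-discovery/auto-discovery.mdx` and Databases at `database-access/database-access.mdx`, while Kubernetes clusters, Applications, Remote desktops and Machine ID still point at `introduction.mdx` inside their sections. If those two sections' introduction pages were renamed rather than given a new page alongside `introduction.mdx`, the old `introduction.mdx` URLs for them need redirects; in either case, run the docs link check so that any `.mdx` target missing under `enroll-resources/` fails the build instead of shipping as a dead link.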

View file

@ -0,0 +1,6 @@
---
title: Using Teleport Agents
description: How to use Teleport Agents, which allow you to enroll infrastructure resources with Teleport
---
(!toc!)

View file

@ -23,7 +23,7 @@ resources:
- Compute instances to run Teleport services
- A join token for each compute instance in the agent pool
![A Teleport agent pool](../../img/tf-agent-diagram.png)
![A Teleport agent pool](../../../img/tf-agent-diagram.png)
## Prerequisites
@ -35,7 +35,7 @@ We recommend following this guide on a fresh Teleport demo cluster so you can
see how an agent pool works. After you are familiar with the setup, apply the
lessons from this guide to protect your infrastructure. You can get started with
a demo cluster using:
- A demo deployment on a [Linux server](../index.mdx)
- A demo deployment on a [Linux server](../../index.mdx)
- A [Teleport Enterprise Cloud trial](https://goteleport.com/signup)
</Admonition>
@ -56,7 +56,7 @@ a demo cluster using:
- An identity file for the Teleport Terraform provider. Make sure you are
familiar with [how to set up the Teleport Terraform
provider](../management/dynamic-resources/terraform-provider.mdx) before
provider](../../management/dynamic-resources/terraform-provider.mdx) before
following this guide.
- (!docs/pages/includes/tctl.mdx!)
@ -416,7 +416,7 @@ directory.
The Teleport Terraform provider creates these on the Auth Service backend, and
the relevant Teleport services query them in order to proxy user traffic. For a
full list of supported resources and fields, see the [Terraform provider
reference](../reference/terraform-provider.mdx).
reference](../../reference/terraform-provider.mdx).
<Tabs>
<TabItem label="Application">
@ -477,7 +477,7 @@ each instance to add configuration settings to, for example, the
To see how to configure each service, read its section of the documentation:
- [SSH Service](../server-access/introduction.mdx)
- [Database Service](../database-access/introduction.mdx)
- [Database Service](../database-access/database-access.mdx)
- [Kubernetes Service](../kubernetes-access/introduction.mdx)
- [Windows Desktop Service](../desktop-access/introduction.mdx)
- [Application Service](../application-access/introduction.mdx)

View file

@ -19,14 +19,14 @@ To protect infrastructure resources with Teleport, you deploy Teleport Agents
and configure them to proxy traffic to and from the resources.
We recommend getting started with [Teleport
Auto-Discovery](../auto-discovery/introduction.mdx), in which the Teleport
Auto-Discovery](../auto-discovery/auto-discovery.mdx), in which the Teleport
Discovery Service registers infrastructure resources with your cluster by
polling service discovery endpoints. For information on enrolling a specific
type of infrastructure resource, read the following sections of the
documentation:
- [Servers](../server-access/introduction.mdx)
- [Databases](../database-access/introduction.mdx)
- [Databases](../database-access/database-access.mdx)
- [Kubernetes clusters](../kubernetes-access/introduction.mdx)
- [Windows desktops](../desktop-access/introduction.mdx)
- [Applications](../application-access/introduction.mdx)
@ -35,14 +35,14 @@ documentation:
This section provides a brief outline of how Teleport Agents run in a Teleport
cluster. For more information on the architecture of Teleport Agents, read
[Teleport Agent Architecture](../architecture/agents.mdx).
[Teleport Agent Architecture](../../architecture/agents.mdx).
### Services
Each Teleport process can run one or more **services**. A Teleport instance runs
a service if it is enabled within the instance's configuration file. See the
[Teleport Configuration
Reference](../reference/config.mdx#enabling-teleport-services) for which
Reference](../../reference/config.mdx#enabling-teleport-services) for which
services are enabled by default and how to enable a particular service.
### Agent pools
@ -59,7 +59,7 @@ The Teleport Proxy Service uses these reverse tunnels to forward traffic in
Teleport's supported protocols to an available Agent. Agents apply RBAC
rules and forward the traffic to resources in your infrastructure.
![Diagram showing the architecture of an Agent pool](../../img/agent-pool-diagram.png)
![Diagram showing the architecture of an Agent pool](../../../img/agent-pool-diagram.png)
Read our guide for how to use Terraform to [deploy a pool of
Agents](deploy-agents-terraform.mdx).

View file

@ -220,7 +220,7 @@ Copy the CA pin and assign it to the value of <Var name="ca-pin" />.
<Notice type="warning">
The CA pin becomes invalid if a Teleport administrator performs the CA rotation
by executing [`tctl auth rotate`](../../reference/cli/tctl.mdx#tctl-auth-rotate).
by executing [`tctl auth rotate`](../../../reference/cli/tctl.mdx#tctl-auth-rotate).
</Notice>
@ -334,4 +334,4 @@ $ tctl tokens rm <Var name="token-to-delete"/>
## Next steps
- If you have workloads split across different networks or clouds, we recommend
setting up trusted clusters. Read how to get started in [Configure Trusted Clusters](../../management/admin/trustedclusters.mdx).
setting up trusted clusters. Read how to get started in [Configure Trusted Clusters](../../../management/admin/trustedclusters.mdx).

View file

@ -27,7 +27,7 @@ as the Auth Service.
## Prerequisites
- A running Teleport cluster in Kubernetes. For details on how to set this up,
see [Guides for running Teleport using Helm](../../deploy-a-cluster/helm-deployments.mdx).
see [Guides for running Teleport using Helm](../../../deploy-a-cluster/helm-deployments.mdx).
- Editor access to the Kubernetes cluster running the Teleport cluster.
You must be able to create Namespaces and Deployments.
- A Teleport user with `access` role, or any other role that allows access to
@ -36,7 +36,7 @@ as the Auth Service.
existing Teleport Auth Service pods.
- The Auth Service ServiceAccount must be granted the `system:auth-delegator`
ClusterRole. Clusters deployed with the [`teleport-cluster` Helm
chart](../../reference/helm-reference/teleport-cluster.mdx) version 12 or
chart](../../../reference/helm-reference/teleport-cluster.mdx) version 12 or
higher have the correct role by default.
## Step 1/5. Create a Kubernetes join token
@ -240,6 +240,6 @@ namespace "teleport-agent" deleted
## Going further
- The possible values for `teleport-kube-agent` chart are documented
[in its reference](../../reference/helm-reference/teleport-kube-agent.mdx).
[in its reference](../../../reference/helm-reference/teleport-kube-agent.mdx).
- See [Application Access Guides](../../application-access/guides.mdx)
- See [Database Access Guides](../../database-access/guides.mdx)

View file

@ -0,0 +1,6 @@
---
title: Applications
description: Guides to using Teleport to protect web applications, cloud provider APIs, and more.
---
(!toc!)

View file

@ -19,4 +19,4 @@ Learn how to protect your cloud provider APIs with Teleport:
- [Azure CLI applications](./cloud-apis/azure.mdx)
- [Azure CLI applications (AKS with Workload ID deployment)](./cloud-apis/azure-aks-workload-id.mdx)
- [Google Cloud CLI applications](./cloud-apis/google-cloud.mdx)
- [GCP Web Console Access with Workforce Identity Federation and Teleport SAML IdP](../access-controls/idps/saml-gcp-workforce-identity-federation.mdx)
- [GCP Web Console Access with Workforce Identity Federation and Teleport SAML IdP](../../access-controls/idps/saml-gcp-workforce-identity-federation.mdx)

View file

@ -459,7 +459,7 @@ Application Service:
uri: "https://console.aws.amazon.com/ec2/v2/home"
```
1. (!docs/pages/kubernetes-access/helm/includes/helm-repo-add.mdx!)
1. (!docs/pages/includes/kubernetes-access/helm/helm-repo-add.mdx!)
1. Install the Helm chart for Teleport agent services, `teleport-kube-agent`:
@ -558,13 +558,13 @@ to AWS, users can access AWS resources through Teleport.
1. Click the **Launch** button for the AWS Console application, then click on
the role you would like to assume when signing in to the AWS Console:
![IAM role selector](../../../img/application-access/iam-role-selector.png)
![IAM role selector](../../../../img/application-access/iam-role-selector.png)
1. You will get redirected to the AWS Management Console, signed in with the
selected role. You should see your Teleport user name as a federated login
assigned to `ExampleReadOnlyRole` in the top-right corner of the AWS Console:
![Federated login](../../../img/application-access/federated-login@2x.png)
![Federated login](../../../../img/application-access/federated-login@2x.png)
### Access the AWS CLI
@ -666,7 +666,7 @@ To view CloudTrail events for your federated sessions, navigate to the CloudTrai
Each Teleport federated login session uses a Teleport username as the federated
username which you can search for to get the events history:
![CloudTrail](../../../img/application-access/cloud-trail.png)
![CloudTrail](../../../../img/application-access/cloud-trail.png)
## Troubleshooting
@ -798,7 +798,7 @@ user's permitted ARNs based on data from the IdP:
```
See the [Teleport Access Controls
Reference](../../access-controls/reference.mdx#template-expressions-for-access-to-infrastructure-resources)
Reference](../../../access-controls/reference.mdx#template-expressions-for-access-to-infrastructure-resources)
for all of the variables and functions you can use in the `aws_role_arns` field.
### Register the AWS application dynamically

View file

@ -221,8 +221,8 @@ teleport-azure-access-agent-0 1/1 Running 0 99s
your Teleport users can only manage Azure resources temporarily, with no
longstanding admin roles for attackers to hijack. View our documentation on
[Role Access
Requests](../../access-controls/access-requests/role-requests.mdx) and
[Access Request plugins](../../access-controls/access-request-plugins.mdx).
Requests](../../../access-controls/access-requests/role-requests.mdx) and
[Access Request plugins](../../../access-controls/access-request-plugins.mdx).
- Consult the Azure documentation for information about [Azure managed
identities](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)
and how to [manage user-assigned managed
@ -233,5 +233,5 @@ teleport-azure-access-agent-0 1/1 Running 0 99s
- For full details on how Teleport populates the `internal` and `external`
traits we illustrated in the Teleport roles within this guide, see
the [Teleport Access Controls
Reference](../../access-controls/reference.mdx).
Reference](../../../access-controls/reference.mdx).

View file

@ -78,7 +78,7 @@ your VM belongs to.
In the **Name** field, enter `teleport-azure`.
![Creating an Azure managed
identity](../../../img/application-access/azure/create-identity.png)
identity](../../../../img/application-access/azure/create-identity.png)
Click **Review + create**, then **Create**.
@ -107,7 +107,7 @@ Within the **Add role assignment** screen, click **Reader**, a built-in role
with view-only access to resources.
![Add a role
assignment](../../../img/application-access/azure/add-role-assignment.png)
assignment](../../../../img/application-access/azure/add-role-assignment.png)
Scroll to the bottom of the screen and click **Next**.
@ -119,7 +119,7 @@ On the right sidebar, find the **Managed identity** dropdown menu and select
created earlier.
![Select managed
identities](../../../img/application-access/azure/select-managed-identities.png)
identities](../../../../img/application-access/azure/select-managed-identities.png)
Click **Select**, then **Review + assign**.
@ -145,13 +145,13 @@ On the right side panel, click the **Identity** tab, then within the
the `teleport-azure` identity. Click **Add**.
![Add an identity to a
VM](../../../img/application-access/azure/vm-identity.png)
VM](../../../../img/application-access/azure/vm-identity.png)
Navigate back to **Identity** tab in the page for your Azure VM. You should see
the new identity listed in the **User assigned** sub-tab:
![Verifying that you added the
identity](../../../img/application-access/azure/verify-id.png)
identity](../../../../img/application-access/azure/verify-id.png)
## Step 2/4. Deploy the Teleport Application Service
@ -223,8 +223,8 @@ Application Service host.
your Teleport users can only manage Azure resources temporarily, with no
longstanding admin roles for attackers to hijack. View our documentation on
[Role Access
Requests](../../access-controls/access-requests/role-requests.mdx) and
[Access Request plugins](../../access-controls/access-request-plugins.mdx).
Requests](../../../access-controls/access-requests/role-requests.mdx) and
[Access Request plugins](../../../access-controls/access-request-plugins.mdx).
- Consult the Azure documentation for information about [Azure managed
identities](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)
and how to [manage user-assigned managed
@ -235,5 +235,5 @@ Application Service host.
- For full details on how Teleport populates the `internal` and `external`
traits we illustrated in the Teleport roles within this guide, see
the [Teleport Access Controls
Reference](../../access-controls/reference.mdx).
Reference](../../../access-controls/reference.mdx).

View file

@ -630,8 +630,8 @@ command.
ensure that your Teleport users can only manage Google Cloud resources
temporarily, with no longstanding admin roles for attackers to hijack. View
our documentation on [Role Access
Requests](../../access-controls/access-requests/role-requests.mdx) and [Access
Request plugins](../../access-controls/access-request-plugins.mdx).
Requests](../../../access-controls/access-requests/role-requests.mdx) and [Access
Request plugins](../../../access-controls/access-request-plugins.mdx).
- You can proxy any `gcloud` or `gsutil` command via Teleport. For a full
reference of commands, view the Google Cloud documentation for
[`gcloud`](https://cloud.google.com/sdk/gcloud/reference) and
@ -639,5 +639,5 @@ command.
- For full details on how Teleport populates the `internal` and `external`
traits we illustrated in the Teleport roles within this guide, see
the [Teleport Access Controls
Reference](../../access-controls/reference.mdx).
Reference](../../../access-controls/reference.mdx).

View file

@ -132,19 +132,19 @@ for more information on enabling access to Azure managed identities.
## Next steps
- View access controls [Getting Started](../access-controls/getting-started.mdx)
and other available [guides](../access-controls/guides.mdx).
- View access controls [Getting Started](../../access-controls/getting-started.mdx)
and other available [guides](../../access-controls/guides.mdx).
- For full details on how Teleport populates the `internal` and `external`
traits we illustrated in this guide, see the [Teleport Access
Controls Reference](../access-controls/reference.mdx).
- View access controls [Getting Started](../access-controls/getting-started.mdx)
and other available [guides](../access-controls/guides.mdx).
Controls Reference](../../access-controls/reference.mdx).
- View access controls [Getting Started](../../access-controls/getting-started.mdx)
and other available [guides](../../access-controls/guides.mdx).
- Learn about using [JWT tokens](./jwt/introduction.mdx) to implement access
controls in your application.
- Integrate with your identity provider:
- [OIDC](../access-controls/sso/oidc.mdx)
- [ADFS](../access-controls/sso/adfs.mdx)
- [Azure AD](../access-controls/sso/azuread.mdx)
- [Google Workspace](../access-controls/sso/google-workspace.mdx)
- [Onelogin](../access-controls/sso/one-login.mdx)
- [Okta](../access-controls/sso/okta.mdx)
- [OIDC](../../access-controls/sso/oidc.mdx)
- [ADFS](../../access-controls/sso/adfs.mdx)
- [Azure AD](../../access-controls/sso/azuread.mdx)
- [Google Workspace](../../access-controls/sso/google-workspace.mdx)
- [Onelogin](../../access-controls/sso/one-login.mdx)
- [Okta](../../access-controls/sso/okta.mdx)
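Review bot: the "View access controls [Getting Started] ... and other available [guides]" bullet appears twice in this Next steps list (once at the top and again right after the Access Controls Reference item), and the change updates the relative path in both copies rather than removing the duplicate. Suggest dropping the second occurrence so the list goes from the `internal`/`external` traits item straight to the JWT tokens item.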

View file

@ -123,7 +123,7 @@ $ helm install example-grafana grafana/grafana \
<Tabs>
<TabItem label="Docker">
Select a Teleport edition, then follow the [Installation](../installation.mdx) instructions
Select a Teleport edition, then follow the [Installation](../../installation.mdx) instructions
for your environment.
To install on Linux:
@ -154,7 +154,7 @@ access to a different web application.
</TabItem>
<TabItem label="Kubernetes cluster">
(!docs/pages/kubernetes-access/helm/includes/helm-repo-add.mdx!)
(!docs/pages/includes/kubernetes-access/helm/helm-repo-add.mdx!)
Install the `teleport-kube-agent` Helm chart into your Kubernetes cluster to proxy Grafana
with a command similar to the following:

View file

@ -155,10 +155,10 @@ Connect to Athena with the ODBC or JDBC driver:
Start DBeaver and add an "Athena" connection. Enter the username (AWS access
key) and password (AWS secret key) from the `tsh proxy aws` output:
![DBeaver main](../../../img/application-access/guides/athena-dbeaver-main.png)
![DBeaver main](../../../../img/application-access/guides/athena-dbeaver-main.png)
Then fill in the `ProxyHost` and `ProxyPort` settings in "Driver properties":
![DBeaver main](../../../img/application-access/guides/athena-dbeaver-properties.png)
![DBeaver main](../../../../img/application-access/guides/athena-dbeaver-properties.png)
Click "Finish". Now you can connect to your Athena database.
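Review bot: both screenshots in this hunk keep the alt text `DBeaver main`, but the second image shows the Driver properties dialog where `ProxyHost` and `ProxyPort` are entered. Since the line is already being touched for the path change, give that image a distinct alt text such as `DBeaver driver properties` so the two images are distinguishable to screen readers.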

View file

@ -4,7 +4,7 @@ description: In this getting started guide, learn how to connect an application
---
Download the latest version of Teleport for your platform from the [downloads page](https://goteleport.com/download)
and follow the installation [instructions](../../installation.mdx).
and follow the installation [instructions](../../../installation.mdx).
## Start Auth/Proxy service
@ -327,7 +327,7 @@ rewritten:
- Any header matching the pattern `X-Forwarded-*`
Rewritten header values support the same templating variables as
[role templates](../../access-controls/guides/role-templates.mdx). In the
[role templates](../../../access-controls/guides/role-templates.mdx). In the
example above, `X-Internal-Trait` header will be populated with the value of
internal user trait `logins` and `X-External-Trait` header will get the value of
the user's external `env` trait coming from the identity provider.
@ -338,7 +338,7 @@ a JWT token signed by Teleport that contains user identity information. See
For full details on configuring Teleport roles, including how Teleport
populates the `external` and `internal` traits, see the [Teleport Access
Controls Reference](../../access-controls/reference.mdx).
Controls Reference](../../../access-controls/reference.mdx).
### Configuring the JWT token

View file

@ -14,10 +14,10 @@ This guide will help you to:
<Tabs>
<TabItem scope={["oss", "enterprise"]} label="Self-Hosted">
![DynamoDB Self-Hosted](../../../img/application-access/guides/dynamodb_selfhosted.png)
![DynamoDB Self-Hosted](../../../../img/application-access/guides/dynamodb_selfhosted.png)
</TabItem>
<TabItem scope={["cloud"]} label="Teleport Enterprise Cloud">
![DynamoDB Cloud](../../../img/application-access/guides/dynamodb_cloud.png)
![DynamoDB Cloud](../../../../img/application-access/guides/dynamodb_cloud.png)
</TabItem>
</Tabs>

View file

@ -149,5 +149,5 @@ $ psql postgres://postgres@localhost:55868/postgres
## Next steps
- Learn about [access controls](../controls.mdx) for applications.
- Learn how to [connect to TCP apps with VNet](../../connect-your-client/vnet.mdx) and
- Learn how to [connect to TCP apps with VNet](../../../connect-your-client/vnet.mdx) and
[configure VNet for custom `public_addr`](vnet.mdx).

View file

@ -109,7 +109,7 @@ app_service:
## Step 4/4. Connect
Once you [start VNet](../../connect-your-client/vnet.mdx), you should be able to connect to the
Once you [start VNet](../../../connect-your-client/vnet.mdx), you should be able to connect to the
application over the custom `public_addr` using the application client you would normally use to
connect to it. You might need to restart VNet if it was already running while you were making
changes to the cluster.
@ -161,7 +161,7 @@ an address for the TUN device from a range offered by one of those clusters.
### Configuring leaf cluster apps
To make a [leaf cluster](../../management/admin/trustedclusters.mdx) app accessible over a custom
To make a [leaf cluster](../../../management/admin/trustedclusters.mdx) app accessible over a custom
`public_addr`, you need to follow the same steps while being logged in directly to the leaf cluster.
```code
@ -187,7 +187,7 @@ app is [a TCP app](tcp.mdx), so they can be made available over VNet as well. Yo
- [JWT Token](../jwt/introduction.mdx), [redirect](connecting-apps.mdx#rewrite-redirect) and
[header rewrites](connecting-apps.mdx#headers-passthrough) are not available for TCP apps.
- Teleport records the start and the end of a session for TCP apps in the audit log, but [session
chunks](../../architecture/session-recording.mdx#app-sessions) are not captured.
chunks](../../../architecture/session-recording.mdx#app-sessions) are not captured.
When accessing an HTTP API through VNet, the same caveats apply as above, with one main exception.
Since API clients don't need to respect HSTS, the API itself does not need to be served over HTTPS.

View file

@ -1,5 +1,5 @@
---
title: Protect Applications with Teleport
title: Introduction to Enrolling Applications
description: How to set up Teleport to protect applications and cloud provider APIs
---
@ -15,14 +15,14 @@ Examples include:
- Infrastructure dashboards, such as Kubernetes or Grafana.
- Developer tools, such as Jenkins, GitLab, or Opsgenie.
![Application access architecture](../../img/application-access/architecture.png)
![Application access architecture](../../../img/application-access/architecture.png)
If you are running applications on Kubernetes, you can [enroll them in your
Teleport cluster automatically](../auto-discovery/kubernetes-applications.mdx).
Teleport protects applications through the Teleport Application Service, which
is a Teleport agent service. For more information on agent services, read
[Teleport Agent Architecture](../architecture/agents.mdx). You can also learn
[Teleport Agent Architecture](../../architecture/agents.mdx). You can also learn
how to deploy a [pool of Teleport agents](../agents/introduction.mdx) to run
multiple agent services.

View file

@ -96,7 +96,7 @@ top of the screen.
On the left sidebar, click **Enroll New Integration** to visit the
"Enroll New Integration" page:
![Enroll an Access Request plugin](../../../img/enterprise/plugins/enroll.png)
![Enroll an Access Request plugin](../../../../img/enterprise/plugins/enroll.png)
Select the Okta tile, and then Teleport will then ask for
- your Okta organization URL, and
@ -165,7 +165,7 @@ When filters are added, the results of the user group or application list will u
the results of your filter applied. This allows you to see what will be imported at this
particular time.
![Filtering Okta User Groups](../../../img/enterprise/plugins/okta/okta-access-list-group-filtering.png)
![Filtering Okta User Groups](../../../../img/enterprise/plugins/okta/okta-access-list-group-filtering.png)
## Configuring SCIM provisioning
@ -189,7 +189,7 @@ To recap the enrollment "Set Up SCIM" guide:
1. Click **Edit** on the Okta **App Settings** page, check the box marked
**Enable SCIM provisioning**, and click **Save**.
![Enable SCIM](../../../img/enterprise/plugins/okta/scim-enable.png)
![Enable SCIM](../../../../img/enterprise/plugins/okta/scim-enable.png)
### Configure Okta SCIM Client
1. Click on the new **Provisioning** tab and then click **Edit**.
@ -207,7 +207,7 @@ To recap the enrollment "Set Up SCIM" guide:
page.
1. Click **Save**
![Configure SCIM Client](../../../img/enterprise/plugins/okta/scim-configure.png)
![Configure SCIM Client](../../../../img/enterprise/plugins/okta/scim-configure.png)
### Configure Okta-To-App Provisioning
1. Staying on the **Provisioning** tab, go to the new **To App** Okta
@ -218,7 +218,7 @@ To recap the enrollment "Set Up SCIM" guide:
1. Deactivate Users
1. Click **Save**
![Configure SCIM Provisioning](../../../img/enterprise/plugins/okta/scim-provisioning.png)
![Configure SCIM Provisioning](../../../../img/enterprise/plugins/okta/scim-provisioning.png)
For more information about how the Okta integration manages Teleport resources,
see the [Synchronization with Okta and SCIM](./sync-scim.mdx) guide.
@ -266,7 +266,7 @@ to delete the corresponding Teleport accounts. Once the Teleport accounts have
been automatically deleted you can proceed to delete the integration.
Teleport user accounts can also be manually deleted with `tctl`. For more
information, see the Teleport [Local Users](../../management/admin/users.mdx#deleting-users)
information, see the Teleport [Local Users](../../../management/admin/users.mdx#deleting-users)
guide.
<Admonition type="note">


@ -42,7 +42,7 @@ Okta does not send SCIM updates to Teleport when a user is merely suspended. Eve
## Prerequisites
(!docs/pages/includes/commercial-prereqs-tabs.mdx!)
- [Authentication With Okta as an SSO Provider](../../access-controls/sso/okta.mdx)
- [Authentication With Okta as an SSO Provider](../../../access-controls/sso/okta.mdx)
## Step 1/2. Installing the Teleport SCIM integration
@ -106,7 +106,7 @@ If your Okta app has assigned users *before* SCIM provisioning is enabled, you
will need to trigger their provisioning explicitly. This can be done by
selecting the *Provision Users* button on the Okta app Assignments page.
![Provision Existing Users](../../../img/enterprise/plugins/okta/scim-provision-existing-users.png)
![Provision Existing Users](../../../../img/enterprise/plugins/okta/scim-provision-existing-users.png)
<Admonition>
We have seen some Okta instances that are missing the Provision Users button.


@ -44,7 +44,7 @@ a specific Okta application.
The integration [enrolment process](./hosted-guide.mdx) creates an Okta SAML
Application to use as the identity provider for a new
[SAML Authentication Connector](../../access-controls/sso/okta.mdx). The enrolment
[SAML Authentication Connector](../../../access-controls/sso/okta.mdx). The enrolment
process automatically configures the Okta integration to use this same
application, giving the Okta administrator a single point of integration to
administer and secure.


@ -65,7 +65,7 @@ app_service:
For full details on configuring Teleport roles, including how Teleport
populates the `external` traits, see the [Teleport Access Controls
Reference](../access-controls/reference.mdx).
Reference](../../access-controls/reference.mdx).
## Application resource


@ -17,7 +17,4 @@ registered on the Auth Service backend.
Set up Teleport auto-discovery for resources in your infrastructure:
- [Servers](./servers.mdx)
- [Kubernetes clusters](./kubernetes.mdx)
- [Databases](./databases.mdx)
- [Applications deployed on Kubernetes](./kubernetes-applications.mdx)
(!toc!)
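Review bot: replacing the four explicit links with `(!toc!)` drops the hand-written link text ("Applications deployed on Kubernetes", etc.), so the generated list will show whatever each page's frontmatter `title` is; check that the titles of the four target pages are descriptive enough to stand in for the removed labels, otherwise the list becomes less useful than the one it replaces.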


@ -151,7 +151,7 @@ Here's how it works in detail:
For more information about Discovery Service configuration, refer to
[one of the guides above](#supported-clouds) or the
[Discovery Service Configuration Reference](../reference/config.mdx#discovery-service).
[Discovery Service Configuration Reference](../../reference/config.mdx#discovery-service).
## How the Database Service works
@ -168,7 +168,7 @@ database that the `db` resource represents.
The Database Service must have network connectivity to the database endpoint and
permissions to authenticate to the database.
The permissions it needs vary by database type, so refer to Teleport's
[database access guides](../database-access/introduction.mdx#connect-your-database)
[database access guides](../database-access/database-access.mdx)
for detailed permissions information.
## Database Service configuration
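Review bot: the rewritten link on the fifth and sixth lines drops the `#connect-your-database` anchor, so readers looking for per-database permissions now land at the top of the new table-of-contents page instead of the section that listed them. If the new page has no equivalent section, consider linking to the per-database guides' index heading or restoring an anchor that exists on `database-access.mdx`.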


@ -102,6 +102,6 @@ For the Application Service, make sure that labels in `resources` field are defi
You can configure the scope of the Discovery Service. For more information, see
[`teleport-kube-agent` helm chart
documentation](../../reference/helm-reference/teleport-kube-agent.mdx).
documentation](../../../reference/helm-reference/teleport-kube-agent.mdx).


@ -6,7 +6,7 @@ description: This guide is a comprehensive reference of configuration options fo
## Configuring Teleport agent Helm chart
You can configure scope of services discovery by setting value `kubernetesDiscovery` of the chart. For more information
please see [helm chart documentation](../../reference/helm-reference/teleport-kube-agent.mdx#kubernetesdiscovery).
please see [helm chart documentation](../../../reference/helm-reference/teleport-kube-agent.mdx#kubernetesdiscovery).
`values.yaml` example:
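Review bot: while touching this paragraph, the surrounding context sentence reads awkwardly ("configure scope of services discovery by setting value `kubernetesDiscovery` of the chart. For more information please see"); suggest "configure the scope of service discovery by setting the chart's `kubernetesDiscovery` value. For more information, see the [helm chart documentation](...)".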
@ -61,7 +61,7 @@ app_service:
Label `teleport.dev/kubernetes-cluster` should match value of `discovery_group` field in the Discovery Service config.
For more information you can take a look at [`discovery_service`](../../reference/config.mdx#discovery-service) and [`app_service`](../../reference/config.mdx#application-service) configuration references.
For more information you can take a look at [`discovery_service`](../../../reference/config.mdx#discovery-service) and [`app_service`](../../../reference/config.mdx#application-service) configuration references.
## Annotations


@ -79,20 +79,20 @@ resources:
page in your Azure portal and click *Create* to create a new user-assigned
managed identity:
![Managed identities](../../../img/azure/managed-identities@2x.png)
![Managed identities](../../../../img/azure/managed-identities@2x.png)
Pick a name and resource group for the new identity and create it:
![New identity](../../../img/server-access/guides/azure/new-identity@2x.png)
![New identity](../../../../img/server-access/guides/azure/new-identity@2x.png)
Take note of the created identity's *Client ID*:
![Created identity](../../../img/server-access/guides/azure/created-identity@2x.png)
![Created identity](../../../../img/server-access/guides/azure/created-identity@2x.png)
Next, navigate to the Azure VM that will run your Discovery Service instance and
add the identity you've just created to it:
![VM identity](../../../img/server-access/guides/azure/vm-identity@2x.png)
![VM identity](../../../../img/server-access/guides/azure/vm-identity@2x.png)
Attach this identity to all Azure VMs that will be running the Discovery
Service.
@ -108,18 +108,18 @@ resources:
Go to the [App registrations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps)
page of your Azure Active Directory and click on *New registration*:
![App registrations](../../../img/azure/app-registrations@2x.png)
![App registrations](../../../../img/azure/app-registrations@2x.png)
Pick a name (e.g. *DiscoveryService*) and register a new application. Once the
app has been created, take note of its *Application (client) ID* and click on
*Add a certificate or secret*:
![Registered app](../../../img/server-access/guides/azure/registered-app@2x.png)
![Registered app](../../../../img/server-access/guides/azure/registered-app@2x.png)
Create a new client secret that the Discovery Service agent will use to
authenticate with the Azure API:
![Registered app secrets](../../../img/azure/registered-app-secrets@2x.png)
![Registered app secrets](../../../../img/azure/registered-app-secrets@2x.png)
The Teleport Discovery Service uses Azure SDK's default credential provider chain to
look for credentials. Refer to [Azure SDK Authorization](https://docs.microsoft.com/en-us/azure/developer/go/azure-sdk-authorization)
@ -183,13 +183,13 @@ Now go to the [Subscriptions](https://portal.azure.com/#view/Microsoft_Azure_Bil
Click on *Access control (IAM)* in the subscription and select *Add > Add custom role*:
<Figure align="left">
![IAM custom role](../../../img/azure/add-custom-role@2x.png)
![IAM custom role](../../../../img/azure/add-custom-role@2x.png)
</Figure>
In the custom role creation page, click the *JSON* tab and click *Edit*, then paste the JSON example
and replace the subscription in `assignableScopes` with your own subscription id:
<Figure align="left">
![Create JSON role](../../../img/server-access/guides/azure/vm-create-role-from-json@2x.png)
![Create JSON role](../../../../img/server-access/guides/azure/vm-create-role-from-json@2x.png)
</Figure>
### Create a role assignment for the Teleport Discovery Service principal
@ -305,6 +305,6 @@ logs can be found on the targeted VM at
- Read [Joining Nodes via Azure Managed Identity](../../agents/join-services-to-your-cluster/azure.mdx)
for more information on Azure tokens.
- Full documentation on Azure discovery configuration can be found through the [
config file reference documentation](../../reference/config.mdx).
config file reference documentation](../../../reference/config.mdx).
- The complete default installer can be found [with the Teleport source
](https://github.com/gravitational/teleport/blob/branch/v(=teleport.major_version=)/api/types/installers/installer.sh.tmpl).


@ -351,6 +351,6 @@ for more information on IAM Invite Tokens.
Manager can be found for in the [AWS Cloud Operations & Migrations Blog
](https://aws.amazon.com/blogs/mt/applying-managed-instance-policy-best-practices/).
- Full documentation on EC2 discovery configuration can be found through the [
config file reference documentation](../../reference/config.mdx).
config file reference documentation](../../../reference/config.mdx).
- The complete default installer can be found [with the Teleport source
](https://github.com/gravitational/teleport/blob/branch/v(=teleport.major_version=)/api/types/installers/installer.sh.tmpl).
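Review bot: the context line "Manager can be found for in the [AWS Cloud Operations & Migrations Blog" has a stray "for"; since this hunk is already being edited, suggest "Manager can be found in the [AWS Cloud Operations & Migrations Blog".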


@ -77,7 +77,7 @@ discover instances.
- `iam.serviceAccounts.get`
- `iam.serviceAccounts.list`
![Custom role](../../../img/server-access/guides/gcp/custom-role@2x.png)
![Custom role](../../../../img/server-access/guides/gcp/custom-role@2x.png)
Click *Create*.
@ -86,13 +86,13 @@ discover instances.
(e.g. `teleport-discovery`) and copy its email address to your clipboard.
Click *Create and Continue*.
![Service account](../../../img/server-access/guides/gcp/create-service-account@2x.png)
![Service account](../../../../img/server-access/guides/gcp/create-service-account@2x.png)
Go to [IAM](https://console.cloud.google.com/iam-admin/iam) and click *Grant Access*.
Paste the service account's email into the *New principals* field and select
your custom role. Click *Save*.
![Role assignment](../../../img/server-access/guides/gcp/assign-role-to-service-account@2x.png)
![Role assignment](../../../../img/server-access/guides/gcp/assign-role-to-service-account@2x.png)
</TabItem>
<TabItem label="gcloud">
Copy the following and paste it into a file called `teleport-discovery-role.yaml`:
@ -272,9 +272,9 @@ for details on alternate methods.
## Next steps
- Read [Joining Services via GCP](../../agents/join-services-to-your-cluster/gcp.mdx)
- Read [Joining Services via GCP](../../../enroll-resources/agents/join-services-to-your-cluster/gcp.mdx)
for more information on GCP tokens.
- Full documentation on GCP discovery configuration can be found through the [
config file reference documentation](../../reference/config.mdx).
config file reference documentation](../../../reference/config.mdx).
- The complete default installer can be found [with the Teleport source
](https://github.com/gravitational/teleport/blob/branch/v(=teleport.major_version=)/api/types/installers/installer.sh.tmpl).
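Review bot: the new GCP join link on the third line climbs three levels and re-enters `enroll-resources/agents/...`, whereas the equivalent Azure hunk leaves its join link at `../../agents/join-services-to-your-cluster/azure.mdx`; both forms resolve to the same directory only if the GCP guide sits two levels below `enroll-resources`, so either form is fine, but use one consistently. Suggest `../../agents/join-services-to-your-cluster/gcp.mdx` to match the Azure guide and the `config.mdx` pattern used two lines below.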


@ -62,6 +62,6 @@ Users created within the database will:
## Next steps
- Connect using your [GUI database client](../../connect-your-client/gui-clients.mdx).
- Learn about [role templating](../../access-controls/guides/role-templates.mdx#interpolation-rules).
- Connect using your [GUI database client](../../../connect-your-client/gui-clients.mdx).
- Learn about [role templating](../../../access-controls/guides/role-templates.mdx#interpolation-rules).
- Read automatic user provisioning [RFD](https://github.com/gravitational/teleport/blob/master/rfd/0113-automatic-database-users.md).


@ -161,6 +161,6 @@ database queries in the Teleport Audit Logs, when the Teleport username is over
## Next steps
- Connect using your [GUI database client](../../connect-your-client/gui-clients.mdx).
- Learn about [role templating](../../access-controls/guides/role-templates.mdx#interpolation-rules).
- Connect using your [GUI database client](../../../connect-your-client/gui-clients.mdx).
- Learn about [role templating](../../../access-controls/guides/role-templates.mdx#interpolation-rules).
- Read automatic user provisioning [RFD](https://github.com/gravitational/teleport/blob/master/rfd/0113-automatic-database-users.md).


@ -126,6 +126,6 @@ Users created within the database will:
## Next steps
- Learn more about MongoDB [built-in roles](https://www.mongodb.com/docs/manual/reference/built-in-roles/) and [User-Defined Roles](https://www.mongodb.com/docs/manual/core/security-user-defined-roles/).
- Connect using your [GUI database client](../../connect-your-client/gui-clients.mdx).
- Learn about [role templating](../../access-controls/guides/role-templates.mdx#interpolation-rules).
- Connect using your [GUI database client](../../../connect-your-client/gui-clients.mdx).
- Learn about [role templating](../../../access-controls/guides/role-templates.mdx#interpolation-rules).
- Read automatic user provisioning [RFD](https://github.com/gravitational/teleport/blob/master/rfd/0113-automatic-database-users.md).


@ -130,6 +130,6 @@ endpoints. Please use auto-user provisioning on the primary endpoints.
## Next steps
- Connect using your [GUI database client](../../connect-your-client/gui-clients.mdx).
- Learn about [role templating](../../access-controls/guides/role-templates.mdx#interpolation-rules).
- Connect using your [GUI database client](../../../connect-your-client/gui-clients.mdx).
- Learn about [role templating](../../../access-controls/guides/role-templates.mdx#interpolation-rules).
- Read automatic user provisioning [RFD](https://github.com/gravitational/teleport/blob/master/rfd/0113-automatic-database-users.md).


@ -272,13 +272,13 @@ admin user through Teleport.
## Next steps
- Connect using your [GUI database
client](../../connect-your-client/gui-clients.mdx).
client](../../../connect-your-client/gui-clients.mdx).
- Learn about [role
templating](../../access-controls/guides/role-templates.mdx#interpolation-rules).
templating](../../../access-controls/guides/role-templates.mdx#interpolation-rules).
- Read automatic user provisioning [RFD](https://github.com/gravitational/teleport/blob/master/rfd/0113-automatic-database-users.md).
- Read database permission management [RFD](https://github.com/gravitational/teleport/blob/master/rfd/0151-database-permission-management.md).
- The `internal.db_roles` traits we illustrated in this guide
are replaced with values from the Teleport local user database. For full
details on how variable expansion works in Teleport roles, see the [Teleport
Access Controls Reference](../../access-controls/reference.mdx).
Access Controls Reference](../../../access-controls/reference.mdx).


@ -0,0 +1,25 @@
---
title: Databases
description: Teleport database access introduction, demo and resources.
---
Teleport can provide secure connections to your databases while improving both
access control and visibility.
Some of the things you can do with database access:
- Enable users to retrieve short-lived database certificates using a Single Sign-On
flow, thus maintaining their organization-wide identity.
- Configure role-based access controls for databases and implement custom
[Access Request](../../access-controls/access-requests.mdx) workflows.
- Capture database activity in the Teleport audit log.
Teleport protects databases through the Teleport Database Service, which is a
Teleport agent service. For more information on agent services, read [Teleport
Agent Architecture](../../architecture/agents.mdx). You can also learn how to
deploy a [pool of Teleport agents](../agents/introduction.mdx) to run multiple
agent services.
![Teleport Database Access Diagram](../../../img/database-access/architecture.svg)
(!toc!)
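Review bot: the frontmatter `description` promises an "introduction, demo and resources", but the new page contains no demo, only the three-bullet summary, the architecture paragraph, the diagram and the generated `(!toc!)` list; suggest "Teleport database access introduction and guides." so the description matches what the page actually offers.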


@ -11,10 +11,10 @@ description: How to configure Teleport database access with Amazon Keyspaces (Ap
<Tabs>
<TabItem scope={["oss", "enterprise"]} label="Self-Hosted">
![Teleport Database Access Redis Self-Hosted](../../../img/database-access/guides/cassandra_keyspaces_selfhosted.png)
![Teleport Database Access Redis Self-Hosted](../../../../img/database-access/guides/cassandra_keyspaces_selfhosted.png)
</TabItem>
<TabItem scope={["cloud"]} label="Teleport Enterprise Cloud">
![Teleport Database Access Redis Cloud](../../../img/database-access/guides/cassandra_keyspaces_cloud.png)
![Teleport Database Access Redis Cloud](../../../../img/database-access/guides/cassandra_keyspaces_cloud.png)
</TabItem>
</Tabs>
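Review bot: the alt text on both changed image lines says "Teleport Database Access Redis Self-Hosted" / "Redis Cloud" while the files are `cassandra_keyspaces_selfhosted.png` and `cassandra_keyspaces_cloud.png`; since the lines are being rewritten anyway, correct the alt text to "Teleport Database Access Keyspaces Self-Hosted" and "Teleport Database Access Keyspaces Cloud".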
@ -90,7 +90,7 @@ Create an AWS IAM Role that will be used as your Keyspaces user.
Go to the IAM -> Access Management -> [Roles](https://console.aws.amazon.com/iamv2/home#/roles).
Press Create Role.
![Create Role Step 1](../../../img/database-access/guides/keyspaces/create-role-step1.png)
![Create Role Step 1](../../../../img/database-access/guides/keyspaces/create-role-step1.png)
AWS provides the `AmazonKeyspacesReadOnlyAccess` and `AmazonKeyspacesFullAccess` IAM policies that you can incorporate into your Keyspaces user's role.
You can choose `AmazonKeyspacesReadOnlyAccess` for read-only access to Amazon Keyspaces or `AmazonKeyspacesFullAccess` for full access.
@ -101,9 +101,9 @@ You can choose `AmazonKeyspacesReadOnlyAccess` for read-only access to Amazon Ke
You can also create your own custom Amazon Keyspaces Permissions Policies: [Amazon Keyspaces identity-based policy examples](https://docs.aws.amazon.com/keyspaces/latest/devguide/security_iam_id-based-policy-examples.html).
</Admonition>
![Create Role Step 1](../../../img/database-access/guides/keyspaces/create-role-step2.png)
![Create Role Step 1](../../../../img/database-access/guides/keyspaces/create-role-step2.png)
Enter a role name and press "Create role".
![Create Role Step 1](../../../img/database-access/guides/keyspaces/create-role-step3.png)
![Create Role Step 1](../../../../img/database-access/guides/keyspaces/create-role-step3.png)
## Step 4/5. Give Teleport permissions to assume roles
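Review bot: both changed image lines in this hunk carry the alt text "Create Role Step 1" although the files are `create-role-step2.png` and `create-role-step3.png`; while rewriting these paths, update the alt text to "Create Role Step 2" and "Create Role Step 3" so screen readers and broken-image fallbacks match the step being shown.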


@ -16,10 +16,10 @@ request with credentials from AWS, then forwards it to the DynamoDB API.
<Tabs>
<TabItem scope={["oss", "enterprise"]} label="Self-Hosted">
![DynamoDB Self-Hosted](../../../img/database-access/guides/aws-dynamodb_selfhosted.png)
![DynamoDB Self-Hosted](../../../../img/database-access/guides/aws-dynamodb_selfhosted.png)
</TabItem>
<TabItem scope={["cloud"]} label="Teleport Enterprise Cloud">
![DynamoDB Cloud](../../../img/database-access/guides/aws-dynamodb_cloud.png)
![DynamoDB Cloud](../../../../img/database-access/guides/aws-dynamodb_cloud.png)
</TabItem>
</Tabs>
@ -56,7 +56,7 @@ Visit the [IAM > Roles page](https://console.aws.amazon.com/iamv2/home#/roles) o
the AWS Console, then press "Create Role". Under **Trusted entity type** select
"AWS service". Under **Use case** select "EC2", then click **Next**.
![Create Role to Identify EC2 Instance](../../../img/database-access/guides/dynamodb-create-ec2-role.png)
![Create Role to Identify EC2 Instance](../../../../img/database-access/guides/dynamodb-create-ec2-role.png)
On the "Add Permissions" page, you can simply click **Next** since this role does not require any permissions. In this guide, we will use the example name `TeleportDatabaseService` for this role. Once you have chosen a name, click **Create Role** to complete the process.
@ -66,11 +66,11 @@ Navigate back to the Roles page and create a new role. Select the "AWS account"
option, which creates a default trust policy to allow other entities in this
account to assume this role:
![Create Role Step 1](../../../img/database-access/guides/dynamodb-create-role-1.png)
![Create Role Step 1](../../../../img/database-access/guides/dynamodb-create-role-1.png)
Click **Next**. Find the AWS-managed policy `AmazonDynamoDBFullAccess` and then select the policy:
![Create Role Step 2](../../../img/database-access/guides/dynamodb-create-role-2.png)
![Create Role Step 2](../../../../img/database-access/guides/dynamodb-create-role-2.png)
<Admonition type="note" title="Apply least-privilege permissions">
The `AmazonDynamoDBFullAccess` policy may grant more permissions than desired.
@ -216,7 +216,7 @@ $ aws dynamodb list-tables --endpoint-url=http://localhost:8000
}
```
You can also connect to this database from the AWS NoSQL Workbench, as documented in our [Database Access GUI Clients](../../connect-your-client/gui-clients.mdx#nosql-workbench) guide.
You can also connect to this database from the AWS NoSQL Workbench, as documented in our [Database Access GUI Clients](../../../connect-your-client/gui-clients.mdx#nosql-workbench) guide.
You can also use this tunnel for programmatic access. The example below uses the `boto3` SDK from AWS:
