openshift · EricPonvelle · Dec 2, 2024
diff --git a/_topic_maps/_topic_map_rosa.yml b/_topic_maps/_topic_map_rosa.yml
@@ -270,6 +270,8 @@ Topics:
     File: rosa-hcp-creating-a-cluster-quickly-terraform
 - Name: Creating ROSA with HCP clusters using a custom AWS KMS encryption key
   File: rosa-hcp-creating-cluster-with-aws-kms-key
+- Name: Configuring a shared virtual private cloud for ROSA with HCP clusters
+  File: rosa-hcp-shared-vpc-config
 - Name: Creating a private cluster on ROSA with HCP
   File: rosa-hcp-aws-private-creating-cluster
 - Name: Creating ROSA with HCP clusters with egress zero
@@ -299,7 +301,7 @@ Topics:
   File: rosa-sts-interactive-mode-reference
 - Name: Creating an AWS PrivateLink cluster on ROSA
   File: rosa-aws-privatelink-creating-cluster
-- Name: Configuring a shared virtual private cloud for ROSA clusters
+- Name: Configuring a shared virtual private cloud for ROSA (classic architecture) clusters
   File: rosa-shared-vpc-config
 - Name: Accessing a ROSA cluster
   File: rosa-sts-accessing-cluster

diff --git a/_topic_maps/_topic_map_rosa_hcp.yml b/_topic_maps/_topic_map_rosa_hcp.yml
@@ -201,6 +201,8 @@ Topics:
     File: rosa-hcp-creating-a-cluster-quickly-terraform
 - Name: Creating ROSA with HCP clusters using a custom AWS KMS encryption key
   File: rosa-hcp-creating-cluster-with-aws-kms-key
+- Name: Configuring a shared virtual private cloud for ROSA with HCP clusters
+  File: rosa-hcp-shared-vpc-config
 - Name: Creating a private cluster on ROSA with HCP
   File: rosa-hcp-aws-private-creating-cluster
 - Name: Creating ROSA with HCP clusters with egress zero

diff --git a/modules/rosa-deleting-account-wide-iam-roles-and-policies.adoc b/modules/rosa-deleting-account-wide-iam-roles-and-policies.adoc
@@ -71,6 +71,7 @@ ManagedOpenShift-Worker-Role        Worker         arn:aws:iam::<aws_account_id>
 ----
 endif::sts[]
 ifdef::hcp[]
++
 [source,terminal]
 ----
 I: Fetching account roles
@@ -80,14 +81,24 @@ ManagedOpenShift-HCP-ROSA-Support-Role    Support        arn:aws:iam::<aws_accou
 ManagedOpenShift-HCP-ROSA-Worker-Role     Worker         arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-HCP-ROSA-Worker-Role     4.19               Yes
 ----
 endif::hcp[]
-.. Delete the account-wide roles:
++
+.. Delete the account-wide roles by running one of the following commands:
+*** For clusters without a shared Virtual Private Cloud (VPC):
 +
 [source,terminal]
 ----
 $ rosa delete account-roles --prefix <prefix> --mode auto <1>
 ----
 <1> You must include the `--<prefix>` argument. Replace `<prefix>` with the prefix of the account-wide roles to delete. If you did not specify a custom prefix when you created the account-wide roles, specify the default prefix, `ManagedOpenShift`.
 +
+*** For clusters with a shared VPC:
++
+[source,terminal]
+----
+$ rosa delete account-roles --prefix <prefix> --delete-hosted-shared-vpc-policies --mode auto <1>
+----
+<1> You must include the `--<prefix>` argument. Replace `<prefix>` with the prefix of the account-wide roles to delete. If you did not specify a custom prefix when you created the account-wide roles, specify the default prefix, `ManagedOpenShift`.
++
 [IMPORTANT]
 ====
 The account-wide IAM roles might be used by other ROSA clusters in the same AWS account. Only remove the roles if they are not required by other clusters.

diff --git a/modules/rosa-hcp-aws-private-security-groups.adoc b/modules/rosa-hcp-aws-private-security-groups.adoc
@@ -6,7 +6,13 @@
 :_mod-docs-content-type: PROCEDURE
 = Adding additional AWS security groups to the AWS PrivateLink endpoint
 
-With {hcp-title} clusters, the AWS PrivateLink endpoint exposed in the customer's VPC has a security group that limits access to requests that originate from within the cluster's Machine CIDR range. In order to grant access to the cluster's API to any entities outside of the VPC, through VPC peering, transit gateways, or other network connectivity, you must create and attach another security group to the PrivateLink endpoint to grant the necessary access.
+ifdef::openshift-rosa[]
+With {hcp-title} clusters, the AWS PrivateLink endpoint exposed in the customer's Virtual Private Cloud (VPC) has a security group that limits access to requests that originate from within the cluster's Machine CIDR range. You must create and attach another security group to the PrivateLink endpoint to grant API access to entities outside of the VPC through VPC peering, transit gateways, or other network connectivity.
+endif::openshift-rosa[]
+
+ifdef::openshift-rosa-hcp[]
+With {hcp-title} clusters, the AWS PrivateLink endpoint exposed in the host's Virtual Private Cloud (VPC) has a security group that limits access to requests that originate from within the cluster's Machine CIDR range. You must create and attach another security group to the PrivateLink endpoint to grant API access to entities outside of the VPC through VPC peering, transit gateways, or other network connectivity.
+endif::openshift-rosa-hcp[]
 
 [IMPORTANT]
 ====
@@ -27,7 +33,7 @@ Adding additional AWS security groups to the AWS PrivateLink endpoint is only su
 $ export CLUSTER_NAME=<cluster_name>
 ----
 +
-You can verify that the variable has been set by running the following command:
+Verify that the variable exists by running the following command:
 +
 [source,terminal]
 ----
@@ -75,4 +81,4 @@ $ aws ec2 authorize-security-group-ingress --group-id $SG_ID --ip-permissions Fr
 $ aws ec2 modify-vpc-endpoint --vpc-endpoint-id $VPCE_ID --add-security-group-ids $SG_ID
 ----
 
-You now can access the API of your {hcp-title} private cluster from the specified CIDR block.
+You can now access the API of your {hcp-title} private cluster from the specified CIDR block.
diff --git a/modules/rosa-hcp-deleting-cluster.adoc b/modules/rosa-hcp-deleting-cluster.adoc
@@ -113,12 +113,20 @@ $ rosa delete cluster --cluster=<cluster_name> --watch
 You must wait for cluster deletion to complete before you remove the Operator roles and the OIDC provider.
 ====
 
-. Delete the cluster-specific Operator IAM roles by running the following command:
+. Delete the cluster-specific Operator IAM roles by running one of the following commands:
+** For clusters without a shared Virtual Private Cloud (VPC):
 +
 [source,terminal]
 ----
 $ rosa delete operator-roles --prefix <operator_role_prefix>
 ----
++
+** For clusters with a shared VPC:
++
+[source,terminal]
+----
+$ rosa delete operator-roles --prefix <operator_role_prefix> --delete-hosted-shared-vpc-policies
+----
 
 .  Delete the OIDC provider by running the following command:
 +

diff --git a/modules/rosa-hcp-sharing-vpc-cluster-creation.adoc b/modules/rosa-hcp-sharing-vpc-cluster-creation.adoc
@@ -0,0 +1,29 @@
+// Module included in the following assemblies:
+//
+// * networking/rosa-hcp-shared-vpc-config.adoc
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-hcp-sharing-vpc-cluster-creation_{context}"]
+= Step Four - Cluster Creator: Creating your cluster in a shared VPC
+To create a cluster in a shared VPC, complete the following steps.
+
+[NOTE]
+====
+Installing a cluster in a shared VPC is supported only for OpenShift 4.17.9 and later.
+====
+
+image::372_OpenShift_on_AWS_persona_worflows_0923_4.png[]
+.Prerequisites
+
+* You have the hosted zone IDs from the *VPC Owner*.
+* You have the AWS region from the *VPC Owner*.
+* You have the subnet IDs from the *VPC Owner*.
+* You have the `Route 53 role` ARN from the *VPC Owner*.
+* You have the `VPC endpoint role` ARN from the *VPC Owner*.
+
+.Procedure
+* In a terminal, enter the following command to create the shared VPC:
++
+[source,terminal]
+----
+$ rosa create cluster --cluster-name <cluster_name> --sts --operator-roles-prefix <prefix> --oidc-config-id <oidc_config_id> --region us-east-1 --subnet-ids <subnet_ids> --hcp-internal-communication-hosted-zone-id <private_hosted_zone_ID> --ingress-private-hosted-zone-id <local_hosted_zone_ID> --route53-role-arn <route_53_role_arn> vpc-endpoint-role-arn <vpc_endpoint_role_arn> --base-domain <dns-domain> --additional-allowed-principals --hosted-cp
+----