DOC-1186 Redpanda Connect for BYOVPC on AWS (#274)

* Add config to AWS BYOVPC docs for RPCN

* Correct IAM instance profile list

* PM review comments

* PM review comments

* minor rewording

* PM review comments

* Update note

* docs review comments

Author: asimms41

modules/develop/partials/availability-message.adoc

@@ -2,6 +2,6 @@
 ====
 
 * Redpanda Connect is available in limited availability (LA) for BYOC and Dedicated clusters. Features in LA are production-ready and are covered by Redpanda Support for early adopters. To unlock Redpanda Connect for your account, contact https://support.redpanda.com/hc/en-us/requests/new[Redpanda Support^].  
-* Redpanda Connect is in beta for BYOVPC clusters on GCP but not on AWS or Azure.
+* Redpanda Connect is in beta for BYOVPC clusters on AWS and GCP. It is not yet available for BYOVPC clusters on Azure.
 * Redpanda Connect is available in beta for Serverless clusters. Features in beta are not covered by Redpanda Support and should not be used in production environments.
 ==== 

modules/get-started/pages/cloud-overview.adoc

@@ -264,7 +264,7 @@ Features in limited availability are production-ready and are covered by Redpand
 
 The following features are currently in limited availability in Redpanda Cloud:
 
-* Redpanda Connect for Dedicated and BYOC (not BYOVPC on AWS or Azure)
+* Redpanda Connect for Dedicated and BYOC (excluding BYOVPC on Azure)
 * Serverless
 * Dedicated and BYOC for Azure
 * BYOVPC for GCP
@@ -276,7 +276,7 @@ Features in beta are available for testing and feedback. They are not covered by
 
 The following features are currently in beta in Redpanda Cloud:
 
-* Redpanda Connect for BYOVPC on GCP and Serverless
+* Redpanda Connect on Serverless, and for BYOVPC on GCP and AWS
 * Redpanda Terraform provider
 * BYOVPC for AWS and Azure
 * Integration with Apache Iceberg

modules/get-started/pages/cluster-types/byoc/aws/vpc-byo-aws.adoc

@@ -52,7 +52,21 @@ The https://github.com/redpanda-data/cloud-examples/blob/main/customer-managed/a
 
 NOTE: For simplicity, these instructions assume that Terraform is configured to use local state. You may want to configure https://developer.hashicorp.com/terraform/language/state/remote[remote state^]. 
 
-Define a JSON file called `byovnet.auto.tfvars.json` inside the Terraform directory that contains information about the VPC. Optionally, you can enable PrivateLink. For example: 
+Define a JSON file called `byovnet.auto.tfvars.json` inside the Terraform directory that contains information about the VPC.
+
+You can update the example configuration to customize your setup:
+
+- Enable PrivateLink (`"enable_private_link": true`).
+- Preserve cluster data when deleting the cluster (`"force_destroy_cloud_storage": false`).
+- Use https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html[condition tags^] to control resource modifications based on AWS tags. For example:
++
+```json
+"condition_tags": {
+"redpanda-managed": "true"
+},
+```
+
+Example configuration:
 
 ```json
 cat > byoc.auto.tfvars.json <<EOF
@@ -67,15 +81,32 @@ cat > byoc.auto.tfvars.json <<EOF
   "ignore_tags": [
   ],
   "vpc_id": "${AWS_VPC_ID}",
-  "zones": [],
-  "enable_private_link": true,
+  "zones": [
+    "use2-az1",
+    "use2-az2",
+    "use2-az3"
+  ],
+  "create_rpk_user": true,
+  "enable_redpanda_connect": true,
+  "enable_private_link": false,
   "create_rpk_user": true,
-  "force_destroy_cloud_storage": true
+  "force_destroy_cloud_storage": true,
+  "public_subnet_cidrs": [
+    "10.0.1.0/24",
+    "10.0.3.0/24",
+    "10.0.5.0/24",
+    "10.0.7.0/24",
+    "10.0.9.0/24",
+    "10.0.11.0/24"
+  ]
 }
 EOF
 
 ```
 
+NOTE: At least one public subnet is required to create a cluster. The example configuration includes multiple public subnets to allow for future scaling. In addition, the VPC should have an Internet Gateway and an associated Route Table that exposes traffic into the VPC, and allows the Redpanda Control Plane to access the cluster.
+
+
 == Deploy Terraform
 
 Initialize, plan, and apply Terraform to set up the AWS infrastructure:
@@ -130,6 +161,7 @@ To create the Redpanda network:
 ```json
 cat > redpanda-network.json <<EOF
 {
+  "network": {
     "name":"sample-redpanda-network",
     "resource_group_id": "${REDPANDA_RG_ID}",
     "cloud_provider":"CLOUD_PROVIDER_AWS",
@@ -144,13 +176,14 @@ cat > redpanda-network.json <<EOF
           "arn": "${AWS_DYNAMODB_TABLE}"
         },
         "private_subnets": {
-          "arns": "${AWS_PRIVATE_SUBNETS}"
+          "arns": ${AWS_PRIVATE_SUBNETS}
         },
         "vpc": {
           "arn": "${AWS_VPC}"
         }
       }
-   }
+    }
+  } 
 } 
 EOF
 ```
@@ -162,7 +195,7 @@ export REDPANDA_NETWORK_ID=$(curl -X POST "https://api.redpanda.com/v1/networks"
  -H "accept: application/json" \
  -H "content-type: application/json" \
  -H "authorization: Bearer ${BEARER_TOKEN}" \
- --data-binary @redpanda-network.json | jq -r '.operation.id')
+ --data-binary @redpanda-network.json | jq -r '.operation.resource_id')
 ```
 +
 The Create Network request returns a `resource_id`. For example:
@@ -188,13 +221,28 @@ The Create Network request returns a `resource_id`. For example:
 
 To create the Redpanda cluster: 
 
-. Create environment variables for cluster information, like the version, tier, and availability zones. 
+. For all cluster information, including the version, tier, storage, security, and availability zones, create the following environment variables with values from Terraform. You can customize the cluster name, Repdanda version, usage tier, and AWS zones for your cluster using the environment variables.
 +
 ```bash
-export AWS_ZONES='["use-az1", "use-az2", "use-az3"]'
+export AWS_ZONES='["use2-az1", "use2-az2", "use2-az3"]'
 export REDPANDA_CLUSTER_NAME=sample-redpanda-cluster
-export REDPANDA_VERSION=24.3
+export REDPANDA_VERSION=25.1
 export REDPANDA_THROUGHPUT_TIER=tier-1-aws-v3-arm
+export AGENT_INSTANCE_PROFILE_ARN="$(terraform output -raw agent_instance_profile_arn)"
+export CONNECTORS_NODE_GROUP_INSTANCE_PROFILE="$(terraform output -raw connectors_node_group_instance_profile_arn)"
+export REDPANDA_NODE_GROUP_INSTANCE_PROFILE="$(terraform output -raw redpanda_node_group_instance_profile_arn)"
+export REDPANDA_CONNECT_NODE_GROUP_INSTANCE_PROFILE="$(terraform output -raw redpanda_connect_node_group_instance_profile_arn)"
+export UTILITY_NODE_GROUP_INSTANCE_PROFILE="$(terraform output -raw utility_node_group_instance_profile_arn)"
+export CONNECTORS_SECURITY_GROUP="$(terraform output -raw connectors_security_group_arn)" 
+export REDPANDA_CONNECT_SECURITY_GROUP="$(terraform output -raw redpanda_connect_security_group_arn)"
+export NODE_SECURITY_GROUP="$(terraform output -raw node_security_group_arn)"
+export UTILITY_SECURITY_GROUP="$(terraform output -raw utility_security_group_arn)"
+export REDPANDA_AGENT_SECURITY_GROUP="$(terraform output -raw redpanda_agent_security_group_arn)"
+export REDPANDA_NODE_GROUP_SECURITY_GROUP="$(terraform output -raw redpanda_node_group_security_group_arn)"
+export CLUSTER_SECURITY_GROUP="$(terraform output -raw cluster_security_group_arn)"
+export K8S_CLUSTER_ROLE="$(terraform output -raw k8s_cluster_role_arn)"
+export CLOUD_STORAGE_BUCKET="$(terraform output -raw cloud_storage_bucket_arn)"
+export PERMISSIONS_BOUNDARY_POLICY="$(terraform output -raw permissions_boundary_policy_arn)"
 ```
 +
 TIP: See the full list of zones and tiers available with each provider in the xref:api:ROOT:cloud-controlplane-api.adoc#api-description[Control Plane API reference].
@@ -204,56 +252,64 @@ TIP: See the full list of zones and tiers available with each provider in the xr
 ```json
 cat > redpanda-cluster.json <<EOF
 {
-  "cloud_provider":"CLOUD_PROVIDER_AWS",
-  "connection_type":"CONNECTION_TYPE_PRIVATE",
-  "name": "${REDPANDA_CLUSTER_NAME}",
-  "resource_group_id": "${REDPANDA_RG_ID}",
-  "network_id": "${REDPANDA_NETWORK_ID}",
-  "region": "${AWS_REGION}",
-  "throughput_tier": "${REDPANDA_THROUGHPUT_TIER}",
-  "type": "TYPE_BYOC",
-  "zones": ${AWS_ZONES},
-  "redpanda_version": "${REDPANDA_VERSION}",
-  "customer_managed_resources": {
-    "aws": {
-      "agent_instance_profile": {
-        "arn": "<agent_instance_profile_arn from terraform outputs>"
-      },
-      "connectors_node_group_instance_profile": {
-        "arn": "<connectors_node_group_instance_profile_arn from terraform outputs>"
-      },
-      "redpanda_node_group_instance_profile": {
-        "arn": "<redpanda_node_group_instance_profile_arn from terraform outputs>"
-      },
-      "utility_node_group_instance_profile": {
-        "arn": "<utility_node_group_instance_profile_arn from terraform outputs>"
-      },
-      "connectors_security_group": {
-        "arn": "<connectors_security_group_arn from terraform outputs>"
-      },
-      "node_security_group": {
-        "arn": "<node_security_group_arn from terraform outputs>"
-      },
-      "utility_security_group": {
-        "arn": "<utility_security_group_arn from terraform outputs>"
-      },
-      "redpanda_agent_security_group": {
-        "arn": "<redpanda_agent_security_group_arn from terraform outputs>"
-      },
-      "redpanda_node_group_security_group": {
-        "arn": "<redpanda_node_group_security_group_arn from terraform outputs>"
-      },
-      "cluster_security_group": {
-        "arn": "<cluster_security_group_arn from terraform outputs>"
-      },
-      "k8s_cluster_role": {
-        "arn": "<k8s_cluster_role_arn from terraform outputs>"
-      },
-      "cloud_storage_bucket": {
-        "arn": "<cloud_storage_bucket_arn from terraform outputs>"
-      },
-      "permissions_boundary_policy": {
-        "arn": "<permissions_boundary_policy_arn from terraform outputs>"
+  "cluster": {
+    "cloud_provider":"CLOUD_PROVIDER_AWS",
+    "connection_type":"CONNECTION_TYPE_PRIVATE",
+    "name": "${REDPANDA_CLUSTER_NAME}",
+    "resource_group_id": "${REDPANDA_RG_ID}",
+    "network_id": "${REDPANDA_NETWORK_ID}",
+    "region": "${AWS_REGION}",
+    "throughput_tier": "${REDPANDA_THROUGHPUT_TIER}",
+    "type": "TYPE_BYOC",
+    "zones": ${AWS_ZONES},
+    "redpanda_version": "${REDPANDA_VERSION}",
+    "customer_managed_resources": {
+      "aws": {
+        "agent_instance_profile": {
+          "arn": "${AGENT_INSTANCE_PROFILE_ARN}"
+        },
+        "connectors_node_group_instance_profile": {
+          "arn": "${CONNECTORS_NODE_GROUP_INSTANCE_PROFILE}"
+        },
+        "redpanda_connect_node_group_instance_profile": {
+          "arn": "${REDPANDA_CONNECT_NODE_GROUP_INSTANCE_PROFILE}"
+        },
+        "redpanda_node_group_instance_profile": {
+          "arn": "${REDPANDA_NODE_GROUP_INSTANCE_PROFILE}"
+        },
+        "utility_node_group_instance_profile": {
+          "arn": "${UTILITY_NODE_GROUP_INSTANCE_PROFILE}"
+        },
+        "connectors_security_group": {
+          "arn": "${CONNECTORS_SECURITY_GROUP}"
+        },
+        "redpanda_connect_security_group": {
+          "arn": "${REDPANDA_CONNECT_SECURITY_GROUP}"
+        },
+        "node_security_group": {
+          "arn": "${NODE_SECURITY_GROUP}"
+        },
+        "utility_security_group": {
+          "arn": "${UTILITY_SECURITY_GROUP}"
+        },
+        "redpanda_agent_security_group": {
+          "arn": "${REDPANDA_AGENT_SECURITY_GROUP}"
+        },
+        "redpanda_node_group_security_group": {
+          "arn": "${REDPANDA_NODE_GROUP_SECURITY_GROUP}"
+        },
+        "cluster_security_group": {
+          "arn": "${CLUSTER_SECURITY_GROUP}"
+        },
+        "k8s_cluster_role": {
+          "arn": "${K8S_CLUSTER_ROLE}"
+        },
+        "cloud_storage_bucket": {
+          "arn": "${CLOUD_STORAGE_BUCKET}"
+        },
+        "permissions_boundary_policy": {
+          "arn": "${PERMISSIONS_BOUNDARY_POLICY}"
+        }
       }
     }
   }
@@ -342,7 +398,7 @@ The `rpk cloud byoc aws apply` command performs validation checks before proceed
 * RPK user: Checks if the user running the command has sufficient privileges to provision the agent. Any
 missing permissions are displayed in the output.
 
-* IAM instance profile: Checks that `connectors_node_group_instance_profile`, `redpanda_node_group_instance_profile`,
+* IAM instance profile: Checks that `connectors_node_group_instance_profile`, `redpanda_node_group_instance_profile`, `redpanda_connect_node_group_instance_profile`,
 `utility_node_group_instance_profile`, and `k8s_cluster_role` have the minimum required permissions. Any missing permissions are displayed in the output.
 
 * Storage: Checks that the `management_bucket` exists and is versioned, checks that the `cloud_storage_bucket` exists and is not versioned, and checks that the `dynamodb_table` exists.

modules/get-started/pages/whats-new-cloud.adoc

@@ -41,6 +41,10 @@ Data transforms are supported for BYOC and Dedicated clusters running Redpanda v
 
 Redpanda Cloud is starting to introduce beta versions of xref:develop:agents/about.adoc[AI agents] for enterprise agentic applications driven by a continuous data feed.
 
+=== Redpanda Connect for BYOVPC on AWS and GCP: beta
+
+Redpanda Connect is now enabled when you create a BYOVPC cluster on xref:get-started:cluster-types/byoc/aws/vpc-byo-aws.adoc[AWS] or xref:get-started:cluster-types/byoc/gcp/vpc-byo-gcp.adoc[GCP]. You can also add Redpanda Connect to an xref:get-started:cluster-types/byoc/gcp/enable-rpcn-byovpc-gcp.adoc[existing BYOVPC GCP cluster].
+
 == March 2025
 
 === Serverless

modules/shared/partials/feature-flag-rpcn.adoc

@@ -2,5 +2,5 @@
 ====
 
 * BYOVPC is an add-on feature that may require an additional purchase. To unlock this feature for your account, contact your Redpanda account team or https://www.redpanda.com/price-estimator[Redpanda Sales^]. 
-* Redpanda Connect is in beta for BYOVPC clusters on GCP.
+* Redpanda Connect is in beta for BYOVPC clusters on AWS and GCP. It is not yet available for BYOVPC clusters on Azure.
 ====