SYSTEM Cited by 1 source
terraform-aws-redpanda-byovpc (Terraform module)¶
The terraform-aws-redpanda-byovpc module (github.com/redpanda-data/terraform-aws-redpanda-byovpc) is Redpanda's official opinionated Terraform module for provisioning the AWS substrate required by a Redpanda BYOVPC cluster. Alongside the 2026-03-11 BYOVPC GA announcement, Redpanda "formally establishes Terraform as the recommended provisioning path for BYOVPC clusters on AWS" (Source: sources/2026-03-11-redpanda-redpanda-clouds-byovpc-for-aws-is-now-generally-available).
What it provisions¶
Verbatim list from the GA post:
- VPC and subnet configuration, including CIDR block allocation across availability zones.
- IAM instance profiles for all five workload types — each scoped to exactly what the component needs:
agent— Redpanda Cloud agent VM.redpanda— broker nodes.utility— utility node group.connectors— Kafka Connect / Redpanda Connect connector node group.redpanda_connect— optionally enabled for systems/redpanda-connect inside BYOVPC.k8s_cluster_role— the EKS cluster IAM role.- Seven security groups — "with sensible defaults you can
customize before applying". The Terraform code block in the GA
post references:
redpanda_agent_security_group,connectors_security_group,redpanda_node_group_security_group,utility_security_group,cluster_security_group,node_security_group(6 named); the module README lists 7. - S3 bucket for tiered storage, pre-configured with encryption and appropriate bucket policies.
- Management bucket + DynamoDB table (referenced in the
redpanda_networkwiring but not enumerated in the "what it includes" list). - PrivateLink configuration (optional, enabled via variables).
- Redpanda Connect enablement (optional, configurable).
Permissions boundary policy¶
The module also provisions a permissions_boundary_policy ARN that
gets passed to the redpanda_cluster resource as
aws_permissions_boundary_policy_arn — this is the
permissions-boundary IAM policy that caps the maximum
permissions the Redpanda-created IAM entities can have within the
customer account, even if attached policies would grant more. A
safety invariant for customer IAM posture.
Skip-what-you-have composition¶
Verbatim (Source: post):
"Variables are provided throughout, so you can skip the creation of any resource that already exists in your environment. If your platform team has already provisioned a VPC with approved subnets, simply pass those IDs as inputs, and the module skips that step entirely. The same applies to the S3 bucket, security groups, and IAM roles — bring what you have, let Terraform create what you don't."
This is the composition hook for enterprise platform teams. See patterns/terraform-module-as-byoc-provisioning-path.
Integration with the Redpanda Terraform provider¶
The module outputs are consumed by redpanda_network +
redpanda_cluster resources from the
redpanda-data/redpanda
Terraform provider:
redpanda_network.customer_managed_resources.aws:management_bucket,dynamodb_table,vpc,private_subnets.redpanda_cluster.customer_managed_resources.aws:aws_permissions_boundary_policy_arn,agent_instance_profile,connectors_node_group_instance_profile,utility_node_group_instance_profile,redpanda_node_group_instance_profile,k8s_cluster_role, six+ security-group ARNs,cloud_storage_bucket,permissions_boundary_policy.
This separation — module provisions substrate, provider binds to substrate — is the wire between infrastructure-as-code (AWS resources) and infrastructure-as-service (Redpanda cluster).
Why Terraform (four reasons)¶
Verbatim from the "Why Terraform?" section of the GA post:
- Repeatability — define infrastructure once, deploy consistently across environments.
- Auditability — all changes tracked in version control; compliance reviews straightforward.
- Flexibility — customize every aspect via input variables, from CIDR ranges to PrivateLink settings.
- Speed — a single
terraform applyprovisions the full suite + outputs the ARNs needed for cluster creation.
High-level provisioning flow¶
From the GA post's "four main phases":
- Configure
tfvarsJSON with VPC ID + AWS account ID + region + subnet CIDRs + optional flags. terraform applythe module → outputs all the resource ARNs.- Use
redpanda_network+redpanda_clusterfrom the Redpanda Terraform provider; wire the module outputs to the provider inputs. - The Redpanda Cloud agent takes over once the cluster resource reports back the initial provisioned state (autoscaling group, agent VM, launch template).
Caveats¶
- AWS-only as of 2026-03-11. GCP + Azure equivalents not announced.
- Opinionated defaults. The seven security groups, five IAM instance profiles, and the permissions-boundary policy encode Redpanda's view of least-privilege; customers with stricter posture may need to override defaults.
- Not a lifecycle manager for the Redpanda cluster itself. Post-bootstrap, cluster lifecycle (upgrades, config changes, scaling) is handled by the Redpanda Cloud agent via the control plane, not by re-running the module.
- State-file consolidation required. Platform teams with pre-existing Terraform state for VPC/subnets/IAM/S3 need to import those resources into the same workspace or use data sources when calling the Redpanda module with skip variables. The post doesn't walk this through.
- No first-class module for Dedicated or Self-Managed. The
terraform-aws-redpanda-byovpcname scope is BYOVPC-specific.
Seen in¶
- sources/2026-03-11-redpanda-redpanda-clouds-byovpc-for-aws-is-now-generally-available
— canonical formal establishment of this module as the
recommended BYOVPC provisioning path. Includes the full
redpanda_network+redpanda_clusterTerraform code block demonstrating every required output-to-input wiring.
Related¶
- systems/redpanda-byovpc — the deployment mode this module provisions for.
- systems/redpanda-byoc — the superset deployment mode.
- systems/redpanda-cloud — the managed-service parent.
- systems/terraform — the substrate.
- systems/aws-privatelink · systems/aws-s3 · systems/aws-iam · systems/aws-eks — AWS resources the module creates.
- systems/redpanda-connect — the optional fifth workload.
- patterns/terraform-module-as-byoc-provisioning-path — the canonical pattern.
- patterns/customer-preprovisioned-network-substrate — the substrate-ownership pattern this module enables.
- companies/redpanda.