openshift · EricPonvelle · Jul 15, 2025
diff --git a/modules/rosa-getting-started-deleting-a-cluster.adoc b/modules/rosa-getting-started-deleting-a-cluster.adoc
@@ -5,7 +5,7 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="rosa-getting-started-deleting-a-cluster_{context}"]
-= Deleting a ROSA cluster and the AWS STS resources
+= Deleting a ROSA cluster and the AWS IAM STS resources
 
 ifeval::["{context}" == "rosa-getting-started"]
 :getting-started:
@@ -15,15 +15,15 @@ ifeval::["{context}" == "rosa-quickstart"]
 endif::[]
 
 ifdef::openshift-rosa-hcp[]
-You can delete a ROSA cluster by using the {product-title} (ROSA) CLI, `rosa`. You can also use the ROSA CLI to delete the AWS Identity and Access Management (IAM) account-wide roles, the cluster-specific Operator roles, and the OpenID Connect (OIDC) provider. To delete the account-wide inline and Operator policies, you can use the AWS IAM Console.
+You can delete a ROSA cluster by using the ROSA CLI, `rosa`. You can also use the ROSA CLI to delete the AWS Identity and Access Management (IAM) account-wide roles, the cluster-specific Operator roles, and the OpenID Connect (OIDC) provider. To delete the account-wide and Operator policies, you can use the AWS IAM Console or the AWS CLI.
 endif::openshift-rosa-hcp[]
 ifndef::openshift-rosa-hcp[]
-You can delete a ROSA cluster that uses the AWS Security Token Service (STS) by using the {product-title} (ROSA) CLI, `rosa`. You can also use the ROSA CLI to delete the AWS Identity and Access Management (IAM) account-wide roles, the cluster-specific Operator roles, and the OpenID Connect (OIDC) provider. To delete the account-wide inline and Operator policies, you can use the AWS IAM Console.
+You can delete a ROSA cluster that uses the AWS Security Token Service (STS) by using the ROSA CLI, `rosa`. You can also use the ROSA CLI to delete the AWS Identity and Access Management (IAM) account-wide roles, the cluster-specific Operator roles, and the OpenID Connect (OIDC) provider. To delete the account-wide inline and Operator policies, you can use the AWS IAM Console or the AWS CLI.
 endif::openshift-rosa-hcp[]
 
 [IMPORTANT]
 ====
-Account-wide IAM roles and policies might be used by other ROSA clusters in the same AWS account. You must only remove the resources if they are not required by other clusters.
+Account-wide IAM roles and policies might be used by other ROSA clusters in the same AWS account. You must only remove the resources if they are **not** required by other clusters.
 ====
 
 ifdef::getting-started[]
@@ -45,10 +45,10 @@ $ rosa delete cluster --cluster=<cluster_name> --watch
 +
 [IMPORTANT]
 ====
-You must wait for the cluster deletion to complete before you remove the IAM roles, policies, and OIDC provider. The account-wide roles are required to delete the resources created by the installer. The cluster-specific Operator roles are required to clean-up the resources created by the OpenShift Operators. The Operators use the OIDC provider to authenticate.
+You must wait for the cluster deletion to complete before you remove the IAM roles, policies, and OIDC provider. The account-wide roles are required to delete the resources created by the installer. The cluster-specific Operator roles are required to clean-up the resources created by the OpenShift Operators. The Operators use the OIDC provider to authenticate with AWS APIs.
 ====
 
-.  Delete the OIDC provider that the cluster Operators use to authenticate:
+.  After the cluster is deleted, delete the OIDC provider that the cluster Operators use to authenticate:
 +
 [source,terminal]
 ----
@@ -73,27 +73,27 @@ $ rosa delete operator-roles -c <cluster_id> --mode auto <1>
 +
 [IMPORTANT]
 ====
-Account-wide IAM roles and policies might be used by other ROSA clusters in the same AWS account. You must only remove the resources if they are not required by other clusters.
+Account-wide IAM roles and policies might be used by other ROSA clusters in the same AWS account. You must only remove the resources if they are **not** required by other clusters.
 ====
 +
 [source,terminal]
 ----
 $ rosa delete account-roles --prefix <prefix> --mode auto <1>
 ----
-<1> You must include the `--<prefix>` argument. Replace `<prefix>` with the prefix of the account-wide roles to delete. If you did not specify a custom prefix when you created the account-wide roles, specify the default prefix, `ManagedOpenShift`.
+<1> You must include the `--<prefix>` argument. Replace `<prefix>` with the prefix of the account-wide roles to delete. If you did not specify a custom prefix when you created the account-wide roles, specify the default prefix, depending on how they were created, `HCP-ROSA` or `ManagedOpenShift`.
 
 ifdef::openshift-rosa-hcp[]
-. Delete the account-wide inline and Operator IAM policies that you created for ROSA deployments:
+. Delete the account-wide and Operator IAM policies that you created for ROSA deployments:
 endif::openshift-rosa-hcp[]
 ifndef::openshift-rosa-hcp[]
-. Delete the account-wide inline and Operator IAM policies that you created for ROSA deployments that use STS:
+. Delete the account-wide and Operator IAM policies that you created for ROSA deployments that use STS:
 endif::openshift-rosa-hcp[]
 +
 .. Log in to the link:https://console.aws.amazon.com/iamv2/home#/home[AWS IAM Console].
 .. Navigate to *Access management* -> *Policies* and select the checkbox for one of the account-wide policies.
 .. With the policy selected, click on *Actions* -> *Delete* to open the delete policy dialog.
 .. Enter the policy name to confirm the deletion and select *Delete* to delete the policy.
-.. Repeat this step to delete each of the account-wide inline and Operator policies for the cluster.
+.. Repeat this step to delete each of the account-wide and Operator policies for the cluster.
 
 ifeval::["{context}" == "rosa-getting-started"]
 :getting-started:

diff --git a/modules/rosa-getting-started-install-configure-cli-tools.adoc b/modules/rosa-getting-started-install-configure-cli-tools.adoc
@@ -2,6 +2,8 @@
 //
 // * rosa_getting_started/rosa-getting-started.adoc
 // * rosa_getting_started/rosa-quickstart-guide-ui.adoc
+// * rosa_hcp/rosa-hcp-quickstart-guide.adoc
+// * rosa_planning/rosa-sts-setting-up-environment.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="rosa-getting-started-install-configure-cli-tools_{context}"]
@@ -19,8 +21,6 @@ Several command-line interface (CLI) tools are required to deploy and work with
 . Log in to your Red{nbsp}Hat and AWS accounts to access the download page for each required tool.
 .. Log in to your Red{nbsp}Hat account at link:https://console.redhat.com[console.redhat.com].
 .. Log in to your AWS account at link:https://aws.amazon.com[aws.amazon.com].
-
-//This should be a separate module
 . Install and configure the latest AWS CLI (`aws`).
 .. Install the AWS CLI by following the link:https://aws.amazon.com/cli/[AWS Command Line Interface] documentation appropriate for your workstation.
 .. Configure the AWS CLI by specifying your `aws_access_key_id`, `aws_secret_access_key`, and `region` in the `.aws/credentials` file. For more information, see link:https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html[AWS Configuration basics] in the AWS documentation.
@@ -41,8 +41,7 @@ $ aws sts get-caller-identity  --output text
 ----
 <aws_account_id>    arn:aws:iam::<aws_account_id>:user/<username>  <aws_user_id>
 ----
-
-//This should be a separate module
++
 . Install and configure the latest ROSA CLI (`rosa`).
 .. Navigate to link:https://console.redhat.com/openshift/downloads[*Downloads*].
 .. Find *Red Hat OpenShift Service on AWS command line interface (`rosa)* in the list of tools and click *Download*.
@@ -92,8 +91,6 @@ Your ROSA CLI is up to date.
 // For steps to configure `rosa` tab completion for different shell types, see the help menu by running `rosa completion --help`.
 // ====
 // endif::[]
-
-//The following should probably also be a separate module
 . Log in to the ROSA CLI using an offline access token.
 .. Run the login command:
 +
@@ -121,7 +118,6 @@ To login to your Red Hat account, get an offline access token at https://console
 ====
 In the future you can specify the offline access token by using the `--token="<offline_access_token>"` argument when you run the `rosa login` command.
 ====
-
 .. Verify that you are logged in and confirm that your credentials are correct before proceeding:
 +
 [source,terminal]
@@ -144,8 +140,6 @@ OCM Organization ID:          <org_id>
 OCM Organization Name:        Your organization
 OCM Organization External ID: <external_org_id>
 ----
-
-//This should be a separate module
 . Install and configure the latest OpenShift CLI (`oc`).
 .. Use the ROSA CLI to download the `oc` CLI.
 +

diff --git a/modules/rosa-hcp-create-network.adoc b/modules/rosa-hcp-create-network.adoc
@@ -10,11 +10,11 @@ ifeval::["{context}" == "rosa-hcp-egress-zero-install"]
 endif::[]
 :_mod-docs-content-type: PROCEDURE
 [id="rosa-hcp-create-network_{context}"]
-= Creating a Virtual Private Cloud using the ROSA CLI
+= Creating an AWS VPC using the ROSA CLI
 
-The `rosa create network` command is available in v.1.2.48 or later of the ROSA command-line interface (CLI). The command uses AWS CloudFormation to create a VPC and the other networking components used to install a ROSA cluster. CloudFormation is a native AWS infrastructure-as-code tool and is compatible with the AWS CLI.
+The `rosa create network` command is available in v.1.2.48 or later of the ROSA command-line interface (CLI). The command uses AWS CloudFormation to create a VPC and associated networking components necessary to install a ROSA cluster. CloudFormation is a native AWS infrastructure-as-code tool and is compatible with the AWS CLI.
 
-If you do not specify a template, CloudFormation uses a default template that creates the following parameters:
+If you do not specify a template, CloudFormation uses a default template that creates resources with the following parameters:
 
 [cols="2a,3a",options="header"]
 |===

diff --git a/modules/rosa-hcp-vpc-manual.adoc b/modules/rosa-hcp-vpc-manual.adoc
@@ -8,9 +8,9 @@ endif::[]
 
 :_mod-docs-content-type: PREFERENCE
 [id="rosa-hcp-vpc-manual_{context}"]
-= Creating a Virtual Private Cloud manually
+= Creating an AWS Virtual Private Cloud manually
 
-If you choose to manually create your Virtual Private Cloud (VPC) instead of using Terraform, go to link:https://us-east-1.console.aws.amazon.com/vpc/[the VPC page in the AWS console].
+If you choose to manually create your AWS Virtual Private Cloud (VPC) instead of using Terraform, go to link:https://us-east-1.console.aws.amazon.com/vpc/[the VPC page in the AWS console].
 
 include::snippets/rosa-existing-vpc-requirements.adoc[leveloffset=+0]
 
@@ -19,7 +19,7 @@ ifdef::rosa-egress-lockdown[]
 [id="rosa-hcp-vpc-subnet-tagging-manual_{context}"]
 == Tagging your subnets
 
-Before you can use your VPC to create a {hcp-title} cluster, you must tag your VPC subnets. Automated service preflight checks verify that these resources are tagged correctly. The following table shows how to tag your resources:
+Before you can use your VPC to create a {rosa-short} cluster, you must tag your VPC subnets. Automated service preflight checks verify that these resources are tagged correctly. The following table shows how to tag your resources:
 
 [cols="3a,8a,8a", options="header"]
 |===

diff --git a/modules/rosa-hcp-vpc-subnet-tagging.adoc b/modules/rosa-hcp-vpc-subnet-tagging.adoc
@@ -5,7 +5,7 @@
 [id="rosa-hcp-vpc-subnet-tagging_{context}"]
 = Tagging your subnets
 
-Before you can use your VPC to create a {hcp-title} cluster, you must tag your VPC subnets. Automated service preflight checks verify that these resources are tagged correctly before you can use these resources. The following table shows how your resources should be tagged as the following:
+Before you can use your VPC to create a {rosa-short} cluster, you must tag your VPC subnets. Automated service preflight checks verify that these resources are tagged correctly before you can use these resources for a cluster. The following table shows how your resources should be tagged:
 
 [cols="3a,8a,8a", options="header"]
 |===
@@ -15,17 +15,17 @@ Before you can use your VPC to create a {hcp-title} cluster, you must tag your V
 
 | Public subnet
 | `kubernetes.io/role/elb`	
-| `1` or no value
+| `1` (or no value)
 
 | Private subnet 
 | `kubernetes.io/role/internal-elb`	
-| `1` or no value
+| `1` (or no value)
 
 |===
 
 [NOTE]
 ====
-You must tag at least one private subnet and, if applicable, and one public subnet.
+You must tag at least one private subnet and, if applicable, one public subnet.
 ====
 
 .Prerequisites

diff --git a/modules/rosa-sts-byo-oidc.adoc b/modules/rosa-sts-byo-oidc.adoc
@@ -11,7 +11,7 @@
 [id="rosa-sts-byo-oidc_{context}"]
 = Creating an OpenID Connect configuration
 
-When using a
+When creating a
 ifdef::openshift-rosa-hcp[]
 {rosa-short}
 endif::openshift-rosa-hcp[]

diff --git a/modules/rosa-sts-creating-account-wide-sts-roles-and-policies.adoc b/modules/rosa-sts-creating-account-wide-sts-roles-and-policies.adoc
@@ -1,7 +1,8 @@
 // Module included in the following assemblies:
 //
-// * rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc
 // * rosa_getting_started/rosa-quickstart-guide-ui.adoc
+// * rosa_hcp/rosa-hcp-quickstart-guide.adoc
+// * rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="rosa-sts-creating-account-wide-sts-roles-and-policies_{context}"]
@@ -14,7 +15,14 @@ ifeval::["{context}" == "rosa-quickstart"]
 :quickstart:
 endif::[]
 
-Before using the {cluster-manager-first} {hybrid-console-second} to create {product-title} (ROSA) clusters that use the AWS Security Token Service (STS), create the required account-wide STS roles and policies, including the Operator policies.
+Before using the {hybrid-console} to create 
+ifdef::openshift-rosa[]
+{rosa-classic-short}
+endif::openshift-rosa[]
+ifdef::openshift-rosa-hcp[]
+{rosa-short}
+endif::openshift-rosa-hcp[]
+clusters that use the AWS Security Token Service (STS), create the required account-wide STS roles and policies, including the Operator policies.
 
 ifdef::quick-install[]
 .Prerequisites
@@ -37,11 +45,19 @@ $ rosa list account-roles
 ----
 endif::[]
 
-. If they do not exist in your AWS account, create the required account-wide STS roles and policies:
+. If they do not exist in your AWS account, create the required account-wide AWS IAM STS roles and policies:
 +
+ifdef::openshift-rosa[]
 [source,terminal]
 ----
 $ rosa create account-roles
 ----
+endif::openshift-rosa[]
+ifdef::openshift-rosa-hcp[]
+[source,terminal]
+----
+$ rosa create account-roles --hosted-cp
+----
+endif::openshift-rosa-hcp[]
 +
 Select the default values at the prompts to quickly create the roles and policies.
diff --git a/modules/rosa-sts-overview-of-the-default-cluster-specifications.adoc b/modules/rosa-sts-overview-of-the-default-cluster-specifications.adoc
@@ -1,18 +1,18 @@
 // Module included in the following assemblies:
 //
+// * rosa_getting_started/rosa-quickstart-guide-ui.adoc
+// * rosa_hcp/terraform/rosa-hcp-creating-a-cluster-quickly-terraform.adoc
+// * rosa_hcp/rosa-hcp-quickstart-guide.adoc
 // * rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc
+// * rosa_install_access_delete_clusters/terraform/rosa-classic-creating-a-cluster-quickly-terraform.adoc
 // * rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc
-// * rosa_getting_started/rosa-quickstart-guide-ui.adoc
 
 ifeval::["{context}" == "rosa-classic-creating-a-cluster-quickly-terraform"]
 :tf-classic:
 endif::[]
 ifeval::["{context}" == "rosa-hcp-creating-a-cluster-quickly-terraform"]
 :tf-hcp:
 endif::[]
-ifeval::["{context}" == "rosa-hcp-sts-creating-a-cluster-quickly"]
-:hcp-rosa:
-endif::[]
 
 :_mod-docs-content-type: CONCEPT
 [id="rosa-sts-overview-of-the-default-cluster-specifications_{context}"]
@@ -48,9 +48,16 @@ ifdef::tf-classic,tf-hcp[]
 * Default IAM role prefix: `rosa-<6-digit-alphanumeric-string>`
 endif::tf-classic,tf-hcp[]
 ifndef::tf-classic,tf-hcp[]
+ifdef::openshift-rosa[]
 * Default IAM role prefix: `ManagedOpenShift`
+endif::openshift-rosa[]
+ifdef::openshift-rosa-hcp[]
+* Default IAM role prefix: `HCP-ROSA`
+endif::openshift-rosa-hcp[]
 endif::tf-classic,tf-hcp[]
+ifndef::openshift-rosa-hcp[]
 * No cluster admin role created
+endif::openshift-rosa-hcp[]
 
 |Cluster settings
 |
@@ -70,29 +77,32 @@ ifdef::openshift-rosa-hcp[]
 * Default AWS region for installations using the ROSA CLI (`rosa`): Defined by your `aws` CLI configuration
 * Default EC2 IMDS endpoints (both v1 and v2) are enabled
 endif::openshift-rosa-hcp[]
-* Availability: Single zone for the data plane
 endif::tf-classic,tf-hcp[]
-ifndef::rosa-hcp,tf-hcp[]
+ifndef::openshift-rosa-hcp,tf-hcp[]
 * EC2 Instance Metadata Service (IMDS) is enabled and allows the use of IMDSv1 or IMDSv2 (token optional)
-endif::rosa-hcp,tf-hcp[]
+endif::openshift-rosa-hcp,tf-hcp[]
+* Availability: Single zone for the data plane
 * Monitoring for user-defined projects: Enabled
-ifndef::openshift-rosa-hcp,hcp-rosa[]
+ifdef::openshift-rosa-hcp[]
+* No cluster admin role created
+endif::openshift-rosa-hcp[]
+ifndef::openshift-rosa-hcp[]
 |Encryption
 |* Cloud storage is encrypted at rest
 * Additional etcd encryption is not enabled
 * The default AWS Key Management Service (KMS) key is used as the encryption key for persistent data
-endif::openshift-rosa-hcp,hcp-rosa[]
+endif::openshift-rosa-hcp[]
 
-ifdef::openshift-rosa,openshift-rosa-hcp,tf-classic[]
+ifdef::openshift-rosa,tf-classic[]
 |Control plane node configuration
 |* Control plane node instance type: m5.2xlarge (8 vCPU, 32 GiB RAM)
 * Control plane node count: 3
-endif::openshift-rosa,openshift-rosa-hcp,tf-classic[]
-ifndef::openshift-rosa-hcp,hcp-rosa[]
+endif::openshift-rosa,tf-classic[]
+ifndef::openshift-rosa-hcp[]
 |Infrastructure node configuration
 |* Infrastructure node instance type: r5.xlarge (4 vCPU, 32 GiB RAM)
 * Infrastructure node count: 2
-endif::openshift-rosa-hcp,hcp-rosa[]
+endif::openshift-rosa-hcp[]
 
 |Compute node machine pool
 |* Compute node instance type: m5.xlarge (4 vCPU 16, GiB RAM)
@@ -145,7 +155,7 @@ endif::openshift-rosa-hcp[]
 +
 [NOTE]
 ====
-For installations that use {cluster-manager} on the {hybrid-console-second}, the `auto` mode requires an admin-privileged {cluster-manager} role.
+For installations that use {cluster-manager} on the {hybrid-console-second}, the `auto` mode requires an admin-privileged {cluster-manager} role (ocm-role).
 ====
 ifdef::tf-classic,tf-hcp[]
 * Default Operator role prefix: `rosa-<6-digit-alphanumeric-string>`
@@ -175,7 +185,4 @@ endif::[]
 ifeval::["{context}" == "rosa-hcp-creating-a-cluster-quickly-terraform"]
 :!tf-hcp:
 endif::[]
-ifeval::["{context}" == "rosa-hcp-sts-creating-a-cluster-quickly"]
-:!hcp-rosa:
-endif::[]
 
diff --git a/rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc b/rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc
@@ -6,7 +6,7 @@ include::_attributes/attributes-openshift-dedicated.adoc[]
 
 toc::[]
 
-For {hcp-title-first} workloads that do not require public internet access, you can create a private cluster.
+For {product-title} workloads that do not require public internet access, you can create a private cluster.
 
 //include::modules/osd-aws-privatelink-about.adoc[leveloffset=+1]
 //include::modules/osd-aws-privatelink-required-resources.adoc[leveloffset=+1]