DOC-2277: Warn that BYOC GCP credential rotation needs Support #625

Merged
micheleRP merged 5 commits into main from DOC-2277-gcp-credential-rotation-warning on Jun 26, 2026

Conversation

@micheleRP micheleRP commented Jun 24, 2026

Contributor

What

Adds a Service account credential rotation callout to two BYOC GCP pages:

  • GCP IAM Policies (cloud-iam-policies-gcp.adoc) — new section at the bottom.
  • Create a BYOC Cluster on GCP (create-byoc-cluster-gcp.adoc) — section before "Next steps".

The callout text lives in a single shared partial (security:partial$byoc-gcp-credential-rotation.adoc) included by both pages, so it stays in sync.

Why

Customer incident ZD-6896: a BYOC GCP customer rotated their GCP service account credentials without coordinating with Redpanda Support. The agent lost connectivity, the cluster stuck in "Upgrading," tiered storage was disrupted, and recovery took 8 days of Engineering effort. The docs never warned that credential rotation is not self-service. This PR closes that gap.

Resolves DOC-2277.

Notes

  • Uses a [WARNING] admonition for the not-self-service / disruption risk, with the "contact Support" instructions as body text above it.
  • The internal CIAINFRA-3907 reference is intentionally omitted from the public docs.

Preview pages

🤖 Generated with Claude Code

Add a "Service account credential rotation" callout to the GCP IAM
Policies and Create a BYOC Cluster on GCP pages, explaining that GCP
service account credential rotation is not self-service and must be
coordinated with Redpanda Support. The callout lives in a shared
partial included by both pages.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@micheleRP micheleRP requested a review from a team as a code owner June 24, 2026 16:10
coderabbitai Bot commented Jun 24, 2026

Contributor

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

Walkthrough

A new AsciiDoc partial file, byoc-gcp-credential-rotation.adoc, is introduced under modules/security/partials/. It describes the procedure for rotating BYOC GCP service account credentials by contacting Redpanda Support and includes a warning that the rotation is not self-service and can leave the cluster in an unrecoverable state if performed without coordination. This partial is then included in two existing pages: the BYOC GCP cluster creation page (within the "Manage custom resource labels and network tags" section) and the GCP cloud IAM policies page.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • redpanda-data/cloud-docs#400: Introduced or expanded the BYOC GCP custom resource labels and network tags workflow in create-byoc-cluster-gcp.adoc, the same section where the new credential rotation partial is now included.

Suggested reviewers

  • kbatuigas
  • gavinheavyside
  • matteogaraventa

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

  • Title check: ✅ Passed. The title is concise and accurately summarizes the main change.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Description check: ✅ Passed. The PR description covers the change, rationale, linked issue, notes, and preview pages, though it omits the template's review deadline and checklist.

netlify Bot commented Jun 24, 2026

Deploy Preview for rp-cloud ready!

Name Link
🔨 Latest commit ab93ff7
🔍 Latest deploy log https://app.netlify.com/projects/rp-cloud/deploys/6a3e8e68d7698a0008a1ae6f
😎 Deploy Preview https://deploy-preview-625--rp-cloud.netlify.app

Comment thread modules/security/partials/byoc-gcp-credential-rotation.adoc Outdated
Address review feedback on the disruption warning: add agent
connectivity, specify tiered storage uploads, and replace
"unrecoverable state" with cluster stuck and unable to complete
future operations.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Comment thread modules/security/partials/byoc-gcp-credential-rotation.adoc Outdated
Comment thread modules/security/partials/byoc-gcp-credential-rotation.adoc Outdated
Comment thread modules/security/partials/byoc-gcp-credential-rotation.adoc Outdated
Comment thread modules/security/partials/byoc-gcp-credential-rotation.adoc Outdated

@Feediver1 Feediver1 left a comment

Contributor

Check out Claude's suggestions re other pages that may be impacted.

@Feediver1 Feediver1 left a comment

Contributor

Final-pass review (docs-team-standards)

Overall: Clean, well-scoped, incident-driven doc-gap fix. SME-reviewed and approved, correct single-sourcing and heading levels. No critical issues — one cross-platform follow-up worth flagging.

What this PR does

Adds a Service account credential rotation warning to two BYOC GCP pages (GCP IAM Policies; Create a BYOC Cluster on GCP) via a single shared partial, telling customers that GCP service account credential rotation is not self-service and must be coordinated with Redpanda Support — closing the gap behind incident ZD-6896.

Jira alignment

DOC-2277 — fully addressed: the missing warning + safe "contact Support" path, on the two pages a GCP operator would look. (Couldn't fetch the ticket directly via MCP, but the content matches the PR's stated requirement. Internal CIAINFRA-3907 ref correctly omitted from public docs.)

Critical issues

None. Verified:

  • Partial resolves: security:partial$byoc-gcp-credential-rotation.adoc created here; both consumers use correct full cross-module include syntax.
  • Heading levels correct — the partial's == Service account credential rotation lands as a proper H2 sibling in both pages.
  • No single-source risk — these GCP pages and iam-policies.adoc are cloud-docs-native (env-gated, not single-sourced from docs), so a cloud-docs partial is consistent.
  • No nav change needed — content added to existing pages.

Suggestions

  1. Impact — AWS/Azure equivalents. Sibling pages exist (cloud-iam-policies.adoc AWS, cloud-iam-policies-azure.adoc, and create-byoc-cluster-aws/azure.adoc). If credential rotation is also Support-coordinated for BYOC on AWS/Azure (likely, given shared BYOC architecture), those pages have the same gap. Out of scope for DOC-2277 (GCP incident), but worth a follow-up ticket so the warning isn't GCP-only.
  2. Minor — ordering. The how-to ("contact Support to rotate") precedes the WARNING. Conventionally the risk warning leads, then the safe path. Current order is a deliberate choice and reads fine; optional to flip.

Impact on other files

  • AWS/Azure BYOC pages — see suggestion 1 (follow-up, not a blocker).
  • No What's New entry needed (safety/clarity fix, not a feature). No broken xrefs.

CodeRabbit

No inline findings posted.

What works well

  • Single shared partial keeps both pages in sync — the right pattern for identical warning text.
  • SME review tightened the disruption list (agent connectivity, tiered storage uploads) and replaced "unrecoverable state" with the more accurate "stuck and unable to complete future operations."
  • WARNING tone calibrated — "can disrupt… can leave the cluster stuck" frames risk without overstating.
  • Internal ticket reference kept out of public docs.

🤖 Automated final-pass review via docs-team-standards pr-review.

micheleRP and others added 2 commits June 26, 2026 08:35
Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com>
Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com>
@micheleRP

Contributor Author

Confirmed with Matteo that we'll merge this now and if/when we get confirmation about AWS & Azure, we'll update the doc for them similarly.

@micheleRP micheleRP merged commit d007c7f into main Jun 26, 2026
5 checks passed
@micheleRP micheleRP deleted the DOC-2277-gcp-credential-rotation-warning branch June 26, 2026 16:02