life cycle added id

added spaces for life cycle dates

changes after peer review

_topic_maps/_topic_map_rosa.yml

@@ -235,6 +235,17 @@ Topics:
 - Name: Setting up your environment
   File: rosa-sts-setting-up-environment
 ---
+Name: Getting started with ROSA GovCloud
+Dir: rosa_govcloud
+Distros: openshift-rosa
+Topics:
+- Name: Getting started with Red Hat OpenShift Service on AWS (classic architecture) in AWS GovCloud
+  File: rosa-govcloud-getting-started
+- Name: Managing your Red Hat OpenShift Service on AWS (classic architecture) AWS GovCloud account
+  File: rosa-govcloud-account-management
+- Name: Installing a Red Hat OpenShift Service on AWS (classic architecture) cluster in AWS GovCloud
+  File: rosa-install-govcloud-cluster
+---
 Name: Install ROSA Classic clusters
 Dir: rosa_install_access_delete_clusters
 Distros: openshift-rosa

_topic_maps/_topic_map_rosa_hcp.yml

@@ -167,6 +167,17 @@ Topics:
 - Name: Planning resource usage in your cluster
   File: rosa-planning-environment
 ---
+Name: Getting started with ROSA GovCloud
+Dir: rosa_govcloud
+Distros: openshift-rosa-hcp
+Topics:
+- Name: Getting started with Red Hat OpenShift Service on AWS in AWS GovCloud
+  File: rosa-govcloud-getting-started
+- Name: Managing your Red Hat OpenShift Service on AWS (classic architecture) AWS GovCloud account
+  File: rosa-govcloud-account-management
+- Name: Installing a Red Hat OpenShift Service on AWS cluster in AWS GovCloud
+  File: rosa-install-govcloud-cluster
+---
 Name: Install clusters
 Dir: rosa_hcp
 Distros: openshift-rosa-hcp

modules/life-cycle-dates.adoc

@@ -35,4 +35,16 @@ ifdef::openshift-rosa-hcp[]
 Before upgrading your cluster from version 4.16 to version 4.18, confirm that your control plane and machines pools are using version 4.16.
 See _Upgrade options for {product-title} clusters_ in the _Additional resources_ section for more information.
 =====
-endif::openshift-rosa-hcp[]
+endif::openshift-rosa-hcp[]
+
+[id="govcloud-life-cycle-dates_{context}"]
+= Life cycle dates for {product-title} GovCloud
+
+{product-title} GovCloud is subject to FedRAMP high security controls which require the use of cryptographic modules that have received a validation status of active or implementation under test from the Cryptographic Module Validation Program (CMVP). As a result, OpenSSL which is the module that is applicable to RHEL CoreOS in an OpenShift implementation is the determining factor for what OpenShift versions ROSA GovCloud offers, which may create drift from the standard OpenShift support lifecycle.
+
+[options="header"]
+|===
+|Version    |General availability   |End of life
+|4.15       |May 9, 2025           |Dec 1, 2025
+|4.16       |Oct 20, 2025           |Dec 27, 2025
+|===

modules/osd-aws-privatelink-firewall-prerequisites.adoc

@@ -103,6 +103,24 @@ endif::openshift-dedicated[]
 |`oidc.op1.openshiftapps.com`
 |443
 |Used by {product-title}  for STS implementation with managed OIDC configuration.
+
+ifdef::openshift-rosa[]
+|`api.openshiftusgov.com`
+|443
+|This is for GovCloud only.
+
+|`goalert-api.goalert-prod.appsrefrp01ugw1.p1.openshiftusgov.com`
+|443
+|This is for GovCloud only.
+
+|`splunk.y0j2v8m5s2h4t0v.jciv.p1.openshiftusgov.com`
+|443
+|This is for GovCloud only.
+
+|`ocm-prod.rosa-public-nlb.appsrefrp01ugw1.p1.openshiftusgov.com`
+|443
+|This is for GovCloud only.
+endif::openshift-rosa[]
 |===
 
 == Domains for telemetry
@@ -133,6 +151,24 @@ endif::openshift-dedicated[]
 |`observatorium.api.openshift.com`
 |443
 |Required for managed OpenShift-specific telemetry.
+
+ifdef::openshift-rosa[]
+|`console.openshiftusgov.com`
+|443
+|This is for GovCloud only.
+
+|`time-a-g.nist.gov`
+|443
+|This is for GovCloud only.
+
+|`time-a-wwv.nist.gov`
+|443
+|This is for GovCloud only.
+
+|`time-a-b.nist.gov`
+|443
+|This is for GovCloud only.
+endif::openshift-rosa[]
 |===
 
 Managed clusters require enabling telemetry to allow Red{nbsp}Hat to react more quickly to problems, better support the customers, and better understand how product upgrades impact clusters. For more information about how remote health monitoring data is used by Red{nbsp}Hat, see _About remote health monitoring_ in the _Additional resources_ section.

modules/rosa-aws-privatelink-create-cluster.adoc

@@ -1,11 +1,11 @@
 // Module included in the following assemblies:
-//
 // * rosa_install_access_delete_clusters/rosa-aws-privatelink-creating-cluster.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="rosa-aws-privatelink-create-cluster_{context}"]
 = Creating an AWS PrivateLink cluster
 
-You can create an AWS PrivateLink cluster using the {product-title} (ROSA) CLI, `rosa`.
+You can create an AWS PrivateLink cluster using the {rosa-cli-first}.
 
 [NOTE]
 ====
@@ -15,8 +15,8 @@ AWS PrivateLink is supported on existing VPCs only.
 .Prerequisites
 
 * You have available AWS service quotas.
-* You have enabled the ROSA service in the AWS Console.
-* You have installed and configured the latest {product-title} (ROSA) CLI, `rosa`, on your installation host.
+* You have enabled the {product-title} service in the AWS Console.
+* You have installed and configured the latest {rosa-cli}, on your installation host.
 
 .Procedure
 

modules/rosa-govcloud-deploy-cluster.adoc

@@ -0,0 +1,62 @@
+// Module included in the following assemblies:
+// * rosa_govcloud/rosa-install-govcloud-cluster.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-govcloud-deploy-cluster_{context}"]
+= Preparing to deploy a {product-title} cluster in AWS GovCloud
+
+To deploy a {product-title} cluster in AWS GovCloud, you must be logged in to your Red{nbsp}Hat FedRAMP account.
+
+.Prerequisites
+
+* You have configured your AWS CLI to use GovCloud.
+* You are logged into your government region.
+
+.Procedure
+
+. Navigate to https://console.openshiftusgov.com/openshift/token.
+. Sign in with your Red{nbsp}Hat FedRAMP account credentials where you will see a screen with your token.
+. Copy your token for the next step.
++
+. In your terminal:
++
+.. Run `rosa login` and paste your copied token in order to log into the service.
++
+[source,terminal]
+----
+$ rosa login --govcloud --token=<TOKEN>
+----
++
+====
+[NOTE]
+Depending on your AWS CLI configuration, you may need to add a government region to the end of the command string like `--region us-gov-west-1`.
+====
++
+.. Run `rosa whoami` to confirm all information is correct ensuring that you are using the AWS Gov region and the OCM API is “https://api.openshiftusgov.com”..
++
+[source,terminal]
+----
+$ rosa whoami
+----
++
+.Example output
+
+[source,text]
+----
+AWS ARN:                                 arn:aws-us-gov:iam::00000000000:user/rosa-gov-user
+AWS Account ID:                       00000000000
+AWS Default Region:                 us-gov-east-1
+OCM API:                                   https://api.openshiftusgov.com
+OCM Account Email:                  rosa-gov-user@redhat.com
+OCM Account ID:                       3ZXXXXXXXXXXXXXXXXXXXXXXXXX
+OCM Account Name:                 Rosa Gov
+OCM Account Username:          rosa-gov-user
+OCM Organization External ID:  rosa-gov-user
+OCM Organization ID:                3ZXXXXXXXXXXXXXXXXXXXXXXXXX
+OCM Organization Name:          rosa-gov-user
+----
++
+. You must create a VPC where {product-title} will be deployed.
+For instructions on setting up a VPC, see link:https://docs.aws.amazon.com/ROSA/latest/userguide/getting-started-private-link.html#getting-started-private-link-step-2[Amazon VPC architecture for the AWS PrivateLink use case].
+
+

modules/rosa-govcloud-fedramp-signup.adoc

@@ -0,0 +1,48 @@
+// Module included in the following assemblies:
+//
+// * rosa_govcloud/rosa-create-govcloud-cluster.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-govcloud-fedramp-signup_{context}"]
+= Signing up for a Red Hat FedRAMP account
+
+To access {product-title} in AWS GovCloud, you must sign up for a Red{nbsp}Hat FedRAMP account.
+
+.Procedure
+. Navigate to link:https://console.redhat.com/openshift/create/rosa/govcloud[].
+. Complete the access request form.
+. Click *Submit* to sign up.
++
+You will receive a _Submission confirmation_.
+
+Red{nbsp}Hat's confirmed stateside support team will contact you through email for the following information:
+
+* *Admin details* to include your _organization name_, _administrator first and last name_ and _administrator email_.
+
+* *User authentication* option to the FedRAMP {hybrid-console-second} from one of the following two options:
+
+** _Local group in a Red{nbsp}Hat managed Keycloak instance_, where users will be required to setup multi-factor authentication (MFA) with an approved device.
++
+====
+[NOTE]
+Only device link:https://www.yubico.com/product/yubikey-5c-nfc-fips[YubiKEY 5C NFC FIPS] currently accepted.
+====
+** _Customer managed Identity Provider (IdP), integrated via OpenID Connect (OIDC)_, where you will need to provide the following:
+*** *Discovery Endpoint:* The IdP's OIDC discovery URL (typically ending in _/.well-known/openid-configuration_). This allows Keycloak to automatically fetch most of the IdP's settings.
+*** *Client ID and secret:* Credentials that allow Keycloak to authenticate with the customer's IdP.
+*** *Email domain(s):* A list of approved email domains. Only users with an email address from one of these domains will be allowed to log in.
+*** *Essential claim:* A specific key-value pair (e.g., _"rh-approved": "true"_) that must be present in a user's token from the IdP to grant them access.
++
+In this configuration, the customer takes on the responsibility for implementing FIPS 140-2 validated MFA.
+
+
+// Following process with a sign up button will not be available until https://issues.redhat.com/browse/CRCPLAN-397 is complete.
+//. Navigate to https://console.openshiftusgov.com/openshift/token.
+//. Click *Sign up* to sign up for a {product-title} FedRAMP account.
+//+
+//* The *Sign up* link is located below the *Log in* button.
+//+
+//. Enter the required information and click the *Sign up* button.
+//. Once you receive an email with a code for you to confirm, enter the token and click *Confirm account*.
+//+
+//You will be directed to a screen with your login token.

modules/rosa-govcloud-keycloak-identity-management.adoc

@@ -0,0 +1,37 @@
+// Module included in the following assemblies:
+// * rosa_govcloud/rosa-install-govcloud-cluster.adoc
+//Andy Krohg said this is for SRE so to remove this module,
+
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-govcloud-keycloak-identity-management_{context}"]
+= Preparing to access {product-title} in AWS GovCloud using Keycloak
+
+To access {product-title} in AWS GovCloud using Keycloak for identity management.
+
+.Prerequisites
+
+* You have configured your AWS CLI to use GovCloud.
+* You are logged into your government region.
+* You have the admin user details.
+* *Customer Configuration Options (Schemas)*
+Identify which of the three categories customers are based on their Identity Provider (IdP) setup, each corresponding to a specific YAML schema:
+** *Customer with Configurable IdP:* For customers who use their own external IdP and can configure it to send a specific essential claim to automatically validate users with the following details:
+*** *Discovery Endpoint:* The IdP's OIDC discovery URL (typically ending in _/.well-known/openid-configuration_). This allows Keycloak to automatically fetch most of the IdP's settings.
+*** *Client ID & Secret:* Credentials that allow Keycloak to authenticate with the customer's IdP.
+*** *Email Domain(s):* A list of approved email domains. Only users with an email address from one of these domains will be allowed to log in.
+*** *Essential Claim:* A specific key-value pair (e.g., _"rh-approved": "true"_) that must be present in a user's token from the IdP to grant them access. This is a crucial mechanism for controlling access from the customer's side. This claim must be a custom one, not a standard OIDC claim.
+** *Customer without IdP:* For customers who use the platform's Keycloak instance as their direct identity provider.
+** *Customer with Unchangeable IdP:* For customers who use their own external IdP but cannot configure it to send the essential claim. These customers rely on manual user approval.
+
+.Procedure
+For any customer that has an IdP please use the following steps:
+
+. Navigate to Keycloak Admin Console.
+. Change to the redhat-external realm.
+. Under _Configure_, select *Identity providers*.
+. Click on the IdP of the customer whose configuration was just merged into _keycloak-interface_.
+. Under _OIDC_, click *Settings*.
+. Expand the *Advanced* section and update the _Scopes_ field to _openid profile email_.
+
+This ensures that when a user first logs into Keycloak via the IdP, all the required information for that user is correctly imported.
+

modules/rosa-govcloud-manage-fedramp.adoc

@@ -0,0 +1,30 @@
+// Module included in the following assemblies:
+// * rosa_govcloud/rosa-govcloud-account-management.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-govcloud-manage_{context}"]
+= Changing your Red Hat FedRAMP account password
+
+To change your FedRAMP account password, you must have access to your Red{nbsp}Hat FedRAMP account.
+
+.Procedure
+
+. Navigate to link:https://sso.openshiftusgov.com/realms/redhat-external/account[].
+. Sign in with your current username and password.
+. Under the middle box called _Account Security_, click *Signing In*.
+. Under _Basic Authentication_ select *Password*.
+. Click *Update* and choose a password that meets the following requirements:
++
+* minimum of fifteen (15) characters
+* at least one (1) upper-case letter
+* at least one (1) lower-case letter
+* at least one (1) number
+* at least one (1) special character (e.g. ~ ! @ # $ % ^ & * ( ) _ + = - ‘ [ ] / ? > <)
+. Confirm your password.
+. Click *Submit*.
+
+// reducing the steps from
+//To change your FedRAMP password:
+//. Navigate to https://console.openshiftusgov.com/openshift/token.
+//. Click *Forgot your password?* under the password field.
+//. Follow the steps to change your password

modules/rosa-govcloud-manage-vpn.adoc

@@ -0,0 +1,25 @@
+// Module included in the following assemblies:
+// * rosa_govcloud/rosa-govcloud-account-management.adoc
+
+//doc not used and removed form the assembly as no VPN required
+
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-govcloud-manage-vpn_{context}"]
+= Changing your VPN password
+
+Once you have access to the VPN, you can change your VPN password.
+
+.Prerequisites
+
+* You must have downloaded and installed the VPN client.
+* You must not be connected to the VPN.
+
+.Procedure
+
+To change your VPN password:
+
+. Navigate to https://auth.openshiftusgov.com/auth.
+. Sign in with your current username and password.
+. Under the middle box called _Account Security_, click *Signing in*.
+. Click *Update* in the _My Password_ row.
+. Enter your new password, confirm it, then click *Submit*.

modules/rosa-govcloud-preparing-access.adoc

@@ -0,0 +1,42 @@
+// Module included in the following assemblies:
+// * rosa_govcloud/rosa-govcloud-getting-started.adoc
+//Andy Krohg said this is for SRE so to remove this module, and add to the signup module
+
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-govcloud-preparing-access_{context}"]
+= Preparing to access {product-title} in AWS GovCloud
+
+To access {product-title} in AWS GovCloud you must prepare your accounts and list of users.
+
+.Prerequisites
+
+* You must have one of the following:
+** FIPS 140-2 compliant hardware token if you use Red{nbsp}Hat authorization for access to console.openshiftusgov.com.
+** Integrated IDP if you are an existing customer with a managed hardware token and authorization infrastructure.
+* You must already have an AWS GovCloud account.
+* You must already have a commercial Red{nbsp}Hat account.
+** If you need a commercial Red{nbsp}Hat account, visit the link:https://console.redhat.com[console] to sign up.
+* You have configured your AWS CLI to use GovCloud.
+* You already have the latest version of the {rosa-cli-first} installed.
+* You must have enabled {product-title} on the paired commercial account.
+* You must attest that users:
+** Are US-based, a US citizen, and using a US IP address based on GovCloud and US government requirements.
+** Have a successful background check from an approved entity conducted by their organization or sponsoring agency.
+** Should be subject to initial and annual refresher security training.
+
+//Andy Krohg said the following is redundant to the FedRAMP access
+//.Procedure
+
+//To prepare for access to {product-title} in AWS GovCloud:
+
+//[TIP]
+//====
+//The following steps are only performed once per person.
+//====
+
+//. Contact your Red{nbsp}Hat account team to request access.
+//. Prepare a list of users and email addresses who need access.
+//. Each user who needs access must sign and return the _Rules of Behavior_ form to your account team.
+//. After the first three steps are complete, which typically takes three to six business days, you will receive instructions from Red{nbsp}Hat with your credentials.
+
+

modules/rosa-govcloud-privatelink-create-cluster.adoc

@@ -0,0 +1,76 @@
+// Module included in the following assemblies:
+// * rosa_install_access_delete_clusters/rosa-aws-privatelink-creating-cluster.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-aws-privatelink-create-cluster_{context}"]
+= Creating an AWS PrivateLink cluster
+
+You can create an AWS PrivateLink cluster using the {rosa-cli-first}.
+
+[NOTE]
+====
+AWS PrivateLink is supported on existing VPCs only.
+====
+
+.Prerequisites
+
+* You have available AWS service quotas.
+* You have enabled the {product-title} service in the AWS Console.
+* You have installed and configured the latest {rosa-cli}, on your installation host.
+* For GovCloud, you have enabled the {product-title} service in the AWS Console on the linked commercial account because it is inside the commercial account that you enable {product-title} for GovCloud. For more information, see link:https://docs.aws.amazon.com/rosa/latest/userguide/set-up.html#enable-rosa[Enable ROSA and configure AWS prerequisites].
+* For link:https://docs.aws.amazon.com/rosa/latest/userguide/integration-marketplace.html#_private_marketplace[Private Marketplace], you have enabled the {product-title} service in the AWS Console.
+ifdef::openshift-rosa[]
+For more information, see link:https://aws.amazon.com/marketplace/pp/prodview-tnyp2h3acabm6[AWS Marketplace listings for ROSA].
+endif::openshift-rosa[]
+ifdef::openshift-rosa-hcp[]
+For more information, see link:https://aws.amazon.com/marketplace/pp/prodview-juiwfhpeizxro[AWS Marketplace listings for ROSA].
+endif::openshift-rosa-hcp[]
+
+.Procedure
+
+Creating a cluster can take up to 40 minutes.
+
+. With AWS PrivateLink, you can create a cluster with a single availability zone (Single-AZ) or multiple availability zones (Multi-AZ). In either case, your machine's classless inter-domain routing (CIDR) must match your virtual private cloud's CIDR. See link:https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/installing_on_aws/installing-aws-vpc#installation-custom-aws-vpc-requirements_installing-aws-vpc[Requirements for using your own VPC] and link:https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/installing_on_aws/installing-aws-vpc#installation-custom-aws-vpc-validation_installing-aws-vpc[VPC validation] for more information.
++
+[IMPORTANT]
+====
+If you use a firewall, you must configure it so that {product-title} can access the sites that it requires to function.
+
+For more information, see the AWS PrivateLink firewall prerequisites section.
+====
++
+--
+include::snippets/rosa-long-cluster-name.adoc[]
+--
++
+** To create a Single-AZ cluster:
++
+[source,terminal]
+----
+$ rosa create cluster --private-link --cluster-name=<cluster-name> [--machine-cidr=<VPC CIDR>/16] --subnet-ids=<private-subnet-id>
+----
+** To create a Multi-AZ cluster:
++
+[source,terminal]
+----
+$ rosa create cluster --private-link --multi-az --cluster-name=<cluster-name> [--machine-cidr=<VPC CIDR>/16] --subnet-ids=<private-subnet-id1>,<private-subnet-id2>,<private-subnet-id3>
+----
+
+. Enter the following command to check the status of your cluster. During cluster creation, the `State` field from the output will transition from `pending` to `installing`, and finally to `ready`.
++
+[source,terminal]
+----
+$ rosa describe cluster --cluster=<cluster_name>
+----
++
+[NOTE]
+====
+If installation fails or the `State` field does not change to `ready` after 40 minutes, check the installation troubleshooting documentation for more details.
+====
+
+. Enter the following command to follow the OpenShift installer logs to track the progress of your cluster:
++
+[source,terminal]
+----
+$ rosa logs install --cluster=<cluster_name> --watch
+----

modules/rosa-govcloud-support-ticket.adoc

@@ -0,0 +1,15 @@
+// Module included in the following assemblies:
+// * rosa_govcloud/rosa-govcloud-account-management.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-govcloud-support-ticket_{context}"]
+= Opening a support ticket
+
+To get access to open a support ticket please complete the following.
+
+.Procedure
+
+. If you need to create an account, please contact fedramp-css@openshiftusgov.com.
+. Once access is granted, navigate to link:https://redhatgov.servicenowservices.com/css[].
+. Click *Create Case* and complete the required information.
+. Click *Submit*.

modules/rosa-hcp-firewall-prerequisites.adoc

@@ -65,8 +65,13 @@ If you are using a firewall to control egress traffic from {product-title}, your
 |`mirror.openshift.com`
 |443
 |Required. Used to access mirrored installation content and images. This site is also a source of release image signatures, although the Cluster Version Operator (CVO) needs only a single functioning source.
+
+|`api.openshiftusgov.com`
+|443
+|This is for GovCloud only.
 |===
 
+
 == Domains for telemetry
 [cols="6,1,6",options="header"]
 |===
@@ -82,6 +87,22 @@ If you are using a firewall to control egress traffic from {product-title}, your
 |`sso.redhat.com`
 |443
 |Required. The `https://console.redhat.com/openshift` site uses authentication from `sso.redhat.com` to download the pull secret and use Red{nbsp}Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, etc.
+
+|`console.openshiftusgov.com`
+|443
+|This is for GovCloud only.
+
+|`time-a-g.nist.gov`
+|443
+|This is for GovCloud only.
+
+|`time-a-wwv.nist.gov`
+|443
+|This is for GovCloud only.
+
+|`time-a-b.nist.gov`
+|443
+|This is for GovCloud only.
 |===
 
 Managed clusters require enabling telemetry to allow Red{nbsp}Hat to react more quickly to problems, better support the customers, and better understand how product upgrades impact clusters.

modules/rosa-release-notes-Q4-2025.adoc

@@ -7,6 +7,21 @@
 
 [role="_abstract"] 
 The following items were added during the fourth quarter of 2025.
+* ** AWS GovCloud.**
+The Amazon Web Services (AWS) GovCloud service is now available and for use by federal and government agencies, or by commercial organizations and Federal Information Security Modernization Act (FISMA) R&D Universities supporting a government contract or in the process of bidding on a government contract such as a request for proposal (RFP) or request for information (RFI) pre-bid stage.
+ifdef::openshift-rosa-hcp[]
+https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/rosa_govcloud/rosa-govcloud-getting-started#rosa-govcloud-getting-started[Getting started with ROSA GovCloud]
+endif::openshift-rosa-hcp[]
+ifdef::openshift-rosa[]
+See link:
+https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws_classic_architecture/4/html/rosa_govcloud/rosa-govcloud-getting-started#rosa-govcloud-getting-started[Getting started with ROSA GovCloud].
+endif::openshift-rosa[]
+
+ifdef::openshift-rosa-hcp[]
+* ** ImageDigestMirrorSets (IDMS) now supported.**
+{product-title} now supports ImageDigestMirrorSets (IDMS), enabling clusters to redirect image pulls to a private, mirrored registry. This critical enhancement means customers in air-gapped or restricted networks can host their own mirrors for third-party images while satisfying strict security and compliance requirements. For more information, see xref:../openshift_images/image-configuration-hcp.adoc#images-registry-mirroring_image-configuration-hcp[Image registry mirroring for {product-title}].
+endif::openshift-rosa-hcp[]
+
 
 * **New version of {product-title} available.** {product-title} version 4.20 is now available for new clusters.
 

modules/rosa-sdpolicy-am-regions-az.adoc

@@ -29,6 +29,12 @@ Regions in China are not supported, regardless of their support on OpenShift Con
 ====
 For GovCloud (US) regions, you must submit an link:https://console.redhat.com/openshift/create/rosa/govcloud[Access request for Red{nbsp}Hat OpenShift Service on AWS (ROSA) FedRAMP].
 
+The following AWS GovCloud regions are supported:
+
+* `us-gov-west-1`
+* `us-gov-east-1`
+
+For more information about AWS GovCloud regions, see the link:https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/welcome.html[The AWS GovCloud (US) User Guide].
 ====
 
 .AWS regions

rosa_govcloud/_attributes

@@ -0,0 +1 @@
+../_attributes/

rosa_govcloud/images

@@ -0,0 +1 @@
+../images/

rosa_govcloud/modules

@@ -0,0 +1 @@
+../modules/

rosa_govcloud/rosa-govcloud-account-management.adoc

@@ -0,0 +1,22 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="rosa-govcloud-account-management"]
+= Managing your {product-title} AWS GovCloud account
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: rosa-govcloud-account-management
+
+toc::[]
+
+//I'm not sure what I meant by <Govcloud statement>, but there was likely a request for making a statement about the access or similar to it. I'll see what I can find
+//[NOTE]
+//====
+//<Govcloud statement>
+//====
+
+Once you have access to the FedRAMP accounts, you can manage the credentials as needed.
+
+include::modules/rosa-govcloud-manage-fedramp.adoc[leveloffset=+1]
+
+include::modules/rosa-govcloud-support-ticket.adoc[leveloffset=+1]
+
+//following module not used anymore as no VPN required
+//include::modules/rosa-govcloud-manage-vpn.adoc[leveloffset=+1]

rosa_govcloud/rosa-govcloud-getting-started.adoc

@@ -0,0 +1,23 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="rosa-govcloud-getting-started"]
+= Getting started with {product-title} in AWS GovCloud
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: rosa-govcloud-getting-started
+
+toc::[]
+
+//I'm not sure what I meant by <Govcloud statement>, but there was likely a request for making a statement about the access or similar to it. I'll see what I can find
+//[NOTE]
+//====
+//<Govcloud statement>
+//====
+
+// old definitition as no blocking anymore based on verification
+//Federal and government agencies can be granted access to the {product-title} in AWS GovCloud environment without further verification. However, commercial organizations and Federal Information Security Modernization Act (FISMA) R&D Universities must provide documentation to show that they are supporting a government contract or in the process of bidding on a government contract such as a request for proposal (RFP) or request for information (RFI) pre-bid stage. The customers who are in the government support verification process can review a subset of the FedRAMP Authority to Operate (ATO) documentation, but cannot gain access to the {product-title} in AWS GovCloud environment until verification is complete.
+
+This service is for use by federal and government agencies, or by commercial organizations and Federal Information Security Modernization Act (FISMA) R&D Universities supporting a government contract or in the process of bidding on a government contract such as a request for proposal (RFP) or request for information (RFI) pre-bid stage.
+
+//Snippet for accessing ROSA in AWS GovCloud
+include::snippets/rosa-access-govcloud.adoc[]
+
+include::modules/rosa-govcloud-fedramp-signup.adoc[leveloffset=+1]

rosa_govcloud/rosa-install-govcloud-cluster.adoc

@@ -0,0 +1,26 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="rosa-install-govcloud-cluster"]
+= Installing a {product-title} cluster in AWS GovCloud
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: rosa-install-govcloud-cluster
+
+toc::[]
+
+//I'm not sure what I meant by <Govcloud statement>, but there was likely a request for making a statement about the access or similar to it. I'll see what I can find
+//[NOTE]
+//====
+//<Govcloud statement>
+//====
+
+To install a {product-title} cluster in AWS GovCloud you must:
+
+* Meet the requirements to access AWS GovCloud.
+* Complete the steps in xref:../rosa_govcloud/rosa-govcloud-getting-started.adoc#rosa-govcloud-getting-started[Getting started with {product-title} in AWS GovCloud]:
+** Preparing to access {product-title} in AWS GovCloud.
+** Signing up for a Red{nbsp}Hat FedRAMP account following.
+
+include::modules/rosa-govcloud-deploy-cluster.adoc[leveloffset=+1]
+
+include::modules/rosa-govcloud-privatelink-create-cluster.adoc[leveloffset=+1]
+
+

rosa_govcloud/snippets

@@ -0,0 +1 @@
+../snippets/

snippets/rosa-access-govcloud.adoc

@@ -0,0 +1,17 @@
+// Text snippet included in the following assemblies:
+// * rosa_govcloud/rosa-install-govcloud-cluster.adoc
+// * rosa_govcloud/rosa-govcloud-getting-started.adoc
+//
+// Text snippet included in the following modules:
+//
+:_mod-docs-content-type: SNIPPET
+
+{product-title} in AWS GovCloud, carries the following requirements:
+
+* {product-title} FedRAMP can only be deployed into an existing VPC. See link:https://docs.aws.amazon.com/ROSA/latest/userguide/getting-started-private-link.html#getting-started-private-link-step-2[Create Amazon VPC architecture for the AWS PrivateLink] use case for instructions on setting up a VPC.
+* {product-title} in AWS GovCloud only supports the use of the link:https://www.redhat.com/en/blog/what-is-aws-sts-and-how-does-red-hat-openshift-service-on-aws-rosa-use-sts[AWS STS] credentials method.
+* {product-title} in AWS GovCloud only uses Federal Information Processing Standards (FIPS) validated modules in process cryptographic libraries.
+* {product-title} in AWS GovCloud requires a separate Red{nbsp}Hat account for use with FedRAMP, even if you already have an existing Red{nbsp}Hat account for {product-title} clusters in commercial regions.
+** Each person who needs to be able to create, modify, or delete clusters must have their own Red{nbsp}Hat FedRAMP account.
+** Access to an existing cluster, to use that cluster, does not require a Red{nbsp}Hat FedRAMP account.
+* You can use your Red{nbsp}Hat FedRAMP account to deploy to multiple AWS GovCloud accounts.