Redpanda Terraform provider: manage Connect pipelines, PrivateLink, and more

We're going "beyond the cluster" to standardize streaming for modern enterprises

February 5, 2026

The Redpanda Terraform provider is designed to manage clusters and Apache Kafka® resources in Redpanda Cloud. It supports the provisioning, management, and configuration of clusters and Kafka resources like topics and schemas, as well as configuration of Redpanda-specific resources like roles and pipelines.

Since our GA release in May 2025, the Redpanda Terraform provider has received over 400,000 installs. We have steadily broadened the capabilities of the provider, starting with the provisioning, management, and configuration of cluster infrastructure and Kafka resources, to help teams move toward a governed, automated streaming standard.

For organizations scaling their data footprint, the provider offers more than just automation; it provides a single, declarative control plane for the entire streaming lifecycle.

In this blog post, we describe some of the most recent additions to the Redpanda provider. For a full list of examples and resources managed, see our Terraform Provider Registry documentation.

Standardized provisioning of Redpanda Cloud clusters

The Redpanda Terraform provider lets you automate the lifecycle and configuration of clusters using our Cloud API. Previously, platform teams needed to use the rpk CLI or make API requests to provision a cluster for BYOC or BYOVPC. Now, using a single Terraform configuration file, you can bring up an entire BYOC or BYOVPC cluster with a Redpanda network by running terraform plan and terraform apply.

See an example of provisioning a Redpanda BYOC cluster on AWS.

BYOVPC support for security-first architectures

Bring your own VPC (BYOVPC) provides a unique form factor for deploying Redpanda clusters in secure environments where fine-grained permissions are used to manage resources within an already provisioned VPC. Redpanda currently supports BYOVPC for both GCP and AWS.

To start provisioning resources, you must provide a set of arguments for customer-managed resources that include identifiers such as arn for AWS or name for GCP resources.

For more details, our docs provide an example of provisioning a BYOVPC cluster on AWS, where customer-managed resources are provided to the redpanda_network and redpanda_cluster resources.

Manage Redpanda Connect pipelines as code

One of the most significant hurdles in streaming is the gap between managing the cluster and managing the data. With the addition of Redpanda Connect pipeline management, that gap is officially closed.

Platform teams can now manage ingestion and transformation pipelines—leveraging hundreds of pre-built connectors—within the same Terraform workflow they use for their VPCs. See an example pipeline configuration below, or see the full docs for redpanda_pipeline resources in our Terraform registry.

resource "redpanda_pipeline" "example" {
  cluster_api_url = redpanda_cluster.example.cluster_api_url
  display_name    = "example-pipeline"
  description     = "An example Redpanda Connect pipeline"
  state           = "stopped"

  config_yaml = <<-YAML
    input:
      generate:
        interval: "1s"
        mapping: |
          root.message = "hello world"
          root.timestamp = now()

    output:
      stdout: {}
  YAML

  resources = {
    memory_shares = "256Mi"
    cpu_shares    = "200m"
  }

  tags = {
    "environment" = "example"
    "managed-by"  = "terraform"
  }
}

Configure Serverless clusters for AWS PrivateLink 

Redpanda Serverless now supports PrivateLink via Terraform, enabling secure inbound communication to the broker. This gives teams the "zero-to-sixty" speed of a serverless model while satisfying strict requirements that data must never traverse the public internet.

We provide an example configuration below. See the full details for redpanda_serverless_cluster and redpanda_serverless_private_link resources in the docs.

resource "redpanda_serverless_private_link" "test" {
  count             = 1
  name              = "${var.cluster_name}-private-link"
  resource_group_id = redpanda_resource_group.test.id
  cloud_provider    = "aws"
  serverless_region = var.region
  allow_deletion    = var.allow_private_link_deletion

  cloud_provider_config = {
    aws = {
      allowed_principals = var.allowed_principals
    }
  }
}

resource "redpanda_serverless_cluster" "test" {
  name              = var.cluster_name
  resource_group_id = redpanda_resource_group.test.id
  serverless_region = var.region

  private_link_id = redpanda_serverless_private_link.test[0].id

  networking_config = {
    public  = var.public_networking
    private = var.private_networking
  }
}
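
The allowed_principals list decides which AWS identities may connect to the PrivateLink endpoint, so it is worth validating where the variable is declared. The following is an added example, not taken from the Redpanda docs: the variable types, the ARN pattern, and the default are assumptions about how a consuming module might declare two of the variables referenced above.

```hcl
# Added example: declarations for variables used by the configuration above.
# Types, defaults, and the validation policy are assumptions made for
# illustration, not requirements of the Redpanda provider.

variable "allowed_principals" {
  description = "AWS principals permitted to connect to the Serverless PrivateLink endpoint."
  type        = list(string)

  validation {
    # Require fully qualified IAM ARNs with a 12-digit account ID.
    # This rejects "*", bare account IDs, and ARNs containing wildcards.
    condition = alltrue([
      for p in var.allowed_principals :
      can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:(root|role/[^*]+|user/[^*]+)$", p))
    ])
    error_message = "Each principal must be an IAM ARN naming a specific account root, role, or user; wildcards are not accepted."
  }

  validation {
    # Duplicates usually indicate a copy-paste error in the allow list.
    condition     = length(distinct(var.allowed_principals)) == length(var.allowed_principals)
    error_message = "The list of allowed principals must not contain duplicates."
  }
}

variable "allow_private_link_deletion" {
  description = "Set to true only for a planned teardown of the private link."
  type        = bool
  default     = false
}
```

With these declarations, terraform plan fails before any API call if someone widens the allow list to a wildcard.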

Write-only arguments for secure credentials

The provider now supports Terraform write-only arguments (suffixed with _wo) for sensitive resources. Sensitive data is used to create the resource and is then immediately discarded by Terraform, ensuring credentials never appear in plain-text plan or state files. Here's a quick example:

resource "redpanda_user" "example" {
  name                = "example-user"
  password_wo         = var.user_password  # Not stored in state
  password_wo_version = 1                  # Increment to trigger password update
  mechanism           = "scram-sha-256"
  cluster_api_url     = redpanda_cluster.example.cluster_api_url
}
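
Write-only arguments were introduced in Terraform 1.11, and the value passed to one still has to come from somewhere. The added example below (not from the Redpanda docs) declares var.user_password as ephemeral so that Terraform also omits the input variable from state and saved plan files; the variable name user_password_version and the version constraint are assumptions.

```hcl
# Added example: feeding the write-only argument from an ephemeral variable.

terraform {
  # Write-only arguments need Terraform 1.11 or later.
  required_version = ">= 1.11"
}

variable "user_password" {
  description = "Password for example-user; supply via TF_VAR_user_password or a secrets manager."
  type        = string
  sensitive   = true # redacted in CLI output
  ephemeral   = true # not persisted to state or plan files
}

# Hypothetical helper variable: bump it to push a rotated password.
variable "user_password_version" {
  description = "Increment to make Terraform send the current password to the cluster again."
  type        = number
  default     = 1

  validation {
    condition     = var.user_password_version >= 1 && floor(var.user_password_version) == var.user_password_version
    error_message = "The password version must be a positive whole number."
  }
}

resource "redpanda_user" "example" {
  name                = "example-user"
  password_wo         = var.user_password         # write-only: never stored
  password_wo_version = var.user_password_version # stored; a change triggers an update
  mechanism           = "scram-sha-256"
  cluster_api_url     = redpanda_cluster.example.cluster_api_url
}
```

Because the variable is ephemeral, its value must be supplied again when applying a saved plan, so the pipeline step that runs terraform apply needs the same access to the secret as the step that runs terraform plan.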

Building for the long term

The Redpanda Terraform provider has evolved into a first-class infrastructure-as-code tool for managing the full lifecycle of Redpanda Cloud environments.

Whether you are operating in tightly controlled VPCs or feeding real-time data to AI agents, the provider gives you the control to manage your streaming stack the same way you manage the rest of your cloud—with code.
