Add simple tab to separate console/api steps

tidb-cloud/tidb-cloud-encrypt-cmek.md

@@ -26,9 +26,10 @@ If you want to encrypt your data using the KMS owned by your account, take the f
 
 ### Step 1. Create a CMEK-enabled project
 
-> **Note:**
->
-> You can complete this step through [Create a CMEK-enabled project](https://docs.pingcap.com/tidbcloud/api/v1beta#tag/Project/operation/CreateProject) endpoint of TiDB Cloud API. Make sure the `aws_cmek_enabled` field is set to `true`.
+You can create a CMEK-enabled project either using the console or using API.
+
+<SimpleTab groupId="method">
+<div label="Use Console" value="console">
 
 You need to create a CMEK-enabled project, take the following steps:
 
@@ -43,13 +44,25 @@ You need to create a CMEK-enabled project, take the following steps:
 >
 > After creating a CMEK-enabled project, you will be redirected to the Encryption Access page so that you can complete the CMEK configuration.
 
+</div>
+<div label="Use API" value="api">
+
+You can complete this step using TiDB Cloud API through the [Create a CMEK-enabled project](https://docs.pingcap.com/tidbcloud/api/v1beta#tag/Project/operation/CreateProject) endpoint. Make sure that the `aws_cmek_enabled` field is set to `true`.
+
+Currently, TiDB Cloud API is still in beta. For more information, see [TiDB Cloud API Documentation](https://docs.pingcap.com/tidbcloud/api/v1beta).
+
+</div>
+</SimpleTab>
+
 ### Step 2. Complete the CMEK configuration of the project
 
-> **Note:**
->
-> You can complete this step through the "Configure AWS CMEK" endpoint of the TiDB Cloud API.
+You can complete the CMEK configuration of the project either using the console or using API.
+
+<SimpleTab groupId="method">
+<div label="Use Console" value="console">
+
+To complete the CMEK configuration of the project, take the following steps:
 
-You need to complete the CMEK configuration of the project, take the following steps:
 1.  Click <MDSvgIcon name="icon-left-projects" /> in the lower-left corner, switch to the target project if you have multiple projects, and then click **Admin**.
 2. Click **Encryption Access** to enter the encryption management page of the project.
 3. Click **Create Encryption Key** to enter the key creation page.
@@ -58,14 +71,24 @@ You need to complete the CMEK configuration of the project, take the following s
 6. Fill in the Key ARN obtained from AWS KMS.
 7. Click **Create** to complete the creation of the key.
 
+</div>
+<div label="Use API" value="api">
+
+You can complete this step using TiDB Cloud API through the [Configure AWS CMEK](https://docs.pingcap.com/tidbcloud/api/v1beta#tag/Cluster/operation/CreateAwsCmek) endpoint.
+
+Currently, TiDB Cloud API is still in beta. For more information, see [TiDB Cloud API Documentation](https://docs.pingcap.com/tidbcloud/api/v1beta).
+
+</div>
+</SimpleTab>
+
 > **Note:**
 >
-> - this feature is in the development stage and the policy requirement could be subject to change as future features might require more permissions. 
+> - This feature is in the development stage and the policy requirement could be subject to change as future features might require more permissions. 
 > - For projects that do not have CMEK enabled, you can view the Encryption Access page, but you are not allowed to click Create New Key.
 
 ### Step 3. Create a cluster
 
-[Create a TiDB Dedicated Cluster](https://docs.pingcap.com/tidbcloud/create-tidb-cluster) hosted on AWS under the project created in Step 1. Ensure that the region where the cluster is located is the same as that in Step 2.
+Under the project created in Step 1, create a TiDB Dedicated cluster hosted on AWS. For detailed steps, refer to [this document](https://docs.pingcap.com/tidbcloud/create-tidb-cluster). Ensure that the region where the cluster is located is the same as that in Step 2.
 
 > **Note:**
 >
@@ -93,58 +116,57 @@ After revoking TiDB Cloud's access to CMEK, if you need to restore the access, f
 
 ## Appendix
 
-If you need to configure CMEK through TiDB Cloud API, You need to use the "Configure AWS CMEK" endpoint of the TiDB Cloud API. Before calling the API, you need to configure the key policy on AWS KMS, please add the following information to In the key policy:
-
-    ```json
-    {
-        "Version": "2012-10-17",
-        "Id": "cmek-policy",
-        "Statement": [
-            // EBS-related policy
-            {
-                "Sid": "Allow access through EBS for all principals in the account that are authorized to use EBS",
-                "Effect": "Allow",
-                "Principal": {
-                    "AWS": "*"
-                },
-                "Action": [
-                    "kms:Encrypt",
-                    "kms:Decrypt",
-                    "kms:ReEncrypt*",
-                    "kms:GenerateDataKey*",
-                    "kms:CreateGrant",
-                    "kms:DescribeKey"
-                ],
-                "Resource": "*",
-                "Condition": {
-                    "StringEquals": {
-                        "kms:CallerAccount": "<pingcap-account>",
-                        "kms:ViaService": "ec2.<region>.amazonaws.com"
-                    }
-                }
+If you need to configure CMEK through TiDB Cloud API, You need to use the "Configure AWS CMEK" endpoint of the TiDB Cloud API. Before calling the API, you need to configure the key policy on AWS KMS, add the following information to the key policy:
+
+```json
+{
+    "Version": "2012-10-17",
+    "Id": "cmek-policy",
+    "Statement": [
+        // EBS-related policy
+        {
+            "Sid": "Allow access through EBS for all principals in the account that are authorized to use EBS",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "*"
             },
-            // S3-related policy
-            {
-                "Sid": "Allow TiDB cloud role to use KMS to store encrypted backup to S3",
-                "Effect": "Allow",
-                "Principal": {
-                    "AWS": "arn:aws:iam::<pingcap-account>:root"
-                },
-                "Action": [
-                    "kms:Decrypt",
-                    "kms:GenerateDataKey"
-                ],
-                "Resource": "*"
+            "Action": [
+                "kms:Encrypt",
+                "kms:Decrypt",
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*",
+                "kms:CreateGrant",
+                "kms:DescribeKey"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "StringEquals": {
+                    "kms:CallerAccount": "<pingcap-account>",
+                    "kms:ViaService": "ec2.<region>.amazonaws.com"
+                }
+            }
+        },
+        // S3-related policy
+        {
+            "Sid": "Allow TiDB cloud role to use KMS to store encrypted backup to S3",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::<pingcap-account>:root"
             },
-            ... // user's own admin access to KMS
-        ]
-    }
-    ```
+            "Action": [
+                "kms:Decrypt",
+                "kms:GenerateDataKey"
+            ],
+            "Resource": "*"
+        },
+        ... // user's own admin access to KMS
+    ]
+}
+```
 
 > **Note:**
 >
 > - `<pingcap-account>` is the account where your clusters run in. If you do not know the account, contact [support](/tidb-cloud/tidb-cloud-support.md).
 > - `<region>` is the region where you want to create your cluster, for example, `us-west-2`. If you do not want to specify a region, replace `<region>` with a wildcard `*`, and put it in a `StringLike` block.
 > - For EBS-related policy in the preceding block, refer to [AWS documentation](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-caller-account).
 > - For S3-related policy in the preceding block, refer to [AWS blog](https://repost.aws/knowledge-center/s3-bucket-access-default-encryption).
-