© Copyright 2024, Intel Corporation
Welcome to the Intel Optimized Cloud Modules for the HashiCorp Sentinel Policy as Code library. This library is designed to serve organizations aiming to balance cost efficiency with optimal performance and advanced security features for their cloud-based workloads. In the rapidly evolving landscape of cloud computing, new hardware technologies are continuously introduced, each promising enhanced performance and security capabilities. To leverage these advancements, organizations must remain agile, ensuring their workloads are supported by the most current and effective hardware solutions.
The core purpose of this library is to facilitate this very objective. It provides a curated list of Intel's optimal instance types per cloud resource, selected to deliver the best possible performance, security, and cost-efficiency for your cloud workloads. What sets this library apart is its dynamic nature; it is designed to automatically update, informing developers whenever more suitable hardware becomes available within their cloud environment, enabling them to make timely and informed decisions.
This library also contains recommended instance types for AI and Confidential Computing workloads. For more information regarding Intel's AI and Confidential Computing capabilities and policies, see the Intel® Xeon® Scalable Processors and Intel® Advanced Matrix Extensions (AMX) and Intel® Xeon® Scalable Processors and Confidential Computing sections below.
Required Versions
Sentinel : >=0.24.0
Terraform Cloud : Use Enhanced Policy Sets with a Sentinel version >=0.24.0
Set Up
To get started using these policies, fork or clone this Policy Library from the GitHub repository. This ensures that all necessary components for the policies are included.
Note that all policies are set to a default of advisory mode and will NOT impact deployments until changed to either soft-mandatory or hard-mandatory. See https://developer.hashicorp.com/terraform/cloud-docs/policy-enforcement/manage-policy-sets#sentinel for more information regarding Sentinel enforcement modes.
- Clone or fork this repository.
- Identify the Terraform resources you wish to govern that have an associated deny-unapproved-instance-types policy.
- Edit the relevant sections of the alternative block within the approved.json file located at /imports/static/approved.json for the resource you wish to restrict deployments for (for more information see the How to Use section).
- Edit the sentinel.hcl file located at policy_sets/$CLOUD/sentinel.hcl and remove any policy import statements for policies you do not wish to use (for more information see the How to Use section).
- Log into Terraform Enterprise or Terraform Cloud for Business and add the newly cloned repository as a version-controlled policy set: https://developer.hashicorp.com/terraform/cloud-docs/policy-enforcement/manage-policy-sets#create-policy-sets
  NOTE: When configuring the policy set you must give the path /policy_sets/$CLOUD/ in the Policies path section under More Options.
- Apply the policy set to your workspaces or globally as desired.
- Update the deny-unapproved-instance-types policies in the relevant sentinel.hcl to soft-mandatory or hard-mandatory to harden governance and force rather than inform developers (see Advisory Only Policies).
This policy library uses a Python script to automatically generate documentation and provide an updated list of allowed instance types from Intel. If you intend to use Intel's list of recommended instances and want to be informed when new recommendations are available, you must not edit the optimal.json file. The script is only triggered by modifications to optimal.json. Do not directly modify policies.md or the optimal section within the approved.json file either, as these are automatically generated by the parse_json.py script located in the .github/ directory. For more information on trimming or adding to the allowed instance type list see the Customizing Instance Lists section below.
Advisory Only Policies
This policy library contains policies that use the keyword check; these should NEVER have an enforcement level other than advisory.
Sentinel policies evaluate to either a pass or a fail. In instances where we would like to inform the developer of relevant information but not fail the run, we must use policies set to the advisory enforcement mode. When an advisory mode policy fails, the run completes as normal, but the developer is presented with a warning message containing information relevant to their Terraform plan.
For example, in order to stay informed about the latest optimal instance types, this policy library uses an intel-check-$CLOUD-optimized-instance-types policy, where $CLOUD is specific to either AWS, Azure, GCP or IBM. These policies are included by default in all policy_sets.
The intent of these policies is to inform developers when new hardware is available so that the allowed list can be updated (see the How to Stay up to Date section). If this policy is modified to an enforcement level other than advisory, deployments will be impacted whenever new instance types are released, which is not the desired behavior.
Customizing Instance Lists
Intel policy libraries are designed by default to use the latest list of recommended instance types provided by Intel for a given Terraform resource. There are two lists, optimal and alternative, that determine the allowed instance types within the approved.json file. It is possible to modify the list of allowed instance types.
IMPORTANT: DO NOT modify the optimal.json file or the optimal section within the approved.json file. These files and sections are used by the intel-check-$CLOUD-optimized-instance-types policies that keep developers informed of new hardware releases. Making changes to this file or the optimal section will break the logic that informs developers of new releases.
In order to modify the list of allowed instance types for a resource, you must first identify the relevant content within the approved.json file. Do this by browsing to the intel-$CLOUD-resource-unapproved-instance-type.sentinel policy you would like to modify in the policies/$CLOUD folder. Note that there are additional policies specific to AI or Confidential Computing workloads in a subfolder within the same directory. For this example, note the value approved.aws.aws_autoscaling_group.alternative assigned to doc.allowed, which identifies the section of the approved.json to modify:
doc = {
"allowed": approved.aws.aws_autoscaling_group.optimal + approved.aws.aws_autoscaling_group.alternative,
Remember that editing the optimal section of this JSON will break the functionality of automatically informing developers when new instance types are available, so edit the alternative section within the aws_autoscaling_group resource in the approved.json by adding or removing the desired instance types.
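The following is an added example (not code from the Intel policy library) that models, in Python, how a deny-unapproved-instance-types policy derives its allowed list as optimal + alternative from approved.json, how the advisory check-optimal policy differs from a mandatory deny, and a guard that detects an edited optimal section in a fork. The approved.json layout follows the README above; the instance type names, the plan excerpt and the reference optimal list are constructed samples.

```python
import json
# Constructed stand-in for imports/static/approved.json. The layout (cloud ->
# policies_url, resource -> optimal/alternative lists) follows the README; the
# instance type names are illustrative samples, not Intel's actual list.
APPROVED_JSON = """{
  "aws": {
    "policies_url": "https://github.com/intel/policy-library-intel/blob/main/docs/aws/policies.md",
    "aws_autoscaling_group": {
      "optimal": ["m7i.large", "m7i.xlarge"],
      "alternative": ["m6i.large", "m6i.xlarge"]
    }
  }
}"""

# Constructed plan excerpt: one resource each for optimal, alternative and unapproved.
PLAN_RESOURCES = [
    {"address": "aws_autoscaling_group.foo", "instance_type": "m7i.large"},
    {"address": "aws_autoscaling_group.baz", "instance_type": "m6i.large"},
    {"address": "aws_autoscaling_group.bar", "instance_type": "t3.large"},
]

def allowed_types(approved, cloud, resource):
    """Mirror doc.allowed = approved.<cloud>.<resource>.optimal + ...alternative."""
    entry = approved[cloud][resource]
    return entry["optimal"] + entry["alternative"]

def evaluate(approved, cloud, resource, plan_resources):
    """Return (denied, advisory) message lists. denied: type outside
    optimal+alternative, a soft/hard-mandatory deny-unapproved policy fails the
    run; advisory: type allowed but not optimal, check-optimal only warns."""
    entry = approved[cloud][resource]
    allowed = allowed_types(approved, cloud, resource)
    denied, advisory = [], []
    for res in plan_resources:
        itype = res["instance_type"]
        if itype not in allowed:
            denied.append(f"{res['address']} uses {itype}, which is not an allowed "
                          f"server type. See {approved[cloud]['policies_url']}")
        elif itype not in entry["optimal"]:
            advisory.append(f"{res['address']} uses {itype}; a newer optimal "
                            f"instance type is available")
    return denied, advisory

def optimal_section_intact(approved, reference_optimal, cloud, resource):
    """Fork hygiene: the optimal section must still equal the generated reference
    (assumed to be a plain list of type names) or new-hardware notices break."""
    return approved[cloud][resource]["optimal"] == reference_optimal

def run_sample():
    return evaluate(json.loads(APPROVED_JSON), "aws", "aws_autoscaling_group", PLAN_RESOURCES)

if __name__ == "__main__":
    denied, advisory = run_sample()
    print(f"Resources out of compliance: {len(denied)}", *denied, *advisory, sep="\n")
```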
When policies fail they provide an error message like the one below:
========================================================================
_ _ _
(_) | | | |
_ _ __ | |_ ___| |
| | '_ \| __/ _ \ |
| | | | | || __/ |
|_|_| |_|\__\___|_|
========================================================================
Name :intel-aws-autoscaling-group-deny-unapproved-instance-types.sentinel
Category :Platform (PaaS)
Provider :hashicorp/aws
Resource :aws_autoscaling_group
Parameter :instance_type
Check :instance_type contains
For a list of allowed instance types see:
https://github.com/intel/terraform-intel-aws-eks/blob/main/policies.md
========================================================================
RESOURCE VIOLATIONS
The configured server type should use an Intel Xeon 3rd Generation Scalable processor (code-named Ice Lake)
========================================================================
name :bar
type :aws_autoscaling_group
address :aws_autoscaling_group.bar
message :bar uses an override value that is not an allowed server type.
------------------------------------------------------------------------
Resources out of compliance: 1
------------------------------------------------------------------------
Value:
Fail
If you are editing the allowed instance type list you may want to provide a different URL and edit the policies.md files directly to accurately represent to your users what your allowed instance types are. In order to reflect these changes to your developers in the policy output, you must edit the policies_url section of the approved.json for the CSP you are interested in. For example:
{
"aws": {
"policies_url": "https://github.com/intel/policy-library-intel/blob/main/docs/aws/policies.md",
You can edit this URL to the forked or cloned repo that you created.
When using sentinel test in a remote directory against a policy that contains a static import (like the deny-unapproved-instance-type policies), additional commands and arguments must be passed in order for the test to run successfully. Execute the following command, or another like it, to test policies at the root level of this repository:
find . -name "*.sentinel" -type f -execdir sentinel test \;
How to Stay up to Date
When intel-check-$CLOUD-optimized-instance-types policies fail, this indicates that there are new policies available or new optimal recommended instance types from Intel. Staying up to date depends on how you are consuming the policy library.
If you cloned the repository you can update by using a command like git pull. Note that this may cause merge conflicts that need to be resolved.
If you forked the repository you can update by clicking the sync fork button at the top of the repository.
If you are using the Terraform Registry your instance types will be automatically updated, as the approved.json is not locally sourced.
Intel® Xeon® Scalable Processors and Intel® Advanced Matrix Extensions (AMX)
Intel® AMX is a new built-in accelerator that improves AI (Artificial Intelligence) performance of deep-learning training and inference on the CPU and is ideal for workloads like LLMs, natural-language processing, recommendation systems and image recognition.
Deep learning workloads, such as those that rely on generative AI, large language models (LLMs), and computer vision, can be incredibly compute intensive, requiring high levels of performance and, often, additional specialized hardware to ensure successful AI deployment. The associated costs of these requirements can quickly escalate, and adding discrete hardware solutions can create unnecessary layers of complexity and compatibility issues.
To help make your deep learning workloads more efficient and cost-effective and easier to train and deploy, Intel® AMX on Intel® Xeon® Scalable processors delivers acceleration for inferencing and training while minimizing the need for specialized hardware.
This policy library restricts Terraform deployed resources to AMX capable hardware. As new AMX capable hardware becomes available for cloud resources this library will be updated to ensure it includes the latest optimal choices for Generative AI workloads in the cloud.
Intel® Xeon® Scalable Processors and Confidential Computing
Protecting your systems and data has never been more critical, especially when working with sensitive, confidential, or regulated data. Intel® confidential computing solutions are designed to protect data in use with isolation, encryption and control, and verification capabilities to help you unlock new opportunities for business collaboration and insights.
From AI-powered healthcare to fraud prevention, confidential computing helps to enable more collaboration, insights, and innovation with less risk.
Intel® Software Guard Extensions (Intel® SGX)
Unlock new opportunities for business collaboration and insights, even with sensitive or regulated data. Intel® SGX is the most researched and updated confidential computing technology in data centers on the market today, with the smallest trust boundary.
Intel® Trust Domain Extensions (Intel® TDX)
Increase confidentiality at the VM level, enhance privacy, and gain control over your data with Intel® TDX. It enables isolation of the guest OS and VM applications, which removes access from the cloud host, hypervisor, and other VMs on the platform.
Intel® Trust Authority
Take confidential computing to the next level with a zero trust attestation SaaS that verifies the trustworthiness of compute assets at the network, edge, and in the cloud.
Confirmed still active updated 8/5/24
- intel-ai-aws-autoscaling-group-deny-unapproved-instance-types (docs | code)
- intel-ai-aws-eks-node-group-deny-unapproved-instance-types (docs | code)
- intel-ai-aws-instance-deny-unapproved-instance-types (docs | code)
- intel-ai-aws-launch-template-deny-unapproved-instance-types (docs | code)
- intel-aws-autoscaling-group-check-optimal-instance-types (docs | code)
- intel-aws-autoscaling-group-deny-unapproved-instance-types (docs | code)
- intel-aws-databricks-cluster-check-optimal-instance-types (docs | code)
- intel-aws-databricks-cluster-deny-unapproved-instance-types (docs | code)
- intel-aws-databricks-cluster-deny-unapproved-runtime-engines (docs | code)
- intel-aws-databricks-cluster-enforce-spark-conf (docs | code)
- intel-aws-db-instance-check-optimal-instance-types (docs | code)
- intel-aws-db-instance-deny-unapproved-instance-types (docs | code)
- intel-aws-db-instance-deny-unapproved-storage-types (docs | code)
- intel-aws-db-instance-deny-unencrypted-database (docs | code)
- intel-aws-eks-node-group-check-optimal-instance-types (docs | code)
- intel-aws-eks-node-group-deny-unapproved-instance-types (docs | code)
- intel-aws-elasticache-replication-group-check-optimal-instance-types (docs | code)
- intel-aws-elasticache-replication-group-unapproved-instance-types (docs | code)
- intel-aws-emr-cluster-check-optimal-instance-types (docs | code)
- intel-aws-emr-cluster-deny-unapproved-instance-types (docs | code)
- intel-aws-emr-instance-fleet-check-optimal-instance-types (docs | code)
- intel-aws-emr-instance-fleet-deny-unapproved-instance-types (docs | code)
- intel-aws-instance-check-optimal-instance-types (docs | code)
- intel-aws-instance-deny-unapproved-instance-types (docs | code)
- intel-aws-launch-template-check-optimal-instance-types (docs | code)
- intel-aws-launch-template-deny-unapproved-instance-types (docs | code)
- intel-aws-rds-cluster-check-optimal-instance-types (docs | code)
- intel-aws-rds-cluster-deny-unapproved-instance-types (docs | code)
- intel-aws-rds-cluster-instance-check-optimal-instance-types (docs | code)
- intel-aws-rds-cluster-instance-deny-unapproved-instance-types (docs | code)
- intel-aws-sagemaker-endpoint-configuration-check-optimal-instance-types (docs | code)
- intel-aws-sagemaker-endpoint-configuration-deny-unapproved-instance-types (docs | code)
- intel-check-aws-optimized-instance-types (docs | code)
- intel-azurerm-cosmosdb-cassandra-datacenter-check-optimal-instance-types (docs | code)
- intel-azurerm-cosmosdb-cassandra-datacenter-deny-unapproved-instance-types (docs | code)
- intel-azurerm-databricks-cluster-check-optimal-instance-types (docs | code)
- intel-azurerm-databricks-cluster-deny-unapproved-instance-types (docs | code)
- intel-azurerm-databricks-cluster-deny-unapproved-runtime-engines (docs | code)
- intel-azurerm-databricks-cluster-enforce-spark-conf (docs | code)
- intel-azurerm-hdinsight-hadoop-cluster-check-optimal-instance-types (docs | code)
- intel-azurerm-hdinsight-hadoop-cluster-deny-unapproved-instance-types (docs | code)
- intel-azurerm-hdinsight-hbase-cluster-check-optimal-instance-types (docs | code)
- intel-azurerm-hdinsight-hbase-cluster-deny-unapproved-instance-types (docs | code)
- intel-azurerm-hdinsight-interactive-query-cluster-check-optimal-instance-types (docs | code)
- intel-azurerm-hdinsight-interactive-query-cluster-deny-unapproved-instance-types (docs | code)
- intel-azurerm-hdinsight-kafka-cluster-check-optimal-instance-types (docs | code)
- intel-azurerm-hdinsight-kafka-cluster-deny-unapproved-instance-types (docs | code)
- intel-azurerm-kubernetes-cluster-check-optimal-instance-types (docs | code)
- intel-azurerm-kubernetes-cluster-deny-unapproved-instance-types (docs | code)
- intel-azurerm-kusto-cluster-check-optimal-instance-types (docs | code)
- intel-azurerm-kusto-cluster-deny-unapproved-instance-types (docs | code)
- intel-azurerm-linux-virtual-machine-check-optimal-instance-types (docs | code)
- intel-azurerm-linux-virtual-machine-deny-unapproved-instance-types (docs | code)
- intel-azurerm-mssql-managed-instance-check-optimal-instance-types (docs | code)
- intel-azurerm-mssql-managed-instance-deny-unapproved-instance-types (docs | code)
- intel-azurerm-mssql-server-check-optimal-instance-types (docs | code)
- intel-azurerm-mssql-server-deny-unapproved-instance-types (docs | code)
- intel-azurerm-mysql-flexible-server-check-optimal-instance-types (docs | code)
- intel-azurerm-mysql-flexible-server-deny-unapproved-instance-types (docs | code)
- intel-azurerm-service-plan-check-optimal-instance-types (docs | code)
- intel-azurerm-service-plan-deny-unapproved-instance-types (docs | code)
- intel-azurerm-windows-virtual-machine-check-optimal-instance-types (docs | code)
- intel-azurerm-windows-virtual-machine-deny-unapproved-instance-types (docs | code)
- intel-azurerm-windows-web-app-enforce-http2 (docs | code)
- intel-azurerm-windows-web-app-enforce-https (docs | code)
- intel-azurerm-windows-web-app-enforce-minimum-tls (docs | code)
- intel-check-azurerm-optimized-instance-types (docs | code)
- intel-ai-google-compute-instance-deny-unapproved-instance-types (docs | code)
- intel-ai-google-compute-instance-template-deny-unapproved-instance-types (docs | code)
- intel-ai-google-container-cluster-deny-unapproved-instance-types (docs | code)
- intel-ai-google-container-node-pool-deny-unapproved-instance-types (docs | code)
- intel-check-google-optimized-instance-types (docs | code)
- intel-google-compute-instance-check-optimal-instance-types (docs | code)
- intel-google-compute-instance-deny-unapproved-instance-types (docs | code)
- intel-google-compute-instance-enforce-min-cpu-platform (docs | code)
- intel-google-compute-instance-template-check-optimal-instance-types (docs | code)
- intel-google-compute-instance-template-deny-unapproved-instance-types (docs | code)
- intel-google-compute-instance-template-enforce-min-cpu-platform (docs | code)
- intel-google-container-cluster-check-optimal-instance-types (docs | code)
- intel-google-container-cluster-deny-unapproved-instance-types (docs | code)
- intel-google-container-cluster-enforce-min-cpu-platform (docs | code)
- intel-google-container-node-pool-check-optimal-instance-types (docs | code)
- intel-google-container-node-pool-deny-unapproved-instance-types (docs | code)
- intel-check-ibm-optimized-instance-types (docs | code)
- intel-ibm-is-instance-check-optimal-instance-types (docs | code)
- intel-ibm-is-instance-deny-unapproved-instance-types (docs | code)