Basic Policy Framework Examples

This document demonstrates the basic policy framework included in the open source version of CloudWorkstation, showing practical examples for educational, research, and small organizational use cases.

Educational Use Cases

Computer Science Class Management

Instructor Setup (creating restricted invitations for students):

# Create invitation for CS101 students with specific templates only
cws profiles invitations create "CS101 Introduction to Python" \
  --type read_only \
  --valid-days 120 \
  --template-whitelist "python-basic,ubuntu-basic" \
  --max-instance-types "t2.micro,t2.small" \
  --max-hourly-cost 0.10

# Output:
Policy restrictions applied:
  - Allowed templates: [python-basic ubuntu-basic]
  - Max instance types: [t2.micro t2.small]
  - Max hourly cost: $0.10

Invitation Created Successfully
Name: CS101 Introduction to Python
Type: read_only
Expires: May 15, 2024 (in 120 days)

Share this invitation code with the recipient:
inv-AbCdEfGhIjKlMnOpQrStUvWxYz1234567890

They can accept it with:
cws profiles accept-invitation --encoded 'inv-AbCdEfGhIjKlMnOpQrStUvWxYz1234567890' --name 'CS101'

Student Experience (accepting and using restricted profile):

# Student accepts class invitation
cws profiles accept-invitation \
  --encoded 'inv-AbCdEfGhIjKlMnOpQrStUvWxYz1234567890' \
  --name 'CS101'

# Output:
Accepted invitation and created profile 'CS101'

# Student tries to launch an allowed template - SUCCESS
cws launch python-basic my-homework
# Output:
Policy check: Template 'python-basic' is allowed
Instance type 't2.micro' is within limits
Cost $0.0116/hour is within $0.10 limit
Launching instance...

# Student tries to launch a restricted template - BLOCKED
cws launch python-ml advanced-project
# Output:
Policy violation: Template 'python-ml' not in allowed list: [python-basic ubuntu-basic]
Available templates for this profile: python-basic, ubuntu-basic

# Student tries expensive instance - BLOCKED
cws launch python-basic my-project --size XL
# Output:
Policy violation: Instance type 'c5.4xlarge' not allowed. Maximum allowed: [t2.micro t2.small]
Policy violation: Hourly cost $0.544 exceeds maximum allowed $0.10

Advanced CS Course with More Flexibility

# CS401 Machine Learning course with GPU access
cws profiles invitations create "CS401 Machine Learning" \
  --type read_write \
  --valid-days 90 \
  --template-whitelist "python-ml,r-research,jupyter-gpu" \
  --max-instance-types "t3.medium,c5.large,p3.2xlarge" \
  --max-hourly-cost 3.06 \
  --max-daily-budget 25.00

# Policy allows GPU instances for ML coursework but with budget controls

Research Lab Management

PI Managing Lab Members

Lab Director Setup:

# Create invitation for graduate students with research flexibility
cws profiles invitations create "Bioinformatics Lab Access" \
  --type read_write \
  --valid-days 365 \
  --template-blacklist "windows-desktop,gaming-instance" \
  --forbidden-regions "eu-central-1,ap-southeast-1" \
  --max-daily-budget 50.00

# Allows most templates but blocks inappropriate ones
# Prevents launching in expensive regions
# Sets daily spending limit per student

Graduate Student Experience:

# Student can launch appropriate research templates
cws launch python-ml genomics-analysis  # ✓ Allowed
cws launch r-research statistical-modeling  # ✓ Allowed
cws launch jupyter-gpu deep-learning  # ✓ Allowed

# But blocked from inappropriate templates
cws launch windows-desktop my-project
# ✗ Policy violation: Template 'windows-desktop' is blacklisted

# And prevented from expensive regions
cws launch python-ml project --region eu-central-1
# ✗ Policy violation: Region 'eu-central-1' is forbidden

Multi-Lab Collaboration

# Shared project between multiple institutions
cws profiles invitations create "Multi-Lab COVID Study" \
  --type read_write \
  --valid-days 180 \
  --template-whitelist "r-research,python-bio,jupyter-collaborative" \
  --max-instance-types "m5.large,m5.xlarge,r5.large,r5.xlarge" \
  --forbidden-regions "us-gov-west-1,us-gov-east-1" \
  --max-hourly-cost 0.50

# Ensures collaborators use consistent environments
# Prevents government cloud usage (compliance)
# Controls costs across institutions

Small Organization Use Cases

Startup Development Team

# Development team with cost controls
cws profiles invitations create "Dev Team Environment" \
  --type read_write \
  --valid-days 90 \
  --template-whitelist "ubuntu-dev,python-web,node-js,docker-compose" \
  --max-instance-types "t3.medium,c5.large,m5.large" \
  --max-daily-budget 20.00

# Standardizes development environments
# Prevents expensive instance launches
# Controls team cloud spending

Consulting Firm Client Projects

# Client-specific environment with restrictions
cws profiles invitations create "ACME Corp Analytics Project" \
  --type read_only \
  --valid-days 60 \
  --template-whitelist "r-research,python-data-analysis" \
  --forbidden-regions "eu-west-1,ap-northeast-1" \
  --max-instance-types "t3.large,m5.large" \
  --max-hourly-cost 0.25

# Client can only access project-appropriate tools
# Regional compliance (data sovereignty)
# Cost control for client billing

Budget Management Examples

Grant-Funded Research

# NSF grant with specific budget limits; invitation valid for 3 years (1095 days).
# The comment is kept off the continuation line: text after a trailing backslash
# would break the line continuation and split the command in two.
cws profiles invitations create "NSF Grant XYZ Computing" \
  --type read_write \
  --valid-days 1095 \
  --template-whitelist "python-scientific,r-hpc,matlab-compute" \
  --max-daily-budget 100.00 \
  --max-hourly-cost 5.00

# Long-term grant with appropriate daily limits
# Ensures spending aligns with NSF requirements
# Blocks inappropriate template usage

Department Budget Controls

# Chemistry department semester budget
cws profiles invitations create "Chem Dept Fall 2024" \
  --type read_write \
  --valid-days 120 \
  --template-blacklist "gaming-instance,desktop-heavy,video-editing" \
  --max-instance-types "t3.medium,c5.large,m5.large,r5.large" \
  --max-daily-budget 75.00

# Prevents non-academic usage
# Reasonable instance size limits
# Department-wide spending control

Policy Inheritance and Management

Checking Profile Restrictions

# View current profile policy restrictions
cws profiles current

# Output:
Current profile: CS101 (Invitation)
Name: CS101 Introduction to Python
Region: us-west-2
Owner Account: prof-smith-account

Policy Restrictions:
  - Template whitelist: python-basic, ubuntu-basic
  - Max instance types: t2.micro, t2.small
  - Max hourly cost: $0.10

Template Validation

# Check which templates are available for current profile
cws templates list --profile-filtered

# Output:
Available templates for profile 'CS101':

python-basic          Simple Python environment for learning
ubuntu-basic          Basic Ubuntu server with development tools

Restricted templates (policy violations):
python-ml             Template not in whitelist
r-research            Template not in whitelist
jupyter-gpu           Template not in whitelist

Policy Override (Admin Only)

# Profile owner can temporarily override restrictions (admin profiles only)
cws launch python-ml emergency-analysis --override-policy --confirm

# Requires confirmation and logs policy override for audit

Advanced Policy Scenarios

Hierarchical Course Structure

# Department-level base restrictions
cws profiles invitations create "Computer Science Department" \
  --type admin \
  --template-blacklist "windows-desktop,gaming-instance" \
  --forbidden-regions "us-gov-west-1" \
  --max-daily-budget 100.00

# Individual instructors inherit and add specific restrictions
# Students inherit all restrictions from instructor + department
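The launch-time checks shown in the student examples above and the inheritance rule in this section can be modelled as a small evaluation routine. The following is an added example, not CloudWorkstation's own code; the `Policy` fields, `check_launch`, `inherit` and the price table are assumptions, and the merge treats an inherited policy as able only to tighten its parent (whitelists intersect, blacklists and forbidden regions union, caps take the lower value).

```python
# Added example, not CloudWorkstation's own code: a model of the launch-time
# policy check and of restriction inheritance that this document describes.
# The Policy fields, check_launch/inherit and the price table are assumptions.
from dataclasses import dataclass, field
from typing import Optional

PRICES = {"t2.micro": 0.0116, "t2.small": 0.023, "c5.4xlarge": 0.544}  # constructed

@dataclass
class Policy:
    template_whitelist: Optional[set] = None    # None = no restriction
    template_blacklist: set = field(default_factory=set)
    max_instance_types: Optional[set] = None
    max_hourly_cost: Optional[float] = None
    forbidden_regions: set = field(default_factory=set)
    max_daily_budget: Optional[float] = None

def check_launch(p: Policy, template: str, itype: str, region: str) -> list:
    """Return the policy violations for a launch request; an empty list means allowed."""
    v = []
    if p.template_whitelist is not None and template not in p.template_whitelist:
        v.append(f"Template '{template}' not in allowed list: {sorted(p.template_whitelist)}")
    if template in p.template_blacklist:
        v.append(f"Template '{template}' is blacklisted")
    if p.max_instance_types is not None and itype not in p.max_instance_types:
        v.append(f"Instance type '{itype}' not allowed. Maximum allowed: {sorted(p.max_instance_types)}")
    cost = PRICES[itype]
    if p.max_hourly_cost is not None and cost > p.max_hourly_cost:
        v.append(f"Hourly cost ${cost} exceeds maximum allowed ${p.max_hourly_cost:.2f}")
    if region in p.forbidden_regions:
        v.append(f"Region '{region}' is forbidden")
    return v

def inherit(parent: Policy, child: Policy) -> Policy:
    """Merge parent and child so the child can only tighten the parent's restrictions."""
    def narrower(a, b):  # intersection of allow-lists, treating None as "everything"
        return b if a is None else a if b is None else a & b
    def lower(a, b):     # smaller of two caps, treating None as "unlimited"
        return b if a is None else a if b is None else min(a, b)
    return Policy(
        template_whitelist=narrower(parent.template_whitelist, child.template_whitelist),
        template_blacklist=parent.template_blacklist | child.template_blacklist,
        max_instance_types=narrower(parent.max_instance_types, child.max_instance_types),
        max_hourly_cost=lower(parent.max_hourly_cost, child.max_hourly_cost),
        forbidden_regions=parent.forbidden_regions | child.forbidden_regions,
        max_daily_budget=lower(parent.max_daily_budget, child.max_daily_budget),
    )
```

Running `check_launch` against the CS101 restrictions reproduces the three student outcomes above (allowed, template blocked, instance type and cost blocked), and `inherit(department, cs101)` yields a profile that carries the department blacklist, forbidden region and daily budget on top of the course whitelist.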

Seasonal Budget Adjustments

# Summer research program with higher limits
cws profiles invitations create "Summer REU Program" \
  --type read_write \
  --valid-days 90 \
  --template-whitelist "python-ml,r-research,jupyter-gpu,matlab-compute" \
  --max-instance-types "t3.xlarge,c5.2xlarge,p3.2xlarge" \
  --max-daily-budget 150.00  # Higher summer research budget

# Regular semester limits are lower for coursework

This basic policy framework provides immediate value for educational institutions, research labs, and small organizations without requiring the full enterprise policy engine. The restrictions are inherited through invitations and enforced at launch time, ensuring users stay within defined boundaries while maintaining the flexibility needed for their specific use cases.