Restrict Instance Types
Denies GPU and specialty EC2 instance types (p3, p4, x1, x2, u-*), preventing surprise compute bills from expensive instance families.
When to use this rule
Use this when: Your modules accept instance_type as a variable and you want to prevent developers from deploying GPU or specialty instances that cost $3-$30+/hour.
Do not use this when: You run ML/HPC workloads that legitimately require GPU instances (p3, p4, p5) or high-memory instances (x1, x2, u-*).
Why this rule exists
AWS offers instance families designed for GPU computing (p3, p4, p5), memory-intensive workloads (x1, x2), and high-memory bare metal (u-*). These cost $3-$30+ per hour. A single p4d.24xlarge costs over $32/hour, which is $23,000/month if left running.
Developers experimenting in non-production environments, or teams copy-pasting from ML tutorials, can accidentally deploy these instances and generate surprise bills.
Affected resources
| Resource | Service | Why |
|---|---|---|
| aws_instance | Amazon EC2 | instance_type determines compute cost |
Known limits
- Only checks instance_type on aws_instance. Does not check aws_launch_template, aws_autoscaling_group, aws_sagemaker_endpoint_configuration, or ECS task size.
- Does not restrict other expensive resource types (e.g., large RDS instances, Redshift nodes, OpenSearch domains).
- Does not cover every GPU family: p5, mentioned above, matches none of the fixed patterns and is allowed.
- The deny list is currently fixed. Custom allow/deny lists via parameterization are planned for a future release.
What this rule does
Validates the instance_type attribute against a deny list. Values matching denied patterns are flagged during module processing and rejected when the module is planned (see Failure modes).
Denied patterns: p3.*, p4.*, x1.*, x2.*, u-*
Before and after
Before (denied):

```hcl
module "ec2" {
  source        = "https://soc2.compliance.tf/terraform-aws-modules/ec2-instance/aws?version=5.0.0&rules=pofix/restrict_instance_types"
  instance_type = "p4d.24xlarge" # Denied by Restrict Instance Types
}
```

After (allowed):

```hcl
module "ec2" {
  source        = "https://soc2.compliance.tf/terraform-aws-modules/ec2-instance/aws?version=5.0.0&rules=pofix/restrict_instance_types"
  instance_type = "m5.xlarge" # Allowed
}
```
The only change is the rule transformation. All existing arguments, outputs, and module behavior remain identical.
Real-world scenario
A developer testing a machine learning pipeline set the instance type to p4d.24xlarge ($32/hour) in the staging account. The instance ran for 3 weeks before the cost anomaly was flagged. The bill was $16,000.
Compliance framework support
This rule is not a compliance control. It supports these framework objectives as an operational safeguard:
| Framework | Controls | Role |
|---|---|---|
| SOC 2 | CC6.3 | Supports access control by restricting permitted resource configurations |
Default configuration
This rule ships with the following defaults. Custom parameterization via the registry is planned for a future release.
| Parameter | Type | Default | Description |
|---|---|---|---|
| denied | list(string) | ["p3.*", "p4.*", "x1.*", "x2.*", "u-*"] | Denied instance type patterns |
| message | string | "GPU and high-memory instance types are not permitted without approval" | Validation error message |
How to enable
Add ?rules=pofix/restrict_instance_types to your HTTPS module source:
```hcl
module "example" {
  source = "https://soc2.compliance.tf/terraform-aws-modules/ec2-instance/aws?version=5.0.0&rules=pofix/restrict_instance_types"
}
```

The rule only inspects aws_instance, so attach it to modules that create EC2 instances; on a module with no aws_instance resource it has nothing to check.
Configure via the compliance.tf API. See Getting Started with Operational Rules.
Failure modes
| Scenario | Result |
|---|---|
| Developer specifies a denied instance type | Module transformation reports a validation error. The module is still delivered but includes a validation block that will fail at terraform plan time. |
| Instance family not matched by the fixed patterns (p5 today; any future family such as p6) | Not denied. The deny list must be updated in a future rule version. |
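As an added illustration of the deny-list check described under "What this rule does" and of the plan-time failure in the table above (example code written for this page, not the compliance.tf implementation): the before/after section shows p4.* denying p4d.24xlarge, which only holds if the patterns are regular expressions anchored at the start of the type name; under shell-glob semantics the same pattern would let p4d.24xlarge through, so the example implements both to make the difference visible. The render_precondition function, the lifecycle precondition form and the reference to var.instance_type are my assumptions about what an injected validation could look like; the page does not show the HCL the service actually emits.

```python
import re
from fnmatch import fnmatchcase
from typing import List, Optional

# Deny list and message as shipped on this page (fixed; not yet parameterizable).
DENIED_PATTERNS: List[str] = ["p3.*", "p4.*", "x1.*", "x2.*", "u-*"]
DENY_MESSAGE = "GPU and high-memory instance types are not permitted without approval"


def matches_regex(instance_type: str, pattern: str) -> bool:
    """Regex semantics, anchored at the start of the name (assumed; this is what
    makes 'p4.*' reject 'p4d.24xlarge'). Note that 'u-*' read as a regex is
    'u' followed by zero or more hyphens, i.e. any name starting with 'u'."""
    return re.match(pattern, instance_type) is not None


def matches_glob(instance_type: str, pattern: str) -> bool:
    """Shell-glob semantics for comparison: '.' is literal, '*' is the wildcard,
    so 'p4.*' only matches names that literally begin with 'p4.'."""
    return fnmatchcase(instance_type, pattern)


def is_denied(instance_type: str, patterns: List[str] = DENIED_PATTERNS,
              semantics: str = "regex") -> bool:
    """True when any denied pattern matches the instance type."""
    match = matches_regex if semantics == "regex" else matches_glob
    return any(match(instance_type, p) for p in patterns)


def check_instance_type(instance_type: str) -> Optional[str]:
    """Return the validation message for a denied type, None for an allowed one."""
    return DENY_MESSAGE if is_denied(instance_type) else None


def render_precondition(patterns: List[str] = DENIED_PATTERNS,
                        message: str = DENY_MESSAGE) -> str:
    """Render the check as a lifecycle precondition that fails at plan time.
    Hypothetical shape only. Terraform's regex() uses RE2 syntax, which accepts
    the non-capturing group; precondition blocks may read var.* but not self."""
    alternation = "|".join(patterns)
    return "\n".join([
        "lifecycle {",
        "  precondition {",
        f'    condition     = !can(regex("^(?:{alternation})", var.instance_type))'
        .replace("var.instance_type", "var.instance_type"),
        f'    error_message = "{message}"',
        "  }",
        "}",
    ])


if __name__ == "__main__":
    for t in ["p4d.24xlarge", "m5.xlarge", "p5.48xlarge", "u-6tb1.112xlarge"]:
        print(f"{t:20} regex={is_denied(t)!s:5} glob={is_denied(t, semantics='glob')}")
    print(render_precondition())
```

Running it shows p5.48xlarge passing under both semantics, which is the gap listed under Known limits, and p4d.24xlarge passing under glob semantics, which is why the pattern flavour matters when you reason about what this deny list actually blocks.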
Terraform and OpenTofu compatible
This rule works with both Terraform and OpenTofu (1.6+). The generated HCL uses only standard lifecycle meta-arguments; the precondition and postcondition blocks that carry validation conditions were introduced in Terraform 1.2, so treat 1.2 as the minimum Terraform version rather than any 1.x release.
Help us improve this page
Operational Rules are a new feature. We'd love your feedback on this rule page — what's useful, what's missing, what's confusing. Share feedback.