Creating Labs

Infrastructure Options

VM images, machine types, and cloud account configuration for POV Demo labs.

VM Images

Choose an image that matches the technology your lab covers. The image determines what software is pre-installed on the VM when the lab provisions.

| Image Slug | Description |
|---|---|
| hashistack2025 | HashiCorp tools: Nomad, Consul, Vault, Terraform. Ubuntu 22.04 base. |
| ubuntu2024 | Clean Ubuntu 22.04 with standard dev tools. General-purpose. |
| kubernetes-dev2025 | Kubernetes cluster node. Includes kubeadm, kubelet, kubectl, and container runtime. |
| docker2024 | Docker Engine + Docker Compose. Ubuntu 22.04 base. |
| awscli2024 | AWS CLI v2 + standard utilities. Ubuntu 22.04 base. |
| devtools2024 | Developer tools: Git, Node.js, Python, Go. Ubuntu 22.04 base. |

Machine Types

| Type | vCPU | RAM | Use case |
|---|---|---|---|
| small | 2 | 4 GB | Single-container tasks, CLI exercises, lightweight services. |
| medium | 4 | 8 GB | Most labs. Kubernetes single-node, medium workloads. |
| large | 8 | 16 GB | Multi-container orchestration, resource-intensive services. |
| proxmox | 4 | 8 GB | Dedicated bare-metal hypervisor. For nested virtualization scenarios. |

Note: The medium machine type is the right choice for most labs. Only use large when you've verified that the lab actually needs more resources.

Cloud Account Restrictions

Labs run on shared cloud infrastructure. The following restrictions apply to keep costs controlled and prevent interference between learners.

AWS Restrictions

| Category | Allowed |
|---|---|
| Instance types | t3.micro, t3.small, t3.medium, t3.large, t3.xlarge, t3.2xlarge |
| Storage (per instance) | Up to 100 GB gp3 EBS |
| Regions | us-east-1, us-west-2, eu-west-1 |
| Blocked services | Amazon SageMaker, Amazon Redshift, Amazon EMR, AWS Batch |

GCP Restrictions

| Category | Allowed |
|---|---|
| Machine types | e2-micro through e2-standard-8 |
| Storage (per instance) | Up to 100 GB standard persistent disk |
| Regions | us-east1, us-west1, europe-west1 |

Azure Restrictions

| Category | Allowed |
|---|---|
| VM sizes | Standard_B1s through Standard_D4s_v3 |
| Storage (per instance) | Up to 128 GB standard SSD |
| Regions | eastus, westus2, westeurope |

AWS IAM Policies

Labs that need AWS API access attach IAM policies to the lab VMs. There are two ways to specify policies in config.yml.

Option 1: Template policy

Uses a predefined policy template:

virtualmachines:
  - name: "ubuntu-1"
    image: "awscli2024"
    machine_type: "medium"
    environment: "aws"
    iam_policies:
      - template: "ReadOnlyAccess"

Option 2: Inline policy

Define a custom IAM policy document:

virtualmachines:
  - name: "ubuntu-1"
    image: "awscli2024"
    machine_type: "medium"
    environment: "aws"
    iam_policies:
      - inline_policy: |
          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": [
                  "s3:GetObject",
                  "s3:PutObject",
                  "s3:ListBucket"
                ],
                "Resource": [
                  "arn:aws:s3:::lab-bucket-${ACCOUNT_ID}",
                  "arn:aws:s3:::lab-bucket-${ACCOUNT_ID}/*"
                ]
              }
            ]
          }

Note: Use ${ACCOUNT_ID} as a placeholder in inline policy ARNs. The platform substitutes the actual account ID at provision time.
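
A pre-commit check for inline policies, added here as an example and not part of the platform's own tooling: it renders the ${ACCOUNT_ID} placeholder, confirms the result is valid JSON, and reports Allow statements with wildcard actions, an unscoped "*" resource, or a mistyped placeholder that would survive provisioning. The function names, the sample account ID, and the use of plain string replacement to model the platform's substitution are assumptions.

```python
import json
import re

# Constructed sample: the inline policy from this page plus one deliberately
# over-broad statement so the linter has something to report.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::lab-bucket-${ACCOUNT_ID}",
                  "arn:aws:s3:::lab-bucket-${ACCOUNT_ID}/*"]},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}"""

# Placeholders other than IAM policy variables such as ${aws:username}.
UNRESOLVED = re.compile(r"\$\{(?!aws:)[^}]*\}")

def as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def lint_inline_policy(text, account_id="123456789012"):
    """Return findings for one inline_policy body (hypothetical helper).

    Substitution is modelled as plain string replacement (an assumption);
    the default account ID is a constructed placeholder value.
    """
    rendered = text.replace("${ACCOUNT_ID}", account_id)
    try:
        policy = json.loads(rendered)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON after substitution: {exc.msg}"]
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is legal
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        for res in as_list(stmt.get("Resource")):
            if res == "*":
                findings.append(f"statement {i}: resource '*' is not scoped")
            for name in UNRESOLVED.findall(res):
                findings.append(f"statement {i}: unresolved placeholder {name}")
    return findings
```

Running `lint_inline_policy(SAMPLE_POLICY)` reports only the second statement; the S3 statement taken from this page passes cleanly.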

GCP Cloud Projects

Add a gcp_projects block to config.yml to provision a temporary GCP project for each lab session.

gcp_projects:
  - count: 1
    apis:
      - "compute.googleapis.com"
      - "iam.googleapis.com"
      - "storage.googleapis.com"
    iam_roles:
      - "roles/editor"
    access_type: "service_account"
    provisioning_strategy: "pool_with_fallback"

| Field | Type | Description |
|---|---|---|
| count | number | Number of GCP projects to provision. Always 1. |
| apis | string[] | GCP service APIs to enable on the project (e.g. "compute.googleapis.com"). |
| iam_roles | string[] | IAM roles granted to the lab's service account (e.g. "roles/editor"). |
| access_type | string | How credentials are exposed. Always "service_account". |
| provisioning_strategy | string | How projects are allocated. Always "pool_with_fallback". |

Auto-injected credentials: The GCP project ID and service account credentials are automatically available as environment variables on lab VMs. Terraform's google provider picks them up without any extra configuration.

Azure Subscriptions

Add an azure_subscriptions block to config.yml to provision a temporary Azure subscription for each lab session.

azure_subscriptions:
  - count: 1
    access_type: "service_principal"
    rbac_role: "Contributor"
    provisioning_strategy: "pool_with_fallback"

| Field | Type | Description |
|---|---|---|
| count | number | Number of subscriptions to provision. Always 1. |
| access_type | string | How credentials are exposed. Always "service_principal". |
| rbac_role | string | Azure RBAC role assigned to the service principal (e.g. "Contributor"). |
| provisioning_strategy | string | How subscriptions are allocated. Always "pool_with_fallback". |

Auto-injected credentials: The subscription ID and service principal credentials are automatically available as environment variables on lab VMs. Terraform's azurerm provider picks them up without any extra configuration.