# Dissertation Topic Proposal
### Change Interpretation Techniques for Safe, User-Friendly Continuous Deployment in IaC
## Context of Proposal
**Infrastructure-as-Code (IaC)** consists of managing and provisioning computer infrastructure resources through the use of configuration files or programming languages, in a simpler, consistent, and maintainable manner.
Several **IaC** solutions are currently available and widely adopted for cloud-based applications. Among the most popular solutions are AWS CDK and AWS CloudFormation, Terraform, Chef, and Puppet.
The abstraction provided by this concept allows developers to programmatically build and maintain infrastructure resources while keeping track of changes. Each of the mentioned products allows the developer to review the proposed infrastructure changes before deployment. This process consists of displaying relevant "before vs. after" information about every resource subject to modifications (including creation or removal). It helps prevent errors from reaching production systems. For the purposes of this document, this process will be referred to as **Review**, which may or may not require human **approval** before deployment.
**IaC** is reusable and can be shared with third parties. However, this also raises a drawback: when introducing a community-based infrastructure definition, the **Review** becomes complex to read and may hide attempts to exploit the customer.
## Goals and Expected Results
This dissertation aims to find a solution to aid in analyzing the differences between any two infrastructure descriptions. The end goal is to provide a short and readable **Review** process to the user. This includes:
- A visualization over infrastructure and permission changes;
- A Domain-Specific Language (DSL) for users to configure rules for automatically accepting or rejecting changes;
- Detecting similar/isomorphic resource changes for:
  - Automatically approving changes based on past approvals
  - Collapsing repetitive changes for user review
Other possible goals:
- Rules for identifying possible security threats in IaC
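
To make the goals above concrete, here is an added sketch (not part of the proposal and not CDK or CloudFormation code) that diffs two resource maps, collapses changes with an identical shape, reuses past approvals, and applies one security rule. The function names, the simplified template shape, the wildcard rule and the sample data are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample templates in a simplified CloudFormation-like shape.
def queue(timeout):
    return {"Type": "AWS::SQS::Queue", "Properties": {"VisibilityTimeout": timeout}}
def policy(action):
    return {"Type": "AWS::IAM::Policy", "Properties": {"PolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": action, "Resource": "arn:aws:s3:::example-bucket/*"}]}}}
BEFORE = {"QueueA": queue(30), "QueueB": queue(30), "QueueC": queue(30),
          "AppPolicy": policy("s3:GetObject")}
AFTER = {"QueueA": queue(60), "QueueB": queue(60), "QueueC": queue(60),
         "AppPolicy": policy("s3:*"), "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}}}

def flatten(value, prefix=""):
    """Yield (path, leaf) pairs for nested dicts and lists."""
    if isinstance(value, (dict, list)):
        items = sorted(value.items()) if isinstance(value, dict) else enumerate(value)
        for key, item in items:
            yield from flatten(item, f"{prefix}/{key}")
    else:
        yield prefix, value

def diff(before, after):
    """Map each changed logical ID to its shape: (kind, type, property deltas)."""
    changes = {}
    for rid in sorted(set(before) | set(after)):
        old, new = before.get(rid, {}), after.get(rid, {})
        o, n = (dict(flatten(r.get("Properties", {}))) for r in (old, new))
        delta = frozenset((p, o.get(p), n.get(p)) for p in set(o) | set(n) if o.get(p) != n.get(p))
        kind = "create" if rid not in before else "delete" if rid not in after else "update"
        if delta or kind != "update":
            changes[rid] = (kind, (new or old)["Type"], delta)
    return changes

def collapse(changes):
    """Group logical IDs whose changes have an identical shape."""
    groups = defaultdict(list)
    for rid, shape in changes.items():
        groups[shape].append(rid)
    return dict(groups)

def review(groups, approved_shapes=frozenset()):
    """One verdict per group: reject wildcard IAM values, reuse past approvals, else ask."""
    verdicts = {}
    for shape, rids in groups.items():
        _, rtype, delta = shape
        widened = any(isinstance(new, str) and "*" in new for _, _, new in delta)
        risky = rtype.startswith("AWS::IAM::") and widened
        verdicts[tuple(rids)] = ("reject" if risky else
                                 "auto-approve" if shape in approved_shapes else "needs-review")
    return verdicts
```

With the sample data, the three queue updates collapse into a single review entry, while the policy change that widens `s3:GetObject` to `s3:*` is rejected regardless of past approvals.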
#### Stretch goals
- Identifying the individual code changes that led to effective infrastructure changes based on code annotations
## Innovative aspects
- Eliminating extensive and repetitive **Reviews** when trying to deploy large infrastructure changes - worsened by community-created sets of resources
- Increasing human comprehension of permission policy changes on multiple resources
- Automatic approval of recurring changes in iterations
- Abstracted tools for code analysis of infrastructure changes
## Preliminary work plan
* From October to December, the student will focus on the state of the art, identifying similar tools and defining a plan to implement and validate his contributions
* In November, the student will start identifying and interviewing experts to get a sense of the problem space and the kinds of rules that people are expecting to encode.
* From January to April, the student will focus on the implementation
* During April and May, a validation of the tool will be held with experts through interviews or a survey
* During June, the student will write his dissertation
## Candidate profile
This dissertation will be pursued by Henrique Lima as an intern at AWS and supervised by Prof. Tiago Boldt Sousa, and has already been discussed with both.
## Description of hosting institution
Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud platform, offering over 175 fully featured services from data centers globally.
At AWS, the Cloud Development Kit (CDK) team is a globally distributed team (working from 6 countries) building an Open Source tool to allow people to use their already familiar programming tools and practices to build applications on AWS using Infrastructure-as-Code.
## Possibility of extending work after the dissertation
The plan is for the CDK team to pick up this work after the thesis has finished, continue development on it and put it into production.
Automatic approval rule synthesis would be a logical future extension to the framework proposed here, probably complex enough to deserve its own dissertation (but none such is currently planned).
## Scientific conferences
* International Conference on Cloud Security and Management (ICCSM)
* International Conference on Internet and Cloud Computing Technology (ICICCT)
* International Conference on Cloud Computing Systems and Technologies (ICCCST)