Unearthing Semantic Checks for Cloud Infrastructure-as-Code Programs. In SOSP 2024

Download

• Paper

Abstract

Cloud infrastructures are increasingly managed by Infrastructure-as-Code (IaC) frameworks, with Terraform leading the market. These frameworks enable cloud users to configure their resources in a declarative manner, without having to directly work with low-level cloud API calls. However, while IaC frameworks assist in automating cloud provisioning, IaC programs that pass the compilation phase may still incur errors at deployment time. This stems from a fundamental semantic gap between IaC-level programs and cloud-level requirements—even a syntactically-correct IaC program could lead to runtime errors due to violations against cloud-level expectations that are often under-documented and unstated at the IaC level. To bridge this gap, we develop Zodiac, a tool that adopts novel semantic-guided mining and deployment-based validation pipelines to automatically unearth cloud IaC semantic checks. We have applied Zodiac to IaC resources offered by Microsoft Azure, where it found 400+ semantic checks that would trigger deployment failures if violated. This captures semantic cloud requirements that state-of-the-art IaC tools cannot easily capture.

Citation

Yiming Qiu, Patrick Tser Jern Kon, Ryan Beckett, and Ang Chen. “Unearthing Semantic Checks for Cloud Infrastructure-as-Code Programs.” In The 30th Symposium on Operating Systems Principles. SOSP 2024.