IAC2: Infrastructure-as-code Architecture Decision Compliance
Final Report Abstract
Infrastructure-as-Code (IaC) is a set of practices that involve using reusable scripts and deployment models to manage and provision IT infrastructure. Moreover, the configuration and host environments for software applications are typically subject to domain-specific guidelines, laws, and policies, often expressed as Architectural Design Decisions (ADDs). IaC-based cloud deployments are no exception. However, an examination of the state of the art highlights the lack of a precise definition of what it means for an IaC-based application to comply with enforced ADDs, and the absence of a systematic way to check and enforce such compliance throughout the software delivery phases. Therefore, the main goal of the IAC² project is to address these deficiencies by facilitating the systematic definition and management of IaC-based cloud application compliance. This goal was achieved through multiple collaborations with academic and industrial partners and a total of 14 peer-reviewed research papers published in a variety of scientific journals and conference proceedings. Throughout the project, we analyzed established patterns and anti-patterns at the code and architecture levels, focusing on aspects of security, component hosting and management, and coupling-related practices for IaC-based cloud applications. We further studied their usage as the basis for ADDs, and we developed specifications that make it possible to define rigorously what it means for an IaC-based cloud application to be compliant with such ADDs. Furthermore, we introduced multiple methods that facilitate the definition, checking, and enforcement of compliance rules both at design time and at run time. To facilitate design-time compliance management, we developed a detector-based approach that analyzes application source code, including IaC, to infer its architecture. Based on this inferred architecture, carefully designed detectors determine compliance with the enforced ADDs, and an iterative, semi-automatic architecture refinement process is employed to gradually improve the conformance of the application design. To facilitate run-time compliance management, we developed a method that employs a crawler-based approach to reconstruct the architecture of a running IaC-based cloud application. The resulting application instance is then checked against a previously defined set of architectural compliance rules, potential violations are flagged, semi-automatic fixes are applied, and validation is performed to ensure integrity. Both methods are evaluated through case studies and interviews with industrial experts to assess their usability and their ability to reduce complexity and effort. All the concepts and methods envisioned and designed throughout this project are extensible to further compliance management domains and are validated through plugin-based, readily usable, open-source prototypes that facilitate portability and reusability.
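As an added illustration of the design-time, detector-based approach described above (constructed example code, not the IAC² project's own tooling or prototypes), the following script runs three hypothetical ADD detectors over a deployment model that is assumed to be already parsed into Python dicts in a Docker-Compose-like shape, and then performs a small semi-automatic refinement loop: fixable violations (inline credentials, privileged containers) are rewritten, the model is re-checked, and violations that need a human decision (an unpinned image) are left flagged. The rule names, the sample model and the fixes are all assumptions made for the example.

```python
"""Toy design-time compliance detector for a declarative deployment model.

Added illustration, not code from the IAC2 project. It assumes a deployment
model already parsed into dicts (a constructed Docker-Compose-like shape) and
three hypothetical ADD rules:
  - no-inline-secrets:          credentials come from secret references, not literals
  - no-privileged-containers:   no component runs with host-level privileges
  - pinned-images:              every image carries an explicit, non-'latest' tag
"""
import copy
import re
from dataclasses import dataclass

# Constructed sample: three components, two of them deliberately non-compliant.
SAMPLE_MODEL = {
    "services": {
        "api": {
            "image": "example/api:1.2",
            "environment": {"DB_PASSWORD": "hunter2", "LOG_LEVEL": "info"},
            "privileged": False,
            "depends_on": ["db"],
        },
        "worker": {
            "image": "example/worker:latest",
            "environment": {"DB_PASSWORD_FILE": "/run/secrets/db_password"},
            "privileged": True,
            "depends_on": ["db"],
        },
        "db": {"image": "postgres:15", "environment": {}, "privileged": False},
    }
}


@dataclass
class Violation:
    rule: str        # which ADD rule was violated
    component: str   # which component in the model
    detail: str      # human-readable explanation
    fixable: bool    # whether refine() knows a safe automatic fix
    key: str = ""    # environment key, for the inline-secret rule


# Environment keys that, by naming convention, are expected to hold credentials.
SECRET_KEY_RE = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY)$", re.IGNORECASE)


def detect_inline_secrets(model):
    """Flag credential-like environment keys that hold literal values."""
    out = []
    for name, svc in model["services"].items():
        for key in svc.get("environment", {}):
            if SECRET_KEY_RE.search(key):  # '*_FILE' references do not match
                out.append(Violation("no-inline-secrets", name,
                                     f"{key} holds a literal value", True, key))
    return out


def detect_privileged(model):
    """Flag components that request host-level privileges."""
    return [Violation("no-privileged-containers", name, "privileged: true", True)
            for name, svc in model["services"].items() if svc.get("privileged")]


def detect_unpinned_images(model):
    """Flag images without an explicit tag (simplified parse: text after the last ':')."""
    out = []
    for name, svc in model["services"].items():
        image = svc.get("image", "")
        tag = image.rsplit(":", 1)[1] if ":" in image else ""
        if tag in ("", "latest"):
            out.append(Violation("pinned-images", name,
                                 f"image {image!r} is not pinned", False))
    return out


DETECTORS = [detect_inline_secrets, detect_privileged, detect_unpinned_images]


def check_compliance(model):
    """Run every detector and collect the violations."""
    return [v for detector in DETECTORS for v in detector(model)]


def refine(model, violations):
    """Apply the fixes a detector can perform safely; return a new model."""
    fixed = copy.deepcopy(model)
    for v in violations:
        svc = fixed["services"][v.component]
        if v.rule == "no-privileged-containers":
            svc["privileged"] = False
        elif v.rule == "no-inline-secrets":
            # Replace the literal with a secret-file reference (constructed path).
            svc["environment"].pop(v.key)
            svc["environment"][v.key + "_FILE"] = f"/run/secrets/{v.key.lower()}"
    return fixed


def compliance_loop(model, max_rounds=3):
    """Iterate check -> refine until only non-fixable violations remain."""
    for _ in range(max_rounds):
        violations = check_compliance(model)
        if not any(v.fixable for v in violations):
            return model, violations
        model = refine(model, violations)
    return model, check_compliance(model)


if __name__ == "__main__":
    for v in check_compliance(SAMPLE_MODEL):
        print(f"[{v.rule}] {v.component}: {v.detail}")
    final_model, remaining = compliance_loop(SAMPLE_MODEL)
    print("remaining after refinement:",
          [(v.component, v.rule) for v in remaining])
```

The detectors are kept independent of each other and of the refinement step, which mirrors the plugin-style separation the abstract mentions: adding a rule means adding one function to `DETECTORS`, and a rule that is not safe to fix automatically simply reports `fixable=False` and stays in the report for the architect to decide.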
Publications
- Harzenetter, Lukas; Breitenbücher, Uwe; Falazi, Ghareeb; Leymann, Frank & Wersching, Adrian. Automated detection of design patterns in declarative deployment models. Proceedings of the 14th IEEE/ACM International Conference on Utility and Cloud Computing, 1-10. ACM.
- Ntentos, Evangelos; Zdun, Uwe; Plakidas, Konstantinos; Genfer, Patric; Geiger, Sebastian; Meixner, Sebastian & Hasselbring, Wilhelm. Detector-based component model abstraction for microservice-based systems. Computing, 103(11), 2521-2551.
- Ntentos, Evangelos; Zdun, Uwe; Plakidas, Konstantinos & Geiger, Sebastian. Evaluating and Improving Microservice Architecture Conformance to Architectural Design Decisions. Lecture Notes in Computer Science, 188-203. Springer International Publishing.
- Genfer, Patric & Zdun, Uwe. Identifying Domain-Based Cyclic Dependencies in Microservice APIs Using Source Code Detectors. Lecture Notes in Computer Science, 207-222. Springer International Publishing.
- Ntentos, Evangelos; Zdun, Uwe; Falazi, Ghareeb; Breitenbücher, Uwe & Leymann, Frank. Assessing Architecture Conformance to Security-Related Practices in Infrastructure as Code Based Deployments. 2022 IEEE International Conference on Services Computing (SCC), 123-133. IEEE.
- Ntentos, Evangelos; Zdun, Uwe; Soldani, Jacopo & Brogi, Antonio. Assessing Architecture Conformance to Coupling-Related Infrastructure-as-Code Best Practices: Metrics and Case Studies. Lecture Notes in Computer Science, 101-116. Springer International Publishing.
- Genfer, Patric & Zdun, Uwe. Avoiding Excessive Data Exposure Through Microservice APIs. Lecture Notes in Computer Science, 3-18. Springer International Publishing.
- Falazi, Ghareeb; Breitenbücher, Uwe; Leymann, Frank; Stötzner, Miles; Ntentos, Evangelos; Zdun, Uwe; Becker, Martin & Heldwein, Elena. On Unifying the Compliance Management of Applications Based on IaC Automation. 2022 IEEE 19th International Conference on Software Architecture Companion (ICSA-C), 226-229. IEEE.
- Yussupov, Vladimir; Breitenbücher, Uwe; Brogi, Antonio; Harzenetter, Lukas; Leymann, Frank & Soldani, Jacopo. Serverless or Serverful? A Pattern-Based Approach for Exploring Hosting Alternatives. Communications in Computer and Information Science, 45-67. Springer International Publishing.
- Harzenetter, Lukas; Breitenbücher, Uwe; Binz, Tobias & Leymann, Frank. An Integrated Management System for Composed Applications Deployed by Different Deployment Automation Technologies. SN Computer Science, 4(4).
- Falazi, Ghareeb & Harzenetter, Lukas. Case Study for the IaC Compliance Management Framework (IACMF). Zenodo (2023).
- Falazi, Ghareeb; Harzenetter, Lukas; Képes, Kálmán; Leymann, Frank; Breitenbücher, Uwe; Ntentos, Evangelos; Zdun, Uwe; Becker, Martin & Heldwein, Elena. Compliance Management of IaC-Based Cloud Deployments During Runtime. Proceedings of the IEEE/ACM 16th International Conference on Utility and Cloud Computing, 1-11. ACM.
- Ntentos, Evangelos; Zdun, Uwe; Falazi, Ghareeb; Breitenbücher, Uwe & Leymann, Frank. Detecting and Resolving Coupling-Related Infrastructure as Code Based Architecture Smells in Microservice Deployments. 2023 IEEE 16th International Conference on Cloud Computing (CLOUD), 201-211. IEEE.
- Zdun, Uwe; Queval, Pierre-Jean; Simhandl, Georg; Scandariato, Riccardo; Chakravarty, Somik; Jelić, Marjan & Jovanović, Aleksandar. Microservice Security Metrics for Secure Communication, Identity Management, and Observability. ACM Transactions on Software Engineering and Methodology, 32(1), 1-34.
- Falazi, Ghareeb; Harzenetter, Lukas; Képes, Kálmán; Leymann, Frank; Breitenbücher, Uwe; Ntentos, Evangelos; Zdun, Uwe; Becker, Martin et al. Source Code and Interviews with Industry Experts Regarding Compliance Management of IaC-Based Deployments During Runtime. Zenodo (2023).
- Zdun, Uwe; Queval, Pierre-Jean; Simhandl, Georg; Scandariato, Riccardo; Chakravarty, Somik; Jelić, Marjan & Jovanović, Aleksandar. Detection Strategies for Microservice Security Tactics. IEEE Transactions on Dependable and Secure Computing, 21(3), 1257-1273.
