Where Are The Gaps? A Systematic Mapping Study of Infrastructure as Code Research

TL;DR

This systematic mapping study reviews existing research on Infrastructure as Code (IaC), categorizing key topics and highlighting the need for further investigation into defects and security flaws in IaC practices.

Contribution

The paper provides a comprehensive overview of IaC research topics and identifies gaps, especially in the areas of defects and security flaws, guiding future research directions.

Findings

Identified four main research topics in IaC: frameworks/tools, usage, empirical studies, testing.

52% of publications focus on frameworks or tools for IaC.

Highlighted the need for more research on defects and security flaws in IaC.

Abstract

Context:Infrastructure as code (IaC) is the practice to automatically configure system dependencies and to provision local and remote instances. Practitioners consider IaC as a fundamental pillar to implement DevOps practices, which helps them to rapidly deliver software and services to end-users. Information technology (IT) organizations, such as Github, Mozilla, Facebook, Google and Netflix have adopted IaC. A systematic mapping study on existing IaC research can help researchers to identify potential research areas related to IaC, for example, the areas of defects and security flaws that may occur in IaC scripts. Objective: The objective of this paper is to help researchers identify research areas related to infrastructure as code (IaC) by conducting a systematic mapping study of IaC-related research. Methodology: We conduct our research study by searching six scholar databases. We collect a set of 33,887 publications by using seven search strings. By systematically applying inclusion and exclusion criteria, we identify 31 publications related to IaC. We identify topics addressed in these publications by applying qualitative analysis. Results: We identify four topics studied in IaC-related publications: (i) framework/tool for infrastructure as code; (ii) use of infrastructure as code; (iii) empirical study related to infrastructure as code; and (iv) testing in infrastructure as code. According to our analysis, 52% of the studied 31 publications propose a framework or tool to implement the practice of IaC or extend the functionality of an existing IaC tool. Conclusion: As defects and security flaws can have serious consequences for the deployment and development environments in DevOps, along with other topics, we observe the need for research studies that will study defects and security flaws for IaC.