
ARPaCCino: An AI-Powered Approach to Policy as Code Compliance

TLDR: ARPaCCino is an agentic AI system that automates Policy as Code (PaC) generation and Infrastructure as Code (IaC) compliance. It uses Large Language Models (LLMs), Retrieval-Augmented Generation (RAG), and external tools to translate natural language policy descriptions into formal rules (like Rego), validate IaC configurations against these rules, and iteratively correct non-compliant infrastructures. The system improves accuracy and reliability, even with smaller LLMs, by enabling self-correction and leveraging domain-specific knowledge.

Infrastructure as Code (IaC) has transformed how organizations manage their IT infrastructure, allowing them to define and provision resources using machine-readable code. This approach brings significant benefits like automation, consistency, and reproducibility. However, even with IaC, misconfigurations and security vulnerabilities can arise if not managed carefully.

This is where Policy as Code (PaC) comes into play. PaC extends the IaC paradigm by encoding security, compliance, and operational policies into formal, machine-readable rules. These rules can be automatically validated and enforced throughout the software development lifecycle, helping to “shift security left” in the DevSecOps pipeline and reduce human error.

Despite its advantages, adopting PaC can be challenging. The specialized languages used for policies often have a steep learning curve, and authoring correct and comprehensive rules can be difficult, especially in complex and dynamic environments.

Introducing ARPaCCino: Bridging the Gap

A new research paper introduces ARPaCCino, an innovative system designed to overcome these challenges. ARPaCCino is an “agentic” system that combines the power of Large Language Models (LLMs), Retrieval-Augmented Generation (RAG), and specialized tools to automate the creation and verification of PaC rules. Essentially, it acts as an intelligent assistant for policy compliance.

Given a natural language description of desired policies – for example, “Allow only virtual machines with 4 cores” – ARPaCCino can automatically generate the formal policy rules, such as those written in Rego (the language used by Open Policy Agent). It then assesses whether your Infrastructure as Code configuration complies with these newly generated policies. If a non-compliance is detected, ARPaCCino can even propose and apply iterative corrections to the IaC configuration until all specified requirements are met.

The system’s modular architecture and integration with external tools and knowledge bases make it highly adaptable. This means ARPaCCino can support policy validation across a wide range of technologies, including less common or emerging IaC frameworks, provided it has access to relevant documentation and examples.


How ARPaCCino Works Under the Hood

ARPaCCino operates with a core reasoning engine powered by an LLM. This engine orchestrates the entire process, interpreting user requests, planning actions, and calling upon a suite of specialized tools.

The RAG Tool provides ARPaCCino with access to domain-specific knowledge, including official documentation for policy languages like Rego and various IaC frameworks. This allows the LLM to understand and generate accurate, context-aware policies.

Infrastructure Tools ensure compatibility with different IaC frameworks (like Terraform). ARPaCCino uses specialized tools that preprocess infrastructure definitions for policy validation.

The Rule Checker Tool verifies the correctness of generated Rego rules. While basic checks ensure syntactic validity, this tool goes further by incorporating feedback (potentially from an external expert or oracle) to ensure semantic validity and logical soundness before enforcement.

The Policy Validation Tool takes the preprocessed infrastructure and the verified Rego rules to deterministically evaluate whether the infrastructure complies with the policies. Based on this, ARPaCCino decides if the IaC is ready for deployment or needs further adjustments.
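The validate-and-correct loop described above, as an added example that is not part of the paper or of ARPaCCino's own code base. It models the three deterministic stages (preprocessing the infrastructure definition, checking a rule before enforcement, and evaluating compliance) in plain Python and then iterates corrections until the plan passes or an iteration cap is hit. The plan is a constructed sample in the shape of Terraform's `terraform show -json` output; the resource type `example_vm` and the dictionary-based rule format are assumptions standing in for a real provider resource and a generated Rego rule.

```python
"""Added example: a deterministic policy-validation and iterative-correction loop.

Not ARPaCCino's code. The resource type `example_vm`, the `cores` attribute
and the dict-based rule format are hypothetical stand-ins for a real provider
resource and a generated Rego rule.
"""

# Constructed sample: a minimal Terraform plan (the shape of `terraform show -json`),
# trimmed to the fields this example reads. `example_vm` is a hypothetical resource type.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "example_vm.web", "type": "example_vm",
         "change": {"after": {"name": "web", "cores": 2}}},
        {"address": "example_vm.db", "type": "example_vm",
         "change": {"after": {"name": "db", "cores": 4}}},
        {"address": "example_storage.logs", "type": "example_storage",
         "change": {"after": {"name": "logs"}}},
    ]
}

# The page's policy "Allow only virtual machines with 4 cores", as a constructed rule object.
SAMPLE_RULES = [
    {"id": "vm-4-cores", "resource_type": "example_vm", "attribute": "cores", "expected": 4},
]

# Two rules that contradict each other: a plan can never satisfy both, so the
# correction loop must stop at the iteration cap instead of running forever.
CONFLICTING_RULES = SAMPLE_RULES + [
    {"id": "vm-8-cores", "resource_type": "example_vm", "attribute": "cores", "expected": 8},
]

REQUIRED_KEYS = {"id", "resource_type", "attribute", "expected"}


def check_rule(rule):
    """Rule Checker stand-in: reject a malformed rule before it is enforced."""
    missing = REQUIRED_KEYS - set(rule)
    if missing:
        raise ValueError(f"rule {rule.get('id', '?')} is missing keys {sorted(missing)}")
    if not isinstance(rule["expected"], (int, str, bool)):
        raise ValueError(f"rule {rule['id']}: expected value must be a scalar")
    return True


def preprocess(plan):
    """Infrastructure Tool stand-in: flatten the plan to {address: {type, attrs}}.

    Copies the attribute dicts so corrections never mutate the caller's plan."""
    resources = {}
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after") or {}
        resources[rc["address"]] = {"type": rc["type"], "attrs": dict(after)}
    return resources


def validate(resources, rules):
    """Policy Validation stand-in: deterministic evaluation, returns a list of violations."""
    violations = []
    for address, res in resources.items():
        for rule in rules:
            if res["type"] != rule["resource_type"]:
                continue
            actual = res["attrs"].get(rule["attribute"])
            if actual != rule["expected"]:
                violations.append({"rule": rule["id"], "address": address,
                                   "attribute": rule["attribute"],
                                   "actual": actual, "expected": rule["expected"]})
    return violations


def apply_correction(resources, violation):
    """Correction step: set the offending attribute to the value the rule expects."""
    resources[violation["address"]]["attrs"][violation["attribute"]] = violation["expected"]


def enforce(plan, rules, max_iterations=5):
    """Check rules, preprocess the plan, then validate and correct until compliant.

    Returns a report with the final resources and the violation count per iteration."""
    for rule in rules:
        check_rule(rule)
    resources = preprocess(plan)
    history = []
    for i in range(max_iterations):
        violations = validate(resources, rules)
        history.append(len(violations))
        if not violations:
            return {"compliant": True, "iterations": i, "resources": resources, "history": history}
        for v in violations:
            apply_correction(resources, v)
    # Non-convergence (e.g. contradictory rules) is reported, not looped on forever.
    return {"compliant": False, "iterations": max_iterations, "resources": resources, "history": history}


if __name__ == "__main__":
    for label, rules in (("single rule", SAMPLE_RULES), ("conflicting rules", CONFLICTING_RULES)):
        report = enforce(SAMPLE_PLAN, rules)
        print(f"{label}: compliant={report['compliant']} violations per iteration={report['history']}")
```

The `history` field is the signal a deployment gate would act on: a count that drops to zero means the corrected plan can proceed, while a count that stays flat across iterations points at rules that cannot be satisfied together, which is a policy-authoring error to surface to the user rather than something to keep patching.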

The paper highlights a case study using Terraform, demonstrating ARPaCCino’s effectiveness in generating correct policies, identifying non-compliant infrastructures, and applying necessary modifications. A significant finding is that this agentic approach greatly enhances the system’s ability to generate syntactically and semantically correct policies, even when using smaller, open-weight LLMs. This suggests that ARPaCCino can achieve comparable results to more powerful (and costly) models by leveraging its iterative correction and tool-based validation capabilities.

ARPaCCino represents a significant step forward in automating Policy as Code. By leveraging agentic AI and RAG techniques, it aims to reduce the burden on developers, improve compliance, and adapt to the ever-evolving infrastructure ecosystem. For more technical details, you can refer to the full research paper.

Dev Sundaram (https://blogs.edgentiq.com)

Dev Sundaram is an investigative tech journalist with a nose for exclusives and leaks. With stints in cybersecurity and enterprise AI reporting, Dev thrives on breaking big stories—product launches, funding rounds, regulatory shifts—and giving them context. He believes journalism should push the AI industry toward transparency and accountability, especially as Generative AI becomes mainstream. You can reach him at: [email protected]
