Abstract: Techniques for managing network-accessible infrastructure metadata are provided. A method includes receiving a resource request comprising resource metadata corresponding to a network-accessible infrastructure resource, determining whether to commit the resource request based at least in part on a constraint associated with the network-accessible infrastructure resource, and, in accordance with a determination to commit the resource request: generating, by the computer system, a resource identifier describing resource metadata in accordance with the resource request, storing, by the computer system, the resource metadata in a data store in communication with the computer system, receiving, by the computer system, a data request to provide the resource metadata described by the resource identifier, and providing, by the computer system, the resource metadata described by the resource identifier in accordance with the data request.

Abstract: Techniques for implementing an infrastructure orchestration service are described. A configuration file for a deployment to a first execution target and a second execution target can be received. A first safety plan can be generated for the first execution target that comprises a first list of resources and operations associated with deployment at the first execution target. Approval of the first safety plan can be received. A second safety plan can be generated for the second execution target that comprises a second list of resources and operations associated with deployment at the second execution target. A determination can be made whether the second safety plan is a subset of the first safety plan. If the determination is that the second safety plan is a subset of the first safety plan, the second safety plan can automatically be approved and transmitted to the second execution target for deployment.

Abstract: Techniques are disclosed for utilizing directed acyclic graphs for deployment instructions. A computer-implemented method can include various operations. Instructions may be executed by a computing device to perform parses of configuration data associated with deploying one or more services to various execution targets. The computing device may cause a first graph to be generated that indicates dependencies between tasks associated with deploying the service(s). A second graph may be generated that specifies dependencies between different deployments of the service(s) to the execution target(s). Services may be deployed based on traversing the first and second graph.

Abstract: Techniques for implementing an infrastructure orchestration service are described. A configuration file for a deployment to a first execution target and a second execution target can be received. A first safety plan can be generated for the first execution target that comprises a first list of resources and operations associated with deployment at the first execution target. Approval of the first safety plan can be received. A second safety plan can be generated for the second execution target that comprises a second list of resources and operations associated with deployment at the second execution target. A determination can be made whether the second safety plan is a subset of the first safety plan. If the determination is that the second safety plan is a subset of the first safety plan, the second safety plan can automatically be approved and transmitted to the second execution target for deployment.

Abstract: Techniques for implementing an infrastructure orchestration service are described. A safety plan comprising a list of resources and operations based at least in part on a deployment configuration file can be received. Upon receiving approval of the safety plan, an operation corresponding to at least one of the list of resources can be prepared to be performed. The operation can be compared to the safety plan. If the operation is part of the safety plan, the operation can be performed. If the operation is not part of the safety plan, the deployment can be halted, and a notification that the deployment is not in compliance with the safety plan can be transmitted.

Abstract: Techniques are disclosed for managing dependencies in an orchestration service. A computer-implemented method can include operations performed by a declarative infrastructure provisioner (DIP). In some embodiments, the DIP parses configuration data associated with a computing system and generates a directed acyclic graph (DAG) for booting a first resource. The DAG may specify a dependency of the first resource on a capability of a second resource. The DIP may traverse the DAG and determine, based at least in part on the traversal, that the dependency has been reached. The DIP may publish, to a scheduling process, an indication that the first resource is awaiting availability of the capability of the second resource. In some embodiments, the DIP receives a subsequent indication that the capability is available, regenerates the DAG, and recommences traversal of the DAG. Additional operations for booting the first resource may be performed in accordance with the recommenced traversal.

Abstract: A cloud-based security solution that provides a robust and secure framework for managing and enforcing security policies related to various resources managed in the cloud is disclosed. The cloud-based security solution is implemented by a security zone policy enforcement system in a cloud service provider infrastructure. The system receives a request to perform an operation on a resource and determines a compartment associated with the resource. The system determines that the compartment is associated with a security zone and determines a set of one or more security zone policies applicable to the resource. The system then determines that the operation on the resource is permitted based on the set of one or more security zone policies and responsive to determining that the operation on the resource is permitted, allows the operation to be performed on the resource.

Abstract: Techniques are disclosed for managing dependencies in an orchestration service. A computer-implemented method can include operations performed by a declarative infrastructure provisioner (DIP). In some embodiments, the DIP parses configuration data associated with a computing system and generates a directed acyclic graph (DAG) for booting a first resource. The DAG may specify a dependency of the first resource on a capability of a second resource. The DIP may traverse the DAG and determine, based at least in part on the traversal, that the dependency has been reached. The DIP may publish, to a scheduling process, an indication that the first resource is awaiting availability of the capability of the second resource. In some embodiments, the DIP receives a subsequent indication that the capability is available, regenerates the DAG, and recommences traversal of the DAG. Additional operations for booting the first resource may be performed in accordance with the recommenced traversal.

Abstract: Techniques for preventing concurrent execution of an infrastructure orchestration service are described. Worker nodes can receive instructions, or tasks, for deploying infrastructure resources and can provide heartbeat notifications to scheduler nodes, also considered a lease. A signing proxy can track the heartbeat notifications sent from the worker nodes to the scheduler node. The signing proxy can receive requests corresponding to a performance of the tasks assigned to the worker nodes. The signing proxy can determine whether the lease between each worker node and the scheduler is valid. If the lease is valid, the signing proxy may make a call to services on behalf of the worker node, and if the lease is not valid, the signing proxy may not make a call to services on behalf of the worker node. Instead, the signing proxy may cut off all outgoing network traffic, blocking access of the worker node to services.

Abstract: Techniques for implementing an infrastructure orchestration service are described. In some examples, a declarative provisioner of the infrastructure orchestration service receives instructions for deployment of a resource. The declarative provisioner identifies that the deployment of the resource is a long-running task stores state information corresponding to the deployment of the resource. In certain embodiments, upon identifying that the deployment of the resource is a long-running task, the declarative provisioner pauses its execution of the long-running task. Responsive to a trigger received from the infrastructure orchestration service, the declarative provisioner resumes execution of the deployment of the resource using the state information and transmits deployment information corresponding to the deployment of the resource to the infrastructure orchestration service.

Abstract: Techniques for implementing an infrastructure orchestration service are described. A safety plan comprising a list of resources and operations based at least in part on a deployment configuration file can be received. Upon receiving approval of the safety plan, an operation corresponding to at least one of the list of resources can be prepared to be performed. The operation can be compared to the safety plan. If the operation is part of the safety plan, the operation can be performed. If the operation is not part of the safety plan, the deployment can be halted, and a notification that the deployment is not in compliance with the safety plan can be transmitted.

Abstract: A cloud-based security solution that provides a robust and secure framework for managing and enforcing security policies related to various resources managed in the cloud is disclosed. The cloud-based security solution is implemented by a security zone policy enforcement system in a cloud service provider infrastructure. The system receives a request to perform an operation on a resource and determines a compartment associated with the resource. The system determines that the compartment is associated with a security zone and determines a set of one or more security zone policies applicable to the resource. The system then determines that the operation on the resource is permitted based on the set of one or more security zone policies and responsive to determining that the operation on the resource is permitted, allows the operation to be performed on the resource.

Abstract: Techniques for preventing concurrent execution of an infrastructure orchestration service are described. Worker nodes can receive instructions, or tasks, for deploying infrastructure resources and can provide heartbeat notifications to scheduler nodes, also considered a lease. A signing proxy can track the heartbeat notifications sent from the worker nodes to the scheduler node. The signing proxy can receive requests corresponding to a performance of the tasks assigned to the worker nodes. The signing proxy can determine whether the lease between each worker node and the scheduler is valid. If the lease is valid, the signing proxy may make a call to services on behalf of the worker node, and if the lease is not valid, the signing proxy may not make a call to services on behalf of the worker node. Instead, the signing proxy may cut off all outgoing network traffic, blocking access of the worker node to services.

Abstract: Techniques for implementing an infrastructure orchestration service are described. In certain embodiments, a cloud infrastructure orchestration system (CIOS) is disclosed that generates customized flock configurations for services to be deployed to different regions supported by the CIOS. The CIOS receives generic configuration information describing a set of infrastructure assets associated with a service and identifies first portions of the generic configuration information for deploying the set of infrastructure assets associated with the service that are configurable. The CIOS receives region configuration information for configuring the generic configuration information and updates the generic configuration information based on the region configuration information. The CIOS then transmits the updated configuration information to set of regions managed by the CIOS.

Abstract: Techniques are disclosed for utilizing directed acyclic graphs for deployment instructions. A computer-implemented method can include various operations. Instructions may be executed by a computing device to perform parses of configuration data associated with a deployment. The computing device may cause a first directed acyclic graph (DAG) to be generated, the first DAG being utilized for deploying a first resource based on the parses. A second DAG may be generated for deploying execution targets based on the parses, the second DAG specifying dependencies between execution targets of the deployment. The computing device may generate a linked list data structure based on the parses and may deploy the computing system by traversal of the linked list data structure.

Abstract: Techniques are disclosed for efficient utilization worker threads in a workflow-as-a-service (WFaaS) environment. A client device may request a workflow for execution by the client device. The client device may receive the requested workflow and initialize a set of worker threads to execute the workflow and a set of heartbeater threads to monitor the set of worker threads. Upon receiving an indication of a processing delay, the client device may capture the state of the workflow, suspend execution of the workflow, and store the workflow in a temporary queue. While the processing delay persists, the client device may use the set of worker threads to execute other tasks. When the processing delay terminates, the client device may resume execution of the workflow.

Abstract: Techniques for implementing an infrastructure orchestration service are described. In some examples, a declarative provisioner of the infrastructure orchestration service receives instructions for deployment of a resource. The declarative provisioner identifies that the deployment of the resource is a long-running task stores state information corresponding to the deployment of the resource. In certain embodiments, upon identifying that the deployment of the resource is a long-running task, the declarative provisioner pauses its execution of the long-running task. Responsive to a trigger received from the infrastructure orchestration service, the declarative provisioner resumes execution of the deployment of the resource using the state information and transmits deployment information corresponding to the deployment of the resource to the infrastructure orchestration service.

Abstract: Techniques are disclosed for utilizing directed acyclic graphs for deployment instructions. A computer-implemented method can include various operations. Instructions may be executed by a computing device to perform parses of configuration data associated with a deployment. The computing device may cause a first directed acyclic graph (DAG) to be generated, the first DAG being utilized for deploying a first resource based on the parses. A second DAG may be generated for deploying execution targets based on the parses, the second DAG specifying dependencies between execution targets of the deployment. The computing device may generate a linked list data structure based on the parses and may deploy the computing system by traversal of the linked list data structure.

Abstract: Techniques for implementing rollback of infrastructure changes in an infrastructure orchestration service are described. In certain examples, an infrastructure orchestration service is disclosed that manages both provisioning and deploying of infrastructure assets within a cloud environment. The service receives a plan comprising a set of instructions associated with a set of infrastructure assets of an execution target and identifies a first state of the set of infrastructure assets. The service executes the set of instructions in the plan to achieve a second state for the set of infrastructure assets. Based in part on the executing, the service receives a trigger for rolling back the plan to restore the set of infrastructure assets in the plan to the first state and executes a rollback plan for the plan. The service then transmits a result associated with the execution of the rollback plan.

Abstract: Techniques for implementing an infrastructure orchestration service are described. In some examples, a declarative provisioner of the infrastructure orchestration service receives instructions for deployment of a resource. The declarative provisioner identifies that the deployment of the resource is a long-running task stores state information corresponding to the deployment of the resource. In certain embodiments, upon identifying that the deployment of the resource is a long-running task, the declarative provisioner pauses its execution of the long-running task. Responsive to a trigger received from the infrastructure orchestration service, the declarative provisioner resumes execution of the deployment of the resource using the state information and transmits deployment information corresponding to the deployment of the resource to the infrastructure orchestration service.