Abstract

Infrastructure as Code (IaC) enables organizations to provision and manage infrastructure at scale using version-controlled, declarative specifications. Despite these advantages, infrastructure drift, where deployed resources diverge from their intended configuration, remains a persistent operational challenge and is often addressed manually and reactively. Recent advances in Large Language Models (LLMs) have accelerated their adoption within software engineering and DevOps workflows; however, the sensitive nature of IaC artifacts, particularly Terraform state files, has limited organizational willingness to rely on public LLM services for drift detection and remediation. This thesis investigates the feasibility of using open-source, self-hosted LLMs to assist with IaC drift detection and reconciliation in a privacy-preserving manner. We present OpenSentinel, a Terraform-native, GitOps-aligned system that integrates constrained LLM reasoning into existing IaC workflows. Rather than allowing LLMs to autonomously detect drift or modify live infrastructure, OpenSentinel treats Terraform as the authoritative drift detector and supplies LLMs with structured, locality-aware patch contexts to interpret drift semantics and synthesize configuration-level remediation proposals. All generated changes are validated using refresh-only Terraform planning and submitted as pull requests for human review and approval. We evaluate OpenSentinel through controlled experiments on AWS-based Terraform projects spanning multiple drift categories, including configuration toggles, property modifications, and resource relationship changes. Results show that instruction-following open-source models, particularly gpt-oss:20b and qwen3-coder:latest, can reliably preserve configuration locality and generate structurally valid patches that successfully converge infrastructure state. However, semantic patch correctness is not guaranteed in all cases, with observed false positives arising from heuristic overgeneralization and incomplete interpretation of intent. Overall, this work demonstrates that open-source LLMs can effectively assist IaC drift reconciliation when tightly constrained within Terraform-native and GitOps-governed workflows. The findings highlight both the promise and current limitations of LLM-assisted infrastructure maintenance and underscore the continued importance of human oversight for ensuring semantic correctness and operational safety.
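As an added illustration (not OpenSentinel's code and not taken from the thesis), the Python below shows one way to build the kind of structured, attribute-level drift context the abstract describes, using Terraform itself as the drift detector and honouring Terraform's sensitive-value markers so that secrets held in state are never passed to a model. It assumes the plan was produced with `terraform plan -refresh-only -out=drift.tfplan` and exported with `terraform show -json drift.tfplan`; the field names it reads from the `resource_drift` list (`address`, `change.actions`, `before`, `after`, `before_sensitive`, `after_sensitive`) follow Terraform's JSON plan format, and the sample plan embedded in the block is constructed for the example.

```python
import json

# Constructed sample of what `terraform show -json` emits for a refresh-only
# plan that found three drifted resources. Not real output from the thesis.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_drift": [
        {
            "address": "aws_s3_bucket_versioning.logs",
            "type": "aws_s3_bucket_versioning",
            "change": {
                "actions": ["update"],
                "before": {"bucket": "example-logs",
                           "versioning_configuration": [{"status": "Enabled"}]},
                "after": {"bucket": "example-logs",
                          "versioning_configuration": [{"status": "Suspended"}]},
                "before_sensitive": {"versioning_configuration": [{}]},
                "after_sensitive": {"versioning_configuration": [{}]},
            },
        },
        {
            "address": "aws_db_instance.app",
            "type": "aws_db_instance",
            "change": {
                "actions": ["update"],
                "before": {"identifier": "app-db", "password": "hunter2",
                           "backup_retention_period": 7},
                "after": {"identifier": "app-db", "password": "s3cr3t-rotated",
                          "backup_retention_period": 0},
                "before_sensitive": {"password": True},
                "after_sensitive": {"password": True},
            },
        },
        {
            "address": "aws_security_group_rule.ssh",
            "type": "aws_security_group_rule",
            "change": {
                "actions": ["delete"],
                "before": {"type": "ingress", "from_port": 22, "to_port": 22,
                           "cidr_blocks": ["10.0.0.0/8"]},
                "after": None,
                "before_sensitive": {"cidr_blocks": [False]},
                "after_sensitive": False,
            },
        },
    ],
})

REDACTED = "<redacted>"


def _flatten(value, prefix=""):
    """Flatten nested dicts/lists into {"a.b[0].c": leaf} so diffs are per attribute."""
    if isinstance(value, dict):
        out = {}
        for key, item in value.items():
            out.update(_flatten(item, f"{prefix}.{key}" if prefix else key))
        return out
    if isinstance(value, list):
        out = {}
        for idx, item in enumerate(value):
            out.update(_flatten(item, f"{prefix}[{idx}]"))
        return out
    return {prefix: value}


def _sensitive_paths(marks):
    """Attribute paths whose *_sensitive marker is true; their values stay on the host."""
    return {path for path, flag in _flatten(marks).items() if flag is True}


def drift_context(plan_json):
    """Reduce the plan's resource_drift list to per-resource, changed-attribute diffs.

    Only attributes that actually differ are kept (the locality the abstract
    refers to), and any attribute Terraform marks sensitive is replaced by a
    placeholder on both sides before the context leaves this function.
    """
    plan = json.loads(plan_json)
    context = []
    for res in plan.get("resource_drift", []):
        change = res["change"]
        before = _flatten(change.get("before") or {})
        after = _flatten(change.get("after") or {})   # None for a deleted resource
        redact = (_sensitive_paths(change.get("before_sensitive") or {})
                  | _sensitive_paths(change.get("after_sensitive") or {}))
        changed = {}
        for path in sorted(set(before) | set(after)):
            if before.get(path) == after.get(path):
                continue  # unchanged attribute: not part of the drift
            if path in redact:
                changed[path] = {"before": REDACTED, "after": REDACTED}
            else:
                changed[path] = {"before": before.get(path), "after": after.get(path)}
        context.append({"address": res["address"], "type": res.get("type"),
                        "actions": change.get("actions", []), "changed": changed})
    return context


def render_context(context):
    """Compact text block suitable as model input; carries no sensitive values."""
    lines = []
    for entry in context:
        lines.append(f"{entry['address']} ({', '.join(entry['actions'])})")
        for path, diff in entry["changed"].items():
            lines.append(f"  {path}: {diff['before']!r} -> {diff['after']!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_context(drift_context(SAMPLE_PLAN_JSON)))
```

The redaction step is the part worth keeping even if the rest is replaced: a refresh-only plan of a real AWS project will surface rotated credentials and similar values as drift, and those must be stripped before any prompt is assembled, regardless of whether the model is self-hosted.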

Publication Date

2026

Document Type

Thesis

Student Type

Graduate

Degree Name

Software Engineering (MS)

Department, Program, or Center

Software Engineering, Department of

College

Golisano College of Computing and Information Sciences

Advisor

Ashique KhudaBukhsh

Advisor/Committee Member

Christian Newman

Campus

RIT – Main Campus
