Adam Jordens
Mar 15, 2017 · 2 min read

Slightly delayed response but I would say that infrastructure-as-code (in the sense of codifying more than just a pipeline) has not been a significant pain point or blocker thus far.

This could be related to (a) the size of our cloud footprint and (b) how our approach to managing cloud resources has evolved since ~2009.

Both (a) and (b) have led to the formation of centralized teams (build, deploy, networking, data, security, etc.) that build and support tools aimed at alleviating common pain points faced by application teams. Some of these tools are farther along the infrastructure-as-code spectrum than others.

Infrastructure components that our application owners might be concerned with:

  • AWS accounts
  • subnets / VPCs
  • security groups / IAM profiles
  • load balancers
  • autoscaling groups

AWS Account / Subnet / VPC

These are non-trivial configurations that are owned and managed by a dedicated networking team.

An application owner would know the account and VPC to deploy into but not necessarily how subnets are configured and peered across accounts.

I suspect there will be some improvements to Spinnaker aimed at better supporting the (non-trivial!) migration of an application across accounts.

Security Groups

Security Groups are largely managed by an application owner in Spinnaker with support from a dedicated security team.

This is likely to evolve over time with some investment into tooling that might allow application owners to reason about security groups in terms of which other applications require ingress (rather than needing to know specific security group names/IDs, ports, etc.).
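To make the idea concrete, here is a small added illustration (not Netflix or Spinnaker code) of what such tooling could look like: application owners declare ingress intents as pairs of application names, the tool resolves them into concrete security group rules from a catalog, and a diff against the currently applied rules surfaces drift. The application names, ports and security group IDs are constructed for the example.

```python
"""Intent-based security group rules: an added illustration, not Spinnaker's code.

Owners declare which applications need ingress to theirs; the tool resolves those
intents into per-group rules and diffs them against what is currently applied so
that drift is surfaced and corrected through tooling rather than hand edits.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    sg_id: str      # security group the application's instances belong to
    port: int       # port the application listens on
    protocol: str = "tcp"


@dataclass(frozen=True)
class Rule:
    target_sg: str  # group the rule is attached to (the server side)
    source_sg: str  # group allowed to connect (the client side)
    port: int
    protocol: str


# Constructed application catalog; real tooling would read this from a registry.
CATALOG = {
    "api": App("api", "sg-0api0000", 7001),
    "web": App("web", "sg-0web0000", 7001),
    "cache": App("cache", "sg-0cache00", 6379),
}


def resolve_intents(catalog, intents):
    """Turn (client, server) intents into ingress rules on the server's group.

    Unknown application names raise instead of silently producing a rule, so a
    typo in an intent cannot open a port to an unintended group.
    """
    rules = set()
    for client, server in intents:
        if client not in catalog or server not in catalog:
            raise KeyError(f"unknown application in intent {client!r} -> {server!r}")
        c, s = catalog[client], catalog[server]
        rules.add(Rule(s.sg_id, c.sg_id, s.port, s.protocol))
    return rules


def diff_rules(desired, current):
    """Return (to_add, to_remove): desired rules not yet applied, and applied rules
    that no declared intent justifies (candidates for removal or review)."""
    return desired - current, current - desired


def render(rule):
    """Human-readable form for a pull request or change summary."""
    return f"{rule.target_sg}: allow {rule.protocol}/{rule.port} from {rule.source_sg}"


if __name__ == "__main__":
    desired = resolve_intents(CATALOG, [("web", "api"), ("api", "cache")])
    # Constructed "current" state: one stale rule, one intent not yet applied.
    current = {
        Rule("sg-0api0000", "sg-0web0000", 7001, "tcp"),
        Rule("sg-0api0000", "sg-0cache00", 7001, "tcp"),
    }
    to_add, to_remove = diff_rules(desired, current)
    for r in sorted(to_add, key=render):
        print("ADD    ", render(r))
    for r in sorted(to_remove, key=render):
        print("REMOVE ", render(r))
```

The owner never types a security group ID or port; those come from the catalog entry of the application that listens, and the `to_remove` set is what makes rules without a declared owner visible instead of accumulating.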

IAM Profiles

IAM Profiles are similarly managed by a dedicated security team.

Tooling exists that allows IAM roles to be defined, templated and version-controlled outside of AWS.

Changes are managed via pull requests.
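As an added illustration of that workflow (not the tooling the post refers to), the script below keeps a role as a template in version control, renders it for a given application, and runs a lint that a pull request check could execute before merge: it rejects wildcard actions, non-read actions on `Resource: "*"`, and trust policies open to any principal. The template, application name and bucket name are constructed.

```python
"""Templated IAM role with a pre-merge lint: an added illustration, not the
tooling described in the post. Role templates live in version control; render
fills in application values and lint rejects over-broad grants in review.
"""
import json
from string import Template

# Constructed template: an EC2 instance role with read-only access to one bucket.
ROLE_TEMPLATE = Template("""{
  "RoleName": "${app}-instance-role",
  "AssumeRolePolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {"Service": "ec2.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }]
  },
  "Policies": [{
    "PolicyName": "${app}-access",
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::${bucket}", "arn:aws:s3:::${bucket}/*"]
      }]
    }
  }]
}""")


def render_role(app, bucket):
    """Render the template into a role definition (a fresh dict per call)."""
    return json.loads(ROLE_TEMPLATE.substitute(app=app, bucket=bucket))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """Heuristic: treat Get/List/Describe verbs as read-only; anything else,
    including a bare '*' verb, is considered a write."""
    verb = action.split(":", 1)[1] if ":" in action else action
    return verb.startswith(("Get", "List", "Describe"))


def lint_role(role):
    """Return a list of findings; an empty list means the role passes review."""
    findings = []
    for stmt in role["AssumeRolePolicyDocument"]["Statement"]:
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append("trust policy allows any principal to assume the role")
    for policy in role["Policies"]:
        name = policy["PolicyName"]
        for stmt in policy["PolicyDocument"]["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt["Action"])
            resources = _as_list(stmt["Resource"])
            for action in actions:
                if action == "*" or action.endswith(":*"):
                    findings.append(f"{name}: wildcard action {action!r}")
            if "*" in resources and not all(is_read_only(a) for a in actions):
                findings.append(f"{name}: non-read action granted on Resource '*'")
    return findings


if __name__ == "__main__":
    role = render_role("api", "api-config")
    print(json.dumps(role, indent=2))
    print("findings:", lint_role(role) or "none")
```

Running the lint in the pull request check means a reviewer sees a finding next to the diff rather than discovering the over-broad grant after the role is live; the heuristics here are deliberately simple and would be extended with an organisation's own rules.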

Load Balancers

Load balancers are infrequently used with most teams using Eureka for client-side load balancing / service discovery.

Simple conventions (like default ports and mTLS) help reduce the amount of per-application boilerplate config.

Where load balancers are used, they are managed within Spinnaker.

Autoscaling Groups

ASGs are fully managed within Spinnaker.

I suspect that over time more infrastructure-as-code capabilities will appear in Spinnaker with managed pipeline templates being an initial dip in the water.

Written by

Continuous Delivery junkie at Netflix. Spent time at Amazon and a few startups in my previous life.
