Slightly delayed response, but I would say that infrastructure-as-code (in the sense of codifying more than just a pipeline) has not been a significant pain point or blocker thus far.
This could be related to (a) the size of our cloud footprint and (b) how our approach to managing cloud resources has evolved since ~2009.
Both (a) and (b) have led to the formation of centralized teams (build, deploy, networking, data, security, etc.) that build and support tools aimed at alleviating common pain points faced by application teams. Some of these tools are farther along the infrastructure-as-code spectrum than others.
Infrastructure components that our application owners might be concerned with:
- AWS accounts
- subnets / VPCs
- security groups / IAM profiles
- load balancers
- autoscaling groups
AWS Account / Subnet / VPC
These are non-trivial configurations that are owned and managed by a dedicated networking team.
An application owner would know the account and VPC to deploy into but not necessarily how subnets are configured and peered across accounts.
I suspect there will be some improvements to Spinnaker aimed at better supporting the (non-trivial!) migration of an application across accounts.
Security Groups are largely managed by an application owner in Spinnaker with support from a dedicated security team.
This is likely to evolve over time with some investment into tooling that might allow application owners to reason about security groups in terms of what other applications require ingress (vs needing to know specific security group names/ids, ports, etc.).
IAM Profiles are similarly managed by a dedicated security team.
Tooling does exist that allows IAM roles to be defined, templated and version controlled outside of AWS.
Changes are managed via pull requests.
Load balancers are infrequently used with most teams using Eureka for client-side load balancing / service discovery.
Simple conventions (like default ports and mTLS) help reduce the amount of per-application boilerplate config.
Where load balancers are used, they are managed within Spinnaker.
ASGs are fully managed within Spinnaker.
I suspect that over time more infrastructure-as-code capabilities will appear in Spinnaker with managed pipeline templates being an initial dip in the water.
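The security-group tooling the post sketches above (application owners reasoning in terms of which applications need ingress rather than specific group IDs and ports) as an added example; this is not Netflix's or Spinnaker's code. The application-to-security-group registry, the default service port, the group IDs and the "current state" sample are all constructed assumptions; the rule shape mirrors the IpPermissions structure returned by the EC2 describe-security-groups API.

```python
"""Render AWS security group ingress rules from app-level declarations, diff
them against the current state, and lint what is already deployed.
Added example; registry, ports, group IDs and current state are constructed."""
from dataclasses import dataclass

# Hypothetical registry: which security group fronts each application.
APP_SECURITY_GROUPS = {
    "api-gateway": "sg-0a11",
    "orders": "sg-0b22",
    "payments": "sg-0c33",
}

# Convention from the post: one default service port (number is hypothetical).
DEFAULT_SERVICE_PORT = 7002


@dataclass(frozen=True)
class Ingress:
    """'app needs ingress from source_app'; port and protocol default by convention."""
    app: str
    source_app: str
    port: int = DEFAULT_SERVICE_PORT
    protocol: str = "tcp"


def _rule(protocol, port, source_sg):
    # Source is a security group reference, never a CIDR, so the rule survives
    # instance churn and autoscaling without anyone editing IP ranges.
    return {"IpProtocol": protocol, "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_sg}]}


def render_rules(declarations):
    """Translate declarations into ingress rules keyed by the target app's group."""
    rules = {}
    for d in declarations:
        try:
            target_sg = APP_SECURITY_GROUPS[d.app]
            source_sg = APP_SECURITY_GROUPS[d.source_app]
        except KeyError as e:
            raise ValueError(f"unknown application {e.args[0]!r}") from None
        rules.setdefault(target_sg, []).append(_rule(d.protocol, d.port, source_sg))
    return rules


def _key(rule):
    """Hashable identity of a rule: protocol, port range, every source group/CIDR."""
    groups = tuple(sorted(p["GroupId"] for p in rule.get("UserIdGroupPairs", [])))
    cidrs = tuple(sorted(r["CidrIp"] for r in rule.get("IpRanges", [])))
    return (rule["IpProtocol"], rule.get("FromPort", -1), rule.get("ToPort", -1), groups, cidrs)


def plan(desired, current):
    """Return {sg: {"add": [...], "revoke": [...]}} for groups that differ.
    Anything deployed that no application declared is scheduled for revocation,
    which is how stale hand-added rules get surfaced to a reviewer."""
    result = {}
    for sg in sorted(set(desired) | set(current)):
        want = {_key(r): r for r in desired.get(sg, [])}
        have = {_key(r): r for r in current.get(sg, [])}
        add = [want[k] for k in want if k not in have]
        revoke = [have[k] for k in have if k not in want]
        if add or revoke:
            result[sg] = {"add": add, "revoke": revoke}
    return result


def lint(current):
    """Findings a security reviewer would want on deployed rules."""
    findings = []
    for sg, rules in current.items():
        for r in rules:
            if r["IpProtocol"] == "-1":
                findings.append((sg, "all protocols allowed"))
            if any(ip["CidrIp"] == "0.0.0.0/0" for ip in r.get("IpRanges", [])):
                findings.append((sg, f"open to 0.0.0.0/0 on {r.get('FromPort')}-{r.get('ToPort')}"))
    return findings


# Constructed sample of what describe-security-groups might report today:
# orders already accepts api-gateway, plus a stale world-open SSH rule someone
# added by hand; payments has no rules yet.
CURRENT_STATE = {
    "sg-0b22": [
        _rule("tcp", 7002, "sg-0a11"),
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "sg-0c33": [],
}

# What the application owners actually declare.
DECLARATIONS = [
    Ingress("orders", "api-gateway"),
    Ingress("payments", "orders"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(plan(render_rules(DECLARATIONS), CURRENT_STATE), indent=2))
    print(lint(CURRENT_STATE))
```

Running it against the constructed state yields one rule to add on the payments group (source sg-0b22 on 7002), one rule to revoke on the orders group (the 0.0.0.0/0 SSH rule) and a lint finding for that same rule; the declared api-gateway-to-orders rule is already present and produces no change.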
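The IAM approach described above (roles defined and templated outside AWS, version controlled, with changes reviewed via pull requests) as an added example; this is not the tooling the post refers to, and the template format, the `{name}` placeholder syntax, the parameters, account ID and the lint rules are all assumptions of this example. The rendered documents follow the standard IAM policy JSON shape.

```python
"""Render an IAM role from a version-controlled template and report what a
proposed change widens. Added example; template format and checks are assumed."""
import copy
import re

# Hypothetical per-application parameters, as they would sit in a reviewed file.
PARAMS = {"app": "orders", "account_id": "123456789012",
          "region": "us-west-2", "bucket": "orders-artifacts"}

# Hypothetical role template; string values may use {name} placeholders.
ROLE_TEMPLATE = {
    "RoleName": "{app}-instance-role",
    "TrustPolicy": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "ec2.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    },
    "Policy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadArtifacts", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::{bucket}", "arn:aws:s3:::{bucket}/{app}/*"]},
            {"Sid": "ReadOwnSecrets", "Effect": "Allow",
             "Action": ["secretsmanager:GetSecretValue"],
             "Resource": "arn:aws:secretsmanager:{region}:{account_id}:secret:{app}/*"},
        ],
    },
}

# Only bare identifiers are placeholders, so IAM policy variables such as
# ${aws:username} (which contain a colon) pass through untouched.
PLACEHOLDER = re.compile(r"\{(\w+)\}")


def render(template, params):
    """Substitute placeholders recursively; an unknown name raises KeyError so a
    typo cannot silently ship a literal '{bucket}' as a resource ARN."""
    if isinstance(template, str):
        def sub(m):
            name = m.group(1)
            if name not in params:
                raise KeyError(f"unknown template parameter {name!r}")
            return params[name]
        return PLACEHOLDER.sub(sub, template)
    if isinstance(template, list):
        return [render(x, params) for x in template]
    if isinstance(template, dict):
        return {k: render(v, params) for k, v in template.items()}
    return template


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _is_read(action):
    verb = action.split(":", 1)[1] if ":" in action else action
    return verb.startswith(("Get", "List", "Describe"))


def lint_policy(policy):
    """Findings for Allow statements that are broader than an app role needs."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action {actions}")
        if "*" in resources and not all(_is_read(a) for a in actions):
            findings.append(f"{sid}: non-read actions on Resource '*'")
        if any(a.startswith("iam:") for a in actions):
            findings.append(f"{sid}: grants IAM actions (escalation surface)")
    return findings


def pull_request_findings(base_template, proposed_template, params):
    """Only what the proposed change introduces; pre-existing findings are the
    base branch's problem and should not block an unrelated PR."""
    base = set(lint_policy(render(base_template, params)["Policy"]))
    proposed = lint_policy(render(proposed_template, params)["Policy"])
    return [f for f in proposed if f not in base]


# Constructed PR: someone adds a convenient but far too broad deploy statement.
PROPOSED_TEMPLATE = copy.deepcopy(ROLE_TEMPLATE)
PROPOSED_TEMPLATE["Policy"]["Statement"].append(
    {"Sid": "Deploy", "Effect": "Allow", "Action": "s3:*", "Resource": "*"})

if __name__ == "__main__":
    import json
    print(json.dumps(render(ROLE_TEMPLATE, PARAMS), indent=2))
    print(pull_request_findings(ROLE_TEMPLATE, PROPOSED_TEMPLATE, PARAMS))
```

The base template renders cleanly with no findings; the constructed pull request is flagged twice for its new `Deploy` statement (wildcard action and non-read access on `Resource: "*"`), which is the kind of delta a reviewer wants surfaced automatically before the role reaches AWS.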