There is a kind of read-only enforcement when all configuration is produced by automation - you learn, often painfully, that any writes (i.e. manual hacks) are liable to be rewritten, without warning and at arbitrary times.
There's no error message telling you you can't hack an extra vhost into httpd.conf, but once you've got paged at 3am because your hack disappeared, you pretty quickly learn to supply your own error message.
Heroku's an extreme example of this - the dyno filesystem is perfectly writable, but it's definitely going away within 24 hours.
(The large-company version of "all configuration is produced by automation", which produces a surprisingly similar result, is "all configuration is produced by another team".)
There's no error message telling you you can't hack an extra vhost into httpd.conf, but once you've got paged at 3am because your hack disappeared, you pretty quickly learn to supply your own error message.
Heroku's an extreme example of this - the dyno filesystem is perfectly writable, but it's definitely going away within 24 hours.
(The large-company version of "all configuration is produced by automation", which produces a surprisingly similar result, is "all configuration is produced by another team".)