When managing AWS WAF resources using Terraform, one common issue is exceeding the Web ACL Capacity Units (WCUs) limit, which can lead to deployment failures. This blog post will guide you through understanding WCUs, checking capacity using AWS CLI, and integrating this process into your Terraform workflow to ensure smooth deployments.
Understanding WCUs in AWS WAF
AWS WAF uses Web ACL Capacity Units (WCUs) to measure the resources required to run rules, rule groups, and Web ACLs. Each rule type has a different capacity requirement based on its complexity and processing needs. The capacity limits help AWS manage the performance and cost of running WAF rules efficiently.
Simple Rules: Require fewer WCUs (e.g., size constraint rules).
Complex Rules: Require more WCUs (e.g., regex pattern sets).
For detailed WCU calculations, refer to the AWS WAF documentation oai_citation:1,AWS WAF web ACL capacity units (WCUs) – AWS WAF, AWS Firewall Manager, and AWS Shield Advanced.
Common Error
When you exceed the WCU limits, you may encounter the following error:
Checking WCU Requirements with AWS CLI
Terraform lacks built-in functionality to check WCUs before applying configurations. However, AWS CLI provides a check-capacity command to verify the WCU requirements. Here’s how you can use it:
Define WAF Rules in JSON:
Create a JSON file (rules.json) with the rules you want to include:
“Rules”: [
{
“Name”: “Rule1”,
“Priority”: 1,
“Statement”: {
“ByteMatchStatement”: {
“SearchString”: “BadBot”,
“FieldToMatch”: {
“UriPath”: {}
},
“TextTransformations”: [
{
“Priority”: 0,
“Type”: “NONE”
}
]
}
},
“Action”: {
“Block”: {}
},
“VisibilityConfig”: {
“SampledRequestsEnabled”: true,
“CloudWatchMetricsEnabled”: true,
“MetricName”: “Rule1Metric”
}
}
]
}
Run the check-capacity Command:
Use the AWS CLI to check the capacity:
The output will look like this:
“Capacity”: 15
}
This command returns the total WCU requirement for your specified rules. Ensure it doesn’t exceed 5,000 WCUs for a single Web ACL.
Integrating Capacity Check with Terraform
To avoid deployment failures due to WCU limits, integrate the capacity check into your Terraform workflow using a shell script:
Create a Shell Script:
Write a script (check_capacity.sh) to perform the capacity check:
CAPACITY=$(aws wafv2 check-capacity –scope REGIONAL –rules file://rules.json | jq ‘.Capacity’)
if [ “$CAPACITY“ -gt 5000 ]; then
echo “Error: Capacity units exceeded. Current capacity: $CAPACITY“
exit 1
else
echo “Capacity check passed. Current capacity: $CAPACITY“
export TERRAFORM_CAPACITY_CHECK=passed
fi
Integrate with Terraform:
Modify your Terraform workflow to include the script:
if [ “$TERRAFORM_CAPACITY_CHECK“ == “passed” ]; then
terraform apply
else
echo “Terraform apply aborted due to capacity issues.”
fi
By incorporating this script, you ensure that your Terraform deployments only proceed if the WCU requirements are within limits, preventing potential failures and downtime.
Conclusion
Handling WCU limits is crucial for successful AWS WAF deployments using Terraform. By leveraging the check-capacity command in AWS CLI and integrating it into your Terraform workflow, you can proactively manage capacity and avoid deployment issues. This approach ensures a smoother, more reliable infrastructure management process especially until terraform starts to support a similar built-in functionality.
For further reading, check the official AWS WAF documentation on WCUs and the AWS CLI check-capacity command reference.
