Calculate capacity for aws_wafv2_rule_group automatically

[janritter]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

When creating a new rule group, inputting the correct capacity is cumbersome, it can be calculated or initially created with a too high value to then get the correct capacity from the web console. Instead of manually getting the value it would be great if Terraform allows an automatic calculation based on the configured rules. AWS offers the CheckCapacity API for this, it returns the needed capacity for a given ruleset.

As shown in the code example below, if the capacity value is set to 0 or -1 (still to be defined), it would be great if Terraform automatically fetches the value during runtime.

New or Affected Resource(s)

• aws_wafv2_rule_group

Potential Terraform Configuration

resource "aws_wafv2_rule_group" "example" {
  name     = "example-rule"
  scope    = "REGIONAL"
  # Use capacity 0 to automatically calculate the capacity
  capacity = 0

  rule {
    name     = "rule-1"
    priority = 1

    action {
      allow {}
    }

    statement {

      geo_match_statement {
        country_codes = ["US", "NL"]
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "friendly-rule-metric-name"
      sampled_requests_enabled   = false
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "friendly-metric-name"
    sampled_requests_enabled   = false
  }
}

References

• https://docs.aws.amazon.com/waf/latest/APIReference/API_CheckCapacity.html
• https://docs.aws.amazon.com/cli/latest/reference/wafv2/check-capacity.html

[rirze]

This would be awesome to have in the provider directly. I will note though, having done something similar before, that changing capacity of an existing rule will cause a recreate, which may not be clear to the user if this was implemented.

[github-actions[bot]]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

[zoezhangmattr]

this would be great to have. its frustrating to keep having the problem when set a capacity, dont even know what is wrong. creating WAFv2 RuleGroup (blahalah): WAFInvalidParameterException: Error reason: You exceeded the capacity limit for a rule group or web ACL., field: RULE_GROUP, parameter: 53 │ { │ RespMetadata: { │ StatusCode: 400, │ RequestID: "1ab7dc29-d407-4b57-a1c8-0413e73a9a5e" │ }, │ Field: "RULEGROUP", │ Message: "Error reason: You exceeded the capacity limit for a rule group or web ACL., field: RULE_GROUP, parameter: 53", │ Parameter: "53", │ Reason: "You exceeded the capacity limit for a rule group or web ACL." │ }

[daknhh]

You can also just use tools like https://github.com/globaldatanet/aws-firewall-factory - especially if you need to calculate capacity for Regex and IpSet Lists this can be tricky ;)