Reference Architecture and AWS Service Quotas or Limits

[zackproser]

A customer asked:

How do AWS service quotas (a.k.a Limits) factor into a Gruntwork Reference Architecture deployment?

[zackproser]

AWS Service Quotas are fine-grained "caps" that AWS places on certain resource usage. For example, AWS has a service quota governing the number of concurrent executions Lambda functions in your account may reach.

AWS enforces service quotas for many different reasons which may include:

• Limiting service-wide abuse
• Ensuring sufficient resource availability across a given region
• Preventing brand new AWS accounts that may have test workloads from generating massive usage costs

New AWS accounts are more likely to receive strict service quotas or limits, which is unfortunate given the fact that Gruntwork requires new AWS accounts for deployments, to ensure no account baselines have been applied that conflict with our own.

Strict service quotas often interfere with a Gruntwork Reference Architecture deployment. For example, our CIS Reference Architecture deploys several lambda functions in your account that automatically clean up expired IAM certificates.

If a new AWS account's service quotas for concurrent lambda execution are throttled by a strict service quota, for example, one that pins concurrent executions to 50, then it may not be possible to terragrunt apply the relevant terragrunt configuration that creates a lambda requiring more than 50 concurrent executions.

In this scenario, Gruntwork needs to reach out to AWS on your behalf and request service quota increases for all relevant services that might be constrained or throttled in your account.

It's important to understand that Gruntwork has no control over when or how AWS applies service quotas to your account(s), and can only request quota increases on your behalf and then wait until the limits are raised before proceeding with a deployment. While Gruntwork does build automated tooling that requests relevant service quotas be raised on new accounts, we still have no control over how quickly these service quota increases will be reviewed and lifted by AWS's internal teams.