DEV Community: Mukul Sharma The latest articles on DEV Community by Mukul Sharma (@mukulsharma). https://dev.to/mukulsharma https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1599906%2Fa0a214fd-2960-4aa2-8805-05c887403f7a.png DEV Community: Mukul Sharma https://dev.to/mukulsharma en Blocking FastAPI Access Logs Mukul Sharma Sun, 14 Jul 2024 03:55:08 +0000 https://dev.to/mukulsharma/taming-fastapi-access-logs-3idi https://dev.to/mukulsharma/taming-fastapi-access-logs-3idi <p>Have you ever found your FastAPI deployment cluttered with unnecessary access logs? These logs can create more noise than value, obscuring important information. Let's explore a neat trick to selectively block these access logs in FastAPI.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjsa7soxyvzg4k84pdzek.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjsa7soxyvzg4k84pdzek.png" alt="The Problem"></a></p> <p>Access logs can quickly overwhelm your console, making it difficult to spot critical information.</p> <h2> No B.S. Solution </h2> <p><a href="https://i.giphy.com/media/v1.Y2lkPTc5MGI3NjExamN3YnNpb3NqNzA0czJ0NjVkMWFqODVjZG95enY0Y253aXBxeGNobiZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/Dd7eqfJIDTnEmSVRGn/giphy.gif" class="article-body-image-wrapper"><img src="https://i.giphy.com/media/v1.Y2lkPTc5MGI3NjExamN3YnNpb3NqNzA0czJ0NjVkMWFqODVjZG95enY0Y253aXBxeGNobiZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/Dd7eqfJIDTnEmSVRGn/giphy.gif" alt="No Drama, No BS"></a></p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="c1"># main.py </span><span class="kn">import</span> <span class="n">logging</span> <span class="n">block_endpoints</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">/endpoint1</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/endpoint2</span><span class="sh">"</span><span class="p">]</span> <span class="k">class</span> <span class="nc">LogFilter</span><span class="p">(</span><span class="n">logging</span><span class="p">.</span><span class="n">Filter</span><span class="p">):</span> <span class="k">def</span> <span class="nf">filter</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">record</span><span class="p">):</span> <span class="k">if</span> <span class="n">record</span><span class="p">.</span><span class="n">args</span> <span class="ow">and</span> <span class="nf">len</span><span class="p">(</span><span class="n">record</span><span class="p">.</span><span class="n">args</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="mi">3</span><span class="p">:</span> <span class="k">if</span> <span class="n">record</span><span class="p">.</span><span class="n">args</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="ow">in</span> <span class="n">block_endpoints</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">return</span> <span class="bp">True</span> <span class="n">uvicorn_logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">(</span><span class="sh">"</span><span class="s">uvicorn.access</span><span class="sh">"</span><span class="p">)</span> <span class="n">uvicorn_logger</span><span class="p">.</span><span class="nf">addFilter</span><span class="p">(</span><span class="nc">LogFilter</span><span class="p">())</span> </code></pre> </div> <h3> How It Works </h3> <p>We create a <code>LogFilter</code> class that inherits from <code>logging.Filter</code>.<br> The filter method checks if the log record corresponds to one of our blocked endpoints.</p> <ul> <li>If the endpoint is in our <code>block_endpoints</code> list, we return <strong>False</strong>, preventing the log from being processed.</li> <li>By default we return <strong>True</strong> to log as usual.</li> </ul> <p>We apply this filter to Uvicorn's access logger, which FastAPI uses under the hood.</p> <h3> Going Deep </h3> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fee7r7tpa4whjjbwmhpig.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fee7r7tpa4whjjbwmhpig.jpg" alt="The Deep from The Boys"></a></p> <p>When working with Python's logging module, each log entry is represented by a <code>LogRecord</code> object. In our <code>LogFilter</code> class, the <code>record</code> parameter is an instance of this <code>LogRecord</code> class.</p> <p>The <code>args</code> attribute of a <code>LogRecord</code> contains a tuple of arguments which are merged into the log message. In the context of Uvicorn's access logs, these arguments hold valuable information about each request. Here's a breakdown of what each argument typically represents:</p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="c1"># Typical structure of record.args for Uvicorn access logs </span><span class="n">remote_address</span> <span class="o">=</span> <span class="n">record</span><span class="p">.</span><span class="n">args</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="c1"># IP address of the client </span><span class="n">request_method</span> <span class="o">=</span> <span class="n">record</span><span class="p">.</span><span class="n">args</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="c1"># HTTP method (GET, POST, etc.) </span><span class="n">query_string</span> <span class="o">=</span> <span class="n">record</span><span class="p">.</span><span class="n">args</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="c1"># Full path including query parameters </span><span class="n">html_version</span> <span class="o">=</span> <span class="n">record</span><span class="p">.</span><span class="n">args</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="c1"># HTTP version used </span><span class="n">status_code</span> <span class="o">=</span> <span class="n">record</span><span class="p">.</span><span class="n">args</span><span class="p">[</span><span class="mi">4</span><span class="p">]</span> <span class="c1"># HTTP status code of the response </span> </code></pre> </div> <p>Understanding this structure allows us to create more sophisticated filters. For example, we could filter logs based on status codes, specific IP addresses, or HTTP methods, not just endpoint paths.</p> <h3> Gotchas and Tips </h3> <ul> <li>This method works with Uvicorn's default logging setup. If you've customized your logging configuration, you might need to adjust the logger name.</li> <li>At times you might have a separate file for logging config such as <code>logger.py</code>. You may define the class <strong>LogFilter</strong> there but make sure to apply <code>.addFilter</code> in <code>main.py</code>.</li> </ul> <p>Remember that completely blocking logs for certain endpoints might make debugging more challenging. Use this technique judiciously.</p> <p>As <strong>thank you</strong> for making it to the end of this post, here is a trick I use for maximum benefit.</p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="c1"># main.py </span><span class="kn">import</span> <span class="n">logging</span> <span class="n">block_endpoints</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">/endpoint1</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/endpoint2</span><span class="sh">"</span><span class="p">]</span> <span class="k">class</span> <span class="nc">LogFilter</span><span class="p">(</span><span class="n">logging</span><span class="p">.</span><span class="n">Filter</span><span class="p">):</span> <span class="k">def</span> <span class="nf">filter</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">record</span><span class="p">):</span> <span class="k">if</span> <span class="n">record</span><span class="p">.</span><span class="n">args</span> <span class="ow">and</span> <span class="nf">len</span><span class="p">(</span><span class="n">record</span><span class="p">.</span><span class="n">args</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="mi">4</span><span class="p">:</span> <span class="nf">if </span><span class="p">(</span><span class="n">record</span><span class="p">.</span><span class="n">args</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="ow">in</span> <span class="n">block_endpoints</span> <span class="ow">and</span> <span class="n">record</span><span class="p">.</span><span class="n">args</span><span class="p">[</span><span class="mi">4</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">200</span><span class="sh">"</span><span class="p">):</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">return</span> <span class="bp">True</span> <span class="n">uvicorn_logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">(</span><span class="sh">"</span><span class="s">uvicorn.access</span><span class="sh">"</span><span class="p">)</span> <span class="n">uvicorn_logger</span><span class="p">.</span><span class="nf">addFilter</span><span class="p">(</span><span class="nc">LogFilter</span><span class="p">())</span> </code></pre> </div> <p>This will only block the request if the status code is <em>200</em>. This is super helpful when blocking <code>INFO</code> endpoints where you only need to be informed if an unexpected status code was returned.</p> <h3> Conclusion </h3> <p>By implementing this simple logging filter, you can significantly reduce noise in your FastAPI application logs. This allows you to focus on the information that truly matters, making your debugging and monitoring processes more efficient.</p> <h4> What to do next? </h4> <ul> <li>Feel free to ask questions and share your experience in the comments below!</li> <li>For further reading, check <a href="https://github.com/encode/starlette/issues/864" rel="noopener noreferrer">this</a> GitHub discussion.</li> <li>Check out my LinkedIn <a href="https://www.linkedin.com/in/mukuliskul" rel="noopener noreferrer">here</a>.</li> </ul> fastapi python filter logs Handling AWS WAF Capacity Limits with Terraform Mukul Sharma Sun, 09 Jun 2024 18:28:02 +0000 https://dev.to/mukulsharma/handling-aws-waf-capacity-limits-with-terraform-1741 https://dev.to/mukulsharma/handling-aws-waf-capacity-limits-with-terraform-1741 <p>When managing AWS WAF resources using Terraform, one common issue is exceeding the Web ACL Capacity Units (WCUs) limit, which can lead to deployment failures. This blog post will guide you through understanding WCUs, checking capacity using AWS CLI, and integrating this process into your Terraform workflow to ensure smooth deployments.</p> <h4> Understanding WCUs in AWS WAF </h4> <p>AWS WAF uses Web ACL Capacity Units (WCUs) to measure the resources required to run rules, rule groups, and Web ACLs. Each rule type has a different capacity requirement based on its complexity and processing needs. The capacity limits help AWS manage the performance and cost of running WAF rules efficiently.</p> <ul> <li> <strong>Simple Rules</strong>: Require fewer WCUs (e.g., size constraint rules).</li> <li> <strong>Complex Rules</strong>: Require more WCUs (e.g., regex pattern sets).</li> </ul> <p>For detailed WCU calculations, refer to the <a href="https://docs.aws.amazon.com/waf/latest/developerguide/aws-waf-capacity-units.html">AWS WAF documentation</a> <a href="https://docs.aws.amazon.com/waf/latest/developerguide/aws-waf-capacity-units.html">oai_citation:1,AWS WAF web ACL capacity units (WCUs) - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced</a>.</p> <h4> Common Error </h4> <p>When you exceed the WCU limits, you may encounter the following error:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>WAFInvalidParameterException: Error reason: You exceeded the capacity limit for a rule group or web ACL. </code></pre> </div> <h4> Checking WCU Requirements with AWS CLI </h4> <p>Terraform lacks built-in functionality to check WCUs before applying configurations. However, AWS CLI provides a <code>check-capacity</code> command to verify the WCU requirements. Here’s how you can use it:</p> <ol> <li> <strong>Define WAF Rules in JSON</strong>: Create a JSON file (<code>rules.json</code>) with the rules you want to include: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Rules"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Rule1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Priority"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ByteMatchStatement"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"SearchString"</span><span class="p">:</span><span class="w"> </span><span class="s2">"BadBot"</span><span class="p">,</span><span class="w"> </span><span class="nl">"FieldToMatch"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"UriPath"</span><span class="p">:</span><span class="w"> </span><span class="p">{}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"TextTransformations"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Priority"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"NONE"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Block"</span><span class="p">:</span><span class="w"> </span><span class="p">{}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"VisibilityConfig"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"SampledRequestsEnabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"CloudWatchMetricsEnabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"MetricName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Rule1Metric"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ol> <li> <strong>Run the <code>check-capacity</code> Command</strong>: Use the AWS CLI to check the capacity: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> aws wafv2 check-capacity <span class="nt">--scope</span> REGIONAL <span class="nt">--rules</span> file://rules.json </code></pre> </div> <p>The output will look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Capacity"</span><span class="p">:</span><span class="w"> </span><span class="mi">15</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This command returns the total WCU requirement for your specified rules. Ensure it doesn't exceed 5,000 WCUs for a single Web ACL.</p> <h4> Integrating Capacity Check with Terraform </h4> <p>To avoid deployment failures due to WCU limits, integrate the capacity check into your Terraform workflow using a shell script:</p> <ol> <li> <strong>Create a Shell Script</strong>: Write a script (<code>check_capacity.sh</code>) to perform the capacity check: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c">#!/bin/bash</span> <span class="nv">CAPACITY</span><span class="o">=</span><span class="si">$(</span>aws wafv2 check-capacity <span class="nt">--scope</span> REGIONAL <span class="nt">--rules</span> file://rules.json | jq <span class="s1">'.Capacity'</span><span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$CAPACITY</span><span class="s2">"</span> <span class="nt">-gt</span> 5000 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Error: Capacity units exceeded. Current capacity: </span><span class="nv">$CAPACITY</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">else </span><span class="nb">echo</span> <span class="s2">"Capacity check passed. Current capacity: </span><span class="nv">$CAPACITY</span><span class="s2">"</span> <span class="nb">export </span><span class="nv">TERRAFORM_CAPACITY_CHECK</span><span class="o">=</span>passed <span class="k">fi</span> </code></pre> </div> <ol> <li> <strong>Integrate with Terraform</strong>: Modify your Terraform workflow to include the script: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ./check_capacity.sh <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$TERRAFORM_CAPACITY_CHECK</span><span class="s2">"</span> <span class="o">==</span> <span class="s2">"passed"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span>terraform apply <span class="k">else </span><span class="nb">echo</span> <span class="s2">"Terraform apply aborted due to capacity issues."</span> <span class="k">fi</span> </code></pre> </div> <p>By incorporating this script, you ensure that your Terraform deployments only proceed if the WCU requirements are within limits, preventing potential failures and downtime.</p> <h3> Conclusion </h3> <p>Handling WCU limits is crucial for successful AWS WAF deployments using Terraform. By leveraging the <code>check-capacity</code> command in AWS CLI and integrating it into your Terraform workflow, you can proactively manage capacity and avoid deployment issues. This approach ensures a smoother, more reliable infrastructure management process especially until terraform starts to support a similar built-in functionality.</p> <p>For further reading, check the official <a href="https://docs.aws.amazon.com/waf/latest/developerguide/aws-waf-capacity-units.html">AWS WAF documentation on WCUs</a> and the <a href="https://awscli.amazonaws.com/v2/documentation/api/latest/reference/wafv2/check-capacity.html">AWS CLI <code>check-capacity</code> command reference</a>.</p> terraform aws webacl waf