[TRACKING] Phase 1 - Basic Create/Delete #3

Closed
chelma opened this issue Mar 20, 2023 · 5 comments
@chelma
Collaborator

chelma commented Mar 20, 2023

Description

For phase 1, we will focus on creating a CLI with basic creation/deletion for adding an Arkime installation into an existing AWS Account with existing VPCs/traffic sources. Issue will be used to outline the overall progress of phase 1.

Still need to add the code/command to tear the demo traffic stacks down.

Tasks

Follow-up Items

@chelma chelma self-assigned this Mar 20, 2023
@chelma
Collaborator Author

chelma commented Apr 14, 2023

Follow-up Work (CLI):

  • README: Update to reflect current state, design, and how to use
  • add-vpc: Add unit tests
  • create-cluster: Update to provide users with viewer URL/username/password when finished
  • destroy-cluster: Update to check if the cluster is monitoring VPCs, abort if it is
  • remove-vpc: Add unit tests

Follow-up Work (CDK):

  • Capture Nodes Stack: Configure Auto-Scaling; currently wonky/broken
  • Mirror Stack: Get the user's VPC cidr and use for filter rules instead of hardcoding
  • Single Quotes: Action this open issue to change to a consistent quote style (typescript quote style #18)

Proposed Follow-up Workstreams, Prioritized From Highest to Lowest:

  • Mirroring Resilience: Create mechanisms to make traffic mirroring more resilient to changes in user traffic load, network configuration (changes in subnets), and traffic sources (changes in ENIs, short-lived ENIs)
  • Configurable Capture: Create mechanisms to surface capture process configuration to the user and enable updates of that configuration
  • Centralized Viewer: Create mechanisms to enable a single Viewer to surface details from many Arkime Clusters
  • Viewer HTTPS: Create mechanisms (either code or a written guide) to enable HTTPS for the Viewer Nodes
  • Cross-Account Capture: Create mechanisms to enable users to capture traffic from VPCs they own in other accounts (but the same region)
  • Global Viewer: Create mechanisms to enable Viewers to surface details from Arkime Clusters in other regions
  • User Management: Create mechanisms to enable better user management/AuthN/AuthZ than just the basic version provided by the Viewer

@chelma
Collaborator Author

chelma commented Apr 14, 2023

cloud_arkime_design

@awick
Contributor

awick commented Apr 14, 2023

couple other thoughts

  • viewer https support with maybe user provided dns name should probably be higher than centralized
  • with capture auto scaling would like to see ability to optionally specify min/max as cli params
  • add cli ability to set/update the s3 lifecycle policy for pcap files with a X (90?) day default
  • I think it would be nice if there was a cli command to get the viewer password (assuming the user has the perm)

@awick
Contributor

awick commented Apr 14, 2023

Would also like to figure out how we should represent capture node names, since using the ip is kind of useless. Maybe something like "--". Although if we share capture nodes across vpcs maybe just "-<instanceid"

@chelma
Collaborator Author

chelma commented Apr 17, 2023

Acceptance criteria met for this phase; follow-up work tracked in a new issue (#20). Resolving.

@chelma chelma closed this as completed Apr 17, 2023