Event-Based Mirroring: Scheduled Scans

[chelma]

Description

Per design discussion in (#35), we need a mechanism to detect changes in the User VPC's ENIs and automatically set up the per-ENI Mirroring configuration. This task is to implement the initial version of that. The approach chosen will be to:

• Create a per-Cluster AWS EventBridge Bus
• Create per-VPC Lambda Functions that will scan a designated subnet for changes added/removed ENIs and update the per-ENI mirroring configuration
• Create per-VPC EventBridge Rules that kicks off each per-VPC scan Lambda every minute
• Create per-VPC EventBridge Rules that listen on the per-Cluster Bus for user-initiated requests to kick off a scan
• Update the add-vpc and remove-vpc CLI commands to kick off the Lambdas via an EventBridge event rather than directly manipulating the per-ENI mirroring resources themselves

A few design comments:

• We make our Lambda Functions operate at the subnet level for a few reasons.
  • Currently, we use CDK/CloudFormation to set up required, per-Subnet resources that must be in place before we can create the per-ENI resources for that subnet. This means that, while we'll probably eventually want to have our scan operate at the VPC level, for the time being it only creates additional work for us without an apparent benefit. Once we start configuring our per-Subnet mirroring resources using events rather than manually-invoked CDK, we'll likely revisit this.
  • Similarly, while we will eventually want the ability to create/destroy per-ENI mirroring resource directly in order to better leverage the events natively generated by AWS Services such as EC2/ECS on the default EventBridge Bus, we don't currently need that ability and it makes this task more complex to implement. We'll leave that evolution to its own task.

Acceptance Criteria

• Demonstrate that the updated, event-based add-vpc and remove-vpc successfully configure mirroring components
• Demonstrate that changes to the User VPC's ENIs are actioned by an automated system