Description
- clusters-list now works with cross-account VPCs and displays the account each VPC associated with the cluster is in. We do this using a cross-account IAM role that gives the Cluster account access to Parameter Store in the VPC account(s).
- Updated the README to explain how to do cross-account capture.
- Updated the detailed design diagram to reflect cross-account capture.
- Updated cluster-deregister-vpc to remove permissions for an account to create GWLB Endpoints on the cluster's GWLB if there are no other VPCs needing it.
Testing
- Manually tested clusters-list and cluster-deregister-vpc against my AWS accounts.
- List call showing 1 VPC in the Cluster account and 2 VPCs in another account.
- When we remove the 2 cross-account VPCs, cluster-deregister-vpc doesn't remove the GWLB perms until it's called on the last VPC in that other account:
(.venv) chelma@3c22fba4e266 aws-aio % ./manage_arkime.py cluster-deregister-vpc --cluster-name MyCluster3 --vpc-id vpc-0eadcf1a9ad8b3e26
2023-08-24 10:59:22 - Debug-level logs save to file: /Users/chelma/workspace/Arkime/aws-aio/manage_arkime/manage_arkime.log
2023-08-24 10:59:22 - Using AWS Credential Profile: default
2023-08-24 10:59:22 - Using AWS Region: default from AWS Config settings
2023-08-24 10:59:22 - Deregistering the VPC with the Cluster...
2023-08-24 10:59:23 - Removing the cross-account access role: arkime_MyCluster3_vpc-0eadcf1a9ad8b3e26
2023-08-24 10:59:24 - Removing permissions for Account YYYYYYYYYYYY to create GWLBE Endpoints on: vpce-svc-0bf7f421d6596c8cb
2023-08-24 10:59:24 - There are 1 other VPCs currently using this permission; skipping...
2023-08-24 10:59:24 - Removing association details from Param Store at: /arkime/clusters/MyCluster3/vpcs/vpc-0eadcf1a9ad8b3e26/cross-account
(.venv) chelma@3c22fba4e266 aws-aio % ./manage_arkime.py cluster-deregister-vpc --cluster-name MyCluster3 --vpc-id vpc-08d5c92356da0ccb4
2023-08-24 11:03:15 - Debug-level logs save to file: /Users/chelma/workspace/Arkime/aws-aio/manage_arkime/manage_arkime.log
2023-08-24 11:03:15 - Using AWS Credential Profile: default
2023-08-24 11:03:15 - Using AWS Region: default from AWS Config settings
2023-08-24 11:03:15 - Deregistering the VPC with the Cluster...
2023-08-24 11:03:16 - Removing the cross-account access role: arkime_MyCluster3_vpc-08d5c92356da0ccb4
2023-08-24 11:03:17 - Removing permissions for Account YYYYYYYYYYYY to create GWLBE Endpoints on: vpce-svc-0bf7f421d6596c8cb
2023-08-24 11:03:18 - Removing association details from Param Store at: /arkime/clusters/MyCluster3/vpcs/vpc-08d5c92356da0ccb4/cross-account
License
I confirm that this contribution is made under an Apache 2.0 license and that I have the authority necessary to make this contribution on behalf of its copyright owner.
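The deregistration behaviour shown in the transcript above, as an added example that is not code from the aws-aio project: the per-VPC cross-account role is always removed, but the account-level permission to create GWLB endpoints on the cluster's endpoint service is revoked only when no other registered VPC from that account still needs it. The account IDs, VPC IDs, endpoint-service ID and the shape of the two IAM policies are constructed sample values and assumptions, not the project's actual configuration.

```python
# Added example (not aws-aio's own code). Models the cluster-deregister-vpc
# decision from the PR and a least-privilege shape for the cross-account role
# that lets the cluster account read the VPC account's Parameter Store entry.
import json
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class VpcAssociation:
    """One VPC registered with a cluster and the AWS account that owns it."""
    vpc_id: str
    account_id: str


def other_vpcs_for_account(
    associations: List[VpcAssociation], account_id: str, vpc_id: str
) -> List[VpcAssociation]:
    """Registered VPCs from `account_id` other than `vpc_id` (the reference count)."""
    return [a for a in associations if a.account_id == account_id and a.vpc_id != vpc_id]


def plan_deregister(
    associations: List[VpcAssociation],
    cluster_name: str,
    vpc_id: str,
    endpoint_service_id: str,
) -> List[str]:
    """Ordered actions for deregistering `vpc_id` from `cluster_name`.

    Raises KeyError if the VPC is not registered, so a typo cannot silently
    'succeed' and leave a stale permission behind.
    """
    target = {a.vpc_id: a for a in associations}[vpc_id]
    actions = [f"remove-role arkime_{cluster_name}_{vpc_id}"]
    remaining = other_vpcs_for_account(associations, target.account_id, vpc_id)
    if remaining:
        # Another VPC in the same account still needs the endpoint permission.
        actions.append(
            f"keep-endpoint-permission {target.account_id} on {endpoint_service_id} "
            f"({len(remaining)} other VPC(s) still using it)"
        )
    else:
        actions.append(f"revoke-endpoint-permission {target.account_id} on {endpoint_service_id}")
    actions.append(f"delete-parameter /arkime/clusters/{cluster_name}/vpcs/{vpc_id}/cross-account")
    return actions


def cross_account_read_policy(vpc_account_id: str, cluster_name: str, vpc_id: str) -> Dict:
    """Identity policy for the role in the VPC account (assumed layout): read-only
    access scoped to the single parameter subtree for this cluster/VPC pair."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ssm:GetParameter", "ssm:GetParameters"],
            "Resource": f"arn:aws:ssm:*:{vpc_account_id}:parameter"
                        f"/arkime/clusters/{cluster_name}/vpcs/{vpc_id}/*",
        }],
    }


def cross_account_trust_policy(cluster_account_id: str) -> Dict:
    """Trust policy: only principals in the cluster account may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{cluster_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


# Constructed scenario matching the PR's test: 1 VPC in the cluster account
# (111111111111) and 2 VPCs in another account (222222222222).
SAMPLE_ASSOCIATIONS = [
    VpcAssociation("vpc-0aaaaaaaaaaaaaaaa", "111111111111"),
    VpcAssociation("vpc-0bbbbbbbbbbbbbbbb", "222222222222"),
    VpcAssociation("vpc-0cccccccccccccccc", "222222222222"),
]


def demo() -> List[List[str]]:
    """Deregister both cross-account VPCs in turn; only the second revokes."""
    first = plan_deregister(SAMPLE_ASSOCIATIONS, "MyCluster", "vpc-0bbbbbbbbbbbbbbbb", "vpce-svc-EXAMPLE")
    left = [a for a in SAMPLE_ASSOCIATIONS if a.vpc_id != "vpc-0bbbbbbbbbbbbbbbb"]
    second = plan_deregister(left, "MyCluster", "vpc-0cccccccccccccccc", "vpce-svc-EXAMPLE")
    return [first, second]


if __name__ == "__main__":
    for plan in demo():
        print("\n".join(plan), "\n")
    print(json.dumps(cross_account_read_policy("222222222222", "MyCluster", "vpc-0bbbbbbbbbbbbbbbb"), indent=2))
```

The reference count is computed from the registered associations rather than from a stored counter, so a failed or repeated deregistration cannot drift the count and leave an account with endpoint permissions it no longer needs; the trust policy deliberately names only the cluster account, and the read policy is scoped to the one parameter path rather than all of `/arkime/`.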