ministryofjustice / modernisation-platform

A place for the core work of the Modernisation Platform • This repository is defined and managed in Terraform
https://user-guide.modernisation-platform.service.justice.gov.uk
MIT License

Instance Scheduler - Cross-account access "AccessDenied" for certain accounts. #8558

Open mikereiddigital opened 1 day ago

mikereiddigital commented 1 day ago

Expected Behavior

From core-shared-services, the instance scheduler lambda with the role InstanceSchedulerLambdaFunctionPolicy/instance-scheduler-lambda-function will attempt to assume the role InstanceSchedulerAccess in the member account.

In addition, this error is not being tracked & logged in the lambda log. As such it's hidden amongst the general unauthorised-api-alert errors and not flagged as an instance scheduler error.

Actual Behavior

For some accounts an AccessDenied error occurs. Note that this error is not logged in the lambda log & does not show as an error in the lambda metric.

Examples of CloudTrail event IDs in core-shared-services showing this error are:

3b012434-a836-453c-9e14-983c00a0a662

4af4ceab-c294-4ce7-9878-ccb881dd2035

552a5917-5a17-4aa3-8dfc-48c9c4cefe7f

Steps to Reproduce the Problem

These events can be found every morning & afternoon the instance scheduler runs.

Source code & module call can be found here - https://github.com/ministryofjustice/modernisation-platform/blob/11c18b77be7de8ad0e6c1cc574e70a9bc751417a/terraform/environments/core-shared-services/instance-scheduler-lambda-function.tf#L1

Version

No response

Modules

No response

Account

core-shared-services
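The gap the issue describes (a failed cross-account AssumeRole that leaves no trace in the Lambda log or its error metric) is the kind of thing the scheduler's own code can close. The block below is an added example and not code from the modernisation-platform repository or its scheduler Lambda; it assumes the Lambda is written in Python against boto3, that the member account IDs arrive in the invocation event under `account_ids`, and that the per-account scheduling work is supplied as a callable. The `FakeSts` and `_AccessDeniedError` classes are constructed stand-ins for the boto3 STS client and `botocore.exceptions.ClientError` so the example runs offline; in Lambda the handler builds a real client. Each AssumeRole failure is logged as a structured record carrying the account ID, role ARN and AWS error code, the remaining accounts are still processed, and the invocation is failed at the end so the Lambda `Errors` metric registers the run.

```python
"""Added example: surfacing cross-account AssumeRole failures in an
instance-scheduler style Lambda (not the Modernisation Platform's code)."""
import json
import logging

logger = logging.getLogger("instance-scheduler")
logging.basicConfig(level=logging.INFO)

# Role name the scheduler expects to find in every member account (from the issue).
MEMBER_ROLE_NAME = "InstanceSchedulerAccess"


def error_code(exc):
    """Extract the AWS error code ("AccessDenied", ...) from a botocore
    ClientError-like exception. Attribute lookup is used so the same logic
    works with the offline stub below."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code", type(exc).__name__)


def assume_member_role(sts, account_id, role_name=MEMBER_ROLE_NAME,
                       session_name="instance-scheduler"):
    """Return temporary credentials for the role in the member account, or None
    if AssumeRole failed. Failures are logged as one JSON record per account so
    they can be found and alerted on in the Lambda log, separately from the
    generic unauthorised-API alerts raised from CloudTrail."""
    role_arn = f"arn:aws:iam::{account_id}:role/{role_name}"
    try:
        resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    except Exception as exc:  # ClientError in production; stub error below
        logger.error(json.dumps({
            "event": "assume_role_failed",
            "account_id": account_id,
            "role_arn": role_arn,
            "error_code": error_code(exc),
            "message": str(exc),
        }))
        return None
    return resp["Credentials"]


def run_scheduler(sts, account_ids, schedule_account):
    """Process every member account, collecting the ones whose role could not
    be assumed instead of silently skipping them. Returns the two lists so the
    caller decides how to surface the failures."""
    scheduled, failed = [], []
    for account_id in account_ids:
        creds = assume_member_role(sts, account_id)
        if creds is None:
            failed.append(account_id)
            continue
        schedule_account(account_id, creds)
        scheduled.append(account_id)
    return {"scheduled": scheduled, "failed": failed}


def lambda_handler(event, context, sts=None, schedule_account=None):
    """Lambda entry point (assumed event shape: {"account_ids": [...]}).
    Raising after the loop marks the invocation as failed, so the failure
    shows up in the Lambda Errors metric while the reachable accounts were
    still scheduled."""
    if sts is None:
        import boto3  # real STS client only when running inside Lambda
        sts = boto3.client("sts")
    if schedule_account is None:
        raise ValueError("schedule_account callable is required")
    result = run_scheduler(sts, event["account_ids"], schedule_account)
    if result["failed"]:
        raise RuntimeError(
            f"AssumeRole {MEMBER_ROLE_NAME} failed for accounts: "
            + ", ".join(result["failed"]))
    return result


# ---- Offline stand-ins (constructed for this example) -----------------------

class _AccessDeniedError(Exception):
    """Mimics botocore.exceptions.ClientError for an STS AccessDenied."""
    def __init__(self, role_arn):
        super().__init__(
            f"User is not authorized to perform: sts:AssumeRole on resource: {role_arn}")
        self.response = {"Error": {"Code": "AccessDenied", "Message": str(self)}}


class FakeSts:
    """Minimal stand-in for boto3's STS client: denies the listed accounts."""
    def __init__(self, denied):
        self.denied = set(denied)

    def assume_role(self, RoleArn, RoleSessionName):
        account_id = RoleArn.split(":")[4]
        if account_id in self.denied:
            raise _AccessDeniedError(RoleArn)
        return {"Credentials": {"AccessKeyId": "ASIA-EXAMPLE",
                                "SecretAccessKey": "x", "SessionToken": "y"}}


if __name__ == "__main__":
    # Constructed sample: account 222222222222 denies the assume-role call.
    fake = FakeSts(denied={"222222222222"})
    print(run_scheduler(fake, ["111111111111", "222222222222"], lambda a, c: None))
```

The structured log line gives a CloudWatch Logs metric filter something precise to match (`assume_role_failed` plus `AccessDenied`), which is what distinguishes a scheduler problem from the broader unauthorised-API alert stream the issue mentions.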