🥒 CCC.VPC Test: cfi-1775709523-vpc

Test Parameters

ServiceTypevpc
ProviderServiceTypeec2:vpc
CatalogTypesCCC.VPC
TagFilter@MAIN, @CCC.VPC, ~@NEGATIVE, ~@OPT_IN
UIDvpc-0feec083a109b3f33
ResourceNamecfi-1775709523-vpc
Instance
{
  "ID": "main-aws",
  "Properties": {
    "Provider": "aws",
    "Region": "us-east-1",
    "AzureResourceGroup": "",
    "AzureSubscriptionID": "",
    "GcpProjectId": ""
  },
  "Services": [
    {
      "Type": "object-storage",
      "Properties": {
        "object-storage-retention-period-days": 2
      }
    },
    {
      "Type": "logging",
      "Properties": {
        "aws-cloud-trail-log-group-name": "cfi-test-log-group"
      }
    },
    {
      "Type": "vpc",
      "Properties": {
        "bad-vpc-id": "vpc-061fc0e23d1f97e09",
        "cn03-allowed-requester-vpc-ids": null,
        "cn03-allowed-requester-vpc-ids-csv": "vpc-0cd64c742c4aeeec6,vpc-0fe2bda106e9fcff8",
        "cn03-disallowed-requester-vpc-ids": null,
        "cn03-disallowed-requester-vpc-ids-csv": "vpc-035038ee014ffbedf,vpc-057df3e61ae902317",
        "cn03-non-allowlisted-requester-vpc-id": "vpc-0b2bf9794226515fc",
        "cn03-receiver-vpc-id": "vpc-0feec083a109b3f33",
        "cn04-flow-log-group-name": "/aws/vpc/flow-logs/cfi-1775709523-vpc"
      }
    }
  ],
  "Rules": {
    "permitted-account-ids": "",
    "permitted-regions": [
      "us-east-1"
    ]
  }
}
AwsCloudTrailLogGroupNamecfi-test-log-group
BadVpcIdvpc-061fc0e23d1f97e09
Cn03AllowedRequesterVpcIdsCsvvpc-0cd64c742c4aeeec6,vpc-0fe2bda106e9fcff8
Cn03DisallowedRequesterVpcIdsCsvvpc-035038ee014ffbedf,vpc-057df3e61ae902317
Cn03NonAllowlistedRequesterVpcIdvpc-0b2bf9794226515fc
Cn03ReceiverVpcIdvpc-0feec083a109b3f33
Cn04FlowLogGroupName/aws/vpc/flow-logs/cfi-1775709523-vpc
ObjectStorageRetentionPeriodDays2
PermittedRegions
[
  "us-east-1"
]
Provideraws
Regionus-east-1

Summary

Generated: 2026-04-09 04:48:16

Total Run Time: 24s

Features: 4

Scenarios: 7 (✅ 7 | ❌ 0)

Steps: 80 (✅ 80 | ❌ 0 | ⏭️ 0 | ❓ 0)

Feature: CCC.VPC.CN01.AR01 - Subscription must not contain default network resources
Scenario: Main check: no default VPC exists @vpc @tlp-amber @tlp-red @CCC.VPC.CN01 @CCC.VPC.CN01.AR01 @Policy @MAIN @CCC.VPC @DEFAULT
Given a cloud api for "{Instance}" in "api"43µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"196µs
And I refer to "{result}" as "vpcService"21µs
When I call "{vpcService}" with "CountDefaultVpcs"291ms
Then "{result}" is "0"60µs
Feature: CCC.VPC.CN02.AR01 - No external IP by default in public subnets
Scenario: Main check (config): public subnets do not auto-assign external IPs @vpc @tlp-red @CCC.VPC.CN02 @CCC.VPC.CN02.AR01 @Policy @MAIN @CCC.VPC @DEFAULT
Given a cloud api for "{Instance}" in "api"30µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"169µs
And I refer to "{result}" as "vpcService"26µs
Given I refer to "{UID}" as "TargetVpcId"22µs
When I call "{vpcService}" with "EvaluatePublicSubnetDefaultIPControl" using argument "{TargetVpcId}"583ms
Then "{result.ViolatingSubnetCount}" is "0"73µs
And "{result.Reason}" contains "disable default public IP"36µs
Scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP @vpc @tlp-red @CCC.VPC.CN02 @CCC.VPC.CN02.AR01 @Behavioural @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"44µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"124µs
And I refer to "{result}" as "vpcService"15µs
Given I refer to "{UID}" as "TargetVpcId"13µs
When I call "{vpcService}" with "SelectPublicSubnetForTest" using argument "{TargetVpcId}"506ms
And I refer to "{result.SubnetId}" as "TestSubnetId"57µs
And I call "{vpcService}" with "CreateTestResourceInSubnet" using argument "{TestSubnetId}"2s
And I refer to "{result.ResourceId}" as "TestResourceId"40µs
And I call "{vpcService}" with "GetResourceExternalIpAssignment" using argument "{TestResourceId}"346ms
And I refer to "{result.HasExternalIp}" as "HasExternalIp"44µs
Then "{HasExternalIp}" is false23µs
When I call "{vpcService}" with "DeleteTestResource" using argument "{TestResourceId}"480ms
Then "{result.Deleted}" is true63µs
Feature: CCC.VPC.CN03.AR01 - Restrict VPC peering requests from non-allowlisted requesters
Scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC @vpc @tlp-amber @tlp-red @CCC.VPC.CN03 @CCC.VPC.CN03.AR01 @Destructive @MAIN @DEFAULT @CCC.VPC
Given a cloud api for "{Instance}" in "api"67µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"168µs
And I refer to "{result}" as "vpcService"27µs
And I refer to "{UID}" as "ReceiverVpcId"30µs
And I refer to "{Cn03NonAllowlistedRequesterVpcId}" as "NonAllowlistedRequesterVpcId"44µs
And I load environment variable "CN03_PEER_TRIAL_MATRIX_FILE" as "PeerTrialMatrixFile"97µs
And "{ReceiverVpcId}" is not nil48µs
When I call "{vpcService}" with "ValidateDisallowListEnforcement" using argument "{ReceiverVpcId}"418ms
And I attach "{result.Summary}" to the test output as "Disallow-list Enforcement Summary"114µs
And I attach "{result.Results}" to the test output as "Disallow-list Enforcement"113µs
Then "{result.ListDefined}" is true27µs
And "{result.TestedCount}" should be greater than "0"26µs
And "{result.AllCorrect}" is true19µs
And "{result.ViolationCount}" is "0"22µs
📎 Attachments:
Disallow-list Enforcement Summary
View Content (56 bytes)
all 2 disallow-list VPC(s) correctly denied by guardrail
Disallow-list Enforcement
View JSON (6455 bytes)
[{"AllowListDefined":true,"ConflictMessage":"","ConflictType":"","DryRunAllowed":false,"ErrorCode":"UnauthorizedOperation","ExitCode":1,"GuardrailExpectation":"deny","GuardrailMismatch":false,"Origin":"terraform-fixture","PeerOwnerId":"","PeerVpcId":"vpc-0feec083a109b3f33","Reason":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 67157c3c-3e57-4c20-9e7f-1210ea91f8af, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: QnMsCqOnoT_AZGLYFh6i0bvumYzmokHOffC8dYuuKI3gFhLI5We79Y7BjQTz1XF8lG-AmvyzirAWZwnFqlccZR1Uq3JzwkXTgQtM-dJ7VvSw_t-fAlU4S7EP8kBlzB-yqUEtpyZmRo1J30eAwjfaoMZ0r8nBGCOOpoZ8bsRyE79KcCD8pImRtYhmITugBotpkAw4g6lOsmG8dI9uQVNSPxTxV7I5rV3CZh3-XIRsvD2YbD7QXCkYTyjkCF5ceIiLokXJ1hGtH0Kcv_G3ascVwsoqauSS86itYWmKdz4yaj6bDTUsMBwshnh2iVZajDh31QpA0vMYNnzPkWLDtvyhC5aPE94cjHzfEoc--pLtDynY5TEA9m46P0s8I5G7oMFRZ_e1emLuzB26rgwWUFZdUpLqh_qyaP2MDPotmEvx-zwSNZPAFEJTvOTWk7ZK6LqZU7GNl4gXqyYU4ljEF9OfntUTaKrl-x97XvYt22KbUwCV54IWVbqrE5xLUJ7I5wnYLyLL23QoFDPctMkLaW3DheCk8ILmhYopKvkrXInWRbwtVo4VGVd60D5cyHrv6MKXu29q1rqguq9uvgfcjqU1DGoy-5KwNc46F0VRsiHa9Mczc5lITDLQg1xKGECtdXIAGoCrXp6m-VG615dD3G-sfh9uWIaK4mZ7Tn0zEncpBPP9mf1C9yhHSffdwwHKRB2Zzk1j4Jsogir675VsVJbfwRDWcuvPQrIv2VNyQiUPfFrfejL6pgv7cK1NTz2jpVgFe1v7NzvJKSqsAXPbHEHFnIYdjw1L; CN03 guardrail aligned: allow-list expects deny for requester vpc-035038ee014ffbedf","ReceiverVpcId":"vpc-0feec083a109b3f33","RequesterInAllowList":false,"RequesterVpcId":"vpc-035038ee014ffbedf","Stderr":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 67157c3c-3e57-4c20-9e7f-1210ea91f8af, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: QnMsCqOnoT_AZGLYFh6i0bvumYzmokHOffC8dYuuKI3gFhLI5We79Y7BjQTz1XF8lG-AmvyzirAWZwnFqlccZR1Uq3JzwkXTgQtM-dJ7VvSw_t-fAlU4S7EP8kBlzB-yqUEtpyZmRo1J30eAwjfaoMZ0r8nBGCOOpoZ8bsRyE79KcCD8pImRtYhmITugBotpkAw4g6lOsmG8dI9uQVNSPxTxV7I5rV3CZh3-XIRsvD2YbD7QXCkYTyjkCF5ceIiLokXJ1hGtH0Kcv_G3ascVwsoqauSS86itYWmKdz4yaj6bDTUsMBwshnh2iVZajDh31QpA0vMYNnzPkWLDtvyhC5aPE94cjHzfEoc--pLtDynY5TEA9m46P0s8I5G7oMFRZ_e1emLuzB26rgwWUFZdUpLqh_qyaP2MDPotmEvx-zwSNZPAFEJTvOTWk7ZK6LqZU7GNl4gXqyYU4ljEF9OfntUTaKrl-x97XvYt22KbUwCV54IWVbqrE5xLUJ7I5wnYLyLL23QoFDPctMkLaW3DheCk8ILmhYopKvkrXInWRbwtVo4VGVd60D5cyHrv6MKXu29q1rqguq9uvgfcjqU1DGoy-5KwNc46F0VRsiHa9Mczc5lITDLQg1xKGECtdXIAGoCrXp6m-VG615dD3G-sfh9uWIaK4mZ7Tn0zEncpBPP9mf1C9yhHSffdwwHKRB2Zzk1j4Jsogir675VsVJbfwRDWcuvPQrIv2VNyQiUPfFrfejL6pgv7cK1NTz2jpVgFe1v7NzvJKSqsAXPbHEHFnIYdjw1L"},{"AllowListDefined":true,"ConflictMessage":"","ConflictType":"","DryRunAllowed":false,"ErrorCode":"UnauthorizedOperation","ExitCode":1,"GuardrailExpectation":"deny","GuardrailMismatch":false,"Origin":"terraform-fixture","PeerOwnerId":"","PeerVpcId":"vpc-0feec083a109b3f33","Reason":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 983958ac-a553-4ffe-8d32-f5cd6afda44a, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: eU6nw_TxdrWt8S305rLLlFBUykSV3K3N4j-RKkawMGNYcd0113llIfHHsoIH5Lv99ktUSi0yIUgioPFAaY2RFcaeonVqgIGcTCbjG5two5GpJV3m-TdRPCeN5Emd6jqABMuAOGEtGdJUyca74E97PfAtP7gOGhyKzd2MuXOeMIlDZEGieyZzbSKJC0Q3JsYBqe3yaT2YFlaju6jz2fJr1WCXoaFa2Md-vOJZVsGCPFkgNpGbn0HrvICjxg_Kzizj8EYuYrCFhmrQ1m5RgV9HdxidovKpE5CY4ps0Ww2g7N0k5SAUzf0a8c56UPRVYd3oDezXXmxkK_zzf1Q5ZZCd1KQWiGR6z-lPqsuAUWmXeadK6sStISl4bPvMj3Zm2PA0QYycC0VRWPSnwdoFh5Af1pgGqsgvP0nagbIrov4IrcrN9JMxHXybK1_gvtcr2RJgPvBs2_T_hjZE1hPuPVYvsEyScroS-m5Zw3Wpmyx7kE03N3RoOoVEScOfqEsus7wYYMHNanrbGeAZkBpGKdb22K93rhSuLUe79I0ZJyjHpCeYpFswowuvRSt5jglkP4o94MrUwTUTcq8asr2QPFzQCI2h43T4V07bFVo2awmYYUcWxgzG4ibvaz2xdPoIJ9e5v6T3mzAWqzYhdQJRsJkjy7NTzOTrUJ-W-BrGY3Ri1TPMs6tlhQevwta9ZKZG3HarzWEw866izUa5ESlZ_yk-4D16N01jWT9btFfla854M4ieNh-j4cMrUoVPw_zJnQQMe52J0WORglHO5VYm6fZXq6PAVUqn; CN03 guardrail aligned: allow-list expects deny for requester vpc-057df3e61ae902317","ReceiverVpcId":"vpc-0feec083a109b3f33","RequesterInAllowList":false,"RequesterVpcId":"vpc-057df3e61ae902317","Stderr":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 983958ac-a553-4ffe-8d32-f5cd6afda44a, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: eU6nw_TxdrWt8S305rLLlFBUykSV3K3N4j-RKkawMGNYcd0113llIfHHsoIH5Lv99ktUSi0yIUgioPFAaY2RFcaeonVqgIGcTCbjG5two5GpJV3m-TdRPCeN5Emd6jqABMuAOGEtGdJUyca74E97PfAtP7gOGhyKzd2MuXOeMIlDZEGieyZzbSKJC0Q3JsYBqe3yaT2YFlaju6jz2fJr1WCXoaFa2Md-vOJZVsGCPFkgNpGbn0HrvICjxg_Kzizj8EYuYrCFhmrQ1m5RgV9HdxidovKpE5CY4ps0Ww2g7N0k5SAUzf0a8c56UPRVYd3oDezXXmxkK_zzf1Q5ZZCd1KQWiGR6z-lPqsuAUWmXeadK6sStISl4bPvMj3Zm2PA0QYycC0VRWPSnwdoFh5Af1pgGqsgvP0nagbIrov4IrcrN9JMxHXybK1_gvtcr2RJgPvBs2_T_hjZE1hPuPVYvsEyScroS-m5Zw3Wpmyx7kE03N3RoOoVEScOfqEsus7wYYMHNanrbGeAZkBpGKdb22K93rhSuLUe79I0ZJyjHpCeYpFswowuvRSt5jglkP4o94MrUwTUTcq8asr2QPFzQCI2h43T4V07bFVo2awmYYUcWxgzG4ibvaz2xdPoIJ9e5v6T3mzAWqzYhdQJRsJkjy7NTzOTrUJ-W-BrGY3Ri1TPMs6tlhQevwta9ZKZG3HarzWEw866izUa5ESlZ_yk-4D16N01jWT9btFfla854M4ieNh-j4cMrUoVPw_zJnQQMe52J0WORglHO5VYm6fZXq6PAVUqn"}]
Scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed @vpc @tlp-amber @tlp-red @CCC.VPC.CN03 @CCC.VPC.CN03.AR01 @Destructive @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"43µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"116µs
And I refer to "{result}" as "vpcService"16µs
And I refer to "{UID}" as "ReceiverVpcId"13µs
And I refer to "{Cn03NonAllowlistedRequesterVpcId}" as "NonAllowlistedRequesterVpcId"15µs
And I load environment variable "CN03_PEER_TRIAL_MATRIX_FILE" as "PeerTrialMatrixFile"17µs
And "{ReceiverVpcId}" is not nil14µs
Given "{NonAllowlistedRequesterVpcId}" is not nil17µs
When I call "{vpcService}" with "EvaluatePeerAgainstAllowList" using argument "{NonAllowlistedRequesterVpcId}"86µs
Then "{result.AllowedListDefined}" is true23µs
And "{result.Allowed}" is false18µs
When I call "{vpcService}" with "AttemptVpcPeeringDryRun" using arguments "{NonAllowlistedRequesterVpcId}" and "{ReceiverVpcId}"353ms
Then "{result.DryRunAllowed}" is false45µs
And "{result.AllowListDefined}" is true27µs
And "{result.RequesterInAllowList}" is false34µs
And "{result.GuardrailExpectation}" is "deny"38µs
And "{result.GuardrailMismatch}" is false26µs
And "{result.ExitCode}" should be greater than "0"31µs
And "{result.Reason}" contains "guardrail aligned"32µs
And "{result.ConflictType}" is ""22µs
Feature: CCC.VPC.CN04.AR01 - Flow logs must capture all VPC traffic
Scenario: Main check (config): flow logs are active and capture all traffic @vpc @tlp-amber @tlp-red @CCC.VPC.CN04 @CCC.VPC.CN04.AR01 @Policy @MAIN @DEFAULT @CCC.VPC
Given a cloud api for "{Instance}" in "api"41µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"125µs
And I refer to "{result}" as "vpcService"26µs
Given I refer to "{UID}" as "TargetVpcId"14µs
When I call "{vpcService}" with "EvaluateVpcFlowLogsControl" using argument "{TargetVpcId}"258ms
Then "{result.FlowLogCount}" should be greater than "0"114µs
And "{result.NonCompliantCount}" is "0"55µs
Scenario: Behavioral check (active): traffic produces flow log records @vpc @tlp-amber @tlp-red @CCC.VPC.CN04 @CCC.VPC.CN04.AR01 @Behavioural @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"46µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"125µs
And I refer to "{result}" as "vpcService"29µs
Given I refer to "{UID}" as "TargetVpcId"22µs
When I call "{vpcService}" with "PrepareFlowLogDeliveryObservation" using argument "{TargetVpcId}"254ms
And I call "{vpcService}" with "GenerateTestTraffic" using argument "{TargetVpcId}"18s
And I refer to "{result.ResourceId}" as "TestResourceId"42µs
And I refer to "{result.CleanupDeleted}" as "TrafficCleanupDeleted"38µs
And I call "{vpcService}" with "ObserveRecentFlowLogDelivery" using argument "{TargetVpcId}"91ms
And I refer to "{result.RecordsObserved}" as "RecordsObserved"234µs
And I call "{vpcService}" with "DeleteTestResource" using argument "{TestResourceId}"446ms
Then "{result.Deleted}" is true55µs
And "{TrafficCleanupDeleted}" is true23µs
And "{RecordsObserved}" is true19µs