🥒 CCC.VPC Test: cfi-1775706869-vpc

Test Parameters

ServiceTypevpc
ProviderServiceTypeec2:vpc
CatalogTypesCCC.VPC
TagFilter@MAIN, @CCC.VPC
UIDvpc-071bf2e1e2416f266
ResourceNamecfi-1775706869-vpc
Instance
{
  "ID": "main-aws",
  "Properties": {
    "Provider": "aws",
    "Region": "us-east-1",
    "AzureResourceGroup": "",
    "AzureSubscriptionID": "",
    "GcpProjectId": ""
  },
  "Services": [
    {
      "Type": "object-storage",
      "Properties": {
        "object-storage-retention-period-days": 2
      }
    },
    {
      "Type": "logging",
      "Properties": {
        "aws-cloud-trail-log-group-name": "cfi-test-log-group"
      }
    },
    {
      "Type": "vpc",
      "Properties": {
        "cn03-allowed-requester-vpc-ids": [
          "vpc-01f543721b8193a2c,vpc-0bbce9271c5d23986"
        ],
        "cn03-disallowed-requester-vpc-ids": [
          "vpc-02ff4e20289c915b9,vpc-0d617b955f0a44661"
        ],
        "cn03-receiver-vpc-id": "vpc-071bf2e1e2416f266"
      }
    }
  ],
  "Rules": {
    "permitted-account-ids": "",
    "permitted-regions": [
      "us-east-1"
    ]
  }
}
AwsCloudTrailLogGroupNamecfi-test-log-group
Cn03AllowedRequesterVpcIds
[
  "vpc-01f543721b8193a2c,vpc-0bbce9271c5d23986"
]
Cn03DisallowedRequesterVpcIds
[
  "vpc-02ff4e20289c915b9,vpc-0d617b955f0a44661"
]
Cn03ReceiverVpcIdvpc-071bf2e1e2416f266
ObjectStorageRetentionPeriodDays2
PermittedRegions
[
  "us-east-1"
]
Provideraws
Regionus-east-1

Summary

Generated: 2026-04-09 04:03:57

Total Run Time: 20s

Features: 4

Scenarios: 7 (✅ 7 | ❌ 0)

Steps: 80 (✅ 80 | ❌ 0 | ⏭️ 0 | ❓ 0)

Feature: CCC.VPC.CN01.AR01 - Subscription must not contain default network resources
Scenario: Main check: no default VPC exists @vpc @tlp-amber @tlp-red @CCC.VPC.CN01 @CCC.VPC.CN01.AR01 @Policy @MAIN @CCC.VPC @DEFAULT
Given a cloud api for "{Instance}" in "api"43µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"120µs
And I refer to "{result}" as "vpcService"12µs
When I call "{vpcService}" with "CountDefaultVpcs"360ms
Then "{result}" is "0"28µs
Feature: CCC.VPC.CN02.AR01 - No external IP by default in public subnets
Scenario: Main check (config): public subnets do not auto-assign external IPs @vpc @tlp-red @CCC.VPC.CN02 @CCC.VPC.CN02.AR01 @Policy @MAIN @CCC.VPC @DEFAULT
Given a cloud api for "{Instance}" in "api"44µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"145µs
And I refer to "{result}" as "vpcService"16µs
Given I refer to "{UID}" as "TargetVpcId"14µs
When I call "{vpcService}" with "EvaluatePublicSubnetDefaultIPControl" using argument "{TargetVpcId}"690ms
Then "{result.ViolatingSubnetCount}" is "0"44µs
And "{result.Reason}" contains "disable default public IP"31µs
Scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP @vpc @tlp-red @CCC.VPC.CN02 @CCC.VPC.CN02.AR01 @Behavioural @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"44µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"138µs
And I refer to "{result}" as "vpcService"16µs
Given I refer to "{UID}" as "TargetVpcId"17µs
When I call "{vpcService}" with "SelectPublicSubnetForTest" using argument "{TargetVpcId}"602ms
And I refer to "{result.SubnetId}" as "TestSubnetId"58µs
And I call "{vpcService}" with "CreateTestResourceInSubnet" using argument "{TestSubnetId}"2s
And I refer to "{result.ResourceId}" as "TestResourceId"40µs
And I call "{vpcService}" with "GetResourceExternalIpAssignment" using argument "{TestResourceId}"437ms
And I refer to "{result.HasExternalIp}" as "HasExternalIp"58µs
Then "{HasExternalIp}" is false22µs
When I call "{vpcService}" with "DeleteTestResource" using argument "{TestResourceId}"532ms
Then "{result.Deleted}" is true44µs
Feature: CCC.VPC.CN03.AR01 - Restrict VPC peering requests from non-allowlisted requesters
Scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC @vpc @tlp-amber @tlp-red @CCC.VPC.CN03 @CCC.VPC.CN03.AR01 @Destructive @MAIN @DEFAULT @CCC.VPC
Given a cloud api for "{Instance}" in "api"45µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"139µs
And I refer to "{result}" as "vpcService"16µs
And I load environment variable "CN03_RECEIVER_VPC_ID" as "ReceiverVpcId"18µs
And I load environment variable "CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID" as "NonAllowlistedRequesterVpcId"167µs
And I load environment variable "CN03_PEER_TRIAL_MATRIX_FILE" as "PeerTrialMatrixFile"185µs
And "{ReceiverVpcId}" is not nil44µs
When I call "{vpcService}" with "ValidateDisallowListEnforcement" using argument "{ReceiverVpcId}"525ms
And I attach "{result.Summary}" to the test output as "Disallow-list Enforcement Summary"70µs
And I attach "{result.Results}" to the test output as "Disallow-list Enforcement"155µs
Then "{result.ListDefined}" is true34µs
And "{result.TestedCount}" should be greater than "0"33µs
And "{result.AllCorrect}" is true23µs
And "{result.ViolationCount}" is "0"26µs
📎 Attachments:
Disallow-list Enforcement Summary
View Content (56 bytes)
all 2 disallow-list VPC(s) correctly denied by guardrail
Disallow-list Enforcement
View JSON (6449 bytes)
[{"AllowListDefined":true,"ConflictMessage":"","ConflictType":"","DryRunAllowed":false,"ErrorCode":"UnauthorizedOperation","ExitCode":1,"GuardrailExpectation":"deny","GuardrailMismatch":false,"Origin":"terraform-fixture","PeerOwnerId":"","PeerVpcId":"vpc-071bf2e1e2416f266","Reason":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: a07b7684-f022-4496-bf02-4185f039187a, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: hifJw9VCbu6r4u8WfbnlDtCWgde0rRSV_lhXi5I5zMKrrFqUXOg4MgfWbMpeg5boRt6ngR009XXjVFAA210t_O2liLuK0H2v5A_v2AqKftFl1jHDkGxYDC6VmJp9_OLER-PmZggQHNhztJ0EkbFjTiA9JgfFpvuBFYnUlYe8xmm3PmPXiuyT_Ooh2B1Q_2fVXImroGOFWwvywXLLMCIxJhdsMkE0IP_SoCmEz9UqwTPDB6uHORy4Ol5EilB6m9fICJfxEWT0vSd_EMLyN9ixPsHMVBkZ8o4QkfrZQHeKOUWihqDjc_gYKs7YIuYxtilfw7pxSys7AwQRfDn0L45cIxLaBmX_DT9Bddm7wip5ERFZ-mdI52an0B1bvQRJN-AuAO8IVaNasNcsG_vjBGa-eRjVfD9YVBLpZr3moWFJEqmkUYLbalBq3yWr5wqRk_jeXm28Ve-LZ-l59wNq387GQLTs5rN7m7JQM9F9nxO_4oCF3pvddgsJT0cgA7AtS1oO9kVkQoJSXvl-Os6oIeVf0Ql5thxdKhvm0oIoCQ0rgh_g9Nh2CTsEVYJZxw2lfaTT_0GabPpELp7BDzzLyXHZpFKvwVA2j09E4YMgevCRZdoNApxylF-5XVDMWI0JDl7EyKkWy9LPsiu7PIWxiVRaE4ywKK-vszdwuOKRM17PDs0SsBrvybye5JNj0ebMzsgGNvclMKWf71r_GM2K3kGlzUPrCUINjpRZH_wKc90mJdMWDwnSe_wdCiQP-dXm3XDyjHEwWUFAO442HbwVcvONyx0HxA; CN03 guardrail aligned: allow-list expects deny for requester vpc-02ff4e20289c915b9","ReceiverVpcId":"vpc-071bf2e1e2416f266","RequesterInAllowList":false,"RequesterVpcId":"vpc-02ff4e20289c915b9","Stderr":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: a07b7684-f022-4496-bf02-4185f039187a, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: hifJw9VCbu6r4u8WfbnlDtCWgde0rRSV_lhXi5I5zMKrrFqUXOg4MgfWbMpeg5boRt6ngR009XXjVFAA210t_O2liLuK0H2v5A_v2AqKftFl1jHDkGxYDC6VmJp9_OLER-PmZggQHNhztJ0EkbFjTiA9JgfFpvuBFYnUlYe8xmm3PmPXiuyT_Ooh2B1Q_2fVXImroGOFWwvywXLLMCIxJhdsMkE0IP_SoCmEz9UqwTPDB6uHORy4Ol5EilB6m9fICJfxEWT0vSd_EMLyN9ixPsHMVBkZ8o4QkfrZQHeKOUWihqDjc_gYKs7YIuYxtilfw7pxSys7AwQRfDn0L45cIxLaBmX_DT9Bddm7wip5ERFZ-mdI52an0B1bvQRJN-AuAO8IVaNasNcsG_vjBGa-eRjVfD9YVBLpZr3moWFJEqmkUYLbalBq3yWr5wqRk_jeXm28Ve-LZ-l59wNq387GQLTs5rN7m7JQM9F9nxO_4oCF3pvddgsJT0cgA7AtS1oO9kVkQoJSXvl-Os6oIeVf0Ql5thxdKhvm0oIoCQ0rgh_g9Nh2CTsEVYJZxw2lfaTT_0GabPpELp7BDzzLyXHZpFKvwVA2j09E4YMgevCRZdoNApxylF-5XVDMWI0JDl7EyKkWy9LPsiu7PIWxiVRaE4ywKK-vszdwuOKRM17PDs0SsBrvybye5JNj0ebMzsgGNvclMKWf71r_GM2K3kGlzUPrCUINjpRZH_wKc90mJdMWDwnSe_wdCiQP-dXm3XDyjHEwWUFAO442HbwVcvONyx0HxA"},{"AllowListDefined":true,"ConflictMessage":"","ConflictType":"","DryRunAllowed":false,"ErrorCode":"UnauthorizedOperation","ExitCode":1,"GuardrailExpectation":"deny","GuardrailMismatch":false,"Origin":"terraform-fixture","PeerOwnerId":"","PeerVpcId":"vpc-071bf2e1e2416f266","Reason":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 60800996-72c9-455c-bd7f-758059899375, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: UbKRxkyJfHK99VPru3Mpt8zUK_YE-4Fn97BqIzAupBytUO7PFhmxp7xejsLUjISGaWUIUKOp6LLp8h4kUtV1XDfxtIerv0955s93eXdvk2iMu1hIGiRVO8gfU0-SoPMsSWk9Rn4xI_rpmPttiMdty0cAyar32Qe9gPOtNeyHM16kg8zY82P1iEP1iFXLSzD-jZlW9WgooetKlWcXjbhbX6neF9s2jn--tZHNCo-5m-2_XA6VPqoAsdSECqZRRprwXIscXUZfPZfbfECYGian5pp-hoZliow2kzcwf830xRZ12UtOdQP0tat4XCX3J9GL6TRvFXL-DHpkO6fF_AtZsq_-Jpk1T96_1VpDS_Je_1VTlnN3STm1tcpQMPQXQba-77pvPgIjexJBV0m6H3OpJbcQevXYB9Pl5iQ7t9R_rWBGZJrndGhKtiOgbCD5lIMaFk527gLehrN4bLq06FqBcG3vTf-e3UGiIiQ-X-HoIQtc71aNnWzsydy1jf2dAfdw2CvId5phIYH22OmGWLepVw7pUhieWXCl61ZSIC86OWY83yYSEzi1EpiaVGBmAwiWnDXGJcRKa_IoQvAQVcZdzcxt3EwnPK5Bpi-WM26HyNtXjoaR4nDV9I9863_sSehwoP2sDmrZ-3Cz93sdb63w4OJXlBw17x1dEjzdssyi58beOiZgryT9caIP4-683-eop4ZNND8_KlBYTKR0ZPgtu6tMpqhdabKB3Ll1_8MmsfGbn-h_WOTBuAN4e7SkdnsREN_Otf38GFZqMNAyyo_ACYvW8_0; CN03 guardrail aligned: allow-list expects deny for requester vpc-0d617b955f0a44661","ReceiverVpcId":"vpc-071bf2e1e2416f266","RequesterInAllowList":false,"RequesterVpcId":"vpc-0d617b955f0a44661","Stderr":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 60800996-72c9-455c-bd7f-758059899375, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: UbKRxkyJfHK99VPru3Mpt8zUK_YE-4Fn97BqIzAupBytUO7PFhmxp7xejsLUjISGaWUIUKOp6LLp8h4kUtV1XDfxtIerv0955s93eXdvk2iMu1hIGiRVO8gfU0-SoPMsSWk9Rn4xI_rpmPttiMdty0cAyar32Qe9gPOtNeyHM16kg8zY82P1iEP1iFXLSzD-jZlW9WgooetKlWcXjbhbX6neF9s2jn--tZHNCo-5m-2_XA6VPqoAsdSECqZRRprwXIscXUZfPZfbfECYGian5pp-hoZliow2kzcwf830xRZ12UtOdQP0tat4XCX3J9GL6TRvFXL-DHpkO6fF_AtZsq_-Jpk1T96_1VpDS_Je_1VTlnN3STm1tcpQMPQXQba-77pvPgIjexJBV0m6H3OpJbcQevXYB9Pl5iQ7t9R_rWBGZJrndGhKtiOgbCD5lIMaFk527gLehrN4bLq06FqBcG3vTf-e3UGiIiQ-X-HoIQtc71aNnWzsydy1jf2dAfdw2CvId5phIYH22OmGWLepVw7pUhieWXCl61ZSIC86OWY83yYSEzi1EpiaVGBmAwiWnDXGJcRKa_IoQvAQVcZdzcxt3EwnPK5Bpi-WM26HyNtXjoaR4nDV9I9863_sSehwoP2sDmrZ-3Cz93sdb63w4OJXlBw17x1dEjzdssyi58beOiZgryT9caIP4-683-eop4ZNND8_KlBYTKR0ZPgtu6tMpqhdabKB3Ll1_8MmsfGbn-h_WOTBuAN4e7SkdnsREN_Otf38GFZqMNAyyo_ACYvW8_0"}]
Scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed @vpc @tlp-amber @tlp-red @CCC.VPC.CN03 @CCC.VPC.CN03.AR01 @Destructive @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"42µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"124µs
And I refer to "{result}" as "vpcService"18µs
And I load environment variable "CN03_RECEIVER_VPC_ID" as "ReceiverVpcId"21µs
And I load environment variable "CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID" as "NonAllowlistedRequesterVpcId"30µs
And I load environment variable "CN03_PEER_TRIAL_MATRIX_FILE" as "PeerTrialMatrixFile"20µs
And "{ReceiverVpcId}" is not nil18µs
Given "{NonAllowlistedRequesterVpcId}" is not nil35µs
When I call "{vpcService}" with "EvaluatePeerAgainstAllowList" using argument "{NonAllowlistedRequesterVpcId}"99µs
Then "{result.AllowedListDefined}" is true25µs
And "{result.Allowed}" is false21µs
When I call "{vpcService}" with "AttemptVpcPeeringDryRun" using arguments "{NonAllowlistedRequesterVpcId}" and "{ReceiverVpcId}"363ms
Then "{result.DryRunAllowed}" is false46µs
And "{result.AllowListDefined}" is true28µs
And "{result.RequesterInAllowList}" is false30µs
And "{result.GuardrailExpectation}" is "deny"26µs
And "{result.GuardrailMismatch}" is false21µs
And "{result.ExitCode}" should be greater than "0"26µs
And "{result.Reason}" contains "guardrail aligned"25µs
And "{result.ConflictType}" is ""23µs
Feature: CCC.VPC.CN04.AR01 - Flow logs must capture all VPC traffic
Scenario: Main check (config): flow logs are active and capture all traffic @vpc @tlp-amber @tlp-red @CCC.VPC.CN04 @CCC.VPC.CN04.AR01 @Policy @MAIN @DEFAULT @CCC.VPC
Given a cloud api for "{Instance}" in "api"39µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"119µs
And I refer to "{result}" as "vpcService"13µs
Given I refer to "{UID}" as "TargetVpcId"167µs
When I call "{vpcService}" with "EvaluateVpcFlowLogsControl" using argument "{TargetVpcId}"334ms
Then "{result.FlowLogCount}" should be greater than "0"72µs
And "{result.NonCompliantCount}" is "0"29µs
Scenario: Behavioral check (active): traffic produces flow log records @vpc @tlp-amber @tlp-red @CCC.VPC.CN04 @CCC.VPC.CN04.AR01 @Behavioural @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"47µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"137µs
And I refer to "{result}" as "vpcService"17µs
Given I refer to "{UID}" as "TargetVpcId"27µs
When I call "{vpcService}" with "PrepareFlowLogDeliveryObservation" using argument "{TargetVpcId}"340ms
And I call "{vpcService}" with "GenerateTestTraffic" using argument "{TargetVpcId}"14s
And I refer to "{result.ResourceId}" as "TestResourceId"48µs
And I refer to "{result.CleanupDeleted}" as "TrafficCleanupDeleted"36µs
And I call "{vpcService}" with "ObserveRecentFlowLogDelivery" using argument "{TargetVpcId}"112ms
And I refer to "{result.RecordsObserved}" as "RecordsObserved"43µs
And I call "{vpcService}" with "DeleteTestResource" using argument "{TestResourceId}"444ms
Then "{result.Deleted}" is true43µs
And "{TrafficCleanupDeleted}" is true23µs
And "{RecordsObserved}" is true25µs