🥒 CCC.VPC Test: cfi-1775706869-vpc-cn03-disallowed-requester-01

Test Parameters

ServiceTypevpc
ProviderServiceTypeec2:vpc
CatalogTypesCCC.VPC
TagFilter@MAIN, @CCC.VPC
UIDvpc-02ff4e20289c915b9
ResourceNamecfi-1775706869-vpc-cn03-disallowed-requester-01
Instance
{
  "ID": "main-aws",
  "Properties": {
    "Provider": "aws",
    "Region": "us-east-1",
    "AzureResourceGroup": "",
    "AzureSubscriptionID": "",
    "GcpProjectId": ""
  },
  "Services": [
    {
      "Type": "object-storage",
      "Properties": {
        "object-storage-retention-period-days": 2
      }
    },
    {
      "Type": "logging",
      "Properties": {
        "aws-cloud-trail-log-group-name": "cfi-test-log-group"
      }
    },
    {
      "Type": "vpc",
      "Properties": {
        "cn03-allowed-requester-vpc-ids": [
          "vpc-01f543721b8193a2c,vpc-0bbce9271c5d23986"
        ],
        "cn03-disallowed-requester-vpc-ids": [
          "vpc-02ff4e20289c915b9,vpc-0d617b955f0a44661"
        ],
        "cn03-receiver-vpc-id": "vpc-071bf2e1e2416f266"
      }
    }
  ],
  "Rules": {
    "permitted-account-ids": "",
    "permitted-regions": [
      "us-east-1"
    ]
  }
}
AwsCloudTrailLogGroupNamecfi-test-log-group
Cn03AllowedRequesterVpcIds
[
  "vpc-01f543721b8193a2c,vpc-0bbce9271c5d23986"
]
Cn03DisallowedRequesterVpcIds
[
  "vpc-02ff4e20289c915b9,vpc-0d617b955f0a44661"
]
Cn03ReceiverVpcIdvpc-071bf2e1e2416f266
ObjectStorageRetentionPeriodDays2
PermittedRegions
[
  "us-east-1"
]
Provideraws
Regionus-east-1

Summary

Generated: 2026-04-09 04:03:54

Total Run Time: 3s

Features: 4

Scenarios: 7 (✅ 3 | ❌ 4)

Steps: 80 (✅ 73 | ❌ 4 | ⏭️ 3 | ❓ 0)

Feature: CCC.VPC.CN01.AR01 - Subscription must not contain default network resources
Scenario: Main check: no default VPC exists @vpc @tlp-amber @tlp-red @CCC.VPC.CN01 @CCC.VPC.CN01.AR01 @Policy @MAIN @CCC.VPC @DEFAULT
Given a cloud api for "{Instance}" in "api"42µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"173µs
And I refer to "{result}" as "vpcService"14µs
When I call "{vpcService}" with "CountDefaultVpcs"364ms
Then "{result}" is "0"38µs
Feature: CCC.VPC.CN02.AR01 - No external IP by default in public subnets
Scenario: Main check (config): public subnets do not auto-assign external IPs @vpc @tlp-red @CCC.VPC.CN02 @CCC.VPC.CN02.AR01 @Policy @MAIN @CCC.VPC @DEFAULT
Given a cloud api for "{Instance}" in "api"42µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"150µs
And I refer to "{result}" as "vpcService"26µs
Given I refer to "{UID}" as "TargetVpcId"41µs
When I call "{vpcService}" with "EvaluatePublicSubnetDefaultIPControl" using argument "{TargetVpcId}"358ms
Then "{result.ViolatingSubnetCount}" is "0"245µs
And "{result.Reason}" contains "disable default public IP"81µs
expected {result.Reason} to contain 'disable default public IP', but got 'no public subnets found for in-scope VPC'
Scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP @vpc @tlp-red @CCC.VPC.CN02 @CCC.VPC.CN02.AR01 @Behavioural @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"34µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"128µs
And I refer to "{result}" as "vpcService"25µs
Given I refer to "{UID}" as "TargetVpcId"38µs
When I call "{vpcService}" with "SelectPublicSubnetForTest" using argument "{TargetVpcId}"335ms
And I refer to "{result.SubnetId}" as "TestSubnetId"46µs
And I call "{vpcService}" with "CreateTestResourceInSubnet" using argument "{TestSubnetId}"31µs
And I refer to "{result.ResourceId}" as "TestResourceId"21µs
And I call "{vpcService}" with "GetResourceExternalIpAssignment" using argument "{TestResourceId}"22µs
And I refer to "{result.HasExternalIp}" as "HasExternalIp"19µs
Then "{HasExternalIp}" is false19µs
When I call "{vpcService}" with "DeleteTestResource" using argument "{TestResourceId}"22µs
Then "{result.Deleted}" is true23µs
expected {result.Deleted} to be truthy, got (type: )
Feature: CCC.VPC.CN03.AR01 - Restrict VPC peering requests from non-allowlisted requesters
Scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC @vpc @tlp-amber @tlp-red @CCC.VPC.CN03 @CCC.VPC.CN03.AR01 @Destructive @MAIN @DEFAULT @CCC.VPC
Given a cloud api for "{Instance}" in "api"43µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"149µs
And I refer to "{result}" as "vpcService"17µs
And I load environment variable "CN03_RECEIVER_VPC_ID" as "ReceiverVpcId"19µs
And I load environment variable "CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID" as "NonAllowlistedRequesterVpcId"20µs
And I load environment variable "CN03_PEER_TRIAL_MATRIX_FILE" as "PeerTrialMatrixFile"18µs
And "{ReceiverVpcId}" is not nil15µs
When I call "{vpcService}" with "ValidateDisallowListEnforcement" using argument "{ReceiverVpcId}"519ms
And I attach "{result.Summary}" to the test output as "Disallow-list Enforcement Summary"62µs
And I attach "{result.Results}" to the test output as "Disallow-list Enforcement"335µs
Then "{result.ListDefined}" is true1ms
And "{result.TestedCount}" should be greater than "0"176µs
And "{result.AllCorrect}" is true27µs
And "{result.ViolationCount}" is "0"43µs
📎 Attachments:
Disallow-list Enforcement Summary
View Content (56 bytes)
all 2 disallow-list VPC(s) correctly denied by guardrail
Disallow-list Enforcement
View JSON (6451 bytes)
[{"AllowListDefined":true,"ConflictMessage":"","ConflictType":"","DryRunAllowed":false,"ErrorCode":"UnauthorizedOperation","ExitCode":1,"GuardrailExpectation":"deny","GuardrailMismatch":false,"Origin":"terraform-fixture","PeerOwnerId":"","PeerVpcId":"vpc-071bf2e1e2416f266","Reason":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 03a68dee-513a-46e1-b10c-460ae9325a76, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: hj9CF60zts2C3bYh37kjpObVDb5VtKJ32cP19Z9rt4Sok7zPrvZfJW-qEGv3emVeF2ykAcWCcq_xKSdLftbjIfg3laQnqCWUmVEKC-amK26WNNguP2wOgKFkxG97G9ecPswPxKgnxw9XOH8AdH0L9GF3Wl1X5ol0RL6_ijrOAupYdV3E8uGl0wbaPjzxys1COfyYrrmt6xaH8htTozA75Htk89YLrJ4wakBhbIkQiPtJ-kbamWtXZhC9AJEOsq1bVbCuNBv5MfGlwKl-eJ7aAK7aJOezk2PnH8NMiOfHbdhe6wf50J75aWcWYhbnh-I2vgdmX5fFPn3UP-a1UrCilGunP921vrNjEwK24I7BNYh-XeQUjPCNb1eB_mCEyDhXd7uX-HRnMlee4yKhWRQWtsnv5TC83V7SMZWy2SizcHfzFvwY_Mhoq3gra6jlxE044Be8s0PUEGT7SC4VdpjsbEV9JSGffdbmdLTWKYlXc9ax2Kst4lRnDSdcdlsS9FWG945Y53tWN5AEnJlgFgZhkQO1Fa_spd7OSxFMP6a6RSNobGL7lB8nRyQPXcXGChBxbejTXxxZ88Vz4xsaShhCM_CH4JTKBKPwTz0Rdw_XUFjMi6QfKSo98kt3nypMLHwrlpcUBpLYo91ylxHF_9ulnJlwBi0ieUUDzV8IFdGH6uZYj2szDheB5szC4tIGZQJxWb7uBRvgOIJg27mr9YNgg_6QL2N7ilFk_-X7jWBza6tQYk2JHyupOA01GuOV5_tjXHcMTHm-P8pnVDFRINXm8AS-AA; CN03 guardrail aligned: allow-list expects deny for requester vpc-02ff4e20289c915b9","ReceiverVpcId":"vpc-071bf2e1e2416f266","RequesterInAllowList":false,"RequesterVpcId":"vpc-02ff4e20289c915b9","Stderr":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 03a68dee-513a-46e1-b10c-460ae9325a76, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: hj9CF60zts2C3bYh37kjpObVDb5VtKJ32cP19Z9rt4Sok7zPrvZfJW-qEGv3emVeF2ykAcWCcq_xKSdLftbjIfg3laQnqCWUmVEKC-amK26WNNguP2wOgKFkxG97G9ecPswPxKgnxw9XOH8AdH0L9GF3Wl1X5ol0RL6_ijrOAupYdV3E8uGl0wbaPjzxys1COfyYrrmt6xaH8htTozA75Htk89YLrJ4wakBhbIkQiPtJ-kbamWtXZhC9AJEOsq1bVbCuNBv5MfGlwKl-eJ7aAK7aJOezk2PnH8NMiOfHbdhe6wf50J75aWcWYhbnh-I2vgdmX5fFPn3UP-a1UrCilGunP921vrNjEwK24I7BNYh-XeQUjPCNb1eB_mCEyDhXd7uX-HRnMlee4yKhWRQWtsnv5TC83V7SMZWy2SizcHfzFvwY_Mhoq3gra6jlxE044Be8s0PUEGT7SC4VdpjsbEV9JSGffdbmdLTWKYlXc9ax2Kst4lRnDSdcdlsS9FWG945Y53tWN5AEnJlgFgZhkQO1Fa_spd7OSxFMP6a6RSNobGL7lB8nRyQPXcXGChBxbejTXxxZ88Vz4xsaShhCM_CH4JTKBKPwTz0Rdw_XUFjMi6QfKSo98kt3nypMLHwrlpcUBpLYo91ylxHF_9ulnJlwBi0ieUUDzV8IFdGH6uZYj2szDheB5szC4tIGZQJxWb7uBRvgOIJg27mr9YNgg_6QL2N7ilFk_-X7jWBza6tQYk2JHyupOA01GuOV5_tjXHcMTHm-P8pnVDFRINXm8AS-AA"},{"AllowListDefined":true,"ConflictMessage":"","ConflictType":"","DryRunAllowed":false,"ErrorCode":"UnauthorizedOperation","ExitCode":1,"GuardrailExpectation":"deny","GuardrailMismatch":false,"Origin":"terraform-fixture","PeerOwnerId":"","PeerVpcId":"vpc-071bf2e1e2416f266","Reason":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 0bdb6c63-6ba0-4380-9008-d56f0b3d1817, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: bQyD5AFdb5n9B6tKHHR7Tg5aSFGdoKaB5mJ2C3lVnllQ7rtTdtxKstbEsxZ3AB5ztxK0FEr7S-3mS3Q0NQwgC1820ZlA1phCOnHE9Yn_aQnvbnjM9hDs9oTj8YefWfh_h154NX4GDj1QtNVnlkbrLOm_o6w58hsTKz7i6Bd5-ebr8Cbjvxxp9ulavhUE5EO1CfxywKCXkk14SrEw2KbBQ-UK_Kfzlnm12SfDVebDQsyBTvTRArjbturYqEVmSgTT6JWfmB73MiCt45hUf_SjGDCsjtETDeVIoH0KgTL-nhGv1Wiqx6aIx1U-EUiCK0Ge162iSwaBIdKOyqBzjiasY61wU0gef2ykMc089dUAoWH7aFfp6OWb-7zjO5shyXg1ykGdl_uL0Sbx3uxTphl0x3DkpoSdDpCHwp4GjNMKrafYMml4sPiz6oCYwMKZvx_8Maa8CcqLOxp7ZJhOMwAhbjeq9aeqNze7TPg9ZA8DS4-5E4tDaPU6pRpKdrhhK6ktlNdQIO2c1F8eAGWTv719vrJSzz0MGuBaQByfmszX6HKVtHeUZHHqCyleco2X4-iQLACh467ccb8_ZjoiIE9Yg_DVMMATzJlb9W7YyXB5_I3fLwodXtkwuvf4wQsa2XuRU74aYB3E-1fpglvDbn2f93HUCEqP-OXRTzJ9BfFgVp8i-JboXw83oSpbDPRpK1j-6mUSEHodtxul3wFr_qJz8PGiG0eAh08tKMuVNKbYIEdjX16nLdVOgCY1B229c0JmGIH1pFXfHoqcOzzHafJn8yYgnTXY; CN03 guardrail aligned: allow-list expects deny for requester vpc-0d617b955f0a44661","ReceiverVpcId":"vpc-071bf2e1e2416f266","RequesterInAllowList":false,"RequesterVpcId":"vpc-0d617b955f0a44661","Stderr":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 0bdb6c63-6ba0-4380-9008-d56f0b3d1817, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: bQyD5AFdb5n9B6tKHHR7Tg5aSFGdoKaB5mJ2C3lVnllQ7rtTdtxKstbEsxZ3AB5ztxK0FEr7S-3mS3Q0NQwgC1820ZlA1phCOnHE9Yn_aQnvbnjM9hDs9oTj8YefWfh_h154NX4GDj1QtNVnlkbrLOm_o6w58hsTKz7i6Bd5-ebr8Cbjvxxp9ulavhUE5EO1CfxywKCXkk14SrEw2KbBQ-UK_Kfzlnm12SfDVebDQsyBTvTRArjbturYqEVmSgTT6JWfmB73MiCt45hUf_SjGDCsjtETDeVIoH0KgTL-nhGv1Wiqx6aIx1U-EUiCK0Ge162iSwaBIdKOyqBzjiasY61wU0gef2ykMc089dUAoWH7aFfp6OWb-7zjO5shyXg1ykGdl_uL0Sbx3uxTphl0x3DkpoSdDpCHwp4GjNMKrafYMml4sPiz6oCYwMKZvx_8Maa8CcqLOxp7ZJhOMwAhbjeq9aeqNze7TPg9ZA8DS4-5E4tDaPU6pRpKdrhhK6ktlNdQIO2c1F8eAGWTv719vrJSzz0MGuBaQByfmszX6HKVtHeUZHHqCyleco2X4-iQLACh467ccb8_ZjoiIE9Yg_DVMMATzJlb9W7YyXB5_I3fLwodXtkwuvf4wQsa2XuRU74aYB3E-1fpglvDbn2f93HUCEqP-OXRTzJ9BfFgVp8i-JboXw83oSpbDPRpK1j-6mUSEHodtxul3wFr_qJz8PGiG0eAh08tKMuVNKbYIEdjX16nLdVOgCY1B229c0JmGIH1pFXfHoqcOzzHafJn8yYgnTXY"}]
Scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed @vpc @tlp-amber @tlp-red @CCC.VPC.CN03 @CCC.VPC.CN03.AR01 @Destructive @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"29µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"136µs
And I refer to "{result}" as "vpcService"24µs
And I load environment variable "CN03_RECEIVER_VPC_ID" as "ReceiverVpcId"30µs
And I load environment variable "CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID" as "NonAllowlistedRequesterVpcId"19µs
And I load environment variable "CN03_PEER_TRIAL_MATRIX_FILE" as "PeerTrialMatrixFile"15µs
And "{ReceiverVpcId}" is not nil15µs
Given "{NonAllowlistedRequesterVpcId}" is not nil18µs
When I call "{vpcService}" with "EvaluatePeerAgainstAllowList" using argument "{NonAllowlistedRequesterVpcId}"89µs
Then "{result.AllowedListDefined}" is true22µs
And "{result.Allowed}" is false19µs
When I call "{vpcService}" with "AttemptVpcPeeringDryRun" using arguments "{NonAllowlistedRequesterVpcId}" and "{ReceiverVpcId}"332ms
Then "{result.DryRunAllowed}" is false42µs
And "{result.AllowListDefined}" is true22µs
And "{result.RequesterInAllowList}" is false23µs
And "{result.GuardrailExpectation}" is "deny"32µs
And "{result.GuardrailMismatch}" is false23µs
And "{result.ExitCode}" should be greater than "0"25µs
And "{result.Reason}" contains "guardrail aligned"24µs
And "{result.ConflictType}" is ""20µs
Feature: CCC.VPC.CN04.AR01 - Flow logs must capture all VPC traffic
Scenario: Main check (config): flow logs are active and capture all traffic @vpc @tlp-amber @tlp-red @CCC.VPC.CN04 @CCC.VPC.CN04.AR01 @Policy @MAIN @DEFAULT @CCC.VPC
Given a cloud api for "{Instance}" in "api"36µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"126µs
And I refer to "{result}" as "vpcService"25µs
Given I refer to "{UID}" as "TargetVpcId"18µs
When I call "{vpcService}" with "EvaluateVpcFlowLogsControl" using argument "{TargetVpcId}"315ms
Then "{result.FlowLogCount}" should be greater than "0"117µs
expected {result.FlowLogCount} (0) to be greater than 0
And "{result.NonCompliantCount}" is "0"48µs
Scenario: Behavioral check (active): traffic produces flow log records @vpc @tlp-amber @tlp-red @CCC.VPC.CN04 @CCC.VPC.CN04.AR01 @Behavioural @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"31µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"142µs
And I refer to "{result}" as "vpcService"24µs
Given I refer to "{UID}" as "TargetVpcId"26µs
When I call "{vpcService}" with "PrepareFlowLogDeliveryObservation" using argument "{TargetVpcId}"330ms
And I call "{vpcService}" with "GenerateTestTraffic" using argument "{TargetVpcId}"131ms
And I refer to "{result.ResourceId}" as "TestResourceId"47µs
And I refer to "{result.CleanupDeleted}" as "TrafficCleanupDeleted"26µs
And I call "{vpcService}" with "ObserveRecentFlowLogDelivery" using argument "{TargetVpcId}"103ms
And I refer to "{result.RecordsObserved}" as "RecordsObserved"51µs
And I call "{vpcService}" with "DeleteTestResource" using argument "{TestResourceId}"46µs
Then "{result.Deleted}" is true35µs
expected {result.Deleted} to be truthy, got (type: )
And "{TrafficCleanupDeleted}" is true38µs
And "{RecordsObserved}" is true17µs