🥒 CCC.VPC Test: cfi-20260409t081624z-vpc

Test Parameters

ServiceTypevpc
ProviderServiceTypeec2:vpc
CatalogTypesCCC.VPC
TagFilter@MAIN, @CCC.VPC, ~@NEGATIVE, ~@OPT_IN
UIDvpc-0538ea308fdf4f8c4
ResourceNamecfi-20260409t081624z-vpc
Instance
{
  "ID": "main-aws",
  "Properties": {
    "Provider": "aws",
    "Region": "us-east-1",
    "AzureResourceGroup": "",
    "AzureSubscriptionID": "",
    "GcpProjectId": ""
  },
  "Services": [
    {
      "Type": "object-storage",
      "Properties": {
        "object-storage-retention-period-days": 2
      }
    },
    {
      "Type": "logging",
      "Properties": {
        "aws-cloud-trail-log-group-name": "cfi-test-log-group"
      }
    },
    {
      "Type": "vpc",
      "Properties": {
        "bad-vpc-id": "vpc-022fefc877eaaa292",
        "cn03-allowed-requester-vpc-ids": null,
        "cn03-allowed-requester-vpc-ids-csv": "vpc-04a9b036faceb51c1,vpc-0d4a9192631c747b6",
        "cn03-disallowed-requester-vpc-ids": null,
        "cn03-disallowed-requester-vpc-ids-csv": "vpc-05cd70ec8c2768550,vpc-0891a4a861e79a190",
        "cn03-non-allowlisted-requester-vpc-id": "vpc-0285333a6cb68dde8",
        "cn03-receiver-vpc-id": "vpc-0538ea308fdf4f8c4",
        "cn04-flow-log-group-name": "/aws/vpc/flow-logs/cfi-20260409t081624z-vpc"
      }
    }
  ],
  "Rules": {
    "permitted-account-ids": "",
    "permitted-regions": [
      "us-east-1"
    ]
  }
}
AwsCloudTrailLogGroupNamecfi-test-log-group
BadVpcIdvpc-022fefc877eaaa292
Cn03AllowedRequesterVpcIdsCsvvpc-04a9b036faceb51c1,vpc-0d4a9192631c747b6
Cn03DisallowedRequesterVpcIdsCsvvpc-05cd70ec8c2768550,vpc-0891a4a861e79a190
Cn03NonAllowlistedRequesterVpcIdvpc-0285333a6cb68dde8
Cn03ReceiverVpcIdvpc-0538ea308fdf4f8c4
Cn04FlowLogGroupName/aws/vpc/flow-logs/cfi-20260409t081624z-vpc
ObjectStorageRetentionPeriodDays2
PermittedRegions
[
  "us-east-1"
]
Provideraws
Regionus-east-1

Summary

Generated: 2026-04-09 08:26:51

Total Run Time: 30s

Features: 4

Scenarios: 7 (✅ 7 | ❌ 0)

Steps: 80 (✅ 80 | ❌ 0 | ⏭️ 0 | ❓ 0)

Feature: CCC.VPC.CN01.AR01 - Subscription must not contain default network resources
Scenario: Main check: no default VPC exists @vpc @tlp-amber @tlp-red @CCC.VPC.CN01 @CCC.VPC.CN01.AR01 @Policy @MAIN @CCC.VPC @DEFAULT
Given a cloud api for "{Instance}" in "api"29µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"123µs
And I refer to "{result}" as "vpcService"19µs
When I call "{vpcService}" with "CountDefaultVpcs"419ms
Then "{result}" is "0"74µs
Feature: CCC.VPC.CN02.AR01 - No external IP by default in public subnets
Scenario: Main check (config): public subnets do not auto-assign external IPs @vpc @tlp-red @CCC.VPC.CN02 @CCC.VPC.CN02.AR01 @Policy @MAIN @CCC.VPC @DEFAULT
Given a cloud api for "{Instance}" in "api"41µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"131µs
And I refer to "{result}" as "vpcService"26µs
Given I refer to "{UID}" as "TargetVpcId"12µs
When I call "{vpcService}" with "EvaluatePublicSubnetDefaultIPControl" using argument "{TargetVpcId}"686ms
Then "{result.ViolatingSubnetCount}" is "0"68µs
And "{result.Reason}" contains "disable default public IP"48µs
Scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP @vpc @tlp-red @CCC.VPC.CN02 @CCC.VPC.CN02.AR01 @Behavioural @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"45µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"158µs
And I refer to "{result}" as "vpcService"29µs
Given I refer to "{UID}" as "TargetVpcId"34µs
When I call "{vpcService}" with "SelectPublicSubnetForTest" using argument "{TargetVpcId}"579ms
And I refer to "{result.SubnetId}" as "TestSubnetId"51µs
And I call "{vpcService}" with "CreateTestResourceInSubnet" using argument "{TestSubnetId}"7s
And I refer to "{result.ResourceId}" as "TestResourceId"37µs
And I call "{vpcService}" with "GetResourceExternalIpAssignment" using argument "{TestResourceId}"159ms
And I refer to "{result.HasExternalIp}" as "HasExternalIp"52µs
Then "{HasExternalIp}" is false32µs
When I call "{vpcService}" with "DeleteTestResource" using argument "{TestResourceId}"476ms
Then "{result.Deleted}" is true65µs
Feature: CCC.VPC.CN03.AR01 - Restrict VPC peering requests from non-allowlisted requesters
Scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC @vpc @tlp-amber @tlp-red @CCC.VPC.CN03 @CCC.VPC.CN03.AR01 @Destructive @MAIN @DEFAULT @CCC.VPC
Given a cloud api for "{Instance}" in "api"35µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"149µs
And I refer to "{result}" as "vpcService"27µs
And I refer to "{UID}" as "ReceiverVpcId"23µs
And I refer to "{Cn03NonAllowlistedRequesterVpcId}" as "NonAllowlistedRequesterVpcId"18µs
And I load environment variable "CN03_PEER_TRIAL_MATRIX_FILE" as "PeerTrialMatrixFile"21µs
And "{ReceiverVpcId}" is not nil18µs
When I call "{vpcService}" with "ValidateDisallowListEnforcement" using argument "{ReceiverVpcId}"507ms
And I attach "{result.Summary}" to the test output as "Disallow-list Enforcement Summary"57µs
And I attach "{result.Results}" to the test output as "Disallow-list Enforcement"120µs
Then "{result.ListDefined}" is true46µs
And "{result.TestedCount}" should be greater than "0"42µs
And "{result.AllCorrect}" is true37µs
And "{result.ViolationCount}" is "0"34µs
📎 Attachments:
Disallow-list Enforcement Summary
View Content (56 bytes)
all 2 disallow-list VPC(s) correctly denied by guardrail
Disallow-list Enforcement
View JSON (6465 bytes)
[{"AllowListDefined":true,"ConflictMessage":"","ConflictType":"","DryRunAllowed":false,"ErrorCode":"UnauthorizedOperation","ExitCode":1,"GuardrailExpectation":"deny","GuardrailMismatch":false,"Origin":"terraform-fixture","PeerOwnerId":"","PeerVpcId":"vpc-0538ea308fdf4f8c4","Reason":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 3016f5fc-4636-4b68-9352-455d23d02fbc, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: VgqkhcFF9BRvsAV14aZ3f8UoPLTa9Trzfz8gbuFTg4aPpUBsa-sNhbFr0hd0L9bupQwQWQlyjOdZ-2sQpi0YEcMF35Ks0OfzM9qdPK34II5bfBmzbC3m5tZZ2Gdf--CMqbroXwPufs9yLEHBhK9c0Fa9UXd7J7bFXKrGVTTO3cwLAxpYi9NvmPbMSNY2aC76mh8O7JIBNVtJgJUvo33GWaDlYfNkolxpIPu06f8im-VGiJYOQSW_sMHXZ5yOAaUg4kpfn0320yg9kYEjJLlH1UuQGkH5grOMtkDVv17YCvtwKbcbnaemfCt6bQypGWRGT9GscJwQM6-7XrfpZT-nKTKMF_4z1_cGddUfq5sg9n3t6Zj1G4_G2DjURXGEw1ypAnGxd64-m-T0mxaMX4iHnjEVrYi3bmuGNsWbsTGGoAbrGNrBCt_I2mps3RICMNVls8rgggUKO01UadO8gxg0vENIOOz2jxfnNbKfDpLcMIMtVMgUqGi562bjAqkZh5j4auSdewos_ytllIIZmdLcjWr48uFGpoB7_HNbC3CfJuzLORM1sHg2x-nDcClYQEj4k1ThO6a95AtcWY-wy8m275komGle4KTtUSx9cHRyCQll_5YWtui5xeN_Ip3Lg7X0SuZ5ZAdSyBIWeKKgWOD_MA8vqxbFBtR-lPmqPG2TZRFZ8_D8y9xhGx8LXu8hagOpjxGnAeIjwzKOd-z8nJ38hvCdy83LB0_5JZtXr7XATcNpLXWRK4kzRaQ4L3HGUUiq5sIH2Dd5N2ZBvf-kWwza5677qYBmjw; CN03 guardrail aligned: allow-list expects deny for requester vpc-05cd70ec8c2768550","ReceiverVpcId":"vpc-0538ea308fdf4f8c4","RequesterInAllowList":false,"RequesterVpcId":"vpc-05cd70ec8c2768550","Stderr":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 3016f5fc-4636-4b68-9352-455d23d02fbc, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: VgqkhcFF9BRvsAV14aZ3f8UoPLTa9Trzfz8gbuFTg4aPpUBsa-sNhbFr0hd0L9bupQwQWQlyjOdZ-2sQpi0YEcMF35Ks0OfzM9qdPK34II5bfBmzbC3m5tZZ2Gdf--CMqbroXwPufs9yLEHBhK9c0Fa9UXd7J7bFXKrGVTTO3cwLAxpYi9NvmPbMSNY2aC76mh8O7JIBNVtJgJUvo33GWaDlYfNkolxpIPu06f8im-VGiJYOQSW_sMHXZ5yOAaUg4kpfn0320yg9kYEjJLlH1UuQGkH5grOMtkDVv17YCvtwKbcbnaemfCt6bQypGWRGT9GscJwQM6-7XrfpZT-nKTKMF_4z1_cGddUfq5sg9n3t6Zj1G4_G2DjURXGEw1ypAnGxd64-m-T0mxaMX4iHnjEVrYi3bmuGNsWbsTGGoAbrGNrBCt_I2mps3RICMNVls8rgggUKO01UadO8gxg0vENIOOz2jxfnNbKfDpLcMIMtVMgUqGi562bjAqkZh5j4auSdewos_ytllIIZmdLcjWr48uFGpoB7_HNbC3CfJuzLORM1sHg2x-nDcClYQEj4k1ThO6a95AtcWY-wy8m275komGle4KTtUSx9cHRyCQll_5YWtui5xeN_Ip3Lg7X0SuZ5ZAdSyBIWeKKgWOD_MA8vqxbFBtR-lPmqPG2TZRFZ8_D8y9xhGx8LXu8hagOpjxGnAeIjwzKOd-z8nJ38hvCdy83LB0_5JZtXr7XATcNpLXWRK4kzRaQ4L3HGUUiq5sIH2Dd5N2ZBvf-kWwza5677qYBmjw"},{"AllowListDefined":true,"ConflictMessage":"","ConflictType":"","DryRunAllowed":false,"ErrorCode":"UnauthorizedOperation","ExitCode":1,"GuardrailExpectation":"deny","GuardrailMismatch":false,"Origin":"terraform-fixture","PeerOwnerId":"","PeerVpcId":"vpc-0538ea308fdf4f8c4","Reason":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 2f1d59ed-bc6a-4ed1-8c8c-a0918bde5828, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: dwLhbERA8e9C2qFUCgzwIMma5ENzeaRMptZvQ2AMiOsmPfy2UTbuoQ8Rv_R2A0D31lSsaKwwBZsNmGVTt6o0bzMh8UkuMsEMG600ljBw4zXYms47vy4kG_rEKoSsPozphJuW8ffbTgN1X5TfJGWHErDXxxS-_ouiDTCDHLWdTBzlAwhibWXx5eaqr4cQubeCcK9e3I8oib84nHDsr1FaWKl9m0yyJYGAXSsEEZtOwg7O8JzqZAAQ0jmL8tN7hYT0bE6aQkoTFdOkVd7BmQzd5YVFZAk4ZhMEoOZZz2Czobse6dm2ppKfjCOWcNREsmwjfF2Tpl07JTnCgv8OJDMLm_5tm-jAxWO8X83BNgFpjAXmKdZSCVMkPRswtLNtE6bpwlnTcsi0r4mBd5P4142D5rv4ljzh2N19L2mET-0AJaXoZDXrn4S6Ke5Ugc0nScrBXaBo_2xAABVZ5LcbVyCXYG0VGcPxSpBE1VYqCT0Ka149297q8JTFp5GIAtQV7FN5SLrVqIA4KgSd54nW7Wn5pwu4K_IHaqA1zRN7FDOlbnpIq7G7eOHJC_RCP3YaMFySexpNA1EOMpE5Yh01o1p66ZizqzSnr8S7_yT87fh6O8Zxjd3k9wrmjLk0FyxX3yz2lKPuMA0V-Nuix9Cf-JfYZqvXj44xRUGeBJY6o-qkGRzr7ouOtLt_oy6EGD-7-IBKsVIkG-KwsEiyXYFjAT6_2QYXiVDA67wDfCw1Poarn0t1tmUIV1yyw0XmKCEkDa_Wja5nCXFaihGigSfJSVoWgKc1J07han4; CN03 guardrail aligned: allow-list expects deny for requester vpc-0891a4a861e79a190","ReceiverVpcId":"vpc-0538ea308fdf4f8c4","RequesterInAllowList":false,"RequesterVpcId":"vpc-0891a4a861e79a190","Stderr":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 2f1d59ed-bc6a-4ed1-8c8c-a0918bde5828, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: dwLhbERA8e9C2qFUCgzwIMma5ENzeaRMptZvQ2AMiOsmPfy2UTbuoQ8Rv_R2A0D31lSsaKwwBZsNmGVTt6o0bzMh8UkuMsEMG600ljBw4zXYms47vy4kG_rEKoSsPozphJuW8ffbTgN1X5TfJGWHErDXxxS-_ouiDTCDHLWdTBzlAwhibWXx5eaqr4cQubeCcK9e3I8oib84nHDsr1FaWKl9m0yyJYGAXSsEEZtOwg7O8JzqZAAQ0jmL8tN7hYT0bE6aQkoTFdOkVd7BmQzd5YVFZAk4ZhMEoOZZz2Czobse6dm2ppKfjCOWcNREsmwjfF2Tpl07JTnCgv8OJDMLm_5tm-jAxWO8X83BNgFpjAXmKdZSCVMkPRswtLNtE6bpwlnTcsi0r4mBd5P4142D5rv4ljzh2N19L2mET-0AJaXoZDXrn4S6Ke5Ugc0nScrBXaBo_2xAABVZ5LcbVyCXYG0VGcPxSpBE1VYqCT0Ka149297q8JTFp5GIAtQV7FN5SLrVqIA4KgSd54nW7Wn5pwu4K_IHaqA1zRN7FDOlbnpIq7G7eOHJC_RCP3YaMFySexpNA1EOMpE5Yh01o1p66ZizqzSnr8S7_yT87fh6O8Zxjd3k9wrmjLk0FyxX3yz2lKPuMA0V-Nuix9Cf-JfYZqvXj44xRUGeBJY6o-qkGRzr7ouOtLt_oy6EGD-7-IBKsVIkG-KwsEiyXYFjAT6_2QYXiVDA67wDfCw1Poarn0t1tmUIV1yyw0XmKCEkDa_Wja5nCXFaihGigSfJSVoWgKc1J07han4"}]
Scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed @vpc @tlp-amber @tlp-red @CCC.VPC.CN03 @CCC.VPC.CN03.AR01 @Destructive @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"62µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"208µs
And I refer to "{result}" as "vpcService"52µs
And I refer to "{UID}" as "ReceiverVpcId"36µs
And I refer to "{Cn03NonAllowlistedRequesterVpcId}" as "NonAllowlistedRequesterVpcId"63µs
And I load environment variable "CN03_PEER_TRIAL_MATRIX_FILE" as "PeerTrialMatrixFile"29µs
And "{ReceiverVpcId}" is not nil22µs
Given "{NonAllowlistedRequesterVpcId}" is not nil38µs
When I call "{vpcService}" with "EvaluatePeerAgainstAllowList" using argument "{NonAllowlistedRequesterVpcId}"142µs
Then "{result.AllowedListDefined}" is true51µs
And "{result.Allowed}" is false33µs
When I call "{vpcService}" with "AttemptVpcPeeringDryRun" using arguments "{NonAllowlistedRequesterVpcId}" and "{ReceiverVpcId}"352ms
Then "{result.DryRunAllowed}" is false65µs
And "{result.AllowListDefined}" is true63µs
And "{result.RequesterInAllowList}" is false53µs
And "{result.GuardrailExpectation}" is "deny"38µs
And "{result.GuardrailMismatch}" is false45µs
And "{result.ExitCode}" should be greater than "0"39µs
And "{result.Reason}" contains "guardrail aligned"43µs
And "{result.ConflictType}" is ""32µs
Feature: CCC.VPC.CN04.AR01 - Flow logs must capture all VPC traffic
Scenario: Main check (config): flow logs are active and capture all traffic @vpc @tlp-amber @tlp-red @CCC.VPC.CN04 @CCC.VPC.CN04.AR01 @Policy @MAIN @DEFAULT @CCC.VPC
Given a cloud api for "{Instance}" in "api"40µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"138µs
And I refer to "{result}" as "vpcService"15µs
Given I refer to "{UID}" as "TargetVpcId"14µs
When I call "{vpcService}" with "EvaluateVpcFlowLogsControl" using argument "{TargetVpcId}"336ms
Then "{result.FlowLogCount}" should be greater than "0"60µs
And "{result.NonCompliantCount}" is "0"35µs
Scenario: Behavioral check (active): traffic produces flow log records @vpc @tlp-amber @tlp-red @CCC.VPC.CN04 @CCC.VPC.CN04.AR01 @Behavioural @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"50µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"182µs
And I refer to "{result}" as "vpcService"26µs
Given I refer to "{UID}" as "TargetVpcId"19µs
When I call "{vpcService}" with "PrepareFlowLogDeliveryObservation" using argument "{TargetVpcId}"356ms
And I call "{vpcService}" with "GenerateTestTraffic" using argument "{TargetVpcId}"19s
And I refer to "{result.ResourceId}" as "TestResourceId"44µs
And I refer to "{result.CleanupDeleted}" as "TrafficCleanupDeleted"25µs
And I call "{vpcService}" with "ObserveRecentFlowLogDelivery" using argument "{TargetVpcId}"111ms
And I refer to "{result.RecordsObserved}" as "RecordsObserved"51µs
And I call "{vpcService}" with "DeleteTestResource" using argument "{TestResourceId}"436ms
Then "{result.Deleted}" is true49µs
And "{TrafficCleanupDeleted}" is true27µs
And "{RecordsObserved}" is true44µs