🥒 CCC.VPC Test: cfi-1775571562-vpc

Test Parameters

ServiceTypevpc
ProviderServiceTypeec2:vpc
CatalogTypesCCC.VPC
TagFilter@MAIN, @CCC.VPC, ~@NEGATIVE, ~@OPT_IN
UIDvpc-052e26ee900d736f5
ResourceNamecfi-1775571562-vpc
Instance
{
  "ID": "main-aws",
  "Properties": {
    "Provider": "aws",
    "Region": "us-east-1",
    "AzureResourceGroup": "",
    "AzureSubscriptionID": "",
    "GcpProjectId": ""
  },
  "Services": [
    {
      "Type": "object-storage",
      "Properties": {
        "object-storage-retention-period-days": 2
      }
    },
    {
      "Type": "logging",
      "Properties": {
        "aws-cloud-trail-log-group-name": "cfi-test-log-group"
      }
    },
    {
      "Type": "vpc",
      "Properties": {
        "bad-vpc-id": "",
        "cn03-allowed-requester-vpc-ids": null,
        "cn03-allowed-requester-vpc-ids-csv": "vpc-0305bca4e5d1dbba1,vpc-08d80da7fc89b037d",
        "cn03-disallowed-requester-vpc-ids": null,
        "cn03-disallowed-requester-vpc-ids-csv": "vpc-02f7f1c9c21fbf4c8,vpc-0cd15c2c6c3933bcc",
        "cn03-non-allowlisted-requester-vpc-id": "vpc-005c037e22662c07e",
        "cn03-receiver-vpc-id": "vpc-052e26ee900d736f5",
        "cn04-flow-log-group-name": "/aws/vpc/flow-logs/cfi-1775571562-vpc"
      }
    }
  ],
  "Rules": {
    "permitted-account-ids": "",
    "permitted-regions": [
      "us-east-1"
    ]
  }
}
AwsCloudTrailLogGroupNamecfi-test-log-group
Cn03AllowedRequesterVpcIdsCsvvpc-0305bca4e5d1dbba1,vpc-08d80da7fc89b037d
Cn03DisallowedRequesterVpcIdsCsvvpc-02f7f1c9c21fbf4c8,vpc-0cd15c2c6c3933bcc
Cn03NonAllowlistedRequesterVpcIdvpc-005c037e22662c07e
Cn03ReceiverVpcIdvpc-052e26ee900d736f5
Cn04FlowLogGroupName/aws/vpc/flow-logs/cfi-1775571562-vpc
ObjectStorageRetentionPeriodDays2
PermittedRegions
[
  "us-east-1"
]
Provideraws
Regionus-east-1

Summary

Generated: 2026-04-07 14:28:58

Total Run Time: 17s

Features: 4

Scenarios: 7 (✅ 7 | ❌ 0)

Steps: 80 (✅ 80 | ❌ 0 | ⏭️ 0 | ❓ 0)

Feature: CCC.VPC.CN01.AR01 - Subscription must not contain default network resources
Scenario: Main check: no default VPC exists @vpc @tlp-amber @tlp-red @CCC.VPC.CN01 @CCC.VPC.CN01.AR01 @Policy @MAIN @CCC.VPC @DEFAULT
Given a cloud api for "{Instance}" in "api"30µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"122µs
And I refer to "{result}" as "vpcService"17µs
When I call "{vpcService}" with "CountDefaultVpcs"132ms
Then "{result}" is "0"36µs
Feature: CCC.VPC.CN02.AR01 - No external IP by default in public subnets
Scenario: Main check (config): public subnets do not auto-assign external IPs @vpc @tlp-red @CCC.VPC.CN02 @CCC.VPC.CN02.AR01 @Policy @MAIN @CCC.VPC @DEFAULT
Given a cloud api for "{Instance}" in "api"28µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"142µs
And I refer to "{result}" as "vpcService"15µs
Given I refer to "{UID}" as "TargetVpcId"14µs
When I call "{vpcService}" with "EvaluatePublicSubnetDefaultIPControl" using argument "{TargetVpcId}"284ms
Then "{result.ViolatingSubnetCount}" is "0"47µs
And "{result.Reason}" contains "disable default public IP"38µs
Scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP @vpc @tlp-red @CCC.VPC.CN02 @CCC.VPC.CN02.AR01 @Behavioural @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"39µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"148µs
And I refer to "{result}" as "vpcService"16µs
Given I refer to "{UID}" as "TargetVpcId"22µs
When I call "{vpcService}" with "SelectPublicSubnetForTest" using argument "{TargetVpcId}"292ms
And I refer to "{result.SubnetId}" as "TestSubnetId"37µs
And I call "{vpcService}" with "CreateTestResourceInSubnet" using argument "{TestSubnetId}"2s
And I refer to "{result.ResourceId}" as "TestResourceId"35µs
And I call "{vpcService}" with "GetResourceExternalIpAssignment" using argument "{TestResourceId}"185ms
And I refer to "{result.HasExternalIp}" as "HasExternalIp"43µs
Then "{HasExternalIp}" is false20µs
When I call "{vpcService}" with "DeleteTestResource" using argument "{TestResourceId}"415ms
Then "{result.Deleted}" is true42µs
Feature: CCC.VPC.CN03.AR01 - Restrict VPC peering requests from non-allowlisted requesters
Scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC @vpc @tlp-amber @tlp-red @CCC.VPC.CN03 @CCC.VPC.CN03.AR01 @Destructive @MAIN @DEFAULT @CCC.VPC
Given a cloud api for "{Instance}" in "api"48µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"126µs
And I refer to "{result}" as "vpcService"19µs
And I refer to "{UID}" as "ReceiverVpcId"15µs
And I refer to "{Cn03NonAllowlistedRequesterVpcId}" as "NonAllowlistedRequesterVpcId"12µs
And I load environment variable "CN03_PEER_TRIAL_MATRIX_FILE" as "PeerTrialMatrixFile"15µs
And "{ReceiverVpcId}" is not nil21µs
When I call "{vpcService}" with "ValidateDisallowListEnforcement" using argument "{ReceiverVpcId}"263ms
And I attach "{result.Summary}" to the test output as "Disallow-list Enforcement Summary"56µs
And I attach "{result.Results}" to the test output as "Disallow-list Enforcement"107µs
Then "{result.ListDefined}" is true32µs
And "{result.TestedCount}" should be greater than "0"38µs
And "{result.AllCorrect}" is true28µs
And "{result.ViolationCount}" is "0"36µs
📎 Attachments:
Disallow-list Enforcement Summary
View Content (56 bytes)
all 2 disallow-list VPC(s) correctly denied by guardrail
Disallow-list Enforcement
View JSON (6465 bytes)
[{"AllowListDefined":true,"ConflictMessage":"","ConflictType":"","DryRunAllowed":false,"ErrorCode":"UnauthorizedOperation","ExitCode":1,"GuardrailExpectation":"deny","GuardrailMismatch":false,"Origin":"terraform-fixture","PeerOwnerId":"","PeerVpcId":"vpc-052e26ee900d736f5","Reason":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 5fd5bbce-f68e-4f3d-b796-cc2424b2af60, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: VlsLonD8JSbVnRQU8shfeeM8rQbU4fxRqmpjuNV9thq0K1vWvjR4RJTvWCe5pu8ytotR2omocc3hmuSMolJgVzv7XiAz-aJC7INH64MMfsEY-qOayW0VgIHllcbEbpm0uYaVYKEA7GqwDLh2mj-K4uuC_Aa1XKh-eBJrODPAJHe9cZ_q9SH-LA5dzgR75Q6DG85u8-Ken5ZqR-O5iF0rDHCrCiAr-7AbXIyoOPOcPRghHUGBVQ4d0ibXz_ftpe0vc5Pl-BxaertGRRp9j6flMZkq9ZnaKhMp7fZWuJlQK7IY6kUEd_Qp3OBVAuENVpFmdPKpfTOZchvxp6ossORCqJEn0aRRkoYmc0BL8_GOI_aoOr_ClHzRl2LzaixauUFeve3o_HY6p7FaEL8iGZDyUCDn1dqapEIWgrQnrlvTVcLuuf-x_ixj1I3-bHtsSn4LOvlB1FOfRfJNO7yetgFef2xZNc3lZo0jvPrGM8RNQWPaEyL5X0HP6SnthD0smH9Yjm_zBY22l4ME0vgkKxFvZO3f-UFlXWKKUPB3q9s789iFGAU0LqVJ8HUS_aBrb5aU4QwA27cMfNj-7PTbi0chI4479DCEQLpsBw08wkFh6KgmURGrqeapsK92MZFvO0AIHQVYMtuQhiTpA8vnfK_Xt5UcYLRqEd698bjgvIlRjrDDrr0fTXJHv24qMEK_QPuYEb9jw_xEBI720uNN2HCyBRFPpY3QdS3AmDkFEEGm4lkWJVc3xKGL0bOpE_UOih_62j-pnQJoo2jWLjAxM7k43UPJKftzkws; CN03 guardrail aligned: allow-list expects deny for requester vpc-02f7f1c9c21fbf4c8","ReceiverVpcId":"vpc-052e26ee900d736f5","RequesterInAllowList":false,"RequesterVpcId":"vpc-02f7f1c9c21fbf4c8","Stderr":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 5fd5bbce-f68e-4f3d-b796-cc2424b2af60, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: VlsLonD8JSbVnRQU8shfeeM8rQbU4fxRqmpjuNV9thq0K1vWvjR4RJTvWCe5pu8ytotR2omocc3hmuSMolJgVzv7XiAz-aJC7INH64MMfsEY-qOayW0VgIHllcbEbpm0uYaVYKEA7GqwDLh2mj-K4uuC_Aa1XKh-eBJrODPAJHe9cZ_q9SH-LA5dzgR75Q6DG85u8-Ken5ZqR-O5iF0rDHCrCiAr-7AbXIyoOPOcPRghHUGBVQ4d0ibXz_ftpe0vc5Pl-BxaertGRRp9j6flMZkq9ZnaKhMp7fZWuJlQK7IY6kUEd_Qp3OBVAuENVpFmdPKpfTOZchvxp6ossORCqJEn0aRRkoYmc0BL8_GOI_aoOr_ClHzRl2LzaixauUFeve3o_HY6p7FaEL8iGZDyUCDn1dqapEIWgrQnrlvTVcLuuf-x_ixj1I3-bHtsSn4LOvlB1FOfRfJNO7yetgFef2xZNc3lZo0jvPrGM8RNQWPaEyL5X0HP6SnthD0smH9Yjm_zBY22l4ME0vgkKxFvZO3f-UFlXWKKUPB3q9s789iFGAU0LqVJ8HUS_aBrb5aU4QwA27cMfNj-7PTbi0chI4479DCEQLpsBw08wkFh6KgmURGrqeapsK92MZFvO0AIHQVYMtuQhiTpA8vnfK_Xt5UcYLRqEd698bjgvIlRjrDDrr0fTXJHv24qMEK_QPuYEb9jw_xEBI720uNN2HCyBRFPpY3QdS3AmDkFEEGm4lkWJVc3xKGL0bOpE_UOih_62j-pnQJoo2jWLjAxM7k43UPJKftzkws"},{"AllowListDefined":true,"ConflictMessage":"","ConflictType":"","DryRunAllowed":false,"ErrorCode":"UnauthorizedOperation","ExitCode":1,"GuardrailExpectation":"deny","GuardrailMismatch":false,"Origin":"terraform-fixture","PeerOwnerId":"","PeerVpcId":"vpc-052e26ee900d736f5","Reason":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 98955a7b-8952-4d29-9b45-9c2967910575, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: g-GeuGtGwR6tRgNFHvCpUIxbO0qmUYhumSd4btLVKIiA0i-74izUR6pR3WwUa_Bxnv2dUOCT3fkSE6hKEiAHaYxdIbP7czofbLcqMhD9vgUAyuhRU99XBf3rImmjOzoaMPJ-euA-dWBwEijpKfO9cTSvySpBprdHw-aqTn6lFQPrn29qBs6hgJjap6qU4bGTl6ToBrCtk6F0k0CpC0yotnxdacxfOO3Klvv55KXNX8whPlTjn30NGuXWRkxkZUX-JF6HRuj-Z56XWcM0CL8f4MCDzd0hym40IoIyAXuKwjcBqn-0Kx36iseMXVTuYddSuxM84VwQVg-aAxyr0EtXJWpXb2bwaHTNheywuVcVcULvXzLzV0fvJkZ0IxnJ87jpp6IyGUKDL5nMPT6t742kkkx3LctlOqN2Kxefp476nGOhq1SpLac2MqAT5uQd7Ipk4xvBkSjMrsHsdsE6YVx8gwG44Z5nPzQzuP_yKTOC9-OCbcP8DoWBlv5jLBy9Mk73dxvx8wkjX5IGtSdg3rfyS17tBOX0Cq4j4yAkpl4MfXqrXVy0DeTXQyMiq8NWF9NBEJW3qO2FUZ_3Tl65MY8TC7ClINk6igvbQHfAfqx0v12Sj1gLcZ8_sG3dsiiiSeP9QcMMaFpnr1YgnEK3VGLbHzuvHtL4BNOpHZANHx8dfjy6uF5cyf6DY6iOoc8Vl4R3mBGVjtMRokAi8fRnremdvx5pG6YfjvksZNh3FGMNp7nBDKMEDO-afkTatscmcIwCxECS9BpeteSWFD6VnDVCZhlZ_H5l_A; CN03 guardrail aligned: allow-list expects deny for requester vpc-0cd15c2c6c3933bcc","ReceiverVpcId":"vpc-052e26ee900d736f5","RequesterInAllowList":false,"RequesterVpcId":"vpc-0cd15c2c6c3933bcc","Stderr":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 98955a7b-8952-4d29-9b45-9c2967910575, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: g-GeuGtGwR6tRgNFHvCpUIxbO0qmUYhumSd4btLVKIiA0i-74izUR6pR3WwUa_Bxnv2dUOCT3fkSE6hKEiAHaYxdIbP7czofbLcqMhD9vgUAyuhRU99XBf3rImmjOzoaMPJ-euA-dWBwEijpKfO9cTSvySpBprdHw-aqTn6lFQPrn29qBs6hgJjap6qU4bGTl6ToBrCtk6F0k0CpC0yotnxdacxfOO3Klvv55KXNX8whPlTjn30NGuXWRkxkZUX-JF6HRuj-Z56XWcM0CL8f4MCDzd0hym40IoIyAXuKwjcBqn-0Kx36iseMXVTuYddSuxM84VwQVg-aAxyr0EtXJWpXb2bwaHTNheywuVcVcULvXzLzV0fvJkZ0IxnJ87jpp6IyGUKDL5nMPT6t742kkkx3LctlOqN2Kxefp476nGOhq1SpLac2MqAT5uQd7Ipk4xvBkSjMrsHsdsE6YVx8gwG44Z5nPzQzuP_yKTOC9-OCbcP8DoWBlv5jLBy9Mk73dxvx8wkjX5IGtSdg3rfyS17tBOX0Cq4j4yAkpl4MfXqrXVy0DeTXQyMiq8NWF9NBEJW3qO2FUZ_3Tl65MY8TC7ClINk6igvbQHfAfqx0v12Sj1gLcZ8_sG3dsiiiSeP9QcMMaFpnr1YgnEK3VGLbHzuvHtL4BNOpHZANHx8dfjy6uF5cyf6DY6iOoc8Vl4R3mBGVjtMRokAi8fRnremdvx5pG6YfjvksZNh3FGMNp7nBDKMEDO-afkTatscmcIwCxECS9BpeteSWFD6VnDVCZhlZ_H5l_A"}]
Scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed @vpc @tlp-amber @tlp-red @CCC.VPC.CN03 @CCC.VPC.CN03.AR01 @Destructive @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"41µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"123µs
And I refer to "{result}" as "vpcService"14µs
And I refer to "{UID}" as "ReceiverVpcId"16µs
And I refer to "{Cn03NonAllowlistedRequesterVpcId}" as "NonAllowlistedRequesterVpcId"14µs
And I load environment variable "CN03_PEER_TRIAL_MATRIX_FILE" as "PeerTrialMatrixFile"17µs
And "{ReceiverVpcId}" is not nil14µs
Given "{NonAllowlistedRequesterVpcId}" is not nil18µs
When I call "{vpcService}" with "EvaluatePeerAgainstAllowList" using argument "{NonAllowlistedRequesterVpcId}"81µs
Then "{result.AllowedListDefined}" is true21µs
And "{result.Allowed}" is false17µs
When I call "{vpcService}" with "AttemptVpcPeeringDryRun" using arguments "{NonAllowlistedRequesterVpcId}" and "{ReceiverVpcId}"122ms
Then "{result.DryRunAllowed}" is false66µs
And "{result.AllowListDefined}" is true53µs
And "{result.RequesterInAllowList}" is false53µs
And "{result.GuardrailExpectation}" is "deny"278µs
And "{result.GuardrailMismatch}" is false38µs
And "{result.ExitCode}" should be greater than "0"38µs
And "{result.Reason}" contains "guardrail aligned"34µs
And "{result.ConflictType}" is ""20µs
Feature: CCC.VPC.CN04.AR01 - Flow logs must capture all VPC traffic
Scenario: Main check (config): flow logs are active and capture all traffic @vpc @tlp-amber @tlp-red @CCC.VPC.CN04 @CCC.VPC.CN04.AR01 @Policy @MAIN @CCC.VPC @DEFAULT @CCC.VPC
Given a cloud api for "{Instance}" in "api"37µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"138µs
And I refer to "{result}" as "vpcService"15µs
Given I refer to "{UID}" as "TargetVpcId"13µs
When I call "{vpcService}" with "EvaluateVpcFlowLogsControl" using argument "{TargetVpcId}"87ms
Then "{result.FlowLogCount}" should be greater than "0"45µs
And "{result.NonCompliantCount}" is "0"24µs
Scenario: Behavioral check (active): traffic produces flow log records @vpc @tlp-amber @tlp-red @CCC.VPC.CN04 @CCC.VPC.CN04.AR01 @Behavioural @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"57µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"137µs
And I refer to "{result}" as "vpcService"18µs
Given I refer to "{UID}" as "TargetVpcId"14µs
When I call "{vpcService}" with "PrepareFlowLogDeliveryObservation" using argument "{TargetVpcId}"131ms
And I call "{vpcService}" with "GenerateTestTraffic" using argument "{TargetVpcId}"13s
And I refer to "{result.ResourceId}" as "TestResourceId"36µs
And I refer to "{result.CleanupDeleted}" as "TrafficCleanupDeleted"21µs
And I call "{vpcService}" with "ObserveRecentFlowLogDelivery" using argument "{TargetVpcId}"44ms
And I refer to "{result.RecordsObserved}" as "RecordsObserved"41µs
And I call "{vpcService}" with "DeleteTestResource" using argument "{TestResourceId}"425ms
Then "{result.Deleted}" is true43µs
And "{TrafficCleanupDeleted}" is true25µs
And "{RecordsObserved}" is true134µs