🥒 CCC.VPC Test: cfi-1775557775-vpc

Test Parameters

ServiceTypevpc
ProviderServiceTypeec2:vpc
CatalogTypesCCC.VPC
TagFilter@MAIN, @CCC.VPC
UIDvpc-027ef85c88b9d68c2
ResourceNamecfi-1775557775-vpc
Instance
{
  "ID": "main-aws",
  "Properties": {
    "Provider": "aws",
    "Region": "us-east-1",
    "AzureResourceGroup": "",
    "AzureSubscriptionID": "",
    "GcpProjectId": ""
  },
  "Services": [
    {
      "Type": "object-storage",
      "Properties": {
        "object-storage-retention-period-days": 2
      }
    },
    {
      "Type": "logging",
      "Properties": {
        "aws-cloud-trail-log-group-name": "cfi-test-log-group"
      }
    },
    {
      "Type": "vpc",
      "Properties": {
        "cn03-allowed-requester-vpc-ids": [
          "vpc-0b622dcd5eee1a986,vpc-0c697ba86026b9c59"
        ],
        "cn03-disallowed-requester-vpc-ids": [
          "vpc-00ceb92e81affe793,vpc-03e0763d329ec1a53"
        ],
        "cn03-receiver-vpc-id": "vpc-027ef85c88b9d68c2"
      }
    }
  ],
  "Rules": {
    "permitted-account-ids": "",
    "permitted-regions": [
      "us-east-1"
    ]
  }
}
AwsCloudTrailLogGroupNamecfi-test-log-group
Cn03AllowedRequesterVpcIds
[
  "vpc-0b622dcd5eee1a986,vpc-0c697ba86026b9c59"
]
Cn03DisallowedRequesterVpcIds
[
  "vpc-00ceb92e81affe793,vpc-03e0763d329ec1a53"
]
Cn03ReceiverVpcIdvpc-027ef85c88b9d68c2
ObjectStorageRetentionPeriodDays2
PermittedRegions
[
  "us-east-1"
]
Provideraws
Regionus-east-1

Summary

Generated: 2026-04-07 10:39:34

Total Run Time: 25s

Features: 4

Scenarios: 7 (✅ 7 | ❌ 0)

Steps: 80 (✅ 80 | ❌ 0 | ⏭️ 0 | ❓ 0)

Feature: CCC.VPC.CN01.AR01 - Subscription must not contain default network resources
Scenario: Main check: no default VPC exists @vpc @tlp-amber @tlp-red @CCC.VPC.CN01 @CCC.VPC.CN01.AR01 @Policy @MAIN @CCC.VPC @DEFAULT
Given a cloud api for "{Instance}" in "api"31µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"127µs
And I refer to "{result}" as "vpcService"21µs
When I call "{vpcService}" with "CountDefaultVpcs"338ms
Then "{result}" is "0"29µs
Feature: CCC.VPC.CN02.AR01 - No external IP by default in public subnets
Scenario: Main check (config): public subnets do not auto-assign external IPs @vpc @tlp-red @CCC.VPC.CN02 @CCC.VPC.CN02.AR01 @Policy @MAIN @CCC.VPC @DEFAULT
Given a cloud api for "{Instance}" in "api"32µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"157µs
And I refer to "{result}" as "vpcService"23µs
Given I refer to "{UID}" as "TargetVpcId"23µs
When I call "{vpcService}" with "EvaluatePublicSubnetDefaultIPControl" using argument "{TargetVpcId}"651ms
Then "{result.ViolatingSubnetCount}" is "0"217µs
And "{result.Reason}" contains "disable default public IP"30µs
Scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP @vpc @tlp-red @CCC.VPC.CN02 @CCC.VPC.CN02.AR01 @Behavioural @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"63µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"246µs
And I refer to "{result}" as "vpcService"22µs
Given I refer to "{UID}" as "TargetVpcId"25µs
When I call "{vpcService}" with "SelectPublicSubnetForTest" using argument "{TargetVpcId}"572ms
And I refer to "{result.SubnetId}" as "TestSubnetId"48µs
And I call "{vpcService}" with "CreateTestResourceInSubnet" using argument "{TestSubnetId}"7s
And I refer to "{result.ResourceId}" as "TestResourceId"37µs
And I call "{vpcService}" with "GetResourceExternalIpAssignment" using argument "{TestResourceId}"150ms
And I refer to "{result.HasExternalIp}" as "HasExternalIp"49µs
Then "{HasExternalIp}" is false33µs
When I call "{vpcService}" with "DeleteTestResource" using argument "{TestResourceId}"503ms
Then "{result.Deleted}" is true79µs
Feature: CCC.VPC.CN03.AR01 - Restrict VPC peering requests from non-allowlisted requesters
Scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC @vpc @tlp-amber @tlp-red @CCC.VPC.CN03 @CCC.VPC.CN03.AR01 @Destructive @MAIN @DEFAULT @CCC.VPC
Given a cloud api for "{Instance}" in "api"33µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"130µs
And I refer to "{result}" as "vpcService"20µs
And I load environment variable "CN03_RECEIVER_VPC_ID" as "ReceiverVpcId"26µs
And I load environment variable "CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID" as "NonAllowlistedRequesterVpcId"29µs
And I load environment variable "CN03_PEER_TRIAL_MATRIX_FILE" as "PeerTrialMatrixFile"25µs
And "{ReceiverVpcId}" is not nil23µs
When I call "{vpcService}" with "ValidateDisallowListEnforcement" using argument "{ReceiverVpcId}"499ms
And I attach "{result.Summary}" to the test output as "Disallow-list Enforcement Summary"43µs
And I attach "{result.Results}" to the test output as "Disallow-list Enforcement"96µs
Then "{result.ListDefined}" is true36µs
And "{result.TestedCount}" should be greater than "0"41µs
And "{result.AllCorrect}" is true19µs
And "{result.ViolationCount}" is "0"21µs
📎 Attachments:
Disallow-list Enforcement Summary
View Content (56 bytes)
all 2 disallow-list VPC(s) correctly denied by guardrail
Disallow-list Enforcement
View JSON (6439 bytes)
[{"AllowListDefined":true,"ConflictMessage":"","ConflictType":"","DryRunAllowed":false,"ErrorCode":"UnauthorizedOperation","ExitCode":1,"GuardrailExpectation":"deny","GuardrailMismatch":false,"Origin":"terraform-fixture","PeerOwnerId":"","PeerVpcId":"vpc-027ef85c88b9d68c2","Reason":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 863901f2-d66a-4842-838c-993e95bed78c, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: ghZCIMweZWnQ3Pdfm7NhjKzHilRNy79d0gd3n7E7nOYQW9u-AVf8_odE5mWIS0CqvFR2BOEB-r3nQO5tnPggJ2YCTLX073Je3-LRuVKYuB0mt5q0bwgkmmdJxLkPOCaW5UcmVXxmSs4hykUcIBh5EJBzHlmgeQp10mgJUc51qJCDuHydyFmwsiCBWOFzVZISrBAs0-J_Vtx5vchCrvwCpKP5bZVB6buVZDqDnFfox57-PoLapR5PLA5n2XoH13KWmYX4j1oZ34D1pvqZK48DYNln6ziCZ8GXKGoEf_FzktpA1BV8CBct8-3ABDlbA03bhTv4y0IscrY5feQGHm0RxRR_AxjbXHqlT2jdbheFoUY9EfDWZsoBxkk9en-eRZMEr_qDhBiwtnamZZToUaUHa3BkeEQG1JZ7ArXNejokQr0WHCG1mKzkSH0GuqIxG4402yB5lCe3rL_d94IBbp0ATN-8BGScDSiLOWQltAUrbFyIbb4LezkEU3unxk0fmlAA8n76XQgGh0bx8XHh7sZ_bM2k-Eu9CxQjGflGT5on2x4mM99gwHA6nHugyrRyLS9arVl_bJnPmJepsoyBn4xr4K8fzcHjLlYVpEvXhjp1OYATZY4OzYxO_V1CC7hoK1MDtP8ppY1ylgxEo-nvLOfDhs1MZbpjWLOtsbXdzrXps-18tNK6E-w11W1Yb8qsA2v28WaXF8_4Fj_666TEvhtQc9aykOHno5-m9IJMS5nHnaDJMYzMJ6nfiDMqtHyr1wPXmDWaDxJvX2auPyBI2eR0YmQG; CN03 guardrail aligned: allow-list expects deny for requester vpc-00ceb92e81affe793","ReceiverVpcId":"vpc-027ef85c88b9d68c2","RequesterInAllowList":false,"RequesterVpcId":"vpc-00ceb92e81affe793","Stderr":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 863901f2-d66a-4842-838c-993e95bed78c, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: ghZCIMweZWnQ3Pdfm7NhjKzHilRNy79d0gd3n7E7nOYQW9u-AVf8_odE5mWIS0CqvFR2BOEB-r3nQO5tnPggJ2YCTLX073Je3-LRuVKYuB0mt5q0bwgkmmdJxLkPOCaW5UcmVXxmSs4hykUcIBh5EJBzHlmgeQp10mgJUc51qJCDuHydyFmwsiCBWOFzVZISrBAs0-J_Vtx5vchCrvwCpKP5bZVB6buVZDqDnFfox57-PoLapR5PLA5n2XoH13KWmYX4j1oZ34D1pvqZK48DYNln6ziCZ8GXKGoEf_FzktpA1BV8CBct8-3ABDlbA03bhTv4y0IscrY5feQGHm0RxRR_AxjbXHqlT2jdbheFoUY9EfDWZsoBxkk9en-eRZMEr_qDhBiwtnamZZToUaUHa3BkeEQG1JZ7ArXNejokQr0WHCG1mKzkSH0GuqIxG4402yB5lCe3rL_d94IBbp0ATN-8BGScDSiLOWQltAUrbFyIbb4LezkEU3unxk0fmlAA8n76XQgGh0bx8XHh7sZ_bM2k-Eu9CxQjGflGT5on2x4mM99gwHA6nHugyrRyLS9arVl_bJnPmJepsoyBn4xr4K8fzcHjLlYVpEvXhjp1OYATZY4OzYxO_V1CC7hoK1MDtP8ppY1ylgxEo-nvLOfDhs1MZbpjWLOtsbXdzrXps-18tNK6E-w11W1Yb8qsA2v28WaXF8_4Fj_666TEvhtQc9aykOHno5-m9IJMS5nHnaDJMYzMJ6nfiDMqtHyr1wPXmDWaDxJvX2auPyBI2eR0YmQG"},{"AllowListDefined":true,"ConflictMessage":"","ConflictType":"","DryRunAllowed":false,"ErrorCode":"UnauthorizedOperation","ExitCode":1,"GuardrailExpectation":"deny","GuardrailMismatch":false,"Origin":"terraform-fixture","PeerOwnerId":"","PeerVpcId":"vpc-027ef85c88b9d68c2","Reason":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 4b22a979-cb3e-412a-8824-d692d0d2f07e, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: PRe5rInFwJJw8I1II70mF4MJL1AV8JB8X8awh0V88eLa7ZHykxiUbsVyYzyxYoy6HLR5DSd5Ifg3YkZIw0l6Zej1GvOt2nsOSDdwYi3HeLDX6IXnRWa_eqIvYB30-9W9cHnqdTHCeAyhL2dr-w6GvzCPU2l0_4P6RBdqbShDz0cMZ8qgPBzsp4DZopW1LkXM0tedskyKz4qUc0NzpPotIZqxfaK07mcPHdhjhMjS46rHcwwUoWS--MAoal7d5rZSFSMC1Yqy7IZgc67GkS_yWW1ekC1ijJ9Q-I-fgak2-gYg3PjGa2l5Ost_qK1CsGPbCewkVpI1FRHUCzkloOB8kze0ZCsRxQDc5mW2Zc0sc2YE8X_hBBQ0rmsK1sf430Ygxc0PplAsj8u1l42x4PYB_aoDTI0oHVzd5ORoKxHwYK0006m_3G_6afsMP6H7SoqDXrVk5BKqTUflQoygHA9k-_jM10rNjU1QTZj0m5N5QDIynuAuYXu_zkVWdKMcFpNoAzYlP-UNCS7g7ITQCV6yqW2lHtc9FxcN1ryCoef7Mci-ri0M_bfo7NJTsbTAUCGUtwIsUH0D1lhFHaC3CTS1Om4ZKLHlej2s0aCVrFsQFvtbxntCE1kHn2Q5YLtCNoN-egtoF9FzXg0X-grIcHEjyTr0bM9DPLzyUZ0XtXB3leVIybV-wReiaQZTA_tfpEUfZVjFoi2tHDVb45XPyTVKFsg60qTf3DayL8ECePOJSIj_vra9n-QA-0Qlro_3PukVx-QMNkITUvCj-zxf2uZ4bsBD; CN03 guardrail aligned: allow-list expects deny for requester vpc-03e0763d329ec1a53","ReceiverVpcId":"vpc-027ef85c88b9d68c2","RequesterInAllowList":false,"RequesterVpcId":"vpc-03e0763d329ec1a53","Stderr":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 4b22a979-cb3e-412a-8824-d692d0d2f07e, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: PRe5rInFwJJw8I1II70mF4MJL1AV8JB8X8awh0V88eLa7ZHykxiUbsVyYzyxYoy6HLR5DSd5Ifg3YkZIw0l6Zej1GvOt2nsOSDdwYi3HeLDX6IXnRWa_eqIvYB30-9W9cHnqdTHCeAyhL2dr-w6GvzCPU2l0_4P6RBdqbShDz0cMZ8qgPBzsp4DZopW1LkXM0tedskyKz4qUc0NzpPotIZqxfaK07mcPHdhjhMjS46rHcwwUoWS--MAoal7d5rZSFSMC1Yqy7IZgc67GkS_yWW1ekC1ijJ9Q-I-fgak2-gYg3PjGa2l5Ost_qK1CsGPbCewkVpI1FRHUCzkloOB8kze0ZCsRxQDc5mW2Zc0sc2YE8X_hBBQ0rmsK1sf430Ygxc0PplAsj8u1l42x4PYB_aoDTI0oHVzd5ORoKxHwYK0006m_3G_6afsMP6H7SoqDXrVk5BKqTUflQoygHA9k-_jM10rNjU1QTZj0m5N5QDIynuAuYXu_zkVWdKMcFpNoAzYlP-UNCS7g7ITQCV6yqW2lHtc9FxcN1ryCoef7Mci-ri0M_bfo7NJTsbTAUCGUtwIsUH0D1lhFHaC3CTS1Om4ZKLHlej2s0aCVrFsQFvtbxntCE1kHn2Q5YLtCNoN-egtoF9FzXg0X-grIcHEjyTr0bM9DPLzyUZ0XtXB3leVIybV-wReiaQZTA_tfpEUfZVjFoi2tHDVb45XPyTVKFsg60qTf3DayL8ECePOJSIj_vra9n-QA-0Qlro_3PukVx-QMNkITUvCj-zxf2uZ4bsBD"}]
Scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed @vpc @tlp-amber @tlp-red @CCC.VPC.CN03 @CCC.VPC.CN03.AR01 @Destructive @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"27µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"125µs
And I refer to "{result}" as "vpcService"17µs
And I load environment variable "CN03_RECEIVER_VPC_ID" as "ReceiverVpcId"16µs
And I load environment variable "CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID" as "NonAllowlistedRequesterVpcId"19µs
And I load environment variable "CN03_PEER_TRIAL_MATRIX_FILE" as "PeerTrialMatrixFile"15µs
And "{ReceiverVpcId}" is not nil15µs
Given "{NonAllowlistedRequesterVpcId}" is not nil20µs
When I call "{vpcService}" with "EvaluatePeerAgainstAllowList" using argument "{NonAllowlistedRequesterVpcId}"85µs
Then "{result.AllowedListDefined}" is true21µs
And "{result.Allowed}" is false17µs
When I call "{vpcService}" with "AttemptVpcPeeringDryRun" using arguments "{NonAllowlistedRequesterVpcId}" and "{ReceiverVpcId}"388ms
Then "{result.DryRunAllowed}" is false347µs
And "{result.AllowListDefined}" is true61µs
And "{result.RequesterInAllowList}" is false84µs
And "{result.GuardrailExpectation}" is "deny"58µs
And "{result.GuardrailMismatch}" is false56µs
And "{result.ExitCode}" should be greater than "0"66µs
And "{result.Reason}" contains "guardrail aligned"65µs
And "{result.ConflictType}" is ""58µs
Feature: CCC.VPC.CN04.AR01 - Flow logs must capture all VPC traffic
Scenario: Main check (config): flow logs are active and capture all traffic @vpc @tlp-amber @tlp-red @CCC.VPC.CN04 @CCC.VPC.CN04.AR01 @Policy @MAIN @CCC.VPC @DEFAULT @CCC.VPC
Given a cloud api for "{Instance}" in "api"32µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"128µs
And I refer to "{result}" as "vpcService"20µs
Given I refer to "{UID}" as "TargetVpcId"20µs
When I call "{vpcService}" with "EvaluateVpcFlowLogsControl" using argument "{TargetVpcId}"327ms
Then "{result.FlowLogCount}" should be greater than "0"52µs
And "{result.NonCompliantCount}" is "0"33µs
Scenario: Behavioral check (active): traffic produces flow log records @vpc @tlp-amber @tlp-red @CCC.VPC.CN04 @CCC.VPC.CN04.AR01 @Behavioural @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"32µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"123µs
And I refer to "{result}" as "vpcService"17µs
Given I refer to "{UID}" as "TargetVpcId"26µs
When I call "{vpcService}" with "PrepareFlowLogDeliveryObservation" using argument "{TargetVpcId}"323ms
And I call "{vpcService}" with "GenerateTestTraffic" using argument "{TargetVpcId}"13s
And I refer to "{result.ResourceId}" as "TestResourceId"45µs
And I refer to "{result.CleanupDeleted}" as "TrafficCleanupDeleted"23µs
And I call "{vpcService}" with "ObserveRecentFlowLogDelivery" using argument "{TargetVpcId}"112ms
And I refer to "{result.RecordsObserved}" as "RecordsObserved"49µs
And I call "{vpcService}" with "DeleteTestResource" using argument "{TestResourceId}"435ms
Then "{result.Deleted}" is true44µs
And "{TrafficCleanupDeleted}" is true26µs
And "{RecordsObserved}" is true24µs