🥒 CCC.VPC Test: cfi-1775557775-vpc-cn03-allowed-requester-01

Test Parameters

ServiceTypevpc
ProviderServiceTypeec2:vpc
CatalogTypesCCC.VPC
TagFilter@MAIN, @CCC.VPC
UIDvpc-0c697ba86026b9c59
ResourceNamecfi-1775557775-vpc-cn03-allowed-requester-01
Instance
{
  "ID": "main-aws",
  "Properties": {
    "Provider": "aws",
    "Region": "us-east-1",
    "AzureResourceGroup": "",
    "AzureSubscriptionID": "",
    "GcpProjectId": ""
  },
  "Services": [
    {
      "Type": "object-storage",
      "Properties": {
        "object-storage-retention-period-days": 2
      }
    },
    {
      "Type": "logging",
      "Properties": {
        "aws-cloud-trail-log-group-name": "cfi-test-log-group"
      }
    },
    {
      "Type": "vpc",
      "Properties": {
        "cn03-allowed-requester-vpc-ids": [
          "vpc-0b622dcd5eee1a986,vpc-0c697ba86026b9c59"
        ],
        "cn03-disallowed-requester-vpc-ids": [
          "vpc-00ceb92e81affe793,vpc-03e0763d329ec1a53"
        ],
        "cn03-receiver-vpc-id": "vpc-027ef85c88b9d68c2"
      }
    }
  ],
  "Rules": {
    "permitted-account-ids": "",
    "permitted-regions": [
      "us-east-1"
    ]
  }
}
AwsCloudTrailLogGroupNamecfi-test-log-group
Cn03AllowedRequesterVpcIds
[
  "vpc-0b622dcd5eee1a986,vpc-0c697ba86026b9c59"
]
Cn03DisallowedRequesterVpcIds
[
  "vpc-00ceb92e81affe793,vpc-03e0763d329ec1a53"
]
Cn03ReceiverVpcIdvpc-027ef85c88b9d68c2
ObjectStorageRetentionPeriodDays2
PermittedRegions
[
  "us-east-1"
]
Provideraws
Regionus-east-1

Summary

Generated: 2026-04-07 10:40:08

Total Run Time: 3s

Features: 4

Scenarios: 7 (✅ 3 | ❌ 4)

Steps: 80 (✅ 73 | ❌ 4 | ⏭️ 3 | ❓ 0)

Feature: CCC.VPC.CN01.AR01 - Subscription must not contain default network resources
Scenario: Main check: no default VPC exists @vpc @tlp-amber @tlp-red @CCC.VPC.CN01 @CCC.VPC.CN01.AR01 @Policy @MAIN @CCC.VPC @DEFAULT
Given a cloud api for "{Instance}" in "api"29µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"110µs
And I refer to "{result}" as "vpcService"21µs
When I call "{vpcService}" with "CountDefaultVpcs"358ms
Then "{result}" is "0"27µs
Feature: CCC.VPC.CN02.AR01 - No external IP by default in public subnets
Scenario: Main check (config): public subnets do not auto-assign external IPs @vpc @tlp-red @CCC.VPC.CN02 @CCC.VPC.CN02.AR01 @Policy @MAIN @CCC.VPC @DEFAULT
Given a cloud api for "{Instance}" in "api"39µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"132µs
And I refer to "{result}" as "vpcService"14µs
Given I refer to "{UID}" as "TargetVpcId"13µs
When I call "{vpcService}" with "EvaluatePublicSubnetDefaultIPControl" using argument "{TargetVpcId}"378ms
Then "{result.ViolatingSubnetCount}" is "0"57µs
And "{result.Reason}" contains "disable default public IP"42µs
expected {result.Reason} to contain 'disable default public IP', but got 'no public subnets found for in-scope VPC'
Scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP @vpc @tlp-red @CCC.VPC.CN02 @CCC.VPC.CN02.AR01 @Behavioural @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"76µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"228µs
And I refer to "{result}" as "vpcService"30µs
Given I refer to "{UID}" as "TargetVpcId"193µs
When I call "{vpcService}" with "SelectPublicSubnetForTest" using argument "{TargetVpcId}"450ms
And I refer to "{result.SubnetId}" as "TestSubnetId"51µs
And I call "{vpcService}" with "CreateTestResourceInSubnet" using argument "{TestSubnetId}"37µs
And I refer to "{result.ResourceId}" as "TestResourceId"66µs
And I call "{vpcService}" with "GetResourceExternalIpAssignment" using argument "{TestResourceId}"30µs
And I refer to "{result.HasExternalIp}" as "HasExternalIp"30µs
Then "{HasExternalIp}" is false21µs
When I call "{vpcService}" with "DeleteTestResource" using argument "{TestResourceId}"27µs
Then "{result.Deleted}" is true26µs
expected {result.Deleted} to be truthy, got (type: )
Feature: CCC.VPC.CN03.AR01 - Restrict VPC peering requests from non-allowlisted requesters
Scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC @vpc @tlp-amber @tlp-red @CCC.VPC.CN03 @CCC.VPC.CN03.AR01 @Destructive @MAIN @DEFAULT @CCC.VPC
Given a cloud api for "{Instance}" in "api"31µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"130µs
And I refer to "{result}" as "vpcService"23µs
And I load environment variable "CN03_RECEIVER_VPC_ID" as "ReceiverVpcId"31µs
And I load environment variable "CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID" as "NonAllowlistedRequesterVpcId"35µs
And I load environment variable "CN03_PEER_TRIAL_MATRIX_FILE" as "PeerTrialMatrixFile"29µs
And "{ReceiverVpcId}" is not nil27µs
When I call "{vpcService}" with "ValidateDisallowListEnforcement" using argument "{ReceiverVpcId}"478ms
And I attach "{result.Summary}" to the test output as "Disallow-list Enforcement Summary"75µs
And I attach "{result.Results}" to the test output as "Disallow-list Enforcement"124µs
Then "{result.ListDefined}" is true43µs
And "{result.TestedCount}" should be greater than "0"44µs
And "{result.AllCorrect}" is true25µs
And "{result.ViolationCount}" is "0"23µs
📎 Attachments:
Disallow-list Enforcement Summary
View Content (56 bytes)
all 2 disallow-list VPC(s) correctly denied by guardrail
Disallow-list Enforcement
View JSON (6439 bytes)
[{"AllowListDefined":true,"ConflictMessage":"","ConflictType":"","DryRunAllowed":false,"ErrorCode":"UnauthorizedOperation","ExitCode":1,"GuardrailExpectation":"deny","GuardrailMismatch":false,"Origin":"terraform-fixture","PeerOwnerId":"","PeerVpcId":"vpc-027ef85c88b9d68c2","Reason":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 0e04121e-216c-4d4e-be1d-359ee7ffd519, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: IG_g2thsjHP2Jee4H_bgGsdrYJCHgMIfKGDr3HRbTOPbYpoE9T1IdlEGzJC7RV2sRqMj4K8o96l07mapqPXPFaDC8IBXmqlSjpR2lzCx8DfImV2a2iQkHrgNir7DVD0_wyKEEeJnwWfOijs9g0JNdtJIdpUT_YPp7FkZ50cLkH8yYancLtiR3DwVmxQIRkOSi4VoZ0h70QrDKIxcYLnRSUzDJ7ZcF94VOaWt409CjYkWDOLSVZ308c9WV6uPTZ7AotQ_VWu1ofG56u0pDzGybNf7mz0G0sUgEupJ5__LFOGnSXWe7i82iBVDI7-wOWLxxHNSSlOwtoMM9AX7Y8U2zl_wJMAZctubhjjGm2Ewx8St_eO0TsUUa-bg1WYVy4hqUJmt75fvPhPVYaRL8uZSFpdOukp0xwCdPozJagG4jpPbQ0hWN5jQL-OiATVGy-BK40RbTeOo8qbKsBkvzZE_ULvMoR-wt8hh4Iw-UeZ_WiSnHkz2YLYegoaAjUgDYbSqVW66bU0QJRUMRVCzOcrwFd9fn2cnrqTtXzk3YHW8CGX3LJV5TRskA4_jgTcodP7uRU3uWaaaeYKfxu9mdM9RoR7G9-dAGkzqNBnG_ELB6V7-RcuEdmlLRO3XAYro5NARued4CmdWrLXBvvu529W2AaS9GpCnRlz6O_7xV2nWOYPfcL-CHJnGLwJTIcC3rj5_OY8sLaxx8zCta66UqdD34CZV24cYbl_cDJWQM4-EW9VlRL4h22qj88RBaeuwM11x1aH4276tMrJfos9Qk29vpu0f; CN03 guardrail aligned: allow-list expects deny for requester vpc-00ceb92e81affe793","ReceiverVpcId":"vpc-027ef85c88b9d68c2","RequesterInAllowList":false,"RequesterVpcId":"vpc-00ceb92e81affe793","Stderr":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 0e04121e-216c-4d4e-be1d-359ee7ffd519, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: IG_g2thsjHP2Jee4H_bgGsdrYJCHgMIfKGDr3HRbTOPbYpoE9T1IdlEGzJC7RV2sRqMj4K8o96l07mapqPXPFaDC8IBXmqlSjpR2lzCx8DfImV2a2iQkHrgNir7DVD0_wyKEEeJnwWfOijs9g0JNdtJIdpUT_YPp7FkZ50cLkH8yYancLtiR3DwVmxQIRkOSi4VoZ0h70QrDKIxcYLnRSUzDJ7ZcF94VOaWt409CjYkWDOLSVZ308c9WV6uPTZ7AotQ_VWu1ofG56u0pDzGybNf7mz0G0sUgEupJ5__LFOGnSXWe7i82iBVDI7-wOWLxxHNSSlOwtoMM9AX7Y8U2zl_wJMAZctubhjjGm2Ewx8St_eO0TsUUa-bg1WYVy4hqUJmt75fvPhPVYaRL8uZSFpdOukp0xwCdPozJagG4jpPbQ0hWN5jQL-OiATVGy-BK40RbTeOo8qbKsBkvzZE_ULvMoR-wt8hh4Iw-UeZ_WiSnHkz2YLYegoaAjUgDYbSqVW66bU0QJRUMRVCzOcrwFd9fn2cnrqTtXzk3YHW8CGX3LJV5TRskA4_jgTcodP7uRU3uWaaaeYKfxu9mdM9RoR7G9-dAGkzqNBnG_ELB6V7-RcuEdmlLRO3XAYro5NARued4CmdWrLXBvvu529W2AaS9GpCnRlz6O_7xV2nWOYPfcL-CHJnGLwJTIcC3rj5_OY8sLaxx8zCta66UqdD34CZV24cYbl_cDJWQM4-EW9VlRL4h22qj88RBaeuwM11x1aH4276tMrJfos9Qk29vpu0f"},{"AllowListDefined":true,"ConflictMessage":"","ConflictType":"","DryRunAllowed":false,"ErrorCode":"UnauthorizedOperation","ExitCode":1,"GuardrailExpectation":"deny","GuardrailMismatch":false,"Origin":"terraform-fixture","PeerOwnerId":"","PeerVpcId":"vpc-027ef85c88b9d68c2","Reason":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: fbce6178-ec0b-4439-b105-d70284f9a1d4, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: 5BM-CzRoBEObvLmDINoU_YTgT2CtxQrz1N-ySXhPfnOCvfhRaRzWY3MUG9u2Plj2nqOe8kcR1A6BwtJ-dtZhk-k5-oks9Kjokql2MQ9pKAm1EyXvI__n2kLnP5nF83hCkj5rccl4_8dsH4vkApXpuOp1olz_-Hi44Du6Vp9rO6KaW_5AEaSc2kzX4yezOssctnZ37ylodjYEslx_O2nS9E62d_Nglo0F5_gZWXg2xGQ2UQe_2AJ2BAIU5Jc8bBDpsOUk4EZp3b7wqIKYEv_w47zqfOhnwcE_le5k4nOjCYB_P4ASU7T98dlQt9ADQ2By3xADyGbiS1c6mqt8knG-jQH86abz4uBhOoTzEjnFxmkGVOLPjvgRxsYOOe5g6cciJUdvsB89GwKnqJw_Gq0Ty4PIQglJDFJ536V3Q5XLUFofGRyju86LUIgNW092N2Iy47fCnMUEJcur-3ObHeoudE3Y14wwoVe8UzbBdweQI9cjyR1dSQWp6kPwW8s0unyciS7yjVvAcJwmUlTFGyZntj86MuBrOn4ApGfhzfkBuOLFFNOzcWDmJbTSKOwVrP3jTZm3oJDz-Eu1JAJf3j9Ejdp0srIL4UejSayayYaAVN_dKLgbbKkLmlt7iaVdTsHya-t2VjQ002rj4oCI4fEShMS5rTbipRO3cUYPYMbZXOsJkNW-jw9ILkpxz-3bkcfqpv9fXlFRaTYnTN4NG-MH23VpVLlUEQgNbR_Csc9EwBlt-4k0C5iAG_bvUfh-fR6yQOin96zvDIALuLYyEyFS3eCb; CN03 guardrail aligned: allow-list expects deny for requester vpc-03e0763d329ec1a53","ReceiverVpcId":"vpc-027ef85c88b9d68c2","RequesterInAllowList":false,"RequesterVpcId":"vpc-03e0763d329ec1a53","Stderr":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: fbce6178-ec0b-4439-b105-d70284f9a1d4, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: 5BM-CzRoBEObvLmDINoU_YTgT2CtxQrz1N-ySXhPfnOCvfhRaRzWY3MUG9u2Plj2nqOe8kcR1A6BwtJ-dtZhk-k5-oks9Kjokql2MQ9pKAm1EyXvI__n2kLnP5nF83hCkj5rccl4_8dsH4vkApXpuOp1olz_-Hi44Du6Vp9rO6KaW_5AEaSc2kzX4yezOssctnZ37ylodjYEslx_O2nS9E62d_Nglo0F5_gZWXg2xGQ2UQe_2AJ2BAIU5Jc8bBDpsOUk4EZp3b7wqIKYEv_w47zqfOhnwcE_le5k4nOjCYB_P4ASU7T98dlQt9ADQ2By3xADyGbiS1c6mqt8knG-jQH86abz4uBhOoTzEjnFxmkGVOLPjvgRxsYOOe5g6cciJUdvsB89GwKnqJw_Gq0Ty4PIQglJDFJ536V3Q5XLUFofGRyju86LUIgNW092N2Iy47fCnMUEJcur-3ObHeoudE3Y14wwoVe8UzbBdweQI9cjyR1dSQWp6kPwW8s0unyciS7yjVvAcJwmUlTFGyZntj86MuBrOn4ApGfhzfkBuOLFFNOzcWDmJbTSKOwVrP3jTZm3oJDz-Eu1JAJf3j9Ejdp0srIL4UejSayayYaAVN_dKLgbbKkLmlt7iaVdTsHya-t2VjQ002rj4oCI4fEShMS5rTbipRO3cUYPYMbZXOsJkNW-jw9ILkpxz-3bkcfqpv9fXlFRaTYnTN4NG-MH23VpVLlUEQgNbR_Csc9EwBlt-4k0C5iAG_bvUfh-fR6yQOin96zvDIALuLYyEyFS3eCb"}]
Scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed @vpc @tlp-amber @tlp-red @CCC.VPC.CN03 @CCC.VPC.CN03.AR01 @Destructive @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"42µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"139µs
And I refer to "{result}" as "vpcService"16µs
And I load environment variable "CN03_RECEIVER_VPC_ID" as "ReceiverVpcId"18µs
And I load environment variable "CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID" as "NonAllowlistedRequesterVpcId"18µs
And I load environment variable "CN03_PEER_TRIAL_MATRIX_FILE" as "PeerTrialMatrixFile"29µs
And "{ReceiverVpcId}" is not nil16µs
Given "{NonAllowlistedRequesterVpcId}" is not nil16µs
When I call "{vpcService}" with "EvaluatePeerAgainstAllowList" using argument "{NonAllowlistedRequesterVpcId}"108µs
Then "{result.AllowedListDefined}" is true26µs
And "{result.Allowed}" is false38µs
When I call "{vpcService}" with "AttemptVpcPeeringDryRun" using arguments "{NonAllowlistedRequesterVpcId}" and "{ReceiverVpcId}"393ms
Then "{result.DryRunAllowed}" is false83µs
And "{result.AllowListDefined}" is true63µs
And "{result.RequesterInAllowList}" is false65µs
And "{result.GuardrailExpectation}" is "deny"62µs
And "{result.GuardrailMismatch}" is false58µs
And "{result.ExitCode}" should be greater than "0"67µs
And "{result.Reason}" contains "guardrail aligned"67µs
And "{result.ConflictType}" is ""162µs
Feature: CCC.VPC.CN04.AR01 - Flow logs must capture all VPC traffic
Scenario: Main check (config): flow logs are active and capture all traffic @vpc @tlp-amber @tlp-red @CCC.VPC.CN04 @CCC.VPC.CN04.AR01 @Policy @MAIN @CCC.VPC @DEFAULT @CCC.VPC
Given a cloud api for "{Instance}" in "api"42µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"126µs
And I refer to "{result}" as "vpcService"15µs
Given I refer to "{UID}" as "TargetVpcId"12µs
When I call "{vpcService}" with "EvaluateVpcFlowLogsControl" using argument "{TargetVpcId}"333ms
Then "{result.FlowLogCount}" should be greater than "0"56µs
expected {result.FlowLogCount} (0) to be greater than 0
And "{result.NonCompliantCount}" is "0"28µs
Scenario: Behavioral check (active): traffic produces flow log records @vpc @tlp-amber @tlp-red @CCC.VPC.CN04 @CCC.VPC.CN04.AR01 @Behavioural @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"33µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"147µs
And I refer to "{result}" as "vpcService"27µs
Given I refer to "{UID}" as "TargetVpcId"24µs
When I call "{vpcService}" with "PrepareFlowLogDeliveryObservation" using argument "{TargetVpcId}"349ms
And I call "{vpcService}" with "GenerateTestTraffic" using argument "{TargetVpcId}"188ms
And I refer to "{result.ResourceId}" as "TestResourceId"50µs
And I refer to "{result.CleanupDeleted}" as "TrafficCleanupDeleted"26µs
And I call "{vpcService}" with "ObserveRecentFlowLogDelivery" using argument "{TargetVpcId}"117ms
And I refer to "{result.RecordsObserved}" as "RecordsObserved"74µs
And I call "{vpcService}" with "DeleteTestResource" using argument "{TestResourceId}"36µs
Then "{result.Deleted}" is true36µs
expected {result.Deleted} to be truthy, got (type: )
And "{TrafficCleanupDeleted}" is true21µs
And "{RecordsObserved}" is true20µs