🥒 CCC.VPC Test: cfi-1775557775-vpc-cn03-disallowed-requester-02

Test Parameters

ServiceType	vpc
ProviderServiceType	ec2:vpc
CatalogTypes	CCC.VPC
TagFilter	@MAIN, @CCC.VPC
UID	vpc-00ceb92e81affe793
ResourceName	cfi-1775557775-vpc-cn03-disallowed-requester-02
Instance	{ "ID": "main-aws", "Properties": { "Provider": "aws", "Region": "us-east-1", "AzureResourceGroup": "", "AzureSubscriptionID": "", "GcpProjectId": "" }, "Services": [ { "Type": "object-storage", "Properties": { "object-storage-retention-period-days": 2 } }, { "Type": "logging", "Properties": { "aws-cloud-trail-log-group-name": "cfi-test-log-group" } }, { "Type": "vpc", "Properties": { "cn03-allowed-requester-vpc-ids": [ "vpc-0b622dcd5eee1a986,vpc-0c697ba86026b9c59" ], "cn03-disallowed-requester-vpc-ids": [ "vpc-00ceb92e81affe793,vpc-03e0763d329ec1a53" ], "cn03-receiver-vpc-id": "vpc-027ef85c88b9d68c2" } } ], "Rules": { "permitted-account-ids": "", "permitted-regions": [ "us-east-1" ] } }
AwsCloudTrailLogGroupName	cfi-test-log-group
Cn03AllowedRequesterVpcIds	[ "vpc-0b622dcd5eee1a986,vpc-0c697ba86026b9c59" ]
Cn03DisallowedRequesterVpcIds	[ "vpc-00ceb92e81affe793,vpc-03e0763d329ec1a53" ]
Cn03ReceiverVpcId	vpc-027ef85c88b9d68c2
ObjectStorageRetentionPeriodDays	2
PermittedRegions	[ "us-east-1" ]
Provider	aws
Region	us-east-1

Summary

Generated: 2026-04-07 10:39:59

Total Run Time: 3s

Features: 4

Scenarios: 7 (✅ 3 | ❌ 4)

Steps: 80 (✅ 73 | ❌ 4 | ⏭️ 3 | ❓ 0)

Filter by Tag:

Feature: CCC.VPC.CN01.AR01 - Subscription must not contain default network resources

Scenario: Main check: no default VPC exists @vpc @tlp-amber @tlp-red @CCC.VPC.CN01 @CCC.VPC.CN01.AR01 @Policy @MAIN @CCC.VPC @DEFAULT

Given a cloud api for "{Instance}" in "api"59µs

And I call "{api}" with "GetServiceAPI" using argument "vpc"145µs

And I refer to "{result}" as "vpcService"34µs

When I call "{vpcService}" with "CountDefaultVpcs"407ms

Then "{result}" is "0"50µs

Feature: CCC.VPC.CN02.AR01 - No external IP by default in public subnets

Scenario: Main check (config): public subnets do not auto-assign external IPs @vpc @tlp-red @CCC.VPC.CN02 @CCC.VPC.CN02.AR01 @Policy @MAIN @CCC.VPC @DEFAULT

Given a cloud api for "{Instance}" in "api"57µs

And I call "{api}" with "GetServiceAPI" using argument "vpc"148µs

And I refer to "{result}" as "vpcService"25µs

Given I refer to "{UID}" as "TargetVpcId"24µs

When I call "{vpcService}" with "EvaluatePublicSubnetDefaultIPControl" using argument "{TargetVpcId}"399ms

Then "{result.ViolatingSubnetCount}" is "0"62µs

And "{result.Reason}" contains "disable default public IP"37µs

expected {result.Reason} to contain 'disable default public IP', but got 'no public subnets found for in-scope VPC'

Scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP @vpc @tlp-red @CCC.VPC.CN02 @CCC.VPC.CN02.AR01 @Behavioural @MAIN @CCC.VPC

Given a cloud api for "{Instance}" in "api"39µs

And I call "{api}" with "GetServiceAPI" using argument "vpc"142µs

And I refer to "{result}" as "vpcService"26µs

Given I refer to "{UID}" as "TargetVpcId"24µs

When I call "{vpcService}" with "SelectPublicSubnetForTest" using argument "{TargetVpcId}"366ms

And I refer to "{result.SubnetId}" as "TestSubnetId"59µs

And I call "{vpcService}" with "CreateTestResourceInSubnet" using argument "{TestSubnetId}"37µs

And I refer to "{result.ResourceId}" as "TestResourceId"25µs

And I call "{vpcService}" with "GetResourceExternalIpAssignment" using argument "{TestResourceId}"43µs

And I refer to "{result.HasExternalIp}" as "HasExternalIp"23µs

Then "{HasExternalIp}" is false20µs

When I call "{vpcService}" with "DeleteTestResource" using argument "{TestResourceId}"46µs

Then "{result.Deleted}" is true27µs

expected {result.Deleted} to be truthy, got (type: )

Feature: CCC.VPC.CN03.AR01 - Restrict VPC peering requests from non-allowlisted requesters

Scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC @vpc @tlp-amber @tlp-red @CCC.VPC.CN03 @CCC.VPC.CN03.AR01 @Destructive @MAIN @DEFAULT @CCC.VPC

Given a cloud api for "{Instance}" in "api"41µs

And I call "{api}" with "GetServiceAPI" using argument "vpc"128µs

And I refer to "{result}" as "vpcService"22µs

And I load environment variable "CN03_RECEIVER_VPC_ID" as "ReceiverVpcId"26µs

And I load environment variable "CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID" as "NonAllowlistedRequesterVpcId"29µs

And I load environment variable "CN03_PEER_TRIAL_MATRIX_FILE" as "PeerTrialMatrixFile"18µs

And "{ReceiverVpcId}" is not nil13µs

When I call "{vpcService}" with "ValidateDisallowListEnforcement" using argument "{ReceiverVpcId}"532ms

And I attach "{result.Summary}" to the test output as "Disallow-list Enforcement Summary"67µs

And I attach "{result.Results}" to the test output as "Disallow-list Enforcement"101µs

Then "{result.ListDefined}" is true39µs

And "{result.TestedCount}" should be greater than "0"42µs

And "{result.AllCorrect}" is true20µs

And "{result.ViolationCount}" is "0"29µs

📎 Attachments:

Disallow-list Enforcement Summary

View Content (56 bytes)

all 2 disallow-list VPC(s) correctly denied by guardrail

Disallow-list Enforcement

View JSON (6439 bytes)

[{"AllowListDefined":true,"ConflictMessage":"","ConflictType":"","DryRunAllowed":false,"ErrorCode":"UnauthorizedOperation","ExitCode":1,"GuardrailExpectation":"deny","GuardrailMismatch":false,"Origin":"terraform-fixture","PeerOwnerId":"","PeerVpcId":"vpc-027ef85c88b9d68c2","Reason":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 37cafebc-b2b4-4a5f-95c6-d06f3aba2e05, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: VbM4jWgbC2zQPzRdJNoZ2zYlvWSbHCDKJpJ4zk8gU2ulPoQC5oeDJwFHTNtViLY58UcucDVGZqloJZQkOR_PKIuWiqLzNkf8RMd21Dqy3JyDR1ZqEBnLv211tsEgF7QGzNZ-PnA0r0oB8Z9hqdKwrBp9e4NBm0PToUqQk-4PnyESGIP3d828vRRHRHNkDAzrjsjvQTbHSAR0rbNNLy00ioNX11NkEkzteiG1Q0l5-6dMHkfyZFEbJDWIa2LgM2AMfZZEJW3UPrqOpQSJ7VIJtFWYuFdcTArSzd_xrdWsC8oY8o8pq08Y3-zQh_q_-zWZ28xLjK03YZwj9a3y3U22t_UsTh8Y6tEDlU8Mxem_mCqNWJnKhro1Jnan9QT7gSa5ODrs73Ha6lwUVQQSy0vluzHjT0UBWuLsVIBDr31qaFwY5fMw22q3Yg8fspQ2aY-Wi6h6KOaXvtajcDhPIujsLmayQ0Lyq_t39BmoeEI_Ua-Z2vuS6aRiqf2dC4OxbtII25oCmBiohlJyh2mI0zwdRICBkOVTvegxFiO03WD1jU_Jp6fuLN2uypTvT6MB-rRrSEoMaMjyNTAIGSWwvjAV3qmKSE9nAzPodJckG2K0-xbLpDZM_cJfqkvPM_3VoZsLGuVH8vKA90BQZSCsCUN3SH-32xQgnvsk8fykTFJAmSKhkDfcrCqnu9Zt7ApqfVZuJQCfptAmJRGZGwwv-xrFM-TuTMkld3fSMFwT56Pe8dm-__jUtgLKTZ1RnbXo_pONpgtmwucHmYHQoyqaMyzx721H; CN03 guardrail aligned: allow-list expects deny for requester vpc-00ceb92e81affe793","ReceiverVpcId":"vpc-027ef85c88b9d68c2","RequesterInAllowList":false,"RequesterVpcId":"vpc-00ceb92e81affe793","Stderr":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 37cafebc-b2b4-4a5f-95c6-d06f3aba2e05, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: VbM4jWgbC2zQPzRdJNoZ2zYlvWSbHCDKJpJ4zk8gU2ulPoQC5oeDJwFHTNtViLY58UcucDVGZqloJZQkOR_PKIuWiqLzNkf8RMd21Dqy3JyDR1ZqEBnLv211tsEgF7QGzNZ-PnA0r0oB8Z9hqdKwrBp9e4NBm0PToUqQk-4PnyESGIP3d828vRRHRHNkDAzrjsjvQTbHSAR0rbNNLy00ioNX11NkEkzteiG1Q0l5-6dMHkfyZFEbJDWIa2LgM2AMfZZEJW3UPrqOpQSJ7VIJtFWYuFdcTArSzd_xrdWsC8oY8o8pq08Y3-zQh_q_-zWZ28xLjK03YZwj9a3y3U22t_UsTh8Y6tEDlU8Mxem_mCqNWJnKhro1Jnan9QT7gSa5ODrs73Ha6lwUVQQSy0vluzHjT0UBWuLsVIBDr31qaFwY5fMw22q3Yg8fspQ2aY-Wi6h6KOaXvtajcDhPIujsLmayQ0Lyq_t39BmoeEI_Ua-Z2vuS6aRiqf2dC4OxbtII25oCmBiohlJyh2mI0zwdRICBkOVTvegxFiO03WD1jU_Jp6fuLN2uypTvT6MB-rRrSEoMaMjyNTAIGSWwvjAV3qmKSE9nAzPodJckG2K0-xbLpDZM_cJfqkvPM_3VoZsLGuVH8vKA90BQZSCsCUN3SH-32xQgnvsk8fykTFJAmSKhkDfcrCqnu9Zt7ApqfVZuJQCfptAmJRGZGwwv-xrFM-TuTMkld3fSMFwT56Pe8dm-__jUtgLKTZ1RnbXo_pONpgtmwucHmYHQoyqaMyzx721H"},{"AllowListDefined":true,"ConflictMessage":"","ConflictType":"","DryRunAllowed":false,"ErrorCode":"UnauthorizedOperation","ExitCode":1,"GuardrailExpectation":"deny","GuardrailMismatch":false,"Origin":"terraform-fixture","PeerOwnerId":"","PeerVpcId":"vpc-027ef85c88b9d68c2","Reason":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 969f2ff2-8e42-49fd-b590-467c0147e2a4, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: 4hdnImCp-p5qh70OHSN6xXzotqVVFqdf3Lv_IeDcTF4rwxi3MLfWNK-yxkIWS-6fNTVlR-5ZdzinaAGFJkBCq46IxdHx1bH373a2ni169wAsx1-DE3I5MoX8D46UjKeFFSSDzFWYV6UQg2BzC8GRee9TQOu78cQLdgMeBbWEDV_FyVMe3lnn2SPxeOqxv8iSAoQX-rQpC0ACMIFmxXi3HAJC8buQKqqtCHmK8klKWK5Xk-JD5BDgCfHy8RKYR5HDOZNyF8GBVUtmnrIOajoe11fm88pZtlfjyAQkIozTeUYfW5CQwEahmcfgzny3zboRcE4JCu9Dk3fHovhV588PrxdEb722P_vedUMGFS9Yj3KKfskIPtAX9-A5quJHDiGNcwPnlYRm-q4HNOnixYD2m_dwKiByI0sTtt6DQl2fEI9ox89fVtzyIJTitdul6gN8qw--kad1S-nZso7EY2KfGvytdARot_W-xEYxozg_XYOf8yS9UXAA5BR6hIG7XkKpLzTF-kzeaZdlWusZx-wBY-_KtwmV2kRNIKhFzg1EtYYKJT3VCzrzs3iz11F_fsQdMWWvPmQ16Zqw_DgWkP9sbga70vbTawc8YobzdQyNbyARRZCSJjUUP3yQDl6obvefYPbbgeZW8WZf1EojYQ5rvovfwH_pJjYgNQhCdSmWiUHq2WFcWYcW03SA3FtTtOiEPigINGlAR-TJCJnkBYLXKaqdWIG_4oNthw8-KvgtSBbQi3fKAUw_SKPsPXzhGggDEzp6lRPsX4eps-hu4BKBk3de; CN03 guardrail aligned: allow-list expects deny for requester vpc-03e0763d329ec1a53","ReceiverVpcId":"vpc-027ef85c88b9d68c2","RequesterInAllowList":false,"RequesterVpcId":"vpc-03e0763d329ec1a53","Stderr":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 969f2ff2-8e42-49fd-b590-467c0147e2a4, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: 4hdnImCp-p5qh70OHSN6xXzotqVVFqdf3Lv_IeDcTF4rwxi3MLfWNK-yxkIWS-6fNTVlR-5ZdzinaAGFJkBCq46IxdHx1bH373a2ni169wAsx1-DE3I5MoX8D46UjKeFFSSDzFWYV6UQg2BzC8GRee9TQOu78cQLdgMeBbWEDV_FyVMe3lnn2SPxeOqxv8iSAoQX-rQpC0ACMIFmxXi3HAJC8buQKqqtCHmK8klKWK5Xk-JD5BDgCfHy8RKYR5HDOZNyF8GBVUtmnrIOajoe11fm88pZtlfjyAQkIozTeUYfW5CQwEahmcfgzny3zboRcE4JCu9Dk3fHovhV588PrxdEb722P_vedUMGFS9Yj3KKfskIPtAX9-A5quJHDiGNcwPnlYRm-q4HNOnixYD2m_dwKiByI0sTtt6DQl2fEI9ox89fVtzyIJTitdul6gN8qw--kad1S-nZso7EY2KfGvytdARot_W-xEYxozg_XYOf8yS9UXAA5BR6hIG7XkKpLzTF-kzeaZdlWusZx-wBY-_KtwmV2kRNIKhFzg1EtYYKJT3VCzrzs3iz11F_fsQdMWWvPmQ16Zqw_DgWkP9sbga70vbTawc8YobzdQyNbyARRZCSJjUUP3yQDl6obvefYPbbgeZW8WZf1EojYQ5rvovfwH_pJjYgNQhCdSmWiUHq2WFcWYcW03SA3FtTtOiEPigINGlAR-TJCJnkBYLXKaqdWIG_4oNthw8-KvgtSBbQi3fKAUw_SKPsPXzhGggDEzp6lRPsX4eps-hu4BKBk3de"}]

Scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed @vpc @tlp-amber @tlp-red @CCC.VPC.CN03 @CCC.VPC.CN03.AR01 @Destructive @MAIN @CCC.VPC

Given a cloud api for "{Instance}" in "api"98µs

And I call "{api}" with "GetServiceAPI" using argument "vpc"205µs

And I refer to "{result}" as "vpcService"52µs

And I load environment variable "CN03_RECEIVER_VPC_ID" as "ReceiverVpcId"57µs

And I load environment variable "CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID" as "NonAllowlistedRequesterVpcId"65µs

And I load environment variable "CN03_PEER_TRIAL_MATRIX_FILE" as "PeerTrialMatrixFile"69µs

And "{ReceiverVpcId}" is not nil48µs

Given "{NonAllowlistedRequesterVpcId}" is not nil66µs

When I call "{vpcService}" with "EvaluatePeerAgainstAllowList" using argument "{NonAllowlistedRequesterVpcId}"401µs

Then "{result.AllowedListDefined}" is true29µs

And "{result.Allowed}" is false21µs

When I call "{vpcService}" with "AttemptVpcPeeringDryRun" using arguments "{NonAllowlistedRequesterVpcId}" and "{ReceiverVpcId}"392ms

Then "{result.DryRunAllowed}" is false56µs

And "{result.AllowListDefined}" is true30µs

And "{result.RequesterInAllowList}" is false27µs

And "{result.GuardrailExpectation}" is "deny"42µs

And "{result.GuardrailMismatch}" is false28µs

And "{result.ExitCode}" should be greater than "0"70µs

And "{result.Reason}" contains "guardrail aligned"27µs

And "{result.ConflictType}" is ""37µs

Feature: CCC.VPC.CN04.AR01 - Flow logs must capture all VPC traffic

Scenario: Main check (config): flow logs are active and capture all traffic @vpc @tlp-amber @tlp-red @CCC.VPC.CN04 @CCC.VPC.CN04.AR01 @Policy @MAIN @CCC.VPC @DEFAULT @CCC.VPC

Given a cloud api for "{Instance}" in "api"32µs

And I call "{api}" with "GetServiceAPI" using argument "vpc"126µs

And I refer to "{result}" as "vpcService"24µs

Given I refer to "{UID}" as "TargetVpcId"23µs

When I call "{vpcService}" with "EvaluateVpcFlowLogsControl" using argument "{TargetVpcId}"339ms

Then "{result.FlowLogCount}" should be greater than "0"56µs

expected {result.FlowLogCount} (0) to be greater than 0

And "{result.NonCompliantCount}" is "0"23µs

Scenario: Behavioral check (active): traffic produces flow log records @vpc @tlp-amber @tlp-red @CCC.VPC.CN04 @CCC.VPC.CN04.AR01 @Behavioural @MAIN @CCC.VPC

Given a cloud api for "{Instance}" in "api"37µs

And I call "{api}" with "GetServiceAPI" using argument "vpc"338µs

And I refer to "{result}" as "vpcService"168µs

Given I refer to "{UID}" as "TargetVpcId"66µs

When I call "{vpcService}" with "PrepareFlowLogDeliveryObservation" using argument "{TargetVpcId}"322ms

And I call "{vpcService}" with "GenerateTestTraffic" using argument "{TargetVpcId}"124ms

And I refer to "{result.ResourceId}" as "TestResourceId"54µs

And I refer to "{result.CleanupDeleted}" as "TrafficCleanupDeleted"35µs

And I call "{vpcService}" with "ObserveRecentFlowLogDelivery" using argument "{TargetVpcId}"106ms

And I refer to "{result.RecordsObserved}" as "RecordsObserved"81µs

And I call "{vpcService}" with "DeleteTestResource" using argument "{TestResourceId}"37µs

Then "{result.Deleted}" is true40µs

expected {result.Deleted} to be truthy, got (type: )

And "{TrafficCleanupDeleted}" is true22µs

And "{RecordsObserved}" is true20µs