🥒 CCC.SecMgmt Test: ccc-avm-test-secret-20260611

Test Parameters

ServiceType: secrets
ProviderServiceType: Microsoft.KeyVault/vault/secrets
CatalogTypes: CCC.SecMgmt
TagFilter: @Behavioural, @secrets, @Behavioural
UID: ccc-avm-test-secret-20260611
ResourceName: ccc-avm-test-secret-20260611
Config:
{}
authorized-region: westus2
azure-key-vault-name: avmkv20260611
azure-key-vault-uri: https://avmkv20260611.vault.azure.net/
azure-secret-name: ccc-avm-test-secret-20260611
azure-subscription-id: c1cedd8e-bf91-4d7d-a4cc-45700402a2a1
azure-tenant-id: fa193ac0-9c06-4111-bf55-341e4db193d3
catalog-versions:
{
  "CCC.Core": "v2025.10",
  "CCC.SecMgmt": "DEV"
}
permitted-regions:
[
  "westus2"
]
provider: azure
region: westus2
resource: ccc-avm-test-secret-20260611
service: secrets
service-type: secrets
stale-version-id: 00000000000000000000000000000000
tags: @Behavioural @secrets
unauthorized-region: westeurope

Summary

Generated: 2026-06-22 17:05:58

Total Run Time: 40s

Features: 2

Scenarios: 4 (✅ 2 | ❌ 2)

Steps: 26 (✅ 18 | ❌ 2 | ⏭️ 6 | ❓ 0)

Feature: CCC.SecMgmt.CN01.AR01 - Deny Outdated Secret Version After Rotation
Scenario: Current secret version is readable @CCC.SecMgmt @CCC.SecMgmt.CN01 @PerService @tlp-amber @tlp-red @Behavioural @secrets @SANITY @OPT_IN
Given a cloud api for "{config}" in "api" (38µs)
And I call "{api}" with "GetServiceAPI" using argument "secrets" (97µs)
And I refer to "{result}" as "svc" (17µs)
When I call "{svc}" with "RetrieveSecretVersion" using arguments "{uid}" and "latest" (11s)
Then "{result}" is not an error (43µs)
expected {result} to not be an error, but got: access denied: Get "https://avmkv20260611.vault.azure.net/secrets/ccc-avm-test-secret-20260611/?api-version=2025-07-01": dial tcp: lookup avmkv20260611.vault.azure.net on 127.0.0.53:53: no such host
And I refer to "{result}" as "currentSecret" (13µs)
And I attach "{currentSecret}" to the test output as "Current Secret Version" (20µs)
Then "{currentSecret.Denied}" is "false" (106µs)
Scenario: Stale secret version retrieve is denied @CCC.SecMgmt @CCC.SecMgmt.CN01 @PerService @tlp-amber @tlp-red @Behavioural @secrets @MAIN
Given a cloud api for "{config}" in "api" (72µs)
And I call "{api}" with "GetServiceAPI" using argument "secrets" (54µs)
And I refer to "{result}" as "svc" (37µs)
When I call "{svc}" with "RetrieveSecretVersion" using arguments "{uid}" and "{stale-version-id}" (10s)
Then "{result}" is an error (28µs)
Feature: CCC.SecMgmt.CN02.AR01 - Deny Retrieve From Unauthorized Region
Scenario: Authorized region read succeeds @CCC.SecMgmt @CCC.SecMgmt.CN02 @PerService @tlp-amber @tlp-red @Behavioural @secrets @SANITY @OPT_IN
Given a cloud api for "{config}" in "api" (37µs)
And I call "{api}" with "GetServiceAPI" using argument "secrets" (33µs)
And I refer to "{result}" as "svc" (19µs)
When I call "{svc}" with "RetrieveSecretInRegion" using arguments "{uid}" and "{authorized-region}" (8s)
Then "{result}" is not an error (30µs)
expected {result} to not be an error, but got: access denied: Get "https://avmkv20260611.vault.azure.net/secrets/ccc-avm-test-secret-20260611/?api-version=2025-07-01": dial tcp: lookup avmkv20260611.vault.azure.net on 127.0.0.53:53: no such host
And I refer to "{result}" as "authorizedRead" (12µs)
And I attach "{authorizedRead}" to the test output as "Authorized Region Read" (17µs)
Then "{authorizedRead.Denied}" is "false" (16µs)
Scenario: Unauthorized region read is denied @CCC.SecMgmt @CCC.SecMgmt.CN02 @PerService @tlp-amber @tlp-red @Behavioural @secrets @MAIN
Given a cloud api for "{config}" in "api" (33µs)
And I call "{api}" with "GetServiceAPI" using argument "secrets" (32µs)
And I refer to "{result}" as "svc" (19µs)
When I call "{svc}" with "RetrieveSecretInRegion" using arguments "{uid}" and "{unauthorized-region}" (11s)
Then "{result}" is an error (24µs)