🥒 CCC.SvlsComp Test: avmfunc20260611

Test Parameters

ServiceTypeserverless-computing
ProviderServiceTypeMicrosoft.Web/sites/functions
CatalogTypesCCC.SvlsComp
TagFilter@Behavioural, @serverless-computing, @Behavioural
UIDavmfunc20260611
ResourceNameavmfunc20260611
Config
{}
azure-log-analytics-workspace-id433b7b84-1ba6-4f5c-8375-6d2016f07e6a
azure-resource-groupavm-testing
azure-subscription-idc1cedd8e-bf91-4d7d-a4cc-45700402a2a1
burst-overrun15
catalog-versions
{
  "CCC.Core": "v2025.10",
  "CCC.SvlsComp": "DEV"
}
function-nameavmfunc20260611
permitted-regions
[
  "westus2"
]
private-endpoint-urlhttps://avmfunc20260611.privatelink.azurewebsites.net/api/HttpTrigger
providerazure
rate-limit-threshold10
regionwestus2
resourceavmfunc20260611
serviceserverless-computing
service-typeserverless-computing
tags@Behavioural @serverless-computing

Summary

Generated: 2026-06-22 17:06:39

Total Run Time: 32s

Features: 12

Scenarios: 14 (✅ 5 | ❌ 9)

Steps: 105 (✅ 84 | ❌ 9 | ⏭️ 11 | ❓ 1)

Feature: CCC.Core.CN02.AR01 - Encrypt Data For Storage
Scenario: Function encryption status reports enabled controls @CCC.Core @CCC.Core.CN02 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @serverless-computing
Given a cloud api for "{config}" in "api"50µs
Given I call "{api}" with "GetServiceAPI" using argument "serverless-computing"95µs
And I refer to "{result}" as "svc"10µs
When I call "{svc}" with "GetFunctionEncryptionStatus" using argument "{uid}"39µs
Then "{result}" is not an error17µs
And I refer to "{result}" as "encryption"11µs
And I attach "{encryption}" to the test output as "Function Encryption Status"43µs
Then "{encryption.EnvEncrypted}" is "true"23µs
expected {encryption.EnvEncrypted} to equal 'true', got 'false'
📎 Attachments:
Function Encryption Status
View JSON (61 bytes)
{"EnvEncrypted":false,"KMSKeyArn":"","SecretsEncrypted":true}
Feature: CCC.SvlsComp.CN01.AR01 - Deny Public Internet Access
Scenario: Private invoke path succeeds @CCC.SvlsComp @CCC.SvlsComp.CN01 @PerService @tlp-amber @tlp-red @Behavioural @serverless-computing @SANITY @OPT_IN
Given a cloud api for "{config}" in "api"33µs
And I call "{api}" with "GetServiceAPI" using argument "serverless-computing"27µs
And I refer to "{result}" as "svc"11µs
When I call "{svc}" with "AttemptPrivateInvoke" using argument "{uid}"9ms
Then "{result}" is not an error21µs
And I refer to "{result}" as "privateInvoke"190µs
Then "{privateInvoke.Invoked}" is "true"53µs
expected {privateInvoke.Invoked} to equal 'true', got 'false'
Scenario: No public invoke surface is configured @CCC.SvlsComp @CCC.SvlsComp.CN01 @PerService @tlp-amber @tlp-red @Behavioural @serverless-computing @MAIN
Given a cloud api for "{config}" in "api"37µs
And I call "{api}" with "GetServiceAPI" using argument "serverless-computing"42µs
And I refer to "{result}" as "svc"19µs
When I call "{svc}" with "GetInvokeEndpointExposure" using argument "{uid}"46µs
Then "{result}" is not an error14µs
And I refer to "{result}" as "exposure"11µs
And I attach "{exposure}" to the test output as "Invoke Endpoint Exposure"52µs
Then "{exposure.PublicEndpointConfigured}" is "false"31µs
📎 Attachments:
Invoke Endpoint Exposure
View JSON (183 bytes)
{"PublicEndpointConfigured":false,"PublicEndpointURL":"","PrivateEndpointConfigured":true,"PrivateEndpointURL":"https://avmfunc20260611.privatelink.azurewebsites.net/api/HttpTrigger"}
Scenario: Public internet invoke attempt is denied @CCC.SvlsComp @CCC.SvlsComp.CN01 @PerService @tlp-amber @tlp-red @Behavioural @serverless-computing @MAIN @OPT_IN
Given a cloud api for "{config}" in "api"36µs
And I call "{api}" with "GetServiceAPI" using argument "serverless-computing"28µs
And I refer to "{result}" as "svc"21µs
When I call "{svc}" with "AttemptPublicInternetInvoke" using argument "{uid}"31µs
Then "{result}" is not an error21µs
expected {result} to not be an error, but got: no public invoke URL available (set public-invoke-url)
And I refer to "{result}" as "publicInvoke"10µs
And I attach "{publicInvoke}" to the test output as "Public Invoke Attempt"14µs
Then "{publicInvoke.AccessDenied}" is "true"14µs
Feature: CCC.SvlsComp.CN02.AR01 - Function Invocation Rate Limits
Scenario: Invocations beyond threshold are throttled @CCC.SvlsComp @CCC.SvlsComp.CN02 @PerService @tlp-amber @tlp-red @Behavioural @Destructive @serverless-computing
Given a cloud api for "{config}" in "api"28µs
And I call "{api}" with "GetServiceAPI" using argument "serverless-computing"29µs
And I refer to "{result}" as "svc"11µs
When I call "{svc}" with "InvokeFunctionBurst" using arguments "{uid}" and "{rate-limit-threshold}"74ms
Then "{result}" is not an error24µs
And I refer to "{result}" as "withinThreshold"28µs
Then "{withinThreshold.AllSucceeded}" is "true"30µs
expected {withinThreshold.AllSucceeded} to equal 'true', got 'false'
When I call "{svc}" with "InvokeFunctionBurst" using arguments "{uid}" and "{burst-overrun}"24µs
Then "{result}" is not an error13µs
And I refer to "{result}" as "overrun"12µs
And I attach "{overrun}" to the test output as "Invocation Burst Overrun"15µs
Then "{overrun.ThrottledCount}" is greater than "{0}"22µs
Feature: CCC.Core.CN03.AR01 - Multi-Factor Authentication for Destructive Operations
Scenario: MFA requirement for destructive operations cannot be tested automatically @CCC.Core @CCC.Core.CN03 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @object-storage @load-balancer @virtual-machines @serverless-computing @NotTestable
Given a cloud api for "{config}" in "api"40µs
Then no-op required23µs
Feature: CCC.Core.CN04.AR01 - Log Administrative Access Attempts
Scenario: Verify admin actions are logged with identity and timestamp @CCC.Core @CCC.Core.CN04 @PerService @tlp-amber @tlp-clear @tlp-green @tlp-red @Behavioural @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"36µs
And I call "{api}" with "GetServiceAPI" using argument "{service-type}"28µs
And I refer to "{result}" as "theService"12µs
Given I call "{api}" with "GetServiceAPI" using argument "logging"182µs
And I refer to "{result}" as "loggingService"13µs
When I call "{theService}" with "UpdateResourcePolicy"93µs
Then "{result}" is not an error16µs
And I attach "{result}" to the test output as "Policy Update Result"34µs
And we wait for a period of "10000" ms10s
When I call "{loggingService}" with "QueryLogs" using arguments "{resource-name}", "admin", and "{20}"1s
Then "{result}" is not an error24µs
And I refer to "{result}" as "adminLogs"17µs
And I attach "{adminLogs}" to the test output as "Admin Activity Logs"67µs
Then "{adminLogs}" is an array of objects with at least the following contents51µs
result
Succeeded
expected row not found: map[result:Succeeded]
📎 Attachments:
Policy Update Result
View JSON (4 bytes)
null
Admin Activity Logs
View JSON (2 bytes)
[]
Feature: CCC.Core.CN04.AR02 - Log Data Modification Attempts
Scenario: Verify data modifications are logged with identity and timestamp @CCC.Core @CCC.Core.CN04 @PerService @tlp-amber @tlp-red @Behavioural @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"40µs
Given I call "{api}" with "GetServiceAPI" using argument "{service-type}"36µs
And I refer to "{result}" as "theService"25µs
And I call "{api}" with "GetServiceAPI" using argument "logging"26µs
And I refer to "{result}" as "loggingService"13µs
When I call "{theService}" with "TriggerDataWrite" using argument "{resource-name}"7ms
And I attach "{result}" to the test output as "Data Write Trigger Result"65µs
And we wait for a period of "10000" ms10s
Then I call "{loggingService}" with "QueryLogs" using arguments "{resource-name}", "data-write", and "{20}"677ms
And I refer to "{result}" as "dataLogs"22µs
And I attach "{dataLogs}" to the test output as "Data Write Logs"39µs
Then "{dataLogs}" is an array of objects with at least the following contents31µs
result
Succeeded
field {dataLogs} is not an array
📎 Attachments:
Data Write Trigger Result
View JSON (4 bytes)
null
Data Write Logs
View Content (1136 bytes)
Log Analytics workspace query: POST https://api.loganalytics.io/v1/workspaces/433b7b84-1ba6-4f5c-8375-6d2016f07e6a/query
--------------------------------------------------------------------------------
RESPONSE 403: 403 Forbidden
ERROR CODE: InsufficientAccessError
--------------------------------------------------------------------------------
{
  "error": {
    "message": "The provided credentials have insufficient access to perform the requested operation",
    "code": "InsufficientAccessError",
    "correlationId": "5b934eb5-c2b2-4bf7-9a77-c1d024f5340d",
    "innererror": {
      "code": "NspValidationFailedError",
      "message": "Access to workspace 'avmlaw20260616' from '64.236.143.215' is denied. To allow access from public networks, change the workspace Networking settings or add it to a Network Security Perimeter. (workspace resource ID: /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/avm-testing/providers/microsoft.operationalinsights/workspaces/avmlaw20260616) Please contact your administrator."
    }
  }
}
--------------------------------------------------------------------------------
Feature: CCC.Core.CN04.AR03 - Log Data Read Attempts
Scenario: Verify data read operations are logged with identity and timestamp @CCC.Core @CCC.Core.CN04 @PerService @tlp-red @Behavioural @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"38µs
Given I call "{api}" with "GetServiceAPI" using argument "{service-type}"31µs
And I refer to "{result}" as "theService"13µs
And I call "{api}" with "GetServiceAPI" using argument "logging"17µs
And I refer to "{result}" as "loggingService"24µs
When I call "{theService}" with "TriggerDataRead" using argument "{resource-name}"9ms
And I attach "{result}" to the test output as "Data Read Trigger Result"45µs
And we wait for a period of "10000" ms10s
When I call "{loggingService}" with "QueryLogs" using arguments "{resource-name}", "data-read", and "{20}"27ms
Then "{result}" is not an error50µs
expected {result} to not be an error, but got: Log Analytics workspace query: POST https://api.loganalytics.io/v1/workspaces/433b7b84-1ba6-4f5c-8375-6d2016f07e6a/query -------------------------------------------------------------------------------- RESPONSE 403: 403 Forbidden ERROR CODE: InsufficientAccessError -------------------------------------------------------------------------------- { "error": { "message": "The provided credentials have insufficient access to perform the requested operation", "code": "InsufficientAccessError", "correlationId": "54f647cc-5827-48f2-954c-6ee46f855e4a", "innererror": { "code": "NspValidationFailedError", "message": "Access to workspace 'avmlaw20260616' from '64.236.143.215' is denied. To allow access from public networks, change the workspace Networking settings or add it to a Network Security Perimeter. (workspace resource ID: /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/avm-testing/providers/microsoft.operationalinsights/workspaces/avmlaw20260616) Please contact your administrator." } } } --------------------------------------------------------------------------------
And I refer to "{result}" as "readLogs"13µs
And I attach "{readLogs}" to the test output as "Data Read Logs"16µs
Then "{readLogs}" is an array of objects with at least the following contents12µs
result
Succeeded
📎 Attachments:
Data Read Trigger Result
View JSON (4 bytes)
null
Feature: CCC.Core.CN05.AR06 - Block All Unauthorized Requests
Scenario: Service prevents data read by user with no access @CCC.Core @CCC.Core.CN05 @PerService @tlp-amber @tlp-green @tlp-red @Destructive @Behavioural @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"31µs
And I call "{api}" with "GetServiceAPIWithIdentity" using arguments "{service-type}" and "test-user-no-access"61µs
And "{result}" is not an error35µs
And I refer to "{result}" as "userReadableService"18µs
When I call "{userReadableService}" with "TriggerDataRead" using argument "{resource-name}"8ms
Then "{result}" is an error23µs
expected {result} to be an error, got
And I attach "{result}" to the test output as "no-access-trigger-data-read-error.txt"16µs
Feature: CCC.Core.CN07.AR01 - Publish Enumeration Activity Events
Scenario: Enumeration event publishing cannot be tested automatically @CCC.Core @CCC.Core.CN07 @PerService @tlp-amber @tlp-red @Behavioural @NotTestable @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"79µs
Then no-op required54µs
Feature: CCC.Core.CN07.AR02 - Log Enumeration Activities
Scenario: Enumeration logging cannot be verified automatically @CCC.Core @CCC.Core.CN07 @PerService @tlp-amber @tlp-clear @tlp-green @tlp-red @Behavioural @NotTestable @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"31µs
Then no-op required19µs
Feature: CCC.Core.CN10.AR01 - Replication Destination Trust
Scenario: Replication destination trust cannot be verified automatically @CCC.Core @CCC.Core.CN10 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @NotTestable @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"25µs
Then no-op required20µs
Feature: CCC.Core.CN06.AR01 - Resource Location Compliance
Scenario: Resource region can be retrieved for compliance verification @CCC.Core @CCC.Core.CN06 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @object-storage @vpc @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"27µs
Given I call "{api}" with "GetServiceAPI" using argument "{service-type}"52µs
And I refer to "{result}" as "theService"21µs
When I call "{theService}" with "GetResourceRegion" using argument "{resource-name}"45µs
Then "{result}" is not an error19µs
And I refer to "{result}" as "region"13µs
And I attach "{region}" to the test output as "Resource Region"23µs
Then "{permitted-regions}" is an array of objects with at least the following contents50µs
value
{region}
expected row not found: map[value:{region}]
📎 Attachments:
Resource Region
View Content (7 bytes)
westus2