🥒 CCC.VPC Test: cfi-1776043305-vpc-cn03-disallowed-requester-01

Test Parameters

ServiceTypevpc
ProviderServiceTypeec2:vpc
CatalogTypesCCC.VPC
TagFilter@MAIN, @CCC.VPC
UIDvpc-0351e15653a529b6c
ResourceNamecfi-1776043305-vpc-cn03-disallowed-requester-01
Instance
{
  "ID": "main-aws",
  "Properties": {
    "Provider": "aws",
    "Region": "us-east-1",
    "AzureResourceGroup": "",
    "AzureSubscriptionID": "",
    "GcpProjectId": ""
  },
  "Services": [
    {
      "Type": "object-storage",
      "Properties": {
        "object-storage-retention-period-days": 2
      }
    },
    {
      "Type": "logging",
      "Properties": {
        "aws-cloud-trail-log-group-name": "cfi-test-log-group"
      }
    },
    {
      "Type": "vpc",
      "Properties": {
        "cn03-allowed-requester-vpc-ids": [
          "vpc-02b2cf8649cae372a,vpc-09f36d618737b4da7"
        ],
        "cn03-disallowed-requester-vpc-ids": [
          "vpc-0351e15653a529b6c,vpc-0fd941576fc1de4a0"
        ],
        "cn03-receiver-vpc-id": "vpc-05f4e0d1e4eccf07f"
      }
    }
  ],
  "Rules": {
    "permitted-account-ids": "",
    "permitted-regions": [
      "us-east-1"
    ]
  }
}
AwsCloudTrailLogGroupNamecfi-test-log-group
Cn03AllowedRequesterVpcIds
[
  "vpc-02b2cf8649cae372a,vpc-09f36d618737b4da7"
]
Cn03DisallowedRequesterVpcIds
[
  "vpc-0351e15653a529b6c,vpc-0fd941576fc1de4a0"
]
Cn03ReceiverVpcIdvpc-05f4e0d1e4eccf07f
ObjectStorageRetentionPeriodDays2
PermittedRegions
[
  "us-east-1"
]
Provideraws
Regionus-east-1

Summary

Generated: 2026-04-13 01:31:04

Total Run Time: 791ms

Features: 4

Scenarios: 7 (✅ 3 | ❌ 4)

Steps: 80 (✅ 73 | ❌ 4 | ⏭️ 3 | ❓ 0)

Feature: CCC.VPC.CN01.AR01 - Subscription must not contain default network resources
Scenario: Main check: no default VPC exists @vpc @tlp-amber @tlp-red @CCC.VPC.CN01 @CCC.VPC.CN01.AR01 @Policy @MAIN @CCC.VPC @DEFAULT
Given a cloud api for "{Instance}" in "api"45µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"120µs
And I refer to "{result}" as "vpcService"13µs
When I call "{vpcService}" with "CountDefaultVpcs"90ms
Then "{result}" is "0"25µs
Feature: CCC.VPC.CN02.AR01 - No external IP by default in public subnets
Scenario: Main check (config): public subnets do not auto-assign external IPs @vpc @tlp-red @CCC.VPC.CN02 @CCC.VPC.CN02.AR01 @Policy @MAIN @CCC.VPC @DEFAULT
Given a cloud api for "{Instance}" in "api"36µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"143µs
And I refer to "{result}" as "vpcService"18µs
Given I refer to "{UID}" as "TargetVpcId"19µs
When I call "{vpcService}" with "EvaluatePublicSubnetDefaultIPControl" using argument "{TargetVpcId}"120ms
Then "{result.ViolatingSubnetCount}" is "0"47µs
And "{result.Reason}" contains "disable default public IP"30µs
expected {result.Reason} to contain 'disable default public IP', but got 'no public subnets found for in-scope VPC'
Scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP @vpc @tlp-red @CCC.VPC.CN02 @CCC.VPC.CN02.AR01 @Behavioural @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"40µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"163µs
And I refer to "{result}" as "vpcService"22µs
Given I refer to "{UID}" as "TargetVpcId"14µs
When I call "{vpcService}" with "SelectPublicSubnetForTest" using argument "{TargetVpcId}"104ms
And I refer to "{result.SubnetId}" as "TestSubnetId"45µs
And I call "{vpcService}" with "CreateTestResourceInSubnet" using argument "{TestSubnetId}"31µs
And I refer to "{result.ResourceId}" as "TestResourceId"17µs
And I call "{vpcService}" with "GetResourceExternalIpAssignment" using argument "{TestResourceId}"21µs
And I refer to "{result.HasExternalIp}" as "HasExternalIp"18µs
Then "{HasExternalIp}" is false16µs
When I call "{vpcService}" with "DeleteTestResource" using argument "{TestResourceId}"19µs
Then "{result.Deleted}" is true23µs
expected {result.Deleted} to be truthy, got (type: )
Feature: CCC.VPC.CN03.AR01 - Restrict VPC peering requests from non-allowlisted requesters
Scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC @vpc @tlp-amber @tlp-red @CCC.VPC.CN03 @CCC.VPC.CN03.AR01 @Destructive @MAIN @DEFAULT @CCC.VPC
Given a cloud api for "{Instance}" in "api"29µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"146µs
And I refer to "{result}" as "vpcService"65µs
And I load environment variable "CN03_RECEIVER_VPC_ID" as "ReceiverVpcId"20µs
And I load environment variable "CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID" as "NonAllowlistedRequesterVpcId"17µs
And I load environment variable "CN03_PEER_TRIAL_MATRIX_FILE" as "PeerTrialMatrixFile"16µs
And "{ReceiverVpcId}" is not nil186µs
When I call "{vpcService}" with "ValidateDisallowListEnforcement" using argument "{ReceiverVpcId}"138ms
And I attach "{result.Summary}" to the test output as "Disallow-list Enforcement Summary"51µs
And I attach "{result.Results}" to the test output as "Disallow-list Enforcement"94µs
Then "{result.ListDefined}" is true32µs
And "{result.TestedCount}" should be greater than "0"44µs
And "{result.AllCorrect}" is true33µs
And "{result.ViolationCount}" is "0"24µs
📎 Attachments:
Disallow-list Enforcement Summary
View Content (56 bytes)
all 2 disallow-list VPC(s) correctly denied by guardrail
Disallow-list Enforcement
View JSON (6439 bytes)
[{"AllowListDefined":true,"ConflictMessage":"","ConflictType":"","DryRunAllowed":false,"ErrorCode":"UnauthorizedOperation","ExitCode":1,"GuardrailExpectation":"deny","GuardrailMismatch":false,"Origin":"terraform-fixture","PeerOwnerId":"","PeerVpcId":"vpc-05f4e0d1e4eccf07f","Reason":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 1e70ffb1-2506-46ca-acea-5e30373506db, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: MVjUoVm24-MPx34ehFH1qk4wJv3TLmO-suCdDRxyir5ujXtA_x0A1gMwUqh2KflsB0wRdKZsqvkBm1gz67baLUCPjCVT-tVXlqp28dL-5TyZBHmZKUdcrpuPq9t7XXSPQKnNDNxIqeC0w0kDcTjgUyS2ESpDvr3CiWzn0dnnweDcs_7CQaAXX5ReSdp0vtoZBp03gbwd4QT8Y1wI5HYDCrfdp31oT_-WFeLfeqrA5aKKVyhkNS3Co0CCxoPuDjUWa0qND4B-q050_POT1raoYTrGXD8W6hWQaDFrJuNIcYCHSBCOHHFImcjPHA75tP3zxqsQebTUZFL5QmrXBVQAiKcGn55SQhQLtH0HlKhg8G5WMIXQcBsPVKPzAi_8AFUY3l1qq5TIZMqNG4bZuBsfoMEiOYkpI7OMvJu_zrX4gT0fjpnBqPS3gfR375uQveYxUDWhTAXbIScj2PkQx5pBeYJlv3md95oLAVaBsuo5kCo3LzIPvIIRaG1jtiymIzqgS7FawnHy4XYvJBq5Gd0qb8_qO7E3x8mGzP14WMHOlvgDBuc7s-HIh1gLdoueY4_dDAHpJM-VmMdRVRr8Epc_DTK90JDN2lWRMwZiD9Qd0oFjGHT1PKcDSPzH3T7WDbqdve8oLltfnp2MkTCPsEsSFbIvuCjdQvdQ_WfYnvWWGiSJUSiL4tiQyc5uFa9K8mQHILFEpJbodxSF5bVf9KOe3rLYXEuiKJ2mYGTKHWIzUoo52HEdJRDaAQnBUIVpa1w21YxsRoE-w6YNmtmphclTu-V9; CN03 guardrail aligned: allow-list expects deny for requester vpc-0351e15653a529b6c","ReceiverVpcId":"vpc-05f4e0d1e4eccf07f","RequesterInAllowList":false,"RequesterVpcId":"vpc-0351e15653a529b6c","Stderr":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 1e70ffb1-2506-46ca-acea-5e30373506db, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: MVjUoVm24-MPx34ehFH1qk4wJv3TLmO-suCdDRxyir5ujXtA_x0A1gMwUqh2KflsB0wRdKZsqvkBm1gz67baLUCPjCVT-tVXlqp28dL-5TyZBHmZKUdcrpuPq9t7XXSPQKnNDNxIqeC0w0kDcTjgUyS2ESpDvr3CiWzn0dnnweDcs_7CQaAXX5ReSdp0vtoZBp03gbwd4QT8Y1wI5HYDCrfdp31oT_-WFeLfeqrA5aKKVyhkNS3Co0CCxoPuDjUWa0qND4B-q050_POT1raoYTrGXD8W6hWQaDFrJuNIcYCHSBCOHHFImcjPHA75tP3zxqsQebTUZFL5QmrXBVQAiKcGn55SQhQLtH0HlKhg8G5WMIXQcBsPVKPzAi_8AFUY3l1qq5TIZMqNG4bZuBsfoMEiOYkpI7OMvJu_zrX4gT0fjpnBqPS3gfR375uQveYxUDWhTAXbIScj2PkQx5pBeYJlv3md95oLAVaBsuo5kCo3LzIPvIIRaG1jtiymIzqgS7FawnHy4XYvJBq5Gd0qb8_qO7E3x8mGzP14WMHOlvgDBuc7s-HIh1gLdoueY4_dDAHpJM-VmMdRVRr8Epc_DTK90JDN2lWRMwZiD9Qd0oFjGHT1PKcDSPzH3T7WDbqdve8oLltfnp2MkTCPsEsSFbIvuCjdQvdQ_WfYnvWWGiSJUSiL4tiQyc5uFa9K8mQHILFEpJbodxSF5bVf9KOe3rLYXEuiKJ2mYGTKHWIzUoo52HEdJRDaAQnBUIVpa1w21YxsRoE-w6YNmtmphclTu-V9"},{"AllowListDefined":true,"ConflictMessage":"","ConflictType":"","DryRunAllowed":false,"ErrorCode":"UnauthorizedOperation","ExitCode":1,"GuardrailExpectation":"deny","GuardrailMismatch":false,"Origin":"terraform-fixture","PeerOwnerId":"","PeerVpcId":"vpc-05f4e0d1e4eccf07f","Reason":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 30c99630-6de9-4bcd-ad8c-2bf98733d19d, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: XM9pTPoZz7e03u3FZ4eD9oY4rAjfrpGoxgiL1dOflZQ4UysJjXOk-WE46WFhC7aEAu1wq92jYmEOEpG0Dd00qG8e9IPzh6ijyl9yjHrfMDWVuTlQ1tMqg183JE-NYuBRgPQ1sznvVwzWkO-XbIywH_xA8PS2aE_WfOWg-ence7fkplOtDjZ27-TPYyjG-ilEIkzpyCt5-_l9FQohwrPD-dN15mKH_FThRSJP35LlgNT6s1KWFIidhwb8wQi_rK20E3MRd7GhbOS3XvOWFZhX7UqXQKRj0-_MxfVfZIZDJ9ZC2IkATj8jnzg9mlXvgzs9D5p-XuyK0B-4cfYq53KV9voIBI1Gx9ZULQ2Cvmv4Ac71-xM5bpexEJo2b2J9E_4ZRG_GSjFM6wveaEa8trqHEXmQObrQO_xgfaNgdGlEJ-E26vjAKo6aHA4IQ1tAQfmKb3jJjZzJfR7cIMJYno_yFczeyijvN50Di9-oxho15NR9goA29ePIYG7C-AyAj3RBgs9xYJtPMOaJQtk56dSdAZLWgODzfIckS_yPHmduaT79qb75Lx0Qt7ybuU6T7yZDk3VJLe8v8QgghoE9fhGG0CcWkUe8khF2xjrDwc7cCtYtdlGgAo28tTpO3y_TGnpx0DZWAhxdPx4f6xjxy7ZVXPOXO3G8nuGLRsJCJGmbDgFnsNbDkh0vxoIvrlWazGyiHVPNrXqzinR-NEc3jEHRhQdl-Rjpk_LQZ3AnmbfdTbav7NLYV5ETbzoE896Y56KNDpl2gQW6ZdzFDx1LAPunASN-; CN03 guardrail aligned: allow-list expects deny for requester vpc-0fd941576fc1de4a0","ReceiverVpcId":"vpc-05f4e0d1e4eccf07f","RequesterInAllowList":false,"RequesterVpcId":"vpc-0fd941576fc1de4a0","Stderr":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 30c99630-6de9-4bcd-ad8c-2bf98733d19d, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: XM9pTPoZz7e03u3FZ4eD9oY4rAjfrpGoxgiL1dOflZQ4UysJjXOk-WE46WFhC7aEAu1wq92jYmEOEpG0Dd00qG8e9IPzh6ijyl9yjHrfMDWVuTlQ1tMqg183JE-NYuBRgPQ1sznvVwzWkO-XbIywH_xA8PS2aE_WfOWg-ence7fkplOtDjZ27-TPYyjG-ilEIkzpyCt5-_l9FQohwrPD-dN15mKH_FThRSJP35LlgNT6s1KWFIidhwb8wQi_rK20E3MRd7GhbOS3XvOWFZhX7UqXQKRj0-_MxfVfZIZDJ9ZC2IkATj8jnzg9mlXvgzs9D5p-XuyK0B-4cfYq53KV9voIBI1Gx9ZULQ2Cvmv4Ac71-xM5bpexEJo2b2J9E_4ZRG_GSjFM6wveaEa8trqHEXmQObrQO_xgfaNgdGlEJ-E26vjAKo6aHA4IQ1tAQfmKb3jJjZzJfR7cIMJYno_yFczeyijvN50Di9-oxho15NR9goA29ePIYG7C-AyAj3RBgs9xYJtPMOaJQtk56dSdAZLWgODzfIckS_yPHmduaT79qb75Lx0Qt7ybuU6T7yZDk3VJLe8v8QgghoE9fhGG0CcWkUe8khF2xjrDwc7cCtYtdlGgAo28tTpO3y_TGnpx0DZWAhxdPx4f6xjxy7ZVXPOXO3G8nuGLRsJCJGmbDgFnsNbDkh0vxoIvrlWazGyiHVPNrXqzinR-NEc3jEHRhQdl-Rjpk_LQZ3AnmbfdTbav7NLYV5ETbzoE896Y56KNDpl2gQW6ZdzFDx1LAPunASN-"}]
Scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed @vpc @tlp-amber @tlp-red @CCC.VPC.CN03 @CCC.VPC.CN03.AR01 @Destructive @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"32µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"133µs
And I refer to "{result}" as "vpcService"15µs
And I load environment variable "CN03_RECEIVER_VPC_ID" as "ReceiverVpcId"17µs
And I load environment variable "CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID" as "NonAllowlistedRequesterVpcId"19µs
And I load environment variable "CN03_PEER_TRIAL_MATRIX_FILE" as "PeerTrialMatrixFile"16µs
And "{ReceiverVpcId}" is not nil16µs
Given "{NonAllowlistedRequesterVpcId}" is not nil18µs
When I call "{vpcService}" with "EvaluatePeerAgainstAllowList" using argument "{NonAllowlistedRequesterVpcId}"87µs
Then "{result.AllowedListDefined}" is true22µs
And "{result.Allowed}" is false18µs
When I call "{vpcService}" with "AttemptVpcPeeringDryRun" using arguments "{NonAllowlistedRequesterVpcId}" and "{ReceiverVpcId}"99ms
Then "{result.DryRunAllowed}" is false38µs
And "{result.AllowListDefined}" is true25µs
And "{result.RequesterInAllowList}" is false24µs
And "{result.GuardrailExpectation}" is "deny"24µs
And "{result.GuardrailMismatch}" is false18µs
And "{result.ExitCode}" should be greater than "0"23µs
And "{result.Reason}" contains "guardrail aligned"25µs
And "{result.ConflictType}" is ""20µs
Feature: CCC.VPC.CN04.AR01 - Flow logs must capture all VPC traffic
Scenario: Main check (config): flow logs are active and capture all traffic @vpc @tlp-amber @tlp-red @CCC.VPC.CN04 @CCC.VPC.CN04.AR01 @Policy @MAIN @DEFAULT @CCC.VPC
Given a cloud api for "{Instance}" in "api"30µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"115µs
And I refer to "{result}" as "vpcService"19µs
Given I refer to "{UID}" as "TargetVpcId"20µs
When I call "{vpcService}" with "EvaluateVpcFlowLogsControl" using argument "{TargetVpcId}"67ms
Then "{result.FlowLogCount}" should be greater than "0"88µs
expected {result.FlowLogCount} (0) to be greater than 0
And "{result.NonCompliantCount}" is "0"22µs
Scenario: Behavioral check (active): traffic produces flow log records @vpc @tlp-amber @tlp-red @CCC.VPC.CN04 @CCC.VPC.CN04.AR01 @Behavioural @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"43µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"137µs
And I refer to "{result}" as "vpcService"21µs
Given I refer to "{UID}" as "TargetVpcId"14µs
When I call "{vpcService}" with "PrepareFlowLogDeliveryObservation" using argument "{TargetVpcId}"62ms
And I call "{vpcService}" with "GenerateTestTraffic" using argument "{TargetVpcId}"59ms
And I refer to "{result.ResourceId}" as "TestResourceId"60µs
And I refer to "{result.CleanupDeleted}" as "TrafficCleanupDeleted"22µs
And I call "{vpcService}" with "ObserveRecentFlowLogDelivery" using argument "{TargetVpcId}"38ms
And I refer to "{result.RecordsObserved}" as "RecordsObserved"39µs
And I call "{vpcService}" with "DeleteTestResource" using argument "{TestResourceId}"34µs
Then "{result.Deleted}" is true29µs
expected {result.Deleted} to be truthy, got (type: )
And "{TrafficCleanupDeleted}" is true17µs
And "{RecordsObserved}" is true14µs