🥒 CCC.VPC Test: cfi-1776044303-vpc

Test Parameters

ServiceType: vpc
ProviderServiceType: ec2:vpc
CatalogTypes: CCC.VPC
TagFilter: @MAIN, @CCC.VPC, ~@NEGATIVE, ~@OPT_IN
UID: vpc-0232d940ac1e052fc
ResourceName: cfi-1776044303-vpc
Instance:
{
  "ID": "main-aws",
  "Properties": {
    "Provider": "aws",
    "Region": "us-east-1",
    "AzureResourceGroup": "",
    "AzureSubscriptionID": "",
    "GcpProjectId": ""
  },
  "Services": [
    {
      "Type": "object-storage",
      "Properties": {
        "object-storage-retention-period-days": 2
      }
    },
    {
      "Type": "logging",
      "Properties": {
        "aws-cloud-trail-log-group-name": "cfi-test-log-group"
      }
    },
    {
      "Type": "vpc",
      "Properties": {
        "bad-vpc-id": "vpc-08d29b9a77c3a1931",
        "cn03-allowed-requester-vpc-ids": null,
        "cn03-allowed-requester-vpc-ids-csv": "vpc-00edf4476fa81d898,vpc-035f0b812cb80ea99",
        "cn03-disallowed-requester-vpc-ids": null,
        "cn03-disallowed-requester-vpc-ids-csv": "vpc-06343230833672ab6,vpc-08678ebdbec637832",
        "cn03-non-allowlisted-requester-vpc-id": "vpc-030739f6bd57beef0",
        "cn03-receiver-vpc-id": "vpc-0232d940ac1e052fc",
        "cn04-flow-log-group-name": "/aws/vpc/flow-logs/cfi-1776044303-vpc"
      }
    }
  ],
  "Rules": {
    "permitted-account-ids": "",
    "permitted-regions": [
      "us-east-1"
    ]
  }
}
AwsCloudTrailLogGroupName: cfi-test-log-group
BadVpcId: vpc-08d29b9a77c3a1931
Cn03AllowedRequesterVpcIdsCsv: vpc-00edf4476fa81d898,vpc-035f0b812cb80ea99
Cn03DisallowedRequesterVpcIdsCsv: vpc-06343230833672ab6,vpc-08678ebdbec637832
Cn03NonAllowlistedRequesterVpcId: vpc-030739f6bd57beef0
Cn03ReceiverVpcId: vpc-0232d940ac1e052fc
Cn04FlowLogGroupName: /aws/vpc/flow-logs/cfi-1776044303-vpc
ObjectStorageRetentionPeriodDays: 2
PermittedRegions:
[
  "us-east-1"
]
Provider: aws
Region: us-east-1

Summary

Generated: 2026-04-13 01:47:08

Total Run Time: 24s

Features: 4

Scenarios: 7 (✅ 7 | ❌ 0)

Steps: 80 (✅ 80 | ❌ 0 | ⏭️ 0 | ❓ 0)

Feature: CCC.VPC.CN01.AR01 - Subscription must not contain default network resources
Scenario: Main check: no default VPC exists @vpc @tlp-amber @tlp-red @CCC.VPC.CN01 @CCC.VPC.CN01.AR01 @Policy @MAIN @CCC.VPC @DEFAULT
Given a cloud api for "{Instance}" in "api"  (45µs)
And I call "{api}" with "GetServiceAPI" using argument "vpc"  (152µs)
And I refer to "{result}" as "vpcService"  (13µs)
When I call "{vpcService}" with "CountDefaultVpcs"  (264ms)
Then "{result}" is "0"  (42µs)
Feature: CCC.VPC.CN02.AR01 - No external IP by default in public subnets
Scenario: Main check (config): public subnets do not auto-assign external IPs @vpc @tlp-red @CCC.VPC.CN02 @CCC.VPC.CN02.AR01 @Policy @MAIN @CCC.VPC @DEFAULT
Given a cloud api for "{Instance}" in "api"  (46µs)
And I call "{api}" with "GetServiceAPI" using argument "vpc"  (142µs)
And I refer to "{result}" as "vpcService"  (53µs)
Given I refer to "{UID}" as "TargetVpcId"  (21µs)
When I call "{vpcService}" with "EvaluatePublicSubnetDefaultIPControl" using argument "{TargetVpcId}"  (506ms)
Then "{result.ViolatingSubnetCount}" is "0"  (57µs)
And "{result.Reason}" contains "disable default public IP"  (42µs)
Scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP @vpc @tlp-red @CCC.VPC.CN02 @CCC.VPC.CN02.AR01 @Behavioural @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"  (79µs)
And I call "{api}" with "GetServiceAPI" using argument "vpc"  (133µs)
And I refer to "{result}" as "vpcService"  (23µs)
Given I refer to "{UID}" as "TargetVpcId"  (25µs)
When I call "{vpcService}" with "SelectPublicSubnetForTest" using argument "{TargetVpcId}"  (471ms)
And I refer to "{result.SubnetId}" as "TestSubnetId"  (38µs)
And I call "{vpcService}" with "CreateTestResourceInSubnet" using argument "{TestSubnetId}"  (2s)
And I refer to "{result.ResourceId}" as "TestResourceId"  (34µs)
And I call "{vpcService}" with "GetResourceExternalIpAssignment" using argument "{TestResourceId}"  (297ms)
And I refer to "{result.HasExternalIp}" as "HasExternalIp"  (56µs)
Then "{HasExternalIp}" is false  (29µs)
When I call "{vpcService}" with "DeleteTestResource" using argument "{TestResourceId}"  (499ms)
Then "{result.Deleted}" is true  (47µs)
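The config scenario above asserts on ViolatingSubnetCount and Reason but does not show how a subnet gets classified as "public" in the first place. The following is an added example, not the harness's EvaluatePublicSubnetDefaultIPControl: it resolves each subnet's effective route table (an explicit association wins, otherwise the VPC's main table applies), treats a subnet as public only when that table sends 0.0.0.0/0 or ::/0 through an internet gateway, and flags only public subnets that auto-assign a public IPv4 address. The subnet, route table and gateway IDs are constructed; the VPC ID is the one under test on this page.

```python
"""Added example (not the CCC harness's code). Evaluates describe_subnets and
describe_route_tables style data offline; the subnet/route-table/IGW IDs are
constructed, the VPC ID is the one on this report page."""
from dataclasses import dataclass


@dataclass
class SubnetFinding:
    subnet_id: str
    is_public: bool
    map_public_ip_on_launch: bool

    @property
    def violating(self) -> bool:
        # Only a PUBLIC subnet that auto-assigns a public IPv4 address violates CN02.
        return self.is_public and self.map_public_ip_on_launch


def route_table_for_subnet(subnet_id, vpc_id, route_tables):
    """Effective route table: explicit subnet association first, else the VPC's
    main route table (the implicit association every unassociated subnet has)."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_igw_default_route(route_table):
    """Public means a default route (IPv4 or IPv6) whose target is an internet
    gateway. NAT gateways (NatGatewayId) and egress-only IGWs do not count."""
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        gateway = route.get("GatewayId") or ""
        if dest in ("0.0.0.0/0", "::/0") and gateway.startswith("igw-") \
                and route.get("State", "active") == "active":
            return True
    return False


def evaluate_public_subnet_default_ip(vpc_id, subnets, route_tables):
    """Mirror of the result shape the scenario asserts on (constructed wording)."""
    findings = []
    for subnet in subnets:
        if subnet["VpcId"] != vpc_id:
            continue
        rt = route_table_for_subnet(subnet["SubnetId"], vpc_id, route_tables)
        public = rt is not None and has_igw_default_route(rt)
        findings.append(SubnetFinding(subnet["SubnetId"], public,
                                      bool(subnet.get("MapPublicIpOnLaunch", False))))
    violating = [f.subnet_id for f in findings if f.violating]
    reason = ("all public subnets disable default public IP assignment" if not violating
              else f"{len(violating)} public subnet(s) auto-assign public IPs")
    return {
        "ViolatingSubnetCount": len(violating),
        "ViolatingSubnetIds": violating,
        "PublicSubnetCount": sum(f.is_public for f in findings),
        "Reason": reason,
    }


# Constructed sample data. subnet-priv-a auto-assigns but has no IGW route, so it
# is not a CN02 violation; subnet-pub-b is the one that should fail.
SAMPLE_VPC = "vpc-0232d940ac1e052fc"
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-pub-a", "VpcId": SAMPLE_VPC, "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-pub-b", "VpcId": SAMPLE_VPC, "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-priv-a", "VpcId": SAMPLE_VPC, "MapPublicIpOnLaunch": True},
]
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": SAMPLE_VPC,
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-public", "VpcId": SAMPLE_VPC,
     "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0",
                 "State": "active"}]},
]

if __name__ == "__main__":
    print(evaluate_public_subnet_default_ip(SAMPLE_VPC, SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES))
```

Two caveats worth keeping in mind when reading the report. A private subnet with MapPublicIpOnLaunch enabled (the third sample subnet) is not a CN02 finding, because without an internet gateway route the assigned address is not reachable from outside; it still wastes a public IPv4 and is worth cleaning up under a different control. And the config check only sees the subnet default: a launch template or auto-scaling group can override it with AssociatePublicIpAddress on the network interface, which is exactly why the behavioural scenario above launches a real resource and reads its address back.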
Feature: CCC.VPC.CN03.AR01 - Restrict VPC peering requests from non-allowlisted requesters
Scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC @vpc @tlp-amber @tlp-red @CCC.VPC.CN03 @CCC.VPC.CN03.AR01 @Destructive @MAIN @DEFAULT @CCC.VPC
Given a cloud api for "{Instance}" in "api"  (41µs)
And I call "{api}" with "GetServiceAPI" using argument "vpc"  (131µs)
And I refer to "{result}" as "vpcService"  (16µs)
And I refer to "{UID}" as "ReceiverVpcId"  (14µs)
And I refer to "{Cn03NonAllowlistedRequesterVpcId}" as "NonAllowlistedRequesterVpcId"  (26µs)
And I load environment variable "CN03_PEER_TRIAL_MATRIX_FILE" as "PeerTrialMatrixFile"  (21µs)
And "{ReceiverVpcId}" is not nil  (18µs)
When I call "{vpcService}" with "ValidateDisallowListEnforcement" using argument "{ReceiverVpcId}"  (323ms)
And I attach "{result.Summary}" to the test output as "Disallow-list Enforcement Summary"  (64µs)
And I attach "{result.Results}" to the test output as "Disallow-list Enforcement"  (123µs)
Then "{result.ListDefined}" is true  (39µs)
And "{result.TestedCount}" should be greater than "0"  (36µs)
And "{result.AllCorrect}" is true  (38µs)
And "{result.ViolationCount}" is "0"  (28µs)
📎 Attachments:
Disallow-list Enforcement Summary (56 bytes):
all 2 disallow-list VPC(s) correctly denied by guardrail
Disallow-list Enforcement (JSON, 6467 bytes):
[
  {
    "AllowListDefined": true,
    "ConflictMessage": "",
    "ConflictType": "",
    "DryRunAllowed": false,
    "ErrorCode": "UnauthorizedOperation",
    "ExitCode": 1,
    "GuardrailExpectation": "deny",
    "GuardrailMismatch": false,
    "Origin": "terraform-fixture",
    "PeerOwnerId": "",
    "PeerVpcId": "vpc-0232d940ac1e052fc",
    "Reason": "operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 410829e8-e7d8-4b8b-8e2f-75d696f28c0d, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: Up3fIdw8IWOo5eH_EcN9UuXmfFUWiYe8hycwW4uxo5QmM6UEDk5I-jl51IwjPuxnnEg_AIvBDRt8qSXDF49sqIHMnXs2MUG8yv4AKzG9XcD1VEtBXeCBHG_s0oqKfaXA4gCoRCeC4nrF_Xby7IVz96cD74OKbcdyJK50mvOn2A0sXKQ78jafxmi3wnyfX-L6j61V-YlhH_jILJfztMUeLmNIH7qpBc91O1sinGGUKfRsvKhY09uGhmizT2PSipNNeFAdZYM1mR_MJOBcVWA3Ry--UvLk8DJddgMFEFuZ305U59L56vSe3Crf5Rw14qkz6NTrYK83Jqyu9OHIzVQUSm4s1ZbpHayob9gkx27Q6rGft-nROOsXcwab9LmLBDmD2XaAzVq3hdeZNkwG6Do1DhE7QkiaGkf4GzDourfpoZ9cbOP0x_1npYEEmj62aesa4OUk7VLY0iLjdFQFoUS_FTxUp3wpLULDvM_rkUFmhmhPKFIaMG74pPl1SCLGW3_snX_rIgNQPvLCBDt4cg-QiHqnE09EklGXLxT8wEukAt2C6w02R7O8BhCBbcELvO5TB-ZWVZZ5LRB3XEg82EZQmCH7WxHyeKVNtXrVWPmQYgmy-Wdhl2lzPyTVDvHdCCYWoPEQxDZmq2vUAkcUkrmFkJ3KEGbtoUmZGyacwV6yPBRxwJOAP3c_8kY3AM-xhqEHwISHnosa9ltBjk36RkZdD9QbMk3BoKxKhUKrFWPRz_GaY_Pj7pbyD9rZaMcr_Y4zxAzRb926ISY0Esz9wPxDxGvDVRNxGJ1y; CN03 guardrail aligned: allow-list expects deny for requester vpc-06343230833672ab6",
    "ReceiverVpcId": "vpc-0232d940ac1e052fc",
    "RequesterInAllowList": false,
    "RequesterVpcId": "vpc-06343230833672ab6",
    "Stderr": "operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 410829e8-e7d8-4b8b-8e2f-75d696f28c0d, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: Up3fIdw8IWOo5eH_EcN9UuXmfFUWiYe8hycwW4uxo5QmM6UEDk5I-jl51IwjPuxnnEg_AIvBDRt8qSXDF49sqIHMnXs2MUG8yv4AKzG9XcD1VEtBXeCBHG_s0oqKfaXA4gCoRCeC4nrF_Xby7IVz96cD74OKbcdyJK50mvOn2A0sXKQ78jafxmi3wnyfX-L6j61V-YlhH_jILJfztMUeLmNIH7qpBc91O1sinGGUKfRsvKhY09uGhmizT2PSipNNeFAdZYM1mR_MJOBcVWA3Ry--UvLk8DJddgMFEFuZ305U59L56vSe3Crf5Rw14qkz6NTrYK83Jqyu9OHIzVQUSm4s1ZbpHayob9gkx27Q6rGft-nROOsXcwab9LmLBDmD2XaAzVq3hdeZNkwG6Do1DhE7QkiaGkf4GzDourfpoZ9cbOP0x_1npYEEmj62aesa4OUk7VLY0iLjdFQFoUS_FTxUp3wpLULDvM_rkUFmhmhPKFIaMG74pPl1SCLGW3_snX_rIgNQPvLCBDt4cg-QiHqnE09EklGXLxT8wEukAt2C6w02R7O8BhCBbcELvO5TB-ZWVZZ5LRB3XEg82EZQmCH7WxHyeKVNtXrVWPmQYgmy-Wdhl2lzPyTVDvHdCCYWoPEQxDZmq2vUAkcUkrmFkJ3KEGbtoUmZGyacwV6yPBRxwJOAP3c_8kY3AM-xhqEHwISHnosa9ltBjk36RkZdD9QbMk3BoKxKhUKrFWPRz_GaY_Pj7pbyD9rZaMcr_Y4zxAzRb926ISY0Esz9wPxDxGvDVRNxGJ1y"
  },
  {
    "AllowListDefined": true,
    "ConflictMessage": "",
    "ConflictType": "",
    "DryRunAllowed": false,
    "ErrorCode": "UnauthorizedOperation",
    "ExitCode": 1,
    "GuardrailExpectation": "deny",
    "GuardrailMismatch": false,
    "Origin": "terraform-fixture",
    "PeerOwnerId": "",
    "PeerVpcId": "vpc-0232d940ac1e052fc",
    "Reason": "operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 419d1892-4131-423b-8455-66075cde2bcd, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: gI8uoxQyO1NBqmykmau3ML7vRR8tCsPzPZubvmQfnuXYOvjm0gMfKJ5uHFQasTtX9RPpF7nmGXh7NUitBfjLWltE8UrehfaCsbLBmfmwW8XPghEXuSNH8XNzGO1Wg5O4g-AaERTSFZO9zCwAohVh8BatSd9vqlR3nYxCuVrGcYv2U3cpWrKcEjzd9MoMtGgsOh77e7jeM2rgbcrURZHdqXQOZcAn3PIpvq0Ur11qWssFzBoa2Pe5XYeo05DUrYpar3h8Jz1TMT_joKSB7-Y1w6lDCKxuN-x2JedRGekkTAcYD3ahRRK3xCrCOqV38eqRViiOkz-6VbxABvbjMAV0sl4mHHyEt7eBjkICJDO_vmYOc3pLvOy2BweslyYAmhqTQ7woVknlLCJf0_Mw3P5AvxfSssdSd2_CpfhO02FCqFla1fDJdbofK5GNS_r_JTOMapIQnkHU8eyXa4lvAzs_ijihcFdhFLFpKyIRTqNgSCOF8bYJSSpEnjjMuVT_2wyK2qoNHhmnBIBgwu6ZDW5_MShU23uGAPobqf5Pz4qEyQQ9qN9K3n2tzPI-piPoAS0nZmJe7iHD0dUGAf_2DVRkHrvqyRZS4IpuiHAd3cO8-YWtfTIEFXuHlY8b_uH47VWTQpeB8dO9klF22TNYa0a6HvFxhgeoFQdjBAxH4QYUXMS4EfPZgYKiphRfW6LPxClMiW48IdyNlsgbeC8bmtxReTdr7goSfOuaVEgzgJXuffAaq3W69MmfpAiEGpZNQlpNgWdOfnOcSpTV5qO72nywwWrqSwWvFw; CN03 guardrail aligned: allow-list expects deny for requester vpc-08678ebdbec637832",
    "ReceiverVpcId": "vpc-0232d940ac1e052fc",
    "RequesterInAllowList": false,
    "RequesterVpcId": "vpc-08678ebdbec637832",
    "Stderr": "operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 419d1892-4131-423b-8455-66075cde2bcd, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: gI8uoxQyO1NBqmykmau3ML7vRR8tCsPzPZubvmQfnuXYOvjm0gMfKJ5uHFQasTtX9RPpF7nmGXh7NUitBfjLWltE8UrehfaCsbLBmfmwW8XPghEXuSNH8XNzGO1Wg5O4g-AaERTSFZO9zCwAohVh8BatSd9vqlR3nYxCuVrGcYv2U3cpWrKcEjzd9MoMtGgsOh77e7jeM2rgbcrURZHdqXQOZcAn3PIpvq0Ur11qWssFzBoa2Pe5XYeo05DUrYpar3h8Jz1TMT_joKSB7-Y1w6lDCKxuN-x2JedRGekkTAcYD3ahRRK3xCrCOqV38eqRViiOkz-6VbxABvbjMAV0sl4mHHyEt7eBjkICJDO_vmYOc3pLvOy2BweslyYAmhqTQ7woVknlLCJf0_Mw3P5AvxfSssdSd2_CpfhO02FCqFla1fDJdbofK5GNS_r_JTOMapIQnkHU8eyXa4lvAzs_ijihcFdhFLFpKyIRTqNgSCOF8bYJSSpEnjjMuVT_2wyK2qoNHhmnBIBgwu6ZDW5_MShU23uGAPobqf5Pz4qEyQQ9qN9K3n2tzPI-piPoAS0nZmJe7iHD0dUGAf_2DVRkHrvqyRZS4IpuiHAd3cO8-YWtfTIEFXuHlY8b_uH47VWTQpeB8dO9klF22TNYa0a6HvFxhgeoFQdjBAxH4QYUXMS4EfPZgYKiphRfW6LPxClMiW48IdyNlsgbeC8bmtxReTdr7goSfOuaVEgzgJXuffAaq3W69MmfpAiEGpZNQlpNgWdOfnOcSpTV5qO72nywwWrqSwWvFw"
  }
]
Scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed @vpc @tlp-amber @tlp-red @CCC.VPC.CN03 @CCC.VPC.CN03.AR01 @Destructive @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"  (31µs)
And I call "{api}" with "GetServiceAPI" using argument "vpc"  (131µs)
And I refer to "{result}" as "vpcService"  (25µs)
And I refer to "{UID}" as "ReceiverVpcId"  (22µs)
And I refer to "{Cn03NonAllowlistedRequesterVpcId}" as "NonAllowlistedRequesterVpcId"  (27µs)
And I load environment variable "CN03_PEER_TRIAL_MATRIX_FILE" as "PeerTrialMatrixFile"  (22µs)
And "{ReceiverVpcId}" is not nil  (14µs)
Given "{NonAllowlistedRequesterVpcId}" is not nil  (17µs)
When I call "{vpcService}" with "EvaluatePeerAgainstAllowList" using argument "{NonAllowlistedRequesterVpcId}"  (125µs)
Then "{result.AllowedListDefined}" is true  (42µs)
And "{result.Allowed}" is false  (20µs)
When I call "{vpcService}" with "AttemptVpcPeeringDryRun" using arguments "{NonAllowlistedRequesterVpcId}" and "{ReceiverVpcId}"  (271ms)
Then "{result.DryRunAllowed}" is false  (44µs)
And "{result.AllowListDefined}" is true  (28µs)
And "{result.RequesterInAllowList}" is false  (31µs)
And "{result.GuardrailExpectation}" is "deny"  (32µs)
And "{result.GuardrailMismatch}" is false  (25µs)
And "{result.ExitCode}" should be greater than "0"  (34µs)
And "{result.Reason}" contains "guardrail aligned"  (32µs)
And "{result.ConflictType}" is ""  (30µs)
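The two CN03 scenarios above prove the guardrail by observing UnauthorizedOperation with "an explicit deny in an identity-based policy: .../policy/CN03PeeringGuardrail", but the policy text itself is not in the report. What follows is an added example, not the harness's code and not that policy: one way to write such a guardrail as an explicit-deny statement keyed on the EC2 condition keys ec2:AccepterVpc and ec2:RequesterVpc, together with a minimal evaluator for those two keys and the same expectation/mismatch bookkeeping the scenario asserts on. The policy body is an assumption; account, region and VPC IDs are the ones on this page.

```python
"""Added example (not the CCC harness's code, not the real CN03PeeringGuardrail).
Builds an assumed explicit-deny policy for CreateVpcPeeringConnection and checks
dry-run outcomes against the allow list the way the report's table does."""
import fnmatch
import json

ACCOUNT = "211203495394"
REGION = "us-east-1"
RECEIVER_VPC = "vpc-0232d940ac1e052fc"
ALLOWED_REQUESTERS = ["vpc-00edf4476fa81d898", "vpc-035f0b812cb80ea99"]
ACTION = "ec2:CreateVpcPeeringConnection"


def vpc_arn(vpc_id, account=ACCOUNT, region=REGION):
    return f"arn:aws:ec2:{region}:{account}:vpc/{vpc_id}"


def build_guardrail_policy(receiver_vpc, allowed_requesters):
    """Deny CreateVpcPeeringConnection when the accepter is the protected receiver VPC
    AND the requester is not one of the allow-listed VPCs. ec2:AccepterVpc and
    ec2:RequesterVpc are ARN-valued condition keys on the vpc-peering-connection
    resource type, which is the resource the report's denial names. An explicit Deny
    wins over any Allow, so a broad ec2:* grant elsewhere cannot undo it.
    (Assumed policy body; the account's actual policy is not on the page.)"""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CN03PeeringGuardrail",
            "Effect": "Deny",
            "Action": ACTION,
            "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:vpc-peering-connection/*",
            "Condition": {
                "ArnEquals": {"ec2:AccepterVpc": vpc_arn(receiver_vpc)},
                "ArnNotEquals": {"ec2:RequesterVpc": [vpc_arn(v) for v in allowed_requesters]},
            },
        }],
    }


def _condition_matches(operator, actual, expected):
    """Just enough of the IAM ARN operators for this policy: list values are OR-ed,
    and the *Not* variants negate the match."""
    values = expected if isinstance(expected, list) else [expected]
    hit = any(fnmatch.fnmatchcase(actual, v) for v in values)
    return not hit if operator.startswith("ArnNot") else hit


def explicit_deny(policy, requester_vpc, accepter_vpc):
    """True if any Deny statement for the action matches the request context.
    Every condition block in a statement must match for the statement to apply."""
    ctx = {"ec2:RequesterVpc": vpc_arn(requester_vpc), "ec2:AccepterVpc": vpc_arn(accepter_vpc)}
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Deny" or ACTION not in actions:
            continue
        if all(_condition_matches(op, ctx[key], exp)
               for op, keys in st.get("Condition", {}).items()
               for key, exp in keys.items()):
            return True
    return False


def classify_dry_run(error_code):
    """A --dry-run CreateVpcPeeringConnection that WOULD have succeeded fails with
    DryRunOperation; one the policy blocks fails with UnauthorizedOperation.
    A harness that treats every non-zero exit as 'deny' would pass a broken guardrail."""
    return {"DryRunOperation": "allow", "UnauthorizedOperation": "deny"}.get(error_code, "error")


def check_requester(requester_vpc, dry_run_error_code, policy=None):
    """One row of the report's enforcement table: what the allow list expects, what the
    assumed policy would do, and what the dry run actually returned."""
    policy = policy or build_guardrail_policy(RECEIVER_VPC, ALLOWED_REQUESTERS)
    in_allow_list = requester_vpc in ALLOWED_REQUESTERS
    expectation = "allow" if in_allow_list else "deny"
    observed = classify_dry_run(dry_run_error_code)
    return {
        "RequesterVpcId": requester_vpc,
        "RequesterInAllowList": in_allow_list,
        "GuardrailExpectation": expectation,
        "PolicyExplicitDeny": explicit_deny(policy, requester_vpc, RECEIVER_VPC),
        "DryRunAllowed": observed == "allow",
        "GuardrailMismatch": observed != expectation,
    }


if __name__ == "__main__":
    print(json.dumps(build_guardrail_policy(RECEIVER_VPC, ALLOWED_REQUESTERS), indent=2))
    # Requesters and outcomes from this report page, plus one allow-listed requester.
    for vpc, code in [("vpc-06343230833672ab6", "UnauthorizedOperation"),
                      ("vpc-030739f6bd57beef0", "UnauthorizedOperation"),
                      ("vpc-00edf4476fa81d898", "DryRunOperation")]:
        print(check_requester(vpc, code))
```

Three things the report's evidence does not cover on its own. An explicit Deny only removes permission, so allow-listed requesters still need an Allow for ec2:CreateVpcPeeringConnection somewhere; the dry run for an allow-listed requester should come back as DryRunOperation, and a mismatch there means the allow list is documented but not wired up. An identity-based policy binds only the principals it is attached to (here TerraformRole, per the error), so a second principal without it is not covered; a service control policy with the same condition keys closes that gap at the organization level. And the opaque "Encoded authorization failure message" in the attachment can be turned into the matching policy statement with `aws sts decode-authorization-message --encoded-message <value>` by a caller holding sts:DecodeAuthorizationMessage, which is the quickest way to confirm which statement produced a deny when more than one policy is in play.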
Feature: CCC.VPC.CN04.AR01 - Flow logs must capture all VPC traffic
Scenario: Main check (config): flow logs are active and capture all traffic @vpc @tlp-amber @tlp-red @CCC.VPC.CN04 @CCC.VPC.CN04.AR01 @Policy @MAIN @DEFAULT @CCC.VPC
Given a cloud api for "{Instance}" in "api"  (32µs)
And I call "{api}" with "GetServiceAPI" using argument "vpc"  (141µs)
And I refer to "{result}" as "vpcService"  (24µs)
Given I refer to "{UID}" as "TargetVpcId"  (21µs)
When I call "{vpcService}" with "EvaluateVpcFlowLogsControl" using argument "{TargetVpcId}"  (198ms)
Then "{result.FlowLogCount}" should be greater than "0"  (56µs)
And "{result.NonCompliantCount}" is "0"  (34µs)
Scenario: Behavioral check (active): traffic produces flow log records @vpc @tlp-amber @tlp-red @CCC.VPC.CN04 @CCC.VPC.CN04.AR01 @Behavioural @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"  (41µs)
And I call "{api}" with "GetServiceAPI" using argument "vpc"  (128µs)
And I refer to "{result}" as "vpcService"  (18µs)
Given I refer to "{UID}" as "TargetVpcId"  (15µs)
When I call "{vpcService}" with "PrepareFlowLogDeliveryObservation" using argument "{TargetVpcId}"  (267ms)
And I call "{vpcService}" with "GenerateTestTraffic" using argument "{TargetVpcId}"  (18s)
And I refer to "{result.ResourceId}" as "TestResourceId"  (43µs)
And I refer to "{result.CleanupDeleted}" as "TrafficCleanupDeleted"  (26µs)
And I call "{vpcService}" with "ObserveRecentFlowLogDelivery" using argument "{TargetVpcId}"  (85ms)
And I refer to "{result.RecordsObserved}" as "RecordsObserved"  (42µs)
And I call "{vpcService}" with "DeleteTestResource" using argument "{TestResourceId}"  (434ms)
Then "{result.Deleted}" is true  (47µs)
And "{TrafficCleanupDeleted}" is true  (23µs)
And "{RecordsObserved}" is true  (34µs)
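The CN04 config scenario asserts FlowLogCount > 0 and NonCompliantCount == 0; the behavioural scenario asserts RecordsObserved after generating traffic. The following added example (not the harness's EvaluateVpcFlowLogsControl or ObserveRecentFlowLogDelivery) shows both halves offline: a compliance evaluation over describe_flow_logs style entries, and a parser for default-format flow log records that decides whether fresh traffic records actually arrived. The flow log entries, ENI IDs, timestamps and record lines are constructed; the VPC ID and log group name are the ones on this page.

```python
"""Added example (not the CCC harness's code). Config half: are the VPC's flow
logs complete? Behavioural half: did traffic after a given instant produce real
records? Flow-log entries and record lines are constructed; the VPC ID and log
group name are from this report page."""
from dataclasses import dataclass

VPC_ID = "vpc-0232d940ac1e052fc"
LOG_GROUP = "/aws/vpc/flow-logs/cfi-1776044303-vpc"


def evaluate_vpc_flow_logs(vpc_id, flow_logs):
    """Only flow logs whose ResourceId is the VPC itself count: a subnet- or
    ENI-scoped log leaves the rest of the VPC unobserved. Each counted log must
    capture TrafficType ALL (ACCEPT-only or REJECT-only drops half the evidence),
    be ACTIVE, and not be failing delivery."""
    attached = [fl for fl in flow_logs if fl.get("ResourceId") == vpc_id]
    findings = {}
    for fl in attached:
        problems = []
        if fl.get("TrafficType") != "ALL":
            problems.append(f"TrafficType={fl.get('TrafficType')}")
        if fl.get("FlowLogStatus") != "ACTIVE":
            problems.append(f"FlowLogStatus={fl.get('FlowLogStatus')}")
        if fl.get("DeliverLogsStatus") == "FAILED":
            problems.append(f"delivery failed: {fl.get('DeliverLogsErrorMessage', '')}")
        if problems:
            findings[fl["FlowLogId"]] = problems
    return {"FlowLogCount": len(attached), "NonCompliantCount": len(findings), "Findings": findings}


# Default flow log record format (version 2), space separated.
DEFAULT_FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
                  "protocol packets bytes start end action log-status").split()


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    start: int
    end: int
    action: str
    log_status: str


def parse_default_record(line):
    """NODATA and SKIPDATA records carry '-' in the address, port and counter
    fields, so only start/end are safe to convert to integers."""
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS):
        raise ValueError(f"expected {len(DEFAULT_FIELDS)} fields, got {len(parts)}: {line!r}")
    f = dict(zip(DEFAULT_FIELDS, parts))
    return FlowRecord(f["interface-id"], f["srcaddr"], f["dstaddr"],
                      int(f["start"]), int(f["end"]), f["action"], f["log-status"])


def observe_recent_flow_log_delivery(lines, since_epoch, interface_id=None):
    """A record counts only if it is real traffic (log-status OK, so NODATA from an
    idle ENI does not pass) whose aggregation window ends at or after the
    observation start, optionally restricted to the test resource's ENI."""
    matching = [r for r in map(parse_default_record, lines)
                if r.log_status == "OK" and r.end >= since_epoch
                and (interface_id is None or r.interface_id == interface_id)]
    return {"RecordsObserved": bool(matching), "MatchingRecords": len(matching)}


# Constructed sample data: one complete log, one REJECT-only log on the same VPC,
# and one subnet-scoped log that must not be counted for the VPC.
SAMPLE_FLOW_LOGS = [
    {"FlowLogId": "fl-all", "ResourceId": VPC_ID, "TrafficType": "ALL",
     "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "SUCCESS", "LogGroupName": LOG_GROUP},
    {"FlowLogId": "fl-reject-only", "ResourceId": VPC_ID, "TrafficType": "REJECT",
     "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "SUCCESS", "LogGroupName": LOG_GROUP},
    {"FlowLogId": "fl-subnet", "ResourceId": "subnet-0123456789abcdef0", "TrafficType": "ALL",
     "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "SUCCESS", "LogGroupName": LOG_GROUP},
]
TEST_ENI = "eni-0a1b2c3d4e5f60718"          # constructed
OBSERVATION_START = 1776044400              # constructed epoch seconds
SAMPLE_RECORDS = [
    f"2 211203495394 {TEST_ENI} 10.0.1.10 10.0.2.20 49152 443 6 12 2048 1776044400 1776044460 ACCEPT OK",
    f"2 211203495394 {TEST_ENI} - - - - - - - 1776044340 1776044400 - NODATA",
    "2 211203495394 eni-0ffffffffffffffff 198.51.100.7 10.0.1.10 40000 22 6 3 180 1776044410 1776044470 REJECT OK",
]

if __name__ == "__main__":
    print(evaluate_vpc_flow_logs(VPC_ID, SAMPLE_FLOW_LOGS))
    print(observe_recent_flow_log_delivery(SAMPLE_RECORDS, OBSERVATION_START, TEST_ENI))
```

The behavioural half is what catches a flow log that is ACTIVE on paper but delivers nothing (a log-group role without write permission, a destination in the wrong account), and the log-status filter matters because an idle interface emits NODATA records that look like delivery while proving no traffic was captured. Records are only published after the aggregation interval (600 seconds by default, 60 at minimum) plus delivery latency, so a harness should poll this check with a deadline rather than sample once; the 18s GenerateTestTraffic step above is the waiting built into this run.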