🥒 CCC.SvlsComp Test: avmfunc20260611

Test Parameters

ServiceTypeserverless-computing
ProviderServiceTypeMicrosoft.Web/sites/functions
CatalogTypesCCC.SvlsComp
TagFilter@Behavioural, @serverless-computing, @Behavioural
UIDavmfunc20260611
ResourceNameavmfunc20260611
Config
{}
azure-log-analytics-workspace-id433b7b84-1ba6-4f5c-8375-6d2016f07e6a
azure-resource-groupavm-testing
azure-subscription-idc1cedd8e-bf91-4d7d-a4cc-45700402a2a1
burst-overrun15
catalog-versions
{
  "CCC.Core": "v2025.10",
  "CCC.SvlsComp": "DEV"
}
function-nameavmfunc20260611
permitted-regions
[
  "westus2"
]
private-endpoint-urlhttps://avmfunc20260611.privatelink.azurewebsites.net/api/HttpTrigger
providerazure
rate-limit-threshold10
regionwestus2
resourceavmfunc20260611
serviceserverless-computing
service-typeserverless-computing
tags@Behavioural @serverless-computing

Summary

Generated: 2026-06-22 17:44:11

Total Run Time: 34s

Features: 12

Scenarios: 14 (✅ 5 | ❌ 9)

Steps: 105 (✅ 84 | ❌ 9 | ⏭️ 11 | ❓ 1)

Feature: CCC.Core.CN02.AR01 - Encrypt Data For Storage
Scenario: Function encryption status reports enabled controls @CCC.Core @CCC.Core.CN02 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @serverless-computing
Given a cloud api for "{config}" in "api"39µs
Given I call "{api}" with "GetServiceAPI" using argument "serverless-computing"96µs
And I refer to "{result}" as "svc"10µs
When I call "{svc}" with "GetFunctionEncryptionStatus" using argument "{uid}"33µs
Then "{result}" is not an error14µs
And I refer to "{result}" as "encryption"10µs
And I attach "{encryption}" to the test output as "Function Encryption Status"28µs
Then "{encryption.EnvEncrypted}" is "true"19µs
expected {encryption.EnvEncrypted} to equal 'true', got 'false'
📎 Attachments:
Function Encryption Status
View JSON (61 bytes)
{"EnvEncrypted":false,"KMSKeyArn":"","SecretsEncrypted":true}
Feature: CCC.SvlsComp.CN01.AR01 - Deny Public Internet Access
Scenario: Private invoke path succeeds @CCC.SvlsComp @CCC.SvlsComp.CN01 @PerService @tlp-amber @tlp-red @Behavioural @serverless-computing @SANITY @OPT_IN
Given a cloud api for "{config}" in "api"25µs
And I call "{api}" with "GetServiceAPI" using argument "serverless-computing"28µs
And I refer to "{result}" as "svc"17µs
When I call "{svc}" with "AttemptPrivateInvoke" using argument "{uid}"22ms
Then "{result}" is not an error19µs
And I refer to "{result}" as "privateInvoke"13µs
Then "{privateInvoke.Invoked}" is "true"19µs
expected {privateInvoke.Invoked} to equal 'true', got 'false'
Scenario: No public invoke surface is configured @CCC.SvlsComp @CCC.SvlsComp.CN01 @PerService @tlp-amber @tlp-red @Behavioural @serverless-computing @MAIN
Given a cloud api for "{config}" in "api"61µs
And I call "{api}" with "GetServiceAPI" using argument "serverless-computing"62µs
And I refer to "{result}" as "svc"16µs
When I call "{svc}" with "GetInvokeEndpointExposure" using argument "{uid}"47µs
Then "{result}" is not an error22µs
And I refer to "{result}" as "exposure"19µs
And I attach "{exposure}" to the test output as "Invoke Endpoint Exposure"52µs
Then "{exposure.PublicEndpointConfigured}" is "false"35µs
📎 Attachments:
Invoke Endpoint Exposure
View JSON (183 bytes)
{"PublicEndpointConfigured":false,"PublicEndpointURL":"","PrivateEndpointConfigured":true,"PrivateEndpointURL":"https://avmfunc20260611.privatelink.azurewebsites.net/api/HttpTrigger"}
Scenario: Public internet invoke attempt is denied @CCC.SvlsComp @CCC.SvlsComp.CN01 @PerService @tlp-amber @tlp-red @Behavioural @serverless-computing @MAIN @OPT_IN
Given a cloud api for "{config}" in "api"35µs
And I call "{api}" with "GetServiceAPI" using argument "serverless-computing"19µs
And I refer to "{result}" as "svc"11µs
When I call "{svc}" with "AttemptPublicInternetInvoke" using argument "{uid}"28µs
Then "{result}" is not an error17µs
expected {result} to not be an error, but got: no public invoke URL available (set public-invoke-url)
And I refer to "{result}" as "publicInvoke"10µs
And I attach "{publicInvoke}" to the test output as "Public Invoke Attempt"13µs
Then "{publicInvoke.AccessDenied}" is "true"17µs
Feature: CCC.SvlsComp.CN02.AR01 - Function Invocation Rate Limits
Scenario: Invocations beyond threshold are throttled @CCC.SvlsComp @CCC.SvlsComp.CN02 @PerService @tlp-amber @tlp-red @Behavioural @Destructive @serverless-computing
Given a cloud api for "{config}" in "api"24µs
And I call "{api}" with "GetServiceAPI" using argument "serverless-computing"28µs
And I refer to "{result}" as "svc"11µs
When I call "{svc}" with "InvokeFunctionBurst" using arguments "{uid}" and "{rate-limit-threshold}"107ms
Then "{result}" is not an error27µs
And I refer to "{result}" as "withinThreshold"15µs
Then "{withinThreshold.AllSucceeded}" is "true"25µs
expected {withinThreshold.AllSucceeded} to equal 'true', got 'false'
When I call "{svc}" with "InvokeFunctionBurst" using arguments "{uid}" and "{burst-overrun}"14µs
Then "{result}" is not an error14µs
And I refer to "{result}" as "overrun"10µs
And I attach "{overrun}" to the test output as "Invocation Burst Overrun"14µs
Then "{overrun.ThrottledCount}" is greater than "{0}"21µs
Feature: CCC.Core.CN03.AR01 - Multi-Factor Authentication for Destructive Operations
Scenario: MFA requirement for destructive operations cannot be tested automatically @CCC.Core @CCC.Core.CN03 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @object-storage @load-balancer @virtual-machines @serverless-computing @NotTestable
Given a cloud api for "{config}" in "api"41µs
Then no-op required16µs
Feature: CCC.Core.CN04.AR01 - Log Administrative Access Attempts
Scenario: Verify admin actions are logged with identity and timestamp @CCC.Core @CCC.Core.CN04 @PerService @tlp-amber @tlp-clear @tlp-green @tlp-red @Behavioural @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"25µs
And I call "{api}" with "GetServiceAPI" using argument "{service-type}"34µs
And I refer to "{result}" as "theService"18µs
Given I call "{api}" with "GetServiceAPI" using argument "logging"172µs
And I refer to "{result}" as "loggingService"12µs
When I call "{theService}" with "UpdateResourcePolicy"53µs
Then "{result}" is not an error15µs
And I attach "{result}" to the test output as "Policy Update Result"24µs
And we wait for a period of "10000" ms10s
When I call "{loggingService}" with "QueryLogs" using arguments "{resource-name}", "admin", and "{20}"1s
Then "{result}" is not an error24µs
And I refer to "{result}" as "adminLogs"21µs
And I attach "{adminLogs}" to the test output as "Admin Activity Logs"79µs
Then "{adminLogs}" is an array of objects with at least the following contents41µs
result
Succeeded
expected row not found: map[result:Succeeded]
📎 Attachments:
Policy Update Result
View JSON (4 bytes)
null
Admin Activity Logs
View JSON (2 bytes)
[]
Feature: CCC.Core.CN04.AR02 - Log Data Modification Attempts
Scenario: Verify data modifications are logged with identity and timestamp @CCC.Core @CCC.Core.CN04 @PerService @tlp-amber @tlp-red @Behavioural @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"94µs
Given I call "{api}" with "GetServiceAPI" using argument "{service-type}"59µs
And I refer to "{result}" as "theService"41µs
And I call "{api}" with "GetServiceAPI" using argument "logging"42µs
And I refer to "{result}" as "loggingService"34µs
When I call "{theService}" with "TriggerDataWrite" using argument "{resource-name}"9ms
And I attach "{result}" to the test output as "Data Write Trigger Result"38µs
And we wait for a period of "10000" ms10s
Then I call "{loggingService}" with "QueryLogs" using arguments "{resource-name}", "data-write", and "{20}"2s
And I refer to "{result}" as "dataLogs"23µs
And I attach "{dataLogs}" to the test output as "Data Write Logs"63µs
Then "{dataLogs}" is an array of objects with at least the following contents34µs
result
Succeeded
field {dataLogs} is not an array
📎 Attachments:
Data Write Trigger Result
View JSON (4 bytes)
null
Data Write Logs
View Content (1135 bytes)
Log Analytics workspace query: POST https://api.loganalytics.io/v1/workspaces/433b7b84-1ba6-4f5c-8375-6d2016f07e6a/query
--------------------------------------------------------------------------------
RESPONSE 403: 403 Forbidden
ERROR CODE: InsufficientAccessError
--------------------------------------------------------------------------------
{
  "error": {
    "message": "The provided credentials have insufficient access to perform the requested operation",
    "code": "InsufficientAccessError",
    "correlationId": "4f6ba071-9b6f-4229-8e7d-60dff22edf40",
    "innererror": {
      "code": "NspValidationFailedError",
      "message": "Access to workspace 'avmlaw20260616' from '172.203.195.1' is denied. To allow access from public networks, change the workspace Networking settings or add it to a Network Security Perimeter. (workspace resource ID: /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/avm-testing/providers/microsoft.operationalinsights/workspaces/avmlaw20260616) Please contact your administrator."
    }
  }
}
--------------------------------------------------------------------------------
Feature: CCC.Core.CN04.AR03 - Log Data Read Attempts
Scenario: Verify data read operations are logged with identity and timestamp @CCC.Core @CCC.Core.CN04 @PerService @tlp-red @Behavioural @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"56µs
Given I call "{api}" with "GetServiceAPI" using argument "{service-type}"35µs
And I refer to "{result}" as "theService"22µs
And I call "{api}" with "GetServiceAPI" using argument "logging"25µs
And I refer to "{result}" as "loggingService"21µs
When I call "{theService}" with "TriggerDataRead" using argument "{resource-name}"7ms
And I attach "{result}" to the test output as "Data Read Trigger Result"30µs
And we wait for a period of "10000" ms10s
When I call "{loggingService}" with "QueryLogs" using arguments "{resource-name}", "data-read", and "{20}"22ms
Then "{result}" is not an error30µs
expected {result} to not be an error, but got: Log Analytics workspace query: POST https://api.loganalytics.io/v1/workspaces/433b7b84-1ba6-4f5c-8375-6d2016f07e6a/query -------------------------------------------------------------------------------- RESPONSE 403: 403 Forbidden ERROR CODE: InsufficientAccessError -------------------------------------------------------------------------------- { "error": { "message": "The provided credentials have insufficient access to perform the requested operation", "code": "InsufficientAccessError", "correlationId": "0c824944-cbe6-424e-a97b-c82fcac935de", "innererror": { "code": "NspValidationFailedError", "message": "Access to workspace 'avmlaw20260616' from '172.203.195.1' is denied. To allow access from public networks, change the workspace Networking settings or add it to a Network Security Perimeter. (workspace resource ID: /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/avm-testing/providers/microsoft.operationalinsights/workspaces/avmlaw20260616) Please contact your administrator." } } } --------------------------------------------------------------------------------
And I refer to "{result}" as "readLogs"20µs
And I attach "{readLogs}" to the test output as "Data Read Logs"13µs
Then "{readLogs}" is an array of objects with at least the following contents12µs
result
Succeeded
📎 Attachments:
Data Read Trigger Result
View JSON (4 bytes)
null
Feature: CCC.Core.CN05.AR06 - Block All Unauthorized Requests
Scenario: Service prevents data read by user with no access @CCC.Core @CCC.Core.CN05 @PerService @tlp-amber @tlp-green @tlp-red @Destructive @Behavioural @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"41µs
And I call "{api}" with "GetServiceAPIWithIdentity" using arguments "{service-type}" and "test-user-no-access"56µs
And "{result}" is not an error51µs
And I refer to "{result}" as "userReadableService"22µs
When I call "{userReadableService}" with "TriggerDataRead" using argument "{resource-name}"13ms
Then "{result}" is an error25µs
expected {result} to be an error, got
And I attach "{result}" to the test output as "no-access-trigger-data-read-error.txt"26µs
Feature: CCC.Core.CN07.AR01 - Publish Enumeration Activity Events
Scenario: Enumeration event publishing cannot be tested automatically @CCC.Core @CCC.Core.CN07 @PerService @tlp-amber @tlp-red @Behavioural @NotTestable @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"63µs
Then no-op required36µs
Feature: CCC.Core.CN07.AR02 - Log Enumeration Activities
Scenario: Enumeration logging cannot be verified automatically @CCC.Core @CCC.Core.CN07 @PerService @tlp-amber @tlp-clear @tlp-green @tlp-red @Behavioural @NotTestable @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"38µs
Then no-op required22µs
Feature: CCC.Core.CN10.AR01 - Replication Destination Trust
Scenario: Replication destination trust cannot be verified automatically @CCC.Core @CCC.Core.CN10 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @NotTestable @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"34µs
Then no-op required22µs
Feature: CCC.Core.CN06.AR01 - Resource Location Compliance
Scenario: Resource region can be retrieved for compliance verification @CCC.Core @CCC.Core.CN06 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @object-storage @vpc @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"31µs
Given I call "{api}" with "GetServiceAPI" using argument "{service-type}"31µs
And I refer to "{result}" as "theService"21µs
When I call "{theService}" with "GetResourceRegion" using argument "{resource-name}"43µs
Then "{result}" is not an error23µs
And I refer to "{result}" as "region"19µs
And I attach "{region}" to the test output as "Resource Region"36µs
Then "{permitted-regions}" is an array of objects with at least the following contents50µs
value
{region}
expected row not found: map[value:{region}]
📎 Attachments:
Resource Region
View Content (7 bytes)
westus2