🥒 CCC.SvlsComp Test: avmfunc20260611

Test Parameters

ServiceTypeserverless-computing
ProviderServiceTypeMicrosoft.Web/sites/functions
CatalogTypesCCC.SvlsComp
TagFilter@Behavioural, @serverless-computing, @Behavioural
UIDavmfunc20260611
ResourceNameavmfunc20260611
Config
{}
azure-log-analytics-workspace-id433b7b84-1ba6-4f5c-8375-6d2016f07e6a
azure-resource-groupavm-testing
azure-subscription-idc1cedd8e-bf91-4d7d-a4cc-45700402a2a1
burst-overrun15
catalog-versions
{
  "CCC.Core": "v2025.10",
  "CCC.SvlsComp": "DEV"
}
function-nameavmfunc20260611
permitted-regions
[
  "westus2"
]
private-endpoint-urlhttps://avmfunc20260611.privatelink.azurewebsites.net/api/HttpTrigger
providerazure
rate-limit-threshold10
regionwestus2
resourceavmfunc20260611
serviceserverless-computing
service-typeserverless-computing
tags@Behavioural @serverless-computing

Summary

Generated: 2026-06-18 15:27:47

Total Run Time: 34s

Features: 12

Scenarios: 14 (✅ 5 | ❌ 9)

Steps: 105 (✅ 84 | ❌ 9 | ⏭️ 11 | ❓ 1)

Feature: CCC.Core.CN02.AR01 - Encrypt Data For Storage
Scenario: Function encryption status reports enabled controls @CCC.Core @CCC.Core.CN02 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @serverless-computing
Given a cloud api for "{config}" in "api"44µs
Given I call "{api}" with "GetServiceAPI" using argument "serverless-computing"115µs
And I refer to "{result}" as "svc"16µs
When I call "{svc}" with "GetFunctionEncryptionStatus" using argument "{uid}"40µs
Then "{result}" is not an error15µs
And I refer to "{result}" as "encryption"11µs
And I attach "{encryption}" to the test output as "Function Encryption Status"38µs
Then "{encryption.EnvEncrypted}" is "true"32µs
expected {encryption.EnvEncrypted} to equal 'true', got 'false'
📎 Attachments:
Function Encryption Status
View JSON (61 bytes)
{"EnvEncrypted":false,"KMSKeyArn":"","SecretsEncrypted":true}
Feature: CCC.SvlsComp.CN01.AR01 - Deny Public Internet Access
Scenario: Private invoke path succeeds @CCC.SvlsComp @CCC.SvlsComp.CN01 @PerService @tlp-amber @tlp-red @Behavioural @serverless-computing @SANITY @OPT_IN
Given a cloud api for "{config}" in "api"22µs
And I call "{api}" with "GetServiceAPI" using argument "serverless-computing"26µs
And I refer to "{result}" as "svc"17µs
When I call "{svc}" with "AttemptPrivateInvoke" using argument "{uid}"9ms
Then "{result}" is not an error19µs
And I refer to "{result}" as "privateInvoke"13µs
Then "{privateInvoke.Invoked}" is "true"20µs
expected {privateInvoke.Invoked} to equal 'true', got 'false'
Scenario: No public invoke surface is configured @CCC.SvlsComp @CCC.SvlsComp.CN01 @PerService @tlp-amber @tlp-red @Behavioural @serverless-computing @MAIN
Given a cloud api for "{config}" in "api"27µs
And I call "{api}" with "GetServiceAPI" using argument "serverless-computing"25µs
And I refer to "{result}" as "svc"17µs
When I call "{svc}" with "GetInvokeEndpointExposure" using argument "{uid}"48µs
Then "{result}" is not an error22µs
And I refer to "{result}" as "exposure"11µs
And I attach "{exposure}" to the test output as "Invoke Endpoint Exposure"35µs
Then "{exposure.PublicEndpointConfigured}" is "false"32µs
📎 Attachments:
Invoke Endpoint Exposure
View JSON (183 bytes)
{"PublicEndpointConfigured":false,"PublicEndpointURL":"","PrivateEndpointConfigured":true,"PrivateEndpointURL":"https://avmfunc20260611.privatelink.azurewebsites.net/api/HttpTrigger"}
Scenario: Public internet invoke attempt is denied @CCC.SvlsComp @CCC.SvlsComp.CN01 @PerService @tlp-amber @tlp-red @Behavioural @serverless-computing @MAIN @OPT_IN
Given a cloud api for "{config}" in "api"22µs
And I call "{api}" with "GetServiceAPI" using argument "serverless-computing"26µs
And I refer to "{result}" as "svc"41µs
When I call "{svc}" with "AttemptPublicInternetInvoke" using argument "{uid}"32µs
Then "{result}" is not an error24µs
expected {result} to not be an error, but got: no public invoke URL available (set public-invoke-url)
And I refer to "{result}" as "publicInvoke"15µs
And I attach "{publicInvoke}" to the test output as "Public Invoke Attempt"19µs
Then "{publicInvoke.AccessDenied}" is "true"25µs
Feature: CCC.SvlsComp.CN02.AR01 - Function Invocation Rate Limits
Scenario: Invocations beyond threshold are throttled @CCC.SvlsComp @CCC.SvlsComp.CN02 @PerService @tlp-amber @tlp-red @Behavioural @Destructive @serverless-computing
Given a cloud api for "{config}" in "api"26µs
And I call "{api}" with "GetServiceAPI" using argument "serverless-computing"28µs
And I refer to "{result}" as "svc"20µs
When I call "{svc}" with "InvokeFunctionBurst" using arguments "{uid}" and "{rate-limit-threshold}"83ms
Then "{result}" is not an error27µs
And I refer to "{result}" as "withinThreshold"17µs
Then "{withinThreshold.AllSucceeded}" is "true"27µs
expected {withinThreshold.AllSucceeded} to equal 'true', got 'false'
When I call "{svc}" with "InvokeFunctionBurst" using arguments "{uid}" and "{burst-overrun}"17µs
Then "{result}" is not an error16µs
And I refer to "{result}" as "overrun"13µs
And I attach "{overrun}" to the test output as "Invocation Burst Overrun"15µs
Then "{overrun.ThrottledCount}" is greater than "{0}"24µs
Feature: CCC.Core.CN03.AR01 - Multi-Factor Authentication for Destructive Operations
Scenario: MFA requirement for destructive operations cannot be tested automatically @CCC.Core @CCC.Core.CN03 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @object-storage @load-balancer @virtual-machines @serverless-computing @NotTestable
Given a cloud api for "{config}" in "api"33µs
Then no-op required24µs
Feature: CCC.Core.CN04.AR01 - Log Administrative Access Attempts
Scenario: Verify admin actions are logged with identity and timestamp @CCC.Core @CCC.Core.CN04 @PerService @tlp-amber @tlp-clear @tlp-green @tlp-red @Behavioural @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"31µs
And I call "{api}" with "GetServiceAPI" using argument "{service-type}"38µs
And I refer to "{result}" as "theService"21µs
Given I call "{api}" with "GetServiceAPI" using argument "logging"204µs
And I refer to "{result}" as "loggingService"13µs
When I call "{theService}" with "UpdateResourcePolicy"61µs
Then "{result}" is not an error16µs
And I attach "{result}" to the test output as "Policy Update Result"28µs
And we wait for a period of "10000" ms10s
When I call "{loggingService}" with "QueryLogs" using arguments "{resource-name}", "admin", and "{20}"2s
Then "{result}" is not an error25µs
And I refer to "{result}" as "adminLogs"19µs
And I attach "{adminLogs}" to the test output as "Admin Activity Logs"78µs
Then "{adminLogs}" is an array of objects with at least the following contents47µs
result
Succeeded
expected row not found: map[result:Succeeded]
📎 Attachments:
Policy Update Result
View JSON (4 bytes)
null
Admin Activity Logs
View JSON (2 bytes)
[]
Feature: CCC.Core.CN04.AR02 - Log Data Modification Attempts
Scenario: Verify data modifications are logged with identity and timestamp @CCC.Core @CCC.Core.CN04 @PerService @tlp-amber @tlp-red @Behavioural @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"43µs
Given I call "{api}" with "GetServiceAPI" using argument "{service-type}"37µs
And I refer to "{result}" as "theService"33µs
And I call "{api}" with "GetServiceAPI" using argument "logging"32µs
And I refer to "{result}" as "loggingService"17µs
When I call "{theService}" with "TriggerDataWrite" using argument "{resource-name}"6ms
And I attach "{result}" to the test output as "Data Write Trigger Result"45µs
And we wait for a period of "10000" ms10s
Then I call "{loggingService}" with "QueryLogs" using arguments "{resource-name}", "data-write", and "{20}"1s
And I refer to "{result}" as "dataLogs"25µs
And I attach "{dataLogs}" to the test output as "Data Write Logs"36µs
Then "{dataLogs}" is an array of objects with at least the following contents36µs
result
Succeeded
field {dataLogs} is not an array
📎 Attachments:
Data Write Trigger Result
View JSON (4 bytes)
null
Data Write Logs
View Content (1134 bytes)
Log Analytics workspace query: POST https://api.loganalytics.io/v1/workspaces/433b7b84-1ba6-4f5c-8375-6d2016f07e6a/query
--------------------------------------------------------------------------------
RESPONSE 403: 403 Forbidden
ERROR CODE: InsufficientAccessError
--------------------------------------------------------------------------------
{
  "error": {
    "message": "The provided credentials have insufficient access to perform the requested operation",
    "code": "InsufficientAccessError",
    "correlationId": "2027dbeb-2c83-44d2-9240-1065fe8ff30c",
    "innererror": {
      "code": "NspValidationFailedError",
      "message": "Access to workspace 'avmlaw20260616' from '68.154.54.39' is denied. To allow access from public networks, change the workspace Networking settings or add it to a Network Security Perimeter. (workspace resource ID: /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/avm-testing/providers/microsoft.operationalinsights/workspaces/avmlaw20260616) Please contact your administrator."
    }
  }
}
--------------------------------------------------------------------------------
Feature: CCC.Core.CN04.AR03 - Log Data Read Attempts
Scenario: Verify data read operations are logged with identity and timestamp @CCC.Core @CCC.Core.CN04 @PerService @tlp-red @Behavioural @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"41µs
Given I call "{api}" with "GetServiceAPI" using argument "{service-type}"39µs
And I refer to "{result}" as "theService"14µs
And I call "{api}" with "GetServiceAPI" using argument "logging"40µs
And I refer to "{result}" as "loggingService"14µs
When I call "{theService}" with "TriggerDataRead" using argument "{resource-name}"6ms
And I attach "{result}" to the test output as "Data Read Trigger Result"35µs
And we wait for a period of "10000" ms10s
When I call "{loggingService}" with "QueryLogs" using arguments "{resource-name}", "data-read", and "{20}"543ms
Then "{result}" is not an error37µs
expected {result} to not be an error, but got: Log Analytics workspace query: POST https://api.loganalytics.io/v1/workspaces/433b7b84-1ba6-4f5c-8375-6d2016f07e6a/query -------------------------------------------------------------------------------- RESPONSE 403: 403 Forbidden ERROR CODE: InsufficientAccessError -------------------------------------------------------------------------------- { "error": { "message": "The provided credentials have insufficient access to perform the requested operation", "code": "InsufficientAccessError", "correlationId": "709fe8ba-ca2e-47cc-b8b4-0efb97bca3dd", "innererror": { "code": "NspValidationFailedError", "message": "Access to workspace 'avmlaw20260616' from '68.154.54.39' is denied. To allow access from public networks, change the workspace Networking settings or add it to a Network Security Perimeter. (workspace resource ID: /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/avm-testing/providers/microsoft.operationalinsights/workspaces/avmlaw20260616) Please contact your administrator." } } } --------------------------------------------------------------------------------
And I refer to "{result}" as "readLogs"14µs
And I attach "{readLogs}" to the test output as "Data Read Logs"14µs
Then "{readLogs}" is an array of objects with at least the following contents13µs
result
Succeeded
📎 Attachments:
Data Read Trigger Result
View JSON (4 bytes)
null
Feature: CCC.Core.CN05.AR06 - Block All Unauthorized Requests
Scenario: Service prevents data read by user with no access @CCC.Core @CCC.Core.CN05 @PerService @tlp-amber @tlp-green @tlp-red @Destructive @Behavioural @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"36µs
And I call "{api}" with "GetServiceAPIWithIdentity" using arguments "{service-type}" and "test-user-no-access"330µs
And "{result}" is not an error19µs
And I refer to "{result}" as "userReadableService"12µs
When I call "{userReadableService}" with "TriggerDataRead" using argument "{resource-name}"8ms
Then "{result}" is an error26µs
expected {result} to be an error, got
And I attach "{result}" to the test output as "no-access-trigger-data-read-error.txt"15µs
Feature: CCC.Core.CN07.AR01 - Publish Enumeration Activity Events
Scenario: Enumeration event publishing cannot be tested automatically @CCC.Core @CCC.Core.CN07 @PerService @tlp-amber @tlp-red @Behavioural @NotTestable @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"30µs
Then no-op required25µs
Feature: CCC.Core.CN07.AR02 - Log Enumeration Activities
Scenario: Enumeration logging cannot be verified automatically @CCC.Core @CCC.Core.CN07 @PerService @tlp-amber @tlp-clear @tlp-green @tlp-red @Behavioural @NotTestable @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"29µs
Then no-op required26µs
Feature: CCC.Core.CN10.AR01 - Replication Destination Trust
Scenario: Replication destination trust cannot be verified automatically @CCC.Core @CCC.Core.CN10 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @NotTestable @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"27µs
Then no-op required23µs
Feature: CCC.Core.CN06.AR01 - Resource Location Compliance
Scenario: Resource region can be retrieved for compliance verification @CCC.Core @CCC.Core.CN06 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @object-storage @vpc @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api"36µs
Given I call "{api}" with "GetServiceAPI" using argument "{service-type}"35µs
And I refer to "{result}" as "theService"23µs
When I call "{theService}" with "GetResourceRegion" using argument "{resource-name}"47µs
Then "{result}" is not an error25µs
And I refer to "{result}" as "region"34µs
And I attach "{region}" to the test output as "Resource Region"58µs
Then "{permitted-regions}" is an array of objects with at least the following contents618µs
value
{region}
expected row not found: map[value:{region}]
📎 Attachments:
Resource Region
View Content (7 bytes)
westus2