🥒 CCC.VPC Test: cfi-20260526t102301z-vpc

Test Parameters

ServiceTypevpc
ProviderServiceTypeec2:vpc
CatalogTypesCCC.VPC
TagFilter@MAIN, @CCC.VPC, ~@NEGATIVE, ~@OPT_IN
UIDvpc-0d5625cb163976d86
ResourceNamecfi-20260526t102301z-vpc
Instance
{
  "ID": "main-aws",
  "Properties": {
    "Provider": "aws",
    "Region": "us-east-1",
    "AzureResourceGroup": "",
    "AzureSubscriptionID": "",
    "GcpProjectId": ""
  },
  "Services": [
    {
      "Type": "object-storage",
      "Properties": {
        "object-storage-retention-period-days": 2
      }
    },
    {
      "Type": "logging",
      "Properties": {
        "aws-cloud-trail-log-group-name": "cfi-test-log-group"
      }
    },
    {
      "Type": "vpc",
      "Properties": {
        "bad-vpc-id": "vpc-0f3af4b6986f1e0ab",
        "cn03-allowed-requester-vpc-ids": null,
        "cn03-allowed-requester-vpc-ids-csv": "vpc-0a591620e00092dc2,vpc-0dae16d47368ba7ae",
        "cn03-disallowed-requester-vpc-ids": null,
        "cn03-disallowed-requester-vpc-ids-csv": "vpc-0a7d07499ce3992e8,vpc-0eadc3a916f373b88",
        "cn03-non-allowlisted-requester-vpc-id": "vpc-0666381e8a3976bde",
        "cn03-receiver-vpc-id": "vpc-0d5625cb163976d86",
        "cn04-flow-log-group-name": "/aws/vpc/flow-logs/cfi-20260526t102301z-vpc"
      }
    }
  ],
  "Rules": {
    "permitted-account-ids": "",
    "permitted-regions": [
      "us-east-1"
    ]
  }
}
AwsCloudTrailLogGroupNamecfi-test-log-group
BadVpcIdvpc-0f3af4b6986f1e0ab
Cn03AllowedRequesterVpcIdsCsvvpc-0a591620e00092dc2,vpc-0dae16d47368ba7ae
Cn03DisallowedRequesterVpcIdsCsvvpc-0a7d07499ce3992e8,vpc-0eadc3a916f373b88
Cn03NonAllowlistedRequesterVpcIdvpc-0666381e8a3976bde
Cn03ReceiverVpcIdvpc-0d5625cb163976d86
Cn04FlowLogGroupName/aws/vpc/flow-logs/cfi-20260526t102301z-vpc
ObjectStorageRetentionPeriodDays2
PermittedRegions
[
  "us-east-1"
]
Provideraws
Regionus-east-1

Summary

Generated: 2026-05-26 10:33:01

Total Run Time: 17s

Features: 4

Scenarios: 7 (✅ 7 | ❌ 0)

Steps: 80 (✅ 80 | ❌ 0 | ⏭️ 0 | ❓ 0)

Feature: CCC.VPC.CN01.AR01 - Subscription must not contain default network resources
Scenario: Main check: no default VPC exists @vpc @tlp-amber @tlp-red @CCC.VPC.CN01 @CCC.VPC.CN01.AR01 @Policy @MAIN @CCC.VPC @DEFAULT
Given a cloud api for "{Instance}" in "api"37µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"117µs
And I refer to "{result}" as "vpcService"13µs
When I call "{vpcService}" with "CountDefaultVpcs"157ms
Then "{result}" is "0"33µs
Feature: CCC.VPC.CN02.AR01 - No external IP by default in public subnets
Scenario: Main check (config): public subnets do not auto-assign external IPs @vpc @tlp-red @CCC.VPC.CN02 @CCC.VPC.CN02.AR01 @Policy @MAIN @CCC.VPC @DEFAULT
Given a cloud api for "{Instance}" in "api"41µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"152µs
And I refer to "{result}" as "vpcService"16µs
Given I refer to "{UID}" as "TargetVpcId"14µs
When I call "{vpcService}" with "EvaluatePublicSubnetDefaultIPControl" using argument "{TargetVpcId}"321ms
Then "{result.ViolatingSubnetCount}" is "0"49µs
And "{result.Reason}" contains "disable default public IP"65µs
Scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP @vpc @tlp-red @CCC.VPC.CN02 @CCC.VPC.CN02.AR01 @Behavioural @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"31µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"147µs
And I refer to "{result}" as "vpcService"24µs
Given I refer to "{UID}" as "TargetVpcId"23µs
When I call "{vpcService}" with "SelectPublicSubnetForTest" using argument "{TargetVpcId}"201ms
And I refer to "{result.SubnetId}" as "TestSubnetId"48µs
And I call "{vpcService}" with "CreateTestResourceInSubnet" using argument "{TestSubnetId}"2s
And I refer to "{result.ResourceId}" as "TestResourceId"36µs
And I call "{vpcService}" with "GetResourceExternalIpAssignment" using argument "{TestResourceId}"175ms
And I refer to "{result.HasExternalIp}" as "HasExternalIp"41µs
Then "{HasExternalIp}" is false22µs
When I call "{vpcService}" with "DeleteTestResource" using argument "{TestResourceId}"445ms
Then "{result.Deleted}" is true60µs
Feature: CCC.VPC.CN03.AR01 - Restrict VPC peering requests from non-allowlisted requesters
Scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC @vpc @tlp-amber @tlp-red @CCC.VPC.CN03 @CCC.VPC.CN03.AR01 @Destructive @MAIN @DEFAULT @CCC.VPC
Given a cloud api for "{Instance}" in "api"31µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"125µs
And I refer to "{result}" as "vpcService"23µs
And I refer to "{UID}" as "ReceiverVpcId"14µs
And I refer to "{Cn03NonAllowlistedRequesterVpcId}" as "NonAllowlistedRequesterVpcId"13µs
And I load environment variable "CN03_PEER_TRIAL_MATRIX_FILE" as "PeerTrialMatrixFile"16µs
And "{ReceiverVpcId}" is not nil15µs
When I call "{vpcService}" with "ValidateDisallowListEnforcement" using argument "{ReceiverVpcId}"215ms
And I attach "{result.Summary}" to the test output as "Disallow-list Enforcement Summary"60µs
And I attach "{result.Results}" to the test output as "Disallow-list Enforcement"119µs
Then "{result.ListDefined}" is true53µs
And "{result.TestedCount}" should be greater than "0"83µs
And "{result.AllCorrect}" is true55µs
And "{result.ViolationCount}" is "0"99µs
📎 Attachments:
Disallow-list Enforcement Summary
View Content (56 bytes)
all 2 disallow-list VPC(s) correctly denied by guardrail
Disallow-list Enforcement
View JSON (6465 bytes)
[{"AllowListDefined":true,"ConflictMessage":"","ConflictType":"","DryRunAllowed":false,"ErrorCode":"UnauthorizedOperation","ExitCode":1,"GuardrailExpectation":"deny","GuardrailMismatch":false,"Origin":"terraform-fixture","PeerOwnerId":"","PeerVpcId":"vpc-0d5625cb163976d86","Reason":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: e1a8574d-684d-4219-a815-8a15c6160510, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: -_o5HnjcNcPb7tDjFhi4SbqK2GDe-SPmTczFkyXu4fZQGg9swB2VblhSHurmeC0emEiF2TVCTeJwyNjbhveqx7wlkmYfC7rPO-uVrzLDoYyqkud9ki0S0yn6IQqIMgmR26wd0yUICRdMZ36gQoUpUxUbTLg1pRHMdQtjciZMe-bjCOLyZ03oG_ZB76DDW3xOcTVLlayTNoC0ynXqPoeX-36ALVHAvTECIy70IMsc-6Ka6gYwWwTzRlKcHR7uLAPKMKE8w_mlEDryxaGH6JQZIsk15nQX25hVVtIbYHWsTcFhDMxBee09wf_UpAzc_k6cqAgr8_S9pBLcKprgEXoW_PTkAUbuXdRXr8GYq2wAMI8Aq97FzYAzpnEFVsLJSN0BPqjXQcB_HHoK2sovWAt_ijZ3SHJy3tNXnm3P-Kk4EYIK_tTKpbPJhw7G98PWTnB094iPTxul5bPkzanl3TxD4v1sDzbbvKv6B88jWCFJhES38dmTU81LMWySWRnHvZ7ijbPE3zve2624lLXzNieS1oPJ2oG1O_UdAkNWWi-jNBgA_ORqGFIEXZhtZPl-1A05oxUmAMatUzXOs-yu2I7UWSZLyPZrbJZH_SxROpPoZoeLVtMi9oAHp_LVfb3sWDyvoVm2Wg8pHWtPCY-IowfGyFcNLpFL_SyDyIdUsg8zAGYTaCrQf_r-CP-iGEE_JmgJm2h5EihDyn2phne7wo4mEPMWUZrLARRr-qy_cv0UZ4LonhsrRd3ievMKuYtOMEO2IhgvFq4U1yY-T_19vqMu4kkazM4ZcQ; CN03 guardrail aligned: allow-list expects deny for requester vpc-0a7d07499ce3992e8","ReceiverVpcId":"vpc-0d5625cb163976d86","RequesterInAllowList":false,"RequesterVpcId":"vpc-0a7d07499ce3992e8","Stderr":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: e1a8574d-684d-4219-a815-8a15c6160510, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: -_o5HnjcNcPb7tDjFhi4SbqK2GDe-SPmTczFkyXu4fZQGg9swB2VblhSHurmeC0emEiF2TVCTeJwyNjbhveqx7wlkmYfC7rPO-uVrzLDoYyqkud9ki0S0yn6IQqIMgmR26wd0yUICRdMZ36gQoUpUxUbTLg1pRHMdQtjciZMe-bjCOLyZ03oG_ZB76DDW3xOcTVLlayTNoC0ynXqPoeX-36ALVHAvTECIy70IMsc-6Ka6gYwWwTzRlKcHR7uLAPKMKE8w_mlEDryxaGH6JQZIsk15nQX25hVVtIbYHWsTcFhDMxBee09wf_UpAzc_k6cqAgr8_S9pBLcKprgEXoW_PTkAUbuXdRXr8GYq2wAMI8Aq97FzYAzpnEFVsLJSN0BPqjXQcB_HHoK2sovWAt_ijZ3SHJy3tNXnm3P-Kk4EYIK_tTKpbPJhw7G98PWTnB094iPTxul5bPkzanl3TxD4v1sDzbbvKv6B88jWCFJhES38dmTU81LMWySWRnHvZ7ijbPE3zve2624lLXzNieS1oPJ2oG1O_UdAkNWWi-jNBgA_ORqGFIEXZhtZPl-1A05oxUmAMatUzXOs-yu2I7UWSZLyPZrbJZH_SxROpPoZoeLVtMi9oAHp_LVfb3sWDyvoVm2Wg8pHWtPCY-IowfGyFcNLpFL_SyDyIdUsg8zAGYTaCrQf_r-CP-iGEE_JmgJm2h5EihDyn2phne7wo4mEPMWUZrLARRr-qy_cv0UZ4LonhsrRd3ievMKuYtOMEO2IhgvFq4U1yY-T_19vqMu4kkazM4ZcQ"},{"AllowListDefined":true,"ConflictMessage":"","ConflictType":"","DryRunAllowed":false,"ErrorCode":"UnauthorizedOperation","ExitCode":1,"GuardrailExpectation":"deny","GuardrailMismatch":false,"Origin":"terraform-fixture","PeerOwnerId":"","PeerVpcId":"vpc-0d5625cb163976d86","Reason":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 83079c10-015b-476b-a9e9-3a88dfb33fd9, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: a7kvaenoJbqrbOowgHtgegUd-85-wxm4fCD_gAFGNXDwrgogyV4ikDKy1J933NEU8Tpiq4onyX672QSDaKrErtNbW6mXeElF9GemEk9gTSzaEuSGUSX9RUEjGVfwqM-EpPmTaTCS91tRF3yxX9ZG7AQ_tocpgmTjX2FqSnuVty65J9JW3csCaozf4lp2XOhXD1TlOexrBJwx-Ismn_dVmPlvshBg6Nm0_uzg1AxJc07LIOZO4yFFifsPVje-3B1KAnKh_s88GjbEWC4xfoqM0JSwUrtoArB_aClqHvlNMPcRBWm_GifoWOoKUaamTYdFwWQRcEfGVpTpNreClL99Ndz_sU1-xYJ52nSMQUchvyXSGsNmAwSfjGThuJbSmfkb93GkLoXhQ8MxxbBOZ-ccejd0wl37BgwIK5y8GvB7c0fGWv9U3LwJa4wZUqrLtjf5R2tPuW07NvBD8d9BcE2Yo7rYmGndXId8mgOAmmJALbphfEiblTm-Aq4T5xChvKlruZgodvfES3HXgRdpHh0l0q6CYliKI9oAweO74jZol39eAhePmV_IBxsXR-mmBpC__DnjflNtr9uUk5qaHgs4mDjs3J1wvSt_9miYzhay255w6XsDS5hNw6zqUrE8y1k0ENs4Jm9NoRls6soYmDWV3BboUI1uzHbBaPar9zaXo9Xfl7z11EmDDmnf-jrNN62WgDAutFiaCfejoZ96A8l7hCaLGD2dkciPrHQnH9mnx_KQPvPkA8jiu6Xy0jZYRxB4oszZ4m7FMRuA329zQFNDktPO49WFuUU; CN03 guardrail aligned: allow-list expects deny for requester vpc-0eadc3a916f373b88","ReceiverVpcId":"vpc-0d5625cb163976d86","RequesterInAllowList":false,"RequesterVpcId":"vpc-0eadc3a916f373b88","Stderr":"operation error EC2: CreateVpcPeeringConnection, https response error StatusCode: 403, RequestID: 83079c10-015b-476b-a9e9-3a88dfb33fd9, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::211203495394:assumed-role/TerraformRole/GitHubActions is not authorized to perform: ec2:CreateVpcPeeringConnection on resource: arn:aws:ec2:us-east-1:211203495394:vpc-peering-connection/* with an explicit deny in an identity-based policy: arn:aws:iam::211203495394:policy/CN03PeeringGuardrail. Encoded authorization failure message: a7kvaenoJbqrbOowgHtgegUd-85-wxm4fCD_gAFGNXDwrgogyV4ikDKy1J933NEU8Tpiq4onyX672QSDaKrErtNbW6mXeElF9GemEk9gTSzaEuSGUSX9RUEjGVfwqM-EpPmTaTCS91tRF3yxX9ZG7AQ_tocpgmTjX2FqSnuVty65J9JW3csCaozf4lp2XOhXD1TlOexrBJwx-Ismn_dVmPlvshBg6Nm0_uzg1AxJc07LIOZO4yFFifsPVje-3B1KAnKh_s88GjbEWC4xfoqM0JSwUrtoArB_aClqHvlNMPcRBWm_GifoWOoKUaamTYdFwWQRcEfGVpTpNreClL99Ndz_sU1-xYJ52nSMQUchvyXSGsNmAwSfjGThuJbSmfkb93GkLoXhQ8MxxbBOZ-ccejd0wl37BgwIK5y8GvB7c0fGWv9U3LwJa4wZUqrLtjf5R2tPuW07NvBD8d9BcE2Yo7rYmGndXId8mgOAmmJALbphfEiblTm-Aq4T5xChvKlruZgodvfES3HXgRdpHh0l0q6CYliKI9oAweO74jZol39eAhePmV_IBxsXR-mmBpC__DnjflNtr9uUk5qaHgs4mDjs3J1wvSt_9miYzhay255w6XsDS5hNw6zqUrE8y1k0ENs4Jm9NoRls6soYmDWV3BboUI1uzHbBaPar9zaXo9Xfl7z11EmDDmnf-jrNN62WgDAutFiaCfejoZ96A8l7hCaLGD2dkciPrHQnH9mnx_KQPvPkA8jiu6Xy0jZYRxB4oszZ4m7FMRuA329zQFNDktPO49WFuUU"}]
Scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed @vpc @tlp-amber @tlp-red @CCC.VPC.CN03 @CCC.VPC.CN03.AR01 @Destructive @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"82µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"173µs
And I refer to "{result}" as "vpcService"47µs
And I refer to "{UID}" as "ReceiverVpcId"52µs
And I refer to "{Cn03NonAllowlistedRequesterVpcId}" as "NonAllowlistedRequesterVpcId"88µs
And I load environment variable "CN03_PEER_TRIAL_MATRIX_FILE" as "PeerTrialMatrixFile"80µs
And "{ReceiverVpcId}" is not nil52µs
Given "{NonAllowlistedRequesterVpcId}" is not nil44µs
When I call "{vpcService}" with "EvaluatePeerAgainstAllowList" using argument "{NonAllowlistedRequesterVpcId}"278µs
Then "{result.AllowedListDefined}" is true42µs
And "{result.Allowed}" is false25µs
When I call "{vpcService}" with "AttemptVpcPeeringDryRun" using arguments "{NonAllowlistedRequesterVpcId}" and "{ReceiverVpcId}"118ms
Then "{result.DryRunAllowed}" is false30µs
And "{result.AllowListDefined}" is true23µs
And "{result.RequesterInAllowList}" is false24µs
And "{result.GuardrailExpectation}" is "deny"27µs
And "{result.GuardrailMismatch}" is false57µs
And "{result.ExitCode}" should be greater than "0"27µs
And "{result.Reason}" contains "guardrail aligned"27µs
And "{result.ConflictType}" is ""23µs
Feature: CCC.VPC.CN04.AR01 - Flow logs must capture all VPC traffic
Scenario: Main check (config): flow logs are active and capture all traffic @vpc @tlp-amber @tlp-red @CCC.VPC.CN04 @CCC.VPC.CN04.AR01 @Policy @MAIN @DEFAULT @CCC.VPC
Given a cloud api for "{Instance}" in "api"27µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"105µs
And I refer to "{result}" as "vpcService"23µs
Given I refer to "{UID}" as "TargetVpcId"16µs
When I call "{vpcService}" with "EvaluateVpcFlowLogsControl" using argument "{TargetVpcId}"147ms
Then "{result.FlowLogCount}" should be greater than "0"51µs
And "{result.NonCompliantCount}" is "0"36µs
Scenario: Behavioral check (active): traffic produces flow log records @vpc @tlp-amber @tlp-red @CCC.VPC.CN04 @CCC.VPC.CN04.AR01 @Behavioural @MAIN @CCC.VPC
Given a cloud api for "{Instance}" in "api"43µs
And I call "{api}" with "GetServiceAPI" using argument "vpc"125µs
And I refer to "{result}" as "vpcService"16µs
Given I refer to "{UID}" as "TargetVpcId"54µs
When I call "{vpcService}" with "PrepareFlowLogDeliveryObservation" using argument "{TargetVpcId}"76ms
And I call "{vpcService}" with "GenerateTestTraffic" using argument "{TargetVpcId}"13s
And I refer to "{result.ResourceId}" as "TestResourceId"48µs
And I refer to "{result.CleanupDeleted}" as "TrafficCleanupDeleted"43µs
And I call "{vpcService}" with "ObserveRecentFlowLogDelivery" using argument "{TargetVpcId}"48ms
And I refer to "{result.RecordsObserved}" as "RecordsObserved"37µs
And I call "{vpcService}" with "DeleteTestResource" using argument "{TestResourceId}"398ms
Then "{result.Deleted}" is true47µs
And "{TrafficCleanupDeleted}" is true24µs
And "{RecordsObserved}" is true22µs