/**
* Feature: agentcore-mcp-migration, Property 1: VPC Endpoint Security Group Restricts Ingress to Allowed CIDRs
*
* Validates: Requirements 5.3
*
* For any ingress rule in the AgentCore VPC endpoint security group, the rule
* SHALL only allow TCP port 443 from the VPN client CIDR or VPC CIDR — no other
* ports, protocols, or source CIDRs shall be present.
*/
import { describe, it, expect } from 'vitest';
import fc from 'fast-check';
import { readFileSync } from 'fs';
import { resolve } from 'path';
const VPCE_TF_PATH = resolve(import.meta.dirname, '..', 'terraform', 'vpc-endpoint.tf');
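/**
 * Parse the inline `ingress { ... }` blocks of an `aws_security_group`
 * resource out of raw HCL text.
 *
 * The parser is regex-based and assumes `terraform fmt` layout: the
 * resource's closing brace sits at column 0 and no ingress attribute value
 * contains a literal `}`. Anything it cannot interpret is reported as
 * `null` (ports, protocol) or dropped (list entries) so that the checks
 * built on top of it fail closed instead of passing on unparsed input.
 * `dynamic "ingress"` blocks and standalone rule resources are NOT seen
 * by this function; callers must guard against those separately.
 *
 * @param {string} hclContent - Raw contents of the .tf file.
 * @param {string} [resourceName='vpce'] - Local name of the security group resource.
 * @returns {Array<{
 *   from_port: number|null, to_port: number|null, protocol: string|null,
 *   cidr_blocks: string[], ipv6_cidr_blocks: string[], security_groups: string[],
 *   prefix_list_ids: string[], self: boolean
 * }>} One entry per ingress block, in file order; empty when the resource is absent.
 * @throws {TypeError} when resourceName is not a plain HCL identifier
 *   (it is interpolated into a RegExp, so it is validated first).
 */
function extractIngressRules(hclContent, resourceName = 'vpce') {
  if (!/^[A-Za-z0-9_-]+$/.test(resourceName)) {
    throw new TypeError(`invalid security group resource name: ${resourceName}`);
  }
  // Lazy match up to the first `}` at column 0, i.e. the resource's own closing brace.
  const resourceRegex = new RegExp(
    `resource\\s+"aws_security_group"\\s+"${resourceName}"\\s+\\{([\\s\\S]*?)^\\}`,
    'm',
  );
  const sgMatch = hclContent.match(resourceRegex);
  if (!sgMatch) return [];
  const sgBody = sgMatch[1];

  const rules = [];
  // Each inline ingress block; `[^}]+` stops at the block's own closing brace.
  for (const match of sgBody.matchAll(/ingress\s*\{([^}]+)\}/g)) {
    const block = match[1];
    rules.push({
      from_port: parseIntAttr(block, 'from_port'),
      to_port: parseIntAttr(block, 'to_port'),
      protocol: block.match(/protocol\s*=\s*"([^"]+)"/)?.[1] ?? null,
      cidr_blocks: parseListAttr(block, 'cidr_blocks'),
      // The remaining attributes are the other ways an AWS ingress block can
      // name a source; they are surfaced so callers can assert they are unused.
      ipv6_cidr_blocks: parseListAttr(block, 'ipv6_cidr_blocks'),
      security_groups: parseListAttr(block, 'security_groups'),
      prefix_list_ids: parseListAttr(block, 'prefix_list_ids'),
      self: /\bself\s*=\s*true\b/.test(block),
    });
  }
  return rules;
}

/**
 * Integer literal of `key = <digits>` inside one ingress block.
 * A non-literal value (e.g. a variable reference) yields null.
 * @param {string} block
 * @param {string} key - attribute name; `\b` keeps `cidr_blocks` from matching inside `ipv6_cidr_blocks`, etc.
 * @returns {number|null}
 */
function parseIntAttr(block, key) {
  const found = block.match(new RegExp(`\\b${key}\\s*=\\s*(\\d+)`));
  return found ? Number.parseInt(found[1], 10) : null;
}

/**
 * Entries of `key = [ ... ]` inside one ingress block, trimmed and with
 * surrounding quotes removed; `[]` when the attribute is absent or empty.
 * Trailing `#`/`//` comments inside the list are ignored.
 * @param {string} block
 * @param {string} key
 * @returns {string[]}
 */
function parseListAttr(block, key) {
  const found = block.match(new RegExp(`\\b${key}\\s*=\\s*\\[([^\\]]*)\\]`));
  if (!found) return [];
  return found[1]
    .replace(/(?:#|\/\/)[^\n]*/g, '')
    .split(',')
    .map((entry) => entry.trim().replace(/^"|"$/g, ''))
    .filter((entry) => entry !== '');
}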
// The only Terraform variable references permitted as ingress sources.
const ALLOWED_CIDR_REFS = new Set([
  'var.vpn_client_cidr',
  'var.vpc_cidr',
]);
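describe('Feature: agentcore-mcp-migration, Property 1: VPC Endpoint Security Group Restricts Ingress to Allowed CIDRs', () => {
  // Read once at collection time; every case below inspects the same parsed rules.
  const hclContent = readFileSync(VPCE_TF_PATH, 'utf-8');
  const ingressRules = extractIngressRules(hclContent);

  it('should have at least one ingress rule defined', () => {
    expect(ingressRules.length).toBeGreaterThan(0);
  });

  it('should not declare ingress anywhere the inline-block parser cannot see', () => {
    // A `dynamic "ingress"` block or a standalone rule resource attached to the
    // same group would add ingress that extractIngressRules() never parses, so
    // the checks below would pass vacuously. Fail on their presence instead.
    // Only this file is scanned; rules declared in other .tf files are out of scope.
    expect(hclContent).not.toMatch(/dynamic\s+"ingress"/);
    expect(hclContent).not.toMatch(/resource\s+"aws_vpc_security_group_ingress_rule"/);
    // aws_security_group_rule with type = "ingress" (inline blocks never use `type =`).
    expect(hclContent).not.toMatch(/type\s*=\s*"ingress"/);
  });

  it('all ingress rules should allow only TCP port 443', () => {
    for (const rule of ingressRules) {
      // null ports/protocol (non-literal values) fail here too, which is intended.
      expect(rule.from_port).toBe(443);
      expect(rule.to_port).toBe(443);
      expect(rule.protocol).toBe('tcp');
    }
  });

  it('all ingress CIDR sources should reference only VPN or VPC CIDR variables', () => {
    for (const rule of ingressRules) {
      expect(rule.cidr_blocks.length).toBeGreaterThan(0);
      for (const cidr of rule.cidr_blocks) {
        expect(ALLOWED_CIDR_REFS.has(cidr)).toBe(true);
      }
    }
  });

  it('no ingress rule should admit traffic through a non-CIDR source', () => {
    // ipv6_cidr_blocks, security_groups, prefix_list_ids and self are the other
    // ways an AWS ingress block can name a source; a rule carrying one of them
    // next to an allowed IPv4 CIDR would otherwise pass the check above.
    // Keys the extractor does not report count as empty/false.
    for (const rule of ingressRules) {
      expect(rule.ipv6_cidr_blocks ?? []).toEqual([]);
      expect(rule.security_groups ?? []).toEqual([]);
      expect(rule.prefix_list_ids ?? []).toEqual([]);
      expect(rule.self ?? false).toBe(false);
    }
  });

  it('property: no disallowed CIDR should appear in any ingress rule', () => {
    /**
     * **Validates: Requirements 5.3**
     *
     * Generate random CIDR blocks and verify none of them appear as allowed
     * sources in the VPC endpoint security group ingress rules — only
     * var.vpn_client_cidr and var.vpc_cidr are permitted.
     */
    const octet = fc.integer({ min: 0, max: 255 });
    const randomCidr = fc
      .tuple(octet, octet, octet, octet, fc.integer({ min: 0, max: 32 }))
      .map(([a, b, c, d, mask]) => `${a}.${b}.${c}.${d}/${mask}`);

    fc.assert(
      fc.property(randomCidr, (cidr) =>
        // No hardcoded CIDR literal should appear in the ingress rules.
        ingressRules.every((rule) => !rule.cidr_blocks.includes(cidr)),
      ),
      { numRuns: 100 },
    );
  });

  it('property: no disallowed port should be open in ingress rules', () => {
    /**
     * **Validates: Requirements 5.3**
     *
     * Generate random port numbers (excluding 443) and verify none of them
     * appear as allowed ports in the security group ingress rules.
     */
    const nonHttpsPort = fc.integer({ min: 1, max: 65535 }).filter((p) => p !== 443);

    fc.assert(
      fc.property(nonHttpsPort, (port) =>
        ingressRules.every((rule) => rule.from_port !== port && rule.to_port !== port),
      ),
      { numRuns: 100 },
    );
  });
});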