'AWS CDK - How to test a resource has one value within an array of values

I have a test suite for an EC2 Redis construct that tests if the resource has particular IAM policies attached. I can test if it has all of the values within one test successfully, but when testing if it has each policy individually, only the first test passes. It seems like the order of values in the array of policies can make the test fail, which is not ideal.

I'd like to be able to provide more granular unit tests where a specific test will fail with a description of the policy the test expects, but I'm not able to find anything that might enable this behavior in the AWS CDK assert library. Is there a way to test if an array of properties of a CDK construct includes just one value?

Passes:

test('Redis Instance - should attach all IAM policies in order', () => {
  const name = 'test-redis'
  const { stack } = createRedisInstance(name)
  expect(stack).to(haveResourceLike('AWS::IAM::Role', {
    ManagedPolicyArns: [{
      'Fn::Join': ['', [
        'arn:', { Ref: 'AWS::Partition' }, ':iam::aws:policy/AmazonSSMManagedInstanceCore'
      ]]
    }, {
      'Fn::Join': ['', [
        'arn:', { Ref: 'AWS::Partition' }, ':iam::aws:policy/AmazonS3ReadOnlyAccess'
      ]]
    }, {
      'Fn::Join': ['', [
        'arn:', { Ref: 'AWS::Partition' }, ':iam::aws:policy/CloudWatchAgentServerPolicy'
      ]]
    }]
  }))
})

Fails:

test('Redis Instance - should attach AmazonSSMManagedInstanceCore IAM policy', () => {
  const name = 'test-redis'
  const { stack } = createRedisInstance(name)
  expect(stack).to(haveResourceLike('AWS::IAM::Role', {
    ManagedPolicyArns: [{
      'Fn::Join': ['', [
        'arn:', { Ref: 'AWS::Partition' }, ':iam::aws:policy/AmazonSSMManagedInstanceCore'
      ]]
    }]
  }))
})

test('Redis Instance - should attach AmazonS3ReadOnlyAccess IAM policy', () => {
  const name = 'test-redis'
  const { stack } = createRedisInstance(name)
  expect(stack).to(haveResourceLike('AWS::IAM::Role', {
    ManagedPolicyArns: [{
      'Fn::Join': ['', [
        'arn:', { Ref: 'AWS::Partition' }, ':iam::aws:policy/AmazonS3ReadOnlyAccess'
      ]]
    }]
  }))
})

test('Redis Instance - should attach CloudWatchAgentServerPolicy IAM policy', () => {
  const name = 'test-redis'
  const { stack } = createRedisInstance(name)
  expect(stack).to(haveResourceLike('AWS::IAM::Role', {
    ManagedPolicyArns: [{
      'Fn::Join': ['', [
        'arn:', { Ref: 'AWS::Partition' }, ':iam::aws:policy/CloudWatchAgentServerPolicy'
      ]]
    }]
  }))
})


Solution 1:[1]

Use arrayWith(objectLike({...})) to test objects in any position in arrays.

Example


import { 
   expect as expectCDK,
   haveResourceLike, 
   arrayWith, 
   objectLike, 
   // deepObjectLike // sometimes better than objectLike
} from '@aws-cdk/assert';

...
...

test('Redis Instance - should attach CloudWatchAgentServerPolicy IAM policy', () => {
  const name = 'test-redis'
  const { stack } = createRedisInstance(name)
  expect(stack).to(haveResourceLike('AWS::IAM::Role', {
    ManagedPolicyArns: arrayWith(
      objectLike({ ... }),
    )
  }))
})


https://www.npmjs.com/package/@aws-cdk/assert

Solution 2:[2]

For those using the CDK v2 you can achieve the same with Match.arrayWith and Match.objectLike

template.hasResourceProperties('AWS::IAM::Policy', Match.objectLike({
  PolicyDocument: {
    Statement: Match.arrayWith([Match.objectLike({
      Action: 'secretsmanager:GetSecretValue',
      Effect: 'Allow',
      Resource: 'arn:aws:secretsmanager:TEST_REGION:TEST_ACCOUNT:secret:YourSecret-??????'
    })])
  }
}));

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.assertions-readme.html

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Emmanuel N K
Solution 2 Javier Mendoza Gomez