From 356d9a0c5a2a082073b7f19f3cf99e242ab0cd2a Mon Sep 17 00:00:00 2001
From: Samson Keung
Date: Mon, 13 Jan 2025 15:11:04 -0800
Subject: [PATCH] Add to unit tests to check IAM policies have permissions
---
 .../test/provider-framework/provider.test.ts | 92 ++++++++++++++++++-
 1 file changed, 90 insertions(+), 2 deletions(-)
diff --git a/packages/aws-cdk-lib/custom-resources/test/provider-framework/provider.test.ts b/packages/aws-cdk-lib/custom-resources/test/provider-framework/provider.test.ts
index 916c5f9630465..57b429937b3c8 100644
--- a/packages/aws-cdk-lib/custom-resources/test/provider-framework/provider.test.ts
+++ b/packages/aws-cdk-lib/custom-resources/test/provider-framework/provider.test.ts
@@ -478,7 +478,8 @@ describe('role', () => {
 });
 // THEN
- Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Function', {
+ const template = Template.fromStack(stack);
+ template.hasResourceProperties('AWS::Lambda::Function', {
 Role: {
 'Fn::GetAtt': [
 'MyRoleF48FFE04',
@@ -486,6 +487,49 @@ describe('role', () => {
 ],
 },
 });
+ template.hasResourceProperties('AWS::IAM::Policy', {
+ PolicyDocument: {
+ Statement: [
+ {
+ Action: 'lambda:InvokeFunction',
+ Effect: 'Allow',
+ Resource: [
+ {
+ 'Fn::GetAtt': [
+ 'MyHandler6B74D312',
+ 'Arn',
+ ],
+ },
+ {
+ 'Fn::Join': [
+ '',
+ [
+ {
+ 'Fn::GetAtt': [
+ 'MyHandler6B74D312',
+ 'Arn',
+ ],
+ },
+ ':*',
+ ],
+ ],
+ },
+ ],
+ },
+ {
+ Action: 'lambda:GetFunction',
+ Effect: 'Allow',
+ Resource: {
+ 'Fn::GetAtt': [
+ 'MyHandler6B74D312',
+ 'Arn',
+ ],
+ },
+ },
+ ],
+ Version: '2012-10-17',
+ },
+ });
 });
 it('uses default role otherwise', () => {
@@ -502,7 +546,8 @@ describe('role', () => {
 });
 // THEN
- Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Function', {
+ const template = Template.fromStack(stack);
+ template.hasResourceProperties('AWS::Lambda::Function', {
 Role: {
 'Fn::GetAtt': [
 'MyProviderframeworkonEventServiceRole8761E48D',
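Review bot: The new `AWS::IAM::Policy` assertion in the "uses the provided role" test never checks which role the policy is attached to, so it does not actually prove the invoke/get grants landed on the user-supplied role — `hasResourceProperties` passes as long as any policy in the stack carries this document. Add `Roles: [{ Ref: 'MyRoleF48FFE04' }],` alongside `PolicyDocument`, assuming `MyRole` is an `iam.Role` constructed in this stack (its setup sits above the hunk; the `Fn::GetAtt` on `MyRoleF48FFE04` in the function assertion suggests it is). Matching `Statement` as a full array is a good least-privilege check, since it fails if the provider ever starts granting more than `InvokeFunction` and `GetFunction` on the handler. The enclosing `it` begins outside the hunk.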
@@ -510,6 +555,49 @@ describe('role', () => {
 ],
 },
 });
+ template.hasResourceProperties('AWS::IAM::Policy', {
+ PolicyDocument: {
+ Statement: [
+ {
+ Action: 'lambda:InvokeFunction',
+ Effect: 'Allow',
+ Resource: [
+ {
+ 'Fn::GetAtt': [
+ 'MyHandler6B74D312',
+ 'Arn',
+ ],
+ },
+ {
+ 'Fn::Join': [
+ '',
+ [
+ {
+ 'Fn::GetAtt': [
+ 'MyHandler6B74D312',
+ 'Arn',
+ ],
+ },
+ ':*',
+ ],
+ ],
+ },
+ ],
+ },
+ {
+ Action: 'lambda:GetFunction',
+ Effect: 'Allow',
+ Resource: {
+ 'Fn::GetAtt': [
+ 'MyHandler6B74D312',
+ 'Arn',
+ ],
+ },
+ },
+ ],
+ Version: '2012-10-17',
+ },
+ });
 });
 });
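Review bot: The expected `PolicyDocument` in this hunk is a verbatim copy of the one asserted in the preceding "uses the provided role" test, so the two will silently drift the next time the provider's grants change; hoist it into a shared constant in the `describe` block (e.g. `const handlerInvokePolicy = { Statement: [/* … */], Version: '2012-10-17' };`) and assert `PolicyDocument: handlerInvokePolicy` in both tests. This assertion also does not tie the policy to the default role, so consider adding `Roles: [{ Ref: 'MyProviderframeworkonEventServiceRole8761E48D' }],` to confirm the grant lands on the same role the function assertion above names, assuming that role is created in this stack. The enclosing `it` and `describe` begin outside the hunk.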