Christian Bonzelet

Reputation: 84

Ensure tagging using AWS CDK

I am looking for a way to write a unit test using the AWS CDK to ensure that all my resources of a stack are tagged properly. Is there a way to write an assertion for all resources like for example:

expect(stack).toHaveAllResources({
  Tags: [
    {
      Key: "ou",
      Value: "ds",
    },
  ],
});

Upvotes: 2

Views: 1585

Answers (1)

LRutten

Reputation: 1902

This use-case is not really supported by the aws-cdk/assert package. I've had similar struggles on how to do this type of compliance testing on CDK. I had a quick discussion on the CDK Slack community and basically concluded that the best way for now is still to use tools like cfn-guard or checkov or similar for compliance testing of cfn stacks (I'm sure some support Tag checking).

If you really want to use jest (which I can totally understand), I think Aspects are your best bet. Write an Aspect (example and guide here) to 'visit' all nodes in your stack and do some testing on them. I don't have a fully worked out example for tags but I hope it pointed you in the right direction.

Also note that not all resources support tagging. So your test would fail most of the time if it checks all resources for tags the way you initially proposed. One way to do it would be to cherry-pick a few resource types that you definitely want tagged (roles, buckets, stack itself etc).

Edit: for those interested in compliance testing, I found this new GitHub solution which uses the same type of implementation as described above using Aspects: https://github.com/cdklabs/cdk-nag

Upvotes: 2
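
The cherry-picking approach from the answer above, as an added example that is not part of the original question or answer: it checks a synthesized CloudFormation template for a required tag on selected resource types only, instead of walking the construct tree with an Aspect. The function names and the list of resource types are assumptions made for this sketch; in a jest test the template object would come from `Template.fromStack(stack).toJSON()` in `aws-cdk-lib/assertions`.

```typescript
// Added example: tag compliance check over a synthesized CloudFormation template.
type Tag = { Key: string; Value: unknown };
type Resource = { Type: string; Properties?: { Tags?: unknown } };
type CfnTemplate = { Resources?: Record<string, Resource> };

// Assumption: resource types cherry-picked for this example; extend for your stack.
const MUST_BE_TAGGED = ["AWS::S3::Bucket", "AWS::IAM::Role"];

// CloudFormation tags are a list of {Key, Value} on most types and a plain map on a few.
function hasTag(tags: unknown, key: string, value: string): boolean {
  if (Array.isArray(tags)) {
    return (tags as Tag[]).some(
      (t) => t !== null && typeof t === "object" && t.Key === key && t.Value === value
    );
  }
  if (tags !== null && typeof tags === "object") {
    return (tags as Record<string, unknown>)[key] === value;
  }
  return false; // no Tags property at all
}

// Returns the sorted logical IDs of selected resources that lack the required tag.
// Resource types outside `types` are ignored, since not every type supports tagging.
function untaggedResources(
  template: CfnTemplate, key: string, value: string, types: string[] = MUST_BE_TAGGED
): string[] {
  return Object.entries(template.Resources ?? {})
    .filter(([, r]) => types.includes(r.Type))
    .filter(([, r]) => !hasTag(r.Properties?.Tags, key, value))
    .map(([id]) => id)
    .sort();
}

// Constructed sample template (not taken from the original post).
const sampleTemplate: CfnTemplate = {
  Resources: {
    DataBucket: { Type: "AWS::S3::Bucket", Properties: { Tags: [{ Key: "ou", Value: "ds" }] } },
    LogBucket: { Type: "AWS::S3::Bucket" }, // no tags
    AppRole: { Type: "AWS::IAM::Role", Properties: { Tags: [{ Key: "ou", Value: "hr" }] } }, // wrong value
    BucketPolicy: { Type: "AWS::S3::BucketPolicy", Properties: {} }, // not in the checked list
  },
};

console.log(untaggedResources(sampleTemplate, "ou", "ds"));
```

In jest the assertion would be `expect(untaggedResources(template, "ou", "ds")).toEqual([])`, so a failure lists the offending logical IDs. A tag value that synthesizes to an intrinsic function rather than a literal string is reported as missing.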
