feat(dynamodb): add resource polices for table

[LeeroyHannigan]

Issue # (if applicable)

Closes #29600.

#29600
Reason for this change

Adding a new feature
Description of changes

Add resourcePolicy for DynamoDB Table component in aws-dynamodb
Description of how you validated changes

integration test integ.dynamodb.policy.ts
Checklist

[X ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[scanlonp]

@Mergifyio update

[mergify]

update

✅ Branch has been successfully updated

[JavierLuna]

Really looking forward to this, resource based policies would simplify our architecture a lot

[scanlonp]

@LeeroyHannigan, this looks amazing! Just a bit of clean up and some implementation questions. I said in the comments, but I think we can take all of the doc strings and code style from table-v2.ts and copy it to the corresponding places in table.ts.

I see that we are slightly changing the grant implementation; I assume it should not affect its current behavior. I wish we had some grant coverage in our integ tests, but it looks like we do not currently test it beyond a couple grantReadData/grantWriteData calls. However, I see it is thoroughly unit tested, and none were effected, so I feel good.

Lastly, you call out that adding a replica and adding a resource-based policy to that replica in the same deployment (update) is not possible. Is this an error that is thrown on the CloudFormation side? Can you detail how this affects a user creating a TableV2? It sounds to me like a user needs to define all their replicas, deploy, then add all the resource policies, the deploy again. Is that correct?
I do not believe we can validate this at synth time since we are stateless. Calling it out may be the only option.

Again, thanks for submitting this PR and excited for customers being able to use this soon!

[scanlonp]

Let's clean this up.

[scanlonp]

Let's move this below encryptionKey.

[scanlonp]

Noting that this should not be readonly as we can add policies to it. Checkout s3/bucket.ts for a similar pattern.

[scanlonp]

Can cut down this doc string.

[scanlonp]

Appreciate these removal polices!

[scanlonp]

Suggested change

	new IntegTest(app, 'resource-policy-integ-test', {
	testCases: [stack],
	regions: ['us-east-1'],
	cdkCommandOptions: {
	deploy: {
	args: {
	rollback: true,
	},
	},
	},
	});
	new IntegTest(app, 'resource-policy-integ-test', {
	testCases: [stack],
	});

Let's simplify the integ test configuration. Unless there is a specific reason, this may be better for our automation.

[scanlonp]

Suggested change

	new IntegTest(app, 'table-v2-resource-policy-integ-test', {
	testCases: [stack],
	regions: ['us-east-1'],
	cdkCommandOptions: {
	deploy: {
	args: {
	rollback: true,
	},
	},
	},
	});
	new IntegTest(app, 'table-v2-resource-policy-integ-test', {
	testCases: [stack],
	});

Same thing here. Paring down the config.

[scanlonp]

This is an odd test. It is not actually testing what is says its testing. There is no error added related to policy statements, so we cannot throw in a unit test for that scenario.

This error is already covered by a test in this section, so I suggest we delete this test unless it is testing something related to policy documents.

[scanlonp]

@Mergifyio update

[mergify]

update

❌ Mergify doesn't have permission to update

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/github-merit-badger.yml without workflows permission

Pull request has been modified.

[LeeroyHannigan]

Lastly, you call out that adding a replica and adding a resource-based policy to that replica in the same deployment (update) is not possible. Is this an error that is thrown on the CloudFormation side? Can you detail how this affects a user creating a TableV2? It sounds to me like a user needs to define all their replicas, deploy, then add all the resource policies, the deploy again. Is that correct? I do not believe we can validate this at synth time since we are stateless. Calling it out may be the only option.

Yes, precisely. You first would need to create the replica and then update with the resource based policy. This limitation comes from the CFN implementation.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[scanlonp]

Looks good. Thanks for your hard work on this @LeeroyHannigan

[scanlonp]

@Mergifyio update

[mergify]

update

❌ Mergify doesn't have permission to update

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/github-merit-badger.yml without workflows permission

Pull request has been modified.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 5e3b3d1
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).