feat(dynamodb): add resource polices for table

[LeeroyHannigan]

Issue # (if applicable)

Closes #29600.

#29600

Reason for this change

Adding a new feature

Description of changes

Add resourcePolicy for DynamoDB Table component in aws-dynamodb

Description of how you validated changes

integration test integ.dynamodb.policy.ts

Checklist

• [X ] My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

[msambol]

nit: Resource policy to assign to the table.

[msambol]

Can you run this with yarn integ-runner... ? It should produce a snapshot.

[LeeroyHannigan]

I can. I was just running cdk synth. So yarn integ-runner filename.js is the way to run it?

[msambol]

yeah, take a look here: https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md

[pahud]

yes when you update any integ.*.ts under framework-integ, you should run yarn integ to update the snapshots.
https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md#integration-tests

[msambol]

Title: feat(dynamodb): add resource policy for table

[toutou826]

Hi @LeeroyHannigan ,

I am interested to use this functionality, thank you taking on this feature!

It would be great to change the grant functions in Table construct:

https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2-base.ts#L442

from using Grant.addToPrincipal to Grant.addToPrincipalOrResource so people could use TableV2.grant and related functions for resource based permission as well

[comcalvi]

Don't expose the resourcePolicy like this, integrate it with the L2's grant methods (try using addToPrincipalOrResource). You'll need to put this under a feature flag, because otherwise this will be modifying people's IAM permissions on a version bump, which is a breaking change.

[comcalvi]

This is the same suggestion that @toutou826 made here: #29818 (comment).

[GavinZZ]

@comcalvi can you explain how it will work with the grant methods and why it would be backward incompatible?

My understanding of grant, specifically addToPrincipalOrResource will first add IAM policy to the principal of the grantee resource and fall back to adding resource-based policy addToResourcePolicy on fail. For all existing grant usage for dynamodb table, it calls addToPrincipal which tries to add IAM policy and throw an exception when fail.

Are you suggesting to make resourcePolicy field private and table construct will need to implement addToResourcePolicy function, then when failing to add IAM policy fall back to call addToResourcePolicy and update resourcePolicy field? I don't see why this would be backward incompatible though.

[LeeroyHannigan]

@comcalvi

Don't expose the resourcePolicy like this, integrate it with the L2's grant methods (try using addToPrincipalOrResource). You'll need to put this under a feature flag, because otherwise this will be modifying people's IAM permissions on a version bump, which is a breaking change.

According to the design guidelines we should expose this prop:

When a construct represents an AWS resource that supports a resource policy, it should expose an optional prop that will allow initializing resource with a specified policy [awslint:resource-policy-prop]:

resourcePolicy?: iam.PolicyStatement[]

Are you suggesting otherwise?

[comcalvi]

I didn't realize this was in our design guidelines. We should follow the design guidelines here. As we discussed offline, this grant needs to support using addToPrincpalOrResource. TableBase needs to implement IResourceWithPolicy.

[comcalvi]

We need unit test changes as well as integ test changes.

[aws-cdk-automation]

This PR has been in the BUILD FAILING state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

[comcalvi]

Please add some unit tests for this change.

[comcalvi]

Suggested change

	* @default - No resource policy statements are added to the created table.
	* @default - No resource policy.

[comcalvi]

Suggested change

	* @default - No resource policy statements are added to the created table.
	* @default - No resource policy.

[comcalvi]

can we use the package import iam object instead of these directly?

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

Pull request has been modified.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: dc14bba
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[aws-cdk-automation]

This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error.