DynamoDB Table Resource Based Policy Support #1307

Open
ShayYannay opened this issue May 10, 2024 · 5 comments
Labels
info:new-resource is:triaged Indicates that an issue has been reviewed.

Comments

@ShayYannay

DynamoDB recently (20th March 2024) started to support Resource Based Policy per table (see the blog post at https://aws.amazon.com/about-aws/whats-new/2024/03/amazon-dynamodb-resource-based-policies/).

Terraform AWS provider also started supporting this feature starting from version 5.43.0 (see in here https://registry.terraform.io/providers/hashicorp/aws/5.43.0/docs/resources/dynamodb_resource_policy)

From what I saw DynamoDB Crossplane provider uses version 5.31.0 on the current official version of 1.14.0, unfortunately still without the Resource Based Policy feature (https://marketplace.upbound.io/providers/upbound/provider-aws-dynamodb/v1.4.0/resources/dynamodb.aws.upbound.io/Table/v1beta1).

Saw there is an active PR to upgrade to terraform version 5.46.0 (see in here - #1271)

I would appreciate it if you could share a time estimate for when the Resource Based Policy will be exposed. Please comment if any of the assumptions I made above are not correct.

Thanks!!

@ShayYannay ShayYannay added enhancement New feature or request needs:triage labels May 10, 2024
@turkenf turkenf added is:triaged Indicates that an issue has been reviewed. and removed needs:triage labels May 11, 2024
@ShayYannay
Author

Hi all,
Do you know if there is a time estimate for exposing Resource Based Policy in DynamoDB?
From what I saw, the provider-aws-dynamodb version 1.5 was upgraded to use terraform 5.50.0, which exposes this feature; however, it still needs to be ported in the Crossplane provider.
Please advise, thanks!

@turkenf turkenf added info:new-resource and removed enhancement New feature or request labels May 27, 2024
@turkenf
Collaborator

turkenf commented May 27, 2024

Hi @ShayYannay,

Thank you for being so interested. Unfortunately, I cannot give a date for the support of this resource, it will be worked on according to the prioritization policy.

We would appreciate it if you would like to contribute. We are preparing a guide on adding new resources. You can try to add the resource yourself by trying the steps here. The guide is currently under review and if you have any questions, feel free to ask.

@ShayYannay
Author

@turkenf I will check the guide. If you have any more guides on how to contribute, please let me know.
Thanks for responding!

@ShayYannay
Author

@turkenf I forked the provider-upjet-aws project and created changes according to the guide you sent above.
I was able to generate the example manifest for ResourcePolicy under the dynamodb.aws.upbound.io/v1beta1 API version and also the relevant CRD for that.

However, trying to test it against my own K8s cluster did not work.
Here is the output I got after running kubectl get managed:

NAME                                                            SYNCED   READY   EXTERNAL-NAME   AGE
resourcepolicy.dynamodb.aws.upbound.io/example-resourcepolicy                                    30m

The SYNCED, READY and EXTERNAL-NAME columns are empty, and there are no events on this managed resource.
It could be that the Crossplane controller did not handle this managed resource.

Some background on my Crossplane AWS environment: I'm running with xpkg.upbound.io/upbound/provider-aws-dynamodb:v1.5.0 and just added the new CRD and applied the manifest for the ResourcePolicy I created.

Please advise, thanks!

@ShayYannay
Author

Here's my Draft PR in the meantime - #1339


2 participants