fix(dynamodb): addToResourcePolicy has no effect (#35554)

### Issue # (if applicable)

Closes #35062.

### Reason for this change

The `addToResourcePolicy()` method for DynamoDB tables had no effect - it was not adding resource policies to the synthesized CloudFormation template. Users calling `table.addToResourcePolicy()` found that their policies were ignored, forcing them to use insecure workarounds.

### Description of changes

Fixed the `addToResourcePolicy()` method to properly update the CloudFormation table's resource policy:

- **Fixed core bug**: Added missing `this.table.resourcePolicy = { policyDocument: this.resourcePolicy }` line in `addToResourcePolicy()` method
- **Restored intended functionality**: Resource policies now appear in synthesized CloudFormation templates
- **Applied to both Table V1 and V2**: Consistent behavior across all DynamoDB table constructs
- **Avoids circular dependencies**: Uses wildcard resources (`*`) pattern to prevent CloudFormation circular dependency issues with auto-generated table names
- **Added comprehensive tests**: 5 new tests covering both wildcard and scoped resource scenarios
- **Updated README.md**: Completely rewrote `addToResourcePolicy` documentation:
  - Removed problematic examples that would create circular dependencies
  - Added correct wildcard resource pattern following KMS approach
  - Documented the CloudFormation limitation and workarounds
  - Provided clear examples for both standard and scoped resource policies

**Before** (broken):
```typescript
// This had no effect - policy was ignored
table.addToResourcePolicy(new iam.PolicyStatement({
  actions: ['dynamodb:GetItem'],
  principals: [new iam.AccountRootPrincipal()],
  resources: [table.tableArn], // This would also create circular dependency
}));
// CloudFormation template: No ResourcePolicy property
```

**After** (fixed):
```typescript
// Now works correctly - policy appears in CloudFormation
table.addToResourcePolicy(new iam.PolicyStatement({
  actions: ['dynamodb:GetItem'],
  principals: [new iam.AccountRootPrincipal()],
  resources: ['*'], // Wildcard avoids circular dependency (KMS pattern)
}));
// CloudFormation template: ResourcePolicy.PolicyDocument properly set
```

**For scoped resources** (requires explicit table name):
```typescript
const table = new dynamodb.Table(this, 'MyTable', {
  tableName: 'my-explicit-table-name', // Explicit name enables scoped resources
  partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },
});

table.addToResourcePolicy(new iam.PolicyStatement({
  actions: ['dynamodb:GetItem'],
  principals: [new iam.AccountRootPrincipal()],
  resources: [
    Fn.sub('arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/my-explicit-table-name')
  ],
}));
```

**Architecture Note**: DynamoDB tables use inline `ResourcePolicy` properties (like KMS keys) rather than separate policy resources. Due to CloudFormation's circular dependency limitations, resource policies must use wildcard resources (`*`) when table names are auto-generated, or explicit table names must be specified for scoped resources.

### Describe any new or updated permissions being added

N/A - No new IAM permissions required. This change only affects how existing resource policies are structured.

### Description of how you validated changes

- **Unit tests**: Added new `addToResourcePolicy` tests:
  - Standard wildcard resource usage (`resources: ['*']`)
  - Explicit table name workaround for scoped resources
  - Comprehensive limitation documentation
- **Integration tests**: Added comprehensive integration test covering both wildcard and scoped resource patterns
- **Full test suite**: All DynamoDB unit tests pass, confirming no regressions
- **CloudFormation validation**: Verified synthesis works without circular dependency errors
- **Deployment testing**: Confirmed resource policies are properly applied at deployment time

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: pahud

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.add-to-resource-policy.js.snapshot/add-to-resource-policy-test-stack.assets.json

@@ -0,0 +1,154 @@
+{
+ "Resources": {
+  "WildcardTableE075CD4D": {
+   "Type": "AWS::DynamoDB::Table",
+   "Properties": {
+    "AttributeDefinitions": [
+     {
+      "AttributeName": "id",
+      "AttributeType": "S"
+     }
+    ],
+    "KeySchema": [
+     {
+      "AttributeName": "id",
+      "KeyType": "HASH"
+     }
+    ],
+    "ProvisionedThroughput": {
+     "ReadCapacityUnits": 5,
+     "WriteCapacityUnits": 5
+    },
+    "ResourcePolicy": {
+     "PolicyDocument": {
+      "Statement": [
+       {
+        "Action": [
+         "dynamodb:GetItem",
+         "dynamodb:PutItem",
+         "dynamodb:Query"
+        ],
+        "Effect": "Allow",
+        "Principal": {
+         "AWS": {
+          "Fn::Join": [
+           "",
+           [
+            "arn:",
+            {
+             "Ref": "AWS::Partition"
+            },
+            ":iam::",
+            {
+             "Ref": "AWS::AccountId"
+            },
+            ":root"
+           ]
+          ]
+         }
+        },
+        "Resource": "*"
+       }
+      ],
+      "Version": "2012-10-17"
+     }
+    }
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "ScopedTableC019D4A1": {
+   "Type": "AWS::DynamoDB::Table",
+   "Properties": {
+    "AttributeDefinitions": [
+     {
+      "AttributeName": "id",
+      "AttributeType": "S"
+     }
+    ],
+    "KeySchema": [
+     {
+      "AttributeName": "id",
+      "KeyType": "HASH"
+     }
+    ],
+    "ProvisionedThroughput": {
+     "ReadCapacityUnits": 5,
+     "WriteCapacityUnits": 5
+    },
+    "ResourcePolicy": {
+     "PolicyDocument": {
+      "Statement": [
+       {
+        "Action": [
+         "dynamodb:GetItem",
+         "dynamodb:Query"
+        ],
+        "Effect": "Allow",
+        "Principal": {
+         "AWS": {
+          "Fn::Join": [
+           "",
+           [
+            "arn:",
+            {
+             "Ref": "AWS::Partition"
+            },
+            ":iam::",
+            {
+             "Ref": "AWS::AccountId"
+            },
+            ":root"
+           ]
+          ]
+         }
+        },
+        "Resource": {
+         "Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/my-explicit-scoped-table"
+        }
+       }
+      ],
+      "Version": "2012-10-17"
+     }
+    },
+    "TableName": "my-explicit-scoped-table"
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}