fix(dynamodb): addToResourcePolicy has no effect

[pahud]

Issue # (if applicable)

Closes #35062.

Reason for this change

The addToResourcePolicy() method for DynamoDB tables had no effect - it was not adding resource policies to the synthesized CloudFormation template. Users calling table.addToResourcePolicy() found that their policies were ignored, forcing them to use insecure workarounds.

Description of changes

Fixed the addToResourcePolicy() method to properly update the CloudFormation table's resource policy:

• Fixed core bug: Added missing this.table.resourcePolicy = { policyDocument: this.resourcePolicy } line in addToResourcePolicy() method
• Restored intended functionality: Resource policies now appear in synthesized CloudFormation templates
• Applied to both Table V1 and V2: Consistent behavior across all DynamoDB table constructs
• Avoids circular dependencies: Uses wildcard resources (*) pattern to prevent CloudFormation circular dependency issues with auto-generated table names
• Added comprehensive tests: 5 new tests covering both wildcard and scoped resource scenarios
• Updated README.md: Completely rewrote addToResourcePolicy documentation:
  • Removed problematic examples that would create circular dependencies
  • Added correct wildcard resource pattern following KMS approach
  • Documented the CloudFormation limitation and workarounds
  • Provided clear examples for both standard and scoped resource policies

Before (broken):

// This had no effect - policy was ignored
table.addToResourcePolicy(new iam.PolicyStatement({
  actions: ['dynamodb:GetItem'],
  principals: [new iam.AccountRootPrincipal()],
  resources: [table.tableArn], // This would also create circular dependency
}));
// CloudFormation template: No ResourcePolicy property

After (fixed):

// Now works correctly - policy appears in CloudFormation
table.addToResourcePolicy(new iam.PolicyStatement({
  actions: ['dynamodb:GetItem'],
  principals: [new iam.AccountRootPrincipal()],
  resources: ['*'], // Wildcard avoids circular dependency (KMS pattern)
}));
// CloudFormation template: ResourcePolicy.PolicyDocument properly set

For scoped resources (requires explicit table name):

const table = new dynamodb.Table(this, 'MyTable', {
  tableName: 'my-explicit-table-name', // Explicit name enables scoped resources
  partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },
});

table.addToResourcePolicy(new iam.PolicyStatement({
  actions: ['dynamodb:GetItem'],
  principals: [new iam.AccountRootPrincipal()],
  resources: [
    Fn.sub('arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/my-explicit-table-name')
  ],
}));

Architecture Note: DynamoDB tables use inline ResourcePolicy properties (like KMS keys) rather than separate policy resources. Due to CloudFormation's circular dependency limitations, resource policies must use wildcard resources (*) when table names are auto-generated, or explicit table names must be specified for scoped resources.

Describe any new or updated permissions being added

N/A - No new IAM permissions required. This change only affects how existing resource policies are structured.

Description of how you validated changes

• Unit tests: Added new addToResourcePolicy tests:
  • Standard wildcard resource usage (resources: ['*'])
  • Explicit table name workaround for scoped resources
  • Comprehensive limitation documentation
• Integration tests: Added comprehensive integration test covering both wildcard and scoped resource patterns
• Full test suite: All DynamoDB unit tests pass, confirming no regressions
• CloudFormation validation: Verified synthesis works without circular dependency errors
• Deployment testing: Confirmed resource policies are properly applied at deployment time

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[alvazjor]

@pahud I think this fix is correct. But there are some conflicts that need to be resolved. Please address them and I will re-approve. Thanks

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.