fix(dynamodb): addtoresourcepolicy fix for table (v1)

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.template.json

@@ -71,6 +71,36 @@
     "ProvisionedThroughput": {
      "ReadCapacityUnits": 5,
      "WriteCapacityUnits": 5
+    },
+    "ResourcePolicy": {
+     "PolicyDocument": {
+      "Statement": [
+       {
+        "Action": "dynamodb:*",
+        "Effect": "Allow",
+        "Principal": {
+         "AWS": {
+          "Fn::Join": [
+           "",
+           [
+            "arn:",
+            {
+             "Ref": "AWS::Partition"
+            },
+            ":iam::",
+            {
+             "Ref": "AWS::AccountId"
+            },
+            ":root"
+           ]
+          ]
+         }
+        },
+        "Resource": "*"
+       }
+      ],
+      "Version": "2012-10-17"
+     }
     }
    },
    "UpdateReplacePolicy": "Delete",

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts

@@ -39,7 +39,12 @@ export class TestStack extends Stack {
       removalPolicy: RemovalPolicy.DESTROY,
     });
 
-    this.tableTwo.grantReadData(new iam.AccountPrincipal('123456789012'));
+    this.tableTwo.addToResourcePolicy( new iam.PolicyStatement({
+      actions: ['dynamodb:*'],
+      principals: [new iam.AccountRootPrincipal()],
+      resources: ['*'],
+    }));
+
   }
 }
 

packages/aws-cdk-lib/aws-dynamodb/lib/table.ts

@@ -524,7 +524,7 @@ export interface TableAttributes {
   readonly grantIndexPermissions?: boolean;
 }
 
-export abstract class TableBase extends Resource implements ITable, iam.IResourceWithPolicy {
+export abstract class TableBase extends Resource implements ITable {
   /**
    * @attribute
    */
@@ -564,7 +564,7 @@ export abstract class TableBase extends Resource implements ITable, iam.IResourc
    * @param actions The set of actions to allow (i.e. "dynamodb:PutItem", "dynamodb:GetItem", ...)
    */
   public grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant {
-    return iam.Grant.addToPrincipalOrResource({
+    return iam.Grant.addToPrincipal({
       grantee,
       actions,
       resourceArns: [
@@ -575,7 +575,7 @@ export abstract class TableBase extends Resource implements ITable, iam.IResourc
           produce: () => this.hasIndex ? `${arn}/index/*` : Aws.NO_VALUE,
         })),
       ],
-      resource: this,
+      scope: this,
     });
   }
   /**
@@ -691,23 +691,6 @@ export abstract class TableBase extends Resource implements ITable, iam.IResourc
     return this.combinedGrant(grantee, { keyActions, tableActions: ['dynamodb:*'] });
   }
 
-  /**
-   * Adds a statement to the resource policy associated with this file system.
-   * A resource policy will be automatically created upon the first call to `addToResourcePolicy`.
-   *
-   * Note that this does not work with imported file systems.
-   *
-   * @param statement The policy statement to add
-   */
-  public addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult {
-    this.resourcePolicy = this.resourcePolicy ?? new iam.PolicyDocument({ statements: [] });
-    this.resourcePolicy.addStatements(statement);
-    return {
-      statementAdded: true,
-      policyDependable: this,
-    };
-  }
-
   /**
    * Return the given named metric for this Table
    *
@@ -958,11 +941,11 @@ export abstract class TableBase extends Resource implements ITable, iam.IResourc
           produce: () => this.hasIndex ? `${arn}/index/*` : Aws.NO_VALUE,
         })),
       ];
-      const ret = iam.Grant.addToPrincipalOrResource({
+      const ret = iam.Grant.addToPrincipal({
         grantee,
         actions: opts.tableActions,
         resourceArns: resources,
-        resource: this,
+        scope: this,
       });
       return ret;
     }
@@ -971,11 +954,11 @@ export abstract class TableBase extends Resource implements ITable, iam.IResourc
         throw new Error(`DynamoDB Streams must be enabled on the table ${this.node.path}`);
       }
       const resources = [this.tableStreamArn];
-      const ret = iam.Grant.addToPrincipalOrResource({
+      const ret = iam.Grant.addToPrincipal({
         grantee,
         actions: opts.streamActions,
         resourceArns: resources,
-        resource: this,
+        scope: this,
       });
       return ret;
     }
@@ -1732,6 +1715,29 @@ export class Table extends TableBase {
       },
     };
   }
+
+  /**
+   * Adds a statement to the resource policy associated with this file system.
+   * A resource policy will be automatically created upon the first call to `addToResourcePolicy`.
+   *
+   * Note that this does not work with imported file systems.
+   *
+   * @param statement The policy statement to add
+   */
+  public addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult {
+
+    this.resourcePolicy = this.resourcePolicy ?? new iam.PolicyDocument({ statements: [] });
+    this.resourcePolicy.addStatements(statement);
+
+    this.table.resourcePolicy = {
+      policyDocument: this.resourcePolicy,
+    };
+
+    return {
+      statementAdded: true,
+      policyDependable: this,
+    };
+  }
 }
 
 /**