Incorporating feedback - Tidy up

aws · May 28, 2024 · c8b40ee · c8b40ee
1 parent 5f2a8ba
commit c8b40ee
Show file tree

Hide file tree

Showing 8 changed files with 39 additions and 68 deletions.
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.ts
@@ -21,27 +21,21 @@ class TestStack extends Stack {
     });
 
     // table with resource policy
-    new dynamodb.TableV2(this, 'TableTestV2-1', {
+    const table = new dynamodb.TableV2(this, 'TableTestV2-1', {
       partitionKey: {
         name: 'id',
         type: dynamodb.AttributeType.STRING,
       },
       removalPolicy: RemovalPolicy.DESTROY,
       resourcePolicy: docu,
     });
+
+    table.grantReadData(new iam.AccountPrincipal('123456789012'));
   }
 }
 
 const stack = new TestStack(app, 'ResourcePolicyTest-v2', { env: { region: 'eu-west-1' } });
 
 new IntegTest(app, 'table-v2-resource-policy-integ-test', {
   testCases: [stack],
-  regions: ['us-east-1'],
-  cdkCommandOptions: {
-    deploy: {
-      args: {
-        rollback: true,
-      },
-    },
-  },
 });
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts
@@ -48,12 +48,4 @@ const stack = new TestStack(app, 'resource-policy-stack', {});
 
 new IntegTest(app, 'resource-policy-integ-test', {
   testCases: [stack],
-  regions: ['us-east-1'],
-  cdkCommandOptions: {
-    deploy: {
-      args: {
-        rollback: true,
-      },
-    },
-  },
 });
diff --git a/packages/aws-cdk-lib/aws-dynamodb/README.md b/packages/aws-cdk-lib/aws-dynamodb/README.md
@@ -671,7 +671,7 @@ Using `resourcePolicy` you can add a [resource policy](https://docs.aws.amazon.c
     });
 ```
 
-TableV2 doesn’t support creating a replica and adding a resource-based policy to that replica in the same stack update in Regions other than the Region where you deploy the stack update.
+TableV2 doesn’t support creating a replica and adding a resource-based policy to that replica in the same stack update in Regions other than the Region where you deploy the stack update. To incorporate a resource-based policy into a replica, you'll need to initially deploy the replica without the policy, followed by a subsequent update to include the desired policy.
 
 ## Grants
 

diff --git a/packages/aws-cdk-lib/aws-dynamodb/TABLE_V1_API.md b/packages/aws-cdk-lib/aws-dynamodb/TABLE_V1_API.md
@@ -237,3 +237,29 @@ const table = new dynamodb.Table(this, 'Table', {
   deletionProtection: true,
 });
 ```
+## Resource Policy
+
+Using `resourcePolicy` you can add a [resource policy](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/access-control-resource-based.html) to a table in the form of a `PolicyDocument`:
+
+```ts
+const policy = new iam.PolicyDocument({
+  statements: [
+    new iam.PolicyStatement({
+      actions: ['dynamodb:GetItem'],
+      principals: [new iam.AccountRootPrincipal()],
+      resources: ['*'],
+    }),
+  ],
+});
+
+new dynamodb.Table(this, 'MyTable', {
+  partitionKey: {
+    name: 'id',
+    type: dynamodb.AttributeType.STRING,
+  },
+  removalPolicy: RemovalPolicy.DESTROY,
+  resourcePolicy: policy,
+});
+```
+
+If you have a global table replica, note that it does not support the addition of a resource-based policy.
diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/shared.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/shared.ts
@@ -281,13 +281,6 @@ export interface ITable extends IResource {
    */
   readonly encryptionKey?: kms.IKey;
 
-  // /**
-  //  * Resource policy to assign to DynamoDB Table.
-  //  *
-  //  * @default - No resource policy statements are added to the created table.
-  //  */
-  // readonly resourcePolicy?: iam.PolicyDocument;
-
   /**
    * Adds an IAM policy statement associated with this table to an IAM
    * principal's policy.

diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2.ts
@@ -417,11 +417,6 @@ export class TableV2 extends TableBaseV2 {
     return new Import(tableArn, tableName, attrs.tableId, attrs.tableStreamArn);
   }
 
-  /**
-   * @attribute
-   */
-  public resourcePolicy?: PolicyDocument;
-
   /**
    * @attribute
    */
@@ -444,6 +439,11 @@ export class TableV2 extends TableBaseV2 {
 
   public readonly encryptionKey?: IKey;
 
+  /**
+   * @attribute
+   */
+  public resourcePolicy?: PolicyDocument;
+
   protected readonly region: string;
 
   private readonly billingMode: string;

diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts
@@ -509,8 +509,7 @@ export abstract class TableBase extends Resource implements ITable, iam.IResourc
 
   /**
    * Resource policy to assign to table.
-   * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html#cfn-dynamodb-table-resourcepolicy
-   * @default - No resource policy statement
+   * @attribute
    */
   public abstract resourcePolicy?: iam.PolicyDocument;
 
@@ -1049,11 +1048,9 @@ export class Table extends TableBase {
   public readonly encryptionKey?: kms.IKey;
 
   /**
-   *   /**
-   * Resource policy to assign to table.
-   * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html#cfn-dynamodb-table-resourcepolicy
-   * @default - No resource policy statement
-   * @attribute
+   * Resource policy to assign to DynamoDB Table.
+   * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dynamodb-table-resourcepolicy.html
+   * @default - No resource policy statements are added to the created table.
    */
   public resourcePolicy?: iam.PolicyDocument | undefined;
 

diff --git a/packages/aws-cdk-lib/aws-dynamodb/test/table-v2.test.ts b/packages/aws-cdk-lib/aws-dynamodb/test/table-v2.test.ts
@@ -2852,35 +2852,4 @@ test('Resource policy test', () => {
       },
     ],
   });
-});
-
-test('throws if trying to add a resource policy to a region other than local region', () => {
-  // GIVEN
-  const stack = new Stack(undefined, 'Stack', {
-    env: {
-      region: 'eu-west-1',
-    },
-  });
-  const doc = new PolicyDocument({
-    statements: [
-      new PolicyStatement({
-        actions: ['dynamodb:GetItem'],
-        principals: [new ArnPrincipal('arn:aws:iam::111122223333:user/foobar')],
-        resources: ['*'],
-      }),
-    ],
-  });
-
-  // WHEN / THEN
-  expect(() => {
-    new TableV2(stack, 'Table', {
-      partitionKey: { name: 'pk', type: AttributeType.STRING },
-      sortKey: { name: 'sk', type: AttributeType.STRING },
-      resourcePolicy: doc,
-      replicas: [{
-        region: 'eu-west-1',
-        resourcePolicy: doc,
-      }],
-    });
-  }).toThrow('You cannot add a replica table in the same region as the primary table - the primary table region is eu-west-1');
 });
-Original file line number
+Diff line change
@@ Expand Up @@
         });
     ```
-    TableV2 doesn’t support creating a replica and adding a resource-based policy to that replica in the same stack update in Regions other than the Region where you deploy the stack update.
+    TableV2 doesn’t support creating a replica and adding a resource-based policy to that replica in the same stack update in Regions other than the Region where you deploy the stack update. To incorporate a resource-based policy into a replica, you'll need to initially deploy the replica without the policy, followed by a subsequent update to include the desired policy.
     ## Grants
@@ Expand Down @@