(aws-dynamodb): `addToResourcePolicy` has no effect

[colifran]

Describe the bug

Using addToResourcePolicy for Table does not actually add the resource policy to the DDB table in the synthesized CFN template.

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

The resource policy would be applied to the DDB table in the synthesized CFN template.

Current Behavior

The resource policy is not applied to the DDB table in the synthesized CFN template.

Reproduction Steps

Create the following stack:

import * as cdk from 'aws-cdk-lib';
import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
import { PolicyDocument, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { Construct } from 'constructs';

export class CdkTableReproStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    new dynamodb.Table(this, 'SimpleTable', {
      tableName: 'simple-table',
      partitionKey: {
        name: 'id',
        type: dynamodb.AttributeType.STRING
      },
      billingMode: dynamodb.BillingMode.PAY_PER_REQUEST,
      removalPolicy: cdk.RemovalPolicy.DESTROY,
      resourcePolicy: new PolicyDocument({
        statements: [
          new PolicyStatement({
            actions: [
              'dynamodb:BatchGetItem',
              'dynamodb:DeleteItem',
              'dynamodb:GetItem',
              'dynamodb:Query',
              'dynamodb:Scan',
              'dynamodb:Describe*',
            ],
            resources: ['*'],
          }),
        ],
      }),
    });
  }
}

Run cdk synth and observe the following CFN template:

Resources:
  SimpleTableC6BC762D:
    Type: AWS::DynamoDB::Table
    Properties:
      AttributeDefinitions:
        - AttributeName: id
          AttributeType: S
      BillingMode: PAY_PER_REQUEST
      KeySchema:
        - AttributeName: id
          KeyType: HASH
      ResourcePolicy:
        PolicyDocument:
          Statement:
            - Action:
                - dynamodb:BatchGetItem
                - dynamodb:DeleteItem
                - dynamodb:GetItem
                - dynamodb:Query
                - dynamodb:Scan
                - dynamodb:Describe*
              Effect: Allow
              Resource: "*"
          Version: "2012-10-17"
      TableName: simple-table
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: CdkTableReproStack/SimpleTable/Resource
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/yXGSwqAIBAA0LO018ncROtuUO1j1AnUUmj6ENHdg1q9p0GrGlSBJ0vropy9gbvf0EaBJ4/uSrhkZ+Ae0Mwk2il9eURHnPfV0iNSdgSBy0MrqBpQRWDv5bqnzS8E3e8LNqEfg2gAAAA=
    Metadata:
      aws:cdk:path: CdkTableReproStack/CDKMetadata/Default
Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]

Now update the stack as follows:

import * as cdk from 'aws-cdk-lib';
import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
import { PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { Construct } from 'constructs';

export class CdkTableReproStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const table = new dynamodb.Table(this, 'SimpleTable', {
      tableName: 'simple-table',
      partitionKey: {
        name: 'id',
        type: dynamodb.AttributeType.STRING
      },
      billingMode: dynamodb.BillingMode.PAY_PER_REQUEST,
      removalPolicy: cdk.RemovalPolicy.DESTROY,
    });

    table.addToResourcePolicy(new PolicyStatement({
      actions: [
        'dynamodb:BatchGetItem',
        'dynamodb:DeleteItem',
        'dynamodb:GetItem',
        'dynamodb:Query',
        'dynamodb:Scan',
        'dynamodb:Describe*',
      ],
      resources: ['*'],
    }));
  }
}

Run cdk synth and observe that the CFN template no longer includes the policy:

Resources:
  SimpleTableC6BC762D:
    Type: AWS::DynamoDB::Table
    Properties:
      AttributeDefinitions:
        - AttributeName: id
          AttributeType: S
      BillingMode: PAY_PER_REQUEST
      KeySchema:
        - AttributeName: id
          KeyType: HASH
      TableName: simple-table
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: CdkTableReproStack/SimpleTable/Resource
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/yXGSwqAIBAA0LO018ncROtuUO1j1AnUUmj6ENHdg1q9p0GrGlSBJ0vropy9gbvf0EaBJ4/uSrhkZ+Ae0Mwk2il9eURHnPfV0iNSdgSBy0MrqBpQRWDv5bqnzS8E3e8LNqEfg2gAAAA=
    Metadata:
      aws:cdk:path: CdkTableReproStack/CDKMetadata/Default
Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]

Possible Solution

I think resourcePolicy needs to be lazily evaluated. I did the following locally and it fixed it:

First add this to the constructor:

this.resourcePolicy = props.resourcePolicy;

Update resourcePolicy in CfnTable to:

resourcePolicy: Lazy.any({ produce: () => this.resourcePolicy ? { policyDocument: this.resourcePolicy } : undefined })

Additional Information/Context

No response

AWS CDK Library version (aws-cdk-lib)

aws-cdk-lib@2.207.0

AWS CDK CLI version

aws-cdk@2.1022.0

Node.js Version

v20.19.0

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

No response

[pahud]

Hi @colifran,

Thank you for reporting this issue! I can confirm this is a valid bug in the DynamoDB Table construct (v1). The addToResourcePolicy method correctly updates the internal policy document but doesn't propagate changes to the underlying CloudFormation resource.

Root Cause:
The issue occurs because the resourcePolicy is evaluated only once during CfnTable construction, but the addToResourcePolicy method updates the policy after construction is complete.

Workaround:
For now, you can work around this by providing the complete resource policy during table construction using the resourcePolicy property instead of addToResourcePolicy.

Your Suggested Fix:
Your proposed solution is correct! The resource policy needs to be lazily evaluated using Lazy.any() so that changes made via addToResourcePolicy are reflected in the CloudFormation template.

This is a great opportunity for community contribution! The fix would involve:

1. Modifying the Table constructor to initialize this.resourcePolicy from props
2. Updating the CfnTable resourcePolicy property to use lazy evaluation

Note: This issue is separate from #30793 which affects TableV2 - both constructs need individual fixes.

[vishalsatam]

The workaround proposed doesn't make any sense in terms of security. There is no way to get the tableArn so that the resourcePolicy can restrict it to the particular table.

Are you really recommending to AWS customers that they use * as resource in the policy document? Did your security team approve this?

[pahud]

Hi @vishalsatam,

You're right to raise this security concern. The workaround I mentioned (using the resourcePolicy property during construction) doesn't solve the core issue when developers need to reference table.tableArn in their policy statements.

The real problem is that addToResourcePolicy should allow developers to write secure, properly scoped policies like this:

table.addToResourcePolicy(new PolicyStatement({
 actions: ['dynamodb:GetItem', 'dynamodb:PutItem'],
 resources: [table.tableArn], // This should work!
 principals: [/* specific principals /]
}));

But currently this fails because table.tableArn isn't available when the policy is evaluated. The lazy evaluation fix that @colifran proposed would resolve this security issue by ensuring the policy is evaluated at synthesis time when table.tableArn is available.

This is exactly why we need the proper fix rather than workarounds.

[pahud]

self-assigned. I'll submit an immediate PR today.