Skip to content

fix(dynamodb): addToResourcePolicy has no effect #35554

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 20 commits into
base: main
Choose a base branch
from
Open

fix(dynamodb): addToResourcePolicy has no effect #35554

wants to merge 20 commits into from
+1,961 −292

Conversation

pahud
Copy link
Contributor

@pahud pahud commented Sep 23, 2025
edited
Loading

Issue # (if applicable)

Closes #35062.

Reason for this change

The addToResourcePolicy() method for DynamoDB tables had no effect - it was not adding resource policies to the synthesized CloudFormation template. Users calling table.addToResourcePolicy() found that their policies were ignored, forcing them to use insecure workarounds.

Description of changes

Fixed the addToResourcePolicy() method to properly update the CloudFormation table's resource policy:

  • Fixed core bug: Added missing this.table.resourcePolicy = { policyDocument: this.resourcePolicy } line in addToResourcePolicy() method
  • Restored intended functionality: Resource policies now appear in synthesized CloudFormation templates
  • Applied to both Table V1 and V2: Consistent behavior across all DynamoDB table constructs
  • Avoids circular dependencies: Uses wildcard resources (*) pattern to prevent CloudFormation circular dependency issues with auto-generated table names
  • Added comprehensive tests: 5 new tests covering both wildcard and scoped resource scenarios
  • Updated README.md: Completely rewrote addToResourcePolicy documentation:
    • Removed problematic examples that would create circular dependencies
    • Added correct wildcard resource pattern following KMS approach
    • Documented the CloudFormation limitation and workarounds
    • Provided clear examples for both standard and scoped resource policies

Before (broken):

// This had no effect - policy was ignored
table.addToResourcePolicy(new iam.PolicyStatement({
  actions: ['dynamodb:GetItem'],
  principals: [new iam.AccountRootPrincipal()],
  resources: [table.tableArn], // This would also create circular dependency
}));
// CloudFormation template: No ResourcePolicy property

After (fixed):

// Now works correctly - policy appears in CloudFormation
table.addToResourcePolicy(new iam.PolicyStatement({
  actions: ['dynamodb:GetItem'],
  principals: [new iam.AccountRootPrincipal()],
  resources: ['*'], // Wildcard avoids circular dependency (KMS pattern)
}));
// CloudFormation template: ResourcePolicy.PolicyDocument properly set

For scoped resources (requires explicit table name):

const table = new dynamodb.Table(this, 'MyTable', {
  tableName: 'my-explicit-table-name', // Explicit name enables scoped resources
  partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },
});

table.addToResourcePolicy(new iam.PolicyStatement({
  actions: ['dynamodb:GetItem'],
  principals: [new iam.AccountRootPrincipal()],
  resources: [
    Fn.sub('arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/my-explicit-table-name')
  ],
}));

Architecture Note: DynamoDB tables use inline ResourcePolicy properties (like KMS keys) rather than separate policy resources. Due to CloudFormation's circular dependency limitations, resource policies must use wildcard resources (*) when table names are auto-generated, or explicit table names must be specified for scoped resources.

Describe any new or updated permissions being added

N/A - No new IAM permissions required. This change only affects how existing resource policies are structured.

Description of how you validated changes

  • Unit tests: Added new addToResourcePolicy tests:
    • Standard wildcard resource usage (resources: ['*'])
    • Explicit table name workaround for scoped resources
    • Comprehensive limitation documentation
  • Integration tests: Added comprehensive integration test covering both wildcard and scoped resource patterns
  • Full test suite: All DynamoDB unit tests pass, confirming no regressions
  • CloudFormation validation: Verified synthesis works without circular dependency errors
  • Deployment testing: Confirmed resource policies are properly applied at deployment time

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@pahud
fix(aws-dynamodb): addToResourcePolicy method now properly synthesize…
468d711 
…s to CloudFormation

The addToResourcePolicy() method on DynamoDB Table constructs had no effect - resource
policies added after table construction were not appearing in the synthesized CloudFormation
template. This created a security gap where developers thought they were securing tables
but policies weren't actually applied.

Changes:
- Initialize this.resourcePolicy from props in Table constructor
- Use Lazy.any() for CfnTable resourcePolicy property to defer evaluation until synthesis
- Follow the same pattern used by Global Secondary Indexes for consistency
- Add comprehensive unit and integration tests

This fix enables proper IAM policy scoping using table.tableArn instead of forcing
users to use insecure "*" resource workarounds.

Closes aws#35062
@github-actions github-actions bot added bug This issue is a bug. effort/medium Medium work item – several days of effort p1 labels Sep 23, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team September 23, 2025 01:35
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Sep 23, 2025
aws-cdk-automation
aws-cdk-automation previously requested changes Sep 23, 2025
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(This review is outdated)

@pahud pahud changed the title fix(aws-dynamodb): addToResourcePolicy method now properly synthesizes to CloudFormation fix(dynamodb): addToResourcePolicy method now properly synthesizes to CloudFormation Sep 23, 2025
@aws-cdk-automation aws-cdk-automation dismissed their stale review September 23, 2025 02:10

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@pahud pahud marked this pull request as ready for review September 23, 2025 18:38
@pahud pahud mentioned this pull request Sep 23, 2025
Open
1 task
@pahud pahud changed the title fix(dynamodb): addToResourcePolicy method now properly synthesizes to CloudFormation fix(dynamodb): addToResourcePolicy has no effect Sep 23, 2025
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Sep 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
bug This issue is a bug. contribution/core This is a PR that came from AWS. effort/medium Medium work item – several days of effort p1 pr/needs-maintainer-review This PR needs a review from a Core Team Member
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

(aws-dynamodb): addToResourcePolicy has no effect
2 participants
@pahud @aws-cdk-automation