fix(dynamodb): add missing iam permissions to custom resource for deleting dynamodb replica table (#24682)

> Adding missing iam permissions to custom resource for deleting replicated regions. Since DeleteTableReplica is not enough on its own, DeleteTable permission has also been added.
>
>
> is not authorized to perform: dynamodb:DeleteTableReplica on resource: arn:aws:dynamodb:us-east-2::table/global-replica-region-table because no identity-based policy allows the dynamodb:DeleteTableReplica action
> is not authorized to perform: dynamodb:DeleteTable on resource: arn:aws:dynamodb:us-east-2::table/global-replica-region-table because no identity-based policy allows the dynamodb:DeleteTable action

Closes #22069.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: ahmetsoykan

packages/@aws-cdk/aws-dynamodb/lib/replica-provider.ts

@@ -9,6 +9,16 @@ import { Construct } from 'constructs';
  * Properties for a ReplicaProvider
  */
 export interface ReplicaProviderProps {
+  /**
+   * The table name
+   *
+   */
+  readonly tableName: string;
+  /**
+   * Regions where replica tables will be created
+   *
+   */
+  readonly regions: string[];
   /**
    * The timeout for the replication operation.
    *
@@ -21,7 +31,7 @@ export class ReplicaProvider extends NestedStack {
   /**
    * Creates a stack-singleton resource provider nested stack.
    */
-  public static getOrCreate(scope: Construct, props: ReplicaProviderProps = {}) {
+  public static getOrCreate(scope: Construct, props: ReplicaProviderProps) {
     const stack = Stack.of(scope);
     const uid = '@aws-cdk/aws-dynamodb.ReplicaProvider';
     return stack.node.tryFindChild(uid) as ReplicaProvider ?? new ReplicaProvider(stack, uid, props);
@@ -42,7 +52,7 @@ export class ReplicaProvider extends NestedStack {
    */
   public readonly isCompleteHandler: lambda.Function;
 
-  private constructor(scope: Construct, id: string, props: ReplicaProviderProps = {}) {
+  private constructor(scope: Construct, id: string, props: ReplicaProviderProps) {
     super(scope, id);
 
     const code = lambda.Code.fromAsset(path.join(__dirname, 'replica-handler'));
@@ -84,6 +94,19 @@ export class ReplicaProvider extends NestedStack {
       }),
     );
 
+    // Required for replica table deletion
+    let resources: string[] = [];
+    props.regions.forEach((region) => {
+      resources.push(`arn:aws:dynamodb:${region}:${this.account}:table/${props.tableName}`);
+    });
+
+    this.onEventHandler.addToRolePolicy(
+      new iam.PolicyStatement({
+        actions: ['dynamodb:DeleteTable', 'dynamodb:DeleteTableReplica'],
+        resources: resources,
+      }),
+    );
+
     this.provider = new cr.Provider(this, 'Provider', {
       onEventHandler: this.onEventHandler,
       isCompleteHandler: this.isCompleteHandler,

packages/@aws-cdk/aws-dynamodb/lib/table.ts

@@ -1624,7 +1624,7 @@ export class Table extends TableBase {
       throw new Error('`replicationRegions` cannot include the region where this stack is deployed.');
     }
 
-    const provider = ReplicaProvider.getOrCreate(this, { timeout });
+    const provider = ReplicaProvider.getOrCreate(this, { tableName: this.tableName, regions, timeout });
 
     // Documentation at https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/V2gt_IAM.html
     // is currently incorrect. AWS Support recommends `dynamodb:*` in both source and destination regions

packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts

@@ -22,6 +22,7 @@ import {
   Operation,
   CfnTable,
 } from '../lib';
+import { ReplicaProvider } from '../lib/replica-provider';
 
 jest.mock('@aws-cdk/custom-resources');
 
@@ -567,6 +568,66 @@ test('if an encryption key is included, encrypt/decrypt permissions are added to
   });
 });
 
+test('replica-handler permission check', () => {
+  // GIVEN
+  const app = new App();
+  const stack = new Stack(app, 'Stack');
+
+  // WHEN
+  const provider = ReplicaProvider.getOrCreate(stack, {
+    tableName: 'test',
+    regions: ['eu-central-1', 'eu-west-1'],
+  });
+
+  // THEN
+  Template.fromStack(provider).hasResourceProperties('AWS::IAM::Policy', {
+    'PolicyDocument': {
+      'Statement': [
+        {
+          'Action': 'iam:CreateServiceLinkedRole',
+          'Effect': 'Allow',
+          'Resource': {
+            'Fn::Join': [
+              '',
+              [
+                'arn:',
+                {
+                  Ref: 'AWS::Partition',
+                },
+                ':iam::',
+                {
+                  Ref: 'AWS::AccountId',
+                },
+                ':role/aws-service-role/replication.dynamodb.amazonaws.com/AWSServiceRoleForDynamoDBReplication',
+              ],
+            ],
+          },
+        },
+        {
+          'Action': 'dynamodb:DescribeLimits',
+          'Effect': 'Allow',
+          'Resource': '*',
+        },
+        {
+          'Action': [
+            'dynamodb:DeleteTable',
+            'dynamodb:DeleteTableReplica',
+          ],
+          'Effect': 'Allow',
+          'Resource': [
+            {
+              'Fn::Join': ['', ['arn:aws:dynamodb:eu-central-1:', { Ref: 'AWS::AccountId' }, ':table/test']],
+            },
+            {
+              'Fn::Join': ['', ['arn:aws:dynamodb:eu-west-1:', { Ref: 'AWS::AccountId' }, ':table/test']],
+            },
+          ],
+        },
+      ],
+    },
+  });
+});
+
 test('when specifying STANDARD_INFREQUENT_ACCESS table class', () => {
   const stack = new Stack();
   new Table(stack, CONSTRUCT_NAME, {