(aws-dynamodb): replica-provider has a hardcoded `aws` partition in the IAM policy

[jacklin213]

Describe the bug

In f35b70b, a new policy statement was introduced to add permissions 'dynamodb:DeleteTable', 'dynamodb:DeleteTableReplica' to allow for custom resource to delete the replication Table. However the resource arn was hardcoded to the aws partition meaning that this code will not work in other partitions such as aws-cn. (See Line 100 below)

aws-cdk/packages/aws-cdk-lib/aws-dynamodb/lib/replica-provider.ts

Lines 97 to 108 in 04323c4

	// Required for replica table deletion
	let resources: string[] = [];
	props.regions.forEach((region) => {
	resources.push(`arn:aws:dynamodb:${region}:${this.account}:table/${props.tableName}`);
	});
	this.onEventHandler.addToRolePolicy(
	new iam.PolicyStatement({
	actions: ['dynamodb:DeleteTable', 'dynamodb:DeleteTableReplica'],
	resources: resources,
	}),
	);

The error we see when the CDK stack is deployed to CN:

Partition "aws" is not valid for resource "arn:aws:dynamodb:cn-northwest-1:1234567890:table/MyTable". (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: -snip-; Proxy: null)

Expected Behavior

The policy should be create inferring the partition when specifying the tableArn for the resource of the new policy statement.

Current Behavior

The policy creation fails in CN partition as the partition is hardcoded to standard partition.

Reproduction Steps

1. Create a CDK repo that only has 1 Table resource.
2. As part of the Table resource provide replicationRegions and have either cn-north-1 or cn-northwest-1.
3. Synth the repo and attempt to deploy the stack to China

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.73.0

Framework Version

No response

Node.js Version

18.0.0

OS

Linux

Language

Typescript

Language Version

No response

Other information

No response

[peterwoodworth]

Thanks for the report, you're right that this is hardcoded. Should use Aws.PARTITION instead

[jacklin213]

Will get a PR out for this shortly

[jacklin213]

The current workaround for anyone experiencing this issue is to version lock to aws-cdk-lib: 2.71.0 . This will remove the new IAM policy that was introduced with the hardcoded partition

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.