feat(s3tables-alpha): add TablePolicy support to L2 construct library

[xuxey]

Issue # (if applicable)

Related to #33054

Reason for this change

This PR includes backward-compatible changes being made to add L2 support for the CfnTable and CfnTablePolicy constructs with a consistent user interface, recommended defaults, and in-built validations for managing Table level IAM resource policies.

Description of changes

New L2 Construct: TablePolicy: defines an underlying CfnTablePolicy resource

New methods added to Table construct:

• addToResourcePolicy: Attaches a policy statement to the Table's IAM policy
• grantRead: Grants read access to the table for the given principal
• grantWrite: Grants write access to the table for the given principal
• grantReadWrite: Grants read and write access to the table for the given principal

Describe any new or updated permissions being added

Method	IAM Actions	Description
table.grantRead	s3tables:Get*	Grants read permission to S3 Table
table.grantWrite	s3tables:PutTableData s3tables:UpdateTableMetadataLocation s3tables:RenameTable	Grants write permission to S3 Table
table.grantReadWrite	s3tables:Get* s3tables:PutTableData s3tables:UpdateTableMetadataLocation s3tables:CreateTable	Grants read and write permissions to S3 Table

Description of how you validated changes

• Unit tests
• Passing Integration tests with snapshots and assertions via API calls

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[kumvprat]

For all the tests which add read/write permissions to the table, can we have a test which check that the role/user policy is affected inline in the cfn templates ? The addition of read/write permissions should affect the role/user policies by adding the S3 tables based policies

[xuxey]

These tests already check for the identity policy on the principal resource, and resource policy is only added as a fallback option. This behavior is documented more here: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Grant.html#static-addwbrtowbrprincipalwbrorwbrresourceoptions

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.