feat(dynamodb): adds deletion protection for tables (#24581)

You can enable deletion protection for a table by setting the `deletionProtection` property to `true`. 
When deletion protection is enabled for a table, it cannot be deleted by anyone. By default, deletion protection is disabled.

Closes #24540

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: daschaa

Diff for: packages/@aws-cdk/aws-dynamodb/README.md

@@ -236,3 +236,15 @@ new cloudwatch.Alarm(stack, 'Alarm', {
   threshold: 1,
 });
 ```
+
+## Deletion Protection for Tables
+
+You can enable deletion protection for a table by setting the `deletionProtection` property to `true`. 
+When deletion protection is enabled for a table, it cannot be deleted by anyone. By default, deletion protection is disabled.
+
+```ts
+const table = new dynamodb.Table(this, 'Table', {
+  partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },
+  deletionProtection: true,
+});
+```

Diff for: packages/@aws-cdk/aws-dynamodb/lib/table.ts

@@ -291,6 +291,13 @@ export interface TableOptions extends SchemaOptions {
    * @default false
    */
   readonly contributorInsightsEnabled?: boolean;
+
+  /**
+   * Enables deletion protection for the table.
+   *
+   * @default false
+   */
+  readonly deletionProtection?: boolean;
 }
 
 /**
@@ -1238,6 +1245,7 @@ export class Table extends TableBase {
       timeToLiveSpecification: props.timeToLiveAttribute ? { attributeName: props.timeToLiveAttribute, enabled: true } : undefined,
       contributorInsightsSpecification: props.contributorInsightsEnabled !== undefined ? { enabled: props.contributorInsightsEnabled } : undefined,
       kinesisStreamSpecification: props.kinesisStream ? { streamArn: props.kinesisStream.streamArn } : undefined,
+      deletionProtectionEnabled: props.deletionProtection,
     });
     this.table.applyRemovalPolicy(props.removalPolicy);
 

Diff for: packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts

@@ -3194,3 +3194,46 @@ function testGrant(expectedActions: string[], invocation: (user: iam.IPrincipal,
     ],
   });
 }
+
+describe('deletionProtectionEnabled', () => {
+  test.each([
+    [true],
+    [false],
+  ])('gets passed to table', (state) => {
+    // GIVEN
+    const stack = new Stack();
+
+    // WHEN
+    new Table(stack, 'Table', {
+      partitionKey: {
+        name: 'id',
+        type: AttributeType.STRING,
+      },
+      deletionProtection: state,
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::DynamoDB::Table', {
+      DeletionProtectionEnabled: state,
+    });
+  });
+
+  test('is not passed when not set', () => {
+    // GIVEN
+    const stack = new Stack();
+
+    // WHEN
+    new Table(stack, 'Table', {
+      partitionKey: {
+        name: 'id',
+        type: AttributeType.STRING,
+      },
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::DynamoDB::Table', Match.objectLike({
+      DeletionProtectionEnabled: Match.absent(),
+    }));
+  });
+});
+

Diff for: packages/@aws-cdk/aws-dynamodb/test/integ.dynamodb.deletion-protection.js.snapshot/cdk.out

@@ -0,0 +1 @@
+{"version":"31.0.0"}

Diff for: packages/@aws-cdk/aws-dynamodb/test/integ.dynamodb.deletion-protection.js.snapshot/deletion-protection-stack.assets.json

@@ -0,0 +1,20 @@
+{
+  "version": "31.0.0",
+  "files": {
+    "f87ba4fca1a1119dcfae7e01fe3db2422f42d132352c5519b5ca76cb608f74d3": {
+      "source": {
+        "path": "deletion-protection-stack.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "889855614607-us-east-1": {
+          "bucketName": "cdk-hnb659fds-assets-889855614607-us-east-1",
+          "objectKey": "f87ba4fca1a1119dcfae7e01fe3db2422f42d132352c5519b5ca76cb608f74d3.json",
+          "region": "us-east-1",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::889855614607:role/cdk-hnb659fds-file-publishing-role-889855614607-us-east-1"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

Diff for: packages/@aws-cdk/aws-dynamodb/test/integ.dynamodb.deletion-protection.js.snapshot/deletion-protection-stack.template.json

@@ -0,0 +1,63 @@
+{
+ "Resources": {
+  "TableCD117FA1": {
+   "Type": "AWS::DynamoDB::Table",
+   "Properties": {
+    "KeySchema": [
+     {
+      "AttributeName": "pk",
+      "KeyType": "HASH"
+     }
+    ],
+    "AttributeDefinitions": [
+     {
+      "AttributeName": "pk",
+      "AttributeType": "S"
+     }
+    ],
+    "DeletionProtectionEnabled": true,
+    "ProvisionedThroughput": {
+     "ReadCapacityUnits": 5,
+     "WriteCapacityUnits": 5
+    },
+    "TableName": "deletion-protection-test"
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}

Diff for: packages/@aws-cdk/aws-dynamodb/test/integ.dynamodb.deletion-protection.js.snapshot/deletionprotectionintegtestDefaultTestDeployAssertA66823A5.assets.json

@@ -0,0 +1,19 @@
+{
+  "version": "31.0.0",
+  "files": {
+    "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
+      "source": {
+        "path": "deletionprotectionintegtestDefaultTestDeployAssertA66823A5.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

Diff for: packages/@aws-cdk/aws-dynamodb/test/integ.dynamodb.deletion-protection.js.snapshot/deletionprotectionintegtestDefaultTestDeployAssertA66823A5.template.json

@@ -0,0 +1,36 @@
+{
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}

Diff for: packages/@aws-cdk/aws-dynamodb/test/integ.dynamodb.deletion-protection.js.snapshot/integ.json

@@ -0,0 +1,27 @@
+{
+  "version": "31.0.0",
+  "testCases": {
+    "deletion-protection-integ-test/DefaultTest": {
+      "stacks": [
+        "deletion-protection-stack"
+      ],
+      "hooks": {
+        "postDeploy": [
+          "aws dynamodb update-table --no-cli-pager --region us-east-1 --table-name deletion-protection-test --no-deletion-protection-enabled"
+        ]
+      },
+      "regions": [
+        "us-east-1"
+      ],
+      "cdkCommandOptions": {
+        "deploy": {
+          "args": {
+            "rollback": true
+          }
+        }
+      },
+      "assertionStack": "deletion-protection-integ-test/DefaultTest/DeployAssert",
+      "assertionStackName": "deletionprotectionintegtestDefaultTestDeployAssertA66823A5"
+    }
+  }
+}

Diff for: packages/@aws-cdk/aws-dynamodb/test/integ.dynamodb.deletion-protection.js.snapshot/manifest.json

@@ -0,0 +1,122 @@
+{
+  "version": "31.0.0",
+  "artifacts": {
+    "deletion-protection-stack.assets": {
+      "type": "cdk:asset-manifest",
+      "properties": {
+        "file": "deletion-protection-stack.assets.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+      }
+    },
+    "deletion-protection-stack": {
+      "type": "aws:cloudformation:stack",
+      "environment": "aws://889855614607/us-east-1",
+      "properties": {
+        "templateFile": "deletion-protection-stack.template.json",
+        "validateOnSynth": false,
+        "assumeRoleArn": "arn:${AWS::Partition}:iam::889855614607:role/cdk-hnb659fds-deploy-role-889855614607-us-east-1",
+        "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::889855614607:role/cdk-hnb659fds-cfn-exec-role-889855614607-us-east-1",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-889855614607-us-east-1/f87ba4fca1a1119dcfae7e01fe3db2422f42d132352c5519b5ca76cb608f74d3.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
+        "additionalDependencies": [
+          "deletion-protection-stack.assets"
+        ],
+        "lookupRole": {
+          "arn": "arn:${AWS::Partition}:iam::889855614607:role/cdk-hnb659fds-lookup-role-889855614607-us-east-1",
+          "requiresBootstrapStackVersion": 8,
+          "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+        }
+      },
+      "dependencies": [
+        "deletion-protection-stack.assets"
+      ],
+      "metadata": {
+        "/deletion-protection-stack/Table": [
+          {
+            "type": "aws:cdk:hasPhysicalName",
+            "data": {
+              "Ref": "TableCD117FA1"
+            }
+          }
+        ],
+        "/deletion-protection-stack/Table/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "TableCD117FA1",
+            "trace": [
+              "!!DESTRUCTIVE_CHANGES: WILL_REPLACE"
+            ]
+          }
+        ],
+        "/deletion-protection-stack/BootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "BootstrapVersion"
+          }
+        ],
+        "/deletion-protection-stack/CheckBootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "CheckBootstrapVersion"
+          }
+        ]
+      },
+      "displayName": "deletion-protection-stack"
+    },
+    "deletionprotectionintegtestDefaultTestDeployAssertA66823A5.assets": {
+      "type": "cdk:asset-manifest",
+      "properties": {
+        "file": "deletionprotectionintegtestDefaultTestDeployAssertA66823A5.assets.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+      }
+    },
+    "deletionprotectionintegtestDefaultTestDeployAssertA66823A5": {
+      "type": "aws:cloudformation:stack",
+      "environment": "aws://unknown-account/unknown-region",
+      "properties": {
+        "templateFile": "deletionprotectionintegtestDefaultTestDeployAssertA66823A5.template.json",
+        "validateOnSynth": false,
+        "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
+        "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
+        "additionalDependencies": [
+          "deletionprotectionintegtestDefaultTestDeployAssertA66823A5.assets"
+        ],
+        "lookupRole": {
+          "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
+          "requiresBootstrapStackVersion": 8,
+          "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+        }
+      },
+      "dependencies": [
+        "deletionprotectionintegtestDefaultTestDeployAssertA66823A5.assets"
+      ],
+      "metadata": {
+        "/deletion-protection-integ-test/DefaultTest/DeployAssert/BootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "BootstrapVersion"
+          }
+        ],
+        "/deletion-protection-integ-test/DefaultTest/DeployAssert/CheckBootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "CheckBootstrapVersion"
+          }
+        ]
+      },
+      "displayName": "deletion-protection-integ-test/DefaultTest/DeployAssert"
+    },
+    "Tree": {
+      "type": "cdk:tree",
+      "properties": {
+        "file": "tree.json"
+      }
+    }
+  }
+}