Support aws_dynamodb_resource_policy for replicas #108

@tcarreira

Description

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

  • Yes ✅: aws_dynamodb_resource_policy (>= v5.43.0)

Is your request related to a problem? Please describe.

When using replica_regions and resource_policy, I would expect the resource policy to be applied to the main table and all of its replicas.
This is not happening. The policy is created only on the main table.

Describe the solution you'd like.

Also create aws_dynamodb_resource_policy for all replicas.

In order to support this without breaking changes, we could have the following:

  • a replicate_policy flag to make all table replicas carry the same policy as the main table (defaults to false for backwards compatibility)
  • an additional resource_policy field on each replica_regions object (defaults to null; should override the previous flag for that replica)

I think replicate_policy should default to true, if you are OK with a "small" breaking change.

Describe alternatives you've considered.

We can create the policies outside the module (making the usage of the module less relevant):

# Declarations the snippet relies on, added so it plans as-is
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

resource "random_pet" "this" {}

locals {
  dynamodb_name     = "my-table-${random_pet.this.id}"
  dynamodb_replicas = ["us-east-2", "eu-west-1"]

  # Replicas share the table name but live in other regions, so each one has
  # its own ARN and the policy's Resource element must be rewritten per region.
  dynamodb_table_arn = {
    for region in concat([data.aws_region.current.name], local.dynamodb_replicas) :
    region => "arn:aws:dynamodb:${region}:${data.aws_caller_identity.current.account_id}:table/${local.dynamodb_name}"
  }

  # __DYNAMODB_TABLE_ARN__ is a placeholder substituted with the regional ARN below
  dynamodb_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDummyRoleAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:role/DummyRole"
      },
      "Action": "dynamodb:GetItem",
      "Resource": "__DYNAMODB_TABLE_ARN__"
    }
  ]
}
POLICY
}

module "dynamodb_table" {
  source  = "terraform-aws-modules/dynamodb-table/aws"
  version = "5.0.0"

  name                        = local.dynamodb_name
  hash_key                    = "id"
  range_key                   = "title"
  table_class                 = "STANDARD"
  deletion_protection_enabled = false

  attributes = [
    {
      name = "id"
      type = "N"
    },
    {
      name = "title"
      type = "S"
    },
    {
      name = "age"
      type = "N"
    }
  ]

  # Main table: the module attaches the policy as-is, so the placeholder is
  # replaced with the main (provider) region ARN before passing it in
  resource_policy = replace(local.dynamodb_policy, "__DYNAMODB_TABLE_ARN__", local.dynamodb_table_arn[data.aws_region.current.name])

  replica_regions = [
    for region in local.dynamodb_replicas : {
      region_name            = region
      propagate_tags         = true
      point_in_time_recovery = true
    }
  ]
}

# Same policy on every replica; the module only attaches it to the main table
resource "aws_dynamodb_resource_policy" "replicas" {
  # for_each requires a set or map, not a list
  for_each = toset(local.dynamodb_replicas)

  resource_arn = local.dynamodb_table_arn[each.value]
  policy       = replace(local.dynamodb_policy, "__DYNAMODB_TABLE_ARN__", local.dynamodb_table_arn[each.value])

  # The replica tables are created by the module; attach policies only after they exist
  depends_on = [module.dynamodb_table]
}

Additional context

I can create a PR to implement this
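One way the two knobs proposed above (a replicate_policy flag plus a per-replica resource_policy override) could be implemented inside the module, written as an added example rather than the module's own code. Variable and local names, the __DYNAMODB_TABLE_ARN__ placeholder convention borrowed from the workaround, and the aws_dynamodb_table.this resource name are assumptions; the optional() object attribute needs Terraform 1.3 or later.

```hcl
# Added example (not terraform-aws-modules/dynamodb-table code): module-internal
# logic for replicate_policy and per-replica resource_policy. All names are
# illustrative assumptions.

variable "name" {
  type = string
}

variable "resource_policy" {
  description = "Resource policy for the main table. May contain __DYNAMODB_TABLE_ARN__, which is replaced with the ARN of the table it is attached to."
  type        = string
  default     = null
}

variable "replicate_policy" {
  description = "Attach resource_policy to every replica that has no resource_policy of its own (false keeps today's behaviour)"
  type        = bool
  default     = false
}

variable "replica_regions" {
  type = list(object({
    region_name     = string
    resource_policy = optional(string) # per-replica override; wins over replicate_policy
  }))
  default = []
}

data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}

resource "aws_dynamodb_table" "this" {
  name             = var.name
  billing_mode     = "PAY_PER_REQUEST"
  hash_key         = "id"
  stream_enabled   = true # replicas require a stream with NEW_AND_OLD_IMAGES
  stream_view_type = "NEW_AND_OLD_IMAGES"

  attribute {
    name = "id"
    type = "S"
  }

  dynamic "replica" {
    for_each = var.replica_regions
    content {
      region_name = replica.value.region_name
    }
  }
}

locals {
  # region => policy text, for every replica that should get a policy.
  # Precedence: explicit per-replica policy, then the main policy when
  # replicate_policy is set, otherwise no policy resource is created.
  replica_policies = {
    for r in var.replica_regions :
    r.region_name => (r.resource_policy != null ? r.resource_policy : var.resource_policy)
    if r.resource_policy != null || (var.replicate_policy && var.resource_policy != null)
  }

  # A replica's ARN differs from the main table's only in the region segment.
  replica_table_arns = {
    for region in keys(local.replica_policies) :
    region => "arn:${data.aws_partition.current.partition}:dynamodb:${region}:${data.aws_caller_identity.current.account_id}:table/${var.name}"
  }
}

# Main table, as the module already does today.
resource "aws_dynamodb_resource_policy" "this" {
  count = var.resource_policy != null ? 1 : 0

  resource_arn = aws_dynamodb_table.this.arn
  policy       = replace(var.resource_policy, "__DYNAMODB_TABLE_ARN__", aws_dynamodb_table.this.arn)
}

# Replicas: the policy's Resource element must name the replica's own ARN, so
# the placeholder is rewritten per region instead of copying the main policy verbatim.
resource "aws_dynamodb_resource_policy" "replica" {
  for_each = local.replica_policies

  resource_arn = local.replica_table_arns[each.key]
  policy       = replace(each.value, "__DYNAMODB_TABLE_ARN__", local.replica_table_arns[each.key])

  # Replica tables only exist once the main table and its replica blocks are applied.
  depends_on = [aws_dynamodb_table.this]
}
```

One thing to verify before relying on this: whether PutResourcePolicy accepts a table ARN in a region other than the one the provider is configured for. If it does not, a for_each over regions cannot work, since a provider alias cannot be selected per instance, and the replica policies would have to become one resource (or one child module invocation) per region, each with its own regional provider.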
