konokenj.cdk-api-mcp-server 0.48.0__py3-none-any.whl → 0.57.0__py3-none-any.whl

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-cloudfront-origins/integ.function-url-origin-ip-address-type.ts

@@ -0,0 +1,84 @@
+import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import { FunctionUrlOrigin } from 'aws-cdk-lib/aws-cloudfront-origins';
+import { App, Stack } from 'aws-cdk-lib';
+import { ExpectedResult, IntegTest } from '@aws-cdk/integ-tests-alpha';
+import { OriginIpAddressType } from 'aws-cdk-lib/aws-cloudfront';
+
+const app = new App();
+const stack = new Stack(app, 'FunctionUrlOriginIpAddressTypeStack');
+
+// Lambda function
+const fn = new lambda.Function(stack, 'TestFunction', {
+  code: lambda.Code.fromInline('exports.handler = async () => ({ statusCode: 200, body: "Hello" });'),
+  handler: 'index.handler',
+  runtime: lambda.Runtime.NODEJS_20_X,
+});
+
+// Function URL with IAM auth
+const fnUrl = fn.addFunctionUrl({
+  authType: lambda.FunctionUrlAuthType.AWS_IAM,
+});
+
+// CloudFront distribution with IPv4 IP address type
+new cloudfront.Distribution(stack, 'DistributionWithoutIpAddressTypeProp(IPv4)', {
+  defaultBehavior: {
+    origin: FunctionUrlOrigin.withOriginAccessControl(fnUrl, {}),
+  },
+});
+
+// CloudFront distribution with IPv4 IP address type
+const distributionIPv4 = new cloudfront.Distribution(stack, 'DistributionWithIPv4', {
+  defaultBehavior: {
+    origin: FunctionUrlOrigin.withOriginAccessControl(fnUrl, {
+      ipAddressType: OriginIpAddressType.IPV4,
+    }),
+  },
+});
+
+// CloudFront distribution with IPv6 IP address type
+const distributionIPv6 = new cloudfront.Distribution(stack, 'DistributionWithIPv6', {
+  defaultBehavior: {
+    origin: FunctionUrlOrigin.withOriginAccessControl(fnUrl, {
+      ipAddressType: OriginIpAddressType.IPV6,
+    }),
+  },
+});
+
+// CloudFront distribution with dualstack IP address type
+const distributionDualstack = new cloudfront.Distribution(stack, 'DistributionWithDualstack', {
+  defaultBehavior: {
+    origin: FunctionUrlOrigin.withOriginAccessControl(fnUrl, {
+      ipAddressType: OriginIpAddressType.DUALSTACK,
+    }),
+  },
+});
+
+const integ = new IntegTest(app, 'FunctionUrlOriginIpAddressTypeTest', {
+  testCases: [stack],
+});
+
+// Assert that distributions are created with expected IP address type settings
+integ.assertions.awsApiCall('CloudFront', 'getDistribution', {
+  Id: distributionIPv4.distributionId,
+}).assertAtPath('Distribution.DistributionConfig.IsIPV4Enabled', ExpectedResult.exact(true));
+
+integ.assertions.awsApiCall('CloudFront', 'getDistribution', {
+  Id: distributionIPv4.distributionId,
+}).assertAtPath('Distribution.DistributionConfig.IsIPV6Enabled', ExpectedResult.exact(false));
+
+integ.assertions.awsApiCall('CloudFront', 'getDistribution', {
+  Id: distributionIPv6.distributionId,
+}).assertAtPath('Distribution.DistributionConfig.IsIPV4Enabled', ExpectedResult.exact(false));
+
+integ.assertions.awsApiCall('CloudFront', 'getDistribution', {
+  Id: distributionIPv6.distributionId,
+}).assertAtPath('Distribution.DistributionConfig.IsIPV6Enabled', ExpectedResult.exact(true));
+
+integ.assertions.awsApiCall('CloudFront', 'getDistribution', {
+  Id: distributionDualstack.distributionId,
+}).assertAtPath('Distribution.DistributionConfig.IsIPV4Enabled', ExpectedResult.exact(true));
+
+integ.assertions.awsApiCall('CloudFront', 'getDistribution', {
+  Id: distributionDualstack.distributionId,
+}).assertAtPath('Distribution.DistributionConfig.IsIPV6Enabled', ExpectedResult.exact(true));

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-cloudfront-origins/integ.origin-response-completion-timeout.ts

@@ -13,7 +13,7 @@ const httpOrigin = new origins.HttpOrigin('example.com', {
 });
 
 const fn = new lambda.Function(stack, 'Function', {
-  runtime: lambda.Runtime.NODEJS_18_X,
+  runtime: lambda.Runtime.NODEJS_20_X,
   handler: 'index.handler',
   code: lambda.Code.fromInline('exports.handler = async () => ({ statusCode: 200, body: "Hello from Lambda!" });'),
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-cloudtrail/integ.cloudtrail-data-events-only.ts

@@ -13,7 +13,7 @@ const stack = new cdk.Stack(app, 'integ-cloudtrail-data-events');
 
 const bucket = new s3.Bucket(stack, 'Bucket', { removalPolicy: cdk.RemovalPolicy.DESTROY });
 const lambdaFunction = new lambda.Function(stack, 'LambdaFunction', {
-  runtime: lambda.Runtime.NODEJS_18_X,
+  runtime: lambda.Runtime.NODEJS_20_X,
   handler: 'hello.handler',
   code: lambda.Code.fromInline('exports.handler = {}'),
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-cloudwatch/README.md

@@ -479,7 +479,7 @@ const metric = new cloudwatch.Metric({
   namespace: 'AWS/EC2',
   metricName: 'CPUUtilization',
   statistic: 'Average',
-  period: Duration.minutes(5),
+  period: Duration.hours(1), // Alarm will use the metric's period
 });
 
 // Create an anomaly detection alarm

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-cloudwatch/integ.anomaly-detection-alarm.ts

@@ -5,12 +5,19 @@ import { Metric, ComparisonOperator, AnomalyDetectionAlarm, Alarm } from 'aws-cd
 const app = new App();
 const stack = new Stack(app, 'AnomalyDetectionAlarmTestStack');
 
-// Create the test metric
+// Create the test metric. Period will default to 300 seconds.
 const metric = new Metric({
   namespace: 'AWS/EC2',
   metricName: 'CPUUtilization',
   statistic: 'Average',
-  period: Duration.minutes(5),
+});
+
+// Create test metric with custom period
+const customPeriodMetric = new Metric({
+  namespace: 'AWS/EC2',
+  metricName: 'CPUUtilization',
+  statistic: 'Average',
+  period: Duration.days(1),
 });
 
 // Create an anomaly detection alarm with default operator
@@ -40,6 +47,14 @@ const descriptiveAlarm = Metric.anomalyDetectionFor({
   comparisonOperator: ComparisonOperator.GREATER_THAN_UPPER_THRESHOLD,
 });
 
+// Create an anomaly detection alarm with custom period
+const customPeriodAlarm = new AnomalyDetectionAlarm(stack, 'CustomPeriodAnomalyAlarm', {
+  metric: customPeriodMetric,
+  stdDevs: 2,
+  evaluationPeriods: 1,
+  comparisonOperator: ComparisonOperator.LESS_THAN_LOWER_OR_GREATER_THAN_UPPER_THRESHOLD,
+});
+
 // Create the integration test
 const integ = new IntegTest(app, 'AnomalyDetectionAlarmIntegTest', {
   testCases: [stack],
@@ -122,3 +137,30 @@ integ.assertions
       }),
     ]),
   }));
+
+integ.assertions
+  .awsApiCall('CloudWatch', 'describeAlarms', {
+    AlarmNames: [customPeriodAlarm.alarmName],
+  })
+  .expect(ExpectedResult.objectLike({
+    MetricAlarms: Match.arrayWith([
+      Match.objectLike({
+        ComparisonOperator: 'LessThanLowerOrGreaterThanUpperThreshold',
+        EvaluationPeriods: 1,
+        ThresholdMetricId: 'expr_1',
+        Metrics: Match.arrayWith([
+          Match.objectLike({
+            Expression: 'ANOMALY_DETECTION_BAND(m0, 2)',
+            Id: 'expr_1',
+            ReturnData: true,
+          }),
+          Match.objectLike({
+            Id: 'm0',
+            MetricStat: Match.objectLike({
+              Period: 86400, // 1 day in seconds, orignal metric period got overriden
+            }),
+          }),
+        ]),
+      }),
+    ]),
+  }));

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-codebuild/README.md

@@ -651,7 +651,6 @@ const project = new codebuild.Project(this, 'MyProject', {
   // vpc,
 });
 ```
->>>>>>> 39ec36ec6a (feat(codebuild): add custom instance type and VPC to Fleets)
 
 ## Logs
 

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-codepipeline-actions/integ.pipeline-elastic-beanstalk-deploy.ts

@@ -5,7 +5,7 @@ import * as iam from 'aws-cdk-lib/aws-iam';
 import { IManagedPolicy, ManagedPolicyReference } from 'aws-cdk-lib/aws-iam';
 import * as s3 from 'aws-cdk-lib/aws-s3';
 import * as deploy from 'aws-cdk-lib/aws-s3-deployment';
-import { App, Fn, RemovalPolicy, Stack, UnscopedValidationError } from 'aws-cdk-lib';
+import { App, Fn, RemovalPolicy, ResourceEnvironment, Stack, UnscopedValidationError } from 'aws-cdk-lib';
 import * as integ from '@aws-cdk/integ-tests-alpha';
 import * as cpactions from 'aws-cdk-lib/aws-codepipeline-actions';
 import { Node } from 'constructs';
@@ -56,6 +56,9 @@ function makePolicy(arn: string): IManagedPolicy {
     get node(): Node {
       throw new UnscopedValidationError('The result of fromAwsManagedPolicyName can not be used in this API');
     },
+    get env(): ResourceEnvironment {
+      throw new UnscopedValidationError('The result of fromAwsManagedPolicyName can not be used in this API');
+    },
   };
 }
 

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-cognito/README.md

@@ -480,13 +480,13 @@ new cognito.UserPool(this, 'myuserpool', {
 
 ### Threat Protection
 
-This feature is only available if your Feature Plan is set to PLUS. 
-
 Threat Protection can be set to configure enforcement levels and automatic responses for users in password-based and custom-challenge authentication flows.
 For configuration, there are 2 options for standard authentication and custom authentication.
 These are represented with properties `standardThreatProtectionMode` and `customThreatProtectionMode`.
 See the [documentation on Threat Protection](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html)
 
+**Note**: Threat Protection requires the PLUS feature plan for new user pools. CDK allows you to configure threat protection settings at synthesis time, and CloudFormation will validate feature plan requirements at deployment time. Existing user pools that are grandfathered on LITE plans with threat protection enabled will continue to work.
+
 
 ### Emails
 

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-dynamodb/README.md

@@ -381,7 +381,7 @@ https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt
 
 Secondary indexes allow efficient access to data with attributes other than the `primaryKey`. DynamoDB supports two types of secondary indexes:
 
-* Global secondary index - An index with a `partitionKey` and a `sortKey` that can be different from those on the base table. A `globalSecondaryIndex` is considered "global" because queries on the index can span all of the data in the base table, across all partitions. A `globalSecondaryIndex` is stored in its own partition space away from the base table and scales separately from the base table.
+* Global secondary index - An index with partition key(s) and optional sort key(s) that can be different from those on the base table. A `globalSecondaryIndex` is considered "global" because queries on the index can span all of the data in the base table, across all partitions. A `globalSecondaryIndex` is stored in its own partition space away from the base table and scales separately from the base table.
 
 * Local secondary index - An index that has the same `partitionKey` as the base table, but a different `sortKey`. A `localSecondaryIndex` is "local" in the sense that every partition of a `localSecondaryIndex` is scoped to a base table partition that has the same `partitionKey` value.
 
@@ -404,7 +404,41 @@ const table = new dynamodb.TableV2(this, 'Table', {
 });
 ```
 
-Alternatively, you can add a `globalSecondaryIndex` using the `addGlobalSecondaryIndex` method:
+#### Compound Keys
+
+Global secondary indexes support compound keys, allowing you to specify multiple partition keys and/or multiple sort keys. This enables more flexible query patterns for complex data models.
+
+**Key Constraints:**
+- You can specify up to **4 partition keys** per global secondary index
+- You can specify up to **4 sort keys** per global secondary index
+- Use **either** `partitionKey` (singular) **or** `partitionKeys` (plural), but not both
+- Use **either** `sortKey` (singular) **or** `sortKeys` (plural), but not both
+- At least one partition key must be specified (either `partitionKey` or `partitionKeys`)
+- For multiple keys, you **must** use the plural parameters (`partitionKeys` and/or `sortKeys`)
+- **Keys cannot be added or modified after index creation** - attempting to add additional keys to an existing index will result in an error
+
+**Example with compound partition and sort keys:**
+
+```ts
+const table = new dynamodb.TableV2(this, 'Table', {
+  partitionKey: { name: 'pk', type: dynamodb.AttributeType.STRING },
+  globalSecondaryIndexes: [
+    {
+      indexName: 'compound-gsi',
+      partitionKeys: [
+        { name: 'gsi_pk1', type: dynamodb.AttributeType.STRING },
+        { name: 'gsi_pk2', type: dynamodb.AttributeType.NUMBER },
+      ],
+      sortKeys: [
+        { name: 'gsi_sk1', type: dynamodb.AttributeType.STRING },
+        { name: 'gsi_sk2', type: dynamodb.AttributeType.BINARY },
+      ],
+    },
+  ],
+});
+```
+
+You can also add a `globalSecondaryIndex` using the `addGlobalSecondaryIndex` method:
 
 ```ts
 const table = new dynamodb.TableV2(this, 'Table', {
@@ -421,6 +455,16 @@ table.addGlobalSecondaryIndex({
   indexName: 'gsi2',
   partitionKey: { name: 'pk', type: dynamodb.AttributeType.STRING },
 });
+
+// Add a GSI with compound keys
+table.addGlobalSecondaryIndex({
+  indexName: 'compound-gsi2',
+  partitionKeys: [
+    { name: 'compound_pk1', type: dynamodb.AttributeType.STRING },
+    { name: 'compound_pk2', type: dynamodb.AttributeType.NUMBER },
+  ],
+  sortKey: { name: 'sk', type: dynamodb.AttributeType.STRING },
+});
 ```
 
 You can configure `readCapacity` and `writeCapacity` on a `globalSecondaryIndex` when an `TableV2` is configured with provisioned `billing`. If `TableV2` is configured with provisioned `billing` but `readCapacity` or `writeCapacity` are not configured on a `globalSecondaryIndex`, then they will be inherited from the capacity settings specified with the `billing` configuration:
@@ -816,9 +860,88 @@ Using `resourcePolicy` you can add a [resource policy](https://docs.aws.amazon.c
     });
 ```
 
+### Adding Resource Policy Statements Dynamically
+
+You can also add resource policy statements to a table after it's created using the `addToResourcePolicy` method. Following the same pattern as KMS, resource policies use wildcard resources to avoid circular dependencies:
+
+```ts
+const table = new dynamodb.TableV2(this, 'Table', {
+  partitionKey: { name: 'pk', type: dynamodb.AttributeType.STRING },
+});
+
+// Standard resource policy (recommended approach)
+table.addToResourcePolicy(new iam.PolicyStatement({
+  actions: ['dynamodb:GetItem', 'dynamodb:PutItem', 'dynamodb:Query'],
+  principals: [new iam.AccountRootPrincipal()],
+  resources: ['*'], // Wildcard avoids circular dependency - same pattern as KMS
+}));
+
+// Allow specific service access
+table.addToResourcePolicy(new iam.PolicyStatement({
+  actions: ['dynamodb:Query'],
+  principals: [new iam.ServicePrincipal('lambda.amazonaws.com')],
+  resources: ['*'],
+}));
+```
+
+#### Scoped Resource Policies (Advanced)
+
+For scoped resource policies that reference specific table ARNs, you must specify an explicit table name:
+
+```ts
+import { Fn } from 'aws-cdk-lib';
+
+// Table with explicit name enables scoped resource policies
+const table = new dynamodb.TableV2(this, 'Table', {
+  tableName: 'my-explicit-table-name', // Required for scoped resources
+  partitionKey: { name: 'pk', type: dynamodb.AttributeType.STRING },
+});
+
+// Now you can use scoped resources
+table.addToResourcePolicy(new iam.PolicyStatement({
+  actions: ['dynamodb:GetItem'],
+  principals: [new iam.AccountRootPrincipal()],
+  resources: [
+    Fn.sub('arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/my-explicit-table-name'),
+    Fn.sub('arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/my-explicit-table-name/index/*'),
+  ],
+}));
+```
+
+**Important Limitations:**
+- **Auto-generated table names**: Must use `resources: ['*']` to avoid circular dependencies
+- **Explicit table names**: Enable scoped resources but lose CDK's automatic naming benefits
+- **CloudFormation constraint**: Resource policies cannot reference the resource they're attached to during creation
+
 TableV2 doesn’t support creating a replica and adding a resource-based policy to that replica in the same stack update in Regions other than the Region where you deploy the stack update.
 To incorporate a resource-based policy into a replica, you'll need to initially deploy the replica without the policy, followed by a subsequent update to include the desired policy.
 
+### Grant Methods and Resource Policies
+
+Grant methods like `grantReadData()`, `grantWriteData()`, and `grantReadWriteData()` automatically add permissions to resource policies when used with same-account principals (like `AccountRootPrincipal`). This happens transparently:
+
+```ts
+const table = new dynamodb.TableV2(this, 'Table', {
+  partitionKey: { name: 'pk', type: dynamodb.AttributeType.STRING },
+});
+
+// Automatically adds to table's resource policy (same account)
+table.grantReadData(new iam.AccountRootPrincipal());
+
+// Adds to IAM user's policy (not resource policy)
+declare const user: iam.User;
+table.grantReadData(user);
+```
+
+**How it works:**
+- **Same-account principals** (AccountRootPrincipal, AccountPrincipal): Grant adds statement to table's resource policy
+- **IAM identities** (User, Role, Group): Grant adds statement to the identity's IAM policy
+- **Resource policy statements**: Automatically use wildcard resources (`*`) to avoid circular dependencies
+
+This behavior follows the same pattern as other AWS services like KMS and S3, where grants intelligently choose between resource policies and identity policies based on the principal type.
+
+**To avoid wildcards in resource policies:** If you need scoped resource ARNs instead of wildcards, use `addToResourcePolicy()` directly with an explicit table name instead of grant methods. See the "Scoped Resource Policies (Advanced)" section above for details.
+
 ## Grants
 
 Using any of the `grant*` methods on an instance of the `TableV2` construct will only apply to the primary table, its indexes, and any associated `encryptionKey`. As an example, `grantReadData` used below will only apply the table in `us-west-2`:

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-dynamodb/TABLE_V1_API.md

@@ -210,12 +210,55 @@ To get the partition key and sort key of the table or indexes you have configure
 
 ```ts
 declare const table: dynamodb.Table;
+
+// For single keys, use schema() (deprecated for compound keys)
 const schema = table.schema();
 const partitionKey = schema.partitionKey;
 const sortKey = schema.sortKey;
 
-// In case you want to get schema details for any secondary index
-// const { partitionKey, sortKey } = table.schema(INDEX_NAME);
+// For compound keys, use schemaV2() which returns normalized arrays
+const schemaV2 = table.schemaV2();
+const partitionKeys = schemaV2.partitionKeys; // Attribute[]
+const sortKeys = schemaV2.sortKeys; // Attribute[]
+
+// Get schema for a specific index
+const indexSchema = table.schemaV2('INDEX_NAME');
+```
+
+Note: `schema()` is deprecated for indexes with compound keys and will throw an error. Use `schemaV2()` instead, which always returns normalized arrays.
+
+## Global Secondary Indexes with Compound Keys
+
+Global secondary indexes support compound keys, allowing you to specify multiple partition keys and/or multiple sort keys. This enables more flexible query patterns for complex data models.
+
+**Key Constraints:**
+- You can specify up to **4 partition keys** per global secondary index
+- You can specify up to **4 sort keys** per global secondary index
+- Use **either** `partitionKey` (singular) **or** `partitionKeys` (plural), but not both
+- Use **either** `sortKey` (singular) **or** `sortKeys` (plural), but not both
+- At least one partition key must be specified (either `partitionKey` or `partitionKeys`)
+- For multiple keys, you **must** use the plural parameters (`partitionKeys` and/or `sortKeys`)
+- **Keys cannot be added or modified after index creation** - attempting to add additional keys to an existing index will result in an error
+
+**Example:**
+
+```ts
+const table = new dynamodb.Table(this, 'Table', {
+  partitionKey: { name: 'pk', type: dynamodb.AttributeType.STRING },
+  sortKey: { name: 'sk', type: dynamodb.AttributeType.STRING },
+});
+
+table.addGlobalSecondaryIndex({
+  indexName: 'compound-gsi',
+  partitionKeys: [
+    { name: 'gsi_pk1', type: dynamodb.AttributeType.STRING },
+    { name: 'gsi_pk2', type: dynamodb.AttributeType.NUMBER },
+  ],
+  sortKeys: [
+    { name: 'gsi_sk1', type: dynamodb.AttributeType.STRING },
+    { name: 'gsi_sk2', type: dynamodb.AttributeType.BINARY },
+  ],
+});
 ```
 
 ## Kinesis Stream

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-dynamodb/integ.dynamodb.add-to-resource-policy.ts

@@ -0,0 +1,97 @@
+/**
+ * Integration test for DynamoDB Table.addToResourcePolicy() method
+ *
+ * This test validates the fix for issue #35062: "(aws-dynamodb): `addToResourcePolicy` has no effect"
+ *
+ * WHAT WE'RE TESTING:
+ * - The addToResourcePolicy() method was broken - it had "no effect" when called
+ * - Resource policies weren't being added to the CloudFormation template
+ * - This created a security gap where developers thought they were securing tables but policies weren't applied
+ *
+ * TEST VALIDATION:
+ * 1. Creates DynamoDB tables with different resource policy configurations
+ * 2. Tests both wildcard resources (for auto-generated names) and scoped resources (for explicit names)
+ * 3. Verifies policies get added to CloudFormation templates with correct structure
+ * 4. Ensures both patterns work without circular dependencies
+ *
+ * @see https://github.com/aws/aws-cdk/issues/35062
+ */
+
+import { App, Fn, RemovalPolicy, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+
+export class TestStack extends Stack {
+  public readonly wildcardTable: dynamodb.Table;
+  public readonly scopedTable: dynamodb.Table;
+  public readonly grantTable: dynamodb.Table;
+
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    // TEST 1: Table with wildcard resource policy (auto-generated name)
+    // This is the standard pattern to avoid circular dependencies
+    this.wildcardTable = new dynamodb.Table(this, 'WildcardTable', {
+      partitionKey: {
+        name: 'id',
+        type: dynamodb.AttributeType.STRING,
+      },
+      removalPolicy: RemovalPolicy.DESTROY,
+    });
+
+    // Add resource policy with wildcard resources
+    this.wildcardTable.addToResourcePolicy(new iam.PolicyStatement({
+      actions: ['dynamodb:GetItem', 'dynamodb:PutItem', 'dynamodb:Query'],
+      principals: [new iam.AccountRootPrincipal()],
+      resources: ['*'], // Use wildcard to avoid circular dependency - standard pattern for resource policies
+    }));
+
+    // TEST 2: Table with scoped resource policy (explicit table name)
+    // This demonstrates how to use scoped resources when table name is known at synthesis time
+    this.scopedTable = new dynamodb.Table(this, 'ScopedTable', {
+      tableName: 'my-explicit-scoped-table', // Explicit name enables scoped ARN construction
+      partitionKey: {
+        name: 'id',
+        type: dynamodb.AttributeType.STRING,
+      },
+      removalPolicy: RemovalPolicy.DESTROY,
+    });
+
+    // Add resource policy with properly scoped resource using explicit table name
+    // This works because table name is known at synthesis time (no circular dependency)
+    this.scopedTable.addToResourcePolicy(new iam.PolicyStatement({
+      actions: ['dynamodb:GetItem', 'dynamodb:Query'],
+      principals: [new iam.AccountRootPrincipal()],
+      // Use CloudFormation intrinsic function to construct table ARN with known table name
+      resources: [Fn.sub('arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/my-explicit-scoped-table')],
+    }));
+
+    // TEST 3: Table using grant methods with AccountRootPrincipal
+    // This validates the fix for issue #35967: circular dependency when using grant methods
+    // Before fix: grant methods with AccountRootPrincipal caused circular dependency
+    // After fix: grant methods use resourceSelfArns: ['*'] to avoid circular dependency
+    this.grantTable = new dynamodb.Table(this, 'GrantTable', {
+      partitionKey: {
+        name: 'id',
+        type: dynamodb.AttributeType.STRING,
+      },
+      removalPolicy: RemovalPolicy.DESTROY,
+    });
+
+    // This should NOT cause circular dependency - validates fix for #35967
+    // Using grantWriteData because it has simpler actions valid for resource policies
+    this.grantTable.grantWriteData(new iam.AccountRootPrincipal());
+  }
+}
+
+// Test Setup
+const app = new App();
+const stack = new TestStack(app, 'add-to-resource-policy-test-stack');
+
+// Integration Test Configuration
+new IntegTest(app, 'add-to-resource-policy-integ-test', {
+  testCases: [stack],
+});
+

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-dynamodb/integ.dynamodb.compound.ts

@@ -0,0 +1,32 @@
+import { App, RemovalPolicy, Stack } from 'aws-cdk-lib';
+import { AttributeType, ProjectionType, Table } from 'aws-cdk-lib/aws-dynamodb';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+
+const app = new App();
+const stack = new Stack(app, 'aws-cdk-dynamodb-compound-keys');
+
+const table = new Table(stack, 'Table', {
+  tableName: 'cdk-test-compound',
+  partitionKey: { name: 'pkey', type: AttributeType.NUMBER },
+  removalPolicy: RemovalPolicy.DESTROY,
+});
+
+table.addGlobalSecondaryIndex({
+  indexName: 'IndexA',
+  partitionKeys: [{ name: 'PK1', type: AttributeType.STRING }, { name: 'PK2', type: AttributeType.NUMBER }],
+  sortKeys: [{ name: 'SK1', type: AttributeType.STRING }, { name: 'SK2', type: AttributeType.NUMBER }],
+  projectionType: ProjectionType.INCLUDE,
+  nonKeyAttributes: ['bar'],
+});
+
+table.addGlobalSecondaryIndex({
+  indexName: 'IndexB',
+  partitionKey: { name: 'baz', type: AttributeType.STRING },
+  sortKeys: [{ name: 'bar', type: AttributeType.STRING }, { name: 'foo', type: AttributeType.NUMBER }],
+  projectionType: ProjectionType.INCLUDE,
+  nonKeyAttributes: ['blah'],
+});
+
+new IntegTest(app, 'aws-cdk-dynamodb-compound-key-gsi', {
+  testCases: [stack],
+});

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-dynamodb/integ.dynamodb.policy.ts

@@ -38,7 +38,27 @@ export class TestStack extends Stack {
       removalPolicy: RemovalPolicy.DESTROY,
     });
 
-    this.tableTwo.grantReadData(new iam.AccountPrincipal('123456789012'));
+    // IMPORTANT: Cross-account grants with auto-generated table names create circular dependencies
+    //
+    // WHY NOT this.tableTwo.grantReadData(new iam.AccountPrincipal('123456789012'))?
+    // - Cross-account principals cannot have policies attached to them
+    // - Grant falls back to adding a resource policy to the table
+    // - Resource policy tries to reference this.tableArn (the table's own ARN)
+    // - This creates a circular dependency: Table → ResourcePolicy → Table ARN → Table
+    // - CloudFormation fails with "Circular dependency between resources"
+    //
+    // SOLUTIONS:
+    // 1. Use addToResourcePolicy with wildcard resources (this approach)
+    // 2. Use explicit table names: tableName: 'my-table-name' (enables scoped resources)
+    // 3. Use same-account principals (grants go to principal policy, not resource policy)
+    //
+    this.tableTwo.addToResourcePolicy(new iam.PolicyStatement({
+      actions: ['dynamodb:*'],
+      // we need a valid account for cross-account principal otherwise it won't deploy
+      // this account is from fact-table.ts
+      principals: [new iam.AccountPrincipal('127311923021')],
+      resources: ['*'], // Wildcard avoids circular dependency - same pattern as KMS
+    }));
   }
 }
 

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-dynamodb/integ.table-v2.compound.ts

@@ -0,0 +1,43 @@
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+import { App, RemovalPolicy, Stack } from 'aws-cdk-lib';
+import { AttributeType, ProjectionType, TableV2 } from 'aws-cdk-lib/aws-dynamodb';
+
+const app = new App();
+const stack = new Stack(app, 'aws-cdk-dynamodb-v2-compound-keys');
+
+const table = new TableV2(stack, 'Table', {
+  tableName: 'cdk-test-tableV2-compound',
+  partitionKey: { name: 'pkey', type: AttributeType.NUMBER },
+  globalSecondaryIndexes: [{
+    indexName: 'IndexA',
+    partitionKeys: [{ name: 'GSIAPK1', type: AttributeType.STRING }, { name: 'GSIAPK2', type: AttributeType.STRING }],
+    sortKeys: [{ name: 'GSIASK1', type: AttributeType.STRING }, { name: 'GSIASK2', type: AttributeType.NUMBER }],
+  }],
+  removalPolicy: RemovalPolicy.DESTROY,
+});
+
+table.addGlobalSecondaryIndex({
+  indexName: 'IndexB',
+  partitionKeys: [{ name: 'PK1', type: AttributeType.STRING }, { name: 'PK2', type: AttributeType.NUMBER }],
+  sortKeys: [{ name: 'SK1', type: AttributeType.STRING }, { name: 'SK2', type: AttributeType.NUMBER }],
+  projectionType: ProjectionType.INCLUDE,
+  nonKeyAttributes: ['bar'],
+});
+
+table.addGlobalSecondaryIndex({
+  indexName: 'IndexC',
+  partitionKey: { name: 'baz', type: AttributeType.STRING },
+  sortKeys: [{ name: 'bar', type: AttributeType.STRING }],
+  projectionType: ProjectionType.INCLUDE,
+  nonKeyAttributes: ['blah'],
+});
+
+table.addGlobalSecondaryIndex({
+  indexName: 'IndexD',
+  partitionKeys: [{ name: 'PK3', type: AttributeType.STRING }, { name: 'PK4', type: AttributeType.NUMBER }],
+  sortKeys: [{ name: 'SK3', type: AttributeType.STRING }, { name: 'SK4', type: AttributeType.NUMBER }],
+});
+
+new IntegTest(app, 'aws-cdk-dynamodbv2-compound-key-gsi', {
+  testCases: [stack],
+});