feat(dynamodb): add TableGrants and StreamGrants (#36093)

### What is changing?

This PR introduces two new classes, `TableGrants` and `StreamGrants`, that allow the assignment of permissions, in a uniform way, to both L1s and L2s:

```ts
const table = new Table(...); // or new CfnTable(...)
const role = new Role(...);

// Allow the role to read data from the table
const grant = TableGrants._fromTable(table).readData(role);
```

To make the interface more similar to the auto-generated grants (e.g., `TopicGrants`), `TableGrants._fromTable()` takes a new interface, `IIndexableRegionalTable` as a parameter.

```ts
export interface IIndexableRegionalTable extends ITableRef {  
  /**  
   * Additional regions other than the main one that this table is replicated to    *   
   * @default no regions  
   */  
   readonly regions?: string[];  
  
  /**  
   * Whether this table has indexes   
   *   
   * If so, permissions are granted on all table indexes as well.   
   *   
   * @default false  
   */  
   readonly hasIndex?: boolean;  
}
```

And now `TableBase` implements `IIndexableRegionalTable`. `TableBase` has also gained two additional public immutable properties: `grants` and `streamGrants`, that should be used to grant permissions on a table. The existing `grant*()` methods will be deprecated soon.

### Why did the integration test templates change?

The current implementation uses `Lazy.string()` to produce the regional ARNs. Since the `produce()` method has to return _something_, it returned `Aws.NO_VALUE` when there was no real value to produce. In `TableGrants`, by contrast, the ARNs are computed eagerly in the constructor, so there is no need for pseudo-values. This is what caused the integration test templates to change. There are additional changes that are purely in the order of JSON properties.

### Why does `StreamGrants` not have a `_fromStream()` static method?

Unlike table, a table stream is not a resource in CloudFormation. So, although we could try to mimic one, by creating interfaces like `ITableStream`,  `ITableStreamRef`, `TableStreamReference`, there is nothing to gain from it. The consumer would still have to assemble an object from properties of a `Table` of `CfnTable` anyway.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: otaviomacedo

packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2-integrations/test/websocket/integ.lambda-connect-disconnect-trigger.js.snapshot/integ-apigwv2-lambda-connect-integration.template.json

@@ -52,17 +52,12 @@
         "dynamodb:UpdateItem"
        ],
        "Effect": "Allow",
-       "Resource": [
-        {
-         "Fn::GetAtt": [
-          "WebSocketLogTable7F74AAC5",
-          "Arn"
-         ]
-        },
-        {
-         "Ref": "AWS::NoValue"
-        }
-       ]
+       "Resource": {
+        "Fn::GetAtt": [
+         "WebSocketLogTable7F74AAC5",
+         "Arn"
+        ]
+       }
       }
      ],
      "Version": "2012-10-17"
@@ -97,7 +92,7 @@
       "Arn"
      ]
     },
-    "Runtime": "nodejs14.x",
+    "Runtime": "nodejs22.x",
     "Timeout": 5
    },
    "DependsOn": [
@@ -157,17 +152,12 @@
         "dynamodb:UpdateItem"
        ],
        "Effect": "Allow",
-       "Resource": [
-        {
-         "Fn::GetAtt": [
-          "WebSocketLogTable7F74AAC5",
-          "Arn"
-         ]
-        },
-        {
-         "Ref": "AWS::NoValue"
-        }
-       ]
+       "Resource": {
+        "Fn::GetAtt": [
+         "WebSocketLogTable7F74AAC5",
+         "Arn"
+        ]
+       }
       }
      ],
      "Version": "2012-10-17"
@@ -202,7 +192,7 @@
       "Arn"
      ]
     },
-    "Runtime": "nodejs14.x",
+    "Runtime": "nodejs22.x",
     "Timeout": 5
    },
    "DependsOn": [

packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2-integrations/test/websocket/integ.lambda-connect-disconnect-trigger.ts

@@ -17,7 +17,7 @@ const webSocketTableName = 'WebSocketConnections';
 
 const connectFunction = new lambda.Function(stack, 'Connect Function', {
   functionName: 'process_connect_requests',
-  runtime: lambda.Runtime.NODEJS_14_X,
+  runtime: lambda.Runtime.NODEJS_22_X,
   handler: 'index.handler',
   code: lambda.Code.fromAsset(path.join(__dirname, 'lambdas', 'connect')),
   timeout: cdk.Duration.seconds(5),
@@ -31,7 +31,7 @@ const disconnectFunction = new lambda.Function(
   'Disconnect Function',
   {
     functionName: 'process_disconnect_requests',
-    runtime: lambda.Runtime.NODEJS_14_X,
+    runtime: lambda.Runtime.NODEJS_22_X,
     handler: 'index.handler',
     code: lambda.Code.fromAsset(
       path.join(__dirname, 'lambdas', 'disconnect'),

packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.appsync-eventapi-dynamodb.js.snapshot/EventApiDynamoDBStack.template.json

@@ -77,17 +77,12 @@
         "dynamodb:UpdateItem"
        ],
        "Effect": "Allow",
-       "Resource": [
-        {
-         "Fn::GetAtt": [
-          "table8235A42E",
-          "Arn"
-         ]
-        },
-        {
-         "Ref": "AWS::NoValue"
-        }
-       ]
+       "Resource": {
+        "Fn::GetAtt": [
+         "table8235A42E",
+         "Arn"
+        ]
+       }
       }
      ],
      "Version": "2012-10-17"

packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.auth-apikey.js.snapshot/aws-appsync-integ.assets.json

@@ -71,17 +71,12 @@
         "dynamodb:UpdateItem"
        ],
        "Effect": "Allow",
-       "Resource": [
-        {
-         "Fn::GetAtt": [
-          "TestTable5769773A",
-          "Arn"
-         ]
-        },
-        {
-         "Ref": "AWS::NoValue"
-        }
-       ]
+       "Resource": {
+        "Fn::GetAtt": [
+         "TestTable5769773A",
+         "Arn"
+        ]
+       }
       }
      ],
      "Version": "2012-10-17"
@@ -103,8 +98,6 @@
       "ApiId"
      ]
     },
-    "Name": "testDataSource",
-    "Type": "AMAZON_DYNAMODB",
     "DynamoDBConfig": {
      "AwsRegion": {
       "Ref": "AWS::Region"
@@ -113,12 +106,14 @@
       "Ref": "TestTable5769773A"
      }
     },
+    "Name": "testDataSource",
     "ServiceRoleArn": {
      "Fn::GetAtt": [
       "ApitestDataSourceServiceRoleACBC3F3D",
       "Arn"
      ]
-    }
+    },
+    "Type": "AMAZON_DYNAMODB"
    }
   },
   "ApiQueryGetTestsF8C40170": {
@@ -130,12 +125,12 @@
       "ApiId"
      ]
     },
-    "FieldName": "getTests",
-    "TypeName": "Query",
     "DataSourceName": "testDataSource",
+    "FieldName": "getTests",
     "Kind": "UNIT",
     "RequestMappingTemplate": "{\"version\" : \"2017-02-28\", \"operation\" : \"Scan\", \"consistentRead\": false}",
-    "ResponseMappingTemplate": "$util.toJson($ctx.result.items)"
+    "ResponseMappingTemplate": "$util.toJson($ctx.result.items)",
+    "TypeName": "Query"
    },
    "DependsOn": [
     "ApiSchema510EECD7",
@@ -151,12 +146,12 @@
       "ApiId"
      ]
     },
-    "FieldName": "addTest",
-    "TypeName": "Mutation",
     "DataSourceName": "testDataSource",
+    "FieldName": "addTest",
     "Kind": "UNIT",
     "RequestMappingTemplate": "\n      #set($input = $ctx.args.test)\n      \n      {\n        \"version\": \"2017-02-28\",\n        \"operation\": \"PutItem\",\n        \"key\" : {\n      \"id\" : $util.dynamodb.toDynamoDBJson($util.autoId())\n    },\n        \"attributeValues\": $util.dynamodb.toMapValuesJson($input)\n      }",
-    "ResponseMappingTemplate": "$util.toJson($ctx.result)"
+    "ResponseMappingTemplate": "$util.toJson($ctx.result)",
+    "TypeName": "Mutation"
    },
    "DependsOn": [
     "ApiSchema510EECD7",
@@ -166,19 +161,19 @@
   "TestTable5769773A": {
    "Type": "AWS::DynamoDB::Table",
    "Properties": {
-    "KeySchema": [
+    "AttributeDefinitions": [
      {
       "AttributeName": "id",
-      "KeyType": "HASH"
+      "AttributeType": "S"
      }
     ],
-    "AttributeDefinitions": [
+    "BillingMode": "PAY_PER_REQUEST",
+    "KeySchema": [
      {
       "AttributeName": "id",
-      "AttributeType": "S"
+      "KeyType": "HASH"
      }
-    ],
-    "BillingMode": "PAY_PER_REQUEST"
+    ]
    },
    "UpdateReplacePolicy": "Delete",
    "DeletionPolicy": "Delete"