fix(dynamodb): resolve circular dependency with AccountRootPrincipal grants (#35983)

### Issue # (if applicable)

Closes #35967.

### Reason for this change

In CDK 2.222.0, PR #35554 fixed `addToResourcePolicy()` to actually work (it was previously a no-op). This exposed a circular dependency issue when using `grantReadData()` or other grant methods with `AccountRootPrincipal`.

When `AccountRootPrincipal` is used with grant methods, the IAM Grant system adds the policy to the table's resource policy (since it's in the same account). The resource policy statement included the table's ARN (`!GetAtt Table.Arn`), creating a circular dependency: Table → ResourcePolicy → Table.Arn → Table.

This is a regression that breaks existing user code that worked in 2.221.1.

### Description of changes

Applied the established KMS grant pattern to DynamoDB by adding `resourceSelfArns: ['*']` parameter to `Grant.addToPrincipalOrResource()` calls in the `combinedGrant` method.

**How it works:**
- `resourceArns` contains actual table ARNs → used for **principal policies** (IAM user/role policies)
- `resourceSelfArns: ['*']` → used for **resource policies** (table's resource policy)
- IAM Grant system automatically chooses which to use based on context
- No circular dependency because resource policy uses wildcard instead of `!GetAtt Table.Arn`

**Why wildcard is safe:**
- Wildcard is scoped to the table's resource policy (not global)
- Resource policy is attached to specific table resource
- Principal and Action fields still enforce access control
- Same pattern used by KMS for years in production

**Files modified:**
- `packages/aws-cdk-lib/aws-dynamodb/lib/table.ts` - Added `resourceSelfArns: ['*']` to `combinedGrant` method
- `packages/aws-cdk-lib/aws-dynamodb/lib/table-v2-base.ts` - Applied identical change for Table V2
- `packages/aws-cdk-lib/aws-dynamodb/README.md` - Added documentation about grant methods and resource policy interaction

**Before (causes circular dependency):**
```typescript
const table = new dynamodb.Table(this, 'Table', {
  partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },
});

// This caused circular dependency error in 2.222.0
table.grantReadData(new iam.AccountRootPrincipal());
// Error: Circular dependency between resources: [Table]
```

**After (no circular dependency):**
```typescript
const table = new dynamodb.Table(this, 'Table', {
  partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },
});

// This now works correctly
table.grantReadData(new iam.AccountRootPrincipal());
// ✓ Resource policy uses wildcard, no circular dependency
```

**CloudFormation template change:**
```json
{
  "Resources": {
    "Table": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "ResourcePolicy": {
          "PolicyDocument": {
            "Statement": [{
              "Action": ["dynamodb:BatchGetItem", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"],
              "Effect": "Allow",
              "Principal": { "AWS": "arn:aws:iam::ACCOUNT:root" },
              "Resource": "*"
            }]
          }
        }
      }
    }
  }
}
```

### Describe any new or updated permissions being added

N/A - This fix does not add new permissions. It resolves how existing grant methods generate resource policies to avoid circular dependencies.

### Description of how you validated changes

- **Unit tests**: Added 2 new tests validating `AccountRootPrincipal` with grant methods
  - `packages/aws-cdk-lib/aws-dynamodb/test/dynamodb.test.ts`: Test for Table V1
  - `packages/aws-cdk-lib/aws-dynamodb/test/table-v2.test.ts`: Test for Table V2
  - Both tests verify resource policy uses wildcard (`*`) to avoid circular dependency
  - All 348 unit tests pass (346 existing + 2 new)

- **Integration tests**: Enhanced existing integration test with grant scenario
  - `packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.add-to-resource-policy.ts`
  - Added TEST 3: Validates `grantWriteData(new AccountRootPrincipal())` works without circular dependency
  - Successfully deployed to AWS (us-east-1)
  - CloudFormation synthesis succeeds, no circular dependency errors
  - Snapshots updated with GrantTable resource

- **Regression testing**: All 346 existing tests pass
  - Grant methods with IAM Users still work
  - Grant methods with IAM Roles still work
  - Grant methods with Service Principals still work
  - Tables with indexes work correctly
  - Global tables (Table V2) work correctly
  - Encrypted tables work correctly

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: pahud

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.add-to-resource-policy.js.snapshot/add-to-resource-policy-test-stack.assets.json

@@ -115,6 +115,65 @@
    },
    "UpdateReplacePolicy": "Delete",
    "DeletionPolicy": "Delete"
+  },
+  "GrantTable13160A8B": {
+   "Type": "AWS::DynamoDB::Table",
+   "Properties": {
+    "AttributeDefinitions": [
+     {
+      "AttributeName": "id",
+      "AttributeType": "S"
+     }
+    ],
+    "KeySchema": [
+     {
+      "AttributeName": "id",
+      "KeyType": "HASH"
+     }
+    ],
+    "ProvisionedThroughput": {
+     "ReadCapacityUnits": 5,
+     "WriteCapacityUnits": 5
+    },
+    "ResourcePolicy": {
+     "PolicyDocument": {
+      "Statement": [
+       {
+        "Action": [
+         "dynamodb:BatchWriteItem",
+         "dynamodb:DeleteItem",
+         "dynamodb:DescribeTable",
+         "dynamodb:PutItem",
+         "dynamodb:UpdateItem"
+        ],
+        "Effect": "Allow",
+        "Principal": {
+         "AWS": {
+          "Fn::Join": [
+           "",
+           [
+            "arn:",
+            {
+             "Ref": "AWS::Partition"
+            },
+            ":iam::",
+            {
+             "Ref": "AWS::AccountId"
+            },
+            ":root"
+           ]
+          ]
+         }
+        },
+        "Resource": "*"
+       }
+      ],
+      "Version": "2012-10-17"
+     }
+    }
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
   }
  },
  "Parameters": {

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.add-to-resource-policy.js.snapshot/add-to-resource-policy-test-stack.template.json

@@ -26,6 +26,7 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 export class TestStack extends Stack {
   public readonly wildcardTable: dynamodb.Table;
   public readonly scopedTable: dynamodb.Table;
+  public readonly grantTable: dynamodb.Table;
 
   constructor(scope: Construct, id: string, props?: StackProps) {
     super(scope, id, props);
@@ -66,6 +67,22 @@ export class TestStack extends Stack {
       // Use CloudFormation intrinsic function to construct table ARN with known table name
       resources: [Fn.sub('arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/my-explicit-scoped-table')],
     }));
+
+    // TEST 3: Table using grant methods with AccountRootPrincipal
+    // This validates the fix for issue #35967: circular dependency when using grant methods
+    // Before fix: grant methods with AccountRootPrincipal caused circular dependency
+    // After fix: grant methods use resourceSelfArns: ['*'] to avoid circular dependency
+    this.grantTable = new dynamodb.Table(this, 'GrantTable', {
+      partitionKey: {
+        name: 'id',
+        type: dynamodb.AttributeType.STRING,
+      },
+      removalPolicy: RemovalPolicy.DESTROY,
+    });
+
+    // This should NOT cause circular dependency - validates fix for #35967
+    // Using grantWriteData because it has simpler actions valid for resource policies
+    this.grantTable.grantWriteData(new iam.AccountRootPrincipal());
   }
 }