fix(dynamodb): prevent "StreamARN not found for resource" errors (aws…

…#3935)

* do not allowing adding table as stream source if streams were not enabled at create time

* make StreamArn undefinable and move error check to DynamoDB table

* add check back

* test fix

* another test fix :)

* allow this breaking change

* breaking change fix

allowed-breaking-changes.txt

@@ -15,3 +15,4 @@ removed:@aws-cdk/aws-apigateway.MockIntegration.props
 incompatible-argument:@aws-cdk/aws-lambda.Function.<initializer>
 incompatible-argument:@aws-cdk/aws-lambda.SingletonFunction.<initializer>
 incompatible-argument:@aws-cdk/aws-lambda.Function.addEnvironment
+changed-type:@aws-cdk/aws-dynamodb.Table.tableStreamArn

packages/@aws-cdk/aws-dynamodb/lib/table.ts

@@ -211,7 +211,7 @@ export class Table extends Resource {
   /**
    * @attribute
    */
-  public readonly tableStreamArn: string;
+  public readonly tableStreamArn: string | undefined;
 
   private readonly table: CfnTable;
 
@@ -266,7 +266,7 @@ export class Table extends Resource {
     });
     this.tableName = this.getResourceNameAttribute(this.table.ref);
 
-    this.tableStreamArn = this.table.attrStreamArn;
+    this.tableStreamArn = props.stream ? this.table.attrStreamArn : undefined;
 
     this.scalingRole = this.makeScalingRole();
 
@@ -452,6 +452,10 @@ export class Table extends Resource {
    * @param actions The set of actions to allow (i.e. "dynamodb:DescribeStream", "dynamodb:GetRecords", ...)
    */
   public grantStream(grantee: iam.IGrantable, ...actions: string[]) {
+    if (!this.tableStreamArn) {
+      throw new Error(`DynamoDB Streams must be enabled on the table ${this.node.path}`);
+    }
+
     return iam.Grant.addToPrincipal({
       grantee,
       actions,

packages/@aws-cdk/aws-dynamodb/test/test.dynamodb.ts

@@ -1184,6 +1184,23 @@ export = {
       test.done();
     },
 
+    '"grantStreamRead" should fail if streaming is not enabled on table"'(test: Test) {
+      // GIVEN
+      const stack = new Stack();
+      const table = new Table(stack, 'my-table', {
+        partitionKey: {
+          name: 'id',
+          type: AttributeType.STRING
+        }
+      });
+      const user = new iam.User(stack, 'user');
+
+      // WHEN
+      test.throws(() => table.grantStreamRead(user), /DynamoDB Streams must be enabled on the table my-table/);
+
+      test.done();
+    },
+
     '"grantStreamRead" allows principal to read and describe the table stream"'(test: Test) {
       // GIVEN
       const stack = new Stack();

packages/@aws-cdk/aws-lambda-event-sources/lib/dynamodb.ts

@@ -30,6 +30,10 @@ export class DynamoEventSource implements lambda.IEventSource {
   }
 
   public bind(target: lambda.IFunction) {
+    if (!this.table.tableStreamArn) {
+      throw new Error(`DynamoDB Streams must be enabled on the table ${this.table.node.path}`);
+    }
+
     target.addEventSourceMapping(`DynamoDBEventSource:${this.table.node.uniqueId}`, {
       batchSize: this.props.batchSize || 100,
       eventSourceArn: this.table.tableStreamArn,

packages/@aws-cdk/aws-lambda-event-sources/test/test.dynamo.ts

@@ -111,6 +111,26 @@ export = {
     test.done();
   },
 
+  'fails if streaming not enabled on table'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const fn = new TestFunction(stack, 'Fn');
+    const table = new dynamodb.Table(stack, 'T', {
+      partitionKey: {
+        name: 'id',
+        type: dynamodb.AttributeType.STRING
+      }
+    });
+
+    // WHEN
+    test.throws(() => fn.addEventSource(new sources.DynamoEventSource(table, {
+      batchSize: 50,
+      startingPosition: lambda.StartingPosition.LATEST
+    })), /DynamoDB Streams must be enabled on the table T/);
+
+    test.done();
+  },
+
   'fails if batch size < 1'(test: Test) {
     // GIVEN
     const stack = new cdk.Stack();