feat(dynamodb): add cross-account global table replication support (#36895)

### Reason for this change

DynamoDB global tables currently only support same-account replication across regions. Customers need the ability to replicate tables across AWS accounts for multi-tenant architectures, organizational boundaries, and disaster recovery scenarios.

### Description of changes

Added support for cross-account DynamoDB global table replication through a new TableV2MultiAccountReplica construct and automatic permission management:

Core Changes:
- Added TableV2MultiAccountReplica construct for creating replicas from source tables in different accounts
- Added settingsReplicationMode property to control replication of table settings (indexes, streams, encryption)
- Implemented automatic resource policy and KMS permissions for cross-account replication
- Added TableGrants class with multiAccountReplicationTo() and multiAccountReplicationFrom() methods

Permission Management:
- Source table resource policy grants dynamodb:AssociateTableReplica to replica account
- Both tables grant DynamoDB replication service read/write permissions with aws:SourceAccount conditions
- Automatic KMS key permissions when encryption is enabled

Design Decisions:
- Used aws:SourceAccount condition instead of aws:SourceArn to avoid circular dependencies
- Only pass encryptedResource when encryption key exists to avoid unnecessary policy statements
- Validate that source and replica are in different regions
- Require explicit table names for cross-account replicas when source uses generated names

### Describe any new or updated permissions being added

DynamoDB Table Resource Policies:
- dynamodb:AssociateTableReplica - Granted to replica account on source table
- dynamodb:ReadDataForReplication, dynamodb:WriteDataForReplication, dynamodb:ReplicateSettings - Granted to replication.dynamodb.amazonaws.com service principal with aws:SourceAccount condition

KMS Key Permissions (when encryption enabled):
- kms:Decrypt, kms:DescribeKey, kms:Encrypt, kms:ReEncrypt*, kms:GenerateDataKey* - Granted to replication.dynamodb.amazonaws.com service principal

### Description of how you validated changes

Unit Tests:
- Added tests for TableV2MultiAccountReplica construct
- Added tests for cross-account replication permission grants
- Added tests for KMS permission grants
- Added tests for validation (same-region check, table name requirements)

Integration Tests:
- Created integ.dynamodb-v2.cross-account-replica.ts - Tests full cross-account replication with both tables in same CDK app
- Created integ.dynamodb-v2.cross-account-replica-imported.ts - Tests replication with imported source table from different account
- Manually deployed and verified bidirectional replication works with SettingsReplicationMode.ALL

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

Author: LeeroyHannigan

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.cross-account-replica-imported.js.snapshot/ImportedReplicaTestDefaultTestDeployAssert1EFA3D60.assets.json

@@ -0,0 +1,81 @@
+{
+ "Resources": {
+  "ReplicaDDFB2A87": {
+   "Type": "AWS::DynamoDB::GlobalTable",
+   "Properties": {
+    "GlobalTableSourceArn": "arn:aws:dynamodb:eu-west-1:12345678:table/MultiAccountGlobalTable",
+    "Replicas": [
+     {
+      "GlobalTableSettingsReplicationMode": "ENABLED",
+      "Region": "ca-central-1",
+      "ResourcePolicy": {
+       "PolicyDocument": {
+        "Statement": [
+         {
+          "Action": [
+           "dynamodb:ReadDataForReplication",
+           "dynamodb:ReplicateSettings",
+           "dynamodb:WriteDataForReplication"
+          ],
+          "Condition": {
+           "StringEquals": {
+            "aws:SourceAccount": [
+             "222222222222",
+             "12345678"
+            ]
+           }
+          },
+          "Effect": "Allow",
+          "Principal": {
+           "Service": "replication.dynamodb.amazonaws.com"
+          },
+          "Resource": "*",
+          "Sid": "AllowReplicationService"
+         }
+        ],
+        "Version": "2012-10-17"
+       }
+      }
+     }
+    ],
+    "TableName": "MultiAccountGlobalTable"
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}