DynamoDB IAM policy doesn't include `dynamodb:ConditionCheck`
cmcnicholas opened this issue · 0 comments
I noticed whilst deploying recently that a feature I was using for DynamoDB, using ConditionCheck for write transactions, is not allowed out of the box with lift. I can't see any documentation as to why this is the case and believe it is an oversight, as it is a useful feature when writing transacted statements with DynamoDB; see this AWS article for details:
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/transaction-apis-iam.html
The offending line is: https://github.com/getlift/lift/blob/71b15804ec24bceda35e8a1cf6fe48f2c32567eb/src/constructs/aws/DatabaseDynamoDBSingleTable.ts#LL88C29-L88C29
I believe simply adding `dynamodb:ConditionCheckItem` would enable this feature without having to modify the default permissions manually.
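As an added example (not part of the issue or of lift's own code), a small Python check that reports which actions a DynamoDB transactional write needs that an IAM policy does not allow, and shows the gap closing once the action above is added. The `DEFAULT_POLICY` below is constructed to mirror the gap described and is an assumption, not lift's actual generated policy.

```python
from copy import deepcopy
from fnmatch import fnmatchcase

# Actions a TransactWriteItems call may need, per the AWS transaction-IAM guide
# linked above: each operation inside the transaction is authorised separately.
TRANSACT_WRITE_ACTIONS = ("dynamodb:PutItem", "dynamodb:UpdateItem",
                          "dynamodb:DeleteItem", "dynamodb:ConditionCheckItem")

# Constructed policy in the shape the issue describes: single-table CRUD plus the
# transaction API, but no ConditionCheckItem (not lift's actual generated policy).
DEFAULT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
                   "dynamodb:DeleteItem", "dynamodb:Query",
                   "dynamodb:TransactWriteItems"],
        "Resource": "arn:aws:dynamodb:*:*:table/example",
    }],
}


def allowed_actions(policy: dict) -> list[str]:
    """Action patterns from every Allow statement (Deny handling is out of scope)."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def missing_actions(policy: dict, required=TRANSACT_WRITE_ACTIONS) -> list[str]:
    """Required actions that no Allow pattern matches. IAM action matching is
    case-insensitive and accepts '*' and '?', so 'dynamodb:*Item' would also cover it."""
    patterns = [p.lower() for p in allowed_actions(policy)]
    return [a for a in required
            if not any(fnmatchcase(a.lower(), p) for p in patterns)]


def with_condition_check(policy: dict) -> dict:
    """Copy of the policy with the explicit action the issue proposes adding."""
    fixed = deepcopy(policy)
    fixed["Statement"][0]["Action"].append("dynamodb:ConditionCheckItem")
    return fixed
```

Running `missing_actions` against a deployed role's inline policy is a cheap pre-deploy check that a least-privilege policy still covers every operation a transaction can contain.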