fix(cloudfront): use wildcard when grant some cloudfront permission

[phuhung273]

Issue # (if applicable)

Closes #33249

Reason for this change

CloudFront doesn't support resource-level permission for some permission as per Actions, resources, and condition keys for Amazon CloudFront

Description of changes

Use wildcard(*) when grant some cloudfront permission

Describe any new or updated permissions being added

Use wildcard(*) when grant some cloudfront permission

Description of how you validated changes

Unit + Integ

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.98%. Comparing base (74cbe27) to head (5ac8de6).
Report is 12 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #33802   +/-   ##
=======================================
  Coverage   83.98%   83.98%           
=======================================
  Files         120      120           
  Lines        6976     6976           
  Branches     1178     1178           
=======================================
  Hits         5859     5859           
  Misses       1005     1005           
  Partials      112      112           

Flag	Coverage Δ
suite.unit	83.98% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	83.98% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[Tietew]

This change seems to be incorrect because the ListInvalidations action can be restricted by distribution ARN. In other words, the action supports resource-level permissions.

Evidence:
Actions, resources, and condition keys for Amazon CloudFront
The ListDistributions row shows it requires distribution resource type.

[phuhung273]

Thanks for the doc reference, I've updated the list of wildcard only permission.

[aws-cdk-automation]

(This review is outdated)

[aws-cdk-automation]

(This review is outdated)

Dismissing outdated PRLinter review.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[aws-cdk-automation]

(This review is outdated)

[aws-cdk-automation]

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. Note that PRs with failing linting check or builds are not reviewed, please ensure your build is passing

To prevent automatic closure:

• Resume work on the PR
• OR request an exemption by adding a comment containing 'Exemption Request' with justification e.x "Exemption Request: "
• OR request clarification by adding a comment containing 'Clarification Request' with a question e.x "Clarification Request: "

This PR will automatically close in 14 days if no action is taken.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[kumsmrit]

Thank you for your contribution; the PR looks good, except for a few minor comment.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 067a99d
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.