fix(cloudfront): use wildcard when grant some cloudfront permission

[phuhung273]

Issue # (if applicable)

Closes #33249

Reason for this change

CloudFront doesn't support resource-level permission for some permission as per Actions, resources, and condition keys for Amazon CloudFront

Description of changes

Use wildcard(*) when grant some cloudfront permission

Describe any new or updated permissions being added

Use wildcard(*) when grant some cloudfront permission

Description of how you validated changes

Unit + Integ

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.38%. Comparing base (e6f5bc8) to head (52acbfe).

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #33802   +/-   ##
=======================================
  Coverage   82.38%   82.38%           
=======================================
  Files         120      120           
  Lines        6937     6937           
  Branches     1170     1170           
=======================================
  Hits         5715     5715           
  Misses       1119     1119           
  Partials      103      103           

Flag	Coverage Δ
suite.unit	82.38% <ø> (-2.89%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	82.38% <ø> (-2.89%)	⬇️

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[Tietew]

This change seems to be incorrect because the ListInvalidations action can be restricted by distribution ARN. In other words, the action supports resource-level permissions.

Evidence:
Actions, resources, and condition keys for Amazon CloudFront
The ListDistributions row shows it requires distribution resource type.

[phuhung273]

Thanks for the doc reference, I've updated the list of wildcard only permission.

[aws-cdk-automation]

(This review is outdated)

[aws-cdk-automation]

(This review is outdated)

Dismissing outdated PRLinter review.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[aws-cdk-automation]

The pull request linter fails with the following errors:

❌ CodeCov is indicating a drop in code coverage

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 52acbfe
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository