@jaypie/constructs 1.2.28 → 1.2.29

package/dist/cjs/index.cjs

@@ -3695,6 +3695,7 @@ class JaypieSsoPermissions extends constructs.Construct {
                             "servicecatalog:*",
                             "sns:*",
                             "sqs:*",
+                            "ssm:*",
                             "states:*",
                             "tag:*",
                             "uxc:*",
@@ -3922,8 +3923,9 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
         if (process.env.CDK_ENV_REPO) {
             repo = `repo:${process.env.CDK_ENV_REPO}:*`;
         }
+        let bucketDeployRole;
         if (repo) {
-            const bucketDeployRole = new awsIam.Role(this, "DestinationBucketDeployRole", {
+            bucketDeployRole = new awsIam.Role(this, "DestinationBucketDeployRole", {
                 assumedBy: new awsIam.FederatedPrincipal(cdk.Fn.importValue(CDK$2.IMPORT.OIDC_PROVIDER), {
                     StringLike: {
                         "token.actions.githubusercontent.com:sub": repo,
@@ -4023,6 +4025,16 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
             new cdk.CfnOutput(this, "DistributionId", {
                 value: this.distribution.distributionId,
             });
+            // Add CloudFront invalidation permission to deploy role if it exists
+            if (bucketDeployRole) {
+                bucketDeployRole.addToPolicy(new awsIam.PolicyStatement({
+                    effect: awsIam.Effect.ALLOW,
+                    actions: ["cloudfront:CreateInvalidation"],
+                    resources: [
+                        `arn:aws:cloudfront::${cdk.Stack.of(this).account}:distribution/${this.distribution.distributionId}`,
+                    ],
+                }));
+            }
         }
     }
     // Implement remaining IBucket methods by delegating to the bucket