@jaypie/constructs 1.2.28 → 1.2.29

package/dist/esm/index.js

@@ -3661,6 +3661,7 @@ class JaypieSsoPermissions extends Construct {
                             "servicecatalog:*",
                             "sns:*",
                             "sqs:*",
+                            "ssm:*",
                             "states:*",
                             "tag:*",
                             "uxc:*",
@@ -3888,8 +3889,9 @@ class JaypieWebDeploymentBucket extends Construct {
         if (process.env.CDK_ENV_REPO) {
             repo = `repo:${process.env.CDK_ENV_REPO}:*`;
         }
+        let bucketDeployRole;
         if (repo) {
-            const bucketDeployRole = new Role(this, "DestinationBucketDeployRole", {
+            bucketDeployRole = new Role(this, "DestinationBucketDeployRole", {
                 assumedBy: new FederatedPrincipal(Fn.importValue(CDK$2.IMPORT.OIDC_PROVIDER), {
                     StringLike: {
                         "token.actions.githubusercontent.com:sub": repo,
@@ -3989,6 +3991,16 @@ class JaypieWebDeploymentBucket extends Construct {
             new CfnOutput(this, "DistributionId", {
                 value: this.distribution.distributionId,
             });
+            // Add CloudFront invalidation permission to deploy role if it exists
+            if (bucketDeployRole) {
+                bucketDeployRole.addToPolicy(new PolicyStatement({
+                    effect: Effect.ALLOW,
+                    actions: ["cloudfront:CreateInvalidation"],
+                    resources: [
+                        `arn:aws:cloudfront::${Stack.of(this).account}:distribution/${this.distribution.distributionId}`,
+                    ],
+                }));
+            }
         }
     }
     // Implement remaining IBucket methods by delegating to the bucket