From c31e4e36f7f2b6f8c4df43e1be01ee04236d1a11 Mon Sep 17 00:00:00 2001
From: Daisuke
Date: Sun, 1 Feb 2026 17:30:36 +0900
Subject: [PATCH] feat(iam): allow cloudfront function updates - grant CloudFront Function and invalidation permissions
---
 policies/cloudformation-write-policy.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/policies/cloudformation-write-policy.yaml b/policies/cloudformation-write-policy.yaml
index 4d22101..273f792 100644
--- a/policies/cloudformation-write-policy.yaml
+++ b/policies/cloudformation-write-policy.yaml
@@ -63,3 +63,14 @@ Resources:
 Action:
 - s3:PutObject
 Resource: "*"
+ - Effect: Allow
+ Action:
+ - cloudfront:CreateFunction
+ - cloudfront:UpdateFunction
+ - cloudfront:PublishFunction
+ - cloudfront:DescribeFunction
+ - cloudfront:GetFunction
+ - cloudfront:DeleteFunction
+ - cloudfront:ListFunctions
+ - cloudfront:CreateInvalidation
+ Resource: "*"
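Review bot: The new statement grants `cloudfront:UpdateFunction`, `PublishFunction` and `DeleteFunction` on `Resource: "*"`, so whoever holds this policy can rewrite or remove any CloudFront Function in the account, including ones running on viewer traffic for distributions this pipeline does not own. These actions support resource-level scoping, so I would split the statement: function actions limited to a function ARN prefix, `cloudfront:CreateInvalidation` limited to the intended distribution ARN, and only `cloudfront:ListFunctions` left on `"*"`. The commit title speaks of function updates, so it is also worth confirming that `cloudfront:DeleteFunction` is needed at all. The sketch below assumes the file is a CloudFormation template (the hunk header shows `Resources:`), and its angle-bracket values are placeholders to fill in. The policy's statement list starts outside the hunk.

```yaml
# … unchanged: earlier statements of the policy, including the s3:PutObject one …
- Effect: Allow
  Action:
    - cloudfront:CreateFunction
    - cloudfront:UpdateFunction
    - cloudfront:PublishFunction
    - cloudfront:DescribeFunction
    - cloudfront:GetFunction
    - cloudfront:DeleteFunction
  Resource: !Sub "arn:${AWS::Partition}:cloudfront::${AWS::AccountId}:function/<FUNCTION_NAME_PREFIX>*"
- Effect: Allow
  Action:
    - cloudfront:ListFunctions
  Resource: "*"
- Effect: Allow
  Action:
    - cloudfront:CreateInvalidation
  Resource: !Sub "arn:${AWS::Partition}:cloudfront::${AWS::AccountId}:distribution/<DISTRIBUTION_ID>"
```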