From 51d62d2b652c8f4f8a73e4b628fbc8059147f254 Mon Sep 17 00:00:00 2001
From: Jason Cao
Date: Wed, 1 Nov 2023 13:44:02 -0400
Subject: [PATCH] readded custom resource permission change
---
 .../custom-resources/lib/provider-framework/provider.ts | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/packages/aws-cdk-lib/custom-resources/lib/provider-framework/provider.ts b/packages/aws-cdk-lib/custom-resources/lib/provider-framework/provider.ts
index 394570aeefcc2..7c13bf7018644 100644
--- a/packages/aws-cdk-lib/custom-resources/lib/provider-framework/provider.ts
+++ b/packages/aws-cdk-lib/custom-resources/lib/provider-framework/provider.ts
@@ -231,6 +231,11 @@ export class Provider extends Construct implements ICustomResourceProvider {
 fn.addEnvironment(consts.USER_ON_EVENT_FUNCTION_ARN_ENV, this.onEventHandler.functionArn);
 this.onEventHandler.grantInvoke(fn);
+ fn.addToRolePolicy(new iam.PolicyStatement({
+ effect: iam.Effect.ALLOW,
+ actions: ['lambda:GetFunctionConfiguration'],
+ resources: [this.onEventHandler.functionArn],
+ }));
 if (this.isCompleteHandler) {
 fn.addEnvironment(consts.USER_IS_COMPLETE_FUNCTION_ARN_ENV, this.isCompleteHandler.functionArn);
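Review bot: The new `lambda:GetFunctionConfiguration` statement is scoped to `this.onEventHandler.functionArn` only, while the `if (this.isCompleteHandler)` branch that opens at the end of this hunk shows no matching grant; if the framework reads a user function's configuration before invoking it (inferred, the runtime code is not in this patch), the is-complete path would fail with an access error. Inside that branch I would add `fn.addToRolePolicy(new iam.PolicyStatement({ actions: ['lambda:GetFunctionConfiguration'], resources: [this.isCompleteHandler.functionArn] }));`. The call also deserves a comment such as `// read-only config lookup on the user handler; the response includes its environment variables, so keep this scoped to the single ARN`, since nothing here says why the framework role needs it. The enclosing method and the `if` branch both continue outside the hunk, so the second grant may already exist further down.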