fix(custom-resource): provider framework lambda missing GetFunction permission (#33315)

### Issue # (if applicable)

Closes #26838.

### Reason for this change

In the Provider Framework lambda code, there is logic to catch errors arising from invoking the User Defined handler lambda. Upon error, it polls the state of the User Defined handler until it is in ACTIVE state (#22612 added this logic):

https://github.com/aws/aws-cdk/blob/64b865ba7697f454a1f091a67bf54a6d4ad0e76e/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.ts#L66-L80

The polling uses the AWS SDK `waitUntilFunctionActiveV2` function, which calls the Lambda GetFunction API:
https://github.com/aws/aws-sdk-js-v3/blob/6858c7e04730a2b524b06355969e4076c28ae863/clients/client-lambda/src/waiters/waitForFunctionActiveV2.ts#L57

However, the Provider Framework lambda does not have the `lambda:GetFunction` permission.

##### Why is the issue saying the `lambda:GetFunctionConfiguration` is needed instead of `lambda:GetFunction`?

At some point in time, the retry logic used `waitUntilFunctionActive` for polling, which uses `GetFunctionConfiguration`. But this is no longer the case after c3a4b7b#diff-85920270c638d83b082246e0026f1a316dd39aaa3cd8720fdaeb3d526e438f7fR66

### Description of changes

Added the `lambda:GetFunction` permission on the role used by the Provider Framework lambda.

### Describe any new or updated permissions being added

The `lambda:GetFunction` permission is added.


### Description of how you validated changes

There isn't a straightforward way to test the INACTIVE lambda scenario, as one needs to wait 14 days for a Lambda function to become INACTIVE. Therefore, I am not able to create an integ test.

What I did was to locally change the Provider Framework lambda code to throw an error such that it executes the catch block. Then I verified in CloudTrail that the Provider Framework lambda called `GetFunction` successfully and then it was also able to invoke the User Defined Handler lambda.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
moelasmar authored Feb 6, 2025
1 parent bc82f57 commit 80217f1
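The commit message above explains why the framework role now needs `lambda:GetFunction` on the handler functions: the SDK waiter calls that API. Below is an added example, not code from the aws-cdk repository, of how a reviewer can check a synthesized policy document for that grant and confirm it is scoped to the handler ARNs rather than `*`. The policy object is constructed inline to mirror the snapshot statements in the diff; the logical IDs `IsCompleteHandler7073F4DA` and `OnEventHandler42BEBAE0` are taken from the diff, while `checkGetFunctionGrant` and `getFunctionGrantIsMinimal` are hypothetical helper names.

```typescript
// Added example (not from the aws-cdk repository): checks a synthesized
// CloudFormation IAM policy document for a least-privilege lambda:GetFunction
// grant. The sample policy is constructed to mirror the snapshot in the diff.

type GetAtt = { 'Fn::GetAtt': [string, string] };
type ResourceRef = string | GetAtt;

interface PolicyStatement {
  Action: string | string[];
  Effect: 'Allow' | 'Deny';
  Resource?: ResourceRef | ResourceRef[];
}

interface PolicyDocument {
  Statement: PolicyStatement[];
  Version: string;
}

function asList<T>(v: T | T[] | undefined): T[] {
  if (v === undefined) return [];
  return Array.isArray(v) ? v : [v];
}

// Logical IDs of the two handler functions, as they appear in the diff.
export const handlerIds = ['IsCompleteHandler7073F4DA', 'OnEventHandler42BEBAE0'];

function handlerArn(logicalId: string): GetAtt {
  return { 'Fn::GetAtt': [logicalId, 'Arn'] };
}

// Constructed sample: an invoke grant plus the GetFunction grant the commit adds.
export const samplePolicy: PolicyDocument = {
  Statement: [
    { Action: 'lambda:InvokeFunction', Effect: 'Allow', Resource: handlerIds.map(handlerArn) },
    { Action: 'lambda:GetFunction', Effect: 'Allow', Resource: handlerIds.map(handlerArn) },
  ],
  Version: '2012-10-17',
};

// Returns the handler logical IDs that receive lambda:GetFunction, sorted.
// Throws if the grant is missing for any expected handler, or if it reaches
// anything other than an expected handler's ARN (a literal ARN, "*", or a
// different logical ID would all be over-broad for the framework role).
export function checkGetFunctionGrant(policy: PolicyDocument, expected: string[]): string[] {
  const granted = new Set<string>();
  for (const stmt of policy.Statement) {
    if (stmt.Effect !== 'Allow') continue;
    const covers = asList(stmt.Action).some(
      (a) => a === 'lambda:GetFunction' || a === 'lambda:*' || a === '*',
    );
    if (!covers) continue;
    for (const r of asList(stmt.Resource)) {
      if (typeof r === 'string') {
        throw new Error(`lambda:GetFunction granted on literal resource "${r}"; expected handler ARNs only`);
      }
      const [logicalId, attr] = r['Fn::GetAtt'];
      if (attr !== 'Arn' || !expected.includes(logicalId)) {
        throw new Error(`lambda:GetFunction granted on unexpected resource ${logicalId}.${attr}`);
      }
      granted.add(logicalId);
    }
  }
  const missing = expected.filter((h) => !granted.has(h));
  if (missing.length > 0) {
    throw new Error(`no lambda:GetFunction grant for ${missing.join(', ')}`);
  }
  return Array.from(granted).sort();
}

// Convenience wrapper returning a verdict instead of throwing.
export function getFunctionGrantIsMinimal(policy: PolicyDocument, expected: string[]): boolean {
  try {
    checkGetFunctionGrant(policy, expected);
    return true;
  } catch {
    return false;
  }
}
```

Run `checkGetFunctionGrant(samplePolicy, handlerIds)` against the policy document pulled out of a synthesized template's role policy; it returns both handler IDs for the shape the commit produces and throws for a `Resource: "*"` grant or a missing statement. The wildcard rejection matters because `GetFunction` returns a presigned download URL for the function's deployment package, so a broad grant would let the framework role read any function's code in the account.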
Showing 961 changed files with 153,727 additions and 39,859 deletions.
2 changes: 2 additions & 0 deletions .gitattributes
Expand Up @@ -14,3 +14,5 @@
**/*.snapshot/**/*.template.json -linguist-generated
**/*.snapshot/**/*DeployAssert*.template.json linguist-generated
packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-big-response.js.snapshot/asset.3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip filter=lfs diff=lfs merge=lfs -text
packages/@aws-cdk-testing/framework-integ/test/**/*.snapshot/**/asset*.zip filter=lfs diff=lfs merge=lfs -text
packages/@aws-cdk/*-alpha/test/**/*.snapshot/**/asset*.zip filter=lfs diff=lfs merge=lfs -text
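Review bot: the new glob `packages/@aws-cdk-testing/framework-integ/test/**/*.snapshot/**/asset*.zip` already matches the existing explicit entry `packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-big-response.js.snapshot/asset.3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip`, so that explicit line is now redundant and could be dropped to leave a single LFS rule to maintain. This `.gitattributes` change is also unrelated to the `lambda:GetFunction` permission fix the commit title describes, and together with the 961 changed files reported above it suggests unrelated branch content landed in the same commit; the permission fix would be easier to audit as its own commit.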
Binary file not shown.
Binary file not shown.
Binary file not shown.


Expand Up @@ -291,7 +291,7 @@
{
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
},
"/9f9e7436ed98342a4f1f0b598ef9976aa52d9ad4f145e5ef3b06928a267551fd.json"
"/1b09badc4e19e59ec158617bd51789ee6ed15cfe942f7a98932d5b6a3a0a0e56.json"
]
]
}
Expand Up @@ -419,6 +419,24 @@
}
]
},
{
"Action": "lambda:GetFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"IsCompleteHandler7073F4DA",
"Arn"
]
},
{
"Fn::GetAtt": [
"OnEventHandler42BEBAE0",
"Arn"
]
}
]
},
{
"Action": "states:StartExecution",
"Effect": "Allow",
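Review bot: scoping the new `lambda:GetFunction` statement to the two handler ARNs via `Fn::GetAtt` on `IsCompleteHandler7073F4DA` and `OnEventHandler42BEBAE0`, rather than `"*"`, is the right choice and should not be widened in a follow-up: `GetFunction` returns the function configuration together with a presigned download URL for the deployment package, so a wildcard grant would let the framework role fetch the code of any function in the account. Since this is a regenerated snapshot, the thing to confirm is in the construct code (not shown on this page): the grant should be derived from the same handler references as the invoke grant, so that both stay in step if a handler is added or removed.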
Expand Down Expand Up @@ -570,6 +588,24 @@
]
}
]
},
{
"Action": "lambda:GetFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"IsCompleteHandler7073F4DA",
"Arn"
]
},
{
"Fn::GetAtt": [
"OnEventHandler42BEBAE0",
"Arn"
]
}
]
}
],
"Version": "2012-10-17"
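Review bot: this is the same statement as in the previous hunk, repeated for another provider role in the snapshot, which is fine. However, the commit description says the INACTIVE path could not be covered by an integ test and was verified only manually through CloudTrail, so these snapshot diffs are the only automated evidence of the change. A unit test on the construct asserting that the framework role's policy contains an `Allow` for `lambda:GetFunction` whose `Resource` is exactly the `OnEventHandler` and `IsCompleteHandler` ARNs would give the fix a non-manual counterpart, and would catch a future SDK waiter change like the `waitUntilFunctionActive` to `waitUntilFunctionActiveV2` switch the description mentions, which silently changed the API the role needs.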
Expand Down Expand Up @@ -712,6 +748,24 @@
]
}
]
},
{
"Action": "lambda:GetFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"IsCompleteHandler7073F4DA",
"Arn"
]
},
{
"Fn::GetAtt": [
"OnEventHandler42BEBAE0",
"Arn"
]
}
]
}
],
"Version": "2012-10-17"

0 comments on commit 80217f1
