Optional Readonly policyArn: ARN of an existing managed policy to attach to the build role. Mutually exclusive with policyDocument. The deployer is responsible for ensuring the referenced policy follows least-privilege principles — CDK Nag cannot inspect imported policies.
Optional Readonly policyDocument: Inline policy document. The construct creates a managed policy from these statements. Mutually exclusive with policyArn.
Optional Readonly suppressions: CDK Nag suppressions for rules triggered by this policy. Required when policyDocument uses wildcard resources. Deployers are responsible for ensuring suppression reasons are specific and auditable.
Policy configuration for the build role. Supports managed policy ARNs or inline policy documents (mutually exclusive per entry).
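A pre-synthesis check for the rules stated above, written as an added example and not the construct's own code. The type names, the JSON statement shape, the { id, reason } suppression shape, the 10-character reason threshold and the sample entries are all assumptions made for illustration.

```typescript
// Hypothetical shapes mirroring the three documented properties.
interface Statement { Effect: string; Action: string | string[]; Resource: string | string[]; }
interface Suppression { id: string; reason: string; }
interface PolicyEntry {
  readonly policyArn?: string;
  readonly policyDocument?: { Statement: Statement[] };
  readonly suppressions?: Suppression[];
}

// Assumed minimum length for a reason to count as "specific and auditable".
const MIN_REASON_LENGTH = 10;

// True when any statement names a resource containing a wildcard.
function hasWildcardResource(doc: { Statement: Statement[] }): boolean {
  return doc.Statement.some((s) =>
    ([] as string[]).concat(s.Resource).some((r) => r.includes("*")));
}

// Returns one finding per violated rule; an empty array means the entry passes.
function validatePolicyEntry(entry: PolicyEntry): string[] {
  const findings: string[] = [];
  const suppressions = entry.suppressions ?? [];
  if (entry.policyArn !== undefined && entry.policyDocument !== undefined) {
    findings.push("policyArn and policyDocument are mutually exclusive");
  }
  if (entry.policyDocument && hasWildcardResource(entry.policyDocument) && suppressions.length === 0) {
    findings.push("policyDocument uses wildcard resources but has no suppressions");
  }
  for (const s of suppressions) {
    if (s.reason.trim().length < MIN_REASON_LENGTH) {
      findings.push(`suppression ${s.id} lacks a specific reason`);
    }
  }
  return findings;
}

// Constructed sample data (account id, bucket and policy names are placeholders).
const scopedDoc = { Statement: [{ Effect: "Allow", Action: "s3:GetObject",
  Resource: "arn:aws:s3:::example-artifacts/build.zip" }] };
const wildcardDoc = { Statement: [{ Effect: "Allow", Action: ["s3:GetObject"],
  Resource: ["arn:aws:s3:::example-artifacts/*"] }] };
const goodSuppression = { id: "AwsSolutions-IAM5",
  reason: "Build reads any object key under the example-artifacts bucket only" };

const bothSet: PolicyEntry = {
  policyArn: "arn:aws:iam::111122223333:policy/ExampleBuildPolicy", policyDocument: scopedDoc };
const wildcardUnsuppressed: PolicyEntry = { policyDocument: wildcardDoc };
const wildcardSuppressed: PolicyEntry = { policyDocument: wildcardDoc, suppressions: [goodSuppression] };
const vagueReason: PolicyEntry = { policyDocument: wildcardDoc,
  suppressions: [{ id: "AwsSolutions-IAM5", reason: "needed" }] };
```

An entry that sets only policyArn passes this check by design: the referenced policy is outside what the check (or CDK Nag) can see, so it needs separate review.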