fix(bootstrap): rebootstrap breaks container Functions (#19446)

Container Functions automatically add a policy to an ECR repository to
allow Lambda to pull from it; however, when the ECR repository is
rebootstrapped and has changed, the policy might be overwritten.

Add the policy to the bootstrap stack, so we don't have to rely on
Lambda to add it and it will survive rebootstraps.

This introduces version 11 of the bootstrap stack. You do not need
to upgrade to this version unless you are affected by this issue.

Fixes #18473.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml

@@ -209,6 +209,20 @@ Resources:
           - HasCustomContainerAssetsRepositoryName
           - Fn::Sub: "${ContainerAssetsRepositoryName}"
           - Fn::Sub: cdk-${Qualifier}-container-assets-${AWS::AccountId}-${AWS::Region}
+      RepositoryPolicyText:
+        Version: "2012-10-17"
+        Statement:
+          # Necessary for Lambda container images
+          # https://docs.aws.amazon.com/lambda/latest/dg/configuration-images.html#configuration-images-permissions
+          - Sid: LambdaECRImageRetrievalPolicy
+            Effect: Allow
+            Principal: { Service: "lambda.amazonaws.com" }
+            Action:
+              - ecr:BatchGetImage
+              - ecr:GetDownloadUrlForLayer
+            Condition:
+              StringLike:
+                "aws:sourceArn": { "Fn::Sub": "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:*" }
   FilePublishingRole:
     Type: AWS::IAM::Role
     Properties:
@@ -493,7 +507,7 @@ Resources:
       Type: String
       Name:
         Fn::Sub: '/cdk-bootstrap/${Qualifier}/version'
-      Value: '10'
+      Value: '11'
 Outputs:
   BucketName:
     Description: The name of the S3 bucket owned by the CDK toolkit stack