Description
Describe the bug
The IAM statement changes table produced by running cdk diff doesn't render the changes for permission sets nicely. It seems that if the resource is not `*`, the table row does not contain any info at all on which permission set the operation happens.
Regression Issue
- Select this option if this issue appears to be a regression.
Last Known Working CDK Library Version
not known
Expected Behavior
Not sure how it should look.
But the second line with Resource=arn:aws:s3:::example-bucket/* doesn't mention the permission set at all, making the diff hard to read, especially when there are multiple permission sets in the same stack.
edit: While it's technically not a principal, I think having the permission set in the Principal column seems reasonable
Current Behavior
The "IAM Statement Changes" table looks like this

Reproduction Steps
```ts
import { App, Stack } from "aws-cdk-lib";
import { Effect, PolicyDocument, PolicyStatement } from "aws-cdk-lib/aws-iam";
import { CfnPermissionSet } from "aws-cdk-lib/aws-sso";

// Run `cdk diff` against this app and inspect the "IAM Statement Changes" table.
const app = new App();
const stack = new Stack(app, "Example");

// One permission set with two inline statements: one unscoped (Resource=*)
// and one scoped to a bucket prefix.
new CfnPermissionSet(stack, "PermissionSet", {
  name: "example",
  instanceArn: "exampleArn",
  inlinePolicy: new PolicyDocument({
    statements: [
      new PolicyStatement({
        effect: Effect.ALLOW,
        actions: ["s3:ListBucket"],
        resources: ["*"], // unscoped
      }),
      new PolicyStatement({
        effect: Effect.ALLOW,
        actions: ["s3:GetObject"],
        resources: ["arn:aws:s3:::example-bucket/*"], // scoped
      }),
    ],
  }),
});
```
Possible Solution
No response
Additional Information/Context
No response
AWS CDK Library version (aws-cdk-lib)
2.221.1
AWS CDK CLI version
2.1031.1 (build a560d1e)
Node.js Version
v22.15.0
OS
macOs 15.6.1
Language
TypeScript
Language Version
TypeScript (5.9.3)
Other information
No response
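Added example (editor's code, not the issue author's and not aws-cdk's): the rendering the "Expected Behavior" section asks for, worked out over a synthesized template. It flattens every inline statement of each `AWS::SSO::PermissionSet` into one row that keeps the permission set's logical ID, and prints a table in which that ID occupies the Principal column, as the author proposes. The template is constructed inline to match the reproduction app (the exact shape cdk synthesizes for `InlinePolicy` is an assumption; both a parsed document and a JSON string are accepted), and a second permission set is added to show that rows stay attributable when several coexist in one stack.

```typescript
// Added example, not code from the issue author or from aws-cdk.
// Flatten the inline statements of every AWS::SSO::PermissionSet in a
// CloudFormation template into rows that carry the set's logical ID.

type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

interface StatementRow {
  permissionSet: string; // logical ID of the AWS::SSO::PermissionSet
  effect: string;
  actions: string[];
  resources: string[];
}

// IAM allows a single string or a list for Action and Resource.
function asList(v: unknown): string[] {
  if (v === undefined || v === null) return [];
  return Array.isArray(v) ? v.map(String) : [String(v)];
}

function permissionSetStatementRows(template: CfnTemplate): StatementRow[] {
  const rows: StatementRow[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== "AWS::SSO::PermissionSet") continue;
    const policy = res.Properties?.InlinePolicy;
    if (policy === undefined) continue;
    // InlinePolicy is JSON in CloudFormation; accept a parsed document or a JSON string.
    const doc = typeof policy === "string" ? JSON.parse(policy) : policy;
    const statements = Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
    for (const stmt of statements) {
      rows.push({
        permissionSet: logicalId,
        effect: String(stmt.Effect ?? "Allow"),
        actions: asList(stmt.Action),
        resources: asList(stmt.Resource),
      });
    }
  }
  return rows;
}

// Render rows as an aligned text table, one line per statement, with the
// permission set in the Principal column (the author's suggestion).
function renderTable(rows: StatementRow[]): string[] {
  const header = ["Resource", "Effect", "Action", "Principal"];
  const cells = rows.map(r => [
    r.resources.join(", "),
    r.effect,
    r.actions.join(", "),
    `PermissionSet:${r.permissionSet}`,
  ]);
  const widths = header.map((h, i) => Math.max(h.length, ...cells.map(c => c[i].length)));
  const fmt = (c: string[]) => c.map((v, i) => v.padEnd(widths[i])).join(" | ");
  return [fmt(header), ...cells.map(fmt)];
}

// Constructed template: the set from the reproduction steps plus a second set.
const sampleTemplate: CfnTemplate = {
  Resources: {
    PermissionSet: {
      Type: "AWS::SSO::PermissionSet",
      Properties: {
        Name: "example",
        InstanceArn: "exampleArn",
        InlinePolicy: {
          Version: "2012-10-17",
          Statement: [
            { Effect: "Allow", Action: "s3:ListBucket", Resource: "*" },
            { Effect: "Allow", Action: "s3:GetObject", Resource: "arn:aws:s3:::example-bucket/*" },
          ],
        },
      },
    },
    ReadOnlySet: {
      Type: "AWS::SSO::PermissionSet",
      Properties: {
        Name: "readonly",
        InstanceArn: "exampleArn",
        InlinePolicy: JSON.stringify({
          Version: "2012-10-17",
          Statement: { Effect: "Allow", Action: ["s3:GetObject"], Resource: "arn:aws:s3:::example-bucket/*" },
        }),
      },
    },
  },
};

const sampleRows = permissionSetStatementRows(sampleTemplate);
renderTable(sampleRows).forEach(line => console.log(line));
```

With the constructed template, the scoped `s3:GetObject` row is printed with `PermissionSet:PermissionSet` in its Principal column and the second set's row with `PermissionSet:ReadOnlySet`, so each statement remains attributable even when the resource is not `*`.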