fix(apprunner): auto deployment fails after new container image pushed due to lack of a permission (aws#30630)

### Issue # (if applicable)

Closes aws#26640

### Reason for this change
According to the [docs](https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles), required permissions for an App Runner's AccessRole to access images in ECR repository are the followings:

1. "ecr:GetDownloadUrlForLayer",
2. "ecr:BatchCheckLayerAvailability",
3. "ecr:BatchGetImage",
4. "ecr:DescribeImages",
5. "ecr:GetAuthorizationToken"

No.1~3 are granted by the [grantPull](https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-ecr/lib/repository.ts#L385) method of `ecr.Repository`.

https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-apprunner-alpha/lib/service.ts#L1303

Permission for No.5 is granted by the following.
**Note** : It is correct that the resources here is set to `*`(Ref: [docs](https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles))
> If you create your own custom policy for your access role, be sure to specify "Resource": "*" for the ecr:GetAuthorizationToken action. Tokens can be used to access any Amazon ECR registry that you have access to.

https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-apprunner-alpha/lib/service.ts#L1368

At the moment, No.4 permission is missing. So we need to add.


### Description of changes
Add a `ecr:DescribeImages` permisison to the AccessRole.



### Description of how you validated changes
Update a unit test and a integ test.



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: mazyu36

packages/@aws-cdk/aws-apprunner-alpha/lib/service.ts

@@ -1311,9 +1311,11 @@ export class Service extends cdk.Resource implements iam.IGrantable {
       } : undefined,
     });
 
-    // grant required privileges for the role
+    // grant required privileges for the role to access an image in Amazon ECR
+    // See https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles
     if (this.source.ecrRepository && this.accessRole) {
       this.source.ecrRepository.grantPull(this.accessRole);
+      this.source.ecrRepository.grant(this.accessRole, 'ecr:DescribeImages');
     }
 
     this.serviceArn = resource.attrServiceArn;

packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-ecr.js.snapshot/cdk.out

@@ -1,5 +1,22 @@
 {
  "Resources": {
+  "Service3InstanceRoleD40BEE82": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "tasks.apprunner.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
   "Service3AccessRole3ACBAAA0": {
    "Type": "AWS::IAM::Role",
    "Properties": {
@@ -31,6 +48,7 @@
        "Action": [
         "ecr:BatchCheckLayerAvailability",
         "ecr:BatchGetImage",
+        "ecr:DescribeImages",
         "ecr:GetDownloadUrlForLayer"
        ],
        "Effect": "Allow",
@@ -72,6 +90,19 @@
   "Service342D067F2": {
    "Type": "AWS::AppRunner::Service",
    "Properties": {
+    "InstanceConfiguration": {
+     "InstanceRoleArn": {
+      "Fn::GetAtt": [
+       "Service3InstanceRoleD40BEE82",
+       "Arn"
+      ]
+     }
+    },
+    "NetworkConfiguration": {
+     "EgressConfiguration": {
+      "EgressType": "DEFAULT"
+     }
+    },
     "SourceConfiguration": {
      "AuthenticationConfiguration": {
       "AccessRoleArn": {
@@ -91,19 +122,23 @@
       },
       "ImageRepositoryType": "ECR"
      }
-    },
-    "InstanceConfiguration": {
-      "InstanceRoleArn": {
-        "Fn::GetAtt": [
-          "Service3InstanceRoleD40BEE82",
-          "Arn"
-        ]
+    }
+   }
+  },
+  "Service2InstanceRole3F57F2AA": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "tasks.apprunner.amazonaws.com"
+       }
       }
-    },
-    "NetworkConfiguration": {
-     "EgressConfiguration": {
-      "EgressType": "DEFAULT"
-     }
+     ],
+     "Version": "2012-10-17"
     }
    }
   },
@@ -138,6 +173,7 @@
        "Action": [
         "ecr:BatchCheckLayerAvailability",
         "ecr:BatchGetImage",
+        "ecr:DescribeImages",
         "ecr:GetDownloadUrlForLayer"
        ],
        "Effect": "Allow",
@@ -179,6 +215,19 @@
   "Service2AB4D14D8": {
    "Type": "AWS::AppRunner::Service",
    "Properties": {
+    "InstanceConfiguration": {
+     "InstanceRoleArn": {
+      "Fn::GetAtt": [
+       "Service2InstanceRole3F57F2AA",
+       "Arn"
+      ]
+     }
+    },
+    "NetworkConfiguration": {
+     "EgressConfiguration": {
+      "EgressType": "DEFAULT"
+     }
+    },
     "SourceConfiguration": {
      "AuthenticationConfiguration": {
       "AccessRoleArn": {
@@ -217,56 +266,9 @@
       },
       "ImageRepositoryType": "ECR"
      }
-    },
-    "InstanceConfiguration": {
-      "InstanceRoleArn": {
-        "Fn::GetAtt": [
-          "Service2InstanceRole3F57F2AA",
-          "Arn"
-        ]
-      }
-    },
-    "NetworkConfiguration": {
-     "EgressConfiguration": {
-      "EgressType": "DEFAULT"
-     }
-    }
-   }
-  },
-  "Service3InstanceRoleD40BEE82": {
-    "Type": "AWS::IAM::Role",
-    "Properties": {
-     "AssumeRolePolicyDocument": {
-      "Statement": [
-       {
-        "Action": "sts:AssumeRole",
-        "Effect": "Allow",
-        "Principal": {
-         "Service": "tasks.apprunner.amazonaws.com"
-        }
-       }
-      ],
-      "Version": "2012-10-17"
-     }
-    }
-   },
-   "Service2InstanceRole3F57F2AA": {
-    "Type": "AWS::IAM::Role",
-    "Properties": {
-     "AssumeRolePolicyDocument": {
-      "Statement": [
-       {
-        "Action": "sts:AssumeRole",
-        "Effect": "Allow",
-        "Principal": {
-         "Service": "tasks.apprunner.amazonaws.com"
-        }
-       }
-      ],
-      "Version": "2012-10-17"
-     }
     }
    }
+  }
  },
  "Outputs": {
   "URL3": {