sec(iac): enforce non-empty ExternalId on cross-account AssumeRole at IAM layer

[cristim]

Summary

• Adds Condition: { StringLike: { "sts:ExternalId": "*" } } to the cross_account_sts IAM policy in both terraform/modules/compute/aws/lambda/main.tf and terraform/modules/compute/aws/fargate/main.tf
• IAM now requires a non-empty sts:ExternalId on every AssumeRole call from these compute roles; calls without the field are denied at the IAM layer before reaching the target account
• Per-account ExternalId value validation continues at the application layer (credentials resolver); this is a second defence layer closing the gap where an app-layer bug could omit the field entirely
• Mirrors what the CloudFormation target-account trust policy already enforced on the other side of the call
• terraform fmt -check passes with no changes on both modules

Closes #436

[coderabbitai]

Warning

Review limit reached

@cristim, we couldn't start this review because you've used your available PR reviews for now.

Your plan currently allows 2 reviews/hour. Refill in 24 minutes and 21 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more review capacity refills, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9aaf22d3-c24b-4aab-ae2c-7aeb633c68b3

📥 Commits

Reviewing files that changed from the base of the PR and between bc7bf0f and 9563602.

📒 Files selected for processing (2)

• terraform/modules/compute/aws/fargate/main.tf
• terraform/modules/compute/aws/lambda/main.tf

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/436-cross-account-external-id

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.