feat(CSVDIES-9980): pass ExternalId at assume-role; default to sc-automation-codebuild-role

Two related changes to wire the executor to the new cross-account role
deployed by the terraform-service-catalog-census StackSet (PR #13):

1. CROSS_ACCOUNT_ROLE default changed from r-inf-terraform to
   sc-automation-codebuild-role — the new purpose-built role for this
   automation system, deployed org-wide via CFN StackSet.

2. --external-id "${TARGET_ACCOUNT_ID}" added to the aws sts assume-role
   call — required by the ExternalId condition on sc-automation-codebuild-role
   (sts:ExternalId = AWS::AccountId) per ADR-004 confused-deputy protection.

The r-inf-terraform role can still be used by passing CROSS_ACCOUNT_ROLE=r-inf-terraform
as an env var override; it is not removed from the CodeBuild IAM policy.

See ADR-004: docs/decisions/004-account-baseline-iam-role.md
Jira: CSVDIES-9980
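The trust-policy side of the ExternalId condition the commit message cites, as an added CloudFormation sketch that is not from this commit or the terraform-service-catalog-census StackSet; AutomationAccountId and CodeBuildRoleName are assumed parameter names.

```yaml
# Added illustration, not code from the commit or the StackSet repository.
# Shows why the executor must now send --external-id: the role in each
# target account only trusts callers that name that account as ExternalId.
Parameters:
  AutomationAccountId:      # assumed: account hosting the CodeBuild executor
    Type: String
  CodeBuildRoleName:        # assumed: the CodeBuild project's service role
    Type: String

Resources:
  ScAutomationCodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: sc-automation-codebuild-role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AutomationAccountId}:role/${CodeBuildRoleName}"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                # Confused-deputy guard (ADR-004): the ExternalId must equal the
                # account the role lives in, so a caller that was tricked into
                # assuming the wrong account's role is refused.
                sts:ExternalId: !Ref AWS::AccountId
```

With this condition deployed, the pre-change assume-role call in the hunk below (no --external-id) is refused with AccessDenied, which is the failure the commit is fixing.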
Dave Arnold committed Jun 8, 2026
1 parent 040f5f9 commit 5e14547
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion buildspec-executor.yml
@@ -34,7 +34,7 @@ env:
NO_PROXY: "github.e.it.census.gov,169.254.169.254,169.254.170.2"
# Per-build defaults (overridden via environmentVariablesOverride in Lambda)
TARGET_ACCOUNT_ID: ""
CROSS_ACCOUNT_ROLE: "r-inf-terraform"
CROSS_ACCOUNT_ROLE: "sc-automation-codebuild-role"
TF_RUN_START_TAG: ""
DRY_RUN: "false"
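Review bot: the new default only resolves in accounts where the StackSet has actually deployed sc-automation-codebuild-role, but the inline comment above CROSS_ACCOUNT_ROLE still says nothing about that dependency or about the r-inf-terraform fallback the commit message describes, so a builder who hits AccessDenied here gets no hint from the file. Suggest extending the comment, e.g. `# CROSS_ACCOUNT_ROLE: deployed per account by the terraform-service-catalog-census StackSet (PR #13); override with r-inf-terraform for accounts not yet baselined`. Worth confirming too that the CodeBuild project role's sts:AssumeRole resource pattern covers the new role name in every target account, which this diff does not show.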

@@ -113,6 +113,7 @@ phases:
CREDS=$(aws sts assume-role \
--role-arn "${ROLE_ARN}" \
--role-session-name "sc-automation-${ACCOUNT_REPO}" \
--external-id "${TARGET_ACCOUNT_ID}" \
--query Credentials \
--output json)
export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | python3 -c "import json,sys; print(json.load(sys.stdin)['AccessKeyId'])")
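Review bot: `--external-id "${TARGET_ACCOUNT_ID}"` is only a confused-deputy check if TARGET_ACCOUNT_ID is guaranteed non-empty and equal to the account in ROLE_ARN; the env default in this file is `""`, so a build whose Lambda override is missing would send an empty external ID and fail with an STS parameter-validation error rather than a readable message. Suggest guarding before the call, e.g. `[[ "${TARGET_ACCOUNT_ID}" =~ ^[0-9]{12}$ ]] || { echo "TARGET_ACCOUNT_ID unset or malformed" >&2; exit 1; }`, and cross-checking it against the account segment of ROLE_ARN so the two cannot diverge. When the override points back at r-inf-terraform the flag is still sent, which is fine: STS only evaluates ExternalId when the trust policy carries an sts:ExternalId condition, so the fallback path the commit message keeps continues to work.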

0 comments on commit 5e14547
