build: Add lifecycle prevention for agent space destruction and enhance IAM role validation

Author: JG-Cloud

main.tf

@@ -21,6 +21,10 @@ resource "awscc_devopsagent_agent_space" "this" {
   }
 
   depends_on = [time_sleep.iam_propagation]
+
+  lifecycle {
+    prevent_destroy = true
+  }
 }
 
 # Primary account association (hosting account as monitor)

modules/spoke/main.tf

@@ -2,6 +2,12 @@ data "aws_iam_policy" "devops_agent_access" {
   name = "AIDevOpsAgentAccessPolicy"
 }
 
+locals {
+  # Extract the hosting account ID from the AgentSpace ARN for SourceAccount condition.
+  # arn:aws:aidevops:<region>:<account-id>:agentspace/<id>
+  hub_account_id = regex("arn:aws:aidevops:[^:]+:([0-9]+):agentspace/.*", var.agent_space_arn)[0]
+}
+
 resource "aws_iam_role" "devops_agent" {
   name                 = var.role_name
   permissions_boundary = var.permissions_boundary_arn
@@ -16,11 +22,14 @@ resource "aws_iam_role" "devops_agent" {
         }
         Action = "sts:AssumeRole"
         Condition = {
-          # ArnEquals pins account + Agent Space — no wildcard,
-          # unlike the hub roles which use agentspace/*.
+          # ArnEquals pins to the exact AgentSpace — no wildcard unlike hub roles.
+          # SourceAccount is defense-in-depth; ArnEquals already implicitly validates account.
           ArnEquals = {
             "aws:SourceArn" = var.agent_space_arn
           }
+          StringEquals = {
+            "aws:SourceAccount" = local.hub_account_id
+          }
         }
       }
     ]

variables.tf

@@ -7,6 +7,10 @@ variable "name_prefix" {
   description = "Short slug used in IAM role names — no spaces or special chars (defaults to agent_space_name if not set)"
   type        = string
   default     = ""
+  validation {
+    condition     = length(var.name_prefix) <= 35
+    error_message = "name_prefix must be 35 characters or fewer — IAM role names are limited to 64 chars and the longest prefix 'DevOpsAgentRole-WebappAdmin-' is 29 chars."
+  }
 }
 
 variable "agent_space_description" {