fix: Add missing IAM permission for AgentCore service-linked role creation

- Add iam:CreateServiceLinkedRole permission to Custom Resource role
- Required for AWSServiceRoleForBedrockAgentCoreRuntimeIdentity creation
- Fixes deployment failure since October 13, 2025 AgentCore Runtime changes
- Resolves AccessDeniedException when creating AgentCore Runtime

Fixes issue where GenU deployment fails with:
'Failed creating service linked role. Please verify that the calling role has sufficient permissions to create a service linked role.'

Reference: https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/service-linked-roles.html
According to AWS documentation, starting October 13, 2025, new AgentCore Runtime resources automatically require the AWSServiceRoleForBedrockAgentCoreRuntimeIdentity service-linked role.

Author: icoxfog417

packages/cdk/lib/construct/generic-agent-core.ts

@@ -185,6 +185,23 @@ export class GenericAgentCore extends Construct {
       })
     );
 
+    // Add permission to create AgentCore service-linked role (required since Oct 13, 2025)
+    role.addToPolicy(
+      new PolicyStatement({
+        sid: 'CreateBedrockAgentCoreRuntimeIdentityServiceLinkedRole',
+        effect: Effect.ALLOW,
+        actions: ['iam:CreateServiceLinkedRole'],
+        resources: [
+          `arn:aws:iam::*:role/aws-service-role/runtime-identity.bedrock-agentcore.amazonaws.com/AWSServiceRoleForBedrockAgentCoreRuntimeIdentity`,
+        ],
+        conditions: {
+          StringEquals: {
+            'iam:AWSServiceName': 'runtime-identity.bedrock-agentcore.amazonaws.com',
+          },
+        },
+      })
+    );
+
     return role;
   }