Closed alonsadovski12 closed 2 years ago
This is CloudFormation behavior that we cannot change. The Cfn classes have no logic written by us in them, and so we do not control their behavior.
What is the problem?
In CDK, there is an issue when renaming a role that is already registered to Lake Formation admins with the CfnDataLakeSettings construct. The previous role name stays in the roles list, and so all further deployments get the following error:
Invalid principal, arn: arn:aws:iam::**:role/ (Service: AWSLakeFormation; Status Code: 400; Error Code: InvalidInputException; ...)
Fixed the issue by deleting the previous role entity (which does not exist anymore in IAM) manually from the lake admins list.
Reproduction Steps
1. Create a role with CDK and register it to lake admins with the following code:

```python
from aws_cdk import aws_lakeformation as lf

# Inside the Stack's __init__; lambda_role_arn is the ARN of the role created above.
admins = [lf.CfnDataLakeSettings.DataLakePrincipalProperty(data_lake_principal_identifier=lambda_role_arn)]
admins_settings = lf.CfnDataLakeSettings(self, 'DLAdminsSettings', admins=admins)
```

2. After that, rename the created role and redeploy.
3. All further deployments (after step 2) will fail.
What did you expect to happen?
When renaming the role, the previous role name (which does not exist anymore) should be removed from the lake admins list.
What actually happened?
The previous role name (which does not exist anymore) stays in the lake admins settings list.
CDK CLI Version
2.8.0
Framework Version
No response
Node.js Version
14.15.5
OS
macOS Big Sur 11.6.1
Language
Python
Language Version
No response
Other information
No response
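
The manual cleanup described in the issue (removing the deleted role from the lake admins list) can be scripted. The following is an added example, not code from the issue or from CDK; it uses the boto3 `lakeformation`, `iam` and `sts` clients, and the function names are hypothetical.

```python
import re

# Matches IAM role ARNs, with or without a path; "name" is what iam.get_role expects.
ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::(?P<account>\d{12}):role/(?:.+/)?(?P<name>[\w+=,.@-]+)$")


def role_exists(iam, role_name):
    """True if IAM still has the role; get_role raises NoSuchEntity when it is gone."""
    try:
        iam.get_role(RoleName=role_name)
        return True
    except iam.exceptions.NoSuchEntityException:
        return False


def split_admins(admins, iam, account_id):
    """Partition DataLakeAdmins into (kept, stale).

    Only role ARNs in account_id are checked, because iam.get_role cannot see
    other accounts; users and cross-account principals are always kept.
    """
    kept, stale = [], []
    for admin in admins:
        m = ROLE_ARN.match(admin["DataLakePrincipalIdentifier"])
        if m and m["account"] == account_id and not role_exists(iam, m["name"]):
            stale.append(admin)
        else:
            kept.append(admin)
    return kept, stale


def prune_stale_admins(lf, iam, account_id, dry_run=True):
    """Return the stale admin ARNs; remove them from the settings unless dry_run."""
    settings = lf.get_data_lake_settings()["DataLakeSettings"]
    kept, stale = split_admins(settings.get("DataLakeAdmins", []), iam, account_id)
    if stale and not dry_run:
        # put_data_lake_settings replaces the whole settings object, so send
        # back everything that was read and change only the admin list.
        lf.put_data_lake_settings(DataLakeSettings={**settings, "DataLakeAdmins": kept})
    return [a["DataLakePrincipalIdentifier"] for a in stale]


if __name__ == "__main__":
    import boto3  # imported here so the functions above can be tested without AWS

    account = boto3.client("sts").get_caller_identity()["Account"]
    print(prune_stale_admins(boto3.client("lakeformation"), boto3.client("iam"), account))
```

Run as a script, it only lists the stale admins; pass `dry_run=False` after reviewing that list to write the pruned settings back.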