awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0
531 stars, 420 forks

Renaming PermissionSet does not delete original #532

Open richardkeit opened 1 month ago

richardkeit commented 1 month ago

Describe the bug Renaming PermissionSet fails to delete original PermissionSet in Cloudformation (leaves two visible in Identity Centre)

To Reproduce Deploy the following iam-config.yaml:

---
homeRegion: &HOME_REGION ap-southeast-2
ssoSessionDuration: &SSO_SESSION_DURATION 60

identityCenter:
  name: identityCenter1
  delegatedAdminAccount: Audit
  identityCenterPermissionSets:

    - name: myApplicationWorkloadAdmin
      policies:
        acceleratorManaged:
          - app-service-myApplication
          - app-boundary-policy-myApplication
        awsManaged:
          - arn:aws:iam::aws:policy/AWSCloudFormationReadOnlyAccess
          - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess
          - arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
          - arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess
          - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
          - arn:aws:iam::aws:policy/AWSElasticBeanstalkReadOnly
      sessionDuration: 60

  identityCenterAssignments:

    - name: myApplicationProdAssignment
      permissionSetName: myApplicationWorkloadAdmin # Assumes Prod & Non-Prod have the same permissions
      principals:
        - type: GROUP
          name: AAD_aws_workoad_admin_myApplication_prod
        - type: GROUP
          name: AAD_AWS_platform_admin # Ease of debugging permissions
      deploymentTargets:
        accounts:
          - workloads-prod-myApplication-prod
    - name: myApplicationDevAssignment
      permissionSetName: myApplicationWorkloadAdmin # Assumes Prod & Non-Prod have the same permissions
      principals:
        - type: GROUP
          name: AAD_aws_workoad_admin_myApplication_dev
        - type: GROUP
          name: AAD_AWS_platform_admin # Ease of debugging permissions
      deploymentTargets:
        accounts:
          - workloads-non-prod-myApplication-dev

Rename myApplicationProdAssignment -> myApplicationProdAssignment2
Run pipeline again

Expected behavior
- Original Permission Set deleted
- New Permission Set available

Please complete the following information about the solution:

Screenshot: (image attached, taken 2024-08-13, showing both permission sets listed in Identity Center)

Additional context Cloudtrail:

{
    "eventVersion": "1.09",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAW3MEFJJDARFA3ZM6Q:AWSCodeBuild-bb104709-a5a1-4fe4-bf91-8e51a02eb6ff",
        "arn": "arn:aws:sts::XXXXXXXXXX:assumed-role/AWSAccelerator-PipelineSt-AdminCdkToolkitRole292E16-1snHngp74Iee/AWSCodeBuild-bb104709-a5a1-4fe4-bf91-8e51a02eb6ff",
        "accountId": "XXXXXXXXXX",
        "accessKeyId": "AAAAAA",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "BBBBBBBB",
                "arn": "arn:aws:iam::XXXXXXXXXX:role/AWSAccelerator-PipelineSt-AdminCdkToolkitRole292E16-1snHngp74Iee",
                "accountId": "XXXXXXXXXX",
                "userName": "AWSAccelerator-PipelineSt-AdminCdkToolkitRole292E16-1snHngp74Iee"
            },
            "attributes": {
                "creationDate": "2024-08-13T02:55:23Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "codebuild.amazonaws.com"
    },
    "eventTime": "2024-08-13T03:16:29Z",
    "eventSource": "sso.amazonaws.com",
    "eventName": "DeletePermissionSet",
    "awsRegion": "ap-southeast-2",
    "sourceIPAddress": "codebuild.amazonaws.com",
    "userAgent": "codebuild.amazonaws.com",
    "errorCode": "ConflictException",
    "errorMessage": "Could not delete because PermissionSet has ApplicationProfile associated with it.",
    "requestParameters": {
        "instanceArn": "arn:aws:sso:::instance/ssoins-YYYYYYY",
        "permissionSetArn": "arn:aws:sso:::permissionSet/ssoins-YYYYYYY/ps-cf2627dac43cf238"
    },
    "responseElements": null,
    "requestID": "74d35b0d-3a29-4d44-aecc-fbb48711c33c",
    "eventID": "173046b1-8e25-4583-9d78-28cd4dd54889",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "XXXXXXXXXX",
    "eventCategory": "Management"
}
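The CloudTrail event above records DeletePermissionSet being rejected with a ConflictException because an assignment ("ApplicationProfile") still references the set. Identity Center only accepts the delete once every account assignment for that set has been removed, and assignment deletion is itself asynchronous. The script below, an added example and not code from landing-zone-accelerator-on-aws, implements that ordering: list the provisioned accounts, delete each assignment, poll the deletion status, and only then delete the set. It uses the method names and response shapes of boto3's sso-admin client, but runs here against a constructed in-memory fake (FakeSsoAdminClient) that enforces the same conflict rule, so every ARN, account ID and group ID in it is made up.

```python
"""Detach-then-delete for an IAM Identity Center permission set.

Added example, not code from landing-zone-accelerator-on-aws. Method names and
response shapes are those of boto3's "sso-admin" client; FakeSsoAdminClient is a
constructed stand-in so this runs offline, and every ARN, account ID and
principal ID below is made up.
"""
import time


class ConflictError(Exception):
    """Plays the role of botocore's ConflictException in the offline fake."""


def _paged(call, key, **kwargs):
    """Collect every page of a list_* call (the real API paginates with NextToken)."""
    items, token = [], None
    while True:
        resp = call(**kwargs, **({"NextToken": token} if token else {}))
        items.extend(resp[key])
        token = resp.get("NextToken")
        if not token:
            return items


def delete_permission_set_safely(client, instance_arn, ps_arn, poll_seconds=2.0):
    """Delete each account assignment referencing ps_arn (waiting for the asynchronous
    deletion), then delete the set. Returns the removed (account, type, principal) tuples."""
    removed = []
    for account_id in _paged(client.list_accounts_for_provisioned_permission_set, "AccountIds",
                             InstanceArn=instance_arn, PermissionSetArn=ps_arn):
        for a in _paged(client.list_account_assignments, "AccountAssignments",
                        InstanceArn=instance_arn, AccountId=account_id, PermissionSetArn=ps_arn):
            status = client.delete_account_assignment(
                InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
                PermissionSetArn=ps_arn, PrincipalType=a["PrincipalType"],
                PrincipalId=a["PrincipalId"])["AccountAssignmentDeletionStatus"]
            while status["Status"] == "IN_PROGRESS":  # deletion is asynchronous
                time.sleep(poll_seconds)
                status = client.describe_account_assignment_deletion_status(
                    InstanceArn=instance_arn, AccountAssignmentDeletionRequestId=status["RequestId"],
                )["AccountAssignmentDeletionStatus"]
            if status["Status"] != "SUCCEEDED":
                raise RuntimeError(f"assignment deletion failed: {status}")
            removed.append((account_id, a["PrincipalType"], a["PrincipalId"]))
    # Only now is the set free of the association that blocked DeletePermissionSet
    client.delete_permission_set(InstanceArn=instance_arn, PermissionSetArn=ps_arn)
    return removed


class FakeSsoAdminClient:
    """Constructed in-memory client enforcing the rule seen in the CloudTrail event:
    DeletePermissionSet conflicts while any assignment still references the set."""

    def __init__(self, assignments):
        self.assignments = {k: list(v) for k, v in assignments.items()}
        self.deleted_permission_sets = []
        self._requests = 0

    def list_accounts_for_provisioned_permission_set(self, InstanceArn, PermissionSetArn, NextToken=None):
        return {"AccountIds": sorted({acc for acc, _, _ in self.assignments.get(PermissionSetArn, [])})}

    def list_account_assignments(self, InstanceArn, AccountId, PermissionSetArn, NextToken=None):
        rows = [{"AccountId": acc, "PermissionSetArn": PermissionSetArn, "PrincipalType": t, "PrincipalId": p}
                for acc, t, p in self.assignments.get(PermissionSetArn, []) if acc == AccountId]
        return {"AccountAssignments": rows}

    def delete_account_assignment(self, InstanceArn, TargetId, TargetType, PermissionSetArn,
                                  PrincipalType, PrincipalId):
        self.assignments[PermissionSetArn].remove((TargetId, PrincipalType, PrincipalId))
        self._requests += 1  # first status is IN_PROGRESS, as with the real asynchronous API
        return {"AccountAssignmentDeletionStatus": {"Status": "IN_PROGRESS", "RequestId": f"req-{self._requests}"}}

    def describe_account_assignment_deletion_status(self, InstanceArn, AccountAssignmentDeletionRequestId):
        return {"AccountAssignmentDeletionStatus": {"Status": "SUCCEEDED",
                                                    "RequestId": AccountAssignmentDeletionRequestId}}

    def delete_permission_set(self, InstanceArn, PermissionSetArn):
        if self.assignments.get(PermissionSetArn):
            raise ConflictError("Could not delete because PermissionSet has ApplicationProfile associated with it.")
        self.assignments.pop(PermissionSetArn, None)
        self.deleted_permission_sets.append(PermissionSetArn)
        return {}


INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-example"             # constructed
PS_ARN = "arn:aws:sso:::permissionSet/ssoins-example/ps-example"  # constructed


def build_fake():
    """Mirror the issue's config: one set assigned in two accounts, platform admins in both."""
    return FakeSsoAdminClient({PS_ARN: [("111111111111", "GROUP", "g-prod-workload-admins"),
                                        ("111111111111", "GROUP", "g-platform-admins"),
                                        ("222222222222", "GROUP", "g-dev-workload-admins"),
                                        ("222222222222", "GROUP", "g-platform-admins")]})


def naive_delete_conflicts():
    """Reproduce the failure in the issue: delete the set while it is still assigned."""
    try:
        build_fake().delete_permission_set(InstanceArn=INSTANCE_ARN, PermissionSetArn=PS_ARN)
    except ConflictError:
        return True
    return False


if __name__ == "__main__":
    print("naive delete conflicts:", naive_delete_conflicts())
    client = build_fake()
    print("removed:", delete_permission_set_safely(client, INSTANCE_ARN, PS_ARN, poll_seconds=0))
    print("deleted sets:", client.deleted_permission_sets)
```

Against a real instance, pass `boto3.client("sso-admin")` as `client` and leave `poll_seconds` at its default; the fake is only there so the ordering can be exercised without an account. The same ordering is what any CloudFormation custom resource that renames a permission set would have to perform before issuing DeletePermissionSet.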
amitsmlaws commented 3 weeks ago

At this point it would not, as CFN won't identify it as a change. I would suggest, removing the block of code which deletes the permission sets and then re-creating another one

richardkeit commented 3 weeks ago

> At this point it would not, as CFN won't identify it as a change. I would suggest, removing the block of code which deletes the permission sets and then re-creating another one

Hi @amitsmlaws, via CloudTrail & CloudFormation we can see that DeletePermissionSet was called, but the relationship has been managed correctly and it is unable to delete.