I have an Operations team that is utilizing an IAM Role I deploy and maintain via AWS Control Tower. From time to time I have to delete the IAM Role in order to address issues in Control Tower failures. When this happens, they contend that they lose configuration changes and access to KMS keys (apparently they have my IAM Role set as the key owner).
Is this correct? Is there a better way for them to initiate their Terraform modules so that they can be run by different IAM Roles and/or users (as long as the user or role is authorized) without losing access to KMS keys or other permissions? My understanding is that nothing deployed via an assumed IAM Role by Terraform should be owned/tied exclusively to a single IAM Role.
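For reference, here is an added example (not code from the original post or from the Ops team's modules) of the pattern that avoids the problem described above: the KMS key policy names only the account root, all key administration and usage rights are granted through ordinary IAM policies attached to however many roles need them, and the module itself is run through one shared execution role via the provider's `assume_role` block. The account ID `123456789012`, the region, and the role and policy names (`OpsTerraformExecution`, `OpsKeyAdmin`) are hypothetical placeholders.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

# Whoever runs this module (an IAM user or another role) assumes one shared
# execution role. The caller's own identity never appears in any resource
# policy, so any authorized principal can run the same state.
provider "aws" {
  region = "us-east-1" # assumed
  assume_role {
    role_arn = "arn:aws:iam::123456789012:role/OpsTerraformExecution" # hypothetical
  }
}

data "aws_caller_identity" "current" {}

# Key policy: only the account root is a principal. This delegates all
# authorization for the key to IAM policies in the account, so deleting or
# recreating any role changes nothing about who can administer the key.
data "aws_iam_policy_document" "ops_key" {
  statement {
    sid    = "EnableIAMUserPermissions"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }
}

resource "aws_kms_key" "ops" {
  description             = "Ops team key (example)"
  deletion_window_in_days = 30
  enable_key_rotation     = true
  policy                  = data.aws_iam_policy_document.ops_key.json
}

# Who may administer and use the key is an ordinary IAM policy. It can be
# attached to as many roles as needed, and those roles can be deleted and
# recreated freely because the key policy above never references them.
data "aws_iam_policy_document" "ops_key_admin" {
  statement {
    sid    = "AdministerOpsKey"
    effect = "Allow"
    actions = [
      "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
      "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
      "kms:TagResource", "kms:UntagResource",
      "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
    ]
    resources = [aws_kms_key.ops.arn]
  }
  statement {
    sid    = "UseOpsKey"
    effect = "Allow"
    actions = [
      "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
      "kms:GenerateDataKey*", "kms:DescribeKey",
    ]
    resources = [aws_kms_key.ops.arn]
  }
}

resource "aws_iam_policy" "ops_key_admin" {
  name   = "OpsKeyAdmin" # hypothetical
  policy = data.aws_iam_policy_document.ops_key_admin.json
}

# Attach the grant to every role that should manage the key. Adding a role
# here is a plain IAM change; nothing about the key itself has to move.
variable "key_admin_role_names" {
  type    = list(string)
  default = ["OpsTerraformExecution"] # hypothetical
}

resource "aws_iam_role_policy_attachment" "ops_key_admin" {
  for_each   = toset(var.key_admin_role_names)
  role       = each.value
  policy_arn = aws_iam_policy.ops_key_admin.arn
}
```

The caveat worth checking against the existing keys: when a role that is named as a principal in a resource-based policy (a KMS key policy included) is deleted, IAM stores the role's unique ID in place of the ARN, so recreating a role with the same name does not restore the match. If a key policy grants administration only to that one role and has no account-root statement, the key can become unmanageable. Auditing the current key policies for statements whose principal is the Control Tower role, and moving those grants into IAM policies as above, is the fix to make before the next deletion rather than after.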