Expected behavior:
When I remove the last role containing an account assignment role from an Access List, the corresponding group should be immediately deleted in AWS Identity Center.
Current behavior:
The Identity Center group persists until the next full provisioning cycle (default interval ~5 mins) and is then deleted from Identity Center.
Working Theory:
The IC provisioning system only attempts to provision Access Lists where the access list has at least one Account Assignment granted by a role. Once the last account-assignment-granting role is removed from the Access List, the provisioning system disregards any events on that list, including noticing that it needs to delete the corresponding group.
Situation should be detectable by checking if an excluded Access List has an existing provisioning state. If it does, then the provisioning system should delete the downstream group (and the provisioning state record) immediately.
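The check proposed in the working theory, modelled in Go as an added example (not code from the project or from the issue author). `AccessList`, `Provisioner`, `DeleteGroup` and the returned status strings are hypothetical names, and keeping the state record when the downstream delete fails is an assumption.

```go
package main

import "fmt"

// All names here are hypothetical; they model the issue's description only.
type AccessList struct {
	Name               string
	AccountAssignments int // account assignments granted by the list's roles
}

type Provisioner struct {
	State       map[string]string     // provisioning state: list name -> group ID
	DeleteGroup func(id string) error // stand-in for the downstream group delete
}

// OnUpdateBuggy follows the working theory: a list with no account assignments
// is dropped before anyone checks whether it still has a downstream group.
func (p *Provisioner) OnUpdateBuggy(l AccessList) string {
	if l.AccountAssignments == 0 {
		return "ignored"
	}
	p.State[l.Name] = "group-" + l.Name
	return "provisioned"
}

// OnUpdateFixed adds the proposed check: an excluded list that still has a
// provisioning state has its group and state record deleted immediately.
func (p *Provisioner) OnUpdateFixed(l AccessList) string {
	if l.AccountAssignments > 0 {
		p.State[l.Name] = "group-" + l.Name
		return "provisioned"
	}
	id, ok := p.State[l.Name]
	if !ok {
		return "ignored" // never provisioned, nothing to clean up
	}
	if err := p.DeleteGroup(id); err != nil {
		return "retry" // assumption: keep the record so a later pass retries
	}
	delete(p.State, l.Name)
	return "deprovisioned"
}

func main() {
	p := &Provisioner{State: map[string]string{"ops": "group-ops"}, DeleteGroup: func(string) error { return nil }}
	fmt.Println(p.OnUpdateBuggy(AccessList{Name: "ops"}), p.OnUpdateFixed(AccessList{Name: "ops"}), p.State)
}
```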