We are managing AWS IAM Roles and associated policies using Pulumi, we faced an issue that in case of any policy update (even basic changes in permissions/JSON) - Pulumi wants to recreate a policy but fails because it is associated to role
1. Why does permission change triggers resource recreation but not in-place update?
2. Is it any way to handle this without a recreation of Role? (It looks like https://www.pulumi.com/registry/packages/aws/api-docs/iam/rolepolicyattachment/ can help with this)
3. How to properly link Roles to permissions? Is depends_on enough?