I have a strange issue which i do not know how to handle:

package cmd

import (
    "fmt"
    "strings"

    "<http://github.com/google/uuid|github.com/google/uuid>"
    "<http://github.com/pulumi/pulumi-azure-native-sdk/managedidentity/v2|github.com/pulumi/pulumi-azure-native-sdk/managedidentity/v2>"
    "<http://github.com/pulumi/pulumi-azure-native/sdk/go/azure|github.com/pulumi/pulumi-azure-native/sdk/go/azure>"
    "<http://github.com/pulumi/pulumi-azure-native/sdk/go/azure/authorization|github.com/pulumi/pulumi-azure-native/sdk/go/azure/authorization>"
    "<http://github.com/pulumi/pulumi-azure-native/sdk/go/azure/network|github.com/pulumi/pulumi-azure-native/sdk/go/azure/network>"
    "<http://github.com/pulumi/pulumi/sdk/v3/go/pulumi|github.com/pulumi/pulumi/sdk/v3/go/pulumi>"
)

const DNSNamespaceUUID = "e4bbfaee-5e45-4fc8-8be2-37c4d317c83e" // Example namespace UUID

func (r *Azure) CreateIdentityAzure(ctx *pulumi.Context) error {
    clientConfig, err := authorization.GetClientConfig(ctx, nil)
    if err != nil {
       return err
    }

    otherSubscriptionID := r.Subscription
    betterProvider, err := azure.NewProvider(ctx, "otherSubscription", &azure.ProviderArgs{
       SubscriptionId: pulumi.String(otherSubscriptionID),
    })
    if err != nil {
       return err
    }

    var identities []*managedidentity.UserAssignedIdentity
    if r.Domains.Enable {
       <http://ctx.Log.Info|ctx.Log.Info>("Creating identities and zones...", nil)
       identityNames := []string{"certmanager-identity"}

       identities, err = r.createUserAssignedIdentities(ctx, identityNames)
       if err != nil {
          return err
       }

       err = r.createNewZonesAndRoles(ctx, betterProvider, clientConfig, identities)
       if err != nil {
          return err
       }
    }

    return nil
}

func (r *Azure) createUserAssignedIdentities(ctx *pulumi.Context, identityNames []string) ([]*managedidentity.UserAssignedIdentity, error) {
    identities := make([]*managedidentity.UserAssignedIdentity, len(identityNames))
    for i, idName := range identityNames {
       identity, err := managedidentity.NewUserAssignedIdentity(ctx, idName, &managedidentity.UserAssignedIdentityArgs{
          Location:          pulumi.String(r.Location),
          ResourceGroupName: r.RgResponse.Name,
          ResourceName:      pulumi.String(fmt.Sprintf("%s-%v", idName, i)),
       }, pulumi.DependsOn([]pulumi.Resource{r.AksResponse}))

       if err != nil {
          return nil, err
       }
       identities[i] = identity
    }

    return identities, nil
}

func (r *Azure) createNewZonesAndRoles(ctx *pulumi.Context, provider *azure.Provider, clientConfig *authorization.GetClientConfigResult, identities []*managedidentity.UserAssignedIdentity) error {
    for _, domain := range r.Domains.Zones {
       zone, err := network.NewZone(ctx, fmt.Sprintf("%s-zone", domain.Name), &network.ZoneArgs{
          ResourceGroupName: pulumi.String("Better"),
          ZoneName:          pulumi.String(domain.Zone),
          Location:          pulumi.String("global"),
       }, pulumi.Provider(provider), pulumi.DependsOn([]pulumi.Resource{r.AksResponse}))
       if err != nil {
          return err
       }

       uuidNamespace := uuid.MustParse(DNSNamespaceUUID) // Use a fixed namespace UUID

       for _, identity := range identities {
          roleDefinitionId := pulumi.String(fmt.Sprintf(
             "/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314",
             clientConfig.SubscriptionId,
          ))

          nameUUID := identity.Name.ToStringOutput().ApplyT(func(name string) string {
             uuid := uuid.NewSHA1(uuidNamespace, []byte(name)).String()
             fmt.Printf("Generated nameUUID for %s: %s\n", name, uuid)
             return uuid
          }).(pulumi.StringOutput)

          pulumi.All(zone.ID(), nameUUID).ApplyT(func(args []interface{}) error {
             zoneID := args[0].(pulumi.ID)  // zone.ID() returns a pulumi.ID
             uuidString := args[1].(string) // nameUUID is already a string

             fmt.Printf("Zone ID: %s, Generated nameUUID: %s\n", zoneID, uuidString)
             fmt.Println("Test1231231231221")
             // Convert pulumi.ID to string
             zoneIDStr := string(zoneID)

             // Perform the LookupRoleAssignment
             _, err := authorization.LookupRoleAssignment(ctx, &authorization.LookupRoleAssignmentArgs{
                Scope:              zoneIDStr,
                RoleAssignmentName: uuidString,
             }, pulumi.Provider(provider))

             if err != nil {
                if strings.Contains(err.Error(), "RoleAssignmentNotFound") {
                   fmt.Printf("Role assignment not found for scope: %s, name: %s\n", zoneIDStr, uuidString)
                   // Create the role assignment if it does not exist
                   _, err = authorization.NewRoleAssignment(ctx, fmt.Sprintf("%s-roleAssignment", identity.Name), &authorization.RoleAssignmentArgs{
                      PrincipalId:        identity.PrincipalId,
                      PrincipalType:      pulumi.String(authorization.PrincipalTypeServicePrincipal),
                      RoleAssignmentName: pulumi.String(uuidString), // Pass uuidString directly
                      RoleDefinitionId:   roleDefinitionId,
                      Scope:              pulumi.String(zoneIDStr),
                   }, pulumi.Provider(provider), pulumi.DependsOn([]pulumi.Resource{identity, zone}))
                   if err != nil {
                      return fmt.Errorf("failed to create role assignment: %w", err)
                   }
                } else {
                   return err
                }
             }
             return nil
          })
       }
    }
    return nil
}

problem is that when i run pulumi it creates a role but then if i start it again it deletes it, and if i run it again it will again create it. What could be the reason. I checked the the ids and names, scops and they are the same.