fix(asea): iam role with principalarn property

source/packages/@aws-accelerator/accelerator/lib/asea-resources/iam-roles.ts

@@ -15,6 +15,7 @@ import * as cdk from 'aws-cdk-lib';
 
 import {
   AccountPrincipal,
+  ArnPrincipal,
   CfnInstanceProfile,
   CfnManagedPolicy,
   Effect,
@@ -92,6 +93,15 @@ export class Roles extends AseaResource {
           }),
         );
       }
+      if (assumedByItem.type === 'principalArn') {
+        statements.push(
+          new PolicyStatement({
+            actions: ['sts:AssumeRole'],
+            effect: Effect.ALLOW,
+            principals: [new ArnPrincipal(assumedByItem.principal)],
+          }),
+        );
+      }
       if (assumedByItem.type === 'account' && assumedByItem.principal) {
         const partition = this.props.partition;
         const accountIdRegex = /^\d{12}$/;