CAPA false-positive reconciliation failures because capa-iam-operator deletes IAM principal too early

[AndiDog]

IAM role nodes-nodepool0-<name of WC> gets deleted as soon as the AWSMachinePool goes away. But CAPA still needs it for reconciling AWSCluster – which can get reconciled normally for a few minutes before it gets deleted. CAPA puts an IAM policy on the cluster's S3 bucket which references the mentioned IAM role, and since that role is deleted too early, AWSCluster reconciliation fails to reconcile the bucket (failed to reconcile S3 Bucket for AWSCluster org-giantswarm/andreas84: ensuring bucket policy: creating S3 bucket policy: MalformedPolicy: Invalid principal in policy) and even marks the AWSCluster as non-ready with LoadBalancerFailed as meaningless error. Also, its logs are filled with useless errors that only confuse.

Proposal: We could check in the isRoleUsedElsewhere function whether the role is used in the S3 bucket of the AWSCluster, or just wait until the AWSCluster goes away (no finalizer needed for that) before deleting.

Issue was found in #2714, but is not causally related.