I'm running the Lambda from the Serverless Application Repository. It attempts to delete one of the groups but fails with this message:

Notifying Lambda and mark this execution as Failure: AccessDeniedException: User: arn:aws:sts::X:assumed-role/serverlessrepo-X-ssosyn-SSOSyncFunctionRole-X/serverlessrepo-X-ssosync-go-SSOSyncFunction-X is not authorized to perform: identitystore:DeleteGroup on resource: arn:aws:identitystore::X:identitystore/d-X because no identity-based policy allows the identitystore:DeleteGroup action

I checked in IAM and confirmed that the policy does not include this action. It doesn't look like it's included in the template. I believe the DeleteGroup action needs to be added to the template and this issue would be resolved.

To Reproduce
Steps to reproduce the behavior:

1. Set up a new organization using AWS Control Tower.
2. Deploy the SSO sync Lambda.
3. SSO sync will attempt to delete a pre-existing group.

Expected behavior
The group is successfully deleted.