My approach has been: tie the role to the "thing" that consumes/needs it; centralizing might seem good but can be dangerous because of a larger impact.
If you're using StackSets, why not set one region as your "main" one and create a condition on the IAM role that only creates it within that region? This way you can still use a single StackSet but only have one IAM role.
Otherwise, you could set up roles within another stack, turn on termination protection and export its ARN. Something like `FunctionalityX-Lambda-RoleArn`.
Personally I try to avoid custom resources where they aren't required, especially if you see potentially a lot of updates/changes.
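The single-StackSet approach described in the answer, as an added example that is not part of the original post: a condition compares `AWS::Region` to a `MainRegion` parameter, the role is created only where it matches, and every other region builds the global role ARN with `!Sub`. The `us-east-1` default, the `FunctionalityX` naming and the placeholder Lambda function are assumptions for illustration.

```yaml
# Added example (not from the original answer). Assumed: us-east-1 as the
# main region, FunctionalityX-Lambda-Role as the shared role name.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  MainRegion:
    Type: String
    Default: us-east-1
    Description: Region in which the single shared IAM role is created
Conditions:
  # True only for the stack instance deployed in the main region
  IsMainRegion: !Equals [!Ref 'AWS::Region', !Ref MainRegion]
Resources:
  FunctionalityXLambdaRole:
    Type: AWS::IAM::Role
    Condition: IsMainRegion        # one role in the whole StackSet
    DeletionPolicy: Retain         # functions in other regions depend on it
    Properties:
      RoleName: FunctionalityX-Lambda-Role   # fixed name so other regions can derive the ARN
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
  FunctionalityXFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      # IAM is global, so the role created in the main region is valid here.
      # The ARN is built rather than referenced because the role resource
      # does not exist in the non-main stack instances.
      Role: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/FunctionalityX-Lambda-Role
      Code:
        ZipFile: |
          def handler(event, context):
              return "ok"
```

Deploy the main region first (or as its own StackSet operation) so the role exists before the other regions' functions reference it; deleting the main-region instance while others remain would otherwise break them, which is why the role carries `DeletionPolicy: Retain`.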