26138: Managed Policy Attachment - Check before Create

CHANGELOG.md

@@ -4,6 +4,7 @@ BUG FIXES:
 
 * resource/aws_autoscaling_attachment: Retry errors like `ValidationError: Trying to update too many Load Balancers/Target Groups at once. The limit is 10` when creating or deleting resource ([#26654](https://github.com/hashicorp/terraform-provider-aws/issues/26654))
 * resource/aws_instance: Prevents errors in ISO regions when not using DisableApiStop attribute ([#26745](https://github.com/hashicorp/terraform-provider-aws/issues/26745))
+* resource/aws_ssoadmin_managed_policy_attachment: Prevent existing managed policy on permission set from being attached again causing InternalFailure due to infinite loop. ([#26138](https://github.com/hashicorp/terraform-provider-aws/issues/26138))
 
 ## 4.30.0 (September  9, 2022)
 

internal/service/ssoadmin/managed_policy_attachment.go

@@ -64,9 +64,15 @@ func resourceManagedPolicyAttachmentCreate(d *schema.ResourceData, meta interfac
 		PermissionSetArn: aws.String(permissionSetArn),
 	}
 
+	policy, _ := FindManagedPolicy(conn, managedPolicyArn, permissionSetArn, instanceArn)
+
 	_, err := conn.AttachManagedPolicyToPermissionSet(input)
 
 	if err != nil {
+		if tfawserr.ErrCodeEquals(err, ssoadmin.ErrCodeConflictException) && policy != nil {
+			log.Printf("[WARN] Managed Policy (%s) is already attached to SSO Permission Set (%s)", managedPolicyArn, permissionSetArn)
+			return nil
+		}
 		return fmt.Errorf("error attaching Managed Policy to SSO Permission Set (%s): %w", permissionSetArn, err)
 	}
 

internal/service/ssoadmin/managed_policy_attachment_test.go

@@ -167,6 +167,44 @@ func TestAccSSOAdminManagedPolicyAttachment_multipleManagedPolicies(t *testing.T
 	})
 }
 
+func TestAccSSOAdminManagedPolicyAttachment_duplicateManagedPolicies(t *testing.T) {
+	resourceName := "aws_ssoadmin_managed_policy_attachment.test"
+	permissionSetResourceName := "aws_ssoadmin_permission_set.test"
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(t); testAccPreCheckInstances(t) },
+		ErrorCheck:               acctest.ErrorCheck(t, ssoadmin.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckManagedPolicyAttachmentDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccManagedPolicyAttachmentConfig_basic(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckManagedPolicyAttachmentExists(resourceName),
+				),
+			},
+			{
+				Config: testAccManagedPolicyAttachmentConfig_basic(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckManagedPolicyAttachmentExists(resourceName),
+					//lintignore:AWSAT001
+					resource.TestMatchResourceAttr(resourceName, "managed_policy_arn", regexp.MustCompile(`policy/AlexaForBusinessDeviceSetup`)),
+					resource.TestCheckResourceAttr(resourceName, "managed_policy_name", "AlexaForBusinessDeviceSetup"),
+					resource.TestCheckResourceAttrPair(resourceName, "instance_arn", permissionSetResourceName, "instance_arn"),
+					resource.TestCheckResourceAttrPair(resourceName, "permission_set_arn", permissionSetResourceName, "arn"),
+				),
+				ExpectNonEmptyPlan: false,
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func testAccCheckManagedPolicyAttachmentDestroy(s *terraform.State) error {
 	conn := acctest.Provider.Meta().(*conns.AWSClient).SSOAdminConn