hashicorp · YakDriver · Sep 3, 2025 · Aug 19, 2025 · Aug 21, 2025 · Aug 21, 2025
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_servicecatalog_provisioned_product: Set `provisioning_parameters` and `provisioning_artifact_id` to the values from the last successful deployment when update fails
+```
@@ -117,6 +117,10 @@ func resourceConstraintCreate(ctx context.Context, d *schema.ResourceData, meta
 			return retry.RetryableError(err)
 		}
 
+		if errs.IsAErrorMessageContains[*awstypes.InvalidParametersException](err, "Access denied while assuming the role") {
+			return retry.RetryableError(err)
+		}
+
 		if errs.IsA[*awstypes.ResourceNotFoundException](err) {
 			return retry.RetryableError(err)
 		}

@@ -18,9 +18,10 @@ var (
 	ResourceTagOption                     = resourceTagOption
 	ResourceTagOptionResourceAssociation  = resourceTagOptionResourceAssociation
 
-	FindPortfolioByID                 = findPortfolioByID
-	FindPortfolioShare                = findPortfolioShare
-	FindPrincipalPortfolioAssociation = findPrincipalPortfolioAssociation
+	FindPortfolioByID                  = findPortfolioByID
+	FindPortfolioShare                 = findPortfolioShare
+	FindPrincipalPortfolioAssociation  = findPrincipalPortfolioAssociation
+	FindProvisionedProductByTwoPartKey = findProvisionedProductByTwoPartKey
 
 	BudgetResourceAssociationParseID             = budgetResourceAssociationParseID
 	ProductPortfolioAssociationParseID           = productPortfolioAssociationParseID
@@ -36,7 +37,6 @@ var (
 	WaitOrganizationsAccessStable           = waitOrganizationsAccessStable
 	WaitProductPortfolioAssociationDeleted  = waitProductPortfolioAssociationDeleted
 	WaitProductPortfolioAssociationReady    = waitProductPortfolioAssociationReady
-	WaitProvisionedProductReady             = waitProvisionedProductReady
 	WaitTagOptionResourceAssociationDeleted = waitTagOptionResourceAssociationDeleted
 	WaitTagOptionResourceAssociationReady   = waitTagOptionResourceAssociationReady
 

@@ -11,15 +11,18 @@ import (
 
 	"github.com/YakDriver/regexache"
 	"github.com/aws/aws-sdk-go-v2/aws"
-	"github.com/aws/aws-sdk-go-v2/service/servicecatalog"
 	awstypes "github.com/aws/aws-sdk-go-v2/service/servicecatalog/types"
 	sdkacctest "github.com/hashicorp/terraform-plugin-testing/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/knownvalue"
+	"github.com/hashicorp/terraform-plugin-testing/plancheck"
+	"github.com/hashicorp/terraform-plugin-testing/statecheck"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
+	"github.com/hashicorp/terraform-plugin-testing/tfjsonpath"
 	"github.com/hashicorp/terraform-provider-aws/internal/acctest"
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
-	"github.com/hashicorp/terraform-provider-aws/internal/errs"
 	tfservicecatalog "github.com/hashicorp/terraform-provider-aws/internal/service/servicecatalog"
+	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
 	"github.com/hashicorp/terraform-provider-aws/names"
 )
 
@@ -457,6 +460,127 @@ func TestAccServiceCatalogProvisionedProduct_productTagUpdateAfterError(t *testi
 	})
 }
 
+// Validates that a provisioned product in tainted status properly triggers an update
+// on subsequent applies.
+// Ref: https://github.com/hashicorp/terraform-provider-aws/issues/42585
+func TestAccServiceCatalogProvisionedProduct_retryTaintedUpdate(t *testing.T) {
+	ctx := acctest.Context(t)
+	resourceName := "aws_servicecatalog_provisioned_product.test"
+	artifactsDataSourceName := "data.aws_servicecatalog_provisioning_artifacts.product_artifacts"
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	initialArtifactID := "provisioning_artifact_details.0.id"
+	newArtifactID := "provisioning_artifact_details.1.id"
+	var v awstypes.ProvisionedProductDetail
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.ServiceCatalogServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckProvisionedProductDestroy(ctx),
+		Steps: []resource.TestStep{
+			// Step 1 - Setup
+			{
+				Config: testAccProvisionedProductConfig_retryTaintedUpdate(rName, false, false, "original"),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckProvisionedProductExists(ctx, resourceName, &v),
+					resource.TestCheckResourceAttrPair(resourceName, "provisioning_artifact_id", artifactsDataSourceName, initialArtifactID),
+				),
+				ConfigStateChecks: []statecheck.StateCheck{
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New(names.AttrStatus), knownvalue.StringExact("AVAILABLE")),
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("provisioning_parameters"), knownvalue.ListExact([]knownvalue.Check{
+						knownvalue.ObjectExact(map[string]knownvalue.Check{
+							names.AttrKey:        knownvalue.StringExact("FailureSimulation"),
+							"use_previous_value": knownvalue.Bool(false),
+							names.AttrValue:      knownvalue.StringExact(acctest.CtFalse),
+						}),
+						knownvalue.ObjectExact(map[string]knownvalue.Check{
+							names.AttrKey:        knownvalue.StringExact("ExtraParam"),
+							"use_previous_value": knownvalue.Bool(false),
+							names.AttrValue:      knownvalue.StringExact("original"),
+						}),
+					})),
+				},
+			},
+			// Step 2 - Trigger a failure, leaving the provisioned product tainted
+			{
+				Config:      testAccProvisionedProductConfig_retryTaintedUpdate(rName, true, true, "updated"),
+				ExpectError: regexache.MustCompile(`The following resource\(s\) failed to update:`),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionUpdate),
+						plancheck.ExpectKnownValue(resourceName, tfjsonpath.New("provisioning_parameters"), knownvalue.ListExact([]knownvalue.Check{
+							knownvalue.ObjectExact(map[string]knownvalue.Check{
+								names.AttrKey:        knownvalue.StringExact("FailureSimulation"),
+								"use_previous_value": knownvalue.Bool(false),
+								names.AttrValue:      knownvalue.StringExact(acctest.CtTrue),
+							}),
+							knownvalue.ObjectExact(map[string]knownvalue.Check{
+								names.AttrKey:        knownvalue.StringExact("ExtraParam"),
+								"use_previous_value": knownvalue.Bool(false),
+								names.AttrValue:      knownvalue.StringExact("updated"),
+							}),
+						})),
+					},
+				},
+				ConfigStateChecks: []statecheck.StateCheck{
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New(names.AttrStatus), knownvalue.StringExact("TAINTED")),
+					// Verify state is rolled back to the parameters from the original setup run
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("provisioning_parameters"), knownvalue.ListExact([]knownvalue.Check{
+						knownvalue.ObjectExact(map[string]knownvalue.Check{
+							names.AttrKey:        knownvalue.StringExact("FailureSimulation"),
+							"use_previous_value": knownvalue.Bool(false),
+							names.AttrValue:      knownvalue.StringExact(acctest.CtFalse),
+						}),
+						knownvalue.ObjectExact(map[string]knownvalue.Check{
+							names.AttrKey:        knownvalue.StringExact("ExtraParam"),
+							"use_previous_value": knownvalue.Bool(false),
+							names.AttrValue:      knownvalue.StringExact("original"),
+						}),
+					})),
+				},
+			},
+			// Step 3 - Verify an update is planned, even without configuration changes
+			{
+				Config: testAccProvisionedProductConfig_retryTaintedUpdate(rName, true, true, "updated"),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionUpdate),
+					},
+				},
+				ExpectError: regexache.MustCompile(`The following resource\(s\) failed to update:`),
+			},
+			// Step 4 - Resolve the failure, verifying an update is completed
+			{
+				Config: testAccProvisionedProductConfig_retryTaintedUpdate(rName, true, false, "updated"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckProvisionedProductExists(ctx, resourceName, &v),
+					resource.TestCheckResourceAttrPair(resourceName, "provisioning_artifact_id", artifactsDataSourceName, newArtifactID),
+				),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionUpdate),
+					},
+				},
+				ConfigStateChecks: []statecheck.StateCheck{
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New(names.AttrStatus), knownvalue.StringExact("AVAILABLE")),
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("provisioning_parameters"), knownvalue.ListExact([]knownvalue.Check{
+						knownvalue.ObjectExact(map[string]knownvalue.Check{
+							names.AttrKey:        knownvalue.StringExact("FailureSimulation"),
+							"use_previous_value": knownvalue.Bool(false),
+							names.AttrValue:      knownvalue.StringExact(acctest.CtFalse),
+						}),
+						knownvalue.ObjectExact(map[string]knownvalue.Check{
+							names.AttrKey:        knownvalue.StringExact("ExtraParam"),
+							"use_previous_value": knownvalue.Bool(false),
+							names.AttrValue:      knownvalue.StringExact("updated"),
+						}),
+					})),
+				},
+			},
+		},
+	})
+}
+
 func testAccCheckProvisionedProductDestroy(ctx context.Context) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		conn := acctest.Provider.Meta().(*conns.AWSClient).ServiceCatalogClient(ctx)
@@ -466,43 +590,39 @@ func testAccCheckProvisionedProductDestroy(ctx context.Context) resource.TestChe
 				continue
 			}
 
-			input := &servicecatalog.DescribeProvisionedProductInput{
-				Id:             aws.String(rs.Primary.ID),
-				AcceptLanguage: aws.String(rs.Primary.Attributes["accept_language"]),
-			}
-			_, err := conn.DescribeProvisionedProduct(ctx, input)
+			_, err := tfservicecatalog.FindProvisionedProductByTwoPartKey(ctx, conn, rs.Primary.ID, rs.Primary.Attributes["accept_language"])
 
-			if errs.IsA[*awstypes.ResourceNotFoundException](err) {
+			if tfresource.NotFound(err) {
 				continue
 			}
 
 			if err != nil {
 				return err
 			}
 
-			return fmt.Errorf("Service Catalog Provisioned Product (%s) still exists", rs.Primary.ID)
+			return fmt.Errorf("Service Catalog Provisioned Product %s still exists", rs.Primary.ID)
 		}
 
 		return nil
 	}
 }
 
-func testAccCheckProvisionedProductExists(ctx context.Context, resourceName string, pprod *awstypes.ProvisionedProductDetail) resource.TestCheckFunc {
+func testAccCheckProvisionedProductExists(ctx context.Context, n string, v *awstypes.ProvisionedProductDetail) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
-		rs, ok := s.RootModule().Resources[resourceName]
-
+		rs, ok := s.RootModule().Resources[n]
 		if !ok {
-			return fmt.Errorf("resource not found: %s", resourceName)
+			return fmt.Errorf("Not found: %s", n)
 		}
 
 		conn := acctest.Provider.Meta().(*conns.AWSClient).ServiceCatalogClient(ctx)
 
-		out, err := tfservicecatalog.WaitProvisionedProductReady(ctx, conn, tfservicecatalog.AcceptLanguageEnglish, rs.Primary.ID, "", tfservicecatalog.ProvisionedProductReadyTimeout)
+		output, err := tfservicecatalog.FindProvisionedProductByTwoPartKey(ctx, conn, rs.Primary.ID, rs.Primary.Attributes["accept_language"])
+
 		if err != nil {
-			return fmt.Errorf("describing Service Catalog Provisioned Product (%s): %w", rs.Primary.ID, err)
+			return err
 		}
 
-		*pprod = *out.ProvisionedProductDetail
+		*v = *output.ProvisionedProductDetail
 
 		return nil
 	}
@@ -988,3 +1108,71 @@ resource "aws_s3_bucket" "conflict" {
 }
 `, rName, conflictingBucketName, tagValue))
 }
+
+func testAccProvisionedProductConfig_retryTaintedUpdate(rName string, useNewVersion bool, simulateFailure bool, extraParam string) string {
+	return acctest.ConfigCompose(
+		testAccProvisionedProductPortfolioBaseConfig(rName),
+		fmt.Sprintf(`
+locals {
+  initial_provisioning_artifact = data.aws_servicecatalog_provisioning_artifacts.product_artifacts.provisioning_artifact_details[0]
+  new_provisioning_artifact     = data.aws_servicecatalog_provisioning_artifacts.product_artifacts.provisioning_artifact_details[1]
+}
+
+resource "aws_servicecatalog_provisioned_product" "test" {
+  name                     = %[1]q
+  product_id               = aws_servicecatalog_product.test.id
+  provisioning_artifact_id = %[2]t ? local.new_provisioning_artifact.id : local.initial_provisioning_artifact.id
+
+  provisioning_parameters {
+    key   = "FailureSimulation"
+    value = "%[3]t"
+  }
+
+  provisioning_parameters {
+    key   = "ExtraParam"
+    value = %[4]q
+  }
+}
+
+resource "aws_servicecatalog_product" "test" {
+  description = %[1]q
+  name        = %[1]q
+  owner       = "test"
+  type        = "CLOUD_FORMATION_TEMPLATE"
+
+  provisioning_artifact_parameters {
+    name         = "%[1]s - Initial"
+    description  = "Initial"
+    template_url = "https://${aws_s3_bucket.test.bucket_regional_domain_name}/${aws_s3_object.test.key}"
+    type         = "CLOUD_FORMATION_TEMPLATE"
+  }
+}
+
+resource "aws_servicecatalog_provisioning_artifact" "new_version" {
+  product_id = aws_servicecatalog_product.test.id
+
+  name         = "%[1]s - New"
+  description  = "New"
+  template_url = "https://${aws_s3_bucket.test.bucket_regional_domain_name}/${aws_s3_object.test.key}"
+  type         = "CLOUD_FORMATION_TEMPLATE"
+}
+
+data "aws_servicecatalog_provisioning_artifacts" "product_artifacts" {
+  product_id = aws_servicecatalog_product.test.id
+
+  depends_on = [aws_servicecatalog_provisioning_artifact.new_version]
+}
+
+resource "aws_s3_bucket" "test" {
+  bucket        = %[1]q
+  force_destroy = true
+}
+
+resource "aws_s3_object" "test" {
+  bucket = aws_s3_bucket.test.id
+  key    = "product_template.yaml"
+
+  source = "${path.module}/testdata/retry-tainted-update/product_template.yaml"
+}
+`, rName, useNewVersion, simulateFailure, extraParam))
+}
@@ -321,39 +321,6 @@ func statusLaunchPaths(ctx context.Context, conn *servicecatalog.Client, acceptL
 	}
 }
 
-func statusProvisionedProduct(ctx context.Context, conn *servicecatalog.Client, acceptLanguage, id, name string) retry.StateRefreshFunc {
-	return func() (any, string, error) {
-		input := &servicecatalog.DescribeProvisionedProductInput{}
-
-		if acceptLanguage != "" {
-			input.AcceptLanguage = aws.String(acceptLanguage)
-		}
-
-		// one or the other but not both
-		if id != "" {
-			input.Id = aws.String(id)
-		} else if name != "" {
-			input.Name = aws.String(name)
-		}
-
-		output, err := conn.DescribeProvisionedProduct(ctx, input)
-
-		if errs.IsA[*awstypes.ResourceNotFoundException](err) {
-			return nil, "", nil
-		}
-
-		if err != nil {
-			return nil, "", err
-		}
-
-		if output == nil || output.ProvisionedProductDetail == nil {
-			return nil, "", nil
-		}
-
-		return output, string(output.ProvisionedProductDetail.Status), err
-	}
-}
-
 func statusPortfolioConstraints(ctx context.Context, conn *servicecatalog.Client, acceptLanguage, portfolioID, productID string) retry.StateRefreshFunc {
 	return func() (any, string, error) {
 		input := &servicecatalog.ListConstraintsForPortfolioInput{