Bug Description
The aft-account-request-processor Lambda re-associates the AWSAFTService principal with the AWS Control Tower Account Factory Portfolio, even if the principal already has access. Among other effects, this adds noise to CloudTrail event history.
To Reproduce
Invoke the aft-account-request-processor Lambda.
Expected behavior
The aft-account-request-processor Lambda should only associate the AWSAFTService principal with the AWS Control Tower Account Factory Portfolio if the principal does not already have access.
GregCKrause changed the title from "Redundant AWSAFTService Service Catalog Portfolio assignments" to "Redundant AWSAFTService Service Catalog Portfolio associations" on Aug 18, 2024
I'll also add that this is a surprisingly costly little line of code. Service Catalog charges per API request at a rate of ~$0.0007/API call. By default, AFT runs this Lambda once every 5 minutes (via EventBridge rule aft-lambda-account-request-processor).
In a monthly period, that's 8640 calls to this function, which is about $5 per AFT deployment per month just due to inefficient code. This is probably costing customers -- in aggregate -- a few hundred grand per year.
Even if the call to Service Catalog is necessary, we should be able to reduce the cost by moving the association request within the conditional if sqs_message is not None:, so that it only runs if there's actually a message to process.
AFT Version: 1.13.1
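The two fixes proposed above (check ListPrincipalsForPortfolio before calling AssociatePrincipalWithPortfolio, and do neither when the queue is empty) in working form. This is an added example, not AFT's own code: the portfolio ID, principal ARN and the FakeServiceCatalog client are constructed for illustration, and the real functions are duck-typed on boto3's servicecatalog client so the file runs offline; in a Lambda you would pass boto3.client("servicecatalog") instead of the fake.

```python
"""Idempotent Service Catalog portfolio association (added example, not AFT code).

Avoids the redundant AssociatePrincipalWithPortfolio call by paging through
ListPrincipalsForPortfolio first, and skips Service Catalog entirely when
there is no SQS message to process. The client argument is duck-typed on
boto3's servicecatalog client; FakeServiceCatalog is a constructed stand-in.
"""
from typing import Any, Dict, Iterator, List, Optional

# Assumed identifiers for illustration only; AFT resolves the real ones at runtime.
PORTFOLIO_ID = "port-example12345"
AFT_SERVICE_PRINCIPAL_ARN = "arn:aws:iam::123456789012:role/AWSAFTService"


def iter_portfolio_principals(sc_client, portfolio_id: str) -> Iterator[Dict[str, str]]:
    """Yield every principal on the portfolio, following NextPageToken so a
    principal on a later page is not mistaken for a missing one (which would
    re-introduce the redundant association)."""
    token: Optional[str] = None
    while True:
        kwargs: Dict[str, Any] = {"PortfolioId": portfolio_id, "PageSize": 20}
        if token:
            kwargs["PageToken"] = token
        page = sc_client.list_principals_for_portfolio(**kwargs)
        yield from page.get("Principals", [])
        token = page.get("NextPageToken")
        if not token:
            return


def ensure_principal_associated(sc_client, portfolio_id: str, principal_arn: str) -> bool:
    """Associate principal_arn only when it is absent. Returns True if a write
    (AssociatePrincipalWithPortfolio) was actually issued."""
    for principal in iter_portfolio_principals(sc_client, portfolio_id):
        if principal.get("PrincipalARN") == principal_arn:
            return False  # already has access: no write call, no CloudTrail noise
    sc_client.associate_principal_with_portfolio(
        PortfolioId=portfolio_id, PrincipalARN=principal_arn, PrincipalType="IAM"
    )
    return True


def process_account_request(
    sc_client,
    sqs_message: Optional[dict],
    portfolio_id: str = PORTFOLIO_ID,
    principal_arn: str = AFT_SERVICE_PRINCIPAL_ARN,
) -> Dict[str, bool]:
    """Per-invocation skeleton: on the empty-queue case (the common one for a
    5-minute schedule) return before touching Service Catalog at all."""
    if sqs_message is None:
        return {"processed": False, "associated": False}
    associated = ensure_principal_associated(sc_client, portfolio_id, principal_arn)
    # ... handling of the account request itself would follow here ...
    return {"processed": True, "associated": associated}


class FakeServiceCatalog:
    """Constructed in-memory stand-in for boto3's servicecatalog client. It
    returns the same response shapes as the real API, paginates, and counts
    API calls so the cost of each code path is visible."""

    def __init__(self, principals: List[str], page_size: int = 2):
        self._principals = list(principals)
        self._page_size = page_size
        self.calls = {"list": 0, "associate": 0}

    def list_principals_for_portfolio(self, PortfolioId, PageSize=20, PageToken=None):
        self.calls["list"] += 1
        start = int(PageToken) if PageToken else 0
        end = start + min(PageSize, self._page_size)
        items = [
            {"PrincipalARN": arn, "PrincipalType": "IAM"}
            for arn in self._principals[start:end]
        ]
        resp: Dict[str, Any] = {"Principals": items}
        if end < len(self._principals):
            resp["NextPageToken"] = str(end)
        return resp

    def associate_principal_with_portfolio(self, PortfolioId, PrincipalARN, PrincipalType):
        self.calls["associate"] += 1
        self._principals.append(PrincipalARN)
        return {}


if __name__ == "__main__":
    sc = FakeServiceCatalog(["arn:aws:iam::123456789012:role/SomeOtherRole"])
    print(process_account_request(sc, {"body": "request"}), sc.calls)  # first run associates
    print(process_account_request(sc, {"body": "request"}), sc.calls)  # second run is read-only
    print(process_account_request(sc, None), sc.calls)                  # empty queue: no API calls
```

The read before write costs one ListPrincipalsForPortfolio call per processed message (more if the portfolio spans several pages), so it only pays off together with the early return on an empty queue; with both in place a quiet deployment makes no Service Catalog calls at all.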