From 4bd089f5cc3f6ba5ab94e9abab3207adf376f7b4 Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 23 Jan 2026 13:20:01 -0500 Subject: [PATCH] * 1.4.2 -- 2026-01-23 - created policies - policies/inf-idc-t1 - policies/inf-idc-t2 --- CHANGELOG.md | 5 ++++ common/version.tf | 2 +- policies/inf-idc-t1/README.md | 33 +++++++++++++++++++++++++ policies/inf-idc-t1/locals.tf | 12 +++++++++ policies/inf-idc-t1/main.tf | 2 ++ policies/inf-idc-t1/module_name.tf | 3 +++ policies/inf-idc-t1/outputs.tf | 24 ++++++++++++++++++ policies/inf-idc-t1/policy.tf | 1 + policies/inf-idc-t1/settings.tf | 12 +++++++++ policies/inf-idc-t1/variables.tf.unused | 29 ++++++++++++++++++++++ policies/inf-idc-t2/README.md | 33 +++++++++++++++++++++++++ policies/inf-idc-t2/locals.tf | 12 +++++++++ policies/inf-idc-t2/main.tf | 2 ++ policies/inf-idc-t2/module_name.tf | 3 +++ policies/inf-idc-t2/outputs.tf | 24 ++++++++++++++++++ policies/inf-idc-t2/policy.tf | 23 +++++++++++++++++ policies/inf-idc-t2/settings.tf | 11 +++++++++ policies/inf-idc-t2/variables.tf.unused | 29 ++++++++++++++++++++++ 18 files changed, 259 insertions(+), 1 deletion(-) create mode 100644 policies/inf-idc-t1/README.md create mode 100644 policies/inf-idc-t1/locals.tf create mode 100644 policies/inf-idc-t1/main.tf create mode 100644 policies/inf-idc-t1/module_name.tf create mode 100644 policies/inf-idc-t1/outputs.tf create mode 100644 policies/inf-idc-t1/policy.tf create mode 100644 policies/inf-idc-t1/settings.tf create mode 100644 policies/inf-idc-t1/variables.tf.unused create mode 100644 policies/inf-idc-t2/README.md create mode 100644 policies/inf-idc-t2/locals.tf create mode 100644 policies/inf-idc-t2/main.tf create mode 100644 policies/inf-idc-t2/module_name.tf create mode 100644 policies/inf-idc-t2/outputs.tf create mode 100644 policies/inf-idc-t2/policy.tf create mode 100644 policies/inf-idc-t2/settings.tf create mode 100644 policies/inf-idc-t2/variables.tf.unused 
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d71f604..f9a459c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -67,3 +67,8 @@
 - created policies
 - policies/sc-servicecatalog-t2
 - policies/sc-servicecatalog-t3
+
+* 1.4.2 -- 2026-01-23
+ - created policies
+ - policies/inf-idc-t1
+ - policies/inf-idc-t2
diff --git a/common/version.tf b/common/version.tf
index a34718a..f549198 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "1.4.1"
+ _module_version = "1.4.2"
 }
diff --git a/policies/inf-idc-t1/README.md b/policies/inf-idc-t1/README.md
new file mode 100644
index 0000000..1bd0096
--- /dev/null
+++ b/policies/inf-idc-t1/README.md
@@ -0,0 +1,33 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy_document.inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [customer\_managed\_policy\_names](#output\_customer\_managed\_policy\_names) | Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset |
+| [inline\_policy](#output\_inline\_policy) | AWS Policy document for the single allowed inline policy (use .json to get policy) |
+| [managed\_policy\_names](#output\_managed\_policy\_names) | Names of AWS Managed Policy to attach to the permissionset |
+| [name](#output\_name) | Permission Set Name for which all settings apply |
+| [relay\_state](#output\_relay\_state) | Relay State to pass along to permissionset |
diff --git a/policies/inf-idc-t1/locals.tf b/policies/inf-idc-t1/locals.tf
new file mode 100644
index 0000000..6aa29cd
--- /dev/null
+++ b/policies/inf-idc-t1/locals.tf
@@ -0,0 +1,12 @@
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ region = data.aws_region.current.region
+ region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:tf_module_name" = local._module_name
+ "boc:created_by" = "terraform"
+ }
+}
diff --git a/policies/inf-idc-t1/main.tf b/policies/inf-idc-t1/main.tf
new file mode 100644
index 0000000..3c91f4a
--- /dev/null
+++ b/policies/inf-idc-t1/main.tf
@@ -0,0 +1,2 @@
+/*
+*/
diff --git a/policies/inf-idc-t1/module_name.tf b/policies/inf-idc-t1/module_name.tf
new file mode 100644
index 0000000..a019a03
--- /dev/null
+++ b/policies/inf-idc-t1/module_name.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_name = "aws-sso/policies/inf-idc-t1"
+}
diff --git a/policies/inf-idc-t1/outputs.tf b/policies/inf-idc-t1/outputs.tf
new file mode 100644
index 0000000..776869b
--- /dev/null
+++ b/policies/inf-idc-t1/outputs.tf
@@ -0,0 +1,24 @@
+output "name" {
+ description = "Permission Set Name for which all settings apply"
+ value = local.name
+}
+
+output "managed_policy_names" {
+ description = "Names of AWS Managed Policy to attach to the permissionset"
+ value = local.managed_policy_names
+}
+
+output "customer_managed_policy_names" {
+ description = "Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset"
+ value = local.customer_managed_policy_names
+}
+
+output "inline_policy" {
+ description = "AWS Policy document for the single allowed inline policy (use .json to get policy)"
+ value = local.inline_policy
+}
+
+output "relay_state" {
+ description = "Relay State to pass along to permissionset"
+ value = local.relay_state
+}
diff --git a/policies/inf-idc-t1/policy.tf b/policies/inf-idc-t1/policy.tf
new file mode 100644
index 0000000..f9c4186
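Review bot: The new locals.tf reads `var.account_id`, `data.aws_caller_identity.current`, `data.aws_arn.current`, `data.aws_region.current` and `local._module_version`, none of which are declared in the new policies/inf-idc-t1 directory — the README says "No inputs" and the variables file is shipped as `variables.tf.unused`. If these come from files in common/ that are linked into each policy directory (common/version.tf is touched by this commit, which suggests so), a one-line comment at the top of locals.tf saying where they are declared would save the next reader a `terraform validate` run; if not, the module cannot plan. The `.region` attribute on `data.aws_region` is only available on recent AWS provider majors, yet the README shows the provider version as n/a, so a `required_providers` constraint is worth adding alongside. The identical locals.tf for policies/inf-idc-t2 has the same issue.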
--- /dev/null
+++ b/policies/inf-idc-t1/policy.tf
@@ -0,0 +1 @@
+data "aws_iam_policy_document" "inline" {}
diff --git a/policies/inf-idc-t1/settings.tf b/policies/inf-idc-t1/settings.tf
new file mode 100644
index 0000000..ee7e3e3
--- /dev/null
+++ b/policies/inf-idc-t1/settings.tf
@@ -0,0 +1,12 @@
+locals {
+ name = "inf-idc-t1"
+ managed_policy_names = [
+ "ReadOnlyAccess",
+ "AWSSSOReadOnly",
+ "AWSSSODirectoryReadOnly",
+ ]
+ customer_managed_policy_names = { "p-inf-tfstate-write" = null }
+ relay_state = data.aws_arn.current.partition == "aws-us-gov" ? "https://console.amazonaws-us-gov.com/singlesignon/home?region=us-gov-east-1" : "https://console.aws.amazon.com/singlesignon/home?region=us-east-1"
+ # inline_policy = data.aws_iam_policy_document.inline
+ inline_policy = null
+}
diff --git a/policies/inf-idc-t1/variables.tf.unused b/policies/inf-idc-t1/variables.tf.unused
new file mode 100644
index 0000000..53d6bf1
--- /dev/null
+++ b/policies/inf-idc-t1/variables.tf.unused
@@ -0,0 +1,29 @@
+variable "name" {
+ description = "Permission Set Name for which all settings apply"
+ type = string
+ default = null
+}
+
+variable "managed_policy_names" {
+ description = "Names of AWS Managed Policy to attach to the permissionset"
+ type = list(string)
+ default = []
+}
+
+variable "customer_managed_policy_names" {
+ description = "Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset"
+ type = map(string)
+ default = {}
+}
+
+# variable "inline_policy" {
+# description = "AWS Policy document for the single allowed inline policy"
+# type = string
+# default = null
+# }
+
+variable "relay_state" {
+ description = "Relay State to pass along to permissionset"
+ type = string
+ default = null
+}
diff --git a/policies/inf-idc-t2/README.md b/policies/inf-idc-t2/README.md
new file mode 100644
index 0000000..1bd0096
--- /dev/null
+++ b/policies/inf-idc-t2/README.md
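Review bot: `data "aws_iam_policy_document" "inline" {}` declares a document with no statement, and settings.tf in the same directory sets `inline_policy = null` with the reference to this data source commented out, so the data source is dead configuration that the README nevertheless lists under Resources. Either drop policy.tf for this tier or mark the intent with a comment so nobody wires the empty document in later, e.g. `# No inline policy for inf-idc-t1; kept only so the directory layout matches the other tiers. settings.tf sets inline_policy = null.`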
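Review bot: The t1 tier is composed from read-only managed policies (`ReadOnlyAccess`, `AWSSSOReadOnly`, `AWSSSODirectoryReadOnly`) but also attaches the customer managed policy `p-inf-tfstate-write` with no permission boundary (`null`), and nothing in settings.tf records why a read-only tier needs write access to Terraform state. The policy body is not in this diff, so this is inferred from the name only; if it does grant state-bucket writes, that is the ability to steer the next apply and to read any secrets held in state, which is a larger privilege than the rest of the set suggests. A short comment on that line stating the justification, e.g. `# tfstate write is required for <reason>; no boundary because <reason>`, or a boundary value instead of `null`, would make the intent reviewable. The leftover `# inline_policy = data.aws_iam_policy_document.inline` line should also be removed rather than left as a commented alternative.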
@@ -0,0 +1,33 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy_document.inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [customer\_managed\_policy\_names](#output\_customer\_managed\_policy\_names) | Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset |
+| [inline\_policy](#output\_inline\_policy) | AWS Policy document for the single allowed inline policy (use .json to get policy) |
+| [managed\_policy\_names](#output\_managed\_policy\_names) | Names of AWS Managed Policy to attach to the permissionset |
+| [name](#output\_name) | Permission Set Name for which all settings apply |
+| [relay\_state](#output\_relay\_state) | Relay State to pass along to permissionset |
diff --git a/policies/inf-idc-t2/locals.tf b/policies/inf-idc-t2/locals.tf
new file mode 100644
index 0000000..6aa29cd
--- /dev/null
+++ b/policies/inf-idc-t2/locals.tf
@@ -0,0 +1,12 @@
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ region = data.aws_region.current.region
+ region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:tf_module_name" = local._module_name
+ "boc:created_by" = "terraform"
+ }
+}
diff --git a/policies/inf-idc-t2/main.tf b/policies/inf-idc-t2/main.tf
new file mode 100644
index 0000000..3c91f4a
--- /dev/null
+++ b/policies/inf-idc-t2/main.tf
@@ -0,0 +1,2 @@
+/*
+*/
diff --git a/policies/inf-idc-t2/module_name.tf b/policies/inf-idc-t2/module_name.tf
new file mode 100644
index 0000000..a019a03
--- /dev/null
+++ b/policies/inf-idc-t2/module_name.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_name = "aws-sso/policies/inf-idc-t1"
+}
diff --git a/policies/inf-idc-t2/outputs.tf b/policies/inf-idc-t2/outputs.tf
new file mode 100644
index 0000000..776869b
--- /dev/null
+++ b/policies/inf-idc-t2/outputs.tf
@@ -0,0 +1,24 @@
+output "name" {
+ description = "Permission Set Name for which all settings apply"
+ value = local.name
+}
+
+output "managed_policy_names" {
+ description = "Names of AWS Managed Policy to attach to the permissionset"
+ value = local.managed_policy_names
+}
+
+output "customer_managed_policy_names" {
+ description = "Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset"
+ value = local.customer_managed_policy_names
+}
+
+output "inline_policy" {
+ description = "AWS Policy document for the single allowed inline policy (use .json to get policy)"
+ value = local.inline_policy
+}
+
+output "relay_state" {
+ description = "Relay State to pass along to permissionset"
+ value = local.relay_state
+}
diff --git a/policies/inf-idc-t2/policy.tf b/policies/inf-idc-t2/policy.tf
new file mode 100644
index 0000000..aa183dc
--- /dev/null
+++ b/policies/inf-idc-t2/policy.tf
@@ -0,0 +1,23 @@
+data "aws_iam_policy_document" "inline" {
+ statement {
+ sid = "IDCPermissions"
+ effect = "Allow"
+ actions = [
+ "iam:Describe*",
+ "iam:Get*",
+ "iam:List*",
+ "iam:ListRoles",
+ "ec2:Describe*",
+ "ec2:Get*",
+ "ec2:List*",
+ "ec2:Report*",
+ "ec2:Search*",
+ "identitystore:*",
+ "organizations:Describe*",
+ "organizations:List*",
+ "sso:*",
+ "sso-directory:*",
+ ]
+ resources = ["*"]
+ }
+}
diff --git a/policies/inf-idc-t2/settings.tf b/policies/inf-idc-t2/settings.tf
new file mode 100644
index 0000000..2aca707
--- /dev/null
+++ b/policies/inf-idc-t2/settings.tf
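Review bot: The t2 module_name.tf is a copy of the t1 file and still says `_module_name = "aws-sso/policies/inf-idc-t1"`, so the `boc:tf_module_name` tag built in locals.tf will attribute the t2 permission set to the wrong module; it should read `_module_name = "aws-sso/policies/inf-idc-t2"`. The same copy-paste carries into policies/inf-idc-t2/settings.tf, where `name = "inf-idc-t1"` is also unchanged — that one is the more serious of the two, because both modules then emit the same permission-set name and whichever consumer creates the set from these outputs will either collide with the t1 set or provision t2's `AWSSSODirectoryAdministrator` and inline `sso:*` grants under the name reserved for the read-only tier. Fix both to `inf-idc-t2` in this commit rather than in a follow-up.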
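Review bot: `"sso:*"`, `"sso-directory:*"` and `"identitystore:*"` on `resources = ["*"]` make this inline policy a full IAM Identity Center administrator — it covers creating and modifying permission sets and account assignments, not just the directory-admin scope the managed policy `AWSSSODirectoryAdministrator` in settings.tf already grants — so the effective privilege of this tier is not bounded by the read-only managed policies listed beside it. If the intent is a tier that manages users and groups but not permission-set assignments, enumerate the `sso:` write actions actually needed instead of the wildcard and leave `identitystore:*` as the directory-management grant; if full Identity Center administration is intended, say so in a comment on the statement (`# Intentionally full IDC admin: this tier owns permission sets and assignments`) so it survives review. Separately, `"iam:ListRoles"` is already covered by `"iam:List*"` on the line above and can be dropped.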
@@ -0,0 +1,11 @@
+locals {
+ name = "inf-idc-t1"
+ managed_policy_names = [
+ "ReadOnlyAccess",
+ "AWSSSOReadOnly",
+ "AWSSSODirectoryAdministrator",
+ ]
+ customer_managed_policy_names = { "p-inf-tfstate-write" = null }
+ relay_state = data.aws_arn.current.partition == "aws-us-gov" ? "https://console.amazonaws-us-gov.com/singlesignon/home?region=us-gov-east-1" : "https://console.aws.amazon.com/singlesignon/home?region=us-east-1"
+ inline_policy = data.aws_iam_policy_document.inline
+}
diff --git a/policies/inf-idc-t2/variables.tf.unused b/policies/inf-idc-t2/variables.tf.unused
new file mode 100644
index 0000000..53d6bf1
--- /dev/null
+++ b/policies/inf-idc-t2/variables.tf.unused
@@ -0,0 +1,29 @@
+variable "name" {
+ description = "Permission Set Name for which all settings apply"
+ type = string
+ default = null
+}
+
+variable "managed_policy_names" {
+ description = "Names of AWS Managed Policy to attach to the permissionset"
+ type = list(string)
+ default = []
+}
+
+variable "customer_managed_policy_names" {
+ description = "Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset"
+ type = map(string)
+ default = {}
+}
+
+# variable "inline_policy" {
+# description = "AWS Policy document for the single allowed inline policy"
+# type = string
+# default = null
+# }
+
+variable "relay_state" {
+ description = "Relay State to pass along to permissionset"
+ type = string
+ default = null
+}