From f41ffa4f796fc7ff113fb4ae1b4f23b7d22da8cd Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Thu, 28 May 2026 12:15:22 -0400
Subject: [PATCH 1/3] add deny product updates to sc-servicecatalog t1 and t2
---
 policies/sc-servicecatalog-t1/policy.tf | 9 +++++++++
 policies/sc-servicecatalog-t2/policy.tf | 9 +++++++++
 2 files changed, 18 insertions(+)
diff --git a/policies/sc-servicecatalog-t1/policy.tf b/policies/sc-servicecatalog-t1/policy.tf
index 425ab7f..e2ac35f 100644
--- a/policies/sc-servicecatalog-t1/policy.tf
+++ b/policies/sc-servicecatalog-t1/policy.tf
@@ -10,4 +10,13 @@ data "aws_iam_policy_document" "inline" {
 ]
 resources = ["*"]
 }
+ statement {
+ sid = "DenyProductUpdates"
+ effect = "Deny"
+ actions = [
+ "servicecatalog:UpdateProvisionedProduct",
+ "servicecatalog:UpdateProvisionedProductProperties",
+ ]
+ resources = ["*"]
+ }
 }
diff --git a/policies/sc-servicecatalog-t2/policy.tf b/policies/sc-servicecatalog-t2/policy.tf
index 77c67fb..0d024d6 100644
--- a/policies/sc-servicecatalog-t2/policy.tf
+++ b/policies/sc-servicecatalog-t2/policy.tf
@@ -31,5 +31,14 @@ data "aws_iam_policy_document" "inline" {
 ]
 resources = ["*"]
 }
+ statement {
+ sid = "DenyProductUpdates"
+ effect = "Deny"
+ actions = [
+ "servicecatalog:UpdateProvisionedProduct",
+ "servicecatalog:UpdateProvisionedProductProperties",
+ ]
+ resources = ["*"]
+ }
 }
From 1fa689b59c333b8aa0ca55e2512c4d701e0c883b Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Thu, 28 May 2026 12:25:18 -0400
Subject: [PATCH 2/3] update CHANGELOG.md
---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a4ae3cb..b40949e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
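Review bot: The `DenyProductUpdates` statement in policies/sc-servicecatalog-t1/policy.tf names only `servicecatalog:UpdateProvisionedProduct` and `servicecatalog:UpdateProvisionedProductProperties`, which may not cover every path that modifies a provisioned product. The Allow statement's action list sits above the hunk and is not visible here; if it grants `servicecatalog:*` or the plan actions, a provisioned product can still be changed by creating and executing a provisioned-product plan. If the intent is that these tiers can never alter a provisioned product, add `"servicecatalog:ExecuteProvisionedProductPlan",` to `actions`, and decide whether `servicecatalog:ExecuteProvisionedProductServiceAction` belongs there too. The identical statement in policies/sc-servicecatalog-t2/policy.tf needs the same review. A short comment above each statement saying why updates are denied would help the next editor keep the action list complete.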
@@ -98,3 +98,6 @@ - group-assignment - add validation that the provided account_names actuall exist within the organization +* 1.8.1 -- 2026-05-28 + - updated policies/sc-servicecatalog-t1,-t2 + - deny update to provisioned products and properties of provisioned products \ No newline at end of file From adaf5b7b8f93a6ef724740322dcae4b79a16ebd7 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 28 May 2026 12:25:55 -0400 Subject: [PATCH 3/3] increment version --- common/version.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/version.tf b/common/version.tf index c36b41b..1f44b67 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "1.8.0" + _module_version = "1.8.1" }