diff --git a/CHANGELOG.md b/CHANGELOG.md
index 97ce29f..d71f604 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -62,3 +62,8 @@
- create new central policies to be used for permissionsets so they can be consistent across orgs
- created policies
- policies/sc-servicecatalog-t1
+
+* 1.4.1 -- 2026-01-16
+ - created policies
+ - policies/sc-servicecatalog-t2
+ - policies/sc-servicecatalog-t3
diff --git a/common/version.tf b/common/version.tf
index 37ff20f..a34718a 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
locals {
- _module_version = "1.4.0"
+ _module_version = "1.4.1"
}
diff --git a/policies/sc-servicecatalog-t2/README.md b/policies/sc-servicecatalog-t2/README.md
new file mode 100644
index 0000000..33cb3c2
--- /dev/null
+++ b/policies/sc-servicecatalog-t2/README.md
@@ -0,0 +1,44 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.12 |
+| [aws](#requirement\_aws) | >= 6.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 6.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [customer\_managed\_policy\_names](#output\_customer\_managed\_policy\_names) | Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset |
+| [inline\_policy](#output\_inline\_policy) | AWS Policy document for the single allowed inline policy (use .json to get policy) |
+| [managed\_policy\_names](#output\_managed\_policy\_names) | Names of AWS Managed Policy to attach to the permissionset |
+| [name](#output\_name) | Permission Set Name for which all settings apply |
+| [relay\_state](#output\_relay\_state) | Relay State to pass along to permissionset |
diff --git a/policies/sc-servicecatalog-t2/data.tf b/policies/sc-servicecatalog-t2/data.tf
new file mode 120000
index 0000000..37fff16
--- /dev/null
+++ b/policies/sc-servicecatalog-t2/data.tf
@@ -0,0 +1 @@
+../../common/data.tf
\ No newline at end of file
diff --git a/policies/sc-servicecatalog-t2/defaults.tf b/policies/sc-servicecatalog-t2/defaults.tf
new file mode 120000
index 0000000..1227df3
--- /dev/null
+++ b/policies/sc-servicecatalog-t2/defaults.tf
@@ -0,0 +1 @@
+../../common/defaults.tf
\ No newline at end of file
diff --git a/policies/sc-servicecatalog-t2/locals.tf b/policies/sc-servicecatalog-t2/locals.tf
new file mode 100644
index 0000000..6aa29cd
--- /dev/null
+++ b/policies/sc-servicecatalog-t2/locals.tf
@@ -0,0 +1,12 @@
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ region = data.aws_region.current.region
+ region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:tf_module_name" = local._module_name
+ "boc:created_by" = "terraform"
+ }
+}
diff --git a/policies/sc-servicecatalog-t2/main.tf b/policies/sc-servicecatalog-t2/main.tf
new file mode 100644
index 0000000..3c91f4a
--- /dev/null
+++ b/policies/sc-servicecatalog-t2/main.tf
@@ -0,0 +1,2 @@
+/*
+*/
diff --git a/policies/sc-servicecatalog-t2/module_name.tf b/policies/sc-servicecatalog-t2/module_name.tf
new file mode 100644
index 0000000..75a2032
--- /dev/null
+++ b/policies/sc-servicecatalog-t2/module_name.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_name = "aws-sso/policies/sc-servicecatalog-t2"
+}
diff --git a/policies/sc-servicecatalog-t2/outputs.tf b/policies/sc-servicecatalog-t2/outputs.tf
new file mode 100644
index 0000000..776869b
--- /dev/null
+++ b/policies/sc-servicecatalog-t2/outputs.tf
@@ -0,0 +1,24 @@
+output "name" {
+ description = "Permission Set Name for which all settings apply"
+ value = local.name
+}
+
+output "managed_policy_names" {
+ description = "Names of AWS Managed Policy to attach to the permissionset"
+ value = local.managed_policy_names
+}
+
+output "customer_managed_policy_names" {
+ description = "Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset"
+ value = local.customer_managed_policy_names
+}
+
+output "inline_policy" {
+ description = "AWS Policy document for the single allowed inline policy (use .json to get policy)"
+ value = local.inline_policy
+}
+
+output "relay_state" {
+ description = "Relay State to pass along to permissionset"
+ value = local.relay_state
+}
diff --git a/policies/sc-servicecatalog-t2/policy.tf b/policies/sc-servicecatalog-t2/policy.tf
new file mode 100644
index 0000000..425ab7f
--- /dev/null
+++ b/policies/sc-servicecatalog-t2/policy.tf
@@ -0,0 +1,13 @@
+data "aws_iam_policy_document" "inline" {
+ statement {
+ sid = "OnlyReadOperationsOnOrganizations"
+ effect = "Allow"
+ actions = [
+ "organizations:Describe*",
+ "organizations:List*",
+ "account:Get*",
+ "account:List*"
+ ]
+ resources = ["*"]
+ }
+}
diff --git a/policies/sc-servicecatalog-t2/prefixes.tf b/policies/sc-servicecatalog-t2/prefixes.tf
new file mode 120000
index 0000000..5bc256c
--- /dev/null
+++ b/policies/sc-servicecatalog-t2/prefixes.tf
@@ -0,0 +1 @@
+../../common/prefixes.tf
\ No newline at end of file
diff --git a/policies/sc-servicecatalog-t2/settings.tf b/policies/sc-servicecatalog-t2/settings.tf
new file mode 100644
index 0000000..fe23f92
--- /dev/null
+++ b/policies/sc-servicecatalog-t2/settings.tf
@@ -0,0 +1,11 @@
+locals {
+ name = "servicecatalog-t2"
+ managed_policy_names = [
+ "ReadOnlyAccess",
+ "AWSServiceCatalogEndUserFullAccess",
+ "AWSServiceCatalogAdminFullAccess",
+ ]
+ customer_managed_policy_names = {}
+ relay_state = data.aws_arn.current.partition == "aws-us-gov" ? "https://console.amazonaws-us-gov.com/servicecatalog/home" : "https://console.aws.amazon.com/servicecatalog/home"
+ inline_policy = data.aws_iam_policy_document.inline
+}
diff --git a/policies/sc-servicecatalog-t2/variables.common.tf b/policies/sc-servicecatalog-t2/variables.common.tf
new file mode 120000
index 0000000..e01226c
--- /dev/null
+++ b/policies/sc-servicecatalog-t2/variables.common.tf
@@ -0,0 +1 @@
+../../common/variables.common.tf
\ No newline at end of file
diff --git a/policies/sc-servicecatalog-t2/variables.tf.unused b/policies/sc-servicecatalog-t2/variables.tf.unused
new file mode 100644
index 0000000..53d6bf1
--- /dev/null
+++ b/policies/sc-servicecatalog-t2/variables.tf.unused
@@ -0,0 +1,29 @@
+variable "name" {
+ description = "Permission Set Name for which all settings apply"
+ type = string
+ default = null
+}
+
+variable "managed_policy_names" {
+ description = "Names of AWS Managed Policy to attach to the permissionset"
+ type = list(string)
+ default = []
+}
+
+variable "customer_managed_policy_names" {
+ description = "Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset"
+ type = map(string)
+ default = {}
+}
+
+# variable "inline_policy" {
+# description = "AWS Policy document for the single allowed inline policy"
+# type = string
+# default = null
+# }
+
+variable "relay_state" {
+ description = "Relay State to pass along to permissionset"
+ type = string
+ default = null
+}
diff --git a/policies/sc-servicecatalog-t2/version.tf b/policies/sc-servicecatalog-t2/version.tf
new file mode 120000
index 0000000..4950c91
--- /dev/null
+++ b/policies/sc-servicecatalog-t2/version.tf
@@ -0,0 +1 @@
+../../common/version.tf
\ No newline at end of file
diff --git a/policies/sc-servicecatalog-t2/versions.tf b/policies/sc-servicecatalog-t2/versions.tf
new file mode 120000
index 0000000..cbeda73
--- /dev/null
+++ b/policies/sc-servicecatalog-t2/versions.tf
@@ -0,0 +1 @@
+../../common/versions.tf
\ No newline at end of file
diff --git a/policies/sc-servicecatalog-t3/README.md b/policies/sc-servicecatalog-t3/README.md
new file mode 100644
index 0000000..33cb3c2
--- /dev/null
+++ b/policies/sc-servicecatalog-t3/README.md
@@ -0,0 +1,44 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.12 |
+| [aws](#requirement\_aws) | >= 6.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 6.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [customer\_managed\_policy\_names](#output\_customer\_managed\_policy\_names) | Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset |
+| [inline\_policy](#output\_inline\_policy) | AWS Policy document for the single allowed inline policy (use .json to get policy) |
+| [managed\_policy\_names](#output\_managed\_policy\_names) | Names of AWS Managed Policy to attach to the permissionset |
+| [name](#output\_name) | Permission Set Name for which all settings apply |
+| [relay\_state](#output\_relay\_state) | Relay State to pass along to permissionset |
diff --git a/policies/sc-servicecatalog-t3/data.tf b/policies/sc-servicecatalog-t3/data.tf
new file mode 120000
index 0000000..37fff16
--- /dev/null
+++ b/policies/sc-servicecatalog-t3/data.tf
@@ -0,0 +1 @@
+../../common/data.tf
\ No newline at end of file
diff --git a/policies/sc-servicecatalog-t3/defaults.tf b/policies/sc-servicecatalog-t3/defaults.tf
new file mode 120000
index 0000000..1227df3
--- /dev/null
+++ b/policies/sc-servicecatalog-t3/defaults.tf
@@ -0,0 +1 @@
+../../common/defaults.tf
\ No newline at end of file
diff --git a/policies/sc-servicecatalog-t3/locals.tf b/policies/sc-servicecatalog-t3/locals.tf
new file mode 100644
index 0000000..6aa29cd
--- /dev/null
+++ b/policies/sc-servicecatalog-t3/locals.tf
@@ -0,0 +1,12 @@
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ region = data.aws_region.current.region
+ region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:tf_module_name" = local._module_name
+ "boc:created_by" = "terraform"
+ }
+}
diff --git a/policies/sc-servicecatalog-t3/main.tf b/policies/sc-servicecatalog-t3/main.tf
new file mode 100644
index 0000000..3c91f4a
--- /dev/null
+++ b/policies/sc-servicecatalog-t3/main.tf
@@ -0,0 +1,2 @@
+/*
+*/
diff --git a/policies/sc-servicecatalog-t3/module_name.tf b/policies/sc-servicecatalog-t3/module_name.tf
new file mode 100644
index 0000000..1ac04e3
--- /dev/null
+++ b/policies/sc-servicecatalog-t3/module_name.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_name = "aws-sso/policies/sc-servicecatalog-t3"
+}
diff --git a/policies/sc-servicecatalog-t3/outputs.tf b/policies/sc-servicecatalog-t3/outputs.tf
new file mode 100644
index 0000000..776869b
--- /dev/null
+++ b/policies/sc-servicecatalog-t3/outputs.tf
@@ -0,0 +1,24 @@
+output "name" {
+ description = "Permission Set Name for which all settings apply"
+ value = local.name
+}
+
+output "managed_policy_names" {
+ description = "Names of AWS Managed Policy to attach to the permissionset"
+ value = local.managed_policy_names
+}
+
+output "customer_managed_policy_names" {
+ description = "Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset"
+ value = local.customer_managed_policy_names
+}
+
+output "inline_policy" {
+ description = "AWS Policy document for the single allowed inline policy (use .json to get policy)"
+ value = local.inline_policy
+}
+
+output "relay_state" {
+ description = "Relay State to pass along to permissionset"
+ value = local.relay_state
+}
diff --git a/policies/sc-servicecatalog-t3/policy.tf b/policies/sc-servicecatalog-t3/policy.tf
new file mode 100644
index 0000000..a146041
--- /dev/null
+++ b/policies/sc-servicecatalog-t3/policy.tf
@@ -0,0 +1,39 @@
+data "aws_iam_policy_document" "inline" {
+ statement {
+ sid = "OnlyReadOperationsOnOrganizations"
+ effect = "Allow"
+ actions = [
+ "organizations:Describe*",
+ "organizations:List*",
+ "account:Get*",
+ "account:List*"
+ ]
+ resources = ["*"]
+ }
+ statement {
+ sid = "EC2AndServiceCatalogAdminActions"
+ effect = "Allow"
+ actions = [
+ "cloudwatch:DescribeAlarms",
+ "ec2:AttachVolume",
+ "ec2:CreateTags",
+ "ec2:CreateVolume",
+ "ec2:DeleteTags",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumeAttribute",
+ "ec2:DescribeVolumeStatus",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVolumesModifications",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume",
+ "ec2:ModifyVolumeAttribute",
+ "ec2:RebootInstances",
+ "ec2:RegisterImage",
+ "ec2:RunInstances",
+ "ec2:StartInstances",
+ "ec2:StopInstances",
+ "ec2:TerminateInstances",
+ ]
+ resources = ["*"]
+ }
+}
diff --git a/policies/sc-servicecatalog-t3/prefixes.tf b/policies/sc-servicecatalog-t3/prefixes.tf
new file mode 120000
index 0000000..5bc256c
--- /dev/null
+++ b/policies/sc-servicecatalog-t3/prefixes.tf
@@ -0,0 +1 @@
+../../common/prefixes.tf
\ No newline at end of file
diff --git a/policies/sc-servicecatalog-t3/settings.tf b/policies/sc-servicecatalog-t3/settings.tf
new file mode 100644
index 0000000..dccacbb
--- /dev/null
+++ b/policies/sc-servicecatalog-t3/settings.tf
@@ -0,0 +1,11 @@
+locals {
+ name = "servicecatalog-t3"
+ managed_policy_names = [
+ "ReadOnlyAccess",
+ "AWSServiceCatalogEndUserFullAccess",
+ "AWSServiceCatalogAdminFullAccess",
+ ]
+ customer_managed_policy_names = {}
+ relay_state = data.aws_arn.current.partition == "aws-us-gov" ? "https://console.amazonaws-us-gov.com/servicecatalog/home" : "https://console.aws.amazon.com/servicecatalog/home"
+ inline_policy = data.aws_iam_policy_document.inline
+}
diff --git a/policies/sc-servicecatalog-t3/variables.common.tf b/policies/sc-servicecatalog-t3/variables.common.tf
new file mode 120000
index 0000000..e01226c
--- /dev/null
+++ b/policies/sc-servicecatalog-t3/variables.common.tf
@@ -0,0 +1 @@
+../../common/variables.common.tf
\ No newline at end of file
diff --git a/policies/sc-servicecatalog-t3/variables.tf.unused b/policies/sc-servicecatalog-t3/variables.tf.unused
new file mode 100644
index 0000000..53d6bf1
--- /dev/null
+++ b/policies/sc-servicecatalog-t3/variables.tf.unused
@@ -0,0 +1,29 @@
+variable "name" {
+ description = "Permission Set Name for which all settings apply"
+ type = string
+ default = null
+}
+
+variable "managed_policy_names" {
+ description = "Names of AWS Managed Policy to attach to the permissionset"
+ type = list(string)
+ default = []
+}
+
+variable "customer_managed_policy_names" {
+ description = "Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset"
+ type = map(string)
+ default = {}
+}
+
+# variable "inline_policy" {
+# description = "AWS Policy document for the single allowed inline policy"
+# type = string
+# default = null
+# }
+
+variable "relay_state" {
+ description = "Relay State to pass along to permissionset"
+ type = string
+ default = null
+}
diff --git a/policies/sc-servicecatalog-t3/version.tf b/policies/sc-servicecatalog-t3/version.tf
new file mode 120000
index 0000000..4950c91
--- /dev/null
+++ b/policies/sc-servicecatalog-t3/version.tf
@@ -0,0 +1 @@
+../../common/version.tf
\ No newline at end of file
diff --git a/policies/sc-servicecatalog-t3/versions.tf b/policies/sc-servicecatalog-t3/versions.tf
new file mode 120000
index 0000000..cbeda73
--- /dev/null
+++ b/policies/sc-servicecatalog-t3/versions.tf
@@ -0,0 +1 @@
+../../common/versions.tf
\ No newline at end of file