From e5eb83864d9260312f743e01e59100c953173f5b Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 16 Jan 2026 12:36:15 -0500 Subject: [PATCH] * 1.4.0 -- 2026-01-16 - change AWS provider to >= 6 - change region from name to region in locals - require TF 1.12+ - policies - create new central policies to be used for permissionsets so they can be consistent across orgs - created policies - policies/sc-servicecatalog-t1 --- CHANGELOG.md | 9 +++++++++ common/version.tf | 2 +- common/versions.tf | 4 ++-- group-assignment/accounts.tf | 8 ++++---- group-assignment/locals.tf | 2 +- group-assignment/outputs.tf | 2 +- group-assignment/users.tf | 2 +- permissionset/README.md | 5 +++-- permissionset/locals.tf | 2 +- 9 files changed, 23 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 33db3e8..97ce29f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -53,3 +53,12 @@ * 1.3.2 -- 2025-02-14 - group-assignment - make ldap_group happen after idc group + +* 1.4.0 -- 2026-01-16 + - change AWS provider to >= 6 + - change region from name to region in locals + - require TF 1.12+ + - policies + - create new central policies to be used for permissionsets so they can be consistent across orgs + - created policies + - policies/sc-servicecatalog-t1 diff --git a/common/version.tf b/common/version.tf index 5ec2ece..37ff20f 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "1.3.2" + _module_version = "1.4.0" } diff --git a/common/versions.tf b/common/versions.tf index 34eb3b9..3b04f30 100644 --- a/common/versions.tf +++ b/common/versions.tf @@ -1,9 +1,9 @@ terraform { + required_version = ">= 1.12" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.66.0" + version = ">= 6.0" } } - # required_version = ">= 0.13" } diff --git a/group-assignment/accounts.tf b/group-assignment/accounts.tf index 1f8b3e0..a0de8c1 100644 --- a/group-assignment/accounts.tf +++ b/group-assignment/accounts.tf 
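Review bot: The new `version = ">= 6.0"` in common/versions.tf has no upper bound, so a `terraform init` without a committed `.terraform.lock.hcl` will select any future major release of the AWS provider, including a breaking 7.x, with no change to this repository; the pessimistic form `version = "~> 6.0"` (or `">= 6.0, < 7.0"`) keeps the intent of the bump while fencing it to the major line that was actually tested. The same open-ended shape is used for `required_version = ">= 1.12"`, which is less risky but worth a conscious choice. Separately, the commit message and the changelog hunk describe new central policies under policies/sc-servicecatalog-t1, yet the diffstat lists only the nine files shown here, so those policy files appear not to be part of this patch and should be confirmed before merge.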
@@ -9,14 +9,14 @@ locals { active_accounts_map = { for account in data.aws_organizations_organizational_unit_descendant_accounts.accounts.accounts : account.name => account if account.status == "ACTIVE" } active_accounts = { for k, v in local.active_accounts_map : k => v.id } - _id_1 = ! local.org_all && length(local.org_account_names) > 0 ? [for k in local.org_account_names : lookup(local.active_accounts, k, null)] : [] - _id_2 = ! local.org_all && length(local.org_account_ids) > 0 ? [for k in local.org_account_ids : k if contains(values(local.active_accounts), k)] : [] + _id_1 = !local.org_all && length(local.org_account_names) > 0 ? [for k in local.org_account_names : lookup(local.active_accounts, k, null)] : [] + _id_2 = !local.org_all && length(local.org_account_ids) > 0 ? [for k in local.org_account_ids : k if contains(values(local.active_accounts), k)] : [] organizational_unit_hierarchy = length(var.organizational_unit_hierarchy) > 0 ? { for k, v in var.organizational_unit_hierarchy : k => v.self_id } : {} # _ou_1 = ! local.org_all && length(local.organizational_unit_names) > 0 && length(var.organizational_unit_hierarchy) > 0 ? [for k, v in local.organizational_unit_names : lookup(local.organizational_unit_hierarchy, k, null)] : [] - _ou_1 = ! local.org_all && length(local.organizational_unit_names) > 0 && length(var.organizational_unit_hierarchy) > 0 ? { for k, v in local.organizational_unit_hierarchy : k => v if contains(local.organizational_unit_names, k) } : {} - _ou_2 = ! local.org_all && length(var.organizational_unit_ids) > 0 && length(var.organizational_unit_hierarchy) > 0 ? { for k in var.organizational_unit_ids : k => k } : {} + _ou_1 = !local.org_all && length(local.organizational_unit_names) > 0 && length(var.organizational_unit_hierarchy) > 0 ? 
{ for k, v in local.organizational_unit_hierarchy : k => v if contains(local.organizational_unit_names, k) } : {} + _ou_2 = !local.org_all && length(var.organizational_unit_ids) > 0 && length(var.organizational_unit_hierarchy) > 0 ? { for k in var.organizational_unit_ids : k => k } : {} # organizational_units = distinct(compact(concat(local._ou_1, local._ou_2))) organizational_units = merge(local._ou_1, local._ou_2) diff --git a/group-assignment/locals.tf b/group-assignment/locals.tf index 5cba936..6aa29cd 100644 --- a/group-assignment/locals.tf +++ b/group-assignment/locals.tf @@ -1,7 +1,7 @@ locals { account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew" - region = data.aws_region.current.name + region = data.aws_region.current.region region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)]) base_tags = { diff --git a/group-assignment/outputs.tf b/group-assignment/outputs.tf index 3cb0848..e0cb291 100644 --- a/group-assignment/outputs.tf +++ b/group-assignment/outputs.tf @@ -20,6 +20,6 @@ output "users" { value = { users = local.users valid_ldap_users = { for k, v in local.ldap_user_attributes : k => v.mail if can(v.mail) } - invalid_ldap_users = [for k, v in local.ldap_user_attributes : k if ! can(v.mail)] + invalid_ldap_users = [for k, v in local.ldap_user_attributes : k if !can(v.mail)] } } diff --git a/group-assignment/users.tf b/group-assignment/users.tf index cea9c08..2ce676a 100644 --- a/group-assignment/users.tf +++ b/group-assignment/users.tf 
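Review bot: `region = data.aws_region.current.region` in group-assignment/locals.tf only resolves on AWS provider 6.x, where `region` replaced the deprecated `name` attribute, while the constraint that guarantees that version is declared in common/versions.tf rather than in this module; if group-assignment is ever consumed without that shared block, plan fails with an unsupported-attribute error rather than at init. Assuming each module is meant to stand alone (the permissionset README at least advertises the `>= 6.0` requirement, so this may already be handled), a `required_providers` entry of `aws = { source = "hashicorp/aws", version = "~> 6.0" }` in the module itself would make the dependency explicit. The permissionset/locals.tf hunk is byte-identical (same blob ids 5cba936..6aa29cd), so the remark applies there too, and maintaining two identical copies of these locals invites the modules drifting apart. The enclosing `locals` block continues past the hunk.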
@@ -32,7 +32,7 @@ data "aws_identitystore_user" "users" { locals { ldap_groups_base_dn = "o=U.S. Census Bureau,c=US" - ldap_groups_members = distinct(flatten([for k, v in data.ldap_object.ldap_groups : [for m in jsondecode(lookup(v.attributes_json, "memberUid", "")) : m if ! startswith(m, "p-") && (m != "[DynamicDN]")]])) + ldap_groups_members = distinct(flatten([for k, v in data.ldap_object.ldap_groups : [for m in jsondecode(lookup(v.attributes_json, "memberUid", "")) : m if !startswith(m, "p-") && (m != "[DynamicDN]")]])) } data "ldap_object" "ldap_groups" { diff --git a/permissionset/README.md b/permissionset/README.md index a119f96..ac843a7 100644 --- a/permissionset/README.md +++ b/permissionset/README.md @@ -2,13 +2,14 @@ | Name | Version | |------|---------| -| [aws](#requirement\_aws) | >= 3.66.0 | +| [terraform](#requirement\_terraform) | >= 1.12 | +| [aws](#requirement\_aws) | >= 6.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.66.0 | +| [aws](#provider\_aws) | >= 6.0 | ## Modules diff --git a/permissionset/locals.tf b/permissionset/locals.tf index 5cba936..6aa29cd 100644 --- a/permissionset/locals.tf +++ b/permissionset/locals.tf @@ -1,7 +1,7 @@ locals { account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew" - region = data.aws_region.current.name + region = data.aws_region.current.region region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)]) base_tags = {