From 1af6ad72c0bc9f7b8f15c246cbcfaa859605fabc Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 16 Mar 2026 16:56:19 -0400 Subject: [PATCH 1/8] feat(sc-db-user) add policy for sc-db-user --- .tflint.hcl | 16 ++-- CHANGELOG.md | 4 + policies/sc-db-user/README.md | 44 ++++++++++ policies/sc-db-user/base_arn.tf | 3 + policies/sc-db-user/data.tf | 1 + policies/sc-db-user/defaults.tf | 1 + policies/sc-db-user/locals.tf | 12 +++ policies/sc-db-user/main.tf | 2 + policies/sc-db-user/module_name.tf | 3 + policies/sc-db-user/outputs.tf | 24 +++++ policies/sc-db-user/policy.tf | 112 ++++++++++++++++++++++++ policies/sc-db-user/prefixes.tf | 1 + policies/sc-db-user/settings.tf | 12 +++ policies/sc-db-user/variables.common.tf | 1 + policies/sc-db-user/variables.tf.unused | 29 ++++++ policies/sc-db-user/version.tf | 1 + policies/sc-db-user/versions.tf | 1 + 17 files changed, 259 insertions(+), 8 deletions(-) create mode 100644 policies/sc-db-user/README.md create mode 100644 policies/sc-db-user/base_arn.tf create mode 120000 policies/sc-db-user/data.tf create mode 120000 policies/sc-db-user/defaults.tf create mode 100644 policies/sc-db-user/locals.tf create mode 100644 policies/sc-db-user/main.tf create mode 100644 policies/sc-db-user/module_name.tf create mode 100644 policies/sc-db-user/outputs.tf create mode 100644 policies/sc-db-user/policy.tf create mode 120000 policies/sc-db-user/prefixes.tf create mode 100644 policies/sc-db-user/settings.tf create mode 120000 policies/sc-db-user/variables.common.tf create mode 100644 policies/sc-db-user/variables.tf.unused create mode 120000 policies/sc-db-user/version.tf create mode 120000 policies/sc-db-user/versions.tf diff --git a/.tflint.hcl b/.tflint.hcl index fcc2fa8..a4029d7 100644 --- a/.tflint.hcl +++ b/.tflint.hcl 
@@ -1,15 +1,15 @@ config { - module = true - force = false + module = true + force = false disabled_by_default = false -# ignore_module = { -# "terraform-aws-modules/vpc/aws" = true -# "terraform-aws-modules/security-group/aws" = true -# } + # ignore_module = { + # "terraform-aws-modules/vpc/aws" = true + # "terraform-aws-modules/security-group/aws" = true + # } -# varfile = ["example1.tfvars", "example2.tfvars"] -# variables = ["foo=bar", "bar=[\"baz\"]"] + # varfile = ["example1.tfvars", "example2.tfvars"] + # variables = ["foo=bar", "bar=[\"baz\"]"] } rule "aws_instance_invalid_type" { diff --git a/CHANGELOG.md b/CHANGELOG.md index c733f4f..c816a8c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -76,3 +76,7 @@ * 1.5.0 -- 2026-02-12 - created policies - policies/sc-developer + +* 1.5.1 -- 2026-03-10 + - created policies + - policies/sc-db-user \ No newline at end of file diff --git a/policies/sc-db-user/README.md b/policies/sc-db-user/README.md new file mode 100644 index 0000000..33cb3c2 --- /dev/null +++ b/policies/sc-db-user/README.md 
@@ -0,0 +1,44 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.12 |
+| [aws](#requirement\_aws) | >= 6.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 6.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component.
This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [customer\_managed\_policy\_names](#output\_customer\_managed\_policy\_names) | Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset |
+| [inline\_policy](#output\_inline\_policy) | AWS Policy document for the single allowed inline policy (use .json to get policy) |
+| [managed\_policy\_names](#output\_managed\_policy\_names) | Names of AWS Managed Policy to attach to the permissionset |
+| [name](#output\_name) | Permission Set Name for which all settings apply |
+| [relay\_state](#output\_relay\_state) | Relay State to pass along to permissionset |
diff --git a/policies/sc-db-user/base_arn.tf b/policies/sc-db-user/base_arn.tf
new file mode 100644
index 0000000..5eba500
--- /dev/null
+++ b/policies/sc-db-user/base_arn.tf
@@ -0,0 +1,3 @@
+locals {
+ all_account_arn_iam = format("arn:%v:%v::%v:%%v", data.aws_arn.current.partition, "iam", "*")
+}
diff --git a/policies/sc-db-user/data.tf b/policies/sc-db-user/data.tf
new file mode 120000
index 0000000..37fff16
--- /dev/null
+++ b/policies/sc-db-user/data.tf
@@ -0,0 +1 @@
+../../common/data.tf
\ No newline at end of file
diff --git a/policies/sc-db-user/defaults.tf b/policies/sc-db-user/defaults.tf
new file mode 120000
index 0000000..1227df3
--- /dev/null
+++ b/policies/sc-db-user/defaults.tf
@@ -0,0 +1 @@
+../../common/defaults.tf
\ No newline at end of file
diff --git a/policies/sc-db-user/locals.tf b/policies/sc-db-user/locals.tf
new file mode 100644
index 0000000..6aa29cd
--- /dev/null
+++ b/policies/sc-db-user/locals.tf
@@ -0,0 +1,12 @@
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ region = data.aws_region.current.region
+ region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:tf_module_name" = local._module_name
+ "boc:created_by" = "terraform"
+ }
+}
diff --git a/policies/sc-db-user/main.tf b/policies/sc-db-user/main.tf
new file mode 100644
index 0000000..3c91f4a
--- /dev/null
+++ b/policies/sc-db-user/main.tf
@@ -0,0 +1,2 @@
+/*
+*/
diff --git a/policies/sc-db-user/module_name.tf b/policies/sc-db-user/module_name.tf
new file mode 100644
index 0000000..711d77e
--- /dev/null
+++ b/policies/sc-db-user/module_name.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_name = "aws-sso/policies/sc-db-user"
+}
diff --git a/policies/sc-db-user/outputs.tf b/policies/sc-db-user/outputs.tf
new file mode 100644
index 0000000..776869b
--- /dev/null
+++ b/policies/sc-db-user/outputs.tf
@@ -0,0 +1,24 @@
+output "name" {
+ description = "Permission Set Name for which all settings apply"
+ value = local.name
+}
+
+output "managed_policy_names" {
+ description = "Names of AWS Managed Policy to attach to the permissionset"
+ value = local.managed_policy_names
+}
+
+output "customer_managed_policy_names" {
+ description = "Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset"
+ value = local.customer_managed_policy_names
+}
+
+output "inline_policy" {
+ description = "AWS Policy document for the single allowed inline policy (use .json to get policy)"
+ value = local.inline_policy
+}
+
+output "relay_state" {
+ description = "Relay State to pass along to permissionset"
+ value = local.relay_state
+}
diff --git a/policies/sc-db-user/policy.tf b/policies/sc-db-user/policy.tf
new file mode 100644
index 0000000..0812850
--- /dev/null
+++ b/policies/sc-db-user/policy.tf
@@ -0,0 +1,112 @@
+data "aws_iam_policy_document" "inline" {
+ statement {
+ sid = "AllowEC2Read"
+ effect = "Allow"
+ resources = ["*"]
+ actions = [
+ "ec2:Describe*",
+ "ec2:Get*",
+ "ec2:List*",
+ ]
+ }
+ statement {
+ sid = "AllowKMSList"
+ effect = "Allow"
+ resources = ["*"]
+ actions = [
+ "kms:Describe*",
+ "kms:List*",
+ ]
+ }
+ statement {
+ sid = "RDSKMSDefaultKeyAccess"
+ effect = "Allow"
+ resources = ["*"]
+ actions = [
+ "kms:Decrypt",
+ "kms:EnableK*",
+ "kms:Encrypt",
+ "kms:GenerateDataKey*",
+ "kms:ReEncrypt*",
+ ]
+ condition {
+ test = "StringEquals"
+ variable = "kms:ResourceAliases"
+ values = [
+ "alias/aws/rds",
+ "alias/aws/secretsmanager"
+ ]
+ }
+ }
+ statement {
+ sid = "RestrictInfKMS"
+ effect = "Deny"
+ resources = ["*"]
+ actions = ["kms:*"]
+ condition {
+ test = "StringLike"
+ variable = "kms:RequestAlias"
+ values = [
+ "alias/k-kms-inf*"
+ ]
+ }
+ }
+ statement {
+ sid = "AllowRDSDB"
+ effect = "Allow"
+ resources = ["*"]
+ actions = [
+ "rds-db:connect",
+ "rds:DescribeDBInstances",
+ "rds:DescribeDBClusters",
+ "rds:DescribeDBInstancesPerformance",
+ "rds:DescribeDBClustersPerformance",
+ "pi:DescribeDimensionKeys",
+ "pi:GetResourceMetrics",
+ "pi:ListAvailableResourceDimensions",
+ "pi:ListAvailableResourceMetrics"
+ ]
+ }
+ statement {
+ sid = "AllowSecretsManagerList"
+ effect = "Allow"
+ resources = ["*"]
+ actions = [
+ "secretsmanager:List*",
+ ]
+ }
+ statement {
+ sid = "AllowSecretsManagerReadByJBID"
+ effect = "Allow"
+ resources = ["*"]
+ actions = [
+ "secretsmanager:BatchGetSecretValue",
+ "secretsmanager:DescribeSecret",
+ "secretsmanager:GetSecretValue",
+ ]
+ # Enforce expected principal attribute shape: 8-character JBID.
+ condition {
+ test = "StringLike"
+ variable = "aws:PrincipalTag/jbid"
+ values = [
+ "????????"
+ ]
+ }
+ # Secret must be tagged to the same JBID as the caller.
+ condition {
+ test = "StringEquals"
+ variable = "secretsmanager:ResourceTag/jbid"
+ values = [
+ "&{aws:PrincipalTag/jbid}"
+ ]
+ }
+ # Name tag pattern includes the caller identifier.
+ condition {
+ test = "StringLike"
+ variable = "secretsmanager:ResourceTag/Name"
+ values = [
+ "*&{aws:PrincipalTag/jbid}*"
+ ]
+ }
+ }
+}
diff --git a/policies/sc-db-user/prefixes.tf b/policies/sc-db-user/prefixes.tf
new file mode 120000
index 0000000..5bc256c
--- /dev/null
+++ b/policies/sc-db-user/prefixes.tf
@@ -0,0 +1 @@
+../../common/prefixes.tf
\ No newline at end of file
diff --git a/policies/sc-db-user/settings.tf b/policies/sc-db-user/settings.tf
new file mode 100644
index 0000000..a70df81
--- /dev/null
+++ b/policies/sc-db-user/settings.tf
@@ -0,0 +1,12 @@
+locals {
+ name = "sc-db-user"
+ description = "System Common DB User"
+ managed_policy_names = [
+ "ReadOnlyAccess",
+ ]
+ customer_managed_policy_names = {
+ "p-inf-tfstate-write" = null
+ }
+ relay_state = null
+ inline_policy = data.aws_iam_policy_document.inline
+}
diff --git a/policies/sc-db-user/variables.common.tf b/policies/sc-db-user/variables.common.tf
new file mode 120000
index 0000000..e01226c
--- /dev/null
+++ b/policies/sc-db-user/variables.common.tf
@@ -0,0 +1 @@
+../../common/variables.common.tf
\ No newline at end of file
diff --git a/policies/sc-db-user/variables.tf.unused b/policies/sc-db-user/variables.tf.unused
new file mode 100644
index 0000000..53d6bf1
--- /dev/null
+++ b/policies/sc-db-user/variables.tf.unused
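Review bot: The `RestrictInfKMS` Deny conditions on `kms:RequestAlias`, which AWS only populates when the request identifies the key by alias; a caller who passes the key ID or key ARN of a `k-kms-inf*` key sends no `kms:RequestAlias` at all, the `StringLike` does not match, and the Deny never fires. The guardrail should key on the key's own aliases instead, `test = "ForAnyValue:StringLike"` / `variable = "kms:ResourceAliases"`, which is evaluated from the key no matter how the request names it. The same multivalued key is used in `RDSKMSDefaultKeyAccess` with a plain `StringEquals`; IAM expects a set operator on multivalued keys, so that should read `test = "ForAnyValue:StringEquals"`. Separately, `kms:EnableK*` expands to `kms:EnableKey` and `kms:EnableKeyRotation`, neither of which is needed to encrypt or decrypt with the `aws/rds` and `aws/secretsmanager` keys; drop it from that action list.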
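Review bot: `managed_policy_names = ["ReadOnlyAccess"]` attaches the AWS-managed ReadOnlyAccess policy to a permission set whose inline policy is otherwise built around RDS; ReadOnlyAccess is not metadata-only — as currently published it includes data-plane reads such as `s3:Get*` and `dynamodb:Query`/`Scan` on every bucket and table in the account, which is a far larger grant than `rds-db:connect` (check the current policy document, AWS revises it). If the goal is console browsing, the `ViewOnlyAccess` job-function policy, which carries no object or item reads, is the closer fit; otherwise drop the managed policy and let the inline statements be the whole grant. Whichever is chosen, add a line above the list recording why a broad managed policy is needed here, e.g. `# ReadOnlyAccess kept for <reason>; NOTE it includes s3:Get* and dynamodb:Scan`.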
@@ -0,0 +1,29 @@
+variable "name" {
+ description = "Permission Set Name for which all settings apply"
+ type = string
+ default = null
+}
+
+variable "managed_policy_names" {
+ description = "Names of AWS Managed Policy to attach to the permissionset"
+ type = list(string)
+ default = []
+}
+
+variable "customer_managed_policy_names" {
+ description = "Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset"
+ type = map(string)
+ default = {}
+}
+
+# variable "inline_policy" {
+# description = "AWS Policy document for the single allowed inline policy"
+# type = string
+# default = null
+# }
+
+variable "relay_state" {
+ description = "Relay State to pass along to permissionset"
+ type = string
+ default = null
+}
diff --git a/policies/sc-db-user/version.tf b/policies/sc-db-user/version.tf
new file mode 120000
index 0000000..4950c91
--- /dev/null
+++ b/policies/sc-db-user/version.tf
@@ -0,0 +1 @@
+../../common/version.tf
\ No newline at end of file
diff --git a/policies/sc-db-user/versions.tf b/policies/sc-db-user/versions.tf
new file mode 120000
index 0000000..cbeda73
--- /dev/null
+++ b/policies/sc-db-user/versions.tf
@@ -0,0 +1 @@
+../../common/versions.tf
\ No newline at end of file
From ffd68d8b1e82b0a82dd6311a94eafdf8ba3c651f Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan" Date: Fri, 20 Mar 2026 12:50:38 -0400 Subject: [PATCH 2/8] rename to sc-dbuser --- policies/sc-db-user/module_name.tf | 3 --- policies/{sc-db-user => sc-dbuser}/README.md | 0 policies/{sc-db-user => sc-dbuser}/base_arn.tf | 0 policies/{sc-db-user => sc-dbuser}/data.tf | 0 policies/{sc-db-user => sc-dbuser}/defaults.tf | 0 policies/{sc-db-user => sc-dbuser}/locals.tf | 0 policies/{sc-db-user => sc-dbuser}/main.tf | 0 policies/sc-dbuser/module_name.tf | 3 +++ policies/{sc-db-user => sc-dbuser}/outputs.tf | 0 policies/{sc-db-user => sc-dbuser}/policy.tf | 0 policies/{sc-db-user => sc-dbuser}/prefixes.tf | 0 policies/{sc-db-user => sc-dbuser}/settings.tf | 6 ++---- policies/{sc-db-user => sc-dbuser}/variables.common.tf | 0 policies/{sc-db-user => sc-dbuser}/variables.tf.unused | 0 policies/{sc-db-user => sc-dbuser}/version.tf | 0 policies/{sc-db-user => sc-dbuser}/versions.tf | 0 16 files changed, 5 insertions(+), 7 deletions(-) delete mode 100644 policies/sc-db-user/module_name.tf rename policies/{sc-db-user => sc-dbuser}/README.md (100%) rename policies/{sc-db-user => sc-dbuser}/base_arn.tf (100%) rename policies/{sc-db-user => sc-dbuser}/data.tf (100%) rename policies/{sc-db-user => sc-dbuser}/defaults.tf (100%) rename policies/{sc-db-user => sc-dbuser}/locals.tf (100%) rename policies/{sc-db-user => sc-dbuser}/main.tf (100%) create mode 100644 policies/sc-dbuser/module_name.tf rename policies/{sc-db-user => sc-dbuser}/outputs.tf (100%) rename policies/{sc-db-user => sc-dbuser}/policy.tf (100%) rename policies/{sc-db-user => sc-dbuser}/prefixes.tf (100%) rename policies/{sc-db-user => sc-dbuser}/settings.tf (63%) rename policies/{sc-db-user => sc-dbuser}/variables.common.tf (100%) rename policies/{sc-db-user => sc-dbuser}/variables.tf.unused (100%) rename policies/{sc-db-user => sc-dbuser}/version.tf (100%) rename policies/{sc-db-user => sc-dbuser}/versions.tf (100%) 
diff --git a/policies/sc-db-user/module_name.tf b/policies/sc-db-user/module_name.tf deleted file mode 100644 index 711d77e..0000000 --- a/policies/sc-db-user/module_name.tf +++ /dev/null @@ -1,3 +0,0 @@ -locals { - _module_name = "aws-sso/policies/sc-db-user" -} diff --git a/policies/sc-db-user/README.md b/policies/sc-dbuser/README.md similarity index 100% rename from policies/sc-db-user/README.md rename to policies/sc-dbuser/README.md diff --git a/policies/sc-db-user/base_arn.tf b/policies/sc-dbuser/base_arn.tf similarity index 100% rename from policies/sc-db-user/base_arn.tf rename to policies/sc-dbuser/base_arn.tf diff --git a/policies/sc-db-user/data.tf b/policies/sc-dbuser/data.tf similarity index 100% rename from policies/sc-db-user/data.tf rename to policies/sc-dbuser/data.tf diff --git a/policies/sc-db-user/defaults.tf b/policies/sc-dbuser/defaults.tf similarity index 100% rename from policies/sc-db-user/defaults.tf rename to policies/sc-dbuser/defaults.tf diff --git a/policies/sc-db-user/locals.tf b/policies/sc-dbuser/locals.tf similarity index 100% rename from policies/sc-db-user/locals.tf rename to policies/sc-dbuser/locals.tf diff --git a/policies/sc-db-user/main.tf b/policies/sc-dbuser/main.tf similarity index 100% rename from policies/sc-db-user/main.tf rename to policies/sc-dbuser/main.tf diff --git a/policies/sc-dbuser/module_name.tf b/policies/sc-dbuser/module_name.tf new file mode 100644 index 0000000..cd0ea8b --- /dev/null +++ b/policies/sc-dbuser/module_name.tf @@ -0,0 +1,3 @@ +locals { + _module_name = "aws-sso/policies/sc-dbuser" +} diff --git a/policies/sc-db-user/outputs.tf b/policies/sc-dbuser/outputs.tf similarity index 100% rename from policies/sc-db-user/outputs.tf rename to policies/sc-dbuser/outputs.tf diff --git a/policies/sc-db-user/policy.tf b/policies/sc-dbuser/policy.tf similarity index 100% rename from policies/sc-db-user/policy.tf rename to policies/sc-dbuser/policy.tf 
diff --git a/policies/sc-db-user/prefixes.tf b/policies/sc-dbuser/prefixes.tf similarity index 100% rename from policies/sc-db-user/prefixes.tf rename to policies/sc-dbuser/prefixes.tf diff --git a/policies/sc-db-user/settings.tf b/policies/sc-dbuser/settings.tf similarity index 63% rename from policies/sc-db-user/settings.tf rename to policies/sc-dbuser/settings.tf index a70df81..90cf79d 100644 --- a/policies/sc-db-user/settings.tf +++ b/policies/sc-dbuser/settings.tf @@ -1,12 +1,10 @@ locals { - name = "sc-db-user" + name = "sc-dbuser" description = "System Common DB User" managed_policy_names = [ "ReadOnlyAccess", ] - customer_managed_policy_names = { - "p-inf-tfstate-write" = null - } + customer_managed_policy_names = {} relay_state = null inline_policy = data.aws_iam_policy_document.inline } diff --git a/policies/sc-db-user/variables.common.tf b/policies/sc-dbuser/variables.common.tf similarity index 100% rename from policies/sc-db-user/variables.common.tf rename to policies/sc-dbuser/variables.common.tf diff --git a/policies/sc-db-user/variables.tf.unused b/policies/sc-dbuser/variables.tf.unused similarity index 100% rename from policies/sc-db-user/variables.tf.unused rename to policies/sc-dbuser/variables.tf.unused diff --git a/policies/sc-db-user/version.tf b/policies/sc-dbuser/version.tf similarity index 100% rename from policies/sc-db-user/version.tf rename to policies/sc-dbuser/version.tf diff --git a/policies/sc-db-user/versions.tf b/policies/sc-dbuser/versions.tf similarity index 100% rename from policies/sc-db-user/versions.tf rename to policies/sc-dbuser/versions.tf From b4cb30eb5b04902c376f4b2c4bcd2fb76bd8f14d Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 20 Mar 2026 13:28:30 -0400 Subject: [PATCH 3/8] update from comments --- policies/sc-dbuser/policy.tf | 8 -------- policies/sc-dbuser/settings.tf | 4 ++-- 2 files changed, 2 insertions(+), 10 deletions(-) 
diff --git a/policies/sc-dbuser/policy.tf b/policies/sc-dbuser/policy.tf
index 0812850..e073441 100644
--- a/policies/sc-dbuser/policy.tf
+++ b/policies/sc-dbuser/policy.tf
@@ -84,14 +84,6 @@ data "aws_iam_policy_document" "inline" {
 "secretsmanager:DescribeSecret",
 "secretsmanager:GetSecretValue",
 ]
- # Enforce expected principal attribute shape: 8-character JBID.
- condition {
- test = "StringLike"
- variable = "aws:PrincipalTag/jbid"
- values = [
- "????????"
- ]
- }
 # Secret must be tagged to the same JBID as the caller.
 condition {
 test = "StringEquals"
diff --git a/policies/sc-dbuser/settings.tf b/policies/sc-dbuser/settings.tf
index 90cf79d..7e8bede 100644
--- a/policies/sc-dbuser/settings.tf
+++ b/policies/sc-dbuser/settings.tf
@@ -5,6 +5,6 @@ locals {
 "ReadOnlyAccess",
 ]
 customer_managed_policy_names = {}
- relay_state = null
- inline_policy = data.aws_iam_policy_document.inline
+ relay_state = null
+ inline_policy = data.aws_iam_policy_document.inline
 }
From b2068fea45c20816b1b40ab8cceffd0dab514353 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 24 Mar 2026 12:39:02 -0400 Subject: [PATCH 4/8] fix syntax for passthrough var --- policies/sc-dbuser/policy.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policies/sc-dbuser/policy.tf b/policies/sc-dbuser/policy.tf
index e073441..0f09dc0 100644
--- a/policies/sc-dbuser/policy.tf
+++ b/policies/sc-dbuser/policy.tf
@@ -89,7 +89,7 @@ data "aws_iam_policy_document" "inline" {
 test = "StringEquals"
 variable = "secretsmanager:ResourceTag/jbid"
 values = [
- "&{aws:PrincipalTag/jbid}"
+ "$${aws:PrincipalTag/jbid}"
 ]
 }
 # Name tag pattern includes the caller identifier.
@@ -97,7 +97,7 @@ data "aws_iam_policy_document" "inline" {
 test = "StringLike"
 variable = "secretsmanager:ResourceTag/Name"
 values = [
- "*&{aws:PrincipalTag/jbid}*"
+ "*$${aws:PrincipalTag/jbid}*"
 ]
 }
 }
From 7ece04ca0c11ef9433dfb79e93f051c52ef4b8bc Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan" Date: Tue, 24 Mar 2026 14:58:53 -0400 Subject: [PATCH 5/8] remove jbid stuff --- policies/sc-dbuser/.terraform.lock.hcl | 25 +++++++++++++++++++++++++ policies/sc-dbuser/policy.tf | 18 +----------------- 2 files changed, 26 insertions(+), 17 deletions(-) create mode 100644 policies/sc-dbuser/.terraform.lock.hcl diff --git a/policies/sc-dbuser/.terraform.lock.hcl b/policies/sc-dbuser/.terraform.lock.hcl new file mode 100644 index 0000000..32cc8cc --- /dev/null +++ b/policies/sc-dbuser/.terraform.lock.hcl @@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "6.37.0" + constraints = ">= 6.0.0" + hashes = [ + "h1:w3z/TApcKD3b/aMZoZZKSxOld4xw+gEtQ1ka6C1UN+4=", + "zh:0427fadb719ed5a32feb09f047539d2348e659056f3b8a8589d34d8f0a95be7a", + "zh:3891c670674aba2125a7ac6d4348cde43646b1b46ce6f829e6f4724091bc0dcd", + "zh:632cb24b7b5790b730b33bcbe9f1a7b75f2644fb52f9d6aaafb0249c9e7601d2", + "zh:6e96ed1f824c2efa9de5b7c22ab3715624ba34c28564a06e9a15e71bc3d3a30b", + "zh:7b8fd86907b659bc45f4a3f42c3c0ccc66925a74e265b01e9e66242c0b2cafef", + "zh:81f9a587deddef4dfcc2101c54ec28a3a554056837f68ebb920c83fe8327b16f", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a9a38a67cb98d690fec951ec3e133b6836279629db2ed3a0ebf97a5bea58674f", + "zh:b18f60d62e4bd4d466077e09c39259d1a85355f0f00b801fe8aedbc50193d357", + "zh:b7a51bc0faf60d17043b4df1d1b7bb55129eaa4bdeb65ff55f5b00b9b8fee9f7", + "zh:c28c42f91ca3a6b65b3fd3ed6e891fc0fc28d0cb5ab65dea65eda8eec5cea5f3", + "zh:d895ddc04280ed26b6ca64ca05b78caaa7b72c8e167af4093545efbc608d5482", + "zh:f4a56f5157009ef160fbd79105078fe675df479cb73c1b7e1fea2741403a0b67", + "zh:f547d6ca371b96fec97b972fc0c93bcfc23d58e34a9da215b94e9d2aa170fb77", + "zh:f7b0a3cd4adadd3f4b9609a54e651ed5eafa22c196ab229042fc1d0aa0ab8f3a", + ] +} 
diff --git a/policies/sc-dbuser/policy.tf b/policies/sc-dbuser/policy.tf
index 0f09dc0..8dc4ab1 100644
--- a/policies/sc-dbuser/policy.tf
+++ b/policies/sc-dbuser/policy.tf
@@ -76,7 +76,7 @@ data "aws_iam_policy_document" "inline" {
 ]
 }
 statement {
- sid = "AllowSecretsManagerReadByJBID"
+ sid = "AllowSecretsManagerRead"
 effect = "Allow"
 resources = ["*"]
 actions = [
@@ -84,21 +84,5 @@ data "aws_iam_policy_document" "inline" {
 "secretsmanager:DescribeSecret",
 "secretsmanager:GetSecretValue",
 ]
- # Secret must be tagged to the same JBID as the caller.
- condition {
- test = "StringEquals"
- variable = "secretsmanager:ResourceTag/jbid"
- values = [
- "$${aws:PrincipalTag/jbid}"
- ]
- }
- # Name tag pattern includes the caller identifier.
- condition {
- test = "StringLike"
- variable = "secretsmanager:ResourceTag/Name"
- values = [
- "*$${aws:PrincipalTag/jbid}*"
- ]
- }
 }
 }
From 1e6b2ccaf3095c2fedb78deb8c1fe80a6efc0be4 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 7 Apr 2026 17:00:12 -0400 Subject: [PATCH 6/8] reduce to postgres usecase requirements only --- policies/sc-dbuser/policy.tf | 70 ------------------------------------ 1 file changed, 70 deletions(-)
diff --git a/policies/sc-dbuser/policy.tf b/policies/sc-dbuser/policy.tf
index 8dc4ab1..1b2c448 100644
--- a/policies/sc-dbuser/policy.tf
+++ b/policies/sc-dbuser/policy.tf
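Review bot: With both tag conditions deleted, `AllowSecretsManagerRead` now grants `secretsmanager:GetSecretValue` and `BatchGetSecretValue` on `resources = ["*"]` with no condition at all — every secret in the account, not the caller's own DB credentials — and the commit message does not flag that widening. The next commit in this series removes the Secrets Manager statements altogether, so the exposure is transient, but if the statement is ever restored it needs either a resource ARN pattern in place of `"*"` or the `secretsmanager:ResourceTag/jbid` condition back. If the tag match does return, bring the 8-character shape check back with it: `StringEquals` against `$${aws:PrincipalTag/jbid}` would also succeed when both the principal tag and the secret tag are empty strings, and that check was the only thing ruling that out.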
@@ -1,56 +1,4 @@
 data "aws_iam_policy_document" "inline" {
- statement {
- sid = "AllowEC2Read"
- effect = "Allow"
- resources = ["*"]
- actions = [
- "ec2:Describe*",
- "ec2:Get*",
- "ec2:List*",
- ]
- }
- statement {
- sid = "AllowKMSList"
- effect = "Allow"
- resources = ["*"]
- actions = [
- "kms:Describe*",
- "kms:List*",
- ]
- }
- statement {
- sid = "RDSKMSDefaultKeyAccess"
- effect = "Allow"
- resources = ["*"]
- actions = [
- "kms:Decrypt",
- "kms:EnableK*",
- "kms:Encrypt",
- "kms:GenerateDataKey*",
- "kms:ReEncrypt*",
- ]
- condition {
- test = "StringEquals"
- variable = "kms:ResourceAliases"
- values = [
- "alias/aws/rds",
- "alias/aws/secretsmanager"
- ]
- }
- }
- statement {
- sid = "RestrictInfKMS"
- effect = "Deny"
- resources = ["*"]
- actions = ["kms:*"]
- condition {
- test = "StringLike"
- variable = "kms:RequestAlias"
- values = [
- "alias/k-kms-inf*"
- ]
- }
- }
 statement {
 sid = "AllowRDSDB"
 effect = "Allow"
@@ -67,22 +15,4 @@ data "aws_iam_policy_document" "inline" {
 "pi:ListAvailableResourceMetrics"
 ]
 }
- statement {
- sid = "AllowSecretsManagerList"
- effect = "Allow"
- resources = ["*"]
- actions = [
- "secretsmanager:List*",
- ]
- }
- statement {
- sid = "AllowSecretsManagerRead"
- effect = "Allow"
- resources = ["*"]
- actions = [
- "secretsmanager:BatchGetSecretValue",
- "secretsmanager:DescribeSecret",
- "secretsmanager:GetSecretValue",
- ]
- }
 }
From 10688cc9fa563e2530ebf61a3c1015146090c73e Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 7 Apr 2026 17:01:38 -0400 Subject: [PATCH 7/8] update changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d885af1..88e82b3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -94,6 +94,6 @@ - updated policies/sc-developer - add kms:UpdateKeyDescription -* 1.7.2 -- 2026-03-26 +* 1.7.2 -- 2026-04-07 - created policies - policies/sc-db-user
From dc4ebc534443ae5d3abd9fec6c05a8a0d0c5108a Mon Sep 17 00:00:00 2001
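Review bot: After this reduction the only inline grant left is `AllowRDSDB`, and its `resources = ["*"]` (introduced in the first commit; that line sits between these two hunks, so the statement body is partly outside both) lets the principal call `rds-db:connect` for any IAM-auth-enabled database user on any instance the SSO role can reach, in any region. `rds-db:connect` is resource-scopable (`arn:<partition>:rds-db:<region>:<account>:dbuser:<DbiResourceId>/<db_user>`), and `locals.tf` already defines `local.region`, `local.account_id` and uses `data.aws_arn.current.partition`, so the connect grant can be pinned to this partition, region and account with no new inputs, leaving the `rds:Describe*`/`pi:*` actions on `*` in their own statement. Narrowing `dbuser:*/*` further to the actual DB user name is a follow-up once the naming scheme is settled.

```hcl
data "aws_iam_policy_document" "inline" {
  statement {
    sid    = "AllowRDSDBConnect"
    effect = "Allow"
    # rds-db:connect supports resource-level scoping; pin it to this partition/region/account
    # so the permission set cannot IAM-authenticate to databases anywhere else.
    # NOTE(review): tighten "dbuser:*/*" to the agreed DB user name(s) once that is settled.
    resources = [
      format("arn:%s:rds-db:%s:%s:dbuser:*/*", data.aws_arn.current.partition, local.region, local.account_id),
    ]
    actions = ["rds-db:connect"]
  }
  statement {
    sid       = "AllowRDSDescribe"
    effect    = "Allow"
    resources = ["*"]
    # … unchanged: rds:Describe* and pi:* actions …
  }
}
```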
From: "Matthew C. Morgan" Date: Tue, 7 Apr 2026 17:02:15 -0400 Subject: [PATCH 8/8] fix name --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 88e82b3..bf80a1b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -96,4 +96,4 @@ * 1.7.2 -- 2026-04-07 - created policies - - policies/sc-db-user + - policies/sc-dbuser