feat(sc-dbuser) add policy for sc-dbuser

.tflint.hcl

@@ -1,15 +1,15 @@
 config {
-  module = true
-  force = false
+  module              = true
+  force               = false
   disabled_by_default = false
 
-#  ignore_module = {
-#    "terraform-aws-modules/vpc/aws"            = true
-#    "terraform-aws-modules/security-group/aws" = true
-#  }
+  #  ignore_module = {
+  #    "terraform-aws-modules/vpc/aws"            = true
+  #    "terraform-aws-modules/security-group/aws" = true
+  #  }
 
-#  varfile = ["example1.tfvars", "example2.tfvars"]
-#  variables = ["foo=bar", "bar=[\"baz\"]"]
+  #  varfile = ["example1.tfvars", "example2.tfvars"]
+  #  variables = ["foo=bar", "bar=[\"baz\"]"]
 }
 
 rule "aws_instance_invalid_type" {

CHANGELOG.md

@@ -93,3 +93,7 @@
 * 1.7.1 -- 2026-03-26
    - updated policies/sc-developer
      - add kms:UpdateKeyDescription
+
+* 1.7.2 -- 2026-04-07
+  - created policies
+    - policies/sc-dbuser

policies/sc-dbuser/README.md

@@ -0,0 +1,44 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.12 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_customer_managed_policy_names"></a> [customer\_managed\_policy\_names](#output\_customer\_managed\_policy\_names) | Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset |
+| <a name="output_inline_policy"></a> [inline\_policy](#output\_inline\_policy) | AWS Policy document for the single allowed inline policy (use .json to get policy) |
+| <a name="output_managed_policy_names"></a> [managed\_policy\_names](#output\_managed\_policy\_names) | Names of AWS Managed Policy to attach to the permissionset |
+| <a name="output_name"></a> [name](#output\_name) | Permission Set Name for which all settings apply |
+| <a name="output_relay_state"></a> [relay\_state](#output\_relay\_state) | Relay State to pass along to permissionset |

policies/sc-dbuser/base_arn.tf

@@ -0,0 +1,3 @@
+locals {
+  all_account_arn_iam = format("arn:%v:%v::%v:%%v", data.aws_arn.current.partition, "iam", "*")
+}

policies/sc-dbuser/data.tf

@@ -0,0 +1 @@
+../../common/data.tf

policies/sc-dbuser/defaults.tf

@@ -0,0 +1 @@
+../../common/defaults.tf

policies/sc-dbuser/locals.tf

@@ -0,0 +1,12 @@
+locals {
+  account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+  account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+  region              = data.aws_region.current.region
+  region_short        = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+
+  base_tags = {
+    "boc:tf_module_version" = local._module_version
+    "boc:tf_module_name"    = local._module_name
+    "boc:created_by"        = "terraform"
+  }
+}

policies/sc-dbuser/main.tf

@@ -0,0 +1,2 @@
+/*
+*/

policies/sc-dbuser/module_name.tf

@@ -0,0 +1,3 @@
+locals {
+  _module_name = "aws-sso/policies/sc-dbuser"
+}

policies/sc-dbuser/outputs.tf

@@ -0,0 +1,24 @@
+output "name" {
+  description = "Permission Set Name for which all settings apply"
+  value       = local.name
+}
+
+output "managed_policy_names" {
+  description = "Names of AWS Managed Policy to attach to the permissionset"
+  value       = local.managed_policy_names
+}
+
+output "customer_managed_policy_names" {
+  description = "Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset"
+  value       = local.customer_managed_policy_names
+}
+
+output "inline_policy" {
+  description = "AWS Policy document for the single allowed inline policy (use .json to get policy)"
+  value       = local.inline_policy
+}
+
+output "relay_state" {
+  description = "Relay State to pass along to permissionset"
+  value       = local.relay_state
+}

policies/sc-dbuser/policy.tf

@@ -0,0 +1,18 @@
+data "aws_iam_policy_document" "inline" {
+  statement {
+    sid       = "AllowRDSDB"
+    effect    = "Allow"
+    resources = ["*"]
+    actions = [
+      "rds-db:connect",
+      "rds:DescribeDBInstances",
+      "rds:DescribeDBClusters",
+      "rds:DescribeDBInstancesPerformance",
+      "rds:DescribeDBClustersPerformance",
+      "pi:DescribeDimensionKeys",
+      "pi:GetResourceMetrics",
+      "pi:ListAvailableResourceDimensions",
+      "pi:ListAvailableResourceMetrics"
+    ]
+  }
+}

policies/sc-dbuser/prefixes.tf

@@ -0,0 +1 @@
+../../common/prefixes.tf

policies/sc-dbuser/settings.tf

@@ -0,0 +1,10 @@
+locals {
+  name        = "sc-dbuser"
+  description = "System Common DB User"
+  managed_policy_names = [
+    "ReadOnlyAccess",
+  ]
+  customer_managed_policy_names = {}
+  relay_state                   = null
+  inline_policy                 = data.aws_iam_policy_document.inline
+}

policies/sc-dbuser/variables.common.tf

@@ -0,0 +1 @@
+../../common/variables.common.tf

policies/sc-dbuser/variables.tf.unused

@@ -0,0 +1,29 @@
+variable "name" {
+  description = "Permission Set Name for which all settings apply"
+  type        = string
+  default     = null
+}
+
+variable "managed_policy_names" {
+  description = "Names of AWS Managed Policy to attach to the permissionset"
+  type        = list(string)
+  default     = []
+}
+
+variable "customer_managed_policy_names" {
+  description = "Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset"
+  type        = map(string)
+  default     = {}
+}
+
+# variable "inline_policy" {
+#   description = "AWS Policy document for the single allowed inline policy"
+#   type        = string
+#   default     = null
+# }
+
+variable "relay_state" {
+  description = "Relay State to pass along to permissionset"
+  type        = string
+  default     = null
+}

policies/sc-dbuser/version.tf

@@ -0,0 +1 @@
+../../common/version.tf

policies/sc-dbuser/versions.tf

@@ -0,0 +1 @@
+../../common/versions.tf