---
# Crossplane managed resource for an AWS Organizations service control policy
# (SCP). The policy denies every action whose requested region is not in the
# approved list, except for the admin/break-glass principals matched by the
# ArnNotLike condition. Attachment to a root/OU/account is not part of this
# resource.
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: Policy
metadata:
  name: deny-non-approved-regions
  namespace: aws-organization
  labels:
    policy-type: scp
    purpose: compliance
spec:
  forProvider:
    name: DenyNonApprovedRegions
    description: Only allow specific AWS regions for compliance
    type: SERVICE_CONTROL_POLICY
    # The policy document is a literal block scalar so the JSON stays readable
    # and diffable; the provider receives it as an opaque string.
    #
    # Approved regions: eu-west-1, us-east-1, us-west-2. Keeping us-east-1 in
    # the list is what lets global-endpoint services (which report us-east-1
    # as aws:RequestedRegion) keep working without a NotAction carve-out.
    #
    # NOTE(review): the ArnNotLike exemption matches any role in any account
    # whose name starts with "Admin", not just a named break-glass role, so
    # role naming in member accounts effectively controls who bypasses the
    # region restriction — confirm the prefix is narrow enough and that role
    # creation is itself governed. SCPs also never apply to the management
    # account or to service-linked roles; those are covered elsewhere or not
    # at all.
    content: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "DenyNonApprovedRegions",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
              "StringNotEquals": {
                "aws:RequestedRegion": [
                  "eu-west-1",
                  "us-east-1",
                  "us-west-2"
                ]
              },
              "ArnNotLike": {
                "aws:PrincipalArn": [
                  "arn:aws:iam::*:role/OrganizationAccountAccessRole",
                  "arn:aws:iam::*:role/Admin*"
                ]
              }
            }
          }
        ]
      }
  # Credentials/assume-role configuration for the Organizations API calls.
  providerConfigRef:
    name: org-config