apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: Policy
metadata:
  name: deny-leave-organization
  namespace: aws-organization
  labels:
    policy-type: scp
    purpose: security
spec:
  forProvider:
    name: DenyLeaveOrganization
    description: Prevent accounts from leaving the organization
    type: SERVICE_CONTROL_POLICY
    content: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "DenyLeaveOrg",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*"
          }
        ]
      }
  providerConfigRef:
    name: org-config