I have the following Terraform based on the recommended SCP:
data "aws_iam_policy_document" "restrict-regions-policy" {
statement {
sid = "RegionRestriction"
effect = "Deny"
not_actions = [
"a4b:*",
"acm:*",
"aws-marketplace-management:*",
"aws-marketplace:*",
"aws-portal:*",
"budgets:*",
"ce:*",
"chime:*",
"cloudfront:*",
"config:*",
"cur:*",
"directconnect:*",
"ec2:DescribeRegions",
"ec2:DescribeTransitGateways",
"ec2:DescribeVpnGateways",
"fms:*",
"globalaccelerator:*",
"health:*",
"iam:*",
"importexport:*",
"kms:*",
"mobileanalytics:*",
"networkmanager:*",
"organizations:*",
"pricing:*",
"route53:*",
"route53domains:*",
"route53-recovery-cluster:*",
"route53-recovery-control-config:*",
"route53-recovery-readiness:*",
"s3:GetAccountPublic*",
"s3:ListAllMyBuckets",
"s3:ListMultiRegionAccessPoints",
"s3:PutAccountPublic*",
"shield:*",
"sts:*",
"support:*",
"trustedadvisor:*",
"waf-regional:*",
"waf:*",
"wafv2:*",
"wellarchitected:*"
]
actions = ["*"]
resources = ["*"]
condition {
test = "StringNotEquals"
variable = "aws:RequestedRegion"
values = [
"us-east-1",
"eu-west-1",
]
}
}
}
resource "aws_organizations_policy" "restrict-regions" {
name = "restrict-regions"
description = "Deny all regions except the ones we use"
content = data.aws_iam_policy_document.restrict-regions-policy.json
}
When I am trying to deploy it I get the following error:
Plan: 2 to add, 0 to change, 0 to destroy.
aws_organizations_policy.restrict-regions: Creating...
╷
│ Error: creating Organizations Policy (restrict-regions): MalformedPolicyDocumentException: The provided policy document does not meet the requirements of the specified policy type.
│
│ with aws_organizations_policy.restrict-regions,
│ on scp-deny-regions.tf line 63, in resource "aws_organizations_policy" "restrict-regions":
│ 63: resource "aws_organizations_policy" "restrict-regions" {
│
╵
I am not sure what is missing from the policy document.