Scaffold a new Service Control Policy with JSON policy, Terraform resources, outputs, and validation scripts. Use this skill whenever the user wants to create a new SCP, add a deny policy, scaffold an organization policy, or says something like "add a policy for data protection" or "create a new SCP to restrict regions".
Create a new SCP with all required files following repo conventions.

Argument: $ARGUMENTS contains two parts:
- policy-name: kebab-case name for the policy (e.g., data-protection)
- target-type: either org-root or ou (e.g., ou)

Steps:
1. Read terraform/scps/main.tf to understand existing SCP patterns.
2. Read terraform/scps/outputs.tf to understand output naming patterns.
3. Read an existing policy (e.g., terraform/scps/policies/dev-restrictions.json) for structure reference.
4. Create terraform/scps/policies/<policy-name>.json with:
   - a Version and a Statement array
   - a Sid starting with Deny
   - Effect set to Deny
   - Resource set to "*"
5. Edit terraform/scps/main.tf to add:
   - an aws_organizations_policy.<snake_case_name> resource with:
     - name in PascalCase (convert from kebab-case)
     - content = file("${path.module}/policies/<policy-name>.json")
   - an aws_organizations_policy_attachment.<snake_case_name>_<target> resource with:
     - org-root: target_id = data.aws_organizations_organization.current.roots[0].id
     - ou: target_id = var.dev_ou_id (user may need to adjust)
6. Edit terraform/scps/outputs.tf to add:
   - a <snake_case_name>_scp_id output
   - a <snake_case_name>_scp_arn output
7. Update .github/scripts/validate-deployment.sh to add validation for the new SCP.
8. Update .github/scripts/get-terraform-outputs.sh to include the new output keys.
9. Run terraform fmt terraform/scps/ to format the new code.
10. Run terraform validate in terraform/scps/ to confirm syntax (it may fail without a backend; that is expected locally).

Naming conventions:
- Policy file: kebab-case.json (e.g., data-protection.json)
- Terraform resource name: snake_case (e.g., data_protection)
- Policy name: PascalCase (e.g., DataProtection)
- Statement Sid: PascalCase starting with Deny (e.g., DenyUnencryptedUploads)

Tell the user:
- Run pre-commit run --all-files to validate
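The steps above, carried out by one script, as an added example that is not part of this skill or of the repository it targets. It assumes the layout the skill names (terraform/scps/, its policies/ directory, outputs.tf and a var.dev_ou_id variable), applies the naming conventions listed above, and writes a placeholder deny statement whose Action value is a marked placeholder for the author to replace, not a real AWS action.

```shell
#!/usr/bin/env bash
# Added example (not the skill's own code): scaffold one SCP into a repo that
# follows the terraform/scps/ layout described in the skill. The Action in the
# generated policy is a placeholder the author must replace.
set -eu

# Accept only kebab-case names: lowercase letters, digits, single hyphens.
kebab_ok() {
  case "$1" in
    "" | -* | *- | *--* | *[!a-z0-9-]*) return 1 ;;
  esac
  return 0
}

# kebab-case -> snake_case   (data-protection -> data_protection)
to_snake() { printf '%s' "$1" | tr '-' '_'; }

# kebab-case -> PascalCase   (data-protection -> DataProtection)
to_pascal() {
  printf '%s' "$1" | awk -F- '{ for (i = 1; i <= NF; i++)
      printf "%s%s", toupper(substr($i, 1, 1)), substr($i, 2) }'
}

# scaffold_scp <policy-name> <org-root|ou> <repo-root>
scaffold_scp() {
  name=$1; target=$2; root=$3
  kebab_ok "$name" || { echo "policy-name must be kebab-case: $name" >&2; return 1; }
  case "$target" in
    org-root) target_id='data.aws_organizations_organization.current.roots[0].id' ;;
    ou)       target_id='var.dev_ou_id' ;;   # user may need to adjust
    *) echo "target-type must be org-root or ou: $target" >&2; return 1 ;;
  esac
  snake=$(to_snake "$name"); pascal=$(to_pascal "$name")
  scps="$root/terraform/scps"
  mkdir -p "$scps/policies"

  # Policy document: explicit Deny on Resource "*"; the Sid follows the
  # Deny<PascalCase> convention, the Action is a placeholder to replace.
  cat > "$scps/policies/$name.json" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Deny${pascal}",
      "Effect": "Deny",
      "Action": "REPLACE_ME:WithDeniedActions",
      "Resource": "*"
    }
  ]
}
EOF

  # Policy resource and attachment; \${path.module} is left for Terraform.
  cat >> "$scps/main.tf" <<EOF

resource "aws_organizations_policy" "$snake" {
  name    = "$pascal"
  type    = "SERVICE_CONTROL_POLICY"
  content = file("\${path.module}/policies/$name.json")
}

resource "aws_organizations_policy_attachment" "${snake}_$(to_snake "$target")" {
  policy_id = aws_organizations_policy.$snake.id
  target_id = $target_id
}
EOF

  # Outputs read by the deployment-validation and output-collection scripts.
  cat >> "$scps/outputs.tf" <<EOF

output "${snake}_scp_id" {
  value = aws_organizations_policy.$snake.id
}

output "${snake}_scp_arn" {
  value = aws_organizations_policy.$snake.arn
}
EOF

  # Format when terraform is installed; validate is left to the author because
  # it may fail locally without a backend.
  if command -v terraform >/dev/null 2>&1; then
    terraform fmt "$scps" >/dev/null
  fi
  echo "Add ${snake}_scp_id and ${snake}_scp_arn to .github/scripts/validate-deployment.sh and get-terraform-outputs.sh"
}

# Usage from the repo root: scaffold_scp data-protection ou .
```

The name check rejects anything that is not kebab-case before any file is written, so a typo such as an underscore or capital letter cannot produce a mismatched file name, resource name and PascalCase policy name.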