From d21447ea983eb21127277171610834563ddbc86f Mon Sep 17 00:00:00 2001
From: Sylvia McLaughlin
Date: Mon, 25 Mar 2024 15:19:44 -0700
Subject: [PATCH 1/2] SCP to deny everything in case of an emergency

---
 terragrunt/org_account/organization/scp.tf | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/terragrunt/org_account/organization/scp.tf b/terragrunt/org_account/organization/scp.tf
index e9259334..87f9d09f 100644
--- a/terragrunt/org_account/organization/scp.tf
+++ b/terragrunt/org_account/organization/scp.tf
@@ -157,3 +157,21 @@ resource "aws_organizations_policy" "cds_snc_universal_guardrails" {
 type = "SERVICE_CONTROL_POLICY"
 content = data.aws_iam_policy_document.cds_snc_universal_guardrails.json
 }
+
+data "aws_iam_policy_document" "qurantine_deny_all_policy" {
+statement {
+sid = "DenyAllActions"
+effect = "Deny"
+
+actions = ["*"]
+resources = [
+"*",
+]
+}
+}
+
+resource "aws_organizations_policy" "qurantine_deny_all_policy" {
+name = "Qurantine account and Deny All Policy"
+type = "SERVICE_CONTROL_POLICY"
+content = data.aws_iam_policy_document.qurantine_deny_all_policy.json
+}
\ No newline at end of file

From 80152c7bab1cf41a0da6fe3c1f1479c35ea111e5 Mon Sep 17 00:00:00 2001
From: Sylvia McLaughlin
Date: Mon, 25 Mar 2024 16:19:28 -0700
Subject: [PATCH 2/2] Attaching the deny all scp to the dumpsterfire organizational ou

---
 terragrunt/org_account/organization/organizations.tf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/terragrunt/org_account/organization/organizations.tf b/terragrunt/org_account/organization/organizations.tf
index 75a05ab9..670b2be0 100644
--- a/terragrunt/org_account/organization/organizations.tf
+++ b/terragrunt/org_account/organization/organizations.tf
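Review bot: The `DenyAllActions` statement in `qurantine_deny_all_policy` denies every principal in a quarantined account, including whichever role the security team would use to investigate or contain it (read CloudTrail, snapshot volumes, revoke keys), leaving the management account — which SCPs never restrict — as the only way in. Consider carving out the incident-response role with a `condition` on `aws:PrincipalArn` so the policy is containment rather than a lockout; how this OU will be operated is inferred from the commit message, so confirm with the owners before adding the exception. The label and display name misspell "quarantine" as `qurantine`, and because `qurantine_deny_all_policy` is a Terraform resource label (also referenced by the attachment added in organizations.tf in the next patch), fixing it later will need a `moved` block or `terraform state mv` to avoid detaching and recreating the policy, so correct it now. The `aws_organizations_policy` block has no `description`; I'd add `description = "Emergency quarantine: denies all actions in accounts placed under the quarantine OU"` and a header comment on the data source noting that SCPs do not apply to the management account or to service-linked roles. Both patched files end without a trailing newline (`\ No newline at end of file`), which `terraform fmt` would add.
```hcl
data "aws_iam_policy_document" "qurantine_deny_all_policy" {
  # Emergency quarantine: blanket Deny for accounts moved under the quarantine OU.
  # SCPs never restrict the management account or service-linked roles.
  statement {
    sid    = "DenyAllActions"
    effect = "Deny"
    # … unchanged: actions / resources …

    # Keep the incident-response role able to investigate and contain.
    condition {
      test     = "ArnNotLike"
      variable = "aws:PrincipalArn"
      values   = ["arn:aws:iam::*:role/<INCIDENT_RESPONSE_ROLE_NAME>"] # placeholder, set to the real IR role
    }
  }
}
```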
@@ -106,3 +106,8 @@ resource "aws_organizations_policy_attachment" "Test-cds_snc_universal_guardrail
 policy_id = aws_organizations_policy.cds_snc_universal_guardrails.id
 target_id = aws_organizations_organizational_unit.Test.id
 }
+
+resource "aws_organizations_policy_attachment" "DumpsterFire-qurantine_deny_all_policy" {
+policy_id = aws_organizations_policy.qurantine_deny_all_policy.id
+target_id = aws_organizations_organizational_unit.DumpsterFire.id
+}
\ No newline at end of file
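Review bot: `DumpsterFire-qurantine_deny_all_policy` references `aws_organizations_organizational_unit.DumpsterFire`, which is not in this hunk and, per the diffstat, is not added by this patch either; presumably it already exists in organizations.tf, but confirm it, since the apply fails otherwise. Because SCP evaluation intersects along the OU path, this attachment makes "move the account into the DumpsterFire OU" the quarantine action itself, and nothing in the resource records that intent or its blast radius. I'd add `# Emergency quarantine: any account moved into this OU loses all API access (management account excepted).` above the resource so the OU's purpose is not only in the commit message. Consider also whether the attachment should carry `lifecycle { prevent_destroy = true }` so a routine plan cannot silently detach the quarantine control from the OU; that depends on how the team handles lifecycle guards elsewhere in this module, which I cannot see here.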