feat: support disabling individual securityhub controls

schubergphilis · May 15, 2024 · ee6820b · ee6820b
1 parent 8dee354
commit ee6820b
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/security_hub.tf b/security_hub.tf
@@ -65,6 +65,17 @@ resource "aws_securityhub_standards_subscription" "default" {
   depends_on = [aws_securityhub_account.default]
 }
 
+resource "aws_securityhub_standards_control" "default" {
+  for_each = var.aws_security_hub.disabled_standards_arns
+  provider = aws.audit
+
+  standards_control_arn = each.key
+  control_status        = "DISABLED"
+  disabled_reason       = each.value
+
+  depends_on = [aws_securityhub_account.default]
+}
+
 resource "aws_cloudwatch_event_rule" "security_hub_findings" {
   provider = aws.audit
 

diff --git a/variables.tf b/variables.tf
@@ -162,6 +162,10 @@ variable "aws_security_hub" {
     create_cis_metric_filters     = optional(bool, true)
     product_arns                  = optional(list(string), [])
     standards_arns                = optional(list(string), null)
+    disabled_standards_arns = optional(object({
+      standards_control_arn = string
+      disabled_reason       = string
+    }), null)
   })
   default = {
     enabled                       = true
@@ -171,6 +175,7 @@ variable "aws_security_hub" {
     create_cis_metric_filters     = true
     product_arns                  = []
     standards_arns                = null
+    disabled_standards_arns       = null
   }
   description = "AWS Security Hub settings"