From ee6820b92329e7e4d059f269ce500db249adf8e7 Mon Sep 17 00:00:00 2001
From: Johan Steenhoven
Date: Wed, 15 May 2024 21:55:47 +0200
Subject: [PATCH] feat: support disabling individual securityhub controls

---
 security_hub.tf | 11 +++++++++++
 variables.tf | 5 +++++
 2 files changed, 16 insertions(+)

diff --git a/security_hub.tf b/security_hub.tf
index 5f04a7f..8243ced 100644
--- a/security_hub.tf
+++ b/security_hub.tf
@@ -65,6 +65,17 @@ resource "aws_securityhub_standards_subscription" "default" {
   depends_on = [aws_securityhub_account.default]
 }
 
+resource "aws_securityhub_standards_control" "default" {
+  for_each = var.aws_security_hub.disabled_standards_arns
+  provider = aws.audit
+
+  standards_control_arn = each.key
+  control_status = "DISABLED"
+  disabled_reason = each.value
+
+  depends_on = [aws_securityhub_account.default]
+}
+
 resource "aws_cloudwatch_event_rule" "security_hub_findings" {
   provider = aws.audit
 
diff --git a/variables.tf b/variables.tf
index 447c81b..dafd466 100644
--- a/variables.tf
+++ b/variables.tf
@@ -162,6 +162,10 @@ variable "aws_security_hub" {
     create_cis_metric_filters = optional(bool, true)
     product_arns = optional(list(string), [])
     standards_arns = optional(list(string), null)
+    disabled_standards_arns = optional(object({
+      standards_control_arn = string
+      disabled_reason = string
+    }), null)
   })
   default = {
     enabled = true
@@ -171,6 +175,7 @@ variable "aws_security_hub" {
     create_cis_metric_filters = true
     product_arns = []
     standards_arns = null
+    disabled_standards_arns = null
   }
   description = "AWS Security Hub settings"
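Review bot: `for_each = var.aws_security_hub.disabled_standards_arns` does not match the shape the variable is given in the variables.tf hunk: there it is a single object with the attributes standards_control_arn and disabled_reason, so each.key would be those two attribute names and each.value their contents, while the resource body reads each.key as a control ARN and each.value as the reason. The input the body actually wants is a map of control ARN to reason, i.e. `disabled_standards_arns = optional(map(string), {})` in variables.tf, which also makes a justification mandatory for every control that is silenced. The dependency is also too weak: a control can only be updated under a standard that is already subscribed, so `depends_on = [aws_securityhub_standards_subscription.default]` (the resource shown in the hunk header) expresses the real ordering rather than only the account being enabled. Each entry here is a standing reduction of detection coverage in the audit account, so the ARN-to-reason pairing and the subscription ordering are what a later reviewer needs to see in this resource.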
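Review bot: `optional(object({ ... }), null)` leaves the new attribute null by default, and null is not an acceptable for_each value, so the module fails to plan for every caller that does not set the attribute; an empty map (and `disabled_standards_arns = {}` in the default block, which continues in the following hunk) keeps the feature opt-in without breaking existing users. Because each entry permanently disables a control's findings, a validation that every reason is non-empty keeps an auditable justification in the configuration instead of allowing "" to pass the type check. The `description = "AWS Security Hub settings"` line further down is unchanged and could name the new attribute and its ARN-to-reason form. The variable block ends outside this hunk.
```hcl
    disabled_standards_arns   = optional(map(string), {})
  })
  # … unchanged: default block …
  validation {
    condition     = alltrue([for reason in values(var.aws_security_hub.disabled_standards_arns) : trimspace(reason) != ""])
    error_message = "Every entry in aws_security_hub.disabled_standards_arns must map a standards control ARN to a non-empty disabled_reason."
  }
```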