diff --git a/examples/basic/main.tf b/examples/basic/main.tf
index 3f33bca..e506eec 100644
--- a/examples/basic/main.tf
+++ b/examples/basic/main.tf
@@ -32,14 +32,24 @@ provider "datadog" {
 }
 
 provider "mcaf" {
-  aws {}
+  aws {
+    region = "eu-west-1"
+  }
 }
 
 module "landing_zone" {
   providers = { aws = aws, aws.audit = aws.audit, aws.logging = aws.logging }
   source    = "../../"
-
+  aws_security_hub = {
+    disabled_standards_arns = [{
+      standards_control_arn = "bla"
+      disabled_reason       = "Daarom"
+    }, {
+      standards_control_arn = "bla"
+      disabled_reason       = "Daarom"
+    }]
+  }
   control_tower_account_ids = local.control_tower_account_ids
   tags                      = { Terraform = true }
 }
diff --git a/security_hub.tf b/security_hub.tf
index 5f04a7f..673be92 100644
--- a/security_hub.tf
+++ b/security_hub.tf
@@ -65,6 +65,17 @@ resource "aws_securityhub_standards_subscription" "default" {
   depends_on = [aws_securityhub_account.default]
 }
 
+resource "aws_securityhub_standards_control" "default" {
+  for_each = toset(var.aws_security_hub.disabled_standards_arns)
+  provider = aws.audit
+
+  standards_control_arn = each.key
+  control_status        = "DISABLED"
+  disabled_reason       = each.value
+
+  depends_on = [aws_securityhub_account.default]
+}
+
 resource "aws_cloudwatch_event_rule" "security_hub_findings" {
   provider = aws.audit
 
diff --git a/variables.tf b/variables.tf
index 447c81b..7a754ef 100644
--- a/variables.tf
+++ b/variables.tf
@@ -162,6 +162,10 @@ variable "aws_security_hub" {
     create_cis_metric_filters = optional(bool, true)
     product_arns              = optional(list(string), [])
     standards_arns            = optional(list(string), null)
+    disabled_standards_arns   = optional(list(object({
+      standards_control_arn = string
+      disabled_reason       = string
+    })), null)
   })
   default = {
     enabled = true
@@ -171,6 +175,7 @@ variable "aws_security_hub" {
     create_cis_metric_filters = true
     product_arns              = []
     standards_arns            = null
+    disabled_standards_arns   = null
   }
   description = "AWS Security Hub settings"
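Review bot: Both entries added under `disabled_standards_arns` in the `landing_zone` module call carry the same value `"bla"`, which is not shaped like a Security Hub control ARN, so the example neither documents the expected input nor survives being keyed by ARN (the second entry would collide with the first). Give each entry a distinct placeholder in the real format, e.g. `standards_control_arn = "arn:aws:securityhub:<REGION>:<ACCOUNT_ID>:control/<STANDARD>/v/<VERSION>/<CONTROL_ID>"`, and an English `disabled_reason` such as `"Not applicable in this environment"`, since the reason is stored on the control and read by auditors. The example only shows two identical objects, so whether duplicate ARNs are meant to be tolerated is unclear; the example should show the intended usage rather than placeholder text.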
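Review bot: The `for_each` in the new `aws_securityhub_standards_control.default` resource wraps a list of objects in `toset()`, but `for_each` only accepts a set of strings or a map, and `standards_control_arn = each.key` would then receive an object rather than the ARN string; with the variable's default of `null` (hunks 3 and 4) `for_each` also fails outright because `toset(null)` is null. Build a map keyed by the control ARN instead: `for_each = { for c in coalesce(var.aws_security_hub.disabled_standards_arns, []) : c.standards_control_arn => c.disabled_reason }`, which keeps `each.key` / `each.value` as used below and makes the plan output name the specific control being disabled. Since disabling a control removes findings for it, I would also add `aws_securityhub_standards_subscription.default` to `depends_on` so the control is only touched once its standard is subscribed, although whether the provider requires that ordering I cannot confirm from this hunk.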
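Review bot: The new attribute `disabled_standards_arns` holds objects whose field is a `standards_control_arn`, so its name reads as a sibling of `standards_arns` (which lists standards, not controls) while it actually lists individual controls to disable; a name such as `disabled_controls` would match the content, and since the attribute is new in this change a rename costs nothing. The variable's `description` stays at `"AWS Security Hub settings"`, which says nothing about this field's effect; I would extend it with a sentence to the effect of `Entries in disabled_standards_arns set the named Security Hub controls to DISABLED in the audit account and record disabled_reason on each control.` Hunk 4 adds the matching `null` default and needs no separate note; the `variable "aws_security_hub"` block starts before both hunks and ends after the last one.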