From 87685a985fab04f1d54f7dff24cad0d5d7f596d5 Mon Sep 17 00:00:00 2001
From: Pradeep
Date: Fri, 30 May 2025 09:11:25 +0530
Subject: [PATCH] expose 'disabled_securityhub_controls' list to other tf repo

---
 modules/security_hub/outputs.tf | 4 ++++
 modules/security_hub/variables.tf | 12 ++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/modules/security_hub/outputs.tf b/modules/security_hub/outputs.tf
index bdb5b15..a004bf6 100644
--- a/modules/security_hub/outputs.tf
+++ b/modules/security_hub/outputs.tf
@@ -1,3 +1,7 @@
 output "security_hub" {
 value = aws_securityhub_account.security_hub
 }
+
+output "disabled_securityhub_controls" {
+ value = var.disabled_securityhub_controls
+}
diff --git a/modules/security_hub/variables.tf b/modules/security_hub/variables.tf
index d142046..b3dcbc4 100644
--- a/modules/security_hub/variables.tf
+++ b/modules/security_hub/variables.tf
@@ -12,3 +12,15 @@ variable "admin_account" {
 prod = "636967684097"
 }
 }
+
+variable "disabled_securityhub_controls" {
+ type = list(string)
+ description = "List of Security Hub controls to disable"
+ default = [
+ "arn:aws:securityhub:::ruleset/aws-foundational-security-best-practices/v/1.0.0/Config.1",
+ "arn:aws:securityhub:::ruleset/aws-foundational-security-best-practices/v/1.0.0/IAM.6",
+ "arn:aws:securityhub:::ruleset/aws-foundational-security-best-practices/v/1.0.0/Inspector.1",
+ "arn:aws:securityhub:::ruleset/aws-foundational-security-best-practices/v/1.0.0/GuardDuty.5",
+ "arn:aws:securityhub:::ruleset/aws-foundational-security-best-practices/v/1.0.0/GuardDuty.8"
+ ]
+}
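Review bot: The `disabled_securityhub_controls` output added in outputs.tf has no `description`, so a consuming repository cannot tell from the module interface which standard the entries belong to or that the list is a set of security-control exceptions. Add something like `description = "Security Hub control identifiers passed to this module as disabled (var.disabled_securityhub_controls)"`. The value is the input variable echoed back, not a resource attribute, so it reports what was requested rather than what Security Hub currently has disabled; the description should say so.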
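Review bot: The default list in variables.tf turns off five Foundational Security Best Practices controls (Config.1, IAM.6, Inspector.1, GuardDuty.5, GuardDuty.8) and nothing in the hunk records why each exception is acceptable; a one-line `# reason / owner / review date` comment above each entry would keep the list auditable now that other repositories will consume it. The entries use an `arn:aws:securityhub:::ruleset/...` shape, whereas the provider's `aws_securityhub_standards_control` resource takes `arn:aws:securityhub:<region>:<account>:control/...`, so presumably the consumer rewrites them. It is worth confirming that an entry which does not match fails the plan rather than being skipped silently. Because this is a variable and not a local, any caller can extend or replace the list, so a `validation` block that pins the expected entry pattern would catch typos and unexpected values at plan time.

```terraform
variable "disabled_securityhub_controls" {
  # … unchanged: type, description, default …

  validation {
    condition = alltrue([
      for arn in var.disabled_securityhub_controls :
      can(regex("^arn:aws:securityhub:.+/[A-Za-z0-9]+\\.[0-9]+$", arn))
    ])
    error_message = "Each entry must be a Security Hub ARN ending in a control ID such as Config.1."
  }
}
```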