From ba4085d9c8780bd9ab3e71eeb2647cbb9a5d613e Mon Sep 17 00:00:00 2001
From: Alex Boyd
Date: Fri, 19 Apr 2024 22:32:52 -0400
Subject: [PATCH 1/4] Add variable for rule pattern details

---
 eventbridge.tf | 21 +++++++++++++--------
 variables.tf | 11 +++++++++++
 2 files changed, 24 insertions(+), 8 deletions(-)

diff --git a/eventbridge.tf b/eventbridge.tf
index c8a30a6..1e72836 100644
--- a/eventbridge.tf
+++ b/eventbridge.tf
@@ -91,14 +91,19 @@ resource "aws_cloudwatch_event_rule" "imported_findings" {
 tags = module.this.tags
 event_pattern = jsonencode(
- {
- "source" : [
- "aws.securityhub"
- ],
- "detail-type" : [
- var.cloudwatch_event_rule_pattern_detail_type
- ]
- }
+ merge(
+ {
+ "source" : [
+ "aws.securityhub"
+ ],
+ "detail-type" : [
+ var.cloudwatch_event_rule_pattern_detail_type
+ ]
+ },
+ var.cloudwatch_event_rule_pattern_detail != null ?
+ { "detail" : var.cloudwatch_event_rule_pattern_detail } :
+ {}
+ )
 )
 }
diff --git a/variables.tf b/variables.tf
index 4d03cf0..b7fff00 100644
--- a/variables.tf
+++ b/variables.tf
@@ -73,6 +73,17 @@ variable "cloudwatch_event_rule_pattern_detail_type" {
 default = "Security Hub Findings - Imported"
 }
+variable "cloudwatch_event_rule_pattern_detail" {
+ description = <<-DOC
+ The detail pattern used to match events that will be sent to SNS.
+
+ For more information, see:
+ https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEventsandEventPatterns.html
+ DOC
+ type = object()
+ default = null
+}
+
 variable "finding_aggregator_enabled" {
 description = <<-DOC
 Flag to indicate whether a finding aggregator should be created
From 0de4df474e1a1a8ed97a1d8ab609c3e6a6908b9d Mon Sep 17 00:00:00 2001
From: Alex Boyd
Date: Fri, 19 Apr 2024 23:13:24 -0400
Subject: [PATCH 2/4] Change type to any for event rule pattern detail

---
 variables.tf | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/variables.tf b/variables.tf
index b7fff00..597e493 100644
--- a/variables.tf
+++ b/variables.tf
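Review bot: The only guard on `var.cloudwatch_event_rule_pattern_detail` in the new `merge(...)` is `!= null`, so an empty value such as `{}` still renders `"detail" : {}` into the rule's event pattern, which EventBridge would most likely reject, and that surfaces only at apply time. Because Terraform does not short-circuit `&&`, a `length()` check must be wrapped, e.g. `try(length(var.cloudwatch_event_rule_pattern_detail), 0) > 0 ?`, to skip the `detail` key for both null and empty inputs. This pattern is what decides which Security Hub findings are forwarded to the SNS topic, so a short comment above `merge(` naming that consequence would help readers, e.g. `# "detail" narrows the rule from all imported findings to those matching the caller-supplied matcher`. The `aws_cloudwatch_event_rule` resource begins before this hunk.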
@@ -55,7 +55,7 @@ variable "imported_findings_notification_arn" {
 description = <<-DOC
 The ARN for an SNS topic to send findings notifications to.
 This is only used if create_sns_topic is false.
- If you want to send findings to an existing SNS topic, set the value of this to the ARN of the existing topic and set
+ If you want to send findings to an existing SNS topic, set the value of this to the ARN of the existing topic and set
 create_sns_topic to false.
 DOC
 default = null
@@ -64,7 +64,7 @@ variable "imported_findings_notification_arn" {
 variable "cloudwatch_event_rule_pattern_detail_type" {
 description = <<-DOC
- The detail-type pattern used to match events that will be sent to SNS.
+ The detail-type pattern used to match events that will be sent to SNS.
 For more information, see:
 https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEventsandEventPatterns.html
@@ -75,12 +75,12 @@ variable "cloudwatch_event_rule_pattern_detail_type" {
 variable "cloudwatch_event_rule_pattern_detail" {
 description = <<-DOC
- The detail pattern used to match events that will be sent to SNS.
+ The detail pattern used to match events that will be sent to SNS.
 For more information, see:
 https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEventsandEventPatterns.html
 DOC
- type = object()
+ type = any
 default = null
 }
@@ -100,9 +100,9 @@ variable "finding_aggregator_enabled" {
 variable "finding_aggregator_linking_mode" {
 description = <<-DOC
- Linking mode to use for the finding aggregator.
+ Linking mode to use for the finding aggregator.
- The possible values are:
+ The possible values are:
 - `ALL_REGIONS` - Aggregate from all regions
 - `ALL_REGIONS_EXCEPT_SPECIFIED` - Aggregate from all regions except those specified in `var.finding_aggregator_regions`
 - `SPECIFIED_REGIONS` - Aggregate from regions specified in `finding_aggregator_enabled`
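Review bot: Switching `cloudwatch_event_rule_pattern_detail` to `type = any` in the `@@ -75` hunk removes all shape checking, so a string or list passed by a caller is accepted by `terraform validate` and only fails when EventBridge rejects the rendered `"detail"` value at apply time. A `validation` block that requires null or a keyed object/map keeps the error at plan time and documents the expected shape next to the variable. The other hunks in this commit are whitespace-only.
```terraform
variable "cloudwatch_event_rule_pattern_detail" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.cloudwatch_event_rule_pattern_detail == null || can(keys(var.cloudwatch_event_rule_pattern_detail))
    error_message = "cloudwatch_event_rule_pattern_detail must be null or an object/map of EventBridge detail matchers."
  }
}
```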
@@ -113,7 +113,7 @@ variable "finding_aggregator_linking_mode" {
 variable "finding_aggregator_regions" {
 description = <<-DOC
- A list of regions to aggregate findings from.
+ A list of regions to aggregate findings from.
 This is only used if `finding_aggregator_enabled` is `true`.
 DOC
From 230d2ee9caf82e55da7547f56db29b0ca0d820d8 Mon Sep 17 00:00:00 2001
From: Alex Boyd
Date: Sun, 21 Apr 2024 21:34:56 -0400
Subject: [PATCH 3/4] Add control finding generator variable

---
 main.tf | 3 ++-
 variables.tf | 13 +++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index db78b7c..1682352 100644
--- a/main.tf
+++ b/main.tf
@@ -4,7 +4,8 @@ resource "aws_securityhub_account" "this" {
 count = local.enabled ? 1 : 0
- enable_default_standards = var.enable_default_standards
+ enable_default_standards = var.enable_default_standards
+ control_finding_generator = var.control_finding_generator
 }
 #-----------------------------------------------------------------------------------------------------------------------
diff --git a/variables.tf b/variables.tf
index 597e493..c509e21 100644
--- a/variables.tf
+++ b/variables.tf
@@ -9,6 +9,19 @@ variable "enable_default_standards" {
 default = true
 }
+variable "control_finding_generator" {
+ description = "Updates whether the calling account has consolidated control findings turned on.
+ If the value for this field is set to ,
+
+ SECURITY_CONTROL - Security Hub generates a single finding for a control check even when
+ the check applies to multiple enabled standards.
+
+ STANDARD_CONTROL - Security Hub generates separate findings for a control check when the
+ check applies to multiple enabled standards."
+ type = string
+ default = "SECURITY_CONTROL"
+}
+
 variable "enabled_standards" {
 description = <<-DOC
 A list of standards/rulesets to enable
From df7c3964d94bcdb5a464d4e44cc6ed8595b7d75b Mon Sep 17 00:00:00 2001
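Review bot: Wiring `control_finding_generator = var.control_finding_generator` with a non-null default of `"SECURITY_CONTROL"` means every account already managed by this module gets that value written on the next apply, even where the operator had left it at the account's existing setting. Consolidated versus per-standard control findings differ in shape, so downstream consumers of the SNS topic and any caller-supplied `detail` matcher may see different findings after that flip; if the provider treats this attribute as optional and computed (worth confirming), `default = null` would preserve the current account setting until a caller opts in, and the change otherwise deserves a changelog entry. The `aws_securityhub_account` resource begins before this hunk.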
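Review bot: The new `control_finding_generator` variable accepts any string, so a typo such as `SECURITY_CONTROLS` passes `terraform validate` and only fails when the Security Hub API rejects it at apply time. A `validation` block pinning the two values the description itself lists keeps that error at plan time.
```terraform
variable "control_finding_generator" {
  # … unchanged: description, type, default …

  validation {
    condition     = contains(["SECURITY_CONTROL", "STANDARD_CONTROL"], var.control_finding_generator)
    error_message = "control_finding_generator must be SECURITY_CONTROL or STANDARD_CONTROL."
  }
}
```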
From: Alex Boyd
Date: Sun, 21 Apr 2024 21:42:48 -0400
Subject: [PATCH 4/4] Fix doc comment on control_finding_generator

---
 variables.tf | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/variables.tf b/variables.tf
index c509e21..21124e2 100644
--- a/variables.tf
+++ b/variables.tf
@@ -10,14 +10,16 @@ variable "enable_default_standards" {
 }
 variable "control_finding_generator" {
- description = "Updates whether the calling account has consolidated control findings turned on.
+ description = <<-DOC
+ Updates whether the calling account has consolidated control findings turned on.
 If the value for this field is set to ,
-
+
 SECURITY_CONTROL - Security Hub generates a single finding for a control check even when
 the check applies to multiple enabled standards.
- STANDARD_CONTROL - Security Hub generates separate findings for a control check when the
- check applies to multiple enabled standards."
+ STANDARD_CONTROL - Security Hub generates separate findings for a control check when the
+ check applies to multiple enabled standards.
+ DOC
 type = string
 default = "SECURITY_CONTROL"
 }
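Review bot: The heredoc conversion keeps the context line `If the value for this field is set to ,`, which is a dangling sentence with the value dropped out, so the description still reads as broken once rendered in module docs. Replacing that line with `The possible values are:` makes the two bulleted entries below it read as the list they are, matching the wording already used by `finding_aggregator_linking_mode`. The `variable` block is otherwise fully inside the hunk.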