From f662259af41ce55acf274aeb8df950be5121573c Mon Sep 17 00:00:00 2001
From: Loren Gordon
Date: Tue, 29 Aug 2023 15:53:26 -0700
Subject: [PATCH 1/2] Defaults control_finding_generator to null to allow org to manage setting
---
 README.md | 2 +-
 modules/account/README.md | 2 +-
 modules/account/variables.tf | 11 ++++++++++-
 variables.tf | 11 ++++++++++-
 4 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 2143f2c..c3e84bb 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ No resources.
 |------|-------------|------|---------|:--------:|
 | [action\_targets](#input\_action\_targets) | Schema list of SecurityHub action targets. |
list(object({
name = string
description = string
identifer = string
}))
| `[]` | no |
 | [auto\_enable\_controls](#input\_auto\_enable\_controls) | Boolean that enables the security standards that Security Hub has designated as automatically enabled including: `AWS Foundational Security Best Practices v1.0.0` and `CIS AWS Foundations Benchmark v1.2.0` | `bool` | `true` | no |
-| [control\_finding\_generator](#input\_control\_finding\_generator) | Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard. | `string` | `"SECURITY_CONTROL"` | no |
+| [control\_finding\_generator](#input\_control\_finding\_generator) | Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard. | `string` | `null` | no |
 | [enable\_default\_standards](#input\_enable\_default\_standards) | Boolean that automatically enables new controls when they are added to standards that are enabled | `bool` | `true` | no |
 | [product\_subscription\_arns](#input\_product\_subscription\_arns) | List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html | `list(string)` | `[]` | no |
 | [standard\_subscription\_arns](#input\_standard\_subscription\_arns) | List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html | `list(string)` | `[]` | no |
diff --git a/modules/account/README.md b/modules/account/README.md
index 75c3308..811a222 100644
--- a/modules/account/README.md
+++ b/modules/account/README.md
@@ -24,7 +24,7 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [auto\_enable\_controls](#input\_auto\_enable\_controls) | Boolean that enables the security standards that Security Hub has designated as automatically enabled including: `AWS Foundational Security Best Practices v1.0.0` and `CIS AWS Foundations Benchmark v1.2.0` | `bool` | `true` | no |
-| [control\_finding\_generator](#input\_control\_finding\_generator) | Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard. | `string` | `"SECURITY_CONTROL"` | no |
+| [control\_finding\_generator](#input\_control\_finding\_generator) | Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard. | `string` | `null` | no |
 | [enable\_default\_standards](#input\_enable\_default\_standards) | Boolean that automatically enables new controls when they are added to standards that are enabled | `bool` | `true` | no |
 
 ## Outputs
diff --git a/modules/account/variables.tf b/modules/account/variables.tf
index c5a017b..b22c5cf 100644
--- a/modules/account/variables.tf
+++ b/modules/account/variables.tf
@@ -7,7 +7,16 @@ variable "auto_enable_controls" {
 variable "control_finding_generator" {
 description = "Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard."
 type = string
- default = "SECURITY_CONTROL"
+ default = null
+
+ validation {
+ condition = (
+ var.control_finding_generator != null ?
+ contains(["SECURITY_CONTROL", "STANDARDS_CONTROL"], var.control_finding_generator) :
+ true
+ )
+ error_message = "control_finding_generator must be one of: SECURITY_CONTROL, STANDARDS_CONTROL, null"
+ }
 }
 
 variable "enable_default_standards" {
diff --git a/variables.tf b/variables.tf
index d816beb..876d478 100644
--- a/variables.tf
+++ b/variables.tf
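Review bot: The `description` of `control_finding_generator` is unchanged, so nothing tells a caller what the new `default = null` means, even though the validation block explicitly admits `null` and the commit subject says the default exists to let the organization manage the setting. If omitting the argument indeed leaves the Security Hub administrator account's choice in place, say so in the description, e.g. `Set to null (the default) to leave the setting unmanaged by this module so the Security Hub administrator account controls it.` The identical hunk in `variables.tf` later in this patch needs the same sentence. The description or changelog should also state that callers who relied on the old implicit `SECURITY_CONTROL` default must now pass it explicitly, since the validation accepts `null` without complaint.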
@@ -17,7 +17,16 @@ variable "auto_enable_controls" {
 variable "control_finding_generator" {
 description = "Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard."
 type = string
- default = "SECURITY_CONTROL"
+ default = null
+
+ validation {
+ condition = (
+ var.control_finding_generator != null ?
+ contains(["SECURITY_CONTROL", "STANDARDS_CONTROL"], var.control_finding_generator) :
+ true
+ )
+ error_message = "control_finding_generator must be one of: SECURITY_CONTROL, STANDARDS_CONTROL, null"
+ }
 }
 
 variable "enable_default_standards" {
From 6f32268216a9a2a4d73caab56ce8d62ee90c085a Mon Sep 17 00:00:00 2001
From: Loren Gordon
Date: Tue, 29 Aug 2023 15:53:29 -0700
Subject: [PATCH 2/2] Bumps version to 4.2.1
---
 .bumpversion.cfg | 2 +-
 CHANGELOG.md | 19 ++++++++++++++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index 650010f..2d2497a 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 4.2.0
+current_version = 4.2.1
 commit = True
 message = Bumps version to {new_version}
 tag = False
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0dd0d48..14e3608 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,24 @@
 All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+
+### [4.2.1](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/releases/tag/4.2.1)
+
+**Released**: 2023.08.30
+
+**Summary**:
+
+* Defaults `control_finding_generator` to `null` to allow AWS Security Hub Administrator
+ Account to manage the setting
+
+### [4.2.0](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/releases/tag/4.2.0)
+
+**Released**: 2023.06.02
+
+**Summary**:
+
+* Adds inputs to account resource for `auto_enable_controls` and `enable_default_standards`
+
 ### [4.1.0](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/releases/tag/4.1.0)
 
 **Released**: 2023.06.01
@@ -11,7 +29,6 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
 
 * Brought Standards_Controls under management to enable or disable specified controls
 
-
 ### [4.0.0](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/releases/tag/4.0.0)
 
 **Released**: 2023.05.25