Fix review suggestions

Author: rfairburn

addons/byo-cloudwatch-log-sharing/target-account-firehose/.header.md

@@ -9,6 +9,8 @@ Because CloudWatch Logs destinations must be created in the same region as the s
 - `aws.destination`: Region of the Fleet CloudWatch log group (source region).
 - `aws.target`: Region for the Firehose stream and S3 bucket (same region or different region).
 
+Both provider aliases must use the same AWS account credentials. Cross-account is achieved between source and target subscriptions, not between `aws.destination` and `aws.target` within this module.
+
 ## Usage
 
 ```hcl

addons/byo-cloudwatch-log-sharing/target-account-firehose/README.md

@@ -9,6 +9,8 @@ Because CloudWatch Logs destinations must be created in the same region as the s
 - `aws.destination`: Region of the Fleet CloudWatch log group (source region).
 - `aws.target`: Region for the Firehose stream and S3 bucket (same region or different region).
 
+Both provider aliases must use the same AWS account credentials. Cross-account is achieved between source and target subscriptions, not between `aws.destination` and `aws.target` within this module.
+
 ## Usage
 
 ```hcl

addons/byo-cloudwatch-log-sharing/target-account-firehose/firehose.tf

@@ -12,7 +12,7 @@ data "aws_iam_policy_document" "firehose_assume_role" {
 
 resource "aws_iam_role" "firehose" {
   provider           = aws.target
-  name               = var.firehose.role_name
+  name               = local.firehose_role_name
   assume_role_policy = data.aws_iam_policy_document.firehose_assume_role.json
   tags               = var.tags
 }

addons/byo-cloudwatch-log-sharing/target-account-firehose/iam.tf

@@ -1,11 +1,20 @@
 locals {
+  cloudwatch_destination_role_name = coalesce(
+    var.cloudwatch_destination.role_name,
+    "fleet-log-sharing-firehose-destination-role"
+  )
+  firehose_role_name = coalesce(
+    var.firehose.role_name,
+    "fleet-log-sharing-firehose-delivery-role"
+  )
+
   cloudwatch_destination_policy_name = coalesce(
     var.cloudwatch_destination.policy_name,
-    "${var.cloudwatch_destination.role_name}-policy"
+    "${local.cloudwatch_destination_role_name}-policy"
   )
   firehose_policy_name = coalesce(
     var.firehose.policy_name,
-    "${var.firehose.role_name}-policy"
+    "${local.firehose_role_name}-policy"
   )
 }
 
@@ -29,7 +38,7 @@ data "aws_iam_policy_document" "assume_role" {
 
 resource "aws_iam_role" "destination" {
   provider           = aws.destination
-  name               = var.cloudwatch_destination.role_name
+  name               = local.cloudwatch_destination_role_name
   assume_role_policy = data.aws_iam_policy_document.assume_role.json
   tags               = var.tags
 }

addons/byo-cloudwatch-log-sharing/target-account-firehose/variables.tf

@@ -22,6 +22,14 @@ variable "cloudwatch_destination" {
     policy_name = optional(string)
   })
   default = {}
+
+  validation {
+    condition = (
+      var.cloudwatch_destination.role_name == null ||
+      length(trimspace(var.cloudwatch_destination.role_name)) > 0
+    )
+    error_message = "cloudwatch_destination.role_name must be null or a non-empty string."
+  }
 }
 
 variable "firehose" {
@@ -57,6 +65,14 @@ variable "firehose" {
     ], var.firehose.compression_format)
     error_message = "firehose.compression_format must be one of: UNCOMPRESSED, GZIP, ZIP, Snappy, HADOOP_SNAPPY."
   }
+
+  validation {
+    condition = (
+      var.firehose.role_name == null ||
+      length(trimspace(var.firehose.role_name)) > 0
+    )
+    error_message = "firehose.role_name must be null or a non-empty string."
+  }
 }
 
 variable "s3" {

addons/byo-cloudwatch-log-sharing/target-account-kinesis/.header.md

@@ -7,6 +7,8 @@ Because CloudWatch Logs destinations must be created in the same region as the s
 - `aws.destination`: Region of the Fleet CloudWatch log group (source region).
 - `aws.target`: Region for the Kinesis stream (same region or different region).
 
+Both provider aliases must use the same AWS account credentials. Cross-account is achieved between source and target subscriptions, not between `aws.destination` and `aws.target` within this module.
+
 ## Usage
 
 ```hcl

addons/byo-cloudwatch-log-sharing/target-account-kinesis/README.md

@@ -7,6 +7,8 @@ Because CloudWatch Logs destinations must be created in the same region as the s
 - `aws.destination`: Region of the Fleet CloudWatch log group (source region).
 - `aws.target`: Region for the Kinesis stream (same region or different region).
 
+Both provider aliases must use the same AWS account credentials. Cross-account is achieved between source and target subscriptions, not between `aws.destination` and `aws.target` within this module.
+
 ## Usage
 
 ```hcl

addons/byo-cloudwatch-log-sharing/target-account-kinesis/iam.tf

@@ -1,7 +1,12 @@
 locals {
+  cloudwatch_destination_role_name = coalesce(
+    var.cloudwatch_destination.role_name,
+    "fleet-log-sharing-destination-role"
+  )
+
   cloudwatch_destination_policy_name = coalesce(
     var.cloudwatch_destination.policy_name,
-    "${var.cloudwatch_destination.role_name}-policy"
+    "${local.cloudwatch_destination_role_name}-policy"
   )
 }
 
@@ -25,7 +30,7 @@ data "aws_iam_policy_document" "assume_role" {
 
 resource "aws_iam_role" "destination" {
   provider           = aws.destination
-  name               = var.cloudwatch_destination.role_name
+  name               = local.cloudwatch_destination_role_name
   assume_role_policy = data.aws_iam_policy_document.assume_role.json
   tags               = var.tags
 }

addons/byo-cloudwatch-log-sharing/target-account-kinesis/variables.tf

@@ -22,6 +22,14 @@ variable "cloudwatch_destination" {
     policy_name = optional(string)
   })
   default = {}
+
+  validation {
+    condition = (
+      var.cloudwatch_destination.role_name == null ||
+      length(trimspace(var.cloudwatch_destination.role_name)) > 0
+    )
+    error_message = "cloudwatch_destination.role_name must be null or a non-empty string."
+  }
 }
 
 variable "kinesis" {