
Commit 5dd7dc4

chore(docs): update readme documentation for security design decisions
1 parent 46becb8 commit 5dd7dc4


2 files changed

+23
-5
lines changed


README.md

Lines changed: 11 additions & 2 deletions
@@ -16,12 +16,19 @@ The following resources are supported:
1616

1717
Please refer to the official Datadog [`datadog-serverless-functions`](https://github.com/DataDog/datadog-serverless-functions/tree/master/aws) for further information on the forwarder lambda functions, configuraion via environment variables, and integration with PrivateLink endpoints.
1818

19-
## Terraform versions
19+
## Security
2020

21-
Terraform 0.12 and above are supported.
21+
There are several factors to keep in mind when working with and/or using this module that largely revolve around the decisions made based on security implications.
22+
23+
1. Based on the functionality provided by the Datadog team at [`datadog-serverless-functions`](https://github.com/DataDog/datadog-serverless-functions/tree/master/aws), the recommended approach for providing your Datadog API key is through AWS Secrets Manager. The creation of this secret is not facilitated by this module and should be created manually (or through some other means where the secret is not passed as plain text into Terraform as input).
24+
- Note: even though this is the recommended approach, the pattern used in the past of providing the `DD_API_KEY` as an environment variable is still supported by the module. Users are able to provde any and all environment variables to the forwarders through inputs (i.e. - `log_forwarder_environment_variables`) to configure the forwarders as desired. See [`settings.py`](https://github.com/DataDog/datadog-serverless-functions/blob/master/aws/logs_monitoring/settings.py) for more details on what environment variables are supported to configure the forwarders.
25+
2. The use of a KMS key to encrypt/decrypt API and APP keys is required by the [`rds_enhanced_monitoring_forwarder`](./modules/rds_enhanced_monitoring_forwarder) and [`vpc_flow_log_forwarder`](./modules/vpc_flow_log_forwarder) modules/functions per the uptream source at [`datadog-serverless-functions`](https://github.com/DataDog/datadog-serverless-functions/tree/master/aws). The creation of a KMS key has been left out of this module so that users are able to better manage their KMS CMK key (and therefore the policies and usage of said key) as they see fit without over-complicating this module.
26+
3. The roles and their permissions created by this module have several built in conditional checks in order to provide permission sets that allow the desired functionality while following the recommended approach of least privelege access. Nearly all attributes for the IAM roles and their permissions are accessible via inputs - even allowing users to provide their own IAM roles and/or policies to meet their organizational requirements.
2227

2328
## Usage
2429

30+
See [`examples`](./examples) directory for working examples to reference:
31+
2532
```hcl
2633
# Note: you will need to create this secret manually prior to running
2734
# This avoids having to pass the key to Terraform in plaintext
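Review bot: Replacing the "Terraform versions" section with "Security" (the `19-` and `21-` removals in this hunk) drops the only statement of supported Terraform versions from the README; either keep the one-line "Terraform 0.12 and above are supported" or point readers at the module's `required_version` constraint. On the Security text itself: item 1's note says providing `DD_API_KEY` as an environment variable is still supported but never says why Secrets Manager is preferred; state that a Lambda environment variable is readable by any principal with `lambda:GetFunctionConfiguration` and is stored in plain text in Terraform state, whereas the secret only has to be referenced by ARN. Items 1 and 2 say the secret and the KMS key are created outside the module but not which inputs take their ARNs, nor that the forwarder role must be allowed `secretsmanager:GetSecretValue` on the secret and `kms:Decrypt` on the key; name those inputs next to the Usage snippet so the "create this secret manually prior to running" comment is actionable. Item 3's "several built in conditional checks" is too vague to review or rely on; list the conditions or link the policy file. Typos in the added lines: "provde", "uptream", "privelege" (and "configuraion" in the unchanged context line above).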
@@ -44,6 +51,8 @@ module "datadog_forwarders" {
4451

4552
## Examples
4653

54+
Examples codified under the [`examples`](./examples) are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module(s). If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!
55+
4756
- [Complete](./examples/complete)
4857
- [Simple](./examples/simple)
4958

modules/log_forwarder/README.md

Lines changed: 12 additions & 3 deletions
@@ -2,9 +2,18 @@
22

33
Terraform module which creates Datadog log forwarder resources on AWS.
44

5-
## Terraform versions
6-
7-
Terraform 0.12 and above are supported.
5+
> The Datadog log forwarder is an AWS Lambda function that ships logs, custom metrics, and traces from your environment to Datadog. The Forwarder can:
6+
>
7+
> - Forward CloudWatch, ELB, S3, CloudTrail, VPC, SNS, and CloudFront logs to Datadog
8+
> - Forward S3 events to Datadog
9+
> - Forward Kinesis data stream events to Datadog (only CloudWatch logs are supported)
10+
> - Forward custom metrics from AWS Lambda functions using CloudWatch logs
11+
> - Forward traces from AWS Lambda functions using CloudWatch logs
12+
> - Generate and submit enhanced Lambda metrics (`aws.lambda.enhanced.*`) parsed from the AWS REPORT log: duration, billed_duration, max_memory_used, timeouts, out_of_memory, and estimated_cost
13+
>
14+
> For additional information on sending AWS services logs with the Datadog Forwarder, see [here](https://docs.datadoghq.com/logs/guide/send-aws-services-logs-with-the-datadog-lambda-function/).
15+
16+
Taken from: [`datadog-serverless-functions/aws/log_monitoring`](https://github.com/DataDog/datadog-serverless-functions/blob/master/aws/logs_monitoring/README.md)
817

918
## Usage
1019

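Review bot: The link text `datadog-serverless-functions/aws/log_monitoring` on the "Taken from:" line does not match its URL, which points at `aws/logs_monitoring`; correct the text to `logs_monitoring`. As in the root README, this hunk removes the "Terraform versions" section (`5-` to `7-`) with no replacement, so the supported Terraform version is no longer documented for this module; keep the sentence or reference the version constraint. The quoted description is copied from the upstream Datadog README and will drift as upstream changes; record the upstream commit or date it was copied from so maintainers know when to re-sync.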