fix: match upstream Datadog serverless functions and allow kms:Decrypt by default

Author: bryantbiggs

examples/complete/README.md

@@ -30,8 +30,8 @@ Note that this example may create resources which will incur monetary charges on
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.51.0 |
-| <a name="provider_random"></a> [random](#provider\_random) | 3.1.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | n/a |
 
 ## Modules
 

modules/log_forwarder/policy.tmpl

@@ -14,6 +14,12 @@
       "Resource": "*",
       "Sid": "AnyResourceAccess"
     },
+    {
+      "Action": "kms:Decrypt",
+      "Effect": "Allow",
+      "Resource": "*",
+      "Sid": "KmsDecrypt"
+    },
     {
       "Action": [
         "s3:GetObject",

modules/rds_enhanced_monitoring_forwarder/policy.tmpl

@@ -12,6 +12,12 @@
       "Effect": "Allow",
       "Resource": "*",
       "Sid": "WriteLogs"
+    },
+    {
+      "Action": "kms:Decrypt",
+      "Effect": "Allow",
+      "Resource": "*",
+      "Sid": "KmsDecrypt"
     }%{ if dd_api_key_secret_arn != "" },
     {
       "Action": "secretsmanager:GetSecretValue",

modules/vpc_flow_log_forwarder/policy.tmpl

@@ -18,12 +18,12 @@
       "Effect": "Allow",
       "Resource": ${s3_log_bucket_arns},
       "Sid": "ReadS3Logs"
-    }%{ endif }%{ if kms_arn != "" },
+    }%{ endif },
     {
       "Action": "kms:Decrypt",
       "Effect": "Allow",
-      "Resource": "${kms_arn}",
-      "Sid": "DecryptKeys"
-    }%{ endif }
+      "Resource": "*",
+      "Sid": "KmsDecrypt"
+    }
   ]
 }