feat: add variables to control creation of IAM roles and IAM role policies in place of checking if roles or policies were provided

Author: bryantbiggs

README.md

@@ -111,12 +111,18 @@ Examples codified under the [`examples`](./examples) are intended to give users
 | <a name="input_create_api_vpce"></a> [create\_api\_vpce](#input\_create\_api\_vpce) | Controls whether a API endpoint should be created | `bool` | `false` | no |
 | <a name="input_create_bucket"></a> [create\_bucket](#input\_create\_bucket) | Controls whether an S3 artifact bucket should be created. this is used for the zip archive as well as caching tags | `bool` | `true` | no |
 | <a name="input_create_log_forwarder"></a> [create\_log\_forwarder](#input\_create\_log\_forwarder) | Controls whether log forwarder resources should be created | `bool` | `true` | no |
+| <a name="input_create_log_forwarder_role"></a> [create\_log\_forwarder\_role](#input\_create\_log\_forwarder\_role) | Controls whether an IAM role is created for the log forwarder | `bool` | `true` | no |
+| <a name="input_create_log_forwarder_role_policy"></a> [create\_log\_forwarder\_role\_policy](#input\_create\_log\_forwarder\_role\_policy) | Controls whether an IAM role policy is created for the log forwarder | `bool` | `true` | no |
 | <a name="input_create_log_forwarder_vpce"></a> [create\_log\_forwarder\_vpce](#input\_create\_log\_forwarder\_vpce) | Controls whether a log forwarder endpoint should be created | `bool` | `false` | no |
 | <a name="input_create_metrics_vpce"></a> [create\_metrics\_vpce](#input\_create\_metrics\_vpce) | Controls whether a metrics VPC endpoint should be created | `bool` | `false` | no |
 | <a name="input_create_processes_vpce"></a> [create\_processes\_vpce](#input\_create\_processes\_vpce) | Controls whether a processes endpoint should be created | `bool` | `false` | no |
 | <a name="input_create_rds_em_forwarder"></a> [create\_rds\_em\_forwarder](#input\_create\_rds\_em\_forwarder) | Controls whether RDS enhanced monitoring forwarder resources should be created | `bool` | `true` | no |
+| <a name="input_create_rds_em_forwarder_role"></a> [create\_rds\_em\_forwarder\_role](#input\_create\_rds\_em\_forwarder\_role) | Controls whether an IAM role is created for the RDS enhanced monitoring forwarder | `bool` | `true` | no |
+| <a name="input_create_rds_em_forwarder_role_policy"></a> [create\_rds\_em\_forwarder\_role\_policy](#input\_create\_rds\_em\_forwarder\_role\_policy) | Controls whether an IAM role policy is created for the RDS enhanced monitoring forwarder | `bool` | `true` | no |
 | <a name="input_create_traces_vpce"></a> [create\_traces\_vpce](#input\_create\_traces\_vpce) | Controls whether a traces endpoint should be created | `bool` | `false` | no |
 | <a name="input_create_vpc_fl_forwarder"></a> [create\_vpc\_fl\_forwarder](#input\_create\_vpc\_fl\_forwarder) | Controls whether VPC flow log forwarder resources should be created | `bool` | `true` | no |
+| <a name="input_create_vpc_fl_forwarder_role"></a> [create\_vpc\_fl\_forwarder\_role](#input\_create\_vpc\_fl\_forwarder\_role) | Controls whether an IAM role is created for the VPC flow log forwarder | `bool` | `true` | no |
+| <a name="input_create_vpc_fl_forwarder_role_policy"></a> [create\_vpc\_fl\_forwarder\_role\_policy](#input\_create\_vpc\_fl\_forwarder\_role\_policy) | Controls whether an IAM role policy is created for the VPC flow log forwarder | `bool` | `true` | no |
 | <a name="input_dd_api_key"></a> [dd\_api\_key](#input\_dd\_api\_key) | The Datadog API key, which can be found from the APIs page (/account/settings#api). It will be stored in AWS Secrets Manager securely. If DdApiKeySecretArn is also set, this value will not be used. This value must still be set, however | `string` | `""` | no |
 | <a name="input_dd_api_key_secret_arn"></a> [dd\_api\_key\_secret\_arn](#input\_dd\_api\_key\_secret\_arn) | The ARN of the Secrets Manager secret storing the Datadog API key, if you already have it stored in Secrets Manager. You still need to set a dummy value for `dd_api_key` to satisfy the requirement, though that value won't be used | `string` | `""` | no |
 | <a name="input_dd_app_key"></a> [dd\_app\_key](#input\_dd\_app\_key) | The Datadog application key associated with the user account that created it, which can be found from the APIs page | `string` | `""` | no |
@@ -130,12 +136,12 @@ Examples codified under the [`examples`](./examples) are intended to give users
 | <a name="input_log_forwarder_log_retention_days"></a> [log\_forwarder\_log\_retention\_days](#input\_log\_forwarder\_log\_retention\_days) | Log forwarder CloudWatch log group retention in days | `number` | `7` | no |
 | <a name="input_log_forwarder_memory_size"></a> [log\_forwarder\_memory\_size](#input\_log\_forwarder\_memory\_size) | Memory size for the log forwarder lambda function | `number` | `1024` | no |
 | <a name="input_log_forwarder_name"></a> [log\_forwarder\_name](#input\_log\_forwarder\_name) | Log forwarder lambda name | `string` | `"datadog-log-forwarder"` | no |
-| <a name="input_log_forwarder_policy_arn"></a> [log\_forwarder\_policy\_arn](#input\_log\_forwarder\_policy\_arn) | IAM policy arn for log forwarder lambda function to utilize | `string` | `""` | no |
+| <a name="input_log_forwarder_policy_arn"></a> [log\_forwarder\_policy\_arn](#input\_log\_forwarder\_policy\_arn) | IAM policy arn for log forwarder lambda function to utilize | `string` | `null` | no |
 | <a name="input_log_forwarder_policy_name"></a> [log\_forwarder\_policy\_name](#input\_log\_forwarder\_policy\_name) | Log forwarder policy name | `string` | `""` | no |
 | <a name="input_log_forwarder_policy_path"></a> [log\_forwarder\_policy\_path](#input\_log\_forwarder\_policy\_path) | Log forwarder policy path | `string` | `null` | no |
 | <a name="input_log_forwarder_publish"></a> [log\_forwarder\_publish](#input\_log\_forwarder\_publish) | Whether to publish creation/change as a new Lambda Function Version | `bool` | `false` | no |
 | <a name="input_log_forwarder_reserved_concurrent_executions"></a> [log\_forwarder\_reserved\_concurrent\_executions](#input\_log\_forwarder\_reserved\_concurrent\_executions) | The amount of reserved concurrent executions for the log forwarder lambda function | `number` | `100` | no |
-| <a name="input_log_forwarder_role_arn"></a> [log\_forwarder\_role\_arn](#input\_log\_forwarder\_role\_arn) | IAM role arn for log forwarder lambda function to utilize | `string` | `""` | no |
+| <a name="input_log_forwarder_role_arn"></a> [log\_forwarder\_role\_arn](#input\_log\_forwarder\_role\_arn) | IAM role arn for log forwarder lambda function to utilize | `string` | `null` | no |
 | <a name="input_log_forwarder_role_max_session_duration"></a> [log\_forwarder\_role\_max\_session\_duration](#input\_log\_forwarder\_role\_max\_session\_duration) | The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours. | `number` | `null` | no |
 | <a name="input_log_forwarder_role_name"></a> [log\_forwarder\_role\_name](#input\_log\_forwarder\_role\_name) | Log forwarder role name | `string` | `""` | no |
 | <a name="input_log_forwarder_role_path"></a> [log\_forwarder\_role\_path](#input\_log\_forwarder\_role\_path) | Log forwarder role path | `string` | `null` | no |
@@ -174,12 +180,12 @@ Examples codified under the [`examples`](./examples) are intended to give users
 | <a name="input_rds_em_forwarder_log_retention_days"></a> [rds\_em\_forwarder\_log\_retention\_days](#input\_rds\_em\_forwarder\_log\_retention\_days) | RDS enhanced monitoring forwarder CloudWatch log group retention in days | `number` | `7` | no |
 | <a name="input_rds_em_forwarder_memory_size"></a> [rds\_em\_forwarder\_memory\_size](#input\_rds\_em\_forwarder\_memory\_size) | Memory size for the RDS enhanced monitoring forwarder lambda function | `number` | `256` | no |
 | <a name="input_rds_em_forwarder_name"></a> [rds\_em\_forwarder\_name](#input\_rds\_em\_forwarder\_name) | RDS enhanced monitoring forwarder lambda name | `string` | `"datadog-rds-enhanced-monitoring-forwarder"` | no |
-| <a name="input_rds_em_forwarder_policy_arn"></a> [rds\_em\_forwarder\_policy\_arn](#input\_rds\_em\_forwarder\_policy\_arn) | IAM policy arn for RDS enhanced monitoring forwarder lambda function to utilize | `string` | `""` | no |
+| <a name="input_rds_em_forwarder_policy_arn"></a> [rds\_em\_forwarder\_policy\_arn](#input\_rds\_em\_forwarder\_policy\_arn) | IAM policy arn for RDS enhanced monitoring forwarder lambda function to utilize | `string` | `null` | no |
 | <a name="input_rds_em_forwarder_policy_name"></a> [rds\_em\_forwarder\_policy\_name](#input\_rds\_em\_forwarder\_policy\_name) | RDS enhanced monitoring forwarder policy name | `string` | `""` | no |
 | <a name="input_rds_em_forwarder_policy_path"></a> [rds\_em\_forwarder\_policy\_path](#input\_rds\_em\_forwarder\_policy\_path) | RDS enhanced monitoring forwarder policy path | `string` | `null` | no |
 | <a name="input_rds_em_forwarder_publish"></a> [rds\_em\_forwarder\_publish](#input\_rds\_em\_forwarder\_publish) | Whether to publish creation/change as a new fambda function Version | `bool` | `false` | no |
 | <a name="input_rds_em_forwarder_reserved_concurrent_executions"></a> [rds\_em\_forwarder\_reserved\_concurrent\_executions](#input\_rds\_em\_forwarder\_reserved\_concurrent\_executions) | The amount of reserved concurrent executions for the RDS enhanced monitoring forwarder lambda function | `number` | `10` | no |
-| <a name="input_rds_em_forwarder_role_arn"></a> [rds\_em\_forwarder\_role\_arn](#input\_rds\_em\_forwarder\_role\_arn) | IAM role arn for RDS enhanced monitoring forwarder lambda function to utilize | `string` | `""` | no |
+| <a name="input_rds_em_forwarder_role_arn"></a> [rds\_em\_forwarder\_role\_arn](#input\_rds\_em\_forwarder\_role\_arn) | IAM role arn for RDS enhanced monitoring forwarder lambda function to utilize | `string` | `null` | no |
 | <a name="input_rds_em_forwarder_role_max_session_duration"></a> [rds\_em\_forwarder\_role\_max\_session\_duration](#input\_rds\_em\_forwarder\_role\_max\_session\_duration) | The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours. | `number` | `null` | no |
 | <a name="input_rds_em_forwarder_role_name"></a> [rds\_em\_forwarder\_role\_name](#input\_rds\_em\_forwarder\_role\_name) | RDS enhanced monitoring forwarder role name | `string` | `""` | no |
 | <a name="input_rds_em_forwarder_role_path"></a> [rds\_em\_forwarder\_role\_path](#input\_rds\_em\_forwarder\_role\_path) | RDS enhanced monitoring forwarder role path | `string` | `null` | no |
@@ -205,13 +211,13 @@ Examples codified under the [`examples`](./examples) are intended to give users
 | <a name="input_vpc_fl_forwarder_log_retention_days"></a> [vpc\_fl\_forwarder\_log\_retention\_days](#input\_vpc\_fl\_forwarder\_log\_retention\_days) | VPC flow log forwarder CloudWatch log group retention in days | `number` | `7` | no |
 | <a name="input_vpc_fl_forwarder_memory_size"></a> [vpc\_fl\_forwarder\_memory\_size](#input\_vpc\_fl\_forwarder\_memory\_size) | Memory size for the VPC flow log forwarder lambda function | `number` | `256` | no |
 | <a name="input_vpc_fl_forwarder_name"></a> [vpc\_fl\_forwarder\_name](#input\_vpc\_fl\_forwarder\_name) | VPC flow log forwarder lambda name | `string` | `"datadog-vpc-flow-log-forwarder"` | no |
-| <a name="input_vpc_fl_forwarder_policy_arn"></a> [vpc\_fl\_forwarder\_policy\_arn](#input\_vpc\_fl\_forwarder\_policy\_arn) | IAM policy arn for VPC flow log forwarder lambda function to utilize | `string` | `""` | no |
+| <a name="input_vpc_fl_forwarder_policy_arn"></a> [vpc\_fl\_forwarder\_policy\_arn](#input\_vpc\_fl\_forwarder\_policy\_arn) | IAM policy arn for VPC flow log forwarder lambda function to utilize | `string` | `null` | no |
 | <a name="input_vpc_fl_forwarder_policy_name"></a> [vpc\_fl\_forwarder\_policy\_name](#input\_vpc\_fl\_forwarder\_policy\_name) | VPC flow log forwarder policy name | `string` | `""` | no |
 | <a name="input_vpc_fl_forwarder_policy_path"></a> [vpc\_fl\_forwarder\_policy\_path](#input\_vpc\_fl\_forwarder\_policy\_path) | VPC flow log forwarder policy path | `string` | `null` | no |
 | <a name="input_vpc_fl_forwarder_publish"></a> [vpc\_fl\_forwarder\_publish](#input\_vpc\_fl\_forwarder\_publish) | Whether to publish creation/change as a new fambda function Version | `bool` | `false` | no |
 | <a name="input_vpc_fl_forwarder_read_cloudwatch_logs"></a> [vpc\_fl\_forwarder\_read\_cloudwatch\_logs](#input\_vpc\_fl\_forwarder\_read\_cloudwatch\_logs) | Whether the VPC flow log forwarder will read CloudWatch log groups for VPC flow logs | `bool` | `false` | no |
 | <a name="input_vpc_fl_forwarder_reserved_concurrent_executions"></a> [vpc\_fl\_forwarder\_reserved\_concurrent\_executions](#input\_vpc\_fl\_forwarder\_reserved\_concurrent\_executions) | The amount of reserved concurrent executions for the VPC flow log forwarder lambda function | `number` | `10` | no |
-| <a name="input_vpc_fl_forwarder_role_arn"></a> [vpc\_fl\_forwarder\_role\_arn](#input\_vpc\_fl\_forwarder\_role\_arn) | IAM role arn for VPC flow log forwarder lambda function to utilize | `string` | `""` | no |
+| <a name="input_vpc_fl_forwarder_role_arn"></a> [vpc\_fl\_forwarder\_role\_arn](#input\_vpc\_fl\_forwarder\_role\_arn) | IAM role arn for VPC flow log forwarder lambda function to utilize | `string` | `null` | no |
 | <a name="input_vpc_fl_forwarder_role_max_session_duration"></a> [vpc\_fl\_forwarder\_role\_max\_session\_duration](#input\_vpc\_fl\_forwarder\_role\_max\_session\_duration) | The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours. | `number` | `null` | no |
 | <a name="input_vpc_fl_forwarder_role_name"></a> [vpc\_fl\_forwarder\_role\_name](#input\_vpc\_fl\_forwarder\_role\_name) | VPC flow log forwarder role name | `string` | `""` | no |
 | <a name="input_vpc_fl_forwarder_role_path"></a> [vpc\_fl\_forwarder\_role\_path](#input\_vpc\_fl\_forwarder\_role\_path) | VPC flow log forwarder role path | `string` | `null` | no |

examples/complete/README.md

@@ -30,27 +30,30 @@ Note that this example may create resources which will incur monetary charges on
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0 |
-| <a name="provider_random"></a> [random](#provider\_random) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.51.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.1.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_default"></a> [default](#module\_default) | ../../ | n/a |
-| <a name="module_log_bucket_1"></a> [log\_bucket\_1](#module\_log\_bucket\_1) | terraform-aws-modules/s3-bucket/aws | ~> 1.17 |
-| <a name="module_log_bucket_2"></a> [log\_bucket\_2](#module\_log\_bucket\_2) | terraform-aws-modules/s3-bucket/aws | ~> 1.17 |
-| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 3.17 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 2.64 |
+| <a name="module_log_bucket_1"></a> [log\_bucket\_1](#module\_log\_bucket\_1) | terraform-aws-modules/s3-bucket/aws | ~> 2.6 |
+| <a name="module_log_bucket_2"></a> [log\_bucket\_2](#module\_log\_bucket\_2) | terraform-aws-modules/s3-bucket/aws | ~> 2.6 |
+| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.3 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.2 |
+| <a name="module_vpc_endpoints"></a> [vpc\_endpoints](#module\_vpc\_endpoints) | terraform-aws-modules/vpc/aws//modules/vpc-endpoints | ~> 3.2 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [aws_iam_policy.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_kms_alias.datadog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_key.datadog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.datadog_cmk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_secretsmanager_secret.datadog_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
 | [aws_secretsmanager_secret_version.datadog_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source |