diff --git a/aws-aurora-postgres/README.md b/aws-aurora-postgres/README.md index ee98c20f..c3534c58 100644 --- a/aws-aurora-postgres/README.md +++ b/aws-aurora-postgres/README.md @@ -85,6 +85,9 @@ No resources. | Name | Description | |------|-------------| +| [aws\_rds\_cluster\_instance\_endpoint](#output\_aws\_rds\_cluster\_instance\_endpoint) | n/a | +| [cluster\_id](#output\_cluster\_id) | n/a | +| [cluster\_resource\_id](#output\_cluster\_resource\_id) | n/a | | [database\_name](#output\_database\_name) | n/a | | [endpoint](#output\_endpoint) | n/a | | [master\_password](#output\_master\_password) | n/a | diff --git a/aws-aurora/README.md b/aws-aurora/README.md index 3567c3fa..7dafb43f 100644 --- a/aws-aurora/README.md +++ b/aws-aurora/README.md @@ -68,6 +68,8 @@ No modules. | Name | Description | |------|-------------| +| [aws\_rds\_cluster\_instance\_endpoint](#output\_aws\_rds\_cluster\_instance\_endpoint) | n/a | +| [cluster\_resource\_id](#output\_cluster\_resource\_id) | n/a | | [database\_name](#output\_database\_name) | n/a | | [database\_password](#output\_database\_password) | n/a | | [database\_username](#output\_database\_username) | n/a | diff --git a/aws-cloudfront-logs-bucket/README.md b/aws-cloudfront-logs-bucket/README.md index 55f06029..60076d1b 100644 --- a/aws-cloudfront-logs-bucket/README.md +++ b/aws-cloudfront-logs-bucket/README.md @@ -47,6 +47,8 @@ No requirements. | Name | Type | |------|------| +| [aws_s3_bucket_acl.cloudfront-owner-grant](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_ownership_controls.cloudfront-owner-preferred](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource | | [aws_canonical_user_id.current_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/canonical_user_id) | data source | ## Inputs 
@@ -58,6 +60,7 @@ No requirements. | [bucket\_policy](#input\_bucket\_policy) | n/a | `string` | `""` | no | | [enable\_versioning](#input\_enable\_versioning) | Keep old versions of overwritten S3 objects. | `bool` | `true` | no | | [env](#input\_env) | n/a | `string` | n/a | yes | +| [kms\_encryption](#input\_kms\_encryption) | n/a | `bool` | `false` | no | | [lifecycle\_rules](#input\_lifecycle\_rules) | List of maps containing configuration of object lifecycle management. | `any` |
[| no | | [owner](#input\_owner) | n/a | `string` | n/a | yes | | [project](#input\_project) | n/a | `string` | n/a | yes | @@ -69,6 +72,7 @@ No requirements. | Name | Description | |------|-------------| | [arn](#output\_arn) | n/a | +| [bucket\_kms\_encryption\_key\_arn](#output\_bucket\_kms\_encryption\_key\_arn) | n/a | | [domain\_name](#output\_domain\_name) | n/a | | [id](#output\_id) | n/a | | [name](#output\_name) | HACK(el): we do this to hint TF dependency graph since modules can't depend\_on | diff --git a/aws-iam-policy-dynamodb-rw/README.md b/aws-iam-policy-dynamodb-rw/README.md index 32b13bcd..0d846c88 100644 --- a/aws-iam-policy-dynamodb-rw/README.md +++ b/aws-iam-policy-dynamodb-rw/README.md @@ -3,13 +3,16 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.45 | +| [random](#requirement\_random) | >= 3.5.1 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | n/a | +| [aws](#provider\_aws) | >= 4.45 | +| [random](#provider\_random) | >= 3.5.1 | ## Modules 
@@ -19,17 +22,18 @@ No modules. | Name | Type | |------|------| -| [aws_iam_policy.table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role_policy_attachment.table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_policy_document.table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource | +| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [iam\_path](#input\_iam\_path) | n/a | `string` | `"/"` | no | | [role\_name](#input\_role\_name) | optional role to attach this policy to. | `string` | `null` | no | | [table\_arn](#input\_table\_arn) | n/a | `string` | n/a | yes | +| [tags](#input\_tags) | Tags to apply to policy | `object({ project : string, env : string, service : string, owner : string, managedBy : string })` | n/a | yes | ## Outputs diff --git a/aws-iam-role-github-action/README.md b/aws-iam-role-github-action/README.md index eb44e762..f08a3e12 100644 --- a/aws-iam-role-github-action/README.md +++ b/aws-iam-role-github-action/README.md 
@@ -22,14 +22,16 @@ NOTE: this module doesn't manage the role's permissions. Users of this module sh ## Requirements -No requirements. +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 4.45 | ## Providers | Name | Version | |------|---------| -| [assert](#provider\_assert) | n/a | -| [aws](#provider\_aws) | n/a | +| [aws](#provider\_aws) | >= 4.45 | ## Modules @@ -40,15 +42,17 @@ No modules. | Name | Type | |------|------| | [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [assert_test.authorized_github_org](https://registry.terraform.io/providers/bwoznicki/assert/latest/docs/data-sources/test) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [authorized\_github\_repos](#input\_authorized\_github\_repos) | A map that specifies the authorized repos to assume the created role.
{
"enabled": true,
"expiration": {
"expired_object_delete_marker": true
},
"noncurrent_version_expiration": {
"days": 365
},
"noncurrent_version_transition": {
"days": 30,
"storage_class": "STANDARD_IA"
}
}
]
object({| n/a | yes | | [tags](#input\_tags) | Standard tagging. |
name : string,
})
object({| n/a | yes | diff --git a/aws-iam-role/README.md b/aws-iam-role/README.md index c126426b..08838acc 100644 --- a/aws-iam-role/README.md +++ b/aws-iam-role/README.md @@ -38,7 +38,9 @@ No requirements. ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [assume\_role\_policy](#module\_assume\_role\_policy) | ../aws-assume-role-policy | n/a | ## Resources @@ -47,7 +49,6 @@ No modules. | [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | | [aws_iam_role_policy_attachment.policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs @@ -58,6 +59,7 @@ No modules. | [iam\_path](#input\_iam\_path) | The IAM path under which the IAM role will be created. | `string` | `null` | no | | [inline\_policies](#input\_inline\_policies) | List of inline policies to be associated with the IAM role. | `list(object({ name = string, policy = string }))` | `[]` | no | | [max\_session\_duration](#input\_max\_session\_duration) | The maximum amount of time, in seconds, that a principal can assume this role. | `number` | `3600` | no | +| [oidc](#input\_oidc) | A list of AWS OIDC IDPs to establish a trust relationship for this role. |
env : string,
owner : string,
managedBy : string,
project : string
service : string
})
list(object(| `[]` | no | | [owner](#input\_owner) | Owner for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes | | [principals](#input\_principals) | AWS IAM Principals which will be able to assume this role. | `list(object({ type = string, identifiers = list(string) }))` | n/a | yes | | [project](#input\_project) | Project for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes | @@ -66,6 +68,7 @@ No modules. | [saml\_idp\_arns](#input\_saml\_idp\_arns) | The AWS SAML IDP arns to establish a trust relationship. Ignored if empty or not provided. | `set(string)` | `[]` | no | | [saml\_idps](#input\_saml\_idps) | The AWS SAML IDPs to establish a trust relationship.
{
idp_arn : string, # the AWS IAM IDP arn
client_ids : list(string), # a list of oidc client ids
provider : string # your provider url, such as foo.okta.com
}
))
list(object({| `[]` | no | | [service](#input\_service) | Service for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes | +| [source\_account\_ids](#input\_source\_account\_ids) | The source AWS account IDs to establish a trust relationship. Ignored if empty or not provided. | `set(string)` | `[]` | no | ## Outputs diff --git a/aws-iam-role/main.tf b/aws-iam-role/main.tf index 2c4012ec..11b424bc 100644 --- a/aws-iam-role/main.tf +++ b/aws-iam-role/main.tf @@ -6,46 +6,20 @@ locals { owner = var.owner managedBy = "terraform" } - all_saml_idps = concat( - var.saml_idps, - // NOTE(el): by default, these assume SAML assertions signed for AWS specifically. - [for aws_saml_idp_arn in var.saml_idp_arns : { - saml_idp_arn = [aws_saml_idp_arn], - saml_aud = ["https://signin.aws.amazon.com/saml"] - }]) } -data "aws_iam_policy_document" "assume_role_policy" { - statement { - dynamic "principals" { - for_each = var.principals - content { - type = principals.value.type - identifiers = principals.value.identifiers - } - } - actions = ["sts:AssumeRole"] - } - - dynamic "statement" { - for_each = local.all_saml_idps - content { - principals { - type = "Federated" - identifiers = statement.value.saml_idp_arns - } - - actions = ["sts:AssumeRoleWithSAML"] - - condition { - test = "StringEquals" - variable = "SAML:aud" - values = statement.value.saml_auds - } - } - } +module "assume_role_policy" { + source = "../aws-assume-role-policy" + source_account_ids = var.source_account_ids + saml_idp_arns = toset(var.saml_idps.saml_idp_arns) + oidc = var.oidc + env = var.env + owner = var.owner + service = var.service + project = var.project } + resource "aws_iam_role" "role" { name = var.role_name description = var.role_description diff --git a/aws-iam-role/variables.tf b/aws-iam-role/variables.tf index fc7c2e59..f279ea78 100755 --- a/aws-iam-role/variables.tf +++ b/aws-iam-role/variables.tf 
@@ -55,6 +55,20 @@ variable "saml_idps" { EOF } + +variable "oidc" { + type = list(object( + { + idp_arn : string, # the AWS IAM IDP arn + client_ids : list(string), # a list of oidc client ids + provider : string # your provider url, such as foo.okta.com + } + )) + + default = [] + description = "A list of AWS OIDC IDPs to establish a trust relationship for this role." +} + variable "role_name" { type = string description = "IAM role name." @@ -77,3 +91,9 @@ variable "attached_policies_names_arns" { description = "Map of policy names to the respective ARNs to be attached to the IAM role." default = {} } + +variable "source_account_ids" { + type = set(string) + default = [] + description = "The source AWS account IDs to establish a trust relationship. Ignored if empty or not provided." +} diff --git a/aws-lambda-function/README.md b/aws-lambda-function/README.md index 33806347..1f595ed2 100644 --- a/aws-lambda-function/README.md +++ b/aws-lambda-function/README.md @@ -57,6 +57,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [at\_edge](#input\_at\_edge) | Is this lambda going to be used with a Cloufront distribution? If you set this, you will not have control over log retention, and you cannot include environment variables. | `bool` | `false` | no | +| [datadog\_enabled](#input\_datadog\_enabled) | Indicates if Datadog integration is enabled (see https://www.datadoghq.com/blog/monitoring-aws-lambda-with-datadog/ for details). | `bool` | `true` | no | | [env](#input\_env) | Env for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes | | [environment](#input\_environment) | Map of environment variables. | `map(string)` | `{}` | no | | [filename](#input\_filename) | n/a | `string` | `null` | no | diff --git a/aws-s3-private-bucket/README.md b/aws-s3-private-bucket/README.md index 6dc13c06..2ca34abb 100644 --- a/aws-s3-private-bucket/README.md 
+++ b/aws-s3-private-bucket/README.md @@ -33,13 +33,15 @@ module "s3-bucket" { ## Requirements -No requirements. +| Name | Version | +|------|---------| +| [aws](#requirement\_aws) | >= 3.76.1 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | n/a | +| [aws](#provider\_aws) | >= 3.76.1 | ## Modules @@ -49,9 +51,13 @@ No modules. | Name | Type | |------|------| +| [aws_kms_key.bucket_kms_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | | [aws_s3_bucket.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_ownership_controls.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource | | [aws_s3_bucket_policy.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | | [aws_s3_bucket_public_access_block.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.bucket_kms_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.bucket_sse_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | | [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs 
@@ -65,22 +71,25 @@ No modules. | [cors\_rules](#input\_cors\_rules) | List of maps containing the cors rule configuration objects. | `any` | `[]` | no | | [enable\_versioning](#input\_enable\_versioning) | Keep old versions of overwritten S3 objects. | `bool` | `true` | no | | [env](#input\_env) | n/a | `string` | n/a | yes | +| [force\_destroy](#input\_force\_destroy) | Allow objects to be deleted when the bucket is destroyed without errors. | `bool` | `false` | no | | [grants](#input\_grants) | A list of objects containing the grant configurations. Used when we want to grant permissions to AWS accounts via the S3 ACL system. | `any` | `[]` | no | +| [kms\_encryption](#input\_kms\_encryption) | Flag to indicate whether the bucket will be encrypted using a new customer-managed KMS key. Default behavior is no, and SSE-S3 is used instead. KMS is required for direct cross-account access (as opposed to via an assumed role in the target account) | `bool` | `null` | no | +| [kms\_key\_type](#input\_kms\_key\_type) | KMS key type with which to encrypt bucket | `string` | `"SYMMETRIC_DEFAULT"` | no | | [lifecycle\_rules](#input\_lifecycle\_rules) | List of maps containing configuration of object lifecycle management. | `any` |
saml_idp_arns : list(string),
saml_auds : list(string)
}))
[| no | | [logging\_bucket](#input\_logging\_bucket) | Log bucket name and prefix to enable logs for this bucket | `object({ name = string, prefix = string })` | `null` | no | +| [object\_ownership](#input\_object\_ownership) | Set default owner of all objects within bucket (e.g., bucket vs. object owner) | `string` | `null` | no | | [owner](#input\_owner) | n/a | `string` | n/a | yes | | [project](#input\_project) | n/a | `string` | n/a | yes | | [public\_access\_block](#input\_public\_access\_block) | n/a | `bool` | `true` | no | | [service](#input\_service) | n/a | `string` | n/a | yes | | [transfer\_acceleration](#input\_transfer\_acceleration) | n/a | `bool` | `false` | no | -| [kms\_encryption](#kms\_encryption) | Use KMS encryption instead of the default (SSE) | `bool` | `false` | no | -| [kms\_encryption](#kms\_key\_type) | KMS encryption key type, if `kms_encryption`` is set to true| `string` | `SYMMETRIC_DEFAULT` | no | ## Outputs | Name | Description | |------|-------------| | [arn](#output\_arn) | n/a | +| [bucket\_kms\_encryption\_key\_arn](#output\_bucket\_kms\_encryption\_key\_arn) | n/a | | [domain\_name](#output\_domain\_name) | n/a | | [id](#output\_id) | n/a | | [name](#output\_name) | HACK(el): we do this to hint TF dependency graph since modules can't depend\_on | diff --git a/aws-s3-public-bucket/README.md b/aws-s3-public-bucket/README.md index 27ed13b5..f55c55a4 100644 --- a/aws-s3-public-bucket/README.md +++ b/aws-s3-public-bucket/README.md @@ -1,13 +1,15 @@ ## Requirements -No requirements. +| Name | Version | +|------|---------| +| [aws](#requirement\_aws) | >= 2.29.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | n/a | +| [aws](#provider\_aws) | >= 2.29.0 | ## Modules 
@@ -18,6 +20,8 @@ No modules. | Name | Type | |------|------| | [aws_s3_bucket.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_policy.public_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_public_access_block.remove_public_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | | [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs @@ -30,6 +34,7 @@ No modules. | [bucket\_policy](#input\_bucket\_policy) | A policy to attach to this bucket. | `string` | `""` | no | | [enable\_versioning](#input\_enable\_versioning) | Keep old versions of objects in this bucket. | `bool` | `true` | no | | [env](#input\_env) | Env for tagging and naming. | `string` | n/a | yes | +| [force\_destroy](#input\_force\_destroy) | Allow objects to be deleted when the bucket is destroyed without errors. | `bool` | `false` | no | | [logging\_bucket](#input\_logging\_bucket) | Log bucket name and prefix to enable logs for this bucket | `object({ name = string, prefix = string })` | `null` | no | | [owner](#input\_owner) | Owner for tagging and naming. | `string` | n/a | yes | | [project](#input\_project) | Project for tagging and naming. | `string` | n/a | yes | diff --git a/aws-ssm-params-writer/README.md b/aws-ssm-params-writer/README.md index 8de5d869..3629f0d8 100644 --- a/aws-ssm-params-writer/README.md +++ b/aws-ssm-params-writer/README.md 
@@ -13,13 +13,16 @@ in the [Terraform docs](https://www.terraform.io/docs/state/sensitive-data.html) ## Requirements -No requirements. +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.45 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | n/a | +| [aws](#provider\_aws) | >= 4.45 | ## Modules diff --git a/databricks-cluster-log-permissions/README.md b/databricks-cluster-log-permissions/README.md index 45cbf8d1..6fe9a3dd 100644 --- a/databricks-cluster-log-permissions/README.md +++ b/databricks-cluster-log-permissions/README.md @@ -4,14 +4,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | +| [terraform](#requirement\_terraform) | >= 1.3.0 | ## Providers | Name | Version | |------|---------| | [aws](#provider\_aws) | n/a | -| [aws.czi-logs](#provider\_aws.czi-logs) | n/a | +| [aws.logs\_destination](#provider\_aws.logs\_destination) | n/a | | [databricks](#provider\_databricks) | n/a | ## Modules 
@@ -48,14 +48,13 @@ No modules. |------|-------------|------|---------|:--------:| | [add\_reader](#input\_add\_reader) | Flag to add reader role for logs - should only be invoked for the ie workspace | `bool` | `false` | no | | [bucket\_kms\_encryption\_key\_arn](#input\_bucket\_kms\_encryption\_key\_arn) | ARN for KMS key used to encrypt bucket for cluster logs | `string` | n/a | yes | +| [databricks\_logs\_bucket\_name](#input\_databricks\_logs\_bucket\_name) | Name of the bucket to store cluster logs | `string` | n/a | yes | +| [destination\_account\_assume\_role\_name](#input\_destination\_account\_assume\_role\_name) | Role name to assume in the logs destination AWS account | `string` | n/a | yes | +| [destination\_account\_id](#input\_destination\_account\_id) | Account ID for the logs destination AWS account | `string` | n/a | yes | +| [destination\_account\_region](#input\_destination\_account\_region) | Region for the logs destination AWS account | `string` | n/a | yes | | [env](#input\_env) | Environment name | `string` | n/a | yes | | [existing\_role\_names](#input\_existing\_role\_names) | List of other existing instance policy roles on the workspace for which to add cluster log write permissions | `list(string)` | `[]` | no | -| [databricks\_logs\_bucke\_name](#input\_databricks\_logs\_bucket\_name) | Name of the bucket to store cluster logs | `string` | n/a | yes | | [global\_reader\_env](#input\_global\_reader\_env) | Name of env to grant global logs reader access to | `string` | n/a | yes | -| [destination\_account\_id](#input\_destination\_account\_id) | Account ID for the logs destination AWS account | `string` | n/a | yes | -| [destination\_account\_region](#input\_destination\_account\_region) | Region for the logs destination AWS account | `string` | n/a | yes | -| [destination\_account\_assume\_role\_name](#input\_destination\_account\_assume\_role_name) | Role name to assume in the logs destination AWS account | `string` | n/a | yes | - ## 
Outputs diff --git a/databricks-default-cluster-policies/README.md b/databricks-default-cluster-policies/README.md index e9af1435..cfc5170b 100644 --- a/databricks-default-cluster-policies/README.md +++ b/databricks-default-cluster-policies/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | +| [terraform](#requirement\_terraform) | >= 1.3.0 | ## Providers @@ -25,6 +25,7 @@ | [personal\_compute\_cluster\_policy](#module\_personal\_compute\_cluster\_policy) | ../databricks-cluster-policy | n/a | | [power\_user\_compute\_cluster\_policy](#module\_power\_user\_compute\_cluster\_policy) | ../databricks-cluster-policy | n/a | | [small\_clusters](#module\_small\_clusters) | ../databricks-cluster-policy | n/a | +| [small\_job\_compute\_cluster\_policy](#module\_small\_job\_compute\_cluster\_policy) | ../databricks-cluster-policy | n/a | | [superset\_compute\_cluster\_policy](#module\_superset\_compute\_cluster\_policy) | ../databricks-cluster-policy | n/a | ## Resources 
@@ -40,9 +41,10 @@ |------|-------------|------|---------|:--------:| | [additional\_instance\_profile\_arns](#input\_additional\_instance\_profile\_arns) | Additional instance profiles to allow clusters to run on | `list(string)` | `[]` | no | | [databricks\_host](#input\_databricks\_host) | Databricks host name for tagging | `string` | n/a | yes | -| [databricks\_workspace\_id](#input\_databricks\_workspace\_id) | Databricks workspace\_id for tagging | `string` | n/a | yes | | [databricks\_log\_bucket](#input\_databricks\_log\_bucket) | Name of S3 bucket to store Databricks logs | `string` | n/a | yes | -| [policy\_name\_prefix](#input\_policy\_name\_prefix) | Prefix for policy names | `string` | n/a | no | +| [databricks\_workspace\_id](#input\_databricks\_workspace\_id) | Databricks workspace\_id for tagging | `string` | n/a | yes | +| [personal\_compute\_pool\_ids](#input\_personal\_compute\_pool\_ids) | List of personal compute pool ids allowed | `list(string)` | `[]` | no | +| [policy\_name\_prefix](#input\_policy\_name\_prefix) | Prefix for policy names | `string` | `""` | no | ## Outputs diff --git a/databricks-metastore/README.md b/databricks-metastore/README.md index b28d903e..8ae7405d 100644 --- a/databricks-metastore/README.md +++ b/databricks-metastore/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | +| [terraform](#requirement\_terraform) | >= 1.3.0 | ## Providers diff --git a/databricks-workspace-e2/README.md b/databricks-workspace-e2/README.md index 9f879b4f..e5dec99a 100644 --- a/databricks-workspace-e2/README.md +++ b/databricks-workspace-e2/README.md @@ -6,7 +6,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | +| [terraform](#requirement\_terraform) | >= 1.3.0 | ## Providers 
@@ -42,7 +42,6 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [audit\_log\_bucket\_name](#input\_audit\_log\_bucket\_name) | Name of bucket to write cluster logs to - also where the audit logs go, too | `string` | `"czi-audit-logs"` | no | | [databricks\_external\_id](#input\_databricks\_external\_id) | The ID of a Databricks root account. | `string` | n/a | yes | | [env](#input\_env) | The environment / stage. Aka staging, dev, prod. | `string` | n/a | yes | | [object\_ownership](#input\_object\_ownership) | Set default owner of all objects within bucket (e.g., bucket vs. object owner) | `string` | `null` | no |
{
"abort_incomplete_multipart_upload_days": 7,
"enabled": true,
"expiration": {
"expired_object_delete_marker": true
},
"noncurrent_version_expiration": {
"days": 365
},
"noncurrent_version_transition": {
"days": 30,
"storage_class": "STANDARD_IA"
}
}
]
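Review bot: In aws-iam-policy-dynamodb-rw/README.md, the Resources hunk renames `aws_iam_policy.table`, `aws_iam_role_policy_attachment.table` and the policy document to `.this`, and the Inputs hunk drops `iam_path` while adding `tags` as a required input with no default. Unless the module also carries `moved` blocks (not visible in this diff, and they need Terraform 1.1 or later while the requirement shown is `>= 1.0`), existing callers will see the policy and its attachment destroyed and recreated, and any caller that sets `iam_path` or omits `tags` will fail to plan. Please either add the `moved` blocks and raise the version floor, or call the breaking change out in the changelog.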
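Review bot: In aws-iam-role-github-action/README.md, the Providers and Resources hunks remove the `assert` provider and the `assert_test.authorized_github_org` data source, and nothing visible in the diff replaces that check. Please confirm that the trust policy (`aws_iam_policy_document.assume_role` or the new `aws_iam_policy_document.this`) still restricts which GitHub organizations' repos in `authorized_github_repos` can assume the role, for example with a `validation` block on the variable, and say so in the README so the guard is not silently lost.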
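Review bot: In aws-iam-role/main.tf, the new module call has `saml_idp_arns = toset(var.saml_idps.saml_idp_arns)`, but the README documents `saml_idps` as a `list(object({ saml_idp_arns, saml_auds }))`, so attribute access on the list will not evaluate; it needs something like `toset(flatten(var.saml_idps[*].saml_idp_arns))`. The same call also stops forwarding three things the removed `aws_iam_policy_document.assume_role_policy` handled: `var.principals` (still documented as a required input) for `sts:AssumeRole`, `var.saml_idp_arns`, and the per-IdP `saml_auds` used in the `SAML:aud` condition. Please confirm `../aws-assume-role-policy` covers each of these, or remove the inputs, since a trust policy that quietly ignores `principals` or custom audiences changes who can assume the role.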
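Review bot: In aws-iam-role/variables.tf, both new trust inputs accept unvalidated strings: `source_account_ids` is a bare `set(string)` and `oidc` allows an empty `client_ids` list and any value for `provider`. Since these feed the role's trust relationship, add `validation` blocks, for example requiring each account ID to match `^[0-9]{12}$` and each `oidc` entry to have at least one client ID, so a typo fails at plan time instead of producing an unexpected trust policy.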
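Review bot: In aws-lambda-function/README.md, the new `datadog_enabled` input is documented with default `true`, so every existing caller picks up the Datadog integration on upgrade without opting in. Consider defaulting it to `false`, or note the behavior change in the changelog and describe in the README what the flag adds to the function, so callers can decide before function data starts flowing to a third party.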
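Review bot: In aws-s3-private-bucket/README.md, the Inputs hunk documents `kms_encryption` with default `null` while its description says the default behavior is "no", and the aws-cloudfront-logs-bucket hunk documents the same input with default `false` and description `n/a`. With two encryption resources now listed (`bucket_kms_encryption` and `bucket_sse_encryption`), please make the default an explicit `false` in both modules so a `null` cannot leave neither resource selected, reuse the full description in aws-cloudfront-logs-bucket, and list the accepted values for `kms_key_type`.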
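Review bot: In databricks-cluster-log-permissions/README.md, the Providers hunk renames the aliased provider from `aws.czi-logs` to `aws.logs_destination`, which breaks every caller that passes `aws.czi-logs` in its `providers` map, and the Inputs hunk makes `databricks_logs_bucket_name` and the three `destination_account_*` values required. Please add an upgrade note with the new `providers` mapping, and document which permissions `destination_account_assume_role_name` needs in the destination account so callers do not reach for an over-privileged role.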