diff --git a/aws/main.tf b/aws/main.tf
index 5aabd66..5139861 100644
--- a/aws/main.tf
+++ b/aws/main.tf
@@ -1,279 +1,15 @@
-////////////////////////////////
-// Terraform Provider AWS
-terraform {
-  required_version = ">= 0.12.0" 
-}
-
-provider "aws" {
-  region                  = var.aws_region
-  profile                 = var.aws_profile
-  shared_credentials_file = file(var.credentials_file)
-}
-
-resource "random_id" "instance_id" {
-  byte_length = 4
-}
-
-data "aws_caller_identity" "current" {}
-
-resource "aws_s3_bucket" "lacework_cloudtrail_bucket" {
-  bucket        = "${var.bucket_name}-${random_id.instance_id.hex}"
-  force_destroy = var.force_destroy_bucket
-}
-
-resource "aws_s3_bucket_policy" "lacework_cloudtrail_bucket_policy" {
-  bucket = aws_s3_bucket.lacework_cloudtrail_bucket.id
-
-  policy = <<POLICY
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "AWSCloudTrailAclCheck20150319",
-            "Effect": "Allow",
-            "Principal": {
-              "Service": "cloudtrail.amazonaws.com"
-            },
-            "Action": "s3:GetBucketAcl",
-            "Resource": "arn:aws:s3:::${aws_s3_bucket.lacework_cloudtrail_bucket.id}"
-        },
-        {
-            "Sid": "AWSCloudTrailWrite20150319",
-            "Effect": "Allow",
-            "Principal": {
-              "Service": "cloudtrail.amazonaws.com"
-            },
-            "Action": "s3:PutObject",
-            "Resource": "arn:aws:s3:::${aws_s3_bucket.lacework_cloudtrail_bucket.id}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
-            "Condition": {
-                "StringEquals": {
-                    "s3:x-amz-acl": "bucket-owner-full-control"
-                }
-            }
-        }
-    ]
-}
-POLICY
-}
-
-resource "aws_sns_topic" "lacework_cloudtrail_sns_topic" {
-  name = var.sns_topic_name
-}
-
-resource "aws_sqs_queue" "lacework_cloudtrail_sqs_queue" {
-  name = var.sqs_queue_name
-}
-
-resource "aws_sns_topic_policy" "default" {
-  arn = aws_sns_topic.lacework_cloudtrail_sns_topic.arn
-  
-  policy = <<POLICY
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "AWSCloudTrailSNSPolicy20131101",
-            "Effect": "Allow",
-            "Principal": {
-                "Service": "cloudtrail.amazonaws.com"
-            },
-            "Action": "SNS:Publish",
-            "Resource": "${aws_sns_topic.lacework_cloudtrail_sns_topic.id}"
-        }
-    ]
-}
-POLICY
-}
-
-resource "aws_sqs_queue_policy" "lacework_sqs_queue_policy" {
-  queue_url = aws_sqs_queue.lacework_cloudtrail_sqs_queue.id
+provider "aws" {}
 
-  policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Id": "lacework_sqs_policy_${random_id.instance_id.hex}",
-  "Statement": [
-    {
-      "Sid": "AllowLaceworkSNSTopicToSendMessage",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "*"
-      },
-      "Action": "SQS:SendMessage",
-      "Resource": "${aws_sqs_queue.lacework_cloudtrail_sqs_queue.arn}",
-      "Condition": {
-        "ArnEquals": {
-          "aws:SourceArn": "${aws_sns_topic.lacework_cloudtrail_sns_topic.id}"
-        }
-      }
-    }
-  ]
-}
-POLICY
-}
-
-resource "aws_sns_topic_subscription" "lacework_sns_topic_sub" {
-  topic_arn = aws_sns_topic.lacework_cloudtrail_sns_topic.arn
-  protocol  = "sqs"
-  endpoint  = aws_sqs_queue.lacework_cloudtrail_sqs_queue.arn
-}
-
-resource "aws_cloudtrail" "lacework_cloudtrail" {
-  name                          = var.cloudtrail_name
-  s3_bucket_name                = aws_s3_bucket.lacework_cloudtrail_bucket.id
-  include_global_service_events = true
-  is_multi_region_trail         = true
-  sns_topic_name                = aws_sns_topic.lacework_cloudtrail_sns_topic.id
-  depends_on                    = [aws_s3_bucket_policy.lacework_cloudtrail_bucket_policy, aws_s3_bucket.lacework_cloudtrail_bucket]
-}
-
-resource "aws_iam_role" "lacework_iam_role" {
-  name = var.iam_role_name
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": {
-    "Effect": "Allow",
-    "Principal": {
-      "AWS": "arn:aws:iam::${var.lacework_aws_account_id}:root"
-    },
-    "Action": "sts:AssumeRole",
-    "Condition": {
-      "StringEquals": {
-        "sts:ExternalId": "${var.external_id}"
-      }
-    }
-  }
-}
-EOF
-}
-
-resource "aws_iam_role_policy_attachment" "security_audit_iam_role_policy_attachment" {
-  role       = aws_iam_role.lacework_iam_role.name
-  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
-}
-
-resource "aws_iam_policy" "cross_account_policy" {
-  name        = var.cross_account_policy_name
-  description = "A cross account policy to allow Lacework to pull config and cloudtrail"
-
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Action": [
-                "sqs:GetQueueAttributes",
-                "sqs:GetQueueUrl",
-                "sqs:DeleteMessage",
-                "sqs:ReceiveMessage"
-            ],
-            "Resource": [
-                "${aws_sqs_queue.lacework_cloudtrail_sqs_queue.arn}"
-            ],
-            "Effect": "Allow",
-            "Sid": "ConsumeNotifications"
-        },
-        {
-            "Condition": {
-                "StringLike": {
-                    "s3:prefix": [
-                        "*AWSLogs/"
-                    ]
-                }
-            },
-            "Action": [
-                "s3:ListBucket"
-            ],
-            "Resource": [
-                "${aws_s3_bucket.lacework_cloudtrail_bucket.arn}"
-            ],
-            "Effect": "Allow",
-            "Sid": "ListLogFiles"
-        },
-        {
-            "Action": [
-                "s3:Get*"
-            ],
-            "Resource": [
-                "${aws_s3_bucket.lacework_cloudtrail_bucket.arn}/*"
-            ],
-            "Effect": "Allow",
-            "Sid": "ReadLogFiles"
-        },
-        {
-            "Action": [
-                "iam:ListAccountAliases"
-            ],
-            "Resource": "*",
-            "Effect": "Allow",
-            "Sid": "GetAccountAlias"
-        },
-        {
-            "Action": [
-                "cloudtrail:DescribeTrails",
-                "cloudtrail:GetTrailTopics",
-                "cloudtrail:GetTrailStatus",
-                "cloudtrail:ListPublicKeys",
-                "s3:GetBucketAcl",
-                "s3:GetBucketPolicy",
-                "s3:ListAllMyBuckets",
-                "s3:GetBucketLocation",
-                "s3:GetBucketLogging",
-                "sns:GetSubscriptionAttributes",
-                "sns:GetTopicAttributes",
-                "sns:ListSubscriptions",
-                "sns:ListSubscriptionsByTopic",
-                "sns:ListTopics"
-            ],
-            "Resource": "*",
-            "Effect": "Allow",
-            "Sid": "Debug"
-        }
-    ]
-}
-EOF
-}
-
-resource "aws_iam_role_policy_attachment" "lacework_crossaccount_iam_role_policy_attachment" {
-  role       = aws_iam_role.lacework_iam_role.name
-  policy_arn = aws_iam_policy.cross_account_policy.arn 
-}
-
-provider "lacework" {
-  account    = var.lacework_account
-  api_key    = var.lacework_api_key
-  api_secret = var.lacework_api_secret
-}
+provider "lacework" {}
 
-resource "lacework_integration_aws_cfg" "default" {
-  name = var.lacework_integration_config_name
-  credentials {
-      role_arn    = aws_iam_role.lacework_iam_role.arn
-      external_id = var.external_id
-  }
-  depends_on = [
-    aws_iam_role_policy_attachment.security_audit_iam_role_policy_attachment,
-    aws_sns_topic_subscription.lacework_sns_topic_sub,
-    aws_sqs_queue_policy.lacework_sqs_queue_policy,
-    aws_iam_policy.cross_account_policy,
-    aws_cloudtrail.lacework_cloudtrail
-  ]
+module "aws_config" {
+	source = "./modules/config"
 }
 
-resource "lacework_integration_aws_ct" "default" {
-  name      = var.lacework_integration_cloudtrail_name
-  queue_url = aws_sqs_queue.lacework_cloudtrail_sqs_queue.id
-  credentials {
-      role_arn    = aws_iam_role.lacework_iam_role.arn
-      external_id = var.external_id
-  }
-  depends_on = [
-    aws_iam_role_policy_attachment.security_audit_iam_role_policy_attachment,
-    aws_sns_topic_subscription.lacework_sns_topic_sub,
-    aws_sqs_queue_policy.lacework_sqs_queue_policy,
-    aws_iam_policy.cross_account_policy,
-    lacework_integration_aws_cfg.default,
-    aws_cloudtrail.lacework_cloudtrail
-  ]
+module "aws_cloudtrail" {
+	source                = "./modules/cloudtrail"
+	bucket_force_destroy  = true
+	use_existing_iam_role = true
+	iam_role_name         = module.aws_config.iam_role_name
+	iam_role_external_id  = module.aws_config.external_id
 }
diff --git a/aws/modules/cloudtrail/examples/complete-cloudtrail/main.tf b/aws/modules/cloudtrail/examples/complete-cloudtrail/main.tf
new file mode 100644
index 0000000..623c5c8
--- /dev/null
+++ b/aws/modules/cloudtrail/examples/complete-cloudtrail/main.tf
@@ -0,0 +1,7 @@
+provider "lacework" { }
+
+provider "aws" { }
+
+module "aws_cloudtrail" {
+	source = "../../"
+}
diff --git a/aws/modules/cloudtrail/examples/existing-cloudtrail-iam-role/main.tf b/aws/modules/cloudtrail/examples/existing-cloudtrail-iam-role/main.tf
new file mode 100644
index 0000000..6d04fba
--- /dev/null
+++ b/aws/modules/cloudtrail/examples/existing-cloudtrail-iam-role/main.tf
@@ -0,0 +1,17 @@
+provider "lacework" { }
+
+provider "aws" { }
+
+module "aws_cloudtrail" {
+	source = "../../"
+
+	# Use an existing CloudTrail
+	enable_cloudtrail    = false
+	bucket_name          = "lacework-ct-bucket-7bb591f4"
+	sns_topic_name       = "lacework-ct-sns-7bb591f4"
+
+	# Use an existing IAM role
+	use_existing_iam_role = true
+	iam_role_name         = "lacework_iam_role"
+	iam_role_external_id  = "1GrDkEZV5VJ@=nLm"
+}
diff --git a/aws/modules/cloudtrail/examples/existing-cloudtrail/main.tf b/aws/modules/cloudtrail/examples/existing-cloudtrail/main.tf
new file mode 100644
index 0000000..f9c9c0a
--- /dev/null
+++ b/aws/modules/cloudtrail/examples/existing-cloudtrail/main.tf
@@ -0,0 +1,13 @@
+provider "lacework" { }
+
+provider "aws" { }
+
+module "aws_cloudtrail" {
+	source = "../../"
+
+	# Use an existing CloudTrail
+	enable_cloudtrail    = false
+	bucket_name          = "lacework-ct-bucket-8805c0bf"
+	sns_topic_name       = "lacework-ct-sns-8805c0bf"
+}
+
diff --git a/aws/modules/cloudtrail/main.tf b/aws/modules/cloudtrail/main.tf
new file mode 100644
index 0000000..3daa286
--- /dev/null
+++ b/aws/modules/cloudtrail/main.tf
@@ -0,0 +1,223 @@
+locals {
+	bucket_name    = length(var.bucket_name) > 0 ?    var.bucket_name :    "${var.prefix}-bucket-${random_id.uniq.hex}"
+	sns_topic_name = length(var.sns_topic_name) > 0 ? var.sns_topic_name : "${var.prefix}-sns-${random_id.uniq.hex}"
+	sqs_queue_name = length(var.sqs_queue_name) > 0 ? var.sqs_queue_name : "${var.prefix}-sqs-${random_id.uniq.hex}"
+	cross_account_policy_name = (
+		length(var.cross_account_policy_name) > 0 ? var.cross_account_policy_name : "${var.prefix}-cross-acct-policy-${random_id.uniq.hex}"
+	)
+	iam_role_name  = var.use_existing_iam_role ? var.iam_role_name : (
+		length(var.iam_role_name) > 0 ? var.iam_role_name : "${var.prefix}-iam-${random_id.uniq.hex}"
+	)
+	external_id    = var.use_existing_iam_role ? var.iam_role_external_id : module.lacework_ct_iam_role.external_id
+}
+
+resource "random_id" "uniq" {
+	byte_length = 4
+}
+
+resource "aws_cloudtrail" "lacework_cloudtrail" {
+	count                 = var.enable_cloudtrail ? 1 : 0
+	name                  = var.cloudtrail_name
+	is_multi_region_trail = true
+	s3_bucket_name        = local.bucket_name
+	sns_topic_name        = aws_sns_topic.lacework_cloudtrail_sns_topic.arn
+	depends_on            = [aws_s3_bucket.cloudtrail_bucket]
+}
+
+# we need the identity of the caller to get their account_id for the s3 bucket
+data "aws_caller_identity" "current" {}
+resource "aws_s3_bucket" "cloudtrail_bucket" {
+	count         = var.enable_cloudtrail ? 1 : 0
+	bucket        = local.bucket_name
+	force_destroy = var.bucket_force_destroy
+	policy        = <<POLICY
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Sid": "AWSCloudTrailAclCheck20150319",
+			"Effect": "Allow",
+			"Principal": {"Service": "cloudtrail.amazonaws.com"},
+			"Action": "s3:GetBucketAcl",
+			"Resource": "arn:aws:s3:::${local.bucket_name}"
+		},
+		{
+			"Sid": "AWSCloudTrailWrite20150319",
+			"Effect": "Allow",
+			"Principal": {"Service": "cloudtrail.amazonaws.com"},
+			"Action": "s3:PutObject",
+			"Resource": "arn:aws:s3:::${local.bucket_name}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
+			"Condition": {
+				"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
+			}
+		}
+	]
+}
+POLICY
+}
+
+# we use this data source to point to the S3 ARN for the cross-account policy,
+# it is useful when the user has already CT enabled and we do NOT create a bucket
+data "aws_s3_bucket" "selected" {
+	bucket     = local.bucket_name
+	depends_on = [aws_s3_bucket.cloudtrail_bucket]
+}
+
+resource "aws_sns_topic" "lacework_cloudtrail_sns_topic" {
+	name   = local.sns_topic_name
+}
+
+data "aws_iam_policy_document" "sns_topic_policy" {
+	version = "2012-10-17"
+	statement {
+		actions   = ["SNS:Publish"]
+		sid       = "AWSCloudTrailSNSPolicy20131101"
+		resources = [aws_sns_topic.lacework_cloudtrail_sns_topic.arn]
+	
+		principals {
+			type        = "Service"
+			identifiers = ["cloudtrail.amazonaws.com"]
+		}
+	}
+}
+
+resource "aws_sns_topic_policy" "default" { 
+	arn    = aws_sns_topic.lacework_cloudtrail_sns_topic.arn
+	policy = data.aws_iam_policy_document.sns_topic_policy.json
+}
+
+resource "aws_sqs_queue" "lacework_cloudtrail_sqs_queue" {
+	name = local.sqs_queue_name
+}
+
+resource "aws_sqs_queue_policy" "lacework_sqs_queue_policy" {
+	queue_url = aws_sqs_queue.lacework_cloudtrail_sqs_queue.id
+	policy    = <<POLICY
+{
+	"Version": "2012-10-17",
+	"Id": "lacework_sqs_policy_${random_id.uniq.hex}",
+	"Statement": [
+		{
+			"Sid": "AllowLaceworkSNSTopicToSendMessage",
+			"Effect": "Allow",
+			"Principal": {
+				"AWS": "*"
+			},
+			"Action": "SQS:SendMessage",
+			"Resource": "${aws_sqs_queue.lacework_cloudtrail_sqs_queue.arn}",
+			"Condition": {
+				"ArnEquals": {
+					"aws:SourceArn": "${aws_sns_topic.lacework_cloudtrail_sns_topic.arn}"
+				}
+			}
+		}
+	]
+}
+POLICY
+}
+
+resource "aws_sns_topic_subscription" "lacework_sns_topic_sub" {
+	topic_arn = aws_sns_topic.lacework_cloudtrail_sns_topic.arn
+	protocol  = "sqs"
+	endpoint  = aws_sqs_queue.lacework_cloudtrail_sqs_queue.arn
+}
+
+data "aws_iam_policy_document" "cross_account_policy" {
+	version = "2012-10-17"
+
+	statement { 
+		sid       = "ReadLogFiles"
+		actions   = ["s3:Get*"]
+		resources = ["${data.aws_s3_bucket.selected.arn}/*"]
+	}
+
+	statement { 
+		sid       = "GetAccountAlias"
+		actions   = ["iam:ListAccountAliases"]
+		resources = ["*"]
+	}
+
+	statement { 
+		sid       = "ListLogFiles"
+		resources = [data.aws_s3_bucket.selected.arn]
+		actions   = ["s3:ListBucket"]
+
+		condition {
+			test     = "StringLike"
+			variable = "s3:prefix"
+			values   = ["*AWSLogs/"]
+		}
+	}
+
+	statement { 
+		sid       = "ConsumeNotifications"
+		resources = [aws_sqs_queue.lacework_cloudtrail_sqs_queue.arn]
+		actions   = [
+			"sqs:GetQueueAttributes",
+			"sqs:GetQueueUrl",
+			"sqs:DeleteMessage",
+			"sqs:ReceiveMessage"
+		]
+	}
+
+	statement { 
+		sid       = "Debug"
+		resources = ["*"]
+		actions   = [
+			"cloudtrail:DescribeTrails",
+			"cloudtrail:GetTrail",
+			"cloudtrail:GetTrailStatus",
+			"cloudtrail:ListPublicKeys",
+			"s3:GetBucketAcl",
+			"s3:GetBucketPolicy",
+			"s3:ListAllMyBuckets",
+			"s3:GetBucketLocation",
+			"s3:GetBucketLogging",
+			"sns:GetSubscriptionAttributes",
+			"sns:GetTopicAttributes",
+			"sns:ListSubscriptions",
+			"sns:ListSubscriptionsByTopic",
+			"sns:ListTopics"
+		]
+	}
+}
+
+resource "aws_iam_policy" "cross_account_policy" {
+	name        = local.cross_account_policy_name
+	description = "A cross account policy to allow Lacework to pull config and cloudtrail"
+	policy      = data.aws_iam_policy_document.cross_account_policy.json
+}
+
+module "lacework_ct_iam_role" {
+	source                  = "../iam_role"
+	create                  = var.use_existing_iam_role ? false : true
+	iam_role_name           = local.iam_role_name
+	lacework_aws_account_id = var.lacework_aws_account_id
+	external_id_length      = var.external_id_length
+}
+
+resource "aws_iam_role_policy_attachment" "lacework_cross_account_iam_role_policy" {
+	role       = module.lacework_ct_iam_role.name
+	policy_arn = aws_iam_policy.cross_account_policy.arn 
+}
+
+# wait for 5 seconds for things to settle down in the AWS side
+# before trying to create the Lacework external integration
+resource "time_sleep" "wait_5_seconds" {
+	create_duration = "5s"
+	depends_on      = [
+		aws_iam_role_policy_attachment.lacework_cross_account_iam_role_policy,
+		aws_sns_topic_subscription.lacework_sns_topic_sub,
+		aws_cloudtrail.lacework_cloudtrail
+	]
+}
+
+resource "lacework_integration_aws_ct" "default" {
+	name      = var.lacework_integration_name
+	queue_url = aws_sqs_queue.lacework_cloudtrail_sqs_queue.id
+	credentials {
+		role_arn    = module.lacework_ct_iam_role.arn
+		external_id = local.external_id
+	}
+	depends_on = [time_sleep.wait_5_seconds]
+}
diff --git a/aws/modules/cloudtrail/variables.tf b/aws/modules/cloudtrail/variables.tf
new file mode 100644
index 0000000..ba02d0e
--- /dev/null
+++ b/aws/modules/cloudtrail/variables.tf
@@ -0,0 +1,74 @@
+variable "use_existing_iam_role" {
+	type        = bool
+	default     = false
+	description = "Set this to true to use an existing IAM role"
+}
+
+variable "iam_role_name" {
+	type    = string
+	default = ""
+}
+
+variable "iam_role_external_id" {
+	type    = string
+	default = ""
+}
+
+variable "external_id_length" {
+	type        = number
+	default     = 16
+	description = "The length of the external ID to generate"
+}
+
+variable "prefix" {
+	type        = string
+	default     = "lacework-ct"
+	description = "The prefix that will be use at the beginning of every generated resource"
+}
+
+variable "bucket_name" {
+	type    = string
+	default = ""
+}
+
+variable "bucket_force_destroy" {
+	type    = bool
+	default = false
+}
+
+variable "sns_topic_name" {
+	type    = string
+	default = ""
+}
+
+variable "sqs_queue_name" {
+	type    = string
+	default = ""
+}
+
+variable "enable_cloudtrail" {
+	type        = bool
+	default     = true
+	description = "Set this to false to use an existing cloudtrail"
+}
+
+variable "cloudtrail_name" {
+	type    = string
+	default = "lacework-cloudtrail"
+}
+
+variable "cross_account_policy_name" {
+	type    = string
+	default = ""
+}
+
+variable "lacework_integration_name" {
+	type    = string
+	default = "TF cloudtrail"
+}
+
+variable "lacework_aws_account_id" {
+	type        = string
+	default     = "434813966438"
+	description = "The Lacework AWS account that the IAM role will grant access"
+}
diff --git a/aws/modules/config/examples/custom-config/main.tf b/aws/modules/config/examples/custom-config/main.tf
new file mode 100644
index 0000000..ee7d3f6
--- /dev/null
+++ b/aws/modules/config/examples/custom-config/main.tf
@@ -0,0 +1,10 @@
+provider "lacework" { }
+
+provider "aws" { }
+
+module "aws_config" {
+	source                    = "../../"
+	iam_role_name             = "lw-custom-role"
+	lacework_integration_name = "account-abc"
+	external_id_length        = 1000
+}
diff --git a/aws/modules/config/examples/default-config/main.tf b/aws/modules/config/examples/default-config/main.tf
new file mode 100644
index 0000000..a4231f5
--- /dev/null
+++ b/aws/modules/config/examples/default-config/main.tf
@@ -0,0 +1,7 @@
+provider "lacework" { }
+
+provider "aws" { }
+
+module "aws_config" {
+	source = "../../"
+}
diff --git a/aws/modules/config/main.tf b/aws/modules/config/main.tf
new file mode 100644
index 0000000..5ef308e
--- /dev/null
+++ b/aws/modules/config/main.tf
@@ -0,0 +1,28 @@
+module "lacework_cfg_iam_role" {
+	source                  = "../iam_role"
+	iam_role_name           = var.iam_role_name
+	lacework_aws_account_id = var.lacework_aws_account_id
+	external_id_length      = var.external_id_length
+}
+
+resource "aws_iam_role_policy_attachment" "security_audit_policy_attachment" {
+	role       = module.lacework_cfg_iam_role.name
+	policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
+	depends_on = [module.lacework_cfg_iam_role]
+}
+
+# wait for 5 seconds for things to settle down in the AWS side
+# before trying to create the Lacework external integration
+resource "time_sleep" "wait_5_seconds" {
+	create_duration = "5s"
+	depends_on      = [aws_iam_role_policy_attachment.security_audit_policy_attachment]
+}
+
+resource "lacework_integration_aws_cfg" "default" {
+	name = var.lacework_integration_name
+	credentials {
+		role_arn    = module.lacework_cfg_iam_role.arn
+		external_id = module.lacework_cfg_iam_role.external_id
+	}
+	depends_on = [time_sleep.wait_5_seconds]
+}
diff --git a/aws/modules/config/output.tf b/aws/modules/config/output.tf
new file mode 100644
index 0000000..1ddd6d0
--- /dev/null
+++ b/aws/modules/config/output.tf
@@ -0,0 +1,11 @@
+output "external_id" {
+	value = module.lacework_cfg_iam_role.external_id
+}
+
+output "iam_role_name" {
+	value = module.lacework_cfg_iam_role.name
+}
+
+output "iam_role_arn" {
+	value = module.lacework_cfg_iam_role.arn
+}
diff --git a/aws/modules/config/variables.tf b/aws/modules/config/variables.tf
new file mode 100644
index 0000000..767ecb7
--- /dev/null
+++ b/aws/modules/config/variables.tf
@@ -0,0 +1,22 @@
+variable "iam_role_name" {
+	type        = string
+	default     = "lacework_iam_role"
+	description = "The IAM role name"
+}
+
+variable "lacework_aws_account_id" {
+	type        = string
+	default     = "434813966438"
+	description = "The Lacework AWS account that the IAM role will grant access"
+}
+
+variable "lacework_integration_name" {
+	type    = string
+	default = "TF config"
+}
+
+variable "external_id_length" {
+	type        = number
+	default     = 16
+	description = "The length of the external ID to generate"
+}
diff --git a/aws/modules/iam_role/examples/custom-config/main.tf b/aws/modules/iam_role/examples/custom-config/main.tf
new file mode 100644
index 0000000..c82a3d7
--- /dev/null
+++ b/aws/modules/iam_role/examples/custom-config/main.tf
@@ -0,0 +1,7 @@
+provider "aws" { }
+
+module "lacework_iam_role" {
+	source             = "../../"
+	iam_role_name      = "custom-role-name"
+	external_id_length = 256
+}
diff --git a/aws/modules/iam_role/examples/default-config/main.tf b/aws/modules/iam_role/examples/default-config/main.tf
new file mode 100644
index 0000000..bb47b2e
--- /dev/null
+++ b/aws/modules/iam_role/examples/default-config/main.tf
@@ -0,0 +1,5 @@
+provider "aws" { }
+
+module "lacework_iam_role" {
+	source = "../iam_role"
+}
diff --git a/aws/modules/iam_role/main.tf b/aws/modules/iam_role/main.tf
new file mode 100644
index 0000000..84b3700
--- /dev/null
+++ b/aws/modules/iam_role/main.tf
@@ -0,0 +1,41 @@
+resource "random_string" "external_id" {
+	length           = var.external_id_length
+	override_special = "=,.@:/-"
+}
+
+data "aws_iam_policy_document" "lacework_assume_role_policy" {
+	version = "2012-10-17"
+	statement {
+		actions = ["sts:AssumeRole"]
+
+		principals {
+			type        = "AWS"
+			identifiers = ["arn:aws:iam::${var.lacework_aws_account_id}:root"]
+		}
+
+		condition {
+			test     = "StringEquals"
+			variable = "sts:ExternalId"
+			values   = [random_string.external_id.result]
+		}
+	}
+}
+
+resource "aws_iam_role" "lacework_iam_role" {
+	count              = var.create ? 1 : 0
+	name               = var.iam_role_name
+	assume_role_policy = data.aws_iam_policy_document.lacework_assume_role_policy.json
+}
+
+# wait for 5 seconds for the role to be created before trying to query it
+resource "time_sleep" "wait_5_seconds" {
+	create_duration = "5s"
+	depends_on      = [aws_iam_role.lacework_iam_role]
+}
+
+# we use this data source to access the ARN of the generated IAM Role,
+# or the provided IAM Role name if the user decides not to create it
+data "aws_iam_role" "selected" {
+	name       = var.iam_role_name
+	depends_on = [time_sleep.wait_5_seconds]
+}
diff --git a/aws/modules/iam_role/output.tf b/aws/modules/iam_role/output.tf
new file mode 100644
index 0000000..094eac8
--- /dev/null
+++ b/aws/modules/iam_role/output.tf
@@ -0,0 +1,19 @@
+output "created" {
+	value       = var.create
+	description = "Was the IAM Role created"
+}
+
+output "name" {
+	value       = var.iam_role_name
+	description = "IAM Role name"
+}
+
+output "arn" {
+	value       = data.aws_iam_role.selected.arn
+	description = "IAM Role ARN"
+}
+
+output "external_id" {
+	value       = var.create ? random_string.external_id.result : ""
+	description = "The External ID configured into the IAM role"
+}
diff --git a/aws/modules/iam_role/variables.tf b/aws/modules/iam_role/variables.tf
new file mode 100644
index 0000000..f3859ab
--- /dev/null
+++ b/aws/modules/iam_role/variables.tf
@@ -0,0 +1,23 @@
+variable "iam_role_name" {
+	type        = string
+	default     = "lacework_iam_role"
+	description = "The IAM role name"
+}
+
+variable "lacework_aws_account_id" {
+	type        = string
+	default     = "434813966438"
+	description = "The Lacework AWS account that the IAM role will grant access"
+}
+
+variable "external_id_length" {
+	type        = number
+	default     = 16
+	description = "The length of the external ID to generate"
+}
+
+variable "create" {
+	type        = bool
+	default     = true
+	description = "Set to false to prevent the module from creating any resources"
+}
diff --git a/aws/variables.tf b/aws/variables.tf
deleted file mode 100644
index 6a38854..0000000
--- a/aws/variables.tf
+++ /dev/null
@@ -1,77 +0,0 @@
-////////////////////////////////
-// Lacework
-//
-variable "lacework_account" {
-  type = string
-}
-
-variable "lacework_api_key" {
-  type = string
-}
-
-variable "lacework_api_secret" {
-  type = string
-}
-
-variable "lacework_integration_config_name" {
-  type = string
-  default = "AWS config"
-}
-
-variable "lacework_integration_cloudtrail_name" {
-  type = string
-  default = "AWS cloundtrail"
-}
-
-////////////////////////////////
-// AWS Connection
-
-variable "aws_profile" {
-  type = string
-  default = "default"
-}
-
-variable "aws_region" {}
-
-variable "credentials_file" {
-  default = "~/.aws/credentials"
-}
-
-////////////////////////////////
-// ENV
-
-variable "bucket_name" {
-  default = "lacework-cloudtrail-bucket"
-}
-
-variable "external_id" {
-  default = "12345"
-}
-
-variable "iam_role_name" {
-  default = "lacework_iam_role"
-}
-
-variable "sns_topic_name" {
-  default = "lacework-sns-topic"
-}
-
-variable "sqs_queue_name" {
-  default = "lacework-sqs-queue"
-}
-
-variable "cloudtrail_name" {
-  default = "lacework-cloudtrail"
-}
-
-variable "force_destroy_bucket" {
-  default = false
-}
-
-variable "cross_account_policy_name" {
-  default = "lacework-cross-account-policy"
-}
-
-variable "lacework_aws_account_id" {
-  default = "434813966438"
-}