* Declarative Policies
* Resource Control Policies
* Centralized Root Management
    * Include sample script to remove the root creds from existing accounts.
* The Audit Role can be sources from S3 or locally.
* Allow each account to override the primary account contact
* Leverage new GuardDuty feature that auto-enables in existing accounts.
* Removes lots of resources (each existing account in each region)

Changes to the tfvars:
* Add `audit_role_stack_set_template_url`
* Add `declarative_policy_bucket_name`
* Add `primary_contact` as an option to an account
* Add `declarative_policies` block
* Add `resource_control_policies` block