fix: Account for cases when we are using an existing cloudwatch log group for flow logs

[danielmklein]

Description

When generating the flow log group ARNs to include in the policy, if we are using a pre-existing log group, take that into account and use the destination ARN passed in as a variable, rather than assuming that we created a log group ourselves.

Motivation and Context

Since 5.12.0, if you are using an existing CloudWatch Log Group for your flow logs destination ARN, this module tries to update the relevant IAM policy with an invalid policy document, which fails. See PR #1088.

This fixes #1117

Breaking Changes

None

How Has This Been Tested?

• I have updated at least one of the examples/* to demonstrate and validate my change(s)
• I have tested and validated these changes using one or more of the provided examples/* projects
  I have tested this in our own workspaces using a fork of this module -- I am happy to go further with the examples here if needed/desired.
• I have executed pre-commit run -a on my pull request

[danielmklein]

Hiya @antonbabenko, apologies for poking, but is there anything I can do to help ferry this along? Am I missing anything here?

[danielmklein]

@antonbabenko / @bryantbiggs -- sorry to re-bump, but I'd love to get this upstream. Please let me know if I'm missing anything critical here!