Correct, they are on the roadmap, I've been waffling on the implementation because this could open security issues. I'm happy to say we'll at least be able to use k8s RBAC to gate who can get, list, create, update and delete the Roles but your security posture from the node perspective still will need to gate what the pods could assume. https://github.com/awslabs/aws-service-operator/issues/58https://github.com/awslabs/aws-service-operator/issues/59 are the issues if you'd like to add any extra notes or check out the potential implementation.
Great question, it's a little more complicated than one might think at first. In trying to build a "batteries included" experience I'd need to have per-view into your cluster and what VPC, Subnet and AZ you are running in I don't want to make this a configuration option so I need to build out a way to collect this information dynamically so that I can make sure we create DB subnets for the RDS to provision into. Then I need to configure depending on the engine (pg, mysql etc) the port and security group configuration. All in all the CFT and is more complicated and with the way the resources are code generated it requires heavy customization. All that being said it is well up on the top of my list to implement. Also always interested in letting other folks come and contribute if they feel inclined. :)