
Merge pull request #418 from mdr-engineering/feature/ftd_MSOCI-2142_Formatting

Applied `terraform fmt` to all modules
Frederick Damstra 3 years ago
parent
commit
dbb9de01ed
100 changed files with 1391 additions and 1391 deletions
  1. 14 14
      base/CA_Infrastructure/root_CA/audit_bucket.tf
  2. 4 4
      base/CA_Infrastructure/root_CA/ca.tf
  3. 15 15
      base/CA_Infrastructure/root_CA/crl.tf
  4. 12 12
      base/CA_Infrastructure/root_CA/iam_splunk_sh.tf
  5. 1 1
      base/CA_Infrastructure/root_CA/locals.tf
  6. 2 2
      base/CA_Infrastructure/root_CA/outputs.tf
  7. 2 2
      base/CA_Infrastructure/root_CA/sns_alerts.tf
  8. 3 3
      base/CA_Infrastructure/root_CA/vars.tf
  9. 6 6
      base/CA_Infrastructure/subordinate_CAs/ca_identity.tf
  10. 6 6
      base/CA_Infrastructure/subordinate_CAs/ca_www.tf
  11. 12 12
      base/CA_Infrastructure/subordinate_CAs/crl.tf
  12. 15 15
      base/CA_Infrastructure/subordinate_CAs/iam_splunk_sh.tf
  13. 1 1
      base/CA_Infrastructure/subordinate_CAs/locals.tf
  14. 5 5
      base/CA_Infrastructure/subordinate_CAs/outputs.tf
  15. 8 8
      base/CA_Infrastructure/subordinate_CAs/sns_alerts.tf
  16. 3 3
      base/CA_Infrastructure/subordinate_CAs/vars.tf
  17. 47 47
      base/_archive/cisco_vpn/main.tf
  18. 6 6
      base/_archive/cisco_vpn/outputs.tf
  19. 11 11
      base/_archive/cisco_vpn/security-groups.tf
  20. 10 10
      base/_archive/cisco_vpn/vars.tf
  21. 1 1
      base/account_standards/cloudtrail.tf
  22. 57 57
      base/account_standards/cloudwatch_metrics_and_alarms.tf
  23. 9 9
      base/account_standards/config.tf
  24. 3 3
      base/account_standards/default-vpc.tf
  25. 14 14
      base/account_standards/ebs-kms-key.tf
  26. 16 16
      base/account_standards/flowlogs.tf
  27. 13 13
      base/account_standards/iam.tf
  28. 1 1
      base/account_standards/outputs.tf
  29. 3 3
      base/account_standards/shared_ami_key.tf
  30. 21 21
      base/account_standards/vars.tf
  31. 43 43
      base/account_standards_c2/account_alerts.tf
  32. 37 37
      base/account_standards_c2/config_aggregator.tf
  33. 28 28
      base/account_standards_c2/config_bucket.tf
  34. 41 41
      base/account_standards_c2/elb_bucket.tf
  35. 7 7
      base/account_standards_c2/iam.moose-hf.tf
  36. 35 35
      base/account_standards_c2/main.tf
  37. 3 3
      base/account_standards_c2/secrets.tf
  38. 5 5
      base/account_standards_c2/vars.tf
  39. 16 16
      base/account_standards_regional/backup_ami_key.tf
  40. 1 1
      base/account_standards_regional/main.tf
  41. 8 8
      base/account_standards_regional/vars.tf
  42. 24 24
      base/amis.tf
  43. 2 2
      base/aws_client_vpn/auth.tf
  44. 2 2
      base/aws_client_vpn/certificate.tf
  45. 2 2
      base/aws_client_vpn/cloudwatch.tf
  46. 7 7
      base/aws_client_vpn/lambda.tf
  47. 1 1
      base/aws_client_vpn/outputs.tf
  48. 2 2
      base/aws_client_vpn/saml.tf
  49. 8 8
      base/aws_client_vpn/security-groups.tf
  50. 15 15
      base/aws_client_vpn/vars.tf
  51. 12 12
      base/aws_client_vpn/vpn.tf
  52. 4 4
      base/aws_scheduler/vars.tf
  53. 6 6
      base/backups/ami_backups.tf
  54. 8 8
      base/backups/vars.tf
  55. 82 82
      base/bastion/main.tf
  56. 3 3
      base/bastion/outputs.tf
  57. 13 13
      base/bastion/vars.tf
  58. 12 12
      base/codebuild_artifact/main.tf
  59. 14 14
      base/codebuild_artifact/vars.tf
  60. 2 2
      base/codebuild_ecr_base/iam.tf
  61. 38 38
      base/codebuild_ecr_base/kms.tf
  62. 3 3
      base/codebuild_ecr_base/outputs.tf
  63. 4 4
      base/codebuild_ecr_base/s3.tf
  64. 3 3
      base/codebuild_ecr_base/vars.tf
  65. 2 2
      base/codebuild_ecr_customer_portal/ghe-key.tf
  66. 30 30
      base/codebuild_ecr_customer_portal/main.tf
  67. 10 10
      base/codebuild_ecr_customer_portal/vars.tf
  68. 2 2
      base/codebuild_ecr_project/ghe-key.tf
  69. 21 21
      base/codebuild_ecr_project/main.tf
  70. 1 1
      base/codebuild_ecr_project/outputs.tf
  71. 16 16
      base/codebuild_ecr_project/vars.tf
  72. 2 2
      base/codebuild_portal_lambda/ghe-key.tf
  73. 3 3
      base/codebuild_portal_lambda/iam.tf
  74. 38 38
      base/codebuild_portal_lambda/kms.tf
  75. 22 22
      base/codebuild_portal_lambda/main.tf
  76. 8 8
      base/codebuild_portal_lambda/s3.tf
  77. 11 11
      base/codebuild_portal_lambda/vars.tf
  78. 15 15
      base/codebuild_project_no_artifact/codebuild.tf
  79. 8 8
      base/codebuild_project_no_artifact/vars.tf
  80. 9 9
      base/codebuild_splunk_apps/cloudwatch.tf
  81. 2 2
      base/codebuild_splunk_apps/ghe-key.tf
  82. 1 1
      base/codebuild_splunk_apps/iam.tf
  83. 39 39
      base/codebuild_splunk_apps/kms.tf
  84. 22 22
      base/codebuild_splunk_apps/main.tf
  85. 12 12
      base/codebuild_splunk_apps/vars.tf
  86. 7 7
      base/codebuild_splunk_docs/cloudwatch.tf
  87. 2 2
      base/codebuild_splunk_docs/ghe-key.tf
  88. 1 1
      base/codebuild_splunk_docs/iam.tf
  89. 38 38
      base/codebuild_splunk_docs/kms.tf
  90. 18 18
      base/codebuild_splunk_docs/main.tf
  91. 12 12
      base/codebuild_splunk_docs/vars.tf
  92. 1 1
      base/customer_portal/certificate.tf
  93. 21 21
      base/customer_portal/ecr.tf
  94. 24 24
      base/customer_portal/elb.tf
  95. 66 66
      base/customer_portal/main.tf
  96. 26 26
      base/customer_portal/rds.tf
  97. 13 13
      base/customer_portal/vars.tf
  98. 11 11
      base/customer_portal/waf.tf
  99. 58 58
      base/customer_portal_lambda/cloudwatch.tf
  100. 7 7
      base/customer_portal_lambda/iam.tf

+ 14 - 14
base/CA_Infrastructure/root_CA/audit_bucket.tf

@@ -1,8 +1,8 @@
 resource "aws_s3_bucket" "audit_reports" {
   provider = aws.c2 # The reports go in the c2 bucket
   bucket   = "xdr-ca-audit-reports"
-  
-  tags     = merge(var.standard_tags, var.tags)
+
+  tags = merge(var.standard_tags, var.tags)
 
 }
 
@@ -21,37 +21,37 @@ resource "aws_s3_bucket_acl" "s3_acl_audit_reports" {
 
 }
 
-  # TODO: Enable S3 logging... everywhere. We don't have a C2 bucket for this.
-  #resource "aws_s3_bucket_logging" "log_bucket_audit_reports" {
-  #  target_bucket = module.xdr_config_logging_bucket.s3_bucket_name
-  #  target_prefix = "${var.aws_account_id}-${var.aws_region}-awsconfig/"
-  #}
+# TODO: Enable S3 logging... everywhere. We don't have a C2 bucket for this.
+#resource "aws_s3_bucket_logging" "log_bucket_audit_reports" {
+#  target_bucket = module.xdr_config_logging_bucket.s3_bucket_name
+#  target_prefix = "${var.aws_account_id}-${var.aws_region}-awsconfig/"
+#}
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_audit_reports" {
   provider = aws.c2
   bucket   = aws_s3_bucket.audit_reports.id
-  
+
   rule {
     apply_server_side_encryption_by_default {
       sse_algorithm = "AES256" # Default keys are fine. We don't really need encryption here.
-      }
     }
+  }
 }
 
 resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_audit_reports" {
   provider = aws.c2
   bucket   = aws_s3_bucket.audit_reports.id
-  
+
   rule {
     id     = "CleanUp"
     status = "Enabled"
-    
+
     abort_incomplete_multipart_upload {
       days_after_initiation = 7
     }
 
     noncurrent_version_expiration {
-      noncurrent_days       = 365
+      noncurrent_days = 365
     }
   }
 }
@@ -88,7 +88,7 @@ resource "aws_s3_bucket_policy" "audit_reports" {
   provider   = aws.c2 # The reports go in the c2 bucket
   bucket     = aws_s3_bucket.audit_reports.id
   policy     = data.aws_iam_policy_document.audit_reports_bucket_access.json
-  depends_on = [ aws_s3_bucket.audit_reports ]
+  depends_on = [aws_s3_bucket.audit_reports]
 }
 
 resource "aws_s3_bucket_public_access_block" "audit_reports_bucket_block_public_access" {
@@ -98,7 +98,7 @@ resource "aws_s3_bucket_public_access_block" "audit_reports_bucket_block_public_
   block_public_policy     = true
   ignore_public_acls      = true
   restrict_public_buckets = true
-  depends_on              = [ aws_s3_bucket.audit_reports ]
+  depends_on              = [aws_s3_bucket.audit_reports]
 }
 
 //AWS Provider outdated arguments <4.4.0

+ 4 - 4
base/CA_Infrastructure/root_CA/ca.tf

@@ -5,9 +5,9 @@ resource "aws_acmpca_certificate_authority" "root_CA" {
     signing_algorithm = "SHA512WITHECDSA"
 
     subject {
-      common_name = "XDR Root CA v2"
-      country = "US"
-      organization = "Accenture Federal Services"
+      common_name         = "XDR Root CA v2"
+      country             = "US"
+      organization        = "Accenture Federal Services"
       organizational_unit = "XDR"
     }
   }
@@ -21,7 +21,7 @@ resource "aws_acmpca_certificate_authority" "root_CA" {
     }
   }
 
-  tags = merge(var.standard_tags, var.tags)
+  tags       = merge(var.standard_tags, var.tags)
   depends_on = [aws_s3_bucket_policy.crl]
 }
 

+ 15 - 15
base/CA_Infrastructure/root_CA/crl.tf

@@ -1,51 +1,51 @@
 resource "aws_s3_bucket" "crl" {
   bucket = "xdr-root-crl"
 
-  tags   = merge(var.standard_tags, var.tags)
+  tags = merge(var.standard_tags, var.tags)
 
 }
 
-  # CRLs are small, but regenerated every expiration/2 days, (every 3.5 days by default), so there will be a good number of versions
+# CRLs are small, but regenerated every expiration/2 days, (every 3.5 days by default), so there will be a good number of versions
 
 resource "aws_s3_bucket_versioning" "s3_version_crl" {
-  bucket   = aws_s3_bucket.crl.id
+  bucket = aws_s3_bucket.crl.id
 
   versioning_configuration {
     status = "Enabled"
   }
 }
 
-  # TODO: Enable S3 logging... everywhere. We don't have a C2 bucket for this.
-  #resource "aws_s3_bucket_logging" "log_bucket_audit_reports" {
-  #  target_bucket = module.xdr_config_logging_bucket.s3_bucket_name
-  #  target_prefix = "${var.aws_account_id}-${var.aws_region}-awsconfig/"
-  #}
+# TODO: Enable S3 logging... everywhere. We don't have a C2 bucket for this.
+#resource "aws_s3_bucket_logging" "log_bucket_audit_reports" {
+#  target_bucket = module.xdr_config_logging_bucket.s3_bucket_name
+#  target_prefix = "${var.aws_account_id}-${var.aws_region}-awsconfig/"
+#}
 
 resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_crl" {
-  bucket   = aws_s3_bucket.crl.id
-  
+  bucket = aws_s3_bucket.crl.id
+
   rule {
     id     = "CleanUp"
     status = "Enabled"
-    
+
     abort_incomplete_multipart_upload {
       days_after_initiation = 7
     }
 
     noncurrent_version_expiration {
-      noncurrent_days       = 365
+      noncurrent_days = 365
     }
   }
 }
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_crl" {
-  bucket   = aws_s3_bucket.crl.id
-  
+  bucket = aws_s3_bucket.crl.id
+
   rule {
     apply_server_side_encryption_by_default {
       sse_algorithm = "AES256" # Default keys are fine. We don't really need encryption here.
-      }
     }
+  }
 }
 
 data "aws_iam_policy_document" "acmpca_bucket_access" {

+ 12 - 12
base/CA_Infrastructure/root_CA/iam_splunk_sh.tf

@@ -3,25 +3,25 @@ resource "aws_iam_role" "run_audit_report_role" {
   name = "run_audit_report_role"
   path = "/service/"
 
-  assume_role_policy = jsonencode( 
+  assume_role_policy = jsonencode(
     {
-      "Version": "2012-10-17",
-      "Statement": [
+      "Version" : "2012-10-17",
+      "Statement" : [
         {
-          "Effect": "Allow",
-          "Principal": {
-            "AWS": "arn:${var.aws_partition}:iam::${var.c2_accounts[var.aws_partition]}:role/instance/moose-splunk-sh-instance-role"
+          "Effect" : "Allow",
+          "Principal" : {
+            "AWS" : "arn:${var.aws_partition}:iam::${var.c2_accounts[var.aws_partition]}:role/instance/moose-splunk-sh-instance-role"
           },
-          "Action": "sts:AssumeRole"
+          "Action" : "sts:AssumeRole"
         }
       ]
-    })
+  })
 
   tags = merge(var.standard_tags, var.tags)
 }
 
 data "aws_iam_policy_document" "run_audit_report_policy_doc" {
-    statement {
+  statement {
     sid       = ""
     effect    = "Allow"
     resources = ["*"]
@@ -33,9 +33,9 @@ data "aws_iam_policy_document" "run_audit_report_policy_doc" {
 }
 
 resource "aws_iam_policy" "run_audit_report_policy" {
-  name        = "run_audit_report_policy"
-  path        = "/"
-  policy      = data.aws_iam_policy_document.run_audit_report_policy_doc.json
+  name   = "run_audit_report_policy"
+  path   = "/"
+  policy = data.aws_iam_policy_document.run_audit_report_policy_doc.json
 }
 
 resource "aws_iam_role_policy_attachment" "run_audit_report_policy_attach" {

+ 1 - 1
base/CA_Infrastructure/root_CA/locals.tf

@@ -1,4 +1,4 @@
 locals {
   # A list of people to receive the alert
-  recipients = toset([ "frederick.t.damstra@accenturefederal.com" ])
+  recipients = toset(["frederick.t.damstra@accenturefederal.com"])
 }

+ 2 - 2
base/CA_Infrastructure/root_CA/outputs.tf

@@ -1,7 +1,7 @@
-output root_authority_arn {
+output "root_authority_arn" {
   value = aws_acmpca_certificate_authority.root_CA.arn
 }
 
-output role_arn {
+output "role_arn" {
   value = aws_iam_role.run_audit_report_role.arn
 }

+ 2 - 2
base/CA_Infrastructure/root_CA/sns_alerts.tf

@@ -3,7 +3,7 @@ resource "aws_cloudwatch_log_group" "CAAccountCAAccountCloudTrailAnalysis" {
 }
 
 resource "aws_iam_role" "ca_account_cloudtrail_role" {
-  name = "ca_account_cloudtrail_role"
+  name               = "ca_account_cloudtrail_role"
   assume_role_policy = <<EOF
 {
     "Version": "2012-10-17",
@@ -49,7 +49,7 @@ resource "aws_sns_topic" "ca_account_notification" {
 }
 
 resource "aws_sns_topic_subscription" "ca_account_notification" {
-  for_each = local.recipients
+  for_each  = local.recipients
   topic_arn = aws_sns_topic.ca_account_notification.arn
   protocol  = "email"
   endpoint  = each.value

+ 3 - 3
base/CA_Infrastructure/root_CA/vars.tf

@@ -1,6 +1,6 @@
-variable "c2_accounts" { type = map }
-variable "tags" { type = map }
-variable "standard_tags" { type = map }
+variable "c2_accounts" { type = map(any) }
+variable "tags" { type = map(any) }
+variable "standard_tags" { type = map(any) }
 variable "environment" { type = string }
 variable "aws_region" { type = string }
 variable "aws_account_id" { type = string }

+ 6 - 6
base/CA_Infrastructure/subordinate_CAs/ca_identity.tf

@@ -1,5 +1,5 @@
 resource "aws_acmpca_certificate_authority_certificate" "subordinate" {
-  provider = aws.common # COMMON SERVICES
+  provider                  = aws.common # COMMON SERVICES
   certificate_authority_arn = aws_acmpca_certificate_authority.subordinate.arn
 
   certificate       = aws_acmpca_certificate.subordinate.certificate
@@ -21,16 +21,16 @@ resource "aws_acmpca_certificate" "subordinate" {
 
 resource "aws_acmpca_certificate_authority" "subordinate" {
   provider = aws.common # COMMON SERVICES
-  type = "SUBORDINATE"
+  type     = "SUBORDINATE"
 
   certificate_authority_configuration {
     key_algorithm     = "EC_secp384r1"
     signing_algorithm = "SHA512WITHECDSA"
 
     subject {
-      common_name = "XDR Identity Certificates Subordinate CA v2"
-      country = "US"
-      organization = "Accenture Federal Services"
+      common_name         = "XDR Identity Certificates Subordinate CA v2"
+      country             = "US"
+      organization        = "Accenture Federal Services"
       organizational_unit = "XDR"
     }
   }
@@ -44,6 +44,6 @@ resource "aws_acmpca_certificate_authority" "subordinate" {
     }
   }
 
-  tags = merge(var.standard_tags, var.tags)
+  tags       = merge(var.standard_tags, var.tags)
   depends_on = [aws_s3_bucket_policy.crl]
 }

+ 6 - 6
base/CA_Infrastructure/subordinate_CAs/ca_www.tf

@@ -1,5 +1,5 @@
 resource "aws_acmpca_certificate_authority_certificate" "www_subordinate" {
-  provider = aws.common # COMMON SERVICES
+  provider                  = aws.common # COMMON SERVICES
   certificate_authority_arn = aws_acmpca_certificate_authority.www_subordinate.arn
 
   certificate       = aws_acmpca_certificate.www_subordinate.certificate
@@ -21,16 +21,16 @@ resource "aws_acmpca_certificate" "www_subordinate" {
 
 resource "aws_acmpca_certificate_authority" "www_subordinate" {
   provider = aws.common # COMMON SERVICES
-  type = "SUBORDINATE"
+  type     = "SUBORDINATE"
 
   certificate_authority_configuration {
     key_algorithm     = "EC_secp384r1"
     signing_algorithm = "SHA512WITHECDSA"
 
     subject {
-      common_name = "XDR WWW Certificates Subordinate CA v2"
-      country = "US"
-      organization = "Accenture Federal Services"
+      common_name         = "XDR WWW Certificates Subordinate CA v2"
+      country             = "US"
+      organization        = "Accenture Federal Services"
       organizational_unit = "XDR"
     }
   }
@@ -44,6 +44,6 @@ resource "aws_acmpca_certificate_authority" "www_subordinate" {
     }
   }
 
-  tags = merge(var.standard_tags, var.tags)
+  tags       = merge(var.standard_tags, var.tags)
   depends_on = [aws_s3_bucket_policy.crl]
 }

+ 12 - 12
base/CA_Infrastructure/subordinate_CAs/crl.tf

@@ -2,7 +2,7 @@ resource "aws_s3_bucket" "crl" {
   provider = aws.common # COMMON SERVICES
   bucket   = "xdr-subordinate-crl"
 
-  tags     = merge(var.standard_tags, var.tags)
+  tags = merge(var.standard_tags, var.tags)
 
 }
 
@@ -11,32 +11,32 @@ resource "aws_s3_bucket" "crl" {
 resource "aws_s3_bucket_versioning" "s3_version_subordinate_crl" {
   provider = aws.common
   bucket   = aws_s3_bucket.crl.id
-  
+
   versioning_configuration {
     status = "Enabled"
   }
 }
 
-  # TODO: Enable S3 logging... everywhere. We don't have a C2 bucket for this.
-  #resource "aws_s3_bucket_logging" "log_bucket_audit_reports" {
-  #  target_bucket = module.xdr_config_logging_bucket.s3_bucket_name
-  #  target_prefix = "${var.aws_account_id}-${var.aws_region}-awsconfig/"
-  #}
+# TODO: Enable S3 logging... everywhere. We don't have a C2 bucket for this.
+#resource "aws_s3_bucket_logging" "log_bucket_audit_reports" {
+#  target_bucket = module.xdr_config_logging_bucket.s3_bucket_name
+#  target_prefix = "${var.aws_account_id}-${var.aws_region}-awsconfig/"
+#}
 
 resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_subordinate_crl" {
   provider = aws.common
   bucket   = aws_s3_bucket.crl.id
-  
+
   rule {
     id     = "CleanUp"
     status = "Enabled"
-    
+
     abort_incomplete_multipart_upload {
       days_after_initiation = 7
     }
     # Clean up old versions after a year
     noncurrent_version_expiration {
-      noncurrent_days       = 365
+      noncurrent_days = 365
     }
   }
 }
@@ -44,12 +44,12 @@ resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_subordinate_crl" {
 resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_subordinate_crl" {
   provider = aws.common
   bucket   = aws_s3_bucket.crl.id
-  
+
   rule {
     apply_server_side_encryption_by_default {
       sse_algorithm = "AES256" # Default keys are fine. We don't really need encryption here.
-      }
     }
+  }
 }
 
 data "aws_iam_policy_document" "acmpca_bucket_access" {

+ 15 - 15
base/CA_Infrastructure/subordinate_CAs/iam_splunk_sh.tf

@@ -1,28 +1,28 @@
 # Creates an IAM role so that splunk can trigger creation of audit reports
 resource "aws_iam_role" "run_audit_report_role" {
   provider = aws.common # COMMON SERVICES
-  name = "run_audit_report_role"
-  path = "/service/"
+  name     = "run_audit_report_role"
+  path     = "/service/"
 
-  assume_role_policy = jsonencode( 
+  assume_role_policy = jsonencode(
     {
-      "Version": "2012-10-17",
-      "Statement": [
+      "Version" : "2012-10-17",
+      "Statement" : [
         {
-          "Effect": "Allow",
-          "Principal": {
-            "AWS": "arn:${var.aws_partition}:iam::${var.c2_accounts[var.aws_partition]}:role/instance/moose-splunk-sh-instance-role"
+          "Effect" : "Allow",
+          "Principal" : {
+            "AWS" : "arn:${var.aws_partition}:iam::${var.c2_accounts[var.aws_partition]}:role/instance/moose-splunk-sh-instance-role"
           },
-          "Action": "sts:AssumeRole"
+          "Action" : "sts:AssumeRole"
         }
       ]
-    })
+  })
 
   tags = merge(var.standard_tags, var.tags)
 }
 
 data "aws_iam_policy_document" "run_audit_report_policy_doc" {
-    statement {
+  statement {
     sid       = ""
     effect    = "Allow"
     resources = ["*"]
@@ -35,13 +35,13 @@ data "aws_iam_policy_document" "run_audit_report_policy_doc" {
 
 resource "aws_iam_policy" "run_audit_report_policy" {
   provider = aws.common # COMMON SERVICES
-  name        = "run_audit_report_policy"
-  path        = "/"
-  policy      = data.aws_iam_policy_document.run_audit_report_policy_doc.json
+  name     = "run_audit_report_policy"
+  path     = "/"
+  policy   = data.aws_iam_policy_document.run_audit_report_policy_doc.json
 }
 
 resource "aws_iam_role_policy_attachment" "run_audit_report_policy_attach" {
-  provider = aws.common # COMMON SERVICES
+  provider   = aws.common # COMMON SERVICES
   role       = aws_iam_role.run_audit_report_role.name
   policy_arn = aws_iam_policy.run_audit_report_policy.arn
 }

+ 1 - 1
base/CA_Infrastructure/subordinate_CAs/locals.tf

@@ -1,4 +1,4 @@
 locals {
   # A list of people to receive the alert
-  recipients = toset([ "frederick.t.damstra@accenturefederal.com" ])
+  recipients = toset(["frederick.t.damstra@accenturefederal.com"])
 }

+ 5 - 5
base/CA_Infrastructure/subordinate_CAs/outputs.tf

@@ -1,10 +1,10 @@
-output CA_ARNs {
-  value = { 
-    "Identity": aws_acmpca_certificate_authority.subordinate.arn,
-    "WWW": aws_acmpca_certificate_authority.www_subordinate.arn
+output "CA_ARNs" {
+  value = {
+    "Identity" : aws_acmpca_certificate_authority.subordinate.arn,
+    "WWW" : aws_acmpca_certificate_authority.www_subordinate.arn
   }
 }
 
-output role_arn {
+output "role_arn" {
   value = aws_iam_role.run_audit_report_role.arn
 }

+ 8 - 8
base/CA_Infrastructure/subordinate_CAs/sns_alerts.tf

@@ -1,11 +1,11 @@
 resource "aws_cloudwatch_log_group" "SubordinateCACloudTrailAnalysis" {
   provider = aws.common # COMMON SERVICES
-  name = "SubordinateCACloudTrailAnalysis"
+  name     = "SubordinateCACloudTrailAnalysis"
 }
 
 resource "aws_iam_role" "subordinate_ca_cloudtrail_role" {
-  provider = aws.common # COMMON SERVICES
-  name = "subordinate_ca_cloudtrail_role"
+  provider           = aws.common # COMMON SERVICES
+  name               = "subordinate_ca_cloudtrail_role"
   assume_role_policy = <<EOF
 {
     "Version": "2012-10-17",
@@ -25,8 +25,8 @@ EOF
 
 resource "aws_iam_role_policy" "allow_stream_policy" {
   provider = aws.common # COMMON SERVICES
-  name = "allow_stream_change"
-  role = aws_iam_role.subordinate_ca_cloudtrail_role.id
+  name     = "allow_stream_change"
+  role     = aws_iam_role.subordinate_ca_cloudtrail_role.id
 
   policy = <<EOF
 {
@@ -49,12 +49,12 @@ EOF
 
 resource "aws_sns_topic" "subordinate_ca_notification" {
   provider = aws.common # COMMON SERVICES
-  name = "SubordinateCANotification"
+  name     = "SubordinateCANotification"
 }
 
 resource "aws_sns_topic_subscription" "subordinate_ca_notification" {
-  provider = aws.common # COMMON SERVICES
-  for_each = local.recipients
+  provider  = aws.common # COMMON SERVICES
+  for_each  = local.recipients
   topic_arn = aws_sns_topic.subordinate_ca_notification.arn
   protocol  = "email"
   endpoint  = each.value

+ 3 - 3
base/CA_Infrastructure/subordinate_CAs/vars.tf

@@ -1,8 +1,8 @@
-variable "c2_accounts" { type = map }
+variable "c2_accounts" { type = map(any) }
 variable "root_authority_arn" { type = string }
 
-variable "tags" { type = map }
-variable "standard_tags" { type = map }
+variable "tags" { type = map(any) }
+variable "standard_tags" { type = map(any) }
 variable "environment" { type = string }
 variable "aws_region" { type = string }
 variable "aws_account_id" { type = string }

+ 47 - 47
base/_archive/cisco_vpn/main.tf

@@ -13,62 +13,62 @@ data "aws_subnet" "private_subnet" {
 }
 
 resource "random_password" "password" {
-  keepers          = {
-    "version": 1 # increment to change the password
+  keepers = {
+    "version" : 1 # increment to change the password
     # n.b. you could add other stuff to make this change automatically, e.g.
     # "instance_type": var.instance_type
     # Would then change this password every time the instance type changes.
   }
-  length           = 32
-  special          = false
-  min_lower = 1
+  length      = 32
+  special     = false
+  min_lower   = 1
   min_numeric = 1
-  min_upper = 1
+  min_upper   = 1
   min_special = 0
   #override_special = "~!%^()-_+"
 }
 
 resource "aws_network_interface" "management" {
-  subnet_id = var.private_subnets[0]
-  security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.inside.id ]
-  description = var.instance_name
-  tags = merge(var.standard_tags, var.tags, { Name = var.instance_name })
+  subnet_id       = var.private_subnets[0]
+  security_groups = [data.aws_security_group.typical-host.id, aws_security_group.inside.id]
+  description     = var.instance_name
+  tags            = merge(var.standard_tags, var.tags, { Name = var.instance_name })
 }
 
 resource "aws_network_interface" "outside" {
-  subnet_id = var.public_subnets[0]
-  security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.outside.id ]
-  description = var.instance_name
-  tags = merge(var.standard_tags, var.tags, { Name = var.instance_name })
+  subnet_id       = var.public_subnets[0]
+  security_groups = [data.aws_security_group.typical-host.id, aws_security_group.outside.id]
+  description     = var.instance_name
+  tags            = merge(var.standard_tags, var.tags, { Name = var.instance_name })
 }
 
 resource "aws_network_interface" "inside" {
-  subnet_id = var.private_subnets[0]
-  security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.inside.id ]
-  description = var.instance_name
-  tags = merge(var.standard_tags, var.tags, { Name = var.instance_name })
+  subnet_id       = var.private_subnets[0]
+  security_groups = [data.aws_security_group.typical-host.id, aws_security_group.inside.id]
+  description     = var.instance_name
+  tags            = merge(var.standard_tags, var.tags, { Name = var.instance_name })
 }
 
 resource "aws_eip" "outside" {
-  vpc = true
+  vpc  = true
   tags = merge(var.standard_tags, var.tags, { Name = var.instance_name })
 }
 
 resource "aws_eip_association" "outside" {
   network_interface_id = aws_network_interface.outside.id
-  allocation_id = aws_eip.outside.id
+  allocation_id        = aws_eip.outside.id
 }
 
 resource "aws_instance" "instance" {
   #availability_zone = var.azs[count.index % 2]
-  tenancy = "default"
-  ebs_optimized = true
-  disable_api_termination = var.instance_termination_protection
+  tenancy                              = "default"
+  ebs_optimized                        = true
+  disable_api_termination              = var.instance_termination_protection
   instance_initiated_shutdown_behavior = "stop"
-  instance_type = var.instance_type
-  key_name = "msoc-build"
-  monitoring = false
-  iam_instance_profile = "msoc-default-instance-profile"
+  instance_type                        = var.instance_type
+  key_name                             = "msoc-build"
+  monitoring                           = false
+  iam_instance_profile                 = "msoc-default-instance-profile"
 
   ami = "ami-04fe5af2dfd9c9d5e" # not quite sure how to determine other than to launch one
   # Owner: 
@@ -79,7 +79,7 @@ resource "aws_instance" "instance" {
   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
   # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
   # that could be removed.
-  lifecycle { ignore_changes = [ ami, key_name, user_data, ebs_block_device ] }
+  lifecycle { ignore_changes = [ami, key_name, user_data, ebs_block_device] }
 
   network_interface {
     network_interface_id = aws_network_interface.management.id
@@ -98,35 +98,35 @@ resource "aws_instance" "instance" {
 
   user_data = templatefile("${path.module}/files/userdata.tpl",
     {
-      "hostname" = var.instance_name,
-      "VPNPoolFrom1" = "172.16.32.15",
-      "VPNPoolTo1" = "172.16.32.200",
-      "VPNPoolMask1" = "255.255.255.0",
-      "VPNUser" = "admin",
-      "VPNPassword" = random_password.password.result,
-      "dns1" = var.dns_servers[0],
-      "dns2" = var.dns_servers[1],
+      "hostname"           = var.instance_name,
+      "VPNPoolFrom1"       = "172.16.32.15",
+      "VPNPoolTo1"         = "172.16.32.200",
+      "VPNPoolMask1"       = "255.255.255.0",
+      "VPNUser"            = "admin",
+      "VPNPassword"        = random_password.password.result,
+      "dns1"               = var.dns_servers[0],
+      "dns2"               = var.dns_servers[1],
       "PrivateSubnet1CIDR" = data.aws_subnet.private_subnet.cidr_block
-      "PrivateSubnet1GW" = cidrhost(data.aws_subnet.private_subnet.cidr_block,1),
-      "PrivateSubnet1Pool" = cidrhost(data.aws_subnet.private_subnet.cidr_block,0),
+      "PrivateSubnet1GW"   = cidrhost(data.aws_subnet.private_subnet.cidr_block, 1),
+      "PrivateSubnet1Pool" = cidrhost(data.aws_subnet.private_subnet.cidr_block, 0),
       "PrivateSubnet1Mask" = cidrnetmask(data.aws_subnet.private_subnet.cidr_block)
       #"PrivateSubnet1CIDR" = var.private_cidr[0],
       #"PrivateSubnet1GW" = cidrhost(var.private_cidr[0], 1),
       #"PrivateSubnet1Pool" = cidrhost(var.private_cidr[0], 0),
       #"PrivateSubnet1Mask" = cidrnetmask(var.private_cidr[0])
-    }  
+    }
   )
 
-  tags = merge( var.standard_tags, var.tags, var.instance_tags, { Name = var.instance_name })
-  volume_tags = merge( var.standard_tags, var.tags, { Name = var.instance_name })
+  tags        = merge(var.standard_tags, var.tags, var.instance_tags, { Name = var.instance_name })
+  volume_tags = merge(var.standard_tags, var.tags, { Name = var.instance_name })
 }
 
 module "private_dns_record" {
   source = "../../submodules/dns/private_A_record"
 
-  name = var.instance_name
-  ip_addresses = [ aws_network_interface.management.private_ip ]
-  dns_info = var.dns_info
+  name            = var.instance_name
+  ip_addresses    = [aws_network_interface.management.private_ip]
+  dns_info        = var.dns_info
   reverse_enabled = true
 
   providers = {
@@ -137,9 +137,9 @@ module "private_dns_record" {
 module "public_dns_record" {
   source = "../../submodules/dns/public_A_record"
 
-  name = var.instance_name
-  ip_addresses = [ aws_eip.outside.public_ip ]
-  dns_info = var.dns_info
+  name         = var.instance_name
+  ip_addresses = [aws_eip.outside.public_ip]
+  dns_info     = var.dns_info
 
   providers = {
     aws.mdr-common-services-commercial = aws.mdr-common-services-commercial

+ 6 - 6
base/_archive/cisco_vpn/outputs.tf

@@ -1,20 +1,20 @@
-output admin_password {
-  value = random_password.password.result
+output "admin_password" {
+  value     = random_password.password.result
   sensitive = true # To get this output, request it specifically with `terragrunt output db_password`
 }
 
-output management {
+output "management" {
   value = aws_network_interface.management.private_ip
 }
 
-output inside {
+output "inside" {
   value = aws_network_interface.inside.private_ip
 }
 
-output outside {
+output "outside" {
   value = aws_network_interface.outside.private_ip
 }
 
-output public {
+output "public" {
   value = aws_eip.outside.public_ip
 }

+ 11 - 11
base/_archive/cisco_vpn/security-groups.tf

@@ -1,8 +1,8 @@
 resource "aws_security_group" "outside" {
-  name_prefix = "${ var.instance_name }_outside"
+  name_prefix = "${var.instance_name}_outside"
   description = "Security Group for the AWS VPN"
-  vpc_id = var.vpc_id
-  tags = merge(var.standard_tags, var.tags)
+  vpc_id      = var.vpc_id
+  tags        = merge(var.standard_tags, var.tags)
 }
 
 resource "aws_security_group_rule" "vpn-in-443-tcp" {
@@ -10,7 +10,7 @@ resource "aws_security_group_rule" "vpn-in-443-tcp" {
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
-  cidr_blocks       = [ "0.0.0.0/0" ]
+  cidr_blocks       = ["0.0.0.0/0"]
   security_group_id = aws_security_group.outside.id
 }
 
@@ -19,7 +19,7 @@ resource "aws_security_group_rule" "vpn-in-443-udp" {
   from_port         = 443
   to_port           = 443
   protocol          = "udp"
-  cidr_blocks       = [ "0.0.0.0/0" ]
+  cidr_blocks       = ["0.0.0.0/0"]
   security_group_id = aws_security_group.outside.id
 }
 
@@ -28,7 +28,7 @@ resource "aws_security_group_rule" "vpn-in-1194-tcp" {
   from_port         = 1194
   to_port           = 1194
   protocol          = "tcp"
-  cidr_blocks       = [ "0.0.0.0/0" ]
+  cidr_blocks       = ["0.0.0.0/0"]
   security_group_id = aws_security_group.outside.id
 }
 
@@ -37,7 +37,7 @@ resource "aws_security_group_rule" "vpn-in-1194-udp" {
   from_port         = 1194
   to_port           = 1194
   protocol          = "udp"
-  cidr_blocks       = [ "0.0.0.0/0" ]
+  cidr_blocks       = ["0.0.0.0/0"]
   security_group_id = aws_security_group.outside.id
 }
 
@@ -46,13 +46,13 @@ resource "aws_security_group_rule" "vpn-out" {
   from_port         = -1
   to_port           = -1
   protocol          = -1
-  cidr_blocks       = [ "0.0.0.0/0" ]
+  cidr_blocks       = ["0.0.0.0/0"]
   security_group_id = aws_security_group.outside.id
 }
 
 resource "aws_security_group" "inside" {
-  name_prefix = "${ var.instance_name }_inside"
+  name_prefix = "${var.instance_name}_inside"
   description = "Security Group for the AWS VPN"
-  vpc_id = var.vpc_id
-  tags = merge(var.standard_tags, var.tags)
+  vpc_id      = var.vpc_id
+  tags        = merge(var.standard_tags, var.tags)
 }

+ 10 - 10
base/_archive/cisco_vpn/vars.tf

@@ -1,13 +1,13 @@
 variable "instance_name" {
-  type = string
+  type        = string
   description = "Instance Name"
-  default = "cisco-vpn"
+  default     = "cisco-vpn"
 }
 
 variable "tags" {
   description = "Tags to add to the resource (in addition to global standard tags)"
-  type        = map
-  default     = { }
+  type        = map(any)
+  default     = {}
 }
 
 #variable "private_cidr" {
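Review bot: `type = map(any)` on the new `tags` and `instance_tags` lines is the mechanical replacement for the legacy bare `map` keyword and keeps the variables untyped; since these are merged straight into AWS tags, `type = map(string)` would make Terraform reject non-string values at plan time instead of letting them reach the provider. The same mechanical widening appears in this file's `@@ -29` hunk (`cidr_map`, `dns_info`, `standard_tags`) and in `base/account_standards/vars.tf` (`tags`, `standard_tags`, `key_pairs`, `c2_accounts`, `account_list`, and the `extra_ebs_key_admins`/`extra_ebs_key_users`/`extra_ebs_key_attachers` lists). The three `extra_ebs_key_*` variables feed KMS key-policy principals, so `type = list(string)` there is the one I would prioritise: a malformed element would otherwise only surface as a provider error at apply time. Where the value structure is not visible from here (`dns_info`, `cidr_map`, `c2_accounts`) leaving `any` is defensible, and this file is under `_archive`, so the live `account_standards` copy matters most.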
@@ -16,12 +16,12 @@ variable "tags" {
 #}
 
 variable "instance_type" {
-  type = string
+  type    = string
   default = "c5.large"
 }
 
-variable "instance_tags" { 
-  type = map
+variable "instance_tags" {
+  type    = map(any)
   default = {}
 }
 
@@ -29,10 +29,10 @@ variable "azs" { type = list(string) }
 variable "private_subnets" { type = list(string) }
 variable "public_subnets" { type = list(string) }
 variable "vpc_id" { type = string }
-variable "cidr_map" { type = map }
-variable "dns_info" { type = map }
+variable "cidr_map" { type = map(any) }
+variable "dns_info" { type = map(any) }
 variable "dns_servers" { type = list(string) }
-variable "standard_tags" { type = map }
+variable "standard_tags" { type = map(any) }
 variable "environment" { type = string }
 variable "aws_region" { type = string }
 variable "aws_partition" { type = string }

+ 1 - 1
base/account_standards/cloudtrail.tf

@@ -12,5 +12,5 @@ module "cloudtrail-logging" {
   # This is not enabled by default due to the recursive nature: A log is written, splunk reads it, which results in a log being written.
   # This is not a CIS requirement.
   #s3_object_level_buckets = [ "arn:${var.aws_partition}:s3:::"  ]
-  lambda_functions        = [ "arn:${var.aws_partition}:lambda" ]
+  lambda_functions = ["arn:${var.aws_partition}:lambda"]
 }

+ 57 - 57
base/account_standards/cloudwatch_metrics_and_alarms.tf

@@ -17,12 +17,12 @@ resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls" {
   log_group_name = var.log_group_name
 
   metric_transformation {
-    name      = "UnauthorizedAPICalls"
-    namespace = local.alarm_namespace
-    value     = "1"
+    name          = "UnauthorizedAPICalls"
+    namespace     = local.alarm_namespace
+    value         = "1"
     default_value = 0
   }
-  depends_on = [ module.cloudtrail-logging ]
+  depends_on = [module.cloudtrail-logging]
 }
 
 resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls" {
@@ -37,7 +37,7 @@ resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls" {
   alarm_description         = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity."
   alarm_actions             = ["arn:${var.aws_partition}:sns:${var.aws_region}:${local.c2_account}:account-alerts"]
   insufficient_data_actions = []
-  depends_on = [ module.cloudtrail-logging ]
+  depends_on                = [module.cloudtrail-logging]
 }
 
 # This doesn't match the CIS exactly, because we do our MFA through okta instead of through AWS, so MFA is false for our
@@ -52,12 +52,12 @@ resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin" {
   log_group_name = var.log_group_name
 
   metric_transformation {
-    name      = "NoMFAConsoleSignin"
-    namespace = local.alarm_namespace
-    value     = "1"
+    name          = "NoMFAConsoleSignin"
+    namespace     = local.alarm_namespace
+    value         = "1"
     default_value = 0
   }
-  depends_on = [ module.cloudtrail-logging ]
+  depends_on = [module.cloudtrail-logging]
 }
 
 resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin" {
@@ -81,12 +81,12 @@ resource "aws_cloudwatch_log_metric_filter" "root_usage" {
   log_group_name = var.log_group_name
 
   metric_transformation {
-    name      = "RootUsage"
-    namespace = local.alarm_namespace
-    value     = "1"
+    name          = "RootUsage"
+    namespace     = local.alarm_namespace
+    value         = "1"
     default_value = 0
   }
-  depends_on = [ module.cloudtrail-logging ]
+  depends_on = [module.cloudtrail-logging]
 }
 
 resource "aws_cloudwatch_metric_alarm" "root_usage" {
@@ -110,12 +110,12 @@ resource "aws_cloudwatch_log_metric_filter" "iam_changes" {
   log_group_name = var.log_group_name
 
   metric_transformation {
-    name      = "IAMChanges"
-    namespace = local.alarm_namespace
-    value     = "1"
+    name          = "IAMChanges"
+    namespace     = local.alarm_namespace
+    value         = "1"
     default_value = 0
   }
-  depends_on = [ module.cloudtrail-logging ]
+  depends_on = [module.cloudtrail-logging]
 }
 
 resource "aws_cloudwatch_metric_alarm" "iam_changes" {
@@ -139,13 +139,13 @@ resource "aws_cloudwatch_log_metric_filter" "cloudtrail_cfg_changes" {
   log_group_name = var.log_group_name
 
   metric_transformation {
-    name      = "CloudTrailCfgChanges"
-    namespace = local.alarm_namespace
-    value     = "1"
+    name          = "CloudTrailCfgChanges"
+    namespace     = local.alarm_namespace
+    value         = "1"
     default_value = 0
   }
 
-  depends_on = [ module.cloudtrail-logging ]
+  depends_on = [module.cloudtrail-logging]
 }
 
 resource "aws_cloudwatch_metric_alarm" "cloudtrail_cfg_changes" {
@@ -169,12 +169,12 @@ resource "aws_cloudwatch_log_metric_filter" "console_signin_failures" {
   log_group_name = var.log_group_name
 
   metric_transformation {
-    name      = "ConsoleSigninFailures"
-    namespace = local.alarm_namespace
-    value     = "1"
+    name          = "ConsoleSigninFailures"
+    namespace     = local.alarm_namespace
+    value         = "1"
     default_value = 0
   }
-  depends_on = [ module.cloudtrail-logging ]
+  depends_on = [module.cloudtrail-logging]
 }
 
 resource "aws_cloudwatch_metric_alarm" "console_signin_failures" {
@@ -198,12 +198,12 @@ resource "aws_cloudwatch_log_metric_filter" "disable_or_delete_cmk" {
   log_group_name = var.log_group_name
 
   metric_transformation {
-    name      = "DisableOrDeleteCMK"
-    namespace = local.alarm_namespace
-    value     = "1"
+    name          = "DisableOrDeleteCMK"
+    namespace     = local.alarm_namespace
+    value         = "1"
     default_value = 0
   }
-  depends_on = [ module.cloudtrail-logging ]
+  depends_on = [module.cloudtrail-logging]
 }
 
 resource "aws_cloudwatch_metric_alarm" "disable_or_delete_cmk" {
@@ -227,12 +227,12 @@ resource "aws_cloudwatch_log_metric_filter" "s3_bucket_policy_changes" {
   log_group_name = var.log_group_name
 
   metric_transformation {
-    name      = "S3BucketPolicyChanges"
-    namespace = local.alarm_namespace
-    value     = "1"
+    name          = "S3BucketPolicyChanges"
+    namespace     = local.alarm_namespace
+    value         = "1"
     default_value = 0
   }
-  depends_on = [ module.cloudtrail-logging ]
+  depends_on = [module.cloudtrail-logging]
 }
 
 resource "aws_cloudwatch_metric_alarm" "s3_bucket_policy_changes" {
@@ -256,12 +256,12 @@ resource "aws_cloudwatch_log_metric_filter" "aws_config_changes" {
   log_group_name = var.log_group_name
 
   metric_transformation {
-    name      = "AWSConfigChanges"
-    namespace = local.alarm_namespace
-    value     = "1"
+    name          = "AWSConfigChanges"
+    namespace     = local.alarm_namespace
+    value         = "1"
     default_value = 0
   }
-  depends_on = [ module.cloudtrail-logging ]
+  depends_on = [module.cloudtrail-logging]
 }
 
 resource "aws_cloudwatch_metric_alarm" "aws_config_changes" {
@@ -285,12 +285,12 @@ resource "aws_cloudwatch_log_metric_filter" "security_group_changes" {
   log_group_name = var.log_group_name
 
   metric_transformation {
-    name      = "SecurityGroupChanges"
-    namespace = local.alarm_namespace
-    value     = "1"
+    name          = "SecurityGroupChanges"
+    namespace     = local.alarm_namespace
+    value         = "1"
     default_value = 0
   }
-  depends_on = [ module.cloudtrail-logging ]
+  depends_on = [module.cloudtrail-logging]
 }
 
 resource "aws_cloudwatch_metric_alarm" "security_group_changes" {
@@ -314,12 +314,12 @@ resource "aws_cloudwatch_log_metric_filter" "nacl_changes" {
   log_group_name = var.log_group_name
 
   metric_transformation {
-    name      = "NACLChanges"
-    namespace = local.alarm_namespace
-    value     = "1"
+    name          = "NACLChanges"
+    namespace     = local.alarm_namespace
+    value         = "1"
     default_value = 0
   }
-  depends_on = [ module.cloudtrail-logging ]
+  depends_on = [module.cloudtrail-logging]
 }
 
 resource "aws_cloudwatch_metric_alarm" "nacl_changes" {
@@ -343,12 +343,12 @@ resource "aws_cloudwatch_log_metric_filter" "network_gw_changes" {
   log_group_name = var.log_group_name
 
   metric_transformation {
-    name      = "NetworkGWChanges"
-    namespace = local.alarm_namespace
-    value     = "1"
+    name          = "NetworkGWChanges"
+    namespace     = local.alarm_namespace
+    value         = "1"
     default_value = 0
   }
-  depends_on = [ module.cloudtrail-logging ]
+  depends_on = [module.cloudtrail-logging]
 }
 
 resource "aws_cloudwatch_metric_alarm" "network_gw_changes" {
@@ -372,12 +372,12 @@ resource "aws_cloudwatch_log_metric_filter" "route_table_changes" {
   log_group_name = var.log_group_name
 
   metric_transformation {
-    name      = "RouteTableChanges"
-    namespace = local.alarm_namespace
-    value     = "1"
+    name          = "RouteTableChanges"
+    namespace     = local.alarm_namespace
+    value         = "1"
     default_value = 0
   }
-  depends_on = [ module.cloudtrail-logging ]
+  depends_on = [module.cloudtrail-logging]
 }
 
 resource "aws_cloudwatch_metric_alarm" "route_table_changes" {
@@ -401,12 +401,12 @@ resource "aws_cloudwatch_log_metric_filter" "vpc_changes" {
   log_group_name = var.log_group_name
 
   metric_transformation {
-    name      = "VPCChanges"
-    namespace = local.alarm_namespace
-    value     = "1"
+    name          = "VPCChanges"
+    namespace     = local.alarm_namespace
+    value         = "1"
     default_value = 0
   }
-  depends_on = [ module.cloudtrail-logging ]
+  depends_on = [module.cloudtrail-logging]
 }
 
 resource "aws_cloudwatch_metric_alarm" "vpc_changes" {

+ 9 - 9
base/account_standards/config.tf

@@ -5,14 +5,14 @@ resource "aws_config_aggregate_authorization" "authorization" {
   tags       = merge(var.standard_tags, var.tags)
 }
 
-output authorizations {
+output "authorizations" {
   value = aws_config_aggregate_authorization.authorization
 }
 
 ########### IAM Role for AWS Config
 data "aws_iam_policy_document" "awsconfig" {
   statement {
-    sid = "PutConfigS3BucketObjects"
+    sid     = "PutConfigS3BucketObjects"
     effect  = "Allow"
     actions = ["s3:PutObject"]
     resources = [
@@ -25,7 +25,7 @@ data "aws_iam_policy_document" "awsconfig" {
     }
   }
   statement {
-    sid = "GetConfigS3BucketACL"
+    sid     = "GetConfigS3BucketACL"
     effect  = "Allow"
     actions = ["s3:GetBucketAcl"]
     resources = [
@@ -34,19 +34,19 @@ data "aws_iam_policy_document" "awsconfig" {
   }
 
   statement {
-    sid = "PublishAlertsToSNS"
-    effect = "Allow"
-    actions = [ "sns:Publish" ]
-    resources = [ "arn:${var.aws_partition}:sns:${var.aws_region}:${local.c2_account}:config-notifications" ]
+    sid       = "PublishAlertsToSNS"
+    effect    = "Allow"
+    actions   = ["sns:Publish"]
+    resources = ["arn:${var.aws_partition}:sns:${var.aws_region}:${local.c2_account}:config-notifications"]
   }
 
   statement {
-    sid = "PermissionsForRuleChecks"
+    sid    = "PermissionsForRuleChecks"
     effect = "Allow"
     actions = [
       "kms:DescribeKey"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
   }
 }
 

+ 3 - 3
base/account_standards/default-vpc.tf

@@ -4,11 +4,11 @@ resource "aws_default_vpc" "default" {
 }
 
 resource "aws_flow_log" "default-flowlogs" {
-  iam_role_arn = aws_iam_role.flowlogs.arn
+  iam_role_arn    = aws_iam_role.flowlogs.arn
   log_destination = aws_cloudwatch_log_group.vpc_flow_logs.arn
 
   traffic_type = "REJECT" # CIS only requires reject, and "ALL" is expensive
-  vpc_id = aws_default_vpc.default.id
+  vpc_id       = aws_default_vpc.default.id
 }
 
 # CIS 4.3 - Default security group should restrict all traffic
@@ -17,5 +17,5 @@ resource "aws_flow_log" "default-flowlogs" {
 # See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group
 resource "aws_default_security_group" "default" {
   vpc_id = aws_default_vpc.default.id
-  tags = merge(var.standard_tags, var.tags)
+  tags   = merge(var.standard_tags, var.tags)
 }

+ 14 - 14
base/account_standards/ebs-kms-key.tf

@@ -6,19 +6,19 @@ locals {
 module "ebs_root_encrypt_decrypt" {
   source = "../../submodules/kms/ebs-key"
 
-  name = "ebs_root_encrypt_decrypt"
-  alias = "alias/ebs_root_encrypt_decrypt"
-  description = "encrypt and decrypt root volume" # updated to match legacy
-  tags = merge(var.standard_tags, var.tags)
-  key_admin_arns = var.extra_ebs_key_admins
-  key_user_arns = concat([ local.root_arn ], var.extra_ebs_key_users)
-  key_attacher_arns = concat([ local.root_arn ], var.extra_ebs_key_attachers)
-  standard_tags = var.standard_tags
-  aws_account_id = var.aws_account_id
-  aws_partition = var.aws_partition
-  is_legacy = var.is_legacy
+  name              = "ebs_root_encrypt_decrypt"
+  alias             = "alias/ebs_root_encrypt_decrypt"
+  description       = "encrypt and decrypt root volume" # updated to match legacy
+  tags              = merge(var.standard_tags, var.tags)
+  key_admin_arns    = var.extra_ebs_key_admins
+  key_user_arns     = concat([local.root_arn], var.extra_ebs_key_users)
+  key_attacher_arns = concat([local.root_arn], var.extra_ebs_key_attachers)
+  standard_tags     = var.standard_tags
+  aws_account_id    = var.aws_account_id
+  aws_partition     = var.aws_partition
+  is_legacy         = var.is_legacy
 
-  depends_on = [ aws_iam_service_linked_role.AWSServiceRoleForAutoScaling ]
+  depends_on = [aws_iam_service_linked_role.AWSServiceRoleForAutoScaling]
 }
 
 # Note: The following wasn't configured in tf11
@@ -34,7 +34,7 @@ resource "aws_kms_grant" "ASG_access_to_EBS_Default_CMK" {
   name              = "ASG_access_to_EBS_Default_CMK"
   key_id            = module.ebs_root_encrypt_decrypt.key_arn
   grantee_principal = aws_iam_service_linked_role.AWSServiceRoleForAutoScaling.arn
-  operations        = [
+  operations = [
     "Decrypt",
     "Encrypt",
     "GenerateDataKey",
@@ -46,5 +46,5 @@ resource "aws_kms_grant" "ASG_access_to_EBS_Default_CMK" {
     "DescribeKey",
   ]
 
-  depends_on = [ aws_iam_service_linked_role.AWSServiceRoleForAutoScaling ]
+  depends_on = [aws_iam_service_linked_role.AWSServiceRoleForAutoScaling]
 }

+ 16 - 16
base/account_standards/flowlogs.tf

@@ -1,9 +1,9 @@
 # Flow logs need to be created per VPC, but we need a role
 resource "aws_cloudwatch_log_group" "vpc_flow_logs" {
-  name = "vpc_flow_logs"
+  name              = "vpc_flow_logs"
   retention_in_days = 7
-  kms_key_id = var.cloudtrail_key_arn
-  tags = merge(var.standard_tags, var.tags)
+  kms_key_id        = var.cloudtrail_key_arn
+  tags              = merge(var.standard_tags, var.tags)
 }
 
 resource "aws_iam_role" "flowlogs" {
@@ -54,19 +54,19 @@ EOF
 
 # Spit vpc flow logs to splunk
 module "kinesis_firehose" {
-  source = "../../thirdparty/terraform-aws-kinesis-firehose-splunk"
-  region = var.aws_region
-  arn_cloudwatch_logs_to_ship = "arn:${var.aws_partition}:logs:${var.aws_region}::log-group:/vpc_flow_logs/*"
-  name_cloudwatch_logs_to_ship = "vpc_flow_logs"
-  hec_token = var.aws_flowlogs_hec_token
-  hec_url = "https://${var.hec_pub_ack}:8088"
-  firehose_name = "vpc_flow_logs_to_splunk"
-  tags = merge(var.standard_tags, var.tags)
-  cloudwatch_log_retention = 30 # keep kinesis logs this long
-  log_stream_name = "SplunkDelivery_VPCFlowLogs"
-  s3_bucket_name = "kinesis-flowlogs-${var.aws_account_id}-${var.aws_region}"
+  source                                = "../../thirdparty/terraform-aws-kinesis-firehose-splunk"
+  region                                = var.aws_region
+  arn_cloudwatch_logs_to_ship           = "arn:${var.aws_partition}:logs:${var.aws_region}::log-group:/vpc_flow_logs/*"
+  name_cloudwatch_logs_to_ship          = "vpc_flow_logs"
+  hec_token                             = var.aws_flowlogs_hec_token
+  hec_url                               = "https://${var.hec_pub_ack}:8088"
+  firehose_name                         = "vpc_flow_logs_to_splunk"
+  tags                                  = merge(var.standard_tags, var.tags)
+  cloudwatch_log_retention              = 30 # keep kinesis logs this long
+  log_stream_name                       = "SplunkDelivery_VPCFlowLogs"
+  s3_bucket_name                        = "kinesis-flowlogs-${var.aws_account_id}-${var.aws_region}"
   s3_bucket_block_public_access_enabled = 1
-  s3_backup_mode = "FailedEventsOnly"
-  s3_expiration = 30
+  s3_backup_mode                        = "FailedEventsOnly"
+  s3_expiration                         = 30
 }
 

+ 13 - 13
base/account_standards/iam.tf

@@ -6,12 +6,12 @@
 #
 # Basic profile to allow basic things
 resource "aws_iam_instance_profile" "default_instance_profile" {
-  name  = "msoc-default-instance-profile"
+  name = "msoc-default-instance-profile"
   role = aws_iam_role.default_instance_role.name
 }
 
-resource "aws_iam_role"  "default_instance_role" {
-  name = "msoc-default-instance-role"
+resource "aws_iam_role" "default_instance_role" {
+  name               = "msoc-default-instance-role"
   assume_role_policy = <<EOF
 {
     "Version": "2012-10-17",
@@ -36,7 +36,7 @@ data "aws_iam_policy_document" "default_instance_policy_doc" {
   statement {
     effect = "Allow"
     actions = [
-        "ec2:DescribeTags"
+      "ec2:DescribeTags"
     ]
 
     resources = [
@@ -76,8 +76,8 @@ data "aws_iam_policy_document" "default_instance_policy_s3_binaries_doc" {
   }
 
   statement {
-    sid       = "UseTheKey"
-    effect    = "Allow"
+    sid    = "UseTheKey"
+    effect = "Allow"
     resources = [
       "arn:${var.aws_partition}:kms:${var.aws_region}:${var.common_services_account}:${var.binaries_key}"
     ]
@@ -125,7 +125,7 @@ data "aws_iam_policy_document" "cloudwatch_events" {
       "events:PutRule"
     ]
 
-    resources = [ "*" ]
+    resources = ["*"]
   }
 }
 
@@ -163,8 +163,8 @@ EOF
 }
 
 resource "aws_iam_role_policy" "dlm_lifecycle" {
-  name = "dlm-lifecycle-policy"
-  role = aws_iam_role.dlm_lifecycle_role.id
+  name   = "dlm-lifecycle-policy"
+  role   = aws_iam_role.dlm_lifecycle_role.id
   policy = <<EOF
 {
    "Version": "2012-10-17",
@@ -230,11 +230,11 @@ EOF
 # 
 # See https://docs.splunk.com/Documentation/AddOns/released/AWS/ConfigureAWSpermissions
 locals {
-  trusted_principals_govcloud   = [
+  trusted_principals_govcloud = [
     "arn:${var.aws_partition}:iam::${local.c2_account}:role/instance/moose-hf",
     "arn:${var.aws_partition}:iam::${local.c2_account}:user/instance/moose-hf"
   ]
-  trusted_principals_commercial = [ 
+  trusted_principals_commercial = [
     "arn:${var.aws_partition}:iam::${var.legacy_account}:role/splunk-aws-instance-role",
     "arn:${var.aws_partition}:iam::${local.c2_account}:user/instance/moose-hf",
   ]
@@ -264,8 +264,8 @@ EOF
 }
 
 resource "aws_iam_role_policy" "splunk_addon_for_aws" {
-  name = "splunk-addon-for-aws"
-  role = aws_iam_role.splunk_addon_for_aws.id
+  name   = "splunk-addon-for-aws"
+  role   = aws_iam_role.splunk_addon_for_aws.id
   policy = <<EOF
 {
   "Version": "2012-10-17",

+ 1 - 1
base/account_standards/outputs.tf

@@ -1,5 +1,5 @@
 output "key_pair_names" {
-  value = [ for k, v in aws_key_pair.key_pair : v.key_name ] # Should just be the keys, but that might change
+  value = [for k, v in aws_key_pair.key_pair : v.key_name] # Should just be the keys, but that might change
 }
 
 output "kms_key_id" {

+ 3 - 3
base/account_standards/shared_ami_key.tf

@@ -1,5 +1,5 @@
 data "aws_kms_key" "shared_ami_key" {
-  key_id = "alias/shared_ami_key"
+  key_id   = "alias/shared_ami_key"
   provider = aws.common
 }
 
@@ -11,7 +11,7 @@ resource "aws_kms_grant" "ASG_access_to_Shared_AMI" {
   name              = "ASG_access_to_Shared_AMI"
   key_id            = data.aws_kms_key.shared_ami_key.arn
   grantee_principal = aws_iam_service_linked_role.AWSServiceRoleForAutoScaling.arn
-  operations        = [
+  operations = [
     "Decrypt",
     "Encrypt",
     "GenerateDataKey",
@@ -23,5 +23,5 @@ resource "aws_kms_grant" "ASG_access_to_Shared_AMI" {
     "DescribeKey",
   ]
 
-  depends_on = [ aws_iam_service_linked_role.AWSServiceRoleForAutoScaling ]
+  depends_on = [aws_iam_service_linked_role.AWSServiceRoleForAutoScaling]
 }

+ 21 - 21
base/account_standards/vars.tf

@@ -1,6 +1,6 @@
 variable "tags" {
-  type = map
-  default = { } 
+  type    = map(any)
+  default = {}
 }
 
 variable "cloudtrail_key_arn" {
@@ -8,28 +8,28 @@ variable "cloudtrail_key_arn" {
   type = string
 }
 
-variable extra_ebs_key_admins {
+variable "extra_ebs_key_admins" {
   description = "Extra EBS encryption key admins."
-  type = list
-  default = [ ]
+  type        = list(any)
+  default     = []
 }
 
-variable extra_ebs_key_users {
+variable "extra_ebs_key_users" {
   description = "Extra EBS encryption key users."
-  type = list
-  default = [ ]
+  type        = list(any)
+  default     = []
 }
 
-variable extra_ebs_key_attachers {
+variable "extra_ebs_key_attachers" {
   description = "Extra EBS encryption key attachers."
-  type = list
-  default = [ ]
+  type        = list(any)
+  default     = []
 }
 
 variable "log_group_name" {
   description = "Cloudtrail Log Group Name to Use. Keep the default unless you have a good reason."
-  type = string
-  default = "cloudtrail-local-account"
+  type        = string
+  default     = "cloudtrail-local-account"
 }
 
 
@@ -37,25 +37,25 @@ variable "log_group_name" {
 # Below this line are variables inherited from higher levels, so they
 # do not need to be explicitly passed to this module.
 variable "account_name" { type = string }
-variable "binaries_bucket" { type = string}
-variable "binaries_key" { type = string}
+variable "binaries_bucket" { type = string }
+variable "binaries_key" { type = string }
 variable "is_legacy" { type = bool }
 variable "legacy_account" { type = string }
 variable "common_services_account" { type = string }
-variable "standard_tags" { type = map }
-variable "account_list" { type = list }
+variable "standard_tags" { type = map(any) }
+variable "account_list" { type = list(any) }
 variable "aws_account_id" { type = string }
 variable "aws_partition" { type = string }
 variable "aws_region" { type = string }
 variable "environment" { type = string }
-variable "key_pairs" { type = map }
-variable "c2_accounts" { type = map }
+variable "key_pairs" { type = map(any) }
+variable "c2_accounts" { type = map(any) }
 variable "aws_flowlogs_hec_token" { type = string }
 variable "hec_pub_ack" { type = string }
 
 # Calculate some local variables
 locals {
   logging_environment = var.environment == "common" ? "prod" : var.environment # common logs to prod
-  c2_account = var.c2_accounts[var.aws_partition]
-  is_c2 = var.aws_account_id == local.c2_account ? true : false
+  c2_account          = var.c2_accounts[var.aws_partition]
+  is_c2               = var.aws_account_id == local.c2_account ? true : false
 }

+ 43 - 43
base/account_standards_c2/account_alerts.tf

@@ -1,6 +1,6 @@
 # An SNS queue for email alerts
 resource "aws_sns_topic" "account-alerts" {
-  name              = "account-alerts"
+  name = "account-alerts"
   tags = merge(var.standard_tags, var.tags)
 }
 
@@ -11,23 +11,23 @@ resource "aws_sns_topic_policy" "account-alerts" {
 
 data "aws_iam_policy_document" "account-alerts" {
   statement {
-    sid = "AllowAllAccountsToPublish"
-    actions = [ "SNS:Publish" ]
-    effect = "Allow"
-    resources = [ aws_sns_topic.account-alerts.arn ]
+    sid       = "AllowAllAccountsToPublish"
+    actions   = ["SNS:Publish"]
+    effect    = "Allow"
+    resources = [aws_sns_topic.account-alerts.arn]
     principals {
-      type = "AWS"
-      identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
+      type        = "AWS"
+      identifiers = [for a in var.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"]
     }
   }
   statement {
-    sid = "AllowCloudWatchToPublic"
-    actions = [ "SNS:Publish" ]
-    effect = "Allow"
-    resources = [ aws_sns_topic.account-alerts.arn ]
+    sid       = "AllowCloudWatchToPublic"
+    actions   = ["SNS:Publish"]
+    effect    = "Allow"
+    resources = [aws_sns_topic.account-alerts.arn]
     principals {
-      type = "Service"
-      identifiers = [ "cloudwatch.amazonaws.com" ]
+      type        = "Service"
+      identifiers = ["cloudwatch.amazonaws.com"]
     }
   }
 }
@@ -36,13 +36,13 @@ data "aws_iam_policy_document" "account-alerts" {
 
 # SQS to get alerts into Splunk
 resource "aws_sqs_queue" "account-alerts" {
-  name                       = "account-alerts"
-  visibility_timeout_seconds = 300 # wait 5 minutes before allowing a different splunk instance to process the same message
-  message_retention_seconds  = 604800 # Keep a message in the queue for 7 days
-  receive_wait_time_seconds  = 0 # how long to wait for a message before returning
-  redrive_policy             = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.account-alerts-dlq.arn}\",\"maxReceiveCount\":4}"
-  tags                       = merge(var.standard_tags, var.tags)
-  kms_master_key_id          = aws_kms_key.account-alerts-key.id
+  name                              = "account-alerts"
+  visibility_timeout_seconds        = 300    # wait 5 minutes before allowing a different splunk instance to process the same message
+  message_retention_seconds         = 604800 # Keep a message in the queue for 7 days
+  receive_wait_time_seconds         = 0      # how long to wait for a message before returning
+  redrive_policy                    = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.account-alerts-dlq.arn}\",\"maxReceiveCount\":4}"
+  tags                              = merge(var.standard_tags, var.tags)
+  kms_master_key_id                 = aws_kms_key.account-alerts-key.id
   kms_data_key_reuse_period_seconds = 3600
 }
 
@@ -51,17 +51,17 @@ data "aws_iam_policy_document" "account-alerts-sns-topic-can-publish" {
     effect = "Allow"
 
     principals {
-      identifiers = [ "*" ]
-      type = "AWS"
+      identifiers = ["*"]
+      type        = "AWS"
     }
 
-    actions = [ "SQS:SendMessage" ]
+    actions = ["SQS:SendMessage"]
 
-    resources = [ aws_sqs_queue.account-alerts.arn ]
+    resources = [aws_sqs_queue.account-alerts.arn]
 
     condition {
-      test = "ArnEquals"
-      values = [ aws_sns_topic.account-alerts.arn ]
+      test     = "ArnEquals"
+      values   = [aws_sns_topic.account-alerts.arn]
       variable = "aws:SourceArn"
     }
   }
@@ -69,11 +69,11 @@ data "aws_iam_policy_document" "account-alerts-sns-topic-can-publish" {
 
 // Dead Letter queue, use same parameters as main queue
 resource "aws_sqs_queue" "account-alerts-dlq" {
-  name                      = "account-alerts-dlq"
-  message_retention_seconds = 300
-  receive_wait_time_seconds = 0
-  tags                      = merge(var.standard_tags, var.tags)
-  kms_master_key_id         = aws_kms_key.account-alerts-key.id
+  name                              = "account-alerts-dlq"
+  message_retention_seconds         = 300
+  receive_wait_time_seconds         = 0
+  tags                              = merge(var.standard_tags, var.tags)
+  kms_master_key_id                 = aws_kms_key.account-alerts-key.id
   kms_data_key_reuse_period_seconds = 3600
 }
 
@@ -89,45 +89,45 @@ resource "aws_sns_topic_subscription" "account-alerts-to-queue" {
 }
 
 resource "aws_kms_key" "account-alerts-key" {
-  description             = "Encryption of SNS and SQS queue for account alerts notifications"
-  policy                  = data.aws_iam_policy_document.account-alerts-kms-policy.json
-  enable_key_rotation     = true
+  description         = "Encryption of SNS and SQS queue for account alerts notifications"
+  policy              = data.aws_iam_policy_document.account-alerts-kms-policy.json
+  enable_key_rotation = true
 }
 
 data "aws_iam_policy_document" "account-alerts-kms-policy" {
   statement {
-    sid = "AllowServices"
+    sid    = "AllowServices"
     effect = "Allow"
     principals {
       identifiers = ["cloudwatch.amazonaws.com", "sns.amazonaws.com", "sqs.amazonaws.com"]
-      type = "Service"
+      type        = "Service"
     }
     actions = [
       "kms:GenerateDataKey",
       "kms:Decrypt"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
   }
   statement {
-    sid = "AllowOtherAccounts"
+    sid    = "AllowOtherAccounts"
     effect = "Allow"
     principals {
-      type = "AWS"
-      identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
+      type        = "AWS"
+      identifiers = [for a in var.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"]
     }
     actions = [
       "kms:GenerateDataKey",
       "kms:Encrypt"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
   }
   # allow account to modify/manage key
   statement {
-    sid = "AllowThisAccount"
+    sid    = "AllowThisAccount"
     effect = "Allow"
     principals {
       identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
-      type = "AWS"
+      type        = "AWS"
     }
     actions = [
       "kms:*"

+ 37 - 37
base/account_standards_c2/config_aggregator.tf

@@ -8,7 +8,7 @@ resource "aws_config_configuration_aggregator" "account" {
 }
 
 resource "aws_sns_topic" "config-notifications" {
-  name              = "config-notifications"
+  name = "config-notifications"
   #kms_master_key_id = aws_kms_key.config-notifications-key.id # TODO
 }
 
@@ -19,25 +19,25 @@ resource "aws_sns_topic_policy" "config-notifications" {
 
 data "aws_iam_policy_document" "config-sns" {
   statement {
-    sid = "AllowConfig"
-    actions = [ "SNS:Publish" ]
-    effect = "Allow"
-    resources = [ aws_sns_topic.config-notifications.arn ]
+    sid       = "AllowConfig"
+    actions   = ["SNS:Publish"]
+    effect    = "Allow"
+    resources = [aws_sns_topic.config-notifications.arn]
     principals {
-      type = "AWS"
-      identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
+      type        = "AWS"
+      identifiers = [for a in var.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"]
     }
   }
 }
 
 resource "aws_sqs_queue" "config-notifications" {
-  name                       = "config-notifications"
-  visibility_timeout_seconds = 300 # wait 5 minutes before allowing a different splunk instance to process the same message
-  message_retention_seconds  = 604800 # Keep a message in the queue for 7 days
-  receive_wait_time_seconds  = 0 # how long to wait for a message before returning
-  redrive_policy             = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.config-notifications-dlq.arn}\",\"maxReceiveCount\":4}"
-  tags                       = merge(var.standard_tags, var.tags)
-  kms_master_key_id          = aws_kms_key.config-notifications-key.id
+  name                              = "config-notifications"
+  visibility_timeout_seconds        = 300    # wait 5 minutes before allowing a different splunk instance to process the same message
+  message_retention_seconds         = 604800 # Keep a message in the queue for 7 days
+  receive_wait_time_seconds         = 0      # how long to wait for a message before returning
+  redrive_policy                    = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.config-notifications-dlq.arn}\",\"maxReceiveCount\":4}"
+  tags                              = merge(var.standard_tags, var.tags)
+  kms_master_key_id                 = aws_kms_key.config-notifications-key.id
   kms_data_key_reuse_period_seconds = 3600
 }
 
@@ -46,17 +46,17 @@ data "aws_iam_policy_document" "config-notifications-sns-topic-can-publish" {
     effect = "Allow"
 
     principals {
-      identifiers = [ "*" ]
-      type = "AWS"
+      identifiers = ["*"]
+      type        = "AWS"
     }
 
-    actions = [ "SQS:SendMessage" ]
+    actions = ["SQS:SendMessage"]
 
-    resources = [ aws_sqs_queue.config-notifications.arn ]
+    resources = [aws_sqs_queue.config-notifications.arn]
 
     condition {
-      test = "ArnEquals"
-      values = [ aws_sns_topic.config-notifications.arn ]
+      test     = "ArnEquals"
+      values   = [aws_sns_topic.config-notifications.arn]
       variable = "aws:SourceArn"
     }
   }
@@ -64,11 +64,11 @@ data "aws_iam_policy_document" "config-notifications-sns-topic-can-publish" {
 
 // Dead Letter queue, use same parameters as main queue
 resource "aws_sqs_queue" "config-notifications-dlq" {
-  name                      = "config-notifications-dlq"
-  message_retention_seconds = 300
-  receive_wait_time_seconds = 0
-  tags                      = merge(var.standard_tags, var.tags)
-  kms_master_key_id         = aws_kms_key.config-notifications-key.id
+  name                              = "config-notifications-dlq"
+  message_retention_seconds         = 300
+  receive_wait_time_seconds         = 0
+  tags                              = merge(var.standard_tags, var.tags)
+  kms_master_key_id                 = aws_kms_key.config-notifications-key.id
   kms_data_key_reuse_period_seconds = 3600
 }
 
@@ -84,45 +84,45 @@ resource "aws_sns_topic_subscription" "config-notifications-to-queue" {
 }
 
 resource "aws_kms_key" "config-notifications-key" {
-  description             = "Encryption of SNS and SQS queue for config change notifications"
-  policy                  = data.aws_iam_policy_document.config-notifications-kms-policy.json
-  enable_key_rotation     = true
+  description         = "Encryption of SNS and SQS queue for config change notifications"
+  policy              = data.aws_iam_policy_document.config-notifications-kms-policy.json
+  enable_key_rotation = true
 }
 
 data "aws_iam_policy_document" "config-notifications-kms-policy" {
   statement {
-    sid = "AllowServices"
+    sid    = "AllowServices"
     effect = "Allow"
     principals {
       identifiers = ["config.amazonaws.com", "sns.amazonaws.com", "sqs.amazonaws.com"]
-      type = "Service"
+      type        = "Service"
     }
     actions = [
       "kms:GenerateDataKey",
       "kms:Decrypt"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
   }
   statement {
-    sid = "AllowOtherAccounts"
+    sid    = "AllowOtherAccounts"
     effect = "Allow"
     principals {
-      type = "AWS"
-      identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
+      type        = "AWS"
+      identifiers = [for a in var.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"]
     }
     actions = [
       "kms:GenerateDataKey",
       "kms:Encrypt"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
   }
   # allow account to modify/manage key
   statement {
-    sid = "AllowThisAccount"
+    sid    = "AllowThisAccount"
     effect = "Allow"
     principals {
       identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
-      type = "AWS"
+      type        = "AWS"
     }
     actions = [
       "kms:*"

+ 28 - 28
base/account_standards_c2/config_bucket.tf

@@ -5,15 +5,15 @@ module "xdr_config_logging_bucket" {
   bucket_name = "xdr-config-${var.environment}-access-logs"
   lifecycle_rules = [
     {
-      id                            = "expire-old-logs"
-      enabled                       = true
-      prefix                        = ""
-      expiration                    = 30
-      noncurrent_version_expiration = 30
+      id                                     = "expire-old-logs"
+      enabled                                = true
+      prefix                                 = ""
+      expiration                             = 30
+      noncurrent_version_expiration          = 30
       abort_incomplete_multipart_upload_days = 7
     }
   ]
-  tags = merge(var.standard_tags, var.tags)
+  tags               = merge(var.standard_tags, var.tags)
   versioning_enabled = true
 }
 
@@ -32,7 +32,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "xdr_config_bucket
 
   rule {
     apply_server_side_encryption_by_default {
-      sse_algorithm = "aws:kms"
+      sse_algorithm     = "aws:kms"
       kms_master_key_id = aws_kms_key.config_encryption.arn
     }
   }
@@ -61,38 +61,38 @@ resource "aws_s3_bucket_public_access_block" "awsconfig_bucket_block_public_acce
 
 data "aws_iam_policy_document" "awsconfig_bucket_policy" {
   statement {
-    sid = "AWSConfigBucketPermissionsCheck"
+    sid    = "AWSConfigBucketPermissionsCheck"
     effect = "Allow"
     principals {
-      type = "Service"
-      identifiers = [ "config.amazonaws.com" ]
+      type        = "Service"
+      identifiers = ["config.amazonaws.com"]
     }
-    actions = [ "s3:GetBucketAcl" ]
-    resources = [ aws_s3_bucket.xdr_config_bucket.arn ]
+    actions   = ["s3:GetBucketAcl"]
+    resources = [aws_s3_bucket.xdr_config_bucket.arn]
   }
   statement {
-    sid = "AWSConfigBucketExistenceCheck"
+    sid    = "AWSConfigBucketExistenceCheck"
     effect = "Allow"
     principals {
-      type = "Service"
-      identifiers = [ "config.amazonaws.com" ]
+      type        = "Service"
+      identifiers = ["config.amazonaws.com"]
     }
-    actions = [ "s3:ListBucket" ]
-    resources = [ aws_s3_bucket.xdr_config_bucket.arn ]
+    actions   = ["s3:ListBucket"]
+    resources = [aws_s3_bucket.xdr_config_bucket.arn]
   }
   statement {
-    sid = "AWSConfigBucketDelivery"
+    sid    = "AWSConfigBucketDelivery"
     effect = "Allow"
     principals {
-      type = "Service"
-      identifiers = [ "config.amazonaws.com" ]
+      type        = "Service"
+      identifiers = ["config.amazonaws.com"]
     }
-    actions = [ "s3:PutObject" ]
-    resources = [ "${aws_s3_bucket.xdr_config_bucket.arn}/AWSLogs/*" ]
+    actions   = ["s3:PutObject"]
+    resources = ["${aws_s3_bucket.xdr_config_bucket.arn}/AWSLogs/*"]
     condition {
-      test = "StringEquals"
+      test     = "StringEquals"
       variable = "s3:x-amz-acl"
-      values = [ "bucket-owner-full-control" ]
+      values   = ["bucket-owner-full-control"]
     }
   }
 }
@@ -102,15 +102,15 @@ resource "aws_s3_bucket_policy" "awsconfig_bucket_policy" {
   policy = data.aws_iam_policy_document.awsconfig_bucket_policy.json
 
   # Ordering bug, see https://github.com/terraform-providers/terraform-provider-aws/issues/7628
-  depends_on = [ aws_s3_bucket_public_access_block.awsconfig_bucket_block_public_access ]
+  depends_on = [aws_s3_bucket_public_access_block.awsconfig_bucket_block_public_access]
 }
 
 resource "aws_kms_key" "config_encryption" {
   description             = "This key is used to encrypt AWS config"
   deletion_window_in_days = 30
-  policy = data.aws_iam_policy_document.config_encryption_key_policy.json
-  enable_key_rotation = true
-  tags = merge(var.standard_tags, var.tags)
+  policy                  = data.aws_iam_policy_document.config_encryption_key_policy.json
+  enable_key_rotation     = true
+  tags                    = merge(var.standard_tags, var.tags)
 }
 
 resource "aws_kms_alias" "config_encryption" {

+ 41 - 41
base/account_standards_c2/elb_bucket.tf

@@ -7,22 +7,22 @@ module "elb_logging_logging_bucket" {
   bucket_name = "xdr-elb-${var.environment}-access-logs"
   lifecycle_rules = [
     {
-      id                            = "expire-old-logs"
-      enabled                       = true
-      prefix                        = ""
-      expiration                    = 30
-      noncurrent_version_expiration = 30
+      id                                     = "expire-old-logs"
+      enabled                                = true
+      prefix                                 = ""
+      expiration                             = 30
+      noncurrent_version_expiration          = 30
       abort_incomplete_multipart_upload_days = 7
     }
   ]
-  tags = merge(var.standard_tags, var.tags, { "Note" = "ELB Logging Does Not Support SSE-KMS. Only SSE-S3 is supported." } )
+  tags               = merge(var.standard_tags, var.tags, { "Note" = "ELB Logging Does Not Support SSE-KMS. Only SSE-S3 is supported." })
   versioning_enabled = true
 }
 
 resource "aws_s3_bucket" "elb_logging_bucket" {
   bucket = "xdr-elb-${var.environment}"
-  
-  tags   = merge(var.standard_tags, var.tags)
+
+  tags = merge(var.standard_tags, var.tags)
 }
 
 resource "aws_s3_bucket_acl" "s3_acl_elb_logging_bucket" {
@@ -31,7 +31,7 @@ resource "aws_s3_bucket_acl" "s3_acl_elb_logging_bucket" {
 }
 
 resource "aws_s3_bucket_versioning" "s3_version_elb_logging_bucket" {
-  bucket   = aws_s3_bucket.elb_logging_bucket.id
+  bucket = aws_s3_bucket.elb_logging_bucket.id
   versioning_configuration {
     status = "Enabled"
   }
@@ -44,13 +44,13 @@ resource "aws_s3_bucket_logging" "elb_logging_bucket" {
 }
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_elb_logging_bucket" {
-  bucket   = aws_s3_bucket.elb_logging_bucket.id
-  
+  bucket = aws_s3_bucket.elb_logging_bucket.id
+
   rule {
     apply_server_side_encryption_by_default {
       sse_algorithm = "AES256" # ELB logging only supports SSE-S3
-      }
     }
+  }
 }
 
 resource "aws_s3_bucket_public_access_block" "aws_elb_bucket_block_public_access" {
@@ -71,36 +71,36 @@ data "aws_iam_policy_document" "aws_elb_bucket_policy" {
     #  identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
     #}
     principals {
-      type = "AWS"
-      identifiers = [ data.aws_elb_service_account.main.arn ] 
+      type        = "AWS"
+      identifiers = [data.aws_elb_service_account.main.arn]
     }
 
     resources = ["arn:${var.aws_partition}:s3:::${aws_s3_bucket.elb_logging_bucket.bucket}/*"]
   }
 
   statement {
-    effect = "Allow"
-    actions = [ "s3:PutObject" ]
+    effect  = "Allow"
+    actions = ["s3:PutObject"]
     principals {
-      type = "Service"
-      identifiers = [ "delivery.logs.amazonaws.com" ]
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
     }
-    resources = [ "arn:${var.aws_partition}:s3:::${aws_s3_bucket.elb_logging_bucket.bucket}/*" ]
+    resources = ["arn:${var.aws_partition}:s3:::${aws_s3_bucket.elb_logging_bucket.bucket}/*"]
     condition {
-      test = "StringEquals"
+      test     = "StringEquals"
       variable = "s3:x-amz-acl"
-      values = [ "bucket-owner-full-control" ]
+      values   = ["bucket-owner-full-control"]
     }
   }
 
   statement {
-    effect = "Allow"
-    actions = [ "s3:GetBucketAcl" ]
+    effect  = "Allow"
+    actions = ["s3:GetBucketAcl"]
     principals {
-      type = "Service"
-      identifiers = [ "delivery.logs.amazonaws.com" ]
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
     }
-    resources = [ "arn:${var.aws_partition}:s3:::${aws_s3_bucket.elb_logging_bucket.bucket}" ]
+    resources = ["arn:${var.aws_partition}:s3:::${aws_s3_bucket.elb_logging_bucket.bucket}"]
   }
 }
 
@@ -109,7 +109,7 @@ resource "aws_s3_bucket_policy" "aws_elb_bucket_policy" {
   policy = data.aws_iam_policy_document.aws_elb_bucket_policy.json
 
   # Ordering bug, see https://github.com/terraform-providers/terraform-provider-aws/issues/7628
-  depends_on = [ aws_s3_bucket_public_access_block.aws_elb_bucket_block_public_access ]
+  depends_on = [aws_s3_bucket_public_access_block.aws_elb_bucket_block_public_access]
 }
 
 #### SQS Queue for Splunk
@@ -128,7 +128,7 @@ resource "aws_s3_bucket_notification" "on_new_elb_log" {
 }
 
 resource "aws_sns_topic" "new_elb_log_event" {
-  name = "s3-notification-topic-${aws_s3_bucket.elb_logging_bucket.bucket}"
+  name              = "s3-notification-topic-${aws_s3_bucket.elb_logging_bucket.bucket}"
   kms_master_key_id = aws_kms_key.new_object_key.id
 }
 
@@ -181,7 +181,7 @@ data "aws_iam_policy_document" "elblog_bucket_can_publish" {
 
     condition {
       test     = "ArnEquals"
-      values   = [ aws_sqs_queue.new_elblog.arn ]
+      values   = [aws_sqs_queue.new_elblog.arn]
       variable = "aws:SourceArn"
     }
 
@@ -194,13 +194,13 @@ data "aws_iam_policy_document" "elblog_bucket_can_publish" {
 }
 
 resource "aws_sqs_queue" "new_elblog" {
-  name                       = "new-objects-for-${aws_s3_bucket.elb_logging_bucket.bucket}"
-  visibility_timeout_seconds = 300 # wait 5 minutes before allowing a different splunk instance to process the same message
-  message_retention_seconds  = 604800 # Keep a message in the queue for 7 days
-  receive_wait_time_seconds  = 0 # how long to wait for a message before returning
-  redrive_policy             = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.elblog-dlg.arn}\",\"maxReceiveCount\":4}"
-  tags                       = merge(var.standard_tags, var.tags)
-  kms_master_key_id = aws_kms_key.new_object_key.id
+  name                              = "new-objects-for-${aws_s3_bucket.elb_logging_bucket.bucket}"
+  visibility_timeout_seconds        = 300    # wait 5 minutes before allowing a different splunk instance to process the same message
+  message_retention_seconds         = 604800 # Keep a message in the queue for 7 days
+  receive_wait_time_seconds         = 0      # how long to wait for a message before returning
+  redrive_policy                    = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.elblog-dlg.arn}\",\"maxReceiveCount\":4}"
+  tags                              = merge(var.standard_tags, var.tags)
+  kms_master_key_id                 = aws_kms_key.new_object_key.id
   kms_data_key_reuse_period_seconds = 3600
 }
 
@@ -238,11 +238,11 @@ data "aws_iam_policy_document" "sns_topic_elblog_can_publish" {
 
 // Dead Letter queue, use same parameters as main queue
 resource "aws_sqs_queue" "elblog-dlg" {
-  name                      = "new-objects-for-${aws_s3_bucket.elb_logging_bucket.bucket}-dlq"
-  message_retention_seconds = 300
-  receive_wait_time_seconds = 0
-  tags                      = merge(var.standard_tags, var.tags)
-  kms_master_key_id = aws_kms_key.new_object_key.id
+  name                              = "new-objects-for-${aws_s3_bucket.elb_logging_bucket.bucket}-dlq"
+  message_retention_seconds         = 300
+  receive_wait_time_seconds         = 0
+  tags                              = merge(var.standard_tags, var.tags)
+  kms_master_key_id                 = aws_kms_key.new_object_key.id
   kms_data_key_reuse_period_seconds = 3600
 }
 

+ 7 - 7
base/account_standards_c2/iam.moose-hf.tf

@@ -26,15 +26,15 @@ resource "aws_iam_access_key" "moose-hf-v1" {
   user = aws_iam_user.moose-hf.name
 }
 
-output access_keys {
+output "access_keys" {
   value = {
-    "current" = { 
-      "aws_access_key_id": aws_iam_access_key.moose-hf-v1.id
-      "aws_secret_access_key": aws_iam_access_key.moose-hf-v1.secret
+    "current" = {
+      "aws_access_key_id" : aws_iam_access_key.moose-hf-v1.id
+      "aws_secret_access_key" : aws_iam_access_key.moose-hf-v1.secret
     },
     "previous" = {
-      "aws_access_key_id": aws_iam_access_key.moose-hf-v0.id
-      "aws_secret_access_key": aws_iam_access_key.moose-hf-v0.secret
+      "aws_access_key_id" : aws_iam_access_key.moose-hf-v0.id
+      "aws_secret_access_key" : aws_iam_access_key.moose-hf-v0.secret
     }
   }
   sensitive = true
@@ -119,7 +119,7 @@ resource "aws_iam_group" "moose-hf" {
 resource "aws_iam_user_group_membership" "moose-hf" {
   user = aws_iam_user.moose-hf.name
 
-  groups = [ aws_iam_group.moose-hf.name ]
+  groups = [aws_iam_group.moose-hf.name]
 }
 
 resource "aws_iam_group_policy_attachment" "moose-hf-group" {

+ 35 - 35
base/account_standards_c2/main.tf

@@ -5,15 +5,15 @@ module "s3_logging_bucket" {
   bucket_name = "xdr-cloudtrail-logs-${var.environment}-access-logs"
   lifecycle_rules = [
     {
-      id                            = "expire-old-logs"
-      enabled                       = true
-      prefix                        = ""
-      expiration                    = 30
-      noncurrent_version_expiration = 30
+      id                                     = "expire-old-logs"
+      enabled                                = true
+      prefix                                 = ""
+      expiration                             = 30
+      noncurrent_version_expiration          = 30
       abort_incomplete_multipart_upload_days = 7
     }
   ]
-  tags = merge(var.standard_tags, var.tags)
+  tags               = merge(var.standard_tags, var.tags)
   versioning_enabled = true
 }
 
@@ -21,17 +21,17 @@ module "cloudtrail_logging_bucket" {
   source = "../../thirdparty/terraform-aws-cloudtrail-bucket"
 
   allowed_account_ids = var.account_list
-  bucket_name = "xdr-cloudtrail-logs-${var.environment}"
-  logging_bucket = module.s3_logging_bucket.s3_bucket_name
-  region = var.aws_region
-  tags = merge(var.standard_tags, var.tags)
+  bucket_name         = "xdr-cloudtrail-logs-${var.environment}"
+  logging_bucket      = module.s3_logging_bucket.s3_bucket_name
+  region              = var.aws_region
+  tags                = merge(var.standard_tags, var.tags)
   lifecycle_rules = [
     {
-      id                            = "expire-old-logs"
-      enabled                       = true
-      prefix                        = ""
-      expiration                    = 30
-      noncurrent_version_expiration = 30
+      id                                     = "expire-old-logs"
+      enabled                                = true
+      prefix                                 = ""
+      expiration                             = 30
+      noncurrent_version_expiration          = 30
       abort_incomplete_multipart_upload_days = 7
     }
   ]
@@ -52,7 +52,7 @@ resource "aws_s3_bucket_notification" "on_new_object" {
 }
 
 resource "aws_sns_topic" "new_object_event" {
-  name = "s3-notification-topic-${module.cloudtrail_logging_bucket.s3_bucket_name}"
+  name              = "s3-notification-topic-${module.cloudtrail_logging_bucket.s3_bucket_name}"
   kms_master_key_id = aws_kms_key.new_object_key.id
 }
 
@@ -105,7 +105,7 @@ data "aws_iam_policy_document" "bucket_can_publish" {
 
     condition {
       test     = "ArnEquals"
-      values   = [ aws_sqs_queue.new_s3_object.arn ]
+      values   = [aws_sqs_queue.new_s3_object.arn]
       variable = "aws:SourceArn"
     }
 
@@ -119,13 +119,13 @@ data "aws_iam_policy_document" "bucket_can_publish" {
 
 # This is the queue for splunk to subscribe to
 resource "aws_sqs_queue" "new_s3_object" {
-  name                       = "new-objects-for-${module.cloudtrail_logging_bucket.s3_bucket_name}"
-  visibility_timeout_seconds = 300 # wait 5 minutes before allowing a different splunk instance to process the same message
-  message_retention_seconds  = 604800 # Keep a message in the queue for 7 days
-  receive_wait_time_seconds  = 0 # how long to wait for a message before returning
-  redrive_policy             = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.dlq.arn}\",\"maxReceiveCount\":4}"
-  tags                       = merge(var.standard_tags, var.tags)
-  kms_master_key_id = aws_kms_key.new_object_key.id
+  name                              = "new-objects-for-${module.cloudtrail_logging_bucket.s3_bucket_name}"
+  visibility_timeout_seconds        = 300    # wait 5 minutes before allowing a different splunk instance to process the same message
+  message_retention_seconds         = 604800 # Keep a message in the queue for 7 days
+  receive_wait_time_seconds         = 0      # how long to wait for a message before returning
+  redrive_policy                    = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.dlq.arn}\",\"maxReceiveCount\":4}"
+  tags                              = merge(var.standard_tags, var.tags)
+  kms_master_key_id                 = aws_kms_key.new_object_key.id
   kms_data_key_reuse_period_seconds = 3600
 }
 
@@ -163,11 +163,11 @@ data "aws_iam_policy_document" "sns_topic_can_publish" {
 
 // Dead Letter queue, use same parameters as main queue
 resource "aws_sqs_queue" "dlq" {
-  name                      = "new-objects-for-${module.cloudtrail_logging_bucket.s3_bucket_name}-dlq"
-  message_retention_seconds = 300
-  receive_wait_time_seconds = 0
-  tags                      = merge(var.standard_tags, var.tags)
-  kms_master_key_id = aws_kms_key.new_object_key.id
+  name                              = "new-objects-for-${module.cloudtrail_logging_bucket.s3_bucket_name}-dlq"
+  message_retention_seconds         = 300
+  receive_wait_time_seconds         = 0
+  tags                              = merge(var.standard_tags, var.tags)
+  kms_master_key_id                 = aws_kms_key.new_object_key.id
   kms_data_key_reuse_period_seconds = 3600
 }
 
@@ -183,9 +183,9 @@ resource "aws_sns_topic_subscription" "bucket_change_notification_to_queue" {
 }
 
 resource "aws_kms_key" "new_object_key" {
-  description             = "Encryption of SNS and SQS queues on new S3 objects"
-  enable_key_rotation     = true
-  policy                  = data.aws_iam_policy_document.new_object_key_kms_policy.json
+  description         = "Encryption of SNS and SQS queues on new S3 objects"
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.new_object_key_kms_policy.json
 }
 
 data "aws_iam_policy_document" "new_object_key_kms_policy" {
@@ -193,20 +193,20 @@ data "aws_iam_policy_document" "new_object_key_kms_policy" {
     effect = "Allow"
     principals {
       identifiers = ["s3.amazonaws.com", "sns.amazonaws.com", "sqs.amazonaws.com"]
-      type = "Service"
+      type        = "Service"
     }
     actions = [
       "kms:GenerateDataKey",
       "kms:Decrypt"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
   }
   # allow account to modify/manage key
   statement {
     effect = "Allow"
     principals {
       identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
-      type = "AWS"
+      type        = "AWS"
     }
     actions = [
       "kms:*"

+ 3 - 3
base/account_standards_c2/secrets.tf

@@ -4,10 +4,10 @@ output "secrets_manager_reminder" {
 }
 
 resource "aws_secretsmanager_secret" "codebuild_ghe_key" {
-  name = "GHE/mdr-aws-codebuild/key"
-  description = "GitHub Personal Access Key for the mdr-aws-codebuild account"
+  name                    = "GHE/mdr-aws-codebuild/key"
+  description             = "GitHub Personal Access Key for the mdr-aws-codebuild account"
   recovery_window_in_days = 30
-  tags = merge(var.standard_tags, var.tags)
+  tags                    = merge(var.standard_tags, var.tags)
 }
 
 # This just seeds an initial value. It will not be overwritten each update.

+ 5 - 5
base/account_standards_c2/vars.tf

@@ -1,16 +1,16 @@
 variable "tags" {
-  type = map
-  default = { } 
+  type    = map(any)
+  default = {}
 }
 
 # ----------------------------------
 # Below this line are variables inherited from higher levels, so they
 # do not need to be explicitly passed to this module.
-variable "standard_tags" { type = map }
-variable "account_list" { type = list }
+variable "standard_tags" { type = map(any) }
+variable "account_list" { type = list(any) }
 variable "responsible_accounts" { type = map(list(string)) }
 variable "aws_account_id" { type = string }
 variable "aws_partition" { type = string }
 variable "aws_region" { type = string }
 variable "environment" { type = string }
-variable "key_pairs" { type = map }
+variable "key_pairs" { type = map(any) }

+ 16 - 16
base/account_standards_regional/backup_ami_key.tf

@@ -1,7 +1,7 @@
 resource "aws_kms_key" "key" {
-  description = "Key for AMI Backups"
+  description         = "Key for AMI Backups"
   enable_key_rotation = true
-  policy = data.aws_iam_policy_document.kms_policy.json
+  policy              = data.aws_iam_policy_document.kms_policy.json
   tags = merge(
     var.standard_tags,
     { "Name" = "ami_backup_key" },
@@ -18,27 +18,27 @@ data "aws_iam_policy_document" "kms_policy" {
   policy_id = "backup-ami-key-policy"
 
   statement {
-    sid = "Enable IAM User Permissions"
+    sid    = "Enable IAM User Permissions"
     effect = "Allow"
     principals {
       type = "AWS"
-      identifiers = [ 
+      identifiers = [
         # The 'root' account is the entire account, we don't want that
         #"arn:${var.aws_partition}:iam::${var.aws_account_id}:root" 
-        "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin", # MDRAdmin as a break glass
+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin",            # MDRAdmin as a break glass
         "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer" # Terraformer always gets full access
       ]
     }
-    actions = [ "kms:*" ]
-    resources = [ "*" ]
+    actions   = ["kms:*"]
+    resources = ["*"]
   }
 
   statement {
-    sid = "Allow access for Key Administrators"
+    sid    = "Allow access for Key Administrators"
     effect = "Allow"
     principals {
-      type = "AWS"
-      identifiers = [ "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer" ]
+      type        = "AWS"
+      identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer"]
     }
 
     actions = [
@@ -57,15 +57,15 @@ data "aws_iam_policy_document" "kms_policy" {
       "kms:ScheduleKeyDeletion",
       "kms:CancelKeyDeletion"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
   }
 
   statement {
-    sid =  "Allow use of the key"
+    sid    = "Allow use of the key"
     effect = "Allow"
     principals {
       type = "AWS"
-      identifiers = [ 
+      identifiers = [
         "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
         "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/dlm-lifecycle-role"
       ]
@@ -77,11 +77,11 @@ data "aws_iam_policy_document" "kms_policy" {
       "kms:GenerateDataKey*",
       "kms:DescribeKey"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
   }
 
   statement {
-    sid = "Allow attachment of persistent resources"
+    sid    = "Allow attachment of persistent resources"
     effect = "Allow"
     principals {
       type = "AWS"
@@ -95,6 +95,6 @@ data "aws_iam_policy_document" "kms_policy" {
       "kms:ListGrants",
       "kms:RevokeGrant"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
   }
 }

+ 1 - 1
base/account_standards_regional/main.tf

@@ -4,6 +4,6 @@ resource "aws_config_aggregate_authorization" "authorization" {
   tags       = merge(var.standard_tags, var.tags)
 }
 
-output authorizations {
+output "authorizations" {
   value = aws_config_aggregate_authorization.authorization
 }

+ 8 - 8
base/account_standards_regional/vars.tf

@@ -1,22 +1,22 @@
 variable "tags" {
-  type = map
-  default = { } 
+  type    = map(any)
+  default = {}
 }
 
 # ----------------------------------
 # Below this line are variables inherited from higher levels, so they
 # do not need to be explicitly passed to this module.
-variable "standard_tags" { type = map }
-variable "account_list" { type = list }
+variable "standard_tags" { type = map(any) }
+variable "account_list" { type = list(any) }
 variable "aws_account_id" { type = string }
 variable "aws_partition" { type = string }
 variable "aws_region" { type = string }
 variable "environment" { type = string }
-variable "key_pairs" { type = map }
-variable "c2_accounts" { type = map }
+variable "key_pairs" { type = map(any) }
+variable "c2_accounts" { type = map(any) }
 
 locals {
   logging_environment = var.environment == "common" ? "prod" : var.environment # common logs to prod
-  c2_account = var.c2_accounts[var.aws_partition]
-  is_c2 = var.aws_account_id == local.c2_account ? true : false
+  c2_account          = var.c2_accounts[var.aws_partition]
+  is_c2               = var.aws_account_id == local.c2_account ? true : false
 }

+ 24 - 24
base/amis.tf

@@ -1,23 +1,23 @@
 locals {
   ami_map = {
-    "base"       = data.aws_ami.base.image_id,
-    "minion"     = data.aws_ami.minion.image_id,
-    "master"     = data.aws_ami.master.image_id,
+    "base"   = data.aws_ami.base.image_id,
+    "minion" = data.aws_ami.minion.image_id,
+    "master" = data.aws_ami.master.image_id,
     #    "ubuntu1804" = data.aws_ami.ubuntu1804.image_id,
   }
   # We need some data from the block devices
   block_device_mappings = {
-    "base"       = {
-      for bd in data.aws_ami.base.block_device_mappings:
-        bd.device_name => bd
+    "base" = {
+      for bd in data.aws_ami.base.block_device_mappings :
+      bd.device_name => bd
     }
-    "minion"     = {
-      for bd in data.aws_ami.minion.block_device_mappings:
-        bd.device_name => bd
+    "minion" = {
+      for bd in data.aws_ami.minion.block_device_mappings :
+      bd.device_name => bd
     }
-    "master"     = {
-      for bd in data.aws_ami.master.block_device_mappings:
-        bd.device_name => bd
+    "master" = {
+      for bd in data.aws_ami.master.block_device_mappings :
+      bd.device_name => bd
     }
     #    "ubuntu1804" = data.aws_ami.ubuntu1804.image_id,
   }
@@ -25,7 +25,7 @@ locals {
 
 data "aws_ami" "base" {
   most_recent = true
-  owners = [ var.common_services_account ]
+  owners      = [var.common_services_account]
 
   filter {
     name   = "virtualization-type"
@@ -33,19 +33,19 @@ data "aws_ami" "base" {
   }
 
   filter {
-    name = "root-device-type"
+    name   = "root-device-type"
     values = ["ebs"]
   }
 
   filter {
-    name = "name"
-    values = [ "MSOC_RedHat_Base_*" ]
+    name   = "name"
+    values = ["MSOC_RedHat_Base_*"]
   }
 }
 
 data "aws_ami" "minion" {
   most_recent = true
-  owners = [ var.common_services_account ]
+  owners      = [var.common_services_account]
 
   filter {
     name   = "virtualization-type"
@@ -53,19 +53,19 @@ data "aws_ami" "minion" {
   }
 
   filter {
-    name = "root-device-type"
+    name   = "root-device-type"
     values = ["ebs"]
   }
 
   filter {
-    name = "name"
-    values = [ "MSOC_RedHat_Minion_*" ]
+    name   = "name"
+    values = ["MSOC_RedHat_Minion_*"]
   }
 }
 
 data "aws_ami" "master" {
   most_recent = true
-  owners = [ var.common_services_account ]
+  owners      = [var.common_services_account]
 
   filter {
     name   = "virtualization-type"
@@ -73,13 +73,13 @@ data "aws_ami" "master" {
   }
 
   filter {
-    name = "root-device-type"
+    name   = "root-device-type"
     values = ["ebs"]
   }
 
   filter {
-    name = "name"
-    values = [ "MSOC_RedHat_Master_*" ]
+    name   = "name"
+    values = ["MSOC_RedHat_Master_*"]
   }
 }
 

+ 2 - 2
base/aws_client_vpn/auth.tf

@@ -1,5 +1,5 @@
 resource "aws_ec2_client_vpn_authorization_rule" "vpn_auth_rule" {
   client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.vpn.id
-  target_network_cidr = "0.0.0.0/0"
-  authorize_all_groups = true
+  target_network_cidr    = "0.0.0.0/0"
+  authorize_all_groups   = true
 }

+ 2 - 2
base/aws_client_vpn/certificate.tf

@@ -1,6 +1,6 @@
 #Certificate 
 resource "aws_acm_certificate" "cert" {
-  domain_name       = "${ var.dns_name }${var.suffix}.${var.dns_info["public"]["zone"]}"
+  domain_name       = "${var.dns_name}${var.suffix}.${var.dns_info["public"]["zone"]}"
   validation_method = "DNS"
 
   lifecycle {
@@ -18,7 +18,7 @@ resource "aws_acm_certificate" "cert" {
 
 resource "aws_acm_certificate_validation" "cert" {
   certificate_arn         = aws_acm_certificate.cert.arn
-  validation_record_fqdns = [for record in aws_route53_record.cert_validation: record.fqdn]
+  validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
 }
 
 resource "aws_route53_record" "cert_validation" {

+ 2 - 2
base/aws_client_vpn/cloudwatch.tf

@@ -1,10 +1,10 @@
 resource "aws_cloudwatch_log_group" "vpn" {
-  name = "/aws/vpn${var.suffix}"
+  name              = "/aws/vpn${var.suffix}"
   retention_in_days = 30
 
   # TODO: Encrypt
   # kms_key_id = <arn>
-  
+
   tags = merge(var.standard_tags, var.tags)
 }
 

+ 7 - 7
base/aws_client_vpn/lambda.tf

@@ -1,7 +1,7 @@
 # Lambda function to refuse concurrent connections
 data "archive_file" "lambda_connection_authorization" {
-  type             = "zip"
-  source_file      = "${path.module}/files/connection_authorization/connection_handler_disconnect_multiples.py"
+  type        = "zip"
+  source_file = "${path.module}/files/connection_authorization/connection_handler_disconnect_multiples.py"
   # 0666 results in "more consistent behavior" according to https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/archive_file
   output_file_mode = "0666"
   output_path      = "${path.module}/files/connection_authorization/connection_handle_with_disconnect.zip"
@@ -45,9 +45,9 @@ data "aws_iam_policy_document" "lambda_connection_authorization_policy_doc" {
 }
 
 resource "aws_iam_policy" "lambda_connection_authorization_policy" {
-  name        = "awsclientvpn-connection-handler${var.suffix}"
-  path        = "/lambda/"
-  policy      = data.aws_iam_policy_document.lambda_connection_authorization_policy_doc.json
+  name   = "awsclientvpn-connection-handler${var.suffix}"
+  path   = "/lambda/"
+  policy = data.aws_iam_policy_document.lambda_connection_authorization_policy_doc.json
 }
 
 resource "aws_iam_role_policy_attachment" "lambda_connection_authorization_policy_attachment" {
@@ -70,11 +70,11 @@ resource "aws_lambda_function" "lambda_connection_authorization" {
 
   environment {
     variables = {
-      LOGLEVEL = var.log_level
+      LOGLEVEL       = var.log_level
       MODULELOGLEVEL = var.module_log_level
     }
   }
- 
+
   tags = merge(var.standard_tags, var.tags)
 }
 

+ 1 - 1
base/aws_client_vpn/outputs.tf

@@ -7,7 +7,7 @@ output "vpn_id" {
 }
 
 output "self_service_url" {
-  value = "https://gov.self-service.clientvpn.amazonaws.com/endpoints/${ aws_ec2_client_vpn_endpoint.vpn.id }"
+  value = "https://gov.self-service.clientvpn.amazonaws.com/endpoints/${aws_ec2_client_vpn_endpoint.vpn.id}"
 }
 
 output "lambda_function_arn" {

+ 2 - 2
base/aws_client_vpn/saml.tf

@@ -1,11 +1,11 @@
 resource "aws_iam_saml_provider" "okta" {
   name                   = "okta_aws_vpn${var.suffix}"
   saml_metadata_document = file("files/saml-metadata-okta-${var.environment}.xml")
-  tags = merge(var.standard_tags, var.tags)
+  tags                   = merge(var.standard_tags, var.tags)
 }
 
 resource "aws_iam_saml_provider" "okta-self-service" {
   name                   = "okta_aws_vpn_self_service${var.suffix}"
   saml_metadata_document = file("files/saml-metadata-okta-self-service-${var.environment}.xml")
-  tags = merge(var.standard_tags, var.tags)
+  tags                   = merge(var.standard_tags, var.tags)
 }

+ 8 - 8
base/aws_client_vpn/security-groups.tf

@@ -1,8 +1,8 @@
 resource "aws_security_group" "vpn_access" {
-  name_prefix = "${ var.dns_name }${ var.suffix}_vpn_access"
+  name_prefix = "${var.dns_name}${var.suffix}_vpn_access"
   description = "Security Group for the AWS VPN"
-  vpc_id = var.vpc_id
-  tags = merge(var.standard_tags, var.tags)
+  vpc_id      = var.vpc_id
+  tags        = merge(var.standard_tags, var.tags)
 }
 
 resource "aws_security_group_rule" "vpn-in-443-tcp" {
@@ -10,7 +10,7 @@ resource "aws_security_group_rule" "vpn-in-443-tcp" {
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
-  cidr_blocks       = [ "0.0.0.0/0" ]
+  cidr_blocks       = ["0.0.0.0/0"]
   security_group_id = aws_security_group.vpn_access.id
 }
 
@@ -19,7 +19,7 @@ resource "aws_security_group_rule" "vpn-in-443-udp" {
   from_port         = 443
   to_port           = 443
   protocol          = "udp"
-  cidr_blocks       = [ "0.0.0.0/0" ]
+  cidr_blocks       = ["0.0.0.0/0"]
   security_group_id = aws_security_group.vpn_access.id
 }
 
@@ -28,7 +28,7 @@ resource "aws_security_group_rule" "vpn-in-1194-tcp" {
   from_port         = 1194
   to_port           = 1194
   protocol          = "tcp"
-  cidr_blocks       = [ "0.0.0.0/0" ]
+  cidr_blocks       = ["0.0.0.0/0"]
   security_group_id = aws_security_group.vpn_access.id
 }
 
@@ -37,7 +37,7 @@ resource "aws_security_group_rule" "vpn-in-1194-udp" {
   from_port         = 1194
   to_port           = 1194
   protocol          = "udp"
-  cidr_blocks       = [ "0.0.0.0/0" ]
+  cidr_blocks       = ["0.0.0.0/0"]
   security_group_id = aws_security_group.vpn_access.id
 }
 
@@ -46,6 +46,6 @@ resource "aws_security_group_rule" "vpn-out" {
   from_port         = -1
   to_port           = -1
   protocol          = -1
-  cidr_blocks       = [ "0.0.0.0/0" ]
+  cidr_blocks       = ["0.0.0.0/0"]
   security_group_id = aws_security_group.vpn_access.id
 }

+ 15 - 15
base/aws_client_vpn/vars.tf

@@ -1,51 +1,51 @@
 variable "log_level" {
   description = "Log Level in syslog format, all caps. (CRITICAL|ERROR|WARNING|INFO|DEBUG|NOTSET)"
-  type = string
-  default = "INFO"
+  type        = string
+  default     = "INFO"
 }
 
 variable "module_log_level" {
   description = "Log Level for modues such as boto3 in syslog format, all caps. (CRITICAL|ERROR|WARNING|INFO|DEBUG|NOTSET)"
-  type = string
-  default = "INFO"
+  type        = string
+  default     = "INFO"
 }
 
 variable "split_tunnel" {
-  type = bool
+  type        = bool
   description = "Whether or not to split tunnel."
 }
 
 variable "suffix" {
-  type = string
+  type        = string
   description = "Suffix String for Unique Naming"
-  default = ""
+  default     = ""
 }
 
 variable "protocol" {
-  type = string
+  type        = string
   description = "'tcp' or 'udp'"
-  default = "tcp"
+  default     = "tcp"
 }
 
 variable "dns_name" {
-  type = string
+  type        = string
   description = "Used for the certificate"
 }
 
 variable "tags" {
   description = "Tags to add to the resource (in addition to global standard tags)"
-  type        = map
-  default     = { }
+  type        = map(any)
+  default     = {}
 }
 
 variable "azs" { type = list(string) }
 variable "private_subnets" { type = list(string) }
 variable "public_subnets" { type = list(string) }
 variable "vpc_id" { type = string }
-variable "cidr_map" { type = map }
-variable "dns_info" { type = map }
+variable "cidr_map" { type = map(any) }
+variable "dns_info" { type = map(any) }
 variable "dns_servers" { type = list(string) }
-variable "standard_tags" { type = map }
+variable "standard_tags" { type = map(any) }
 variable "environment" { type = string }
 variable "aws_region" { type = string }
 variable "aws_partition" { type = string }
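Review bot: The `protocol` variable in the middle of this hunk documents its allowed values as 'tcp' or 'udp' but nothing enforces them, so a typo is only caught as an API error at apply time when the value reaches `transport_protocol` in vpn.tf. A validation block makes it a plan-time error: `condition = contains(["tcp", "udp"], var.protocol)` with `error_message = "Protocol must be tcp or udp."`. The file now uses `map(any)`, so it is already on a Terraform version that supports `validation`. The same hunk types `tags` and `standard_tags` as `map(any)`; `map(string)` would match what AWS accepts for tag values and reject a wrong type at plan time.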

+ 12 - 12
base/aws_client_vpn/vpn.tf

@@ -8,11 +8,11 @@ locals {
 }
 
 resource "aws_ec2_client_vpn_endpoint" "vpn" {
-  description = "VPN for XDR Employee Access"
-  client_cidr_block = "172.16.0.0/22"
-  split_tunnel = var.split_tunnel
+  description            = "VPN for XDR Employee Access"
+  client_cidr_block      = "172.16.0.0/22"
+  split_tunnel           = var.split_tunnel
   server_certificate_arn = aws_acm_certificate.cert.arn
-  self_service_portal = "enabled" # requires a self_service_saml_provider in authentication_options
+  self_service_portal    = "enabled" # requires a self_service_saml_provider in authentication_options
 
   security_group_ids = [aws_security_group.vpn_access.id]
 
@@ -25,13 +25,13 @@ resource "aws_ec2_client_vpn_endpoint" "vpn" {
   #}
 
   authentication_options {
-    type = "federated-authentication"
-    saml_provider_arn = aws_iam_saml_provider.okta.arn
+    type                           = "federated-authentication"
+    saml_provider_arn              = aws_iam_saml_provider.okta.arn
     self_service_saml_provider_arn = aws_iam_saml_provider.okta-self-service.arn
   }
 
   connection_log_options {
-    enabled = true
+    enabled               = true
     cloudwatch_log_group  = aws_cloudwatch_log_group.vpn.name
     cloudwatch_log_stream = aws_cloudwatch_log_stream.vpn.name
   }
@@ -40,16 +40,16 @@ resource "aws_ec2_client_vpn_endpoint" "vpn" {
   transport_protocol = var.protocol
   #transport_protocol = "tcp"
 
-  vpn_port = 443
+  vpn_port              = 443
   session_timeout_hours = 12
 
   client_login_banner_options {
     banner_text = "--- NOTICE TO USERS ---\n\nAccenture Federal Services AUTHORIZED USE ONLY\n\nThis system is the property of Accenture Federal Services.  You are accessing a U.S. Government certified information system.  By using this system you consent to monitoring for unauthorized access or activity where legally permitted and agree to use the system in accordance to Accenture Federal Services policies, local laws and regulations.\n\nUnauthorized use of this system is prohibited and subject to reprimand, dismissal, financial penalties, criminal penalties, and civil penalties. By signing in, you are agreeing to these terms."
-    enabled = true
+    enabled     = true
   }
 
   client_connect_options {
-    enabled = true
+    enabled             = true
     lambda_function_arn = aws_lambda_function.lambda_connection_authorization.arn
   }
 }
@@ -58,7 +58,7 @@ resource "aws_ec2_client_vpn_network_association" "vpn_subnets" {
   count = local.redundancy_count
 
   client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.vpn.id
-  subnet_id = var.public_subnets[count.index]
+  subnet_id              = var.public_subnets[count.index]
 
   lifecycle {
     // The issue why we are ignoring changes is that on every change
@@ -69,7 +69,7 @@ resource "aws_ec2_client_vpn_network_association" "vpn_subnets" {
 }
 
 resource "aws_ec2_client_vpn_route" "default" {
-  count = local.redundancy_count
+  count                  = local.redundancy_count
   client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.vpn.id
   #destination_cidr_block = "10.0.0.0/8"
   destination_cidr_block = "0.0.0.0/0"

+ 4 - 4
base/aws_scheduler/vars.tf

@@ -1,13 +1,13 @@
 variable "tags" {
-  type = map
-  default = { } 
+  type    = map(any)
+  default = {}
 }
 
 # ----------------------------------
 # Below this line are variables inherited from higher levels, so they
 # do not need to be explicitly passed to this module.
-variable "standard_tags" { type = map }
-variable "account_list" { type = list }
+variable "standard_tags" { type = map(any) }
+variable "account_list" { type = list(any) }
 variable "aws_account_id" { type = string }
 variable "aws_partition" { type = string }
 variable "aws_region" { type = string }

+ 6 - 6
base/backups/ami_backups.tf

@@ -9,8 +9,8 @@
 # WARNING: External data sources are run before the apply, and even before any decision
 #          is made whether or not to apply, so do not make changes in such a script.
 data "external" "get_dlm_policies" {
-  program = ["bin/get_current_dlm_policies", var.aws_partition, var.aws_region, var.aws_account_id, var.account_name]
-  depends_on = [ null_resource.create_dlm_policy ]
+  program    = ["bin/get_current_dlm_policies", var.aws_partition, var.aws_region, var.aws_account_id, var.account_name]
+  depends_on = [null_resource.create_dlm_policy]
 }
 
 output "dlm_policies" {
@@ -28,10 +28,10 @@ resource "null_resource" "create_dlm_policy" {
   #count = data.external.get_dlm_policies.result["PolicyId"] == "policy-02af49210b5b375d5" ? 1 : 0
 
   triggers = {
-    aws_partition = var.aws_partition
-    aws_region = var.aws_region
+    aws_partition  = var.aws_partition
+    aws_region     = var.aws_region
     aws_account_id = var.aws_account_id
-    account_name = var.account_name
+    account_name   = var.account_name
   }
 
   provisioner "local-exec" {
@@ -44,6 +44,6 @@ resource "null_resource" "create_dlm_policy" {
   #}
 }
 
-output help {
+output "help" {
   value = "If you need to update/recreate the policy, run: terragrunt taint null_resource.create_dlm_policy"
 }
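Review bot: The `program` path in `data "external" "get_dlm_policies"` at the top of this hunk is relative (`bin/get_current_dlm_policies`), so it resolves against Terraform's working directory rather than this module's directory. That presumably works today because the `terragrunt taint` hint in `output "help"` suggests this module is applied as a root module, but it breaks silently as soon as the module is sourced from another path. `program = ["${path.module}/bin/get_current_dlm_policies", var.aws_partition, var.aws_region, var.aws_account_id, var.account_name]` removes the dependency on the working directory. The WARNING comment above the data source is worth keeping, since the script is still run outside the plan/apply decision.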

+ 8 - 8
base/backups/vars.tf

@@ -1,6 +1,6 @@
 variable "tags" {
-  type = map
-  default = { } 
+  type    = map(any)
+  default = {}
 }
 
 
@@ -8,18 +8,18 @@ variable "tags" {
 # Below this line are variables inherited from higher levels, so they
 # do not need to be explicitly passed to this module.
 variable "account_name" { type = string }
-variable "binaries_bucket" { type = string}
-variable "binaries_key" { type = string}
+variable "binaries_bucket" { type = string }
+variable "binaries_key" { type = string }
 variable "is_legacy" { type = bool }
 variable "legacy_account" { type = string }
 variable "common_services_account" { type = string }
-variable "standard_tags" { type = map }
-variable "account_list" { type = list }
+variable "standard_tags" { type = map(any) }
+variable "account_list" { type = list(any) }
 variable "aws_account_id" { type = string }
 variable "aws_partition" { type = string }
 variable "aws_region" { type = string }
 variable "environment" { type = string }
-variable "key_pairs" { type = map }
-variable "c2_accounts" { type = map }
+variable "key_pairs" { type = map(any) }
+variable "c2_accounts" { type = map(any) }
 variable "aws_flowlogs_hec_token" { type = string }
 variable "hec_pub_ack" { type = string }
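Review bot: `aws_flowlogs_hec_token` at the end of this hunk is a Splunk HEC credential declared as a plain `type = string`, so its value shows up in plan/apply output and in any output or error message that references it; mark it `variable "aws_flowlogs_hec_token" { type = string, sensitive = true }` (needs Terraform 0.14+; the file already uses the 0.13+ `map(any)` form, so that is likely a small step). `hec_pub_ack` looks like a related setting — if it is also a secret, treat it the same way. Note that `sensitive` only redacts CLI output; the value is still written in plaintext to state, so the state backend still has to be encrypted and access-controlled.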

+ 82 - 82
base/bastion/main.tf

@@ -16,55 +16,55 @@ data "aws_kms_key" "ebs-key" {
 }
 
 resource "aws_network_interface" "instance" {
-  subnet_id = var.subnets[0]
-  security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.bastion_security_group.id ]
-  description = var.instance_name
-  tags = merge(var.standard_tags, var.tags, { Name = var.instance_name })
+  subnet_id       = var.subnets[0]
+  security_groups = [data.aws_security_group.typical-host.id, aws_security_group.bastion_security_group.id]
+  description     = var.instance_name
+  tags            = merge(var.standard_tags, var.tags, { Name = var.instance_name })
 }
 
 resource "aws_eip" "instance" {
-  vpc = true
+  vpc  = true
   tags = merge(var.standard_tags, var.tags, { Name = var.instance_name })
 }
 
 resource "aws_eip_association" "instance" {
   network_interface_id = aws_network_interface.instance.id
-  allocation_id = aws_eip.instance.id
+  allocation_id        = aws_eip.instance.id
 }
 
 resource "aws_instance" "instance" {
   #availability_zone = var.azs[count.index % 2]
-  tenancy = "default"
-  ebs_optimized = true
-  disable_api_termination = var.instance_termination_protection
+  tenancy                              = "default"
+  ebs_optimized                        = true
+  disable_api_termination              = var.instance_termination_protection
   instance_initiated_shutdown_behavior = "stop"
-  instance_type = var.instance_type
-  key_name = "msoc-build"
-  monitoring = false
-  iam_instance_profile = "msoc-default-instance-profile"
+  instance_type                        = var.instance_type
+  key_name                             = "msoc-build"
+  monitoring                           = false
+  iam_instance_profile                 = "msoc-default-instance-profile"
 
   ami = local.ami_map[local.ami_selection]
   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
   # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
   # that could be removed.
-  lifecycle { ignore_changes = [ ami, key_name, user_data, ebs_block_device ] }
+  lifecycle { ignore_changes = [ami, key_name, user_data, ebs_block_device] }
 
   # These device definitions are optional, but added for clarity.
   root_block_device {
-      volume_type = "gp2"
-      #volume_size = "60"
-      delete_on_termination = true
-      encrypted = true
-      kms_key_id = data.aws_kms_key.ebs-key.arn
+    volume_type = "gp2"
+    #volume_size = "60"
+    delete_on_termination = true
+    encrypted             = true
+    kms_key_id            = data.aws_kms_key.ebs-key.arn
   }
 
   ebs_block_device {
     # swap
-    device_name = "/dev/xvdm"
-    volume_size = 48
+    device_name           = "/dev/xvdm"
+    volume_size           = 48
     delete_on_termination = true
-    encrypted = true
-    kms_key_id = data.aws_kms_key.ebs-key.arn
+    encrypted             = true
+    kms_key_id            = data.aws_kms_key.ebs-key.arn
     # Snapshot IDs need to be grabbed from the ami, or it will replace every time. It's ugly.
     # This may prompt replacement when the AMI is updated.
     # See:
@@ -77,9 +77,9 @@ resource "aws_instance" "instance" {
     device_name = "/dev/xvdn"
     # volume_size = xx
     delete_on_termination = true
-    encrypted = true
-    kms_key_id = data.aws_kms_key.ebs-key.arn
-    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdn"].ebs.snapshot_id
+    encrypted             = true
+    kms_key_id            = data.aws_kms_key.ebs-key.arn
+    snapshot_id           = local.block_device_mappings[local.ami_selection]["/dev/xvdn"].ebs.snapshot_id
 
   }
   ebs_block_device {
@@ -87,63 +87,63 @@ resource "aws_instance" "instance" {
     device_name = "/dev/xvdo"
     # volume_size = xx
     delete_on_termination = true
-    encrypted = true
-    kms_key_id = data.aws_kms_key.ebs-key.arn
-    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdo"].ebs.snapshot_id
+    encrypted             = true
+    kms_key_id            = data.aws_kms_key.ebs-key.arn
+    snapshot_id           = local.block_device_mappings[local.ami_selection]["/dev/xvdo"].ebs.snapshot_id
   }
   ebs_block_device {
     # /var/tmp
     device_name = "/dev/xvdp"
     # volume_size = xx
     delete_on_termination = true
-    encrypted = true
-    kms_key_id = data.aws_kms_key.ebs-key.arn
-    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdp"].ebs.snapshot_id
+    encrypted             = true
+    kms_key_id            = data.aws_kms_key.ebs-key.arn
+    snapshot_id           = local.block_device_mappings[local.ami_selection]["/dev/xvdp"].ebs.snapshot_id
   }
   ebs_block_device {
     # /var/log
     device_name = "/dev/xvdq"
     # volume_size = xx
     delete_on_termination = true
-    encrypted = true
-    kms_key_id = data.aws_kms_key.ebs-key.arn
-    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdq"].ebs.snapshot_id
+    encrypted             = true
+    kms_key_id            = data.aws_kms_key.ebs-key.arn
+    snapshot_id           = local.block_device_mappings[local.ami_selection]["/dev/xvdq"].ebs.snapshot_id
   }
   ebs_block_device {
     # /var/log/audit
     device_name = "/dev/xvdr"
     # volume_size = xx
     delete_on_termination = true
-    encrypted = true
-    kms_key_id = data.aws_kms_key.ebs-key.arn
-    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdr"].ebs.snapshot_id
+    encrypted             = true
+    kms_key_id            = data.aws_kms_key.ebs-key.arn
+    snapshot_id           = local.block_device_mappings[local.ami_selection]["/dev/xvdr"].ebs.snapshot_id
   }
   ebs_block_device {
     # /tmp
     device_name = "/dev/xvds"
     # volume_size = xx
     delete_on_termination = true
-    encrypted = true
-    kms_key_id = data.aws_kms_key.ebs-key.arn
-    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvds"].ebs.snapshot_id
+    encrypted             = true
+    kms_key_id            = data.aws_kms_key.ebs-key.arn
+    snapshot_id           = local.block_device_mappings[local.ami_selection]["/dev/xvds"].ebs.snapshot_id
   }
 
   network_interface {
-    device_index = 0
+    device_index         = 0
     network_interface_id = aws_network_interface.instance.id
   }
 
-  user_data = data.template_cloudinit_config.cloud-init.rendered
-  tags = merge( var.standard_tags, var.tags, var.instance_tags, { Name = var.instance_name })
-  volume_tags = merge( var.standard_tags, var.tags, { Name = var.instance_name })
+  user_data   = data.template_cloudinit_config.cloud-init.rendered
+  tags        = merge(var.standard_tags, var.tags, var.instance_tags, { Name = var.instance_name })
+  volume_tags = merge(var.standard_tags, var.tags, { Name = var.instance_name })
 }
 
 module "private_dns_record" {
   source = "../../submodules/dns/private_A_record"
 
-  name = var.instance_name
-  ip_addresses = [ aws_instance.instance.private_ip ]
-  dns_info = var.dns_info
+  name            = var.instance_name
+  ip_addresses    = [aws_instance.instance.private_ip]
+  dns_info        = var.dns_info
   reverse_enabled = var.reverse_enabled
 
   providers = {
@@ -154,9 +154,9 @@ module "private_dns_record" {
 module "public_dns_record" {
   source = "../../submodules/dns/public_A_record"
 
-  name = var.instance_name
-  ip_addresses = [ aws_eip.instance.public_ip ]
-  dns_info = var.dns_info
+  name         = var.instance_name
+  ip_addresses = [aws_eip.instance.public_ip]
+  dns_info     = var.dns_info
 
   providers = {
     aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
@@ -173,16 +173,16 @@ data "template_cloudinit_config" "cloud-init" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+    content = templatefile("${path.module}/cloud-init/cloud-init.tpl",
       {
-        hostname = var.instance_name
-        fqdn = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
-        environment = var.environment
-        salt_master  = var.salt_master
-        proxy = var.proxy
-        aws_partition = var.aws_partition
+        hostname            = var.instance_name
+        fqdn                = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
+        environment         = var.environment
+        salt_master         = var.salt_master
+        proxy               = var.proxy
+        aws_partition       = var.aws_partition
         aws_partition_alias = var.aws_partition_alias
-        aws_region = var.aws_region
+        aws_region          = var.aws_region
       }
     )
   }
@@ -195,10 +195,10 @@ data "template_cloudinit_config" "cloud-init" {
 }
 
 resource "aws_security_group" "bastion_security_group" {
-  name = "bastion_security_group"
+  name        = "bastion_security_group"
   description = "Security Group for Bastion Server(s)"
-  vpc_id = var.vpc_id
-  tags = merge(var.standard_tags, var.tags)
+  vpc_id      = var.vpc_id
+  tags        = merge(var.standard_tags, var.tags)
 }
 
 resource "aws_security_group_rule" "ssh-in" {
@@ -232,39 +232,39 @@ resource "aws_security_group_rule" "ssh-in" {
 #}
 
 resource "aws_security_group_rule" "ssh-out" {
-  type = "egress"
-  from_port = 22
-  to_port = 22
-  protocol = "tcp"
-  cidr_blocks = [ "10.0.0.0/8" ]
+  type              = "egress"
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  cidr_blocks       = ["10.0.0.0/8"]
   security_group_id = aws_security_group.bastion_security_group.id
 }
 
 # Bastion can access any port internally
 resource "aws_security_group_rule" "bastion-out-all-ports" {
-  type = "egress"
-  protocol = "all"
-  from_port = -1
-  to_port = -1
-  cidr_blocks = [ "10.0.0.0/8" ]
+  type              = "egress"
+  protocol          = "all"
+  from_port         = -1
+  to_port           = -1
+  cidr_blocks       = ["10.0.0.0/8"]
   security_group_id = aws_security_group.bastion_security_group.id
 }
 
 # Bastion gets http/https out to the internet. Most hosts need to use the proxy
 resource "aws_security_group_rule" "http-out" {
-  type = "egress"
-  from_port = 80
-  to_port = 80
-  protocol = "tcp"
-  cidr_blocks = [ "0.0.0.0/0" ]
+  type              = "egress"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
   security_group_id = aws_security_group.bastion_security_group.id
 }
 
 resource "aws_security_group_rule" "https-out" {
-  type = "egress"
-  from_port = 443
-  to_port = 443
-  protocol = "tcp"
-  cidr_blocks = [ "0.0.0.0/0" ]
+  type              = "egress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
   security_group_id = aws_security_group.bastion_security_group.id
 }

+ 3 - 3
base/bastion/outputs.tf

@@ -1,11 +1,11 @@
-output instance_arn {
+output "instance_arn" {
   value = aws_instance.instance.arn
 }
 
-output instance_public_ip {
+output "instance_public_ip" {
   value = aws_eip.instance.public_ip
 }
 
-output instance_private_ip {
+output "instance_private_ip" {
   value = aws_instance.instance.private_ip
 }

+ 13 - 13
base/bastion/vars.tf

@@ -1,6 +1,6 @@
 variable "instance_name" {
   description = "Hostname, DNS entry, etc."
-  type = string
+  type        = string
 }
 
 variable "azs" {
@@ -17,34 +17,34 @@ variable "vpc_id" {
 
 variable "tags" {
   description = "Tags to add to the resource (in addition to global standard tags)"
-  type        = map
-  default     = { }
+  type        = map(any)
+  default     = {}
 }
 
 variable "instance_tags" {
   description = "Tags for the instance only."
-  type = map(string)
-  default = { }
+  type        = map(string)
+  default     = {}
 }
 
-variable "instance_type" { 
-  type = string
+variable "instance_type" {
+  type    = string
   default = "t3a.micro"
 }
 
-variable "reverse_enabled" { 
+variable "reverse_enabled" {
   description = "Whether to create the reverse DNS entry."
-  type = bool
-  default = true
+  type        = bool
+  default     = true
 }
 
 variable "trusted_ips" { type = list(string) }
 variable "proxy" { type = string }
 variable "salt_master" { type = string }
 
-variable "cidr_map" { type = map }
-variable "dns_info" { type = map }
-variable "standard_tags" { type = map }
+variable "cidr_map" { type = map(any) }
+variable "dns_info" { type = map(any) }
+variable "standard_tags" { type = map(any) }
 variable "environment" { type = string }
 variable "aws_region" { type = string }
 variable "aws_partition" { type = string }
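Review bot: `trusted_ips`, declared mid-hunk with no description, is presumably the SSH allow-list consumed by the `ssh-in` rule in main.tf (its body is cut off in this diff), and nothing stops `0.0.0.0/0` from being passed, which would expose the bastion's port 22 to the internet. A validation block is a cheap guard: `condition = !contains(var.trusted_ips, "0.0.0.0/0")` and `error_message = "The trusted_ips list must not contain 0.0.0.0/0."`, plus a `description` stating what the list controls. Also, `tags` is typed `map(any)` in this hunk while `instance_tags` two blocks below is `map(string)`; `map(string)` for both is consistent and matches what AWS accepts for tag values.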

+ 12 - 12
base/codebuild_artifact/main.tf

@@ -1,15 +1,15 @@
 data "github_repository" "this" {
-    name    = var.name
+  name = var.name
 }
 
 resource "aws_codebuild_project" "this" {
-  count                 = var.artifact_s3_bucket=="" ? 0 : 1
+  count = var.artifact_s3_bucket == "" ? 0 : 1
 
-  name                  = var.name
-  description           = "Project for ${var.name}"
-  service_role          = var.service_role
-  encryption_key        = var.kms_key
-  badge_enabled         = var.badge_enabled
+  name           = var.name
+  description    = "Project for ${var.name}"
+  service_role   = var.service_role
+  encryption_key = var.kms_key
+  badge_enabled  = var.badge_enabled
 
   source {
     type                = "GITHUB_ENTERPRISE"
@@ -18,9 +18,9 @@ resource "aws_codebuild_project" "this" {
   }
 
   environment {
-    compute_type        = "BUILD_GENERAL1_SMALL"
-    image               = var.codebuild_image
-    type                = "LINUX_CONTAINER"
+    compute_type = "BUILD_GENERAL1_SMALL"
+    image        = var.codebuild_image
+    type         = "LINUX_CONTAINER"
   }
 
   artifacts {
@@ -37,14 +37,14 @@ resource "aws_codebuild_project" "this" {
 
   # Govcloud incompatible with "project visibility"
   # See https://github.com/hashicorp/terraform-provider-aws/issues/22473#issuecomment-1081187035
-  lifecycle { ignore_changes = [ project_visibility ] }
+  lifecycle { ignore_changes = [project_visibility] }
 }
 
 resource "aws_codebuild_webhook" "this" {
   project_name  = var.name
   branch_filter = var.webhook_branch_filter
 
-  depends_on = [ aws_codebuild_project.this  ]
+  depends_on = [aws_codebuild_project.this]
 }
 
 resource "github_repository_webhook" "this" {

+ 14 - 14
base/codebuild_artifact/vars.tf

@@ -1,9 +1,9 @@
 variable "tags" {
   description = "Tags to add to the resource (in addition to global standard tags)"
-  type        = map
-  default     = { }
+  type        = map(any)
+  default     = {}
 }
-variable "standard_tags" { type = map }
+variable "standard_tags" { type = map(any) }
 variable "environment" { type = string }
 variable "aws_partition" { type = string }
 variable "aws_partition_alias" { type = string }
@@ -11,29 +11,29 @@ variable "aws_account_id" { type = string }
 variable "name" { type = string }
 variable "service_role" { type = string }
 variable "artifact_s3_bucket" { type = string }
-variable "codebuild_image" {type = string }
+variable "codebuild_image" { type = string }
 
 variable "artifact_namespace_type" {
-    type = string
-    default = "BUILD_ID"
+  type    = string
+  default = "BUILD_ID"
 }
 
 variable "override_artifact_name" {
-    type = bool
-    default = false
+  type    = bool
+  default = false
 }
 
 variable "kms_key" {
-    type = string
-    default = ""
+  type    = string
+  default = ""
 }
 
 variable "badge_enabled" {
-    type = string
-    default = "false"
+  type    = string
+  default = "false"
 }
 
 variable "webhook_branch_filter" {
-    type = string
-    default = "^(master|develop)$"
+  type    = string
+  default = "^(master|develop)$"
 }
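Review bot: `kms_key` defaults to `""` and main.tf passes it straight to `encryption_key`; as far as I can tell the provider treats the empty string as unset, so a caller that forgets the argument silently gets the AWS-managed `aws/s3` key — which the comment in codebuild_ecr_base/kms.tf says does not work for cross-account access and, if the same rule applies to this module, is not what the "artifacts must be encrypted by a KMS key" requirement intends. Either drop the default so the key becomes required, or keep it and add a validation block with `condition = var.kms_key != ""` and `error_message = "The kms_key must be set to a customer-managed KMS key ARN."`. Separately, `badge_enabled` is a `string` holding `"false"` for a boolean argument; `type = bool` / `default = false` avoids relying on implicit conversion.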

+ 2 - 2
base/codebuild_ecr_base/iam.tf

@@ -1,5 +1,5 @@
 resource "aws_iam_role" "codebuild_role" {
-  name     = "codebuild_role"
+  name = "codebuild_role"
 
   assume_role_policy = <<EOF
 {
@@ -134,7 +134,7 @@ EOF
 #       "ecr:DescribeImages",
 #       "ecr:BatchGetImage"
 #     ]
-    
+
 #     resources = [
 #       "*"
 #     ]

+ 38 - 38
base/codebuild_ecr_base/kms.tf

@@ -1,9 +1,9 @@
 # Codebuild artifacts by rule must be encrypted by a KMS key
 # using the default aws/s3 key doesn't work with cross-account access
 resource "aws_kms_key" "s3_codebuild_artifacts" {
-  description             = "Codebuild Artifacts S3 bucket"
-  enable_key_rotation     = true
-  policy                  = data.aws_iam_policy_document.codebuild_kms_key_encryption_policy.json
+  description         = "Codebuild Artifacts S3 bucket"
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.codebuild_kms_key_encryption_policy.json
 }
 
 resource "aws_kms_alias" "codebuilt-artifacts" {
@@ -15,22 +15,22 @@ resource "aws_kms_alias" "codebuilt-artifacts" {
 data "aws_iam_policy_document" "codebuild_kms_key_encryption_policy" {
   #policy_id = "key-consolepolicy-3"
   statement {
-    sid = "Enable IAM User Permissions"
+    sid    = "Enable IAM User Permissions"
     effect = "Allow"
     principals {
       type = "AWS"
-      identifiers = [ 
+      identifiers = [
         "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_feedmgmt_readonly",
         "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
         "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin"
-        ]
+      ]
     }
-    actions   = [ "kms:*" ]
-    resources = [ "*" ]
+    actions   = ["kms:*"]
+    resources = ["*"]
   }
 
   statement {
-    sid = "Allow access for Key Administrators"
+    sid    = "Allow access for Key Administrators"
     effect = "Allow"
     principals {
       type = "AWS"
@@ -55,11 +55,11 @@ data "aws_iam_policy_document" "codebuild_kms_key_encryption_policy" {
       "kms:ScheduleKeyDeletion",
       "kms:CancelKeyDeletion"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
   }
 
   statement {
-    sid =  "Allow use of the key"
+    sid    = "Allow use of the key"
     effect = "Allow"
     principals {
       type = "AWS"
@@ -74,46 +74,46 @@ data "aws_iam_policy_document" "codebuild_kms_key_encryption_policy" {
       "kms:GenerateDataKey*",
       "kms:DescribeKey"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
   }
 
-  statement  {
-    sid = "Allow access through Amazon S3 for all principals in the account that are authorized to use Amazon S3"
+  statement {
+    sid    = "Allow access through Amazon S3 for all principals in the account that are authorized to use Amazon S3"
     effect = "Allow"
     principals {
-      type = "AWS"
-      identifiers = [ "*" ]
+      type        = "AWS"
+      identifiers = ["*"]
     }
     actions = [
-        "kms:Encrypt",
-        "kms:Decrypt",
-        "kms:ReEncrypt*",
-        "kms:GenerateDataKey*",
-        "kms:DescribeKey"
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
 
     condition {
-      test = "StringEquals"
+      test     = "StringEquals"
       variable = "kms.ViaService"
-      values = [ "s3.${var.aws_region}.amazonaws.com" ]
+      values   = ["s3.${var.aws_region}.amazonaws.com"]
     }
 
     condition {
-      test = "StringEquals"
+      test     = "StringEquals"
       variable = "kms.CallerAccount"
-      values = [ var.aws_account_id ]
+      values   = [var.aws_account_id]
     }
   }
 
-  statement  {
-    sid = "Allow access from the codebuild role"
+  statement {
+    sid    = "Allow access from the codebuild role"
     effect = "Allow"
     principals {
       type = "AWS"
-    
+
       # FIXME this needs to be a better role by far
-      identifiers = [ aws_iam_role.codebuild_role.arn ]
+      identifiers = [aws_iam_role.codebuild_role.arn]
     }
     actions = [
       "kms:Encrypt",
@@ -122,11 +122,11 @@ data "aws_iam_policy_document" "codebuild_kms_key_encryption_policy" {
       "kms:GenerateDataKey*",
       "kms:DescribeKey"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
   }
-  
+
   statement {
-    sid = "Allow attachment of persistent resources"
+    sid    = "Allow attachment of persistent resources"
     effect = "Allow"
     principals {
       type = "AWS"
@@ -139,11 +139,11 @@ data "aws_iam_policy_document" "codebuild_kms_key_encryption_policy" {
       "kms:ListGrants",
       "kms:RevokeGrant"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
     condition {
-      test = "Bool"
-      variable =  "kms:GrantIsForAWSResource"
-      values = [ "true" ]
-      }
+      test     = "Bool"
+      variable = "kms:GrantIsForAWSResource"
+      values   = ["true"]
     }
+  }
 }
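Review bot: The condition keys in the "Allow access through Amazon S3 …" statement are spelled `kms.ViaService` and `kms.CallerAccount` with a dot, while every real KMS condition key uses a colon (compare `kms:GrantIsForAWSResource` in the last statement of this same policy); IAM treats an unrecognised key as absent from the request context, so a `StringEquals` on it never matches and — assuming KMS accepts the policy at all — this statement grants nothing, which fails safe but silently denies the in-account S3 access it was written to allow. The fix is `variable = "kms:ViaService"` and `variable = "kms:CallerAccount"`, and the identical spelling appears in base/codebuild_portal_lambda/kms.tf. Separately, the first statement hands `kms:*` to `mdr_feedmgmt_readonly`; for a role whose name says read-only that presumably belongs in the "Allow use of the key" statement instead, which is worth confirming with the owner of that role. The `# FIXME this needs to be a better role by far` on the codebuild-role statement is still open after this reformat.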

+ 3 - 3
base/codebuild_ecr_base/outputs.tf

@@ -1,12 +1,12 @@
-output service_role {
+output "service_role" {
   value = aws_iam_role.codebuild_role.arn
 }
 
-output kms_key {
+output "kms_key" {
   value = aws_kms_key.s3_codebuild_artifacts.arn
 }
 
-output artifact_s3_bucket {
+output "artifact_s3_bucket" {
   value = aws_s3_bucket.artifacts.id
 }
 

+ 4 - 4
base/codebuild_ecr_base/s3.tf

@@ -11,7 +11,7 @@ resource "aws_s3_bucket_acl" "s3_acl_artifacts" {
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_artifacts" {
   bucket = aws_s3_bucket.artifacts.id
-  
+
   rule {
     apply_server_side_encryption_by_default {
       kms_master_key_id = aws_kms_key.s3_codebuild_artifacts.arn
@@ -28,12 +28,12 @@ resource "aws_s3_bucket_policy" "artifacts" {
 data "aws_iam_policy_document" "artifacts" {
   statement {
     sid       = "AllowS3Access"
-    actions   = [ "s3:GetObject", "s3:GetObjectVersion" ]
+    actions   = ["s3:GetObject", "s3:GetObjectVersion"]
     effect    = "Allow"
-    resources = [ "${aws_s3_bucket.artifacts.arn}/*" ]
+    resources = ["${aws_s3_bucket.artifacts.arn}/*"]
     principals {
       type        = "AWS"
-      identifiers = sort([ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ])
+      identifiers = sort([for a in var.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"])
     }
   }
 }

+ 3 - 3
base/codebuild_ecr_base/vars.tf

@@ -1,9 +1,9 @@
 variable "tags" {
   description = "Tags to add to the resource (in addition to global standard tags)"
-  type        = map
-  default     = { }
+  type        = map(any)
+  default     = {}
 }
-variable "standard_tags" { type = map }
+variable "standard_tags" { type = map(any) }
 variable "environment" { type = string }
 variable "aws_partition" { type = string }
 variable "aws_region" { type = string }

+ 2 - 2
base/codebuild_ecr_customer_portal/ghe-key.tf

@@ -1,11 +1,11 @@
 data "aws_secretsmanager_secret" "ghe-key" {
-  name = "GHE/mdr-aws-codebuild/key"
+  name     = "GHE/mdr-aws-codebuild/key"
   provider = aws.c2
 }
 
 data "aws_secretsmanager_secret_version" "ghe-key" {
   secret_id = data.aws_secretsmanager_secret.ghe-key.id
-  provider = aws.c2
+  provider  = aws.c2
 }
 
 #locals {

+ 30 - 30
base/codebuild_ecr_customer_portal/main.tf

@@ -1,15 +1,15 @@
 data "github_repository" "this" {
-    name    = var.name
+  name = var.name
 }
 
 resource "aws_codebuild_project" "this_no_artifact" {
-  count                 = var.artifact_s3_bucket=="" ? 1 : 0
+  count = var.artifact_s3_bucket == "" ? 1 : 0
 
-  name                  = var.name
-  description           = "Container for ${var.name}"
-  service_role          = var.service_role
-  encryption_key        = var.kms_key
-  badge_enabled         = var.badge_enabled
+  name           = var.name
+  description    = "Container for ${var.name}"
+  service_role   = var.service_role
+  encryption_key = var.kms_key
+  badge_enabled  = var.badge_enabled
 
   source {
     type                = "GITHUB_ENTERPRISE"
@@ -22,42 +22,42 @@ resource "aws_codebuild_project" "this_no_artifact" {
   }
 
   environment {
-    compute_type        = "BUILD_GENERAL1_SMALL"
-    image               = var.codebuild_image
-    type                = "LINUX_CONTAINER"
-    privileged_mode     = true
+    compute_type    = "BUILD_GENERAL1_SMALL"
+    image           = var.codebuild_image
+    type            = "LINUX_CONTAINER"
+    privileged_mode = true
   }
 
   artifacts {
-    type                = "NO_ARTIFACTS"
+    type = "NO_ARTIFACTS"
   }
 
   tags = merge(var.standard_tags, var.tags)
 
   # Govcloud incompatible with "project visibility"
   # See https://github.com/hashicorp/terraform-provider-aws/issues/22473#issuecomment-1081187035
-  lifecycle { ignore_changes = [ project_visibility ] }
+  lifecycle { ignore_changes = [project_visibility] }
 }
- 
+
 resource "aws_ecr_repository" "this-server" {
-    name  = "portal_server"
+  name = "portal_server"
 
-    image_scanning_configuration {
-      scan_on_push = true
-    }
+  image_scanning_configuration {
+    scan_on_push = true
+  }
 }
 
 resource "aws_ecr_repository" "this-nginx" {
-    name  = "django_nginx"
+  name = "django_nginx"
 
-    image_scanning_configuration {
-      scan_on_push = true
-    }
+  image_scanning_configuration {
+    scan_on_push = true
+  }
 }
 
 data "aws_iam_policy_document" "ecr_cross_account_policy" {
   statement {
-    sid = "ECRWrite"
+    sid    = "ECRWrite"
     effect = "Allow"
     actions = [
       "ecr:GetAuthorizationToken",
@@ -73,7 +73,7 @@ data "aws_iam_policy_document" "ecr_cross_account_policy" {
       "ecr:DescribeImages",
     ]
     principals {
-      identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
+      identifiers = [for a in var.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"]
       type        = "AWS"
     }
   }
@@ -81,26 +81,26 @@ data "aws_iam_policy_document" "ecr_cross_account_policy" {
 
 resource "aws_ecr_repository_policy" "this-server" {
   repository = aws_ecr_repository.this-server.name
-  policy = data.aws_iam_policy_document.ecr_cross_account_policy.json
+  policy     = data.aws_iam_policy_document.ecr_cross_account_policy.json
 }
 
 resource "aws_ecr_lifecycle_policy" "this-server" {
   repository = aws_ecr_repository.this-server.name
-  policy = file("${path.module}/lifecycle-policy.json")
+  policy     = file("${path.module}/lifecycle-policy.json")
 }
 
 resource "aws_ecr_repository_policy" "this-nginx" {
   repository = aws_ecr_repository.this-nginx.name
-  policy = data.aws_iam_policy_document.ecr_cross_account_policy.json
+  policy     = data.aws_iam_policy_document.ecr_cross_account_policy.json
 }
 
 resource "aws_ecr_lifecycle_policy" "this-nginx" {
   repository = aws_ecr_repository.this-nginx.name
-  policy = file("${path.module}/lifecycle-policy.json")
+  policy     = file("${path.module}/lifecycle-policy.json")
 }
 
 resource "aws_codebuild_webhook" "this" {
-  project_name  = var.name
+  project_name = var.name
   filter_group {
     filter {
       type    = "EVENT"
@@ -113,7 +113,7 @@ resource "aws_codebuild_webhook" "this" {
     }
   }
 
-  depends_on = [ aws_codebuild_project.this_no_artifact  ]
+  depends_on = [aws_codebuild_project.this_no_artifact]
 }
 
 resource "github_repository_webhook" "this" {
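Review bot: `privileged_mode = true` is hard-coded in the environment block of `this_no_artifact`, whereas base/codebuild_project_no_artifact/codebuild.tf takes it from `var.privileged_mode`; privileged mode hands the build container the Docker daemon, which these image builds presumably need, but the reason should be on the line, e.g. `privileged_mode = true # required for docker build/push to ECR`, and ideally exposed as a variable defaulting to true as the sibling module does. Also, the project carries `count = var.artifact_s3_bucket == "" ? 1 : 0` but `aws_codebuild_webhook.this` has no matching `count`, only a `depends_on` on the counted resource, so a caller that supplies an artifact bucket gets a webhook for a project this module does not create — unless a sibling project with artifacts is defined outside the hunk; `count = var.artifact_s3_bucket == "" ? 1 : 0` on the webhook would keep the two consistent. The `github_repository_webhook` resource begins on the hunk's last line and its body is not visible.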

+ 10 - 10
base/codebuild_ecr_customer_portal/vars.tf

@@ -1,9 +1,9 @@
 variable "tags" {
   description = "Tags to add to the resource (in addition to global standard tags)"
-  type        = map
-  default     = { }
+  type        = map(any)
+  default     = {}
 }
-variable "standard_tags" { type = map }
+variable "standard_tags" { type = map(any) }
 variable "environment" { type = string }
 variable "aws_partition" { type = string }
 variable "aws_partition_alias" { type = string }
@@ -14,19 +14,19 @@ variable "responsible_accounts" { type = map(list(string)) }
 variable "name" { type = string }
 variable "service_role" { type = string }
 variable "artifact_s3_bucket" { type = string }
-variable "codebuild_image" {type = string }
+variable "codebuild_image" { type = string }
 
 variable "kms_key" {
-    type = string
-    default = ""
+  type    = string
+  default = ""
 }
 
 variable "badge_enabled" {
-    type = string
-    default = "false"
+  type    = string
+  default = "false"
 }
 
 variable "webhook_branch_filter" {
-    type = string
-    default = "^(master|develop)$"
+  type    = string
+  default = "^(master|develop)$"
 }
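Review bot: `badge_enabled` is declared `type = string` with `default = "false"` yet feeds the boolean `badge_enabled` attribute of `aws_codebuild_project` in this module's main.tf; Terraform coerces the string, but `type = bool` / `default = false` states the contract and rejects a value like `"no"` at plan time instead of at apply. Likewise `tags` and `standard_tags` are now `map(any)` while AWS tag values must be strings, so `map(string)` would surface a bad tag before the provider does. Both are style points on the declarations this hunk reformats, not behaviour changes.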

+ 2 - 2
base/codebuild_ecr_project/ghe-key.tf

@@ -1,11 +1,11 @@
 data "aws_secretsmanager_secret" "ghe-key" {
-  name = "GHE/mdr-aws-codebuild/key"
+  name     = "GHE/mdr-aws-codebuild/key"
   provider = aws.c2
 }
 
 data "aws_secretsmanager_secret_version" "ghe-key" {
   secret_id = data.aws_secretsmanager_secret.ghe-key.id
-  provider = aws.c2
+  provider  = aws.c2
 }
 
 #locals {

+ 21 - 21
base/codebuild_ecr_project/main.tf

@@ -1,15 +1,15 @@
 data "github_repository" "this" {
-    name    = var.name
+  name = var.name
 }
 
 resource "aws_codebuild_project" "this_no_artifact" {
-  count                 = var.artifact_s3_bucket=="" ? 1 : 0
+  count = var.artifact_s3_bucket == "" ? 1 : 0
 
-  name                  = var.name
-  description           = "Container for ${var.name}"
-  service_role          = var.service_role
-  encryption_key        = var.kms_key
-  badge_enabled         = var.badge_enabled
+  name           = var.name
+  description    = "Container for ${var.name}"
+  service_role   = var.service_role
+  encryption_key = var.kms_key
+  badge_enabled  = var.badge_enabled
 
   source {
     type                = "GITHUB_ENTERPRISE"
@@ -24,25 +24,25 @@ resource "aws_codebuild_project" "this_no_artifact" {
   source_version = var.source_version
 
   environment {
-    compute_type        = "BUILD_GENERAL1_SMALL"
-    image               = var.codebuild_image
-    type                = "LINUX_CONTAINER"
-    privileged_mode     = true
+    compute_type    = "BUILD_GENERAL1_SMALL"
+    image           = var.codebuild_image
+    type            = "LINUX_CONTAINER"
+    privileged_mode = true
   }
 
   artifacts {
-    type                = "NO_ARTIFACTS"
+    type = "NO_ARTIFACTS"
   }
 
   tags = merge(var.standard_tags, var.tags)
 
   # Govcloud incompatible with "project visibility"
   # See https://github.com/hashicorp/terraform-provider-aws/issues/22473#issuecomment-1081187035
-  lifecycle { ignore_changes = [ project_visibility ] }
+  lifecycle { ignore_changes = [project_visibility] }
 }
- 
+
 resource "aws_ecr_repository" "this" {
-  name  = var.name
+  name = var.name
 
   image_scanning_configuration {
     scan_on_push = true
@@ -51,7 +51,7 @@ resource "aws_ecr_repository" "this" {
 
 data "aws_iam_policy_document" "ecr_cross_account_policy" {
   statement {
-    sid = "ECRWrite"
+    sid    = "ECRWrite"
     effect = "Allow"
     actions = [
       "ecr:GetAuthorizationToken",
@@ -67,8 +67,8 @@ data "aws_iam_policy_document" "ecr_cross_account_policy" {
       "ecr:DescribeImages",
     ]
     principals {
-      type = "AWS"
-      identifiers = sort([ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ])
+      type        = "AWS"
+      identifiers = sort([for a in var.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"])
     }
   }
   # Allow codebuild access
@@ -91,19 +91,19 @@ data "aws_iam_policy_document" "ecr_cross_account_policy" {
 
 resource "aws_ecr_repository_policy" "this" {
   repository = aws_ecr_repository.this.name
-  policy = data.aws_iam_policy_document.ecr_cross_account_policy.json
+  policy     = data.aws_iam_policy_document.ecr_cross_account_policy.json
 }
 
 resource "aws_ecr_lifecycle_policy" "this" {
   repository = aws_ecr_repository.this.name
-  policy = file("${path.module}/default-lifecycle-policy.json")
+  policy     = file("${path.module}/default-lifecycle-policy.json")
 }
 
 resource "aws_codebuild_webhook" "this" {
   project_name  = var.name
   branch_filter = var.webhook_branch_filter
 
-  depends_on = [ aws_codebuild_project.this_no_artifact ]
+  depends_on = [aws_codebuild_project.this_no_artifact]
 }
 
 resource "github_repository_webhook" "this" {
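Review bot: `enable_webhooks` is declared in this module's vars.tf (`default = true`, "Build on changes?") but `aws_codebuild_webhook.this` in this hunk has no `count`, so the variable does not gate it — unless it is consumed by `github_repository_webhook`, whose body begins on the hunk's last line and is not visible. If the intent is to let callers switch CI triggers off, the webhook needs `count = var.enable_webhooks && var.artifact_s3_bucket == "" ? 1 : 0`; the second half matters because `this_no_artifact` is itself conditional on `var.artifact_s3_bucket == ""`, so today a caller that passes a bucket gets a webhook for a project this module never creates. `privileged_mode = true` is hard-coded in the environment block; a one-line comment stating it is required for docker build/push would spare the next reader the question.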

+ 1 - 1
base/codebuild_ecr_project/outputs.tf

@@ -1,3 +1,3 @@
-output repo_url {
+output "repo_url" {
   value = aws_ecr_repository.this.repository_url
 }

+ 16 - 16
base/codebuild_ecr_project/vars.tf

@@ -1,28 +1,28 @@
 variable "tags" {
   description = "Tags to add to the resource (in addition to global standard tags)"
-  type        = map
-  default     = { }
+  type        = map(any)
+  default     = {}
 }
 
 variable "fetch_submodules" {
   description = "Fetch submodules for git?"
-  type = bool
-  default = false
+  type        = bool
+  default     = false
 }
 
 variable "source_version" {
   description = "Tag or branch for the git repository."
-  type = string
-  default = "master"
+  type        = string
+  default     = "master"
 }
 
 variable "enable_webhooks" {
   description = "Build on changes?"
-  type = bool
-  default = true
+  type        = bool
+  default     = true
 }
 
-variable "standard_tags" { type = map }
+variable "standard_tags" { type = map(any) }
 variable "environment" { type = string }
 variable "aws_partition" { type = string }
 variable "aws_partition_alias" { type = string }
@@ -31,19 +31,19 @@ variable "name" { type = string }
 variable "service_role" { type = string }
 variable "responsible_accounts" { type = map(list(string)) }
 variable "artifact_s3_bucket" { type = string }
-variable "codebuild_image" {type = string }
+variable "codebuild_image" { type = string }
 
 variable "kms_key" {
-    type = string
-    default = ""
+  type    = string
+  default = ""
 }
 
 variable "badge_enabled" {
-    type = string
-    default = "false"
+  type    = string
+  default = "false"
 }
 
 variable "webhook_branch_filter" {
-    type = string
-    default = "^(master|develop)$"
+  type    = string
+  default = "^(master|develop)$"
 }

+ 2 - 2
base/codebuild_portal_lambda/ghe-key.tf

@@ -1,11 +1,11 @@
 data "aws_secretsmanager_secret" "ghe-key" {
-  name = "GHE/mdr-aws-codebuild/key"
+  name     = "GHE/mdr-aws-codebuild/key"
   provider = aws.c2
 }
 
 data "aws_secretsmanager_secret_version" "ghe-key" {
   secret_id = data.aws_secretsmanager_secret.ghe-key.id
-  provider = aws.c2
+  provider  = aws.c2
 }
 
 #locals {

+ 3 - 3
base/codebuild_portal_lambda/iam.tf

@@ -1,6 +1,6 @@
 resource "aws_iam_role" "codebuild_service_role" {
-  name     = "codebuild_${var.name}_role"
-  path     = "/aws_services/"
+  name = "codebuild_${var.name}_role"
+  path = "/aws_services/"
 
   assume_role_policy = <<EOF
 {
@@ -33,7 +33,7 @@ resource "aws_iam_role_policy_attachment" "codebuild_service_policy_attach" {
 resource "aws_iam_policy" "codebuild_service_policy" {
   name        = "codebuild_${var.name}_policy"
   description = "Policy for AWS codebuild for ${var.name}"
-  path     = "/aws_services/"
+  path        = "/aws_services/"
 
   policy = <<EOF
 {

+ 38 - 38
base/codebuild_portal_lambda/kms.tf

@@ -1,9 +1,9 @@
 #Codebuild artifacts by rule must be encrypted by a KMS key
 # using the default aws/s3 key doesn't work with cross-account access
 resource "aws_kms_key" "s3_codebuild" {
-  description             = "Codebuild ${var.name}"
-  enable_key_rotation     = true
-  policy                  = data.aws_iam_policy_document.codebuild_kms_key_encryption_policy.json
+  description         = "Codebuild ${var.name}"
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.codebuild_kms_key_encryption_policy.json
 }
 
 resource "aws_kms_alias" "codebuilt-artifacts" {
@@ -15,21 +15,21 @@ resource "aws_kms_alias" "codebuilt-artifacts" {
 data "aws_iam_policy_document" "codebuild_kms_key_encryption_policy" {
   #policy_id = "key-consolepolicy-3"
   statement {
-    sid = "Enable IAM User Permissions"
+    sid    = "Enable IAM User Permissions"
     effect = "Allow"
     principals {
       type = "AWS"
-      identifiers = [ 
+      identifiers = [
         "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
         "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin"
-        ]
+      ]
     }
-    actions   = [ "kms:*" ]
-    resources = [ "*" ]
+    actions   = ["kms:*"]
+    resources = ["*"]
   }
 
   statement {
-    sid = "Allow access for Key Administrators"
+    sid    = "Allow access for Key Administrators"
     effect = "Allow"
     principals {
       type = "AWS"
@@ -54,11 +54,11 @@ data "aws_iam_policy_document" "codebuild_kms_key_encryption_policy" {
       "kms:ScheduleKeyDeletion",
       "kms:CancelKeyDeletion"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
   }
 
   statement {
-    sid =  "Allow use of the key"
+    sid    = "Allow use of the key"
     effect = "Allow"
     principals {
       type = "AWS"
@@ -73,45 +73,45 @@ data "aws_iam_policy_document" "codebuild_kms_key_encryption_policy" {
       "kms:GenerateDataKey*",
       "kms:DescribeKey"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
   }
 
-  statement  {
-    sid = "Allow access through Amazon S3 for all principals in the account that are authorized to use Amazon S3"
+  statement {
+    sid    = "Allow access through Amazon S3 for all principals in the account that are authorized to use Amazon S3"
     effect = "Allow"
     principals {
-      type = "AWS"
-      identifiers = [ "*" ]
+      type        = "AWS"
+      identifiers = ["*"]
     }
     actions = [
-        "kms:Encrypt",
-        "kms:Decrypt",
-        "kms:ReEncrypt*",
-        "kms:GenerateDataKey*",
-        "kms:DescribeKey"
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
 
     condition {
-      test = "StringEquals"
+      test     = "StringEquals"
       variable = "kms.ViaService"
-      values = [ "s3.${var.aws_region}.amazonaws.com" ]
+      values   = ["s3.${var.aws_region}.amazonaws.com"]
     }
 
     condition {
-      test = "StringEquals"
+      test     = "StringEquals"
       variable = "kms.CallerAccount"
-      values = [ var.aws_account_id ]
+      values   = [var.aws_account_id]
     }
   }
 
-  statement  {
-    sid = "Allow access from the codebuild role"
+  statement {
+    sid    = "Allow access from the codebuild role"
     effect = "Allow"
     principals {
       type = "AWS"
-    
-      identifiers = [ 
+
+      identifiers = [
         aws_iam_role.codebuild_service_role.arn,
       ]
     }
@@ -122,11 +122,11 @@ data "aws_iam_policy_document" "codebuild_kms_key_encryption_policy" {
       "kms:GenerateDataKey*",
       "kms:DescribeKey"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
   }
-  
+
   statement {
-    sid = "Allow attachment of persistent resources"
+    sid    = "Allow attachment of persistent resources"
     effect = "Allow"
     principals {
       type = "AWS"
@@ -139,11 +139,11 @@ data "aws_iam_policy_document" "codebuild_kms_key_encryption_policy" {
       "kms:ListGrants",
       "kms:RevokeGrant"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
     condition {
-      test = "Bool"
-      variable =  "kms:GrantIsForAWSResource"
-      values = [ "true" ]
-      }
+      test     = "Bool"
+      variable = "kms:GrantIsForAWSResource"
+      values   = ["true"]
     }
+  }
 }
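Review bot: The "Allow access through Amazon S3 …" statement conditions on `kms.ViaService` and `kms.CallerAccount`, but the KMS condition keys are `kms:ViaService` and `kms:CallerAccount` (the last statement of this policy spells `kms:GrantIsForAWSResource` correctly); an unrecognised key is treated as absent, so the `StringEquals` never matches and the statement grants nothing — safe, but not what it was written for. Change both `variable` lines to the colon form, here and in base/codebuild_ecr_base/kms.tf which has the same text. With that statement dead, only the explicitly listed principals and `aws_iam_role.codebuild_service_role` can use the key, which is worth keeping in mind if a consumer in this account reports `KMS.AccessDeniedException` reading the artifact bucket.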

+ 22 - 22
base/codebuild_portal_lambda/main.tf

@@ -1,16 +1,16 @@
 data "github_repository" "this" {
-    name    = var.name
+  name = var.name
 }
 
 resource "aws_codebuild_project" "this" {
-  name                  = var.name
-  description           = "Project for ${var.name}"
-  service_role          = aws_iam_role.codebuild_service_role.arn
-  encryption_key        = aws_kms_key.s3_codebuild.arn
-  badge_enabled         = var.badge_enabled
+  name                   = var.name
+  description            = "Project for ${var.name}"
+  service_role           = aws_iam_role.codebuild_service_role.arn
+  encryption_key         = aws_kms_key.s3_codebuild.arn
+  badge_enabled          = var.badge_enabled
   concurrent_build_limit = 1
   #project_visibility     = "PRIVATE"
-  build_timeout          = 60
+  build_timeout = 60
 
   source {
     type                = "GITHUB_ENTERPRISE"
@@ -24,36 +24,36 @@ resource "aws_codebuild_project" "this" {
   source_version = var.source_version
 
   environment {
-    compute_type        = "BUILD_GENERAL1_SMALL"
-    image               = "aws/codebuild/standard:5.0"
-    type                = "LINUX_CONTAINER"
+    compute_type = "BUILD_GENERAL1_SMALL"
+    image        = "aws/codebuild/standard:5.0"
+    type         = "LINUX_CONTAINER"
 
     environment_variable {
-      name = "ARTIFACTS_PATH"
-      type = "PLAINTEXT"
+      name  = "ARTIFACTS_PATH"
+      type  = "PLAINTEXT"
       value = "s3://${aws_s3_bucket.bucket.id}/"
     }
 
   }
 
   artifacts {
-    type                = "S3"
-    location            = aws_s3_bucket.bucket.id
-    name                = "/"
-    path                = var.name
-    namespace_type      = "NONE"
-    packaging           = "NONE"
+    type           = "S3"
+    location       = aws_s3_bucket.bucket.id
+    name           = "/"
+    path           = var.name
+    namespace_type = "NONE"
+    packaging      = "NONE"
   }
-  
+
   tags = merge(var.standard_tags, var.tags)
 
   # Govcloud incompatible with "project visibility"
   # See https://github.com/hashicorp/terraform-provider-aws/issues/22473#issuecomment-1081187035
-  lifecycle { ignore_changes = [ project_visibility ] }
+  lifecycle { ignore_changes = [project_visibility] }
 }
 
 resource "aws_codebuild_webhook" "this" {
-  project_name  = var.name
+  project_name = var.name
   filter_group {
     filter {
       type    = "EVENT"
@@ -66,7 +66,7 @@ resource "aws_codebuild_webhook" "this" {
     }
   }
 
-  depends_on = [ aws_codebuild_project.this  ]
+  depends_on = [aws_codebuild_project.this]
 }
 
 resource "github_repository_webhook" "this" {

+ 8 - 8
base/codebuild_portal_lambda/s3.tf

@@ -8,7 +8,7 @@ locals {
 resource "aws_s3_bucket" "bucket" {
   bucket        = local.bucket_name
   force_destroy = true
-  tags = merge(var.standard_tags, var.tags)
+  tags          = merge(var.standard_tags, var.tags)
 }
 
 resource "aws_s3_bucket_acl" "s3_acl_bucket" {
@@ -17,7 +17,7 @@ resource "aws_s3_bucket_acl" "s3_acl_bucket" {
 }
 
 resource "aws_s3_bucket_versioning" "s3_version_bucket" {
-  bucket   = aws_s3_bucket.bucket.id
+  bucket = aws_s3_bucket.bucket.id
   versioning_configuration {
     status = "Suspended"
   }
@@ -29,8 +29,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
     apply_server_side_encryption_by_default {
       kms_master_key_id = aws_kms_key.s3_codebuild.arn
       sse_algorithm     = "aws:kms"
-      }
     }
+  }
 }
 
 resource "aws_s3_bucket_public_access_block" "public_access_block" {
@@ -52,12 +52,12 @@ resource "aws_s3_bucket_policy" "artifacts" {
 
 data "aws_iam_policy_document" "artifacts" {
   statement {
-    sid = "AllowS3Access"
-    actions = [ "s3:GetObject", "s3:GetObjectVersion" ]
-    effect = "Allow"
-    resources = [ "${aws_s3_bucket.bucket.arn}/*" ]
+    sid       = "AllowS3Access"
+    actions   = ["s3:GetObject", "s3:GetObjectVersion"]
+    effect    = "Allow"
+    resources = ["${aws_s3_bucket.bucket.arn}/*"]
     principals {
-      type = "AWS"
+      type        = "AWS"
       identifiers = local.account_arns
     }
   }
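Review bot: The artifact bucket here has `versioning_configuration { status = "Suspended" }` and `force_destroy = true`, while the bucket policy in the last hunk grants `s3:GetObject` and `s3:GetObjectVersion` to the principals in `local.account_arns`; with versioning off, a build that overwrites an artifact under `${var.name}/` leaves no prior copy to roll back to or to compare against if a consuming account pulls something unexpected, and the `GetObjectVersion` grant covers versions that will never exist. If suspension is deliberate (cost, or the `force_destroy` teardown), say so in a comment on `s3_version_bucket`; otherwise `status = "Enabled"` with a lifecycle rule expiring noncurrent versions is the usual shape for a deployment-artifact bucket read cross-account. `local.account_arns` and the `aws_s3_bucket_public_access_block` body are outside the visible hunks.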

+ 11 - 11
base/codebuild_portal_lambda/vars.tf

@@ -1,9 +1,9 @@
 variable "tags" {
   description = "Tags to add to the resource (in addition to global standard tags)"
-  type        = map
-  default     = { }
+  type        = map(any)
+  default     = {}
 }
-variable "standard_tags" { type = map }
+variable "standard_tags" { type = map(any) }
 variable "environment" { type = string }
 variable "aws_region" { type = string }
 variable "aws_partition" { type = string }
@@ -12,22 +12,22 @@ variable "aws_account_id" { type = string }
 variable "name" { type = string }
 
 variable "kms_key" {
-    type = string
-    default = ""
+  type    = string
+  default = ""
 }
 
 variable "source_version" {
   description = "Tag or branch for the git repository."
-  type = string
-  default = "master"
+  type        = string
+  default     = "master"
 }
 
 variable "badge_enabled" {
-    type = string
-    default = "false"
+  type    = string
+  default = "false"
 }
 
 variable "webhook_filter_pattern" {
-    type = string
-    default = "^refs/heads/develop$"
+  type    = string
+  default = "^refs/heads/develop$"
 }

+ 15 - 15
base/codebuild_project_no_artifact/codebuild.tf

@@ -1,8 +1,8 @@
 resource "aws_codebuild_project" "this" {
-  name                  = var.name
-  description           = "Container for ${var.name}"
-  service_role          = var.service_role
-  encryption_key        = var.kms_key
+  name           = var.name
+  description    = "Container for ${var.name}"
+  service_role   = var.service_role
+  encryption_key = var.kms_key
   #badge_enabled         = var.badge_enabled
 
   source {
@@ -16,42 +16,42 @@ resource "aws_codebuild_project" "this" {
   source_version = var.source_version
 
   environment {
-    compute_type        = "BUILD_GENERAL1_SMALL"
-    image               = var.image
-    type                = "LINUX_CONTAINER"
-    privileged_mode     = var.privileged_mode
+    compute_type    = "BUILD_GENERAL1_SMALL"
+    image           = var.image
+    type            = "LINUX_CONTAINER"
+    privileged_mode = var.privileged_mode
 
     dynamic "environment_variable" {
       for_each = var.env_vars
       iterator = each
       content {
-        name = each.key
+        name  = each.key
         value = each.value["value"]
-        type = try(each.value["type"],"PLAINTEXT")
+        type  = try(each.value["type"], "PLAINTEXT")
       }
     }
   }
 
   artifacts {
-    type                = "NO_ARTIFACTS"
+    type = "NO_ARTIFACTS"
   }
 
   tags = merge(var.standard_tags, var.tags)
 
   # Govcloud incompatible with "project visibility"
   # See https://github.com/hashicorp/terraform-provider-aws/issues/22473#issuecomment-1081187035
-  lifecycle { ignore_changes = [ project_visibility ] }
+  lifecycle { ignore_changes = [project_visibility] }
 }
 
 # Only build the cloudwatch trigger if it's needed
 resource "aws_cloudwatch_event_rule" "schedule_rule" {
-  count               = var.schedule_expression=="" ? 0 : 1
+  count               = var.schedule_expression == "" ? 0 : 1
   name                = "scheduled_build-${var.name}"
   schedule_expression = var.schedule_expression
 }
 
 resource "aws_cloudwatch_event_target" "trigger_build" {
-  count     = var.schedule_expression=="" ? 0 : 1
+  count     = var.schedule_expression == "" ? 0 : 1
   target_id = "trigger_build"
   rule      = aws_cloudwatch_event_rule.schedule_rule[count.index].name
   arn       = aws_codebuild_project.this.id
@@ -62,5 +62,5 @@ resource "aws_codebuild_webhook" "this" {
   count         = var.enable_webhook == true ? 1 : 0
   project_name  = var.name
   branch_filter = var.webhook_branch_filter
-  depends_on    = [ aws_codebuild_project.this ]
+  depends_on    = [aws_codebuild_project.this]
 }
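Review bot: The dynamic `environment_variable` block defaults `type` to `"PLAINTEXT"` via `try(each.value["type"], "PLAINTEXT")` and nothing tells callers that; PLAINTEXT values are stored on the project definition and readable by any principal with `codebuild:BatchGetProjects`, so a secret passed through `env_vars` without an explicit type is exposed. A comment on the dynamic block would make the contract explicit, e.g. `# type defaults to PLAINTEXT (stored on the project, visible via BatchGetProjects); pass type = "SECRETS_MANAGER" or "PARAMETER_STORE" for secrets`, and the same sentence belongs on `env_vars` in vars.tf, which currently has no description. `privileged_mode = var.privileged_mode` is parameterised here, which the codebuild_ecr_* modules in this PR hard-code to `true` — worth aligning across modules.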

+ 8 - 8
base/codebuild_project_no_artifact/vars.tf

@@ -1,16 +1,16 @@
 variable "tags" {
   description = "Tags to add to the resource (in addition to global standard tags)"
-  type        = map
-  default     = { }
+  type        = map(any)
+  default     = {}
 }
-variable "standard_tags" { type = map }
+variable "standard_tags" { type = map(any) }
 
-variable "name" { type=string }
-variable "service_role" { type=string }
-variable "github_clone_url" { type=string }
-variable "source_version" { type=string }
+variable "name" { type = string }
+variable "service_role" { type = string }
+variable "github_clone_url" { type = string }
+variable "source_version" { type = string }
 variable "env_vars" {
-  type    = map
+  type    = map(any)
   default = {}
 }
 

+ 9 - 9
base/codebuild_splunk_apps/cloudwatch.tf

@@ -2,7 +2,7 @@
 # 
 # Being polite aws users, we randomize the schedule over the hours of the early morning
 resource "random_integer" "hour" {
-  min = 5 # Midnight ET
+  min = 5  # Midnight ET
   max = 11 # 6am ET
 }
 
@@ -12,9 +12,9 @@ resource "random_integer" "minute" {
 }
 
 resource "aws_cloudwatch_event_rule" "schedule_rule" {
-  for_each               = local.splunk_server_types
+  for_each = local.splunk_server_types
 
-  name = "scheduled_build_${var.repository}_${each.value}"
+  name                = "scheduled_build_${var.repository}_${each.value}"
   schedule_expression = "cron(${random_integer.minute.result} ${random_integer.hour.result} * * ? *)"
 }
 
@@ -81,17 +81,17 @@ POLICY
 }
 
 resource "aws_iam_policy_attachment" "service_role_attachment" {
-  name = "splunk_apps_policy_attachment"
-  policy_arn = "${aws_iam_policy.codebuild_policy.arn}"
-  roles = ["${aws_iam_role.codebuild_role.id}"]
+  name       = "splunk_apps_policy_attachment"
+  policy_arn = aws_iam_policy.codebuild_policy.arn
+  roles      = ["${aws_iam_role.codebuild_role.id}"]
 }
 
 resource "aws_cloudwatch_event_target" "trigger_build" {
   for_each = local.splunk_server_types
 
   target_id = "trigger_build_${var.repository}_${each.value}"
-  rule = "${aws_cloudwatch_event_rule.schedule_rule[each.value].name}"
-  arn = "${aws_codebuild_project.this[each.value].id}"
+  rule      = aws_cloudwatch_event_rule.schedule_rule[each.value].name
+  arn       = aws_codebuild_project.this[each.value].id
 
-  role_arn = "${aws_iam_role.codebuild_role.arn}"
+  role_arn = aws_iam_role.codebuild_role.arn
 }

+ 2 - 2
base/codebuild_splunk_apps/ghe-key.tf

@@ -1,11 +1,11 @@
 data "aws_secretsmanager_secret" "ghe-key" {
-  name = "GHE/mdr-aws-codebuild/key"
+  name     = "GHE/mdr-aws-codebuild/key"
   provider = aws.c2
 }
 
 data "aws_secretsmanager_secret_version" "ghe-key" {
   secret_id = data.aws_secretsmanager_secret.ghe-key.id
-  provider = aws.c2
+  provider  = aws.c2
 }
 
 #locals {

+ 1 - 1
base/codebuild_splunk_apps/iam.tf

@@ -33,7 +33,7 @@ resource "aws_iam_role_policy_attachment" "codebuild_splunk_apps_role_policy_att
 resource "aws_iam_policy" "codebuild_splunk_apps_policy" {
   name_prefix = "codebuild_splunk_apps_policy"
   description = "Policy for AWS codebuild to build and store artifacts"
-  path     = "/aws_services/"
+  path        = "/aws_services/"
 
   policy = <<EOF
 {

+ 39 - 39
base/codebuild_splunk_apps/kms.tf

@@ -1,9 +1,9 @@
 #Codebuild artifacts by rule must be encrypted by a KMS key
 # using the default aws/s3 key doesn't work with cross-account access
 resource "aws_kms_key" "s3_codebuild_splunk_apps_artifacts" {
-  description             = "Codebuild Artifacts S3 bucket - ${var.repository}"
-  enable_key_rotation     = true
-  policy                  = data.aws_iam_policy_document.codebuild_splunk_apps_kms_key_encryption_policy.json
+  description         = "Codebuild Artifacts S3 bucket - ${var.repository}"
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.codebuild_splunk_apps_kms_key_encryption_policy.json
 }
 
 resource "aws_kms_alias" "codebuilt-artifacts" {
@@ -15,21 +15,21 @@ resource "aws_kms_alias" "codebuilt-artifacts" {
 data "aws_iam_policy_document" "codebuild_splunk_apps_kms_key_encryption_policy" {
   #policy_id = "key-consolepolicy-3"
   statement {
-    sid = "Enable IAM User Permissions"
+    sid    = "Enable IAM User Permissions"
     effect = "Allow"
     principals {
       type = "AWS"
-      identifiers = [ 
+      identifiers = [
         "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
         "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin"
-        ]
+      ]
     }
-    actions   = [ "kms:*" ]
-    resources = [ "*" ]
+    actions   = ["kms:*"]
+    resources = ["*"]
   }
 
   statement {
-    sid = "Allow access for Key Administrators"
+    sid    = "Allow access for Key Administrators"
     effect = "Allow"
     principals {
       type = "AWS"
@@ -54,11 +54,11 @@ data "aws_iam_policy_document" "codebuild_splunk_apps_kms_key_encryption_policy"
       "kms:ScheduleKeyDeletion",
       "kms:CancelKeyDeletion"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
   }
 
   statement {
-    sid =  "Allow use of the key"
+    sid    = "Allow use of the key"
     effect = "Allow"
     principals {
       type = "AWS"
@@ -73,47 +73,47 @@ data "aws_iam_policy_document" "codebuild_splunk_apps_kms_key_encryption_policy"
       "kms:GenerateDataKey*",
       "kms:DescribeKey"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
   }
 
-  statement  {
-    sid = "Allow access through Amazon S3 for all principals in the account that are authorized to use Amazon S3"
+  statement {
+    sid    = "Allow access through Amazon S3 for all principals in the account that are authorized to use Amazon S3"
     effect = "Allow"
     principals {
-      type = "AWS"
-      identifiers = [ "*" ]
+      type        = "AWS"
+      identifiers = ["*"]
     }
     actions = [
-        "kms:Encrypt",
-        "kms:Decrypt",
-        "kms:ReEncrypt*",
-        "kms:GenerateDataKey*",
-        "kms:DescribeKey"
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
 
     condition {
-      test = "StringEquals"
+      test     = "StringEquals"
       variable = "kms.ViaService"
-      values = [ "s3.${var.aws_region}.amazonaws.com" ]
+      values   = ["s3.${var.aws_region}.amazonaws.com"]
     }
 
     condition {
-      test = "StringEquals"
+      test     = "StringEquals"
       variable = "kms.CallerAccount"
-      values = [ var.aws_account_id ]
+      values   = [var.aws_account_id]
     }
   }
 
-  statement  {
-    sid = "Allow access from the codebuild role"
+  statement {
+    sid    = "Allow access from the codebuild role"
     effect = "Allow"
     principals {
       type = "AWS"
-    
-      identifiers = [ 
+
+      identifiers = [
         aws_iam_role.codebuild_splunk_apps_role.arn,
-        "arn:${ var.aws_partition}:iam::${ var.aws_account_id}:role/service/splunk-apps-s3"
+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/service/splunk-apps-s3"
       ]
     }
     actions = [
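Review bot: The two `condition` blocks in the "Allow access through Amazon S3" statement name the condition keys `kms.ViaService` and `kms.CallerAccount`, but the KMS condition keys are spelled with a colon, `kms:ViaService` and `kms:CallerAccount` — the same file already uses the colon form for `kms:GrantIsForAWSResource` in the grant statement below. If the policy is accepted with the dotted names, a `StringEquals` test on a key that is never present in the request context evaluates false, so this statement grants nothing to the `*` principal and S3-mediated use of the key by other account principals is silently limited to what the other statements allow. The fix is `variable = "kms:ViaService"` and `variable = "kms:CallerAccount"`. The same two lines appear in base/codebuild_splunk_docs/kms.tf in the hunk starting at `@@ -72,45 +72,45 @@`. The enclosing policy document continues outside this hunk.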
@@ -123,11 +123,11 @@ data "aws_iam_policy_document" "codebuild_splunk_apps_kms_key_encryption_policy"
       "kms:GenerateDataKey*",
       "kms:DescribeKey"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
   }
-  
+
   statement {
-    sid = "Allow attachment of persistent resources"
+    sid    = "Allow attachment of persistent resources"
     effect = "Allow"
     principals {
       type = "AWS"
@@ -140,11 +140,11 @@ data "aws_iam_policy_document" "codebuild_splunk_apps_kms_key_encryption_policy"
       "kms:ListGrants",
       "kms:RevokeGrant"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
     condition {
-      test = "Bool"
-      variable =  "kms:GrantIsForAWSResource"
-      values = [ "true" ]
-      }
+      test     = "Bool"
+      variable = "kms:GrantIsForAWSResource"
+      values   = ["true"]
     }
+  }
 }

+ 22 - 22
base/codebuild_splunk_apps/main.tf

@@ -1,15 +1,15 @@
 data "github_repository" "this" {
-    name    = var.repository
+  name = var.repository
 }
 
 resource "aws_codebuild_project" "this" {
-  for_each               = local.splunk_server_types
+  for_each = local.splunk_server_types
 
-  name                  = "splunk_apps_${var.splunk_prefix}_${each.value}_${var.repository}"
-  description           = "Splunk Application build for ${each.value} from ${var.repository} repository"
-  service_role          = aws_iam_role.codebuild_splunk_apps_role.arn
-  encryption_key        = aws_kms_key.s3_codebuild_splunk_apps_artifacts.arn
-  badge_enabled         = var.badge_enabled
+  name                   = "splunk_apps_${var.splunk_prefix}_${each.value}_${var.repository}"
+  description            = "Splunk Application build for ${each.value} from ${var.repository} repository"
+  service_role           = aws_iam_role.codebuild_splunk_apps_role.arn
+  encryption_key         = aws_kms_key.s3_codebuild_splunk_apps_artifacts.arn
+  badge_enabled          = var.badge_enabled
   concurrent_build_limit = 1
   build_timeout          = 60
 
@@ -27,37 +27,37 @@ resource "aws_codebuild_project" "this" {
   source_version = var.source_version
 
   environment {
-    compute_type        = "BUILD_GENERAL1_SMALL"
-    image               = "${var.common_services_account}.dkr.ecr.us-gov-east-1.amazonaws.com/content_generator:latest"
+    compute_type                = "BUILD_GENERAL1_SMALL"
+    image                       = "${var.common_services_account}.dkr.ecr.us-gov-east-1.amazonaws.com/content_generator:latest"
     image_pull_credentials_type = "SERVICE_ROLE"
-    type                = "LINUX_CONTAINER"
+    type                        = "LINUX_CONTAINER"
     environment_variable {
-      name = "TAG"
-      type = "PLAINTEXT"
+      name  = "TAG"
+      type  = "PLAINTEXT"
       value = "${var.splunk_prefix}:${each.value}"
     }
     environment_variable {
-      name = "ARTIFACTS_PATH"
-      type = "PLAINTEXT"
-      value = "s3://xdr-${var.splunk_prefix}-${var.environment}-splunk-apps/${ each.value }/${var.repository}/"
+      name  = "ARTIFACTS_PATH"
+      type  = "PLAINTEXT"
+      value = "s3://xdr-${var.splunk_prefix}-${var.environment}-splunk-apps/${each.value}/${var.repository}/"
     }
   }
 
   # Example: s3://xdr-moose-test-splunk-apps/sh-es/content_source/
   artifacts {
-    type                = "S3"
-    location            = "xdr-${var.splunk_prefix}-${var.environment}-splunk-apps"
-    name                = var.repository
-    path                = "/${ each.value }/"
-    namespace_type      = "NONE"
-    packaging           = "NONE"
+    type           = "S3"
+    location       = "xdr-${var.splunk_prefix}-${var.environment}-splunk-apps"
+    name           = var.repository
+    path           = "/${each.value}/"
+    namespace_type = "NONE"
+    packaging      = "NONE"
   }
 
   tags = merge(var.standard_tags, var.tags)
 
   # Govcloud incompatible with "project visibility"
   # See https://github.com/hashicorp/terraform-provider-aws/issues/22473#issuecomment-1081187035
-  lifecycle { ignore_changes = [ project_visibility ] }
+  lifecycle { ignore_changes = [project_visibility] }
 }
 
 locals {

+ 12 - 12
base/codebuild_splunk_apps/vars.tf

@@ -11,27 +11,27 @@ locals {
 
 variable "repository" {
   description = "Name of the repository. Must be part of the provider in the terragrunt.hcl. This will determine both the name of the repository and the folder in S3 where application artifacts are stored."
-  type = string
+  type        = string
 }
 
 variable "source_version" {
   description = "Tag or branch for the git repository."
-  type = string
-  default = "master"
+  type        = string
+  default     = "master"
 }
 
 variable "enable_webhooks" {
   description = "Build on changes?"
-  type = bool
-  default = false
+  type        = bool
+  default     = false
 }
 
 variable "tags" {
   description = "Tags to add to the resource (in addition to global standard tags)"
-  type        = map
-  default     = { }
+  type        = map(any)
+  default     = {}
 }
-variable "standard_tags" { type = map }
+variable "standard_tags" { type = map(any) }
 variable "environment" { type = string }
 variable "aws_region" { type = string }
 variable "aws_partition" { type = string }
@@ -41,11 +41,11 @@ variable "common_services_account" { type = string }
 variable "splunk_prefix" { type = string }
 
 variable "badge_enabled" {
-    type = string
-    default = "false"
+  type    = string
+  default = "false"
 }
 
 variable "webhook_branch_filter" {
-    type = string
-    default = "^(master|develop)$"
+  type    = string
+  default = "^(master|develop)$"
 }

+ 7 - 7
base/codebuild_splunk_docs/cloudwatch.tf

@@ -2,7 +2,7 @@
 # 
 # Being polite aws users, we randomize the schedule over the hours of the early morning
 resource "random_integer" "hour" {
-  min = 5 # Midnight ET
+  min = 5  # Midnight ET
   max = 11 # 6am ET
 }
 
@@ -12,7 +12,7 @@ resource "random_integer" "minute" {
 }
 
 resource "aws_cloudwatch_event_rule" "schedule_rule" {
-  name = "scheduled_build_docs_${var.repository}"
+  name                = "scheduled_build_docs_${var.repository}"
   schedule_expression = "cron(${random_integer.minute.result} ${random_integer.hour.result} * * ? *)"
 }
 
@@ -79,15 +79,15 @@ POLICY
 }
 
 resource "aws_iam_policy_attachment" "service_role_attachment" {
-  name = "splunk_docs_policy_attachment"
-  policy_arn = "${aws_iam_policy.codebuild_policy.arn}"
-  roles = ["${aws_iam_role.codebuild_role.id}"]
+  name       = "splunk_docs_policy_attachment"
+  policy_arn = aws_iam_policy.codebuild_policy.arn
+  roles      = ["${aws_iam_role.codebuild_role.id}"]
 }
 
 resource "aws_cloudwatch_event_target" "trigger_build" {
   target_id = "trigger_build_docs_${var.repository}"
-  rule = aws_cloudwatch_event_rule.schedule_rule.name
-  arn = aws_codebuild_project.this.id
+  rule      = aws_cloudwatch_event_rule.schedule_rule.name
+  arn       = aws_codebuild_project.this.id
 
   role_arn = aws_iam_role.codebuild_role.arn
 }

+ 2 - 2
base/codebuild_splunk_docs/ghe-key.tf

@@ -1,11 +1,11 @@
 data "aws_secretsmanager_secret" "ghe-key" {
-  name = "GHE/mdr-aws-codebuild/key"
+  name     = "GHE/mdr-aws-codebuild/key"
   provider = aws.c2
 }
 
 data "aws_secretsmanager_secret_version" "ghe-key" {
   secret_id = data.aws_secretsmanager_secret.ghe-key.id
-  provider = aws.c2
+  provider  = aws.c2
 }
 
 #locals {

+ 1 - 1
base/codebuild_splunk_docs/iam.tf

@@ -33,7 +33,7 @@ resource "aws_iam_role_policy_attachment" "codebuild_splunk_docs_role_policy_att
 resource "aws_iam_policy" "codebuild_splunk_docs_policy" {
   name_prefix = "codebuild_splunk_docs_policy"
   description = "Policy for AWS codebuild to build and store artifacts"
-  path     = "/aws_services/"
+  path        = "/aws_services/"
 
   policy = <<EOF
 {

+ 38 - 38
base/codebuild_splunk_docs/kms.tf

@@ -1,9 +1,9 @@
 #Codebuild artifacts by rule must be encrypted by a KMS key
 # using the default aws/s3 key doesn't work with cross-account access
 resource "aws_kms_key" "s3_codebuild_splunk_docs_artifacts" {
-  description             = "Codebuild Artifacts S3 bucket for Documentation - ${var.repository}"
-  enable_key_rotation     = true
-  policy                  = data.aws_iam_policy_document.codebuild_splunk_docs_kms_key_encryption_policy.json
+  description         = "Codebuild Artifacts S3 bucket for Documentation - ${var.repository}"
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.codebuild_splunk_docs_kms_key_encryption_policy.json
 }
 
 resource "aws_kms_alias" "codebuilt-artifacts" {
@@ -14,21 +14,21 @@ resource "aws_kms_alias" "codebuilt-artifacts" {
 data "aws_iam_policy_document" "codebuild_splunk_docs_kms_key_encryption_policy" {
   #policy_id = "key-consolepolicy-3"
   statement {
-    sid = "Enable IAM User Permissions"
+    sid    = "Enable IAM User Permissions"
     effect = "Allow"
     principals {
       type = "AWS"
-      identifiers = [ 
+      identifiers = [
         "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
         "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin"
-        ]
+      ]
     }
-    actions   = [ "kms:*" ]
-    resources = [ "*" ]
+    actions   = ["kms:*"]
+    resources = ["*"]
   }
 
   statement {
-    sid = "Allow access for Key Administrators"
+    sid    = "Allow access for Key Administrators"
     effect = "Allow"
     principals {
       type = "AWS"
@@ -53,11 +53,11 @@ data "aws_iam_policy_document" "codebuild_splunk_docs_kms_key_encryption_policy"
       "kms:ScheduleKeyDeletion",
       "kms:CancelKeyDeletion"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
   }
 
   statement {
-    sid =  "Allow use of the key"
+    sid    = "Allow use of the key"
     effect = "Allow"
     principals {
       type = "AWS"
@@ -72,45 +72,45 @@ data "aws_iam_policy_document" "codebuild_splunk_docs_kms_key_encryption_policy"
       "kms:GenerateDataKey*",
       "kms:DescribeKey"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
   }
 
-  statement  {
-    sid = "Allow access through Amazon S3 for all principals in the account that are authorized to use Amazon S3"
+  statement {
+    sid    = "Allow access through Amazon S3 for all principals in the account that are authorized to use Amazon S3"
     effect = "Allow"
     principals {
-      type = "AWS"
-      identifiers = [ "*" ]
+      type        = "AWS"
+      identifiers = ["*"]
     }
     actions = [
-        "kms:Encrypt",
-        "kms:Decrypt",
-        "kms:ReEncrypt*",
-        "kms:GenerateDataKey*",
-        "kms:DescribeKey"
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
 
     condition {
-      test = "StringEquals"
+      test     = "StringEquals"
       variable = "kms.ViaService"
-      values = [ "s3.${var.aws_region}.amazonaws.com" ]
+      values   = ["s3.${var.aws_region}.amazonaws.com"]
     }
 
     condition {
-      test = "StringEquals"
+      test     = "StringEquals"
       variable = "kms.CallerAccount"
-      values = [ var.aws_account_id ]
+      values   = [var.aws_account_id]
     }
   }
 
-  statement  {
-    sid = "Allow access from the codebuild role"
+  statement {
+    sid    = "Allow access from the codebuild role"
     effect = "Allow"
     principals {
       type = "AWS"
-    
-      identifiers = [ 
+
+      identifiers = [
         aws_iam_role.codebuild_splunk_docs_role.arn
       ]
     }
@@ -121,11 +121,11 @@ data "aws_iam_policy_document" "codebuild_splunk_docs_kms_key_encryption_policy"
       "kms:GenerateDataKey*",
       "kms:DescribeKey"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
   }
-  
+
   statement {
-    sid = "Allow attachment of persistent resources"
+    sid    = "Allow attachment of persistent resources"
     effect = "Allow"
     principals {
       type = "AWS"
@@ -139,11 +139,11 @@ data "aws_iam_policy_document" "codebuild_splunk_docs_kms_key_encryption_policy"
       "kms:ListGrants",
       "kms:RevokeGrant"
     ]
-    resources = [ "*" ]
+    resources = ["*"]
     condition {
-      test = "Bool"
-      variable =  "kms:GrantIsForAWSResource"
-      values = [ "true" ]
-      }
+      test     = "Bool"
+      variable = "kms:GrantIsForAWSResource"
+      values   = ["true"]
     }
+  }
 }

+ 18 - 18
base/codebuild_splunk_docs/main.tf

@@ -1,13 +1,13 @@
 data "github_repository" "this" {
-    name    = var.repository
+  name = var.repository
 }
 
 resource "aws_codebuild_project" "this" {
-  name                  = "splunk_docs_${var.repository}"
-  description           = "Splunk Documentation build from ${var.repository} repository"
-  service_role          = aws_iam_role.codebuild_splunk_docs_role.arn
-  encryption_key        = aws_kms_key.s3_codebuild_splunk_docs_artifacts.arn
-  badge_enabled         = var.badge_enabled
+  name                   = "splunk_docs_${var.repository}"
+  description            = "Splunk Documentation build from ${var.repository} repository"
+  service_role           = aws_iam_role.codebuild_splunk_docs_role.arn
+  encryption_key         = aws_kms_key.s3_codebuild_splunk_docs_artifacts.arn
+  badge_enabled          = var.badge_enabled
   concurrent_build_limit = 1
   build_timeout          = 60
 
@@ -26,32 +26,32 @@ resource "aws_codebuild_project" "this" {
   source_version = var.source_version
 
   environment {
-    compute_type        = "BUILD_GENERAL1_SMALL"
-    image               = "${var.common_services_account}.dkr.ecr.us-gov-east-1.amazonaws.com/content_generator:latest"
+    compute_type                = "BUILD_GENERAL1_SMALL"
+    image                       = "${var.common_services_account}.dkr.ecr.us-gov-east-1.amazonaws.com/content_generator:latest"
     image_pull_credentials_type = "SERVICE_ROLE"
-    type                = "LINUX_CONTAINER"
+    type                        = "LINUX_CONTAINER"
     environment_variable {
-      name = "ARTIFACTS_PATH"
-      type = "PLAINTEXT"
+      name  = "ARTIFACTS_PATH"
+      type  = "PLAINTEXT"
       value = "s3://xdr-${var.environment}-portal-shared-artifacts/splunk-search-docs/${var.repository}/"
     }
   }
 
   # Example: s3://xdr-moose-test-splunk-docs/sh-es/content_source/
   artifacts {
-    type                = "S3"
-    location            = "xdr-${var.environment}-portal-shared-artifacts"
-    name                = var.repository
-    path                = "/splunk-search-docs/"
-    namespace_type      = "NONE"
-    packaging           = "NONE"
+    type           = "S3"
+    location       = "xdr-${var.environment}-portal-shared-artifacts"
+    name           = var.repository
+    path           = "/splunk-search-docs/"
+    namespace_type = "NONE"
+    packaging      = "NONE"
   }
 
   tags = merge(var.standard_tags, var.tags)
 
   # Govcloud incompatible with "project visibility"
   # See https://github.com/hashicorp/terraform-provider-aws/issues/22473#issuecomment-1081187035
-  lifecycle { ignore_changes = [ project_visibility ] }
+  lifecycle { ignore_changes = [project_visibility] }
 }
 
 resource "aws_codebuild_webhook" "this" {

+ 12 - 12
base/codebuild_splunk_docs/vars.tf

@@ -11,27 +11,27 @@ locals {
 
 variable "repository" {
   description = "Name of the repository. Must be part of the provider in the terragrunt.hcl. This will determine both the name of the repository and the folder in S3 where application artifacts are stored."
-  type = string
+  type        = string
 }
 
 variable "source_version" {
   description = "Tag or branch for the git repository."
-  type = string
-  default = "master"
+  type        = string
+  default     = "master"
 }
 
 variable "enable_webhooks" {
   description = "Build on changes?"
-  type = bool
-  default = false
+  type        = bool
+  default     = false
 }
 
 variable "tags" {
   description = "Tags to add to the resource (in addition to global standard tags)"
-  type        = map
-  default     = { }
+  type        = map(any)
+  default     = {}
 }
-variable "standard_tags" { type = map }
+variable "standard_tags" { type = map(any) }
 variable "environment" { type = string }
 variable "aws_region" { type = string }
 variable "aws_partition" { type = string }
@@ -41,11 +41,11 @@ variable "common_services_account" { type = string }
 variable "splunk_prefix" { type = string }
 
 variable "badge_enabled" {
-    type = string
-    default = "false"
+  type    = string
+  default = "false"
 }
 
 variable "webhook_branch_filter" {
-    type = string
-    default = "^(master|develop)$"
+  type    = string
+  default = "^(master|develop)$"
 }

+ 1 - 1
base/customer_portal/certificate.tf

@@ -12,7 +12,7 @@ resource "aws_acm_certificate" "cert" {
 
 resource "aws_acm_certificate_validation" "cert" {
   certificate_arn         = aws_acm_certificate.cert.arn
-  validation_record_fqdns = [for record in aws_route53_record.cert_validation: record.fqdn]
+  validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
 }
 
 resource "aws_route53_record" "cert_validation" {

+ 21 - 21
base/customer_portal/ecr.tf

@@ -1,7 +1,7 @@
 locals {
   registries = [
     "portal_server",
-    "django_nginx", 
+    "django_nginx",
   ]
 }
 
@@ -14,12 +14,12 @@ data "aws_vpc_endpoint_service" "ecr_dkr_endpoint" {
 }
 
 resource "aws_iam_instance_profile" "portal_server_instance_profile" {
-  name     = "portal_server-instance-profile"
-  role     = aws_iam_role.portal_server.name
+  name = "portal_server-instance-profile"
+  role = aws_iam_role.portal_server.name
 }
 
 resource "aws_iam_role" "portal_server" {
-  name     = "portal-instance-role"
+  name = "portal-instance-role"
 
   assume_role_policy = <<EOF
 {   
@@ -55,17 +55,17 @@ data "aws_iam_policy_document" "portal_server_ecr_policy" {
     effect = "Allow"
 
     actions = [
-			"ecr:BatchCheckLayerAvailability",
-			"ecr:GetDownloadUrlForLayer",
-			"ecr:GetRepositoryPolicy",
-			"ecr:DescribeRepositories",
-			"ecr:ListImages",
-			"ecr:DescribeImages",
-			"ecr:BatchGetImage",
-			"ecr:InitiateLayerUpload",
-			"ecr:UploadLayerPart",
-			"ecr:CompleteLayerUpload",
-			"ecr:PutImage"
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:GetRepositoryPolicy",
+      "ecr:DescribeRepositories",
+      "ecr:ListImages",
+      "ecr:DescribeImages",
+      "ecr:BatchGetImage",
+      "ecr:InitiateLayerUpload",
+      "ecr:UploadLayerPart",
+      "ecr:CompleteLayerUpload",
+      "ecr:PutImage"
     ]
 
     resources = [
@@ -89,9 +89,9 @@ data "aws_iam_policy_document" "portal_server_ecr_policy" {
 }
 
 resource "aws_iam_policy" "portal_server_ecr_policy" {
-  name     = "portal_server_ecr"
-  path     = "/"
-  policy   = data.aws_iam_policy_document.portal_server_ecr_policy.json
+  name   = "portal_server_ecr"
+  path   = "/"
+  policy = data.aws_iam_policy_document.portal_server_ecr_policy.json
 }
 
 resource "aws_iam_role_policy_attachment" "portal_server_ecr" {
@@ -124,9 +124,9 @@ data "aws_iam_policy_document" "portal_server_assumerole" {
 }
 
 resource "aws_iam_policy" "portal_server_assumerole_policy" {
-  name     = "portal_server_assumerole"
-  path     = "/launchroles/"
-  policy   = data.aws_iam_policy_document.portal_server_assumerole.json
+  name   = "portal_server_assumerole"
+  path   = "/launchroles/"
+  policy = data.aws_iam_policy_document.portal_server_assumerole.json
 }
 
 resource "aws_iam_role_policy_attachment" "portal_server_assumerole" {

+ 24 - 24
base/customer_portal/elb.tf

@@ -4,42 +4,42 @@
 # ---------------------------------------------------------------------------------------------------------------------
 resource "aws_alb" "portal" {
   name            = "portal-alb-${var.environment}"
-  security_groups = [ aws_security_group.customer_portal_alb.id, ]
-  internal        = false 
+  security_groups = [aws_security_group.customer_portal_alb.id, ]
+  internal        = false
   subnets         = var.public_subnets
 
-  tags = merge( var.standard_tags, var.tags, { Name = "portal-alb-${var.environment}" })
+  tags = merge(var.standard_tags, var.tags, { Name = "portal-alb-${var.environment}" })
 
   access_logs {
-    bucket = "xdr-elb-${ var.environment }"
-    prefix = ""
+    bucket  = "xdr-elb-${var.environment}"
+    prefix  = ""
     enabled = true
   }
 }
 
 # Create a new target group
 resource "aws_alb_target_group" "portal" {
-  name                 = "portal-alb-targets-${var.environment}"
-  port                 = 443 
-  protocol             = "HTTPS"
-  vpc_id               = var.vpc_id
+  name     = "portal-alb-targets-${var.environment}"
+  port     = 443
+  protocol = "HTTPS"
+  vpc_id   = var.vpc_id
 
   health_check {
-    protocol = "HTTPS"
-    path    = "/api/health/"
-    matcher = "200-400"
-    timeout  = "4"
-    interval = "15"
+    protocol            = "HTTPS"
+    path                = "/api/health/"
+    matcher             = "200-400"
+    timeout             = "4"
+    interval            = "15"
     unhealthy_threshold = 2
     healthy_threshold   = 2
   }
 
   stickiness {
     type    = "lb_cookie"
-    enabled = false 
+    enabled = false
   }
 
-  tags = merge( var.standard_tags, var.tags, )
+  tags = merge(var.standard_tags, var.tags, )
 }
 
 # Create a new alb listener ( certificate_arn wait for DNS cut over )
@@ -75,7 +75,7 @@ resource "aws_lb_listener" "portal_https_redirect" {
 
 # Attach the instances to the ELB
 resource "aws_autoscaling_attachment" "customer_portal_asg_attachment" {
-  lb_target_group_arn = aws_alb_target_group.portal.arn
+  lb_target_group_arn    = aws_alb_target_group.portal.arn
   autoscaling_group_name = aws_autoscaling_group.customer_portal.name
 }
 
@@ -85,10 +85,10 @@ resource "aws_autoscaling_attachment" "customer_portal_asg_attachment" {
 module "public_dns_record" {
   source = "../../submodules/dns/public_ALIAS_record"
 
-  name = "portal"
+  name            = "portal"
   target_dns_name = aws_alb.portal.dns_name
   target_zone_id  = aws_alb.portal.zone_id
-  dns_info = var.dns_info
+  dns_info        = var.dns_info
 
   providers = {
     aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
@@ -111,7 +111,7 @@ resource "aws_security_group_rule" "customer_portal_alb_https" {
   from_port         = 443
   to_port           = 443
   security_group_id = aws_security_group.customer_portal_alb.id
-  cidr_blocks       = [ var.environment == "test" ? "10.0.0.0/8" : "0.0.0.0/0",  ]
+  cidr_blocks       = [var.environment == "test" ? "10.0.0.0/8" : "0.0.0.0/0", ]
 }
 
 #Allow viewing of test portal from home. We don't want world to view test portal.
@@ -121,7 +121,7 @@ resource "aws_security_group_rule" "customer_portal_alb_https_test" {
   from_port         = 443
   to_port           = 443
   security_group_id = aws_security_group.customer_portal_alb.id
-  cidr_blocks       = flatten(concat(var.portal_test_whitelist, formatlist("%s/32",var.nat_public_ips)))
+  cidr_blocks       = flatten(concat(var.portal_test_whitelist, formatlist("%s/32", var.nat_public_ips)))
 }
 
 ## Needed for HTTPs redirect
@@ -131,18 +131,18 @@ resource "aws_security_group_rule" "customer_portal_alb_http" {
   from_port         = 80
   to_port           = 80
   security_group_id = aws_security_group.customer_portal_alb.id
-  cidr_blocks       = [ var.environment == "test" ? "10.0.0.0/8" : "0.0.0.0/0", ]
+  cidr_blocks       = [var.environment == "test" ? "10.0.0.0/8" : "0.0.0.0/0", ]
 }
 
 # Needed for Sensu Check from the proxy in test
 resource "aws_security_group_rule" "customer_portal_sensu_check" {
-  count = var.environment == "test" ? 1 : 0
+  count             = var.environment == "test" ? 1 : 0
   protocol          = "tcp"
   type              = "ingress"
   from_port         = 443
   to_port           = 443
   security_group_id = aws_security_group.customer_portal_alb.id
-  cidr_blocks       = [ "${var.proxy_public_ip}/32", ]
+  cidr_blocks       = ["${var.proxy_public_ip}/32", ]
 }
 
 resource "aws_security_group_rule" "customer_portal_alb" {

+ 66 - 66
base/customer_portal/main.tf

@@ -1,6 +1,6 @@
 # Some instance variables
 locals {
-  ami_selection       = "minion" # master, minion, ...
+  ami_selection = "minion" # master, minion, ...
 }
 
 # Rather than pass in the aws security group, we just look it up. This will
@@ -34,18 +34,18 @@ resource "aws_launch_template" "customer_portal" {
   network_interfaces {
     delete_on_termination       = true
     associate_public_ip_address = false
-    security_groups             = [ data.aws_security_group.typical-host.id, aws_security_group.customer_portal.id ]
+    security_groups             = [data.aws_security_group.typical-host.id, aws_security_group.customer_portal.id]
   }
 
   block_device_mappings {
     device_name = "/dev/sda1"
 
     ebs {
-      volume_type = "gp3"
-      volume_size = "100"
+      volume_type           = "gp3"
+      volume_size           = "100"
       delete_on_termination = true
-      encrypted = true
-      kms_key_id = data.aws_kms_key.ebs-key.arn
+      encrypted             = true
+      kms_key_id            = data.aws_kms_key.ebs-key.arn
     }
   }
   block_device_mappings {
@@ -53,11 +53,11 @@ resource "aws_launch_template" "customer_portal" {
     device_name = "/dev/xvdm"
 
     ebs {
-      volume_type = "gp3"
-      volume_size = "8"
+      volume_type           = "gp3"
+      volume_size           = "8"
       delete_on_termination = true
-      encrypted = true
-      kms_key_id = data.aws_kms_key.ebs-key.arn
+      encrypted             = true
+      kms_key_id            = data.aws_kms_key.ebs-key.arn
       # Snapshot IDs need to be grabbed from the ami, or it will replace every time. It's ugly.
       # This may prompt replacement when the AMI is updated.
       # See:
@@ -71,11 +71,11 @@ resource "aws_launch_template" "customer_portal" {
     device_name = "/dev/xvdn"
 
     ebs {
-      volume_type = "gp3"
-      volume_size = "4"
+      volume_type           = "gp3"
+      volume_size           = "4"
       delete_on_termination = true
-      encrypted = true
-      kms_key_id = data.aws_kms_key.ebs-key.arn
+      encrypted             = true
+      kms_key_id            = data.aws_kms_key.ebs-key.arn
       #snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdn"].ebs.snapshot_id
     }
   }
@@ -84,11 +84,11 @@ resource "aws_launch_template" "customer_portal" {
     device_name = "/dev/xvdo"
 
     ebs {
-      volume_type = "gp3"
-      volume_size = "15"
+      volume_type           = "gp3"
+      volume_size           = "15"
       delete_on_termination = true
-      encrypted = true
-      kms_key_id = data.aws_kms_key.ebs-key.arn
+      encrypted             = true
+      kms_key_id            = data.aws_kms_key.ebs-key.arn
       #snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdo"].ebs.snapshot_id
     }
   }
@@ -97,11 +97,11 @@ resource "aws_launch_template" "customer_portal" {
     device_name = "/dev/xvdp"
 
     ebs {
-      volume_type = "gp3"
-      volume_size = "4"
+      volume_type           = "gp3"
+      volume_size           = "4"
       delete_on_termination = true
-      encrypted = true
-      kms_key_id = data.aws_kms_key.ebs-key.arn
+      encrypted             = true
+      kms_key_id            = data.aws_kms_key.ebs-key.arn
       #snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdp"].ebs.snapshot_id
     }
   }
@@ -110,11 +110,11 @@ resource "aws_launch_template" "customer_portal" {
     device_name = "/dev/xvdq"
 
     ebs {
-      volume_type = "gp3"
-      volume_size = "8"
+      volume_type           = "gp3"
+      volume_size           = "8"
       delete_on_termination = true
-      encrypted = true
-      kms_key_id = data.aws_kms_key.ebs-key.arn
+      encrypted             = true
+      kms_key_id            = data.aws_kms_key.ebs-key.arn
       #snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdq"].ebs.snapshot_id
     }
   }
@@ -123,11 +123,11 @@ resource "aws_launch_template" "customer_portal" {
     device_name = "/dev/xvdr"
 
     ebs {
-      volume_type = "gp3"
-      volume_size = "8"
+      volume_type           = "gp3"
+      volume_size           = "8"
       delete_on_termination = true
-      encrypted = true
-      kms_key_id = data.aws_kms_key.ebs-key.arn
+      encrypted             = true
+      kms_key_id            = data.aws_kms_key.ebs-key.arn
       #snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdr"].ebs.snapshot_id
     }
   }
@@ -136,23 +136,23 @@ resource "aws_launch_template" "customer_portal" {
     device_name = "/dev/xvds"
 
     ebs {
-      volume_type = "gp3"
-      volume_size = "4"
+      volume_type           = "gp3"
+      volume_size           = "4"
       delete_on_termination = true
-      encrypted = true
-      kms_key_id = data.aws_kms_key.ebs-key.arn
+      encrypted             = true
+      kms_key_id            = data.aws_kms_key.ebs-key.arn
       #snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvds"].ebs.snapshot_id
     }
   }
 
   tag_specifications {
     resource_type = "instance"
-    tags = merge(var.tags, var.instance_tags, { "Name": var.instance_name }) # This may have no effect?
+    tags          = merge(var.tags, var.instance_tags, { "Name" : var.instance_name }) # This may have no effect?
   }
 
   tag_specifications {
     resource_type = "volume"
-    tags = merge(var.tags, { "Name": var.instance_name }) # This may have no effect
+    tags          = merge(var.tags, { "Name" : var.instance_name }) # This may have no effect
   }
 
   lifecycle {
@@ -163,24 +163,24 @@ resource "aws_launch_template" "customer_portal" {
 resource "aws_autoscaling_group" "customer_portal" {
   name = "customer-portal-asg"
   launch_template {
-    id = aws_launch_template.customer_portal.id
+    id      = aws_launch_template.customer_portal.id
     version = "$Latest"
   }
-  vpc_zone_identifier = var.private_subnets
+  vpc_zone_identifier       = var.private_subnets
   min_size                  = 1
   max_size                  = 2
   desired_capacity          = 2
   wait_for_capacity_timeout = 0
   health_check_type         = "EC2"
   tag {
-    key = "Name"
-    value = var.instance_name
+    key                 = "Name"
+    value               = var.instance_name
     propagate_at_launch = true
-    }
-  
+  }
+
   # Must ignore changes to attachments, or tf will flip flop
   lifecycle {
-    ignore_changes = [ load_balancers, target_group_arns ]
+    ignore_changes = [load_balancers, target_group_arns]
   }
 }
 
@@ -194,15 +194,15 @@ data "template_cloudinit_config" "cloud-init" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+    content = templatefile("${path.module}/cloud-init/cloud-init.tpl",
       {
-        zone = var.dns_info["private"]["zone"]
-        environment = var.environment
-        salt_master  = var.salt_master
-        proxy = var.proxy
-        aws_partition = var.aws_partition
+        zone                = var.dns_info["private"]["zone"]
+        environment         = var.environment
+        salt_master         = var.salt_master
+        proxy               = var.proxy
+        aws_partition       = var.aws_partition
         aws_partition_alias = var.aws_partition_alias
-        aws_region = var.aws_region
+        aws_region          = var.aws_region
       }
     )
   }
@@ -250,34 +250,34 @@ resource "aws_security_group_rule" "customer_portal_postgres_outbound" {
   from_port                = 5432
   to_port                  = 5432
   protocol                 = "tcp"
-  security_group_id = aws_security_group.customer_portal.id
+  security_group_id        = aws_security_group.customer_portal.id
   source_security_group_id = aws_security_group.postgres.id
 }
 
 resource "aws_security_group_rule" "customer_portal_http_outbound" {
-  type        = "egress"
-  from_port   = 80
-  to_port     = 80
-  protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
+  type              = "egress"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
   security_group_id = aws_security_group.customer_portal.id
 }
 
 resource "aws_security_group_rule" "customer_portal_https_outbound" {
-  type        = "egress"
-  from_port   = 443
-  to_port     = 443
-  protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
+  type              = "egress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
   security_group_id = aws_security_group.customer_portal.id
 }
 
 resource "aws_security_group_rule" "customer_portal_smtps_outbound" {
-  type        = "egress"
-  from_port   = 465
-  to_port     = 465
-  protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
+  type              = "egress"
+  from_port         = 465
+  to_port           = 465
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
   security_group_id = aws_security_group.customer_portal.id
 }
 
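Review bot: The three egress rules `customer_portal_http_outbound`, `customer_portal_https_outbound` and `customer_portal_smtps_outbound` keep `cidr_blocks = ["0.0.0.0/0"]`, so the portal hosts can reach any address on 80, 443 and 465, which is an open exfiltration path if a host is compromised; the formatting change does not touch this. The cloud-init part in the hunk above passes `proxy = var.proxy`, which suggests outbound web traffic is meant to go through a proxy; if that is the case, 80/443 can be limited to the proxy the way `customer_portal_postgres_outbound` already uses `source_security_group_id`, and 465 to the known mail relay. If unrestricted egress is intentional, a comment on each rule stating why (`# egress to any: <reason>`) would make the intent explicit. The `customer_portal_postgres_outbound` resource header lies outside this hunk.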

+ 26 - 26
base/customer_portal/rds.tf

@@ -2,7 +2,7 @@
 # RDS Cluster
 #------------------------------------
 resource "aws_kms_key" "customer_portal_kms" {
-  description = "RDS KMS Key"
+  description         = "RDS KMS Key"
   enable_key_rotation = true
 }
 
@@ -14,31 +14,31 @@ resource "aws_db_subnet_group" "customer_portal_rds_subnets" {
 
 # yeah, I alphabatized it. Don't you alphabatized your config files? 
 resource "aws_db_instance" "postgres" {
-  allocated_storage           = 20
-  apply_immediately           = "true"
-  auto_minor_version_upgrade  = "true"
-  db_subnet_group_name        = aws_db_subnet_group.customer_portal_rds_subnets.name
-  backup_window               = "03:00-06:00"
-  backup_retention_period     = 7
-  ca_cert_identifier          = "rds-ca-rsa4096-g1"
-  deletion_protection         = var.environment == "test" ? "false" : "true"
-  delete_automated_backups    = "true"
-  engine                      = "postgres"
-  engine_version              = var.environment == "test" ? "12" : "12.8"
-  final_snapshot_identifier   = "customerportal"
-  instance_class              = "db.t2.small"
-  identifier                  = "customerportal"
-  kms_key_id                  = aws_kms_key.customer_portal_kms.arn
-  maintenance_window          = "Mon:00:00-Mon:03:00"
-  db_name                     = "customerportal"
-  password                    = var.environment == "test" ? "foobarbaz" : "050ff734-fb33-9248-13e4-7d8ad2e899a0"
-  port                        = 5432
-  skip_final_snapshot         = var.environment == "test" ? "true" : "false"
-  storage_type                = "gp2"
-  storage_encrypted           = "true"
-  tags                        = merge( var.standard_tags, var.tags )
-  username                    = "portal"
-  vpc_security_group_ids      = [ aws_security_group.postgres.id, ]
+  allocated_storage          = 20
+  apply_immediately          = "true"
+  auto_minor_version_upgrade = "true"
+  db_subnet_group_name       = aws_db_subnet_group.customer_portal_rds_subnets.name
+  backup_window              = "03:00-06:00"
+  backup_retention_period    = 7
+  ca_cert_identifier         = "rds-ca-rsa4096-g1"
+  deletion_protection        = var.environment == "test" ? "false" : "true"
+  delete_automated_backups   = "true"
+  engine                     = "postgres"
+  engine_version             = var.environment == "test" ? "12" : "12.8"
+  final_snapshot_identifier  = "customerportal"
+  instance_class             = "db.t2.small"
+  identifier                 = "customerportal"
+  kms_key_id                 = aws_kms_key.customer_portal_kms.arn
+  maintenance_window         = "Mon:00:00-Mon:03:00"
+  db_name                    = "customerportal"
+  password                   = var.environment == "test" ? "foobarbaz" : "050ff734-fb33-9248-13e4-7d8ad2e899a0"
+  port                       = 5432
+  skip_final_snapshot        = var.environment == "test" ? "true" : "false"
+  storage_type               = "gp2"
+  storage_encrypted          = "true"
+  tags                       = merge(var.standard_tags, var.tags)
+  username                   = "portal"
+  vpc_security_group_ids     = [aws_security_group.postgres.id, ]
 }
 
 #------------------------------------
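Review bot: The `password` line of `aws_db_instance.postgres` still embeds the non-test master password as a string literal, so the credential is in git history and in every clone of this repository, and the commit does not address it. Replace the literal with an input that is not checked in, `password = var.db_password` with the variable declared `sensitive = true` and supplied out of band, or drop `password` in favour of `manage_master_user_password = true` so the provider stores it in Secrets Manager. Because the value has already been committed it should be rotated regardless of which option is chosen, and since Terraform also writes the password into state, the state backend needs the same access controls as a secret store.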

+ 13 - 13
base/customer_portal/vars.tf

@@ -1,10 +1,10 @@
-variable "tags" { type = map }
-variable "dns_info" { type = map }
-variable "cidr_map" { type = map }
+variable "tags" { type = map(any) }
+variable "dns_info" { type = map(any) }
+variable "cidr_map" { type = map(any) }
 variable "instance_termination_protection" { type = bool }
-variable "standard_tags" { type = map }
+variable "standard_tags" { type = map(any) }
 variable "environment" { type = string }
-variable "trusted_ips" { type = list }
+variable "trusted_ips" { type = list(any) }
 variable "aws_region" { type = string }
 variable "aws_partition" { type = string }
 variable "aws_partition_alias" { type = string }
@@ -12,20 +12,20 @@ variable "aws_account_id" { type = string }
 variable "common_services_account" { type = string }
 variable "proxy" { type = string }
 variable "salt_master" { type = string }
-variable "portal_test_whitelist" { type = list }
+variable "portal_test_whitelist" { type = list(any) }
 
-variable "nat_public_ips" { type = list }
+variable "nat_public_ips" { type = list(any) }
 
 variable "admin_ips" { type = list(string) }
 variable "zscalar_ips" { type = list(string) }
 
 variable "instance_name" {
   description = "Hostname, DNS entry, etc."
-  type = string
+  type        = string
 }
 
-variable "instance_type" { 
-  type = string
+variable "instance_type" {
+  type    = string
   default = "t3a.micro"
 }
 
@@ -43,11 +43,11 @@ variable "public_subnets" {
 
 variable "proxy_public_ip" {
   type = string
-  
+
 }
 
 variable "instance_tags" {
   description = "Tags for the instance only."
-  type = map(string)
-  default = { }
+  type        = map(string)
+  default     = {}
 }

+ 11 - 11
base/customer_portal/waf.tf

@@ -2,17 +2,17 @@ module "waf" {
   source = "../../submodules/wafv2"
 
   # Custom to resource
-  allowed_ips = [ ] # bypasses filters, so should not be needed/used unless warranted. We previously did var.admin_remote_ipset, but that seems like a bad idea
-  additional_blocked_ips = [ ] # NOTE: There is a standard list in the submodule
-  admin_ips = concat(var.zscalar_ips, var.admin_ips)
-  resource_arn = aws_alb.portal.arn
-  fqdns = module.public_dns_record.forward # first entry in list will be the WAF name
+  allowed_ips            = [] # bypasses filters, so should not be needed/used unless warranted. We previously did var.admin_remote_ipset, but that seems like a bad idea
+  additional_blocked_ips = [] # NOTE: There is a standard list in the submodule
+  admin_ips              = concat(var.zscalar_ips, var.admin_ips)
+  resource_arn           = aws_alb.portal.arn
+  fqdns                  = module.public_dns_record.forward # first entry in list will be the WAF name
 
   excluded_rules_AWSManagedRulesCommonRuleSet = [
     "SizeRestrictions_BODY",
-    "GenericRFI_BODY",              # Blocks portal lambda MSOCI-2060
-    "CrossSiteScripting_BODY",      # Blocks portal API MSOCI-2121
-    "EC2MetaDataSSRF_BODY",         # Blocks portal API MSOCI-2121
+    "GenericRFI_BODY",         # Blocks portal lambda MSOCI-2060
+    "CrossSiteScripting_BODY", # Blocks portal API MSOCI-2121
+    "EC2MetaDataSSRF_BODY",    # Blocks portal API MSOCI-2121
   ]
 
   excluded_rules_AWSManagedRulesUnixRuleSet = [
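Review bot: The `excluded_rules_AWSManagedRulesCommonRuleSet` list disables body inspection for SSRF (`EC2MetaDataSSRF_BODY`), XSS and RFI on the portal, and only the ticket numbers are given as justification. A compensating control that does not depend on the WAF is enforcing IMDSv2 on the portal launch template, `metadata_options { http_tokens = "required" }`, if it does not already set it (the `aws_launch_template.customer_portal` header is outside this diff, so I cannot confirm). It would also help to record next to the list why each rule is excluded and when it should be re-evaluated, e.g. `# excluded because it blocks the portal API body format (MSOCI-2121); revisit when the API payload changes`. The `module "waf"` block starts outside this hunk.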
@@ -20,8 +20,8 @@ module "waf" {
   ]
 
   # These are passed through and should be the same for module
-  tags = merge(var.standard_tags, var.tags)
-  aws_partition = var.aws_partition
-  aws_region = var.aws_region
+  tags           = merge(var.standard_tags, var.tags)
+  aws_partition  = var.aws_partition
+  aws_region     = var.aws_region
   aws_account_id = var.aws_account_id
 }

+ 58 - 58
base/customer_portal_lambda/cloudwatch.tf

@@ -1,13 +1,13 @@
 resource "aws_cloudwatch_log_group" "function_scheduler" {
   name              = "/aws/lambda/${aws_lambda_function.portal_scheduler.function_name}"
   retention_in_days = 14
-  tags = merge(var.standard_tags, var.tags)
+  tags              = merge(var.standard_tags, var.tags)
 }
 
 resource "aws_cloudwatch_log_group" "function_customer_sync" {
   name              = "/aws/lambda/${aws_lambda_function.portal_customer_sync.function_name}"
   retention_in_days = 14
-  tags = merge(var.standard_tags, var.tags)
+  tags              = merge(var.standard_tags, var.tags)
 }
 
 ###
@@ -16,124 +16,124 @@ resource "aws_cloudwatch_log_group" "function_customer_sync" {
 
 ### Time-based rules for portal sync:
 resource "aws_cloudwatch_event_rule" "portal_scheduler_quarter_hourly_rule" {
-  name = "aws-portal-lambda-scheduler-quarter-hourly"
-  description = "Rule for portal scheduler lambda function - every 15 minutes"
+  name                = "aws-portal-lambda-scheduler-quarter-hourly"
+  description         = "Rule for portal scheduler lambda function - every 15 minutes"
   schedule_expression = "rate(15 minutes)"
-  is_enabled = var.environment == "test" ? false : true
-  tags = merge(var.standard_tags, var.tags)
+  is_enabled          = var.environment == "test" ? false : true
+  tags                = merge(var.standard_tags, var.tags)
 }
 
 resource "aws_cloudwatch_event_rule" "portal_scheduler_third_hourly_rule" {
-  name = "aws-portal-lambda-scheduler-third-hourly"
-  description = "Rule for portal scheduler lambda function - every 20th minute"
+  name                = "aws-portal-lambda-scheduler-third-hourly"
+  description         = "Rule for portal scheduler lambda function - every 20th minute"
   schedule_expression = "cron(0/20 * * * ? *)"
-  is_enabled = var.environment == "test" ? false : true
-  tags = merge(var.standard_tags, var.tags)
+  is_enabled          = var.environment == "test" ? false : true
+  tags                = merge(var.standard_tags, var.tags)
 }
 
 resource "aws_cloudwatch_event_rule" "portal_scheduler_half_hourly_rule" {
-  name = "aws-portal-lambda-scheduler-half-hourly"
-  description = "Rule for portal scheduler lambda function - every 30 minutes"
+  name                = "aws-portal-lambda-scheduler-half-hourly"
+  description         = "Rule for portal scheduler lambda function - every 30 minutes"
   schedule_expression = "rate(30 minutes)"
-  is_enabled = var.environment == "test" ? false : true
-  tags = merge(var.standard_tags, var.tags)
+  is_enabled          = var.environment == "test" ? false : true
+  tags                = merge(var.standard_tags, var.tags)
 }
 
 resource "aws_cloudwatch_event_rule" "portal_scheduler_hourly_rule" {
-  name = "aws-portal-lambda-scheduler-hourly"
-  description = "Rule for portal scheduler lambda function - every hour"
+  name                = "aws-portal-lambda-scheduler-hourly"
+  description         = "Rule for portal scheduler lambda function - every hour"
   schedule_expression = "rate(1 hour)"
-  is_enabled = var.environment == "test" ? false : true
-  tags = merge(var.standard_tags, var.tags)
+  is_enabled          = var.environment == "test" ? false : true
+  tags                = merge(var.standard_tags, var.tags)
 }
 
 resource "aws_cloudwatch_event_rule" "portal_scheduler_four_hourly_rule" {
-  name = "aws-portal-lambda-scheduler-four-hourly"
-  description = "Rule for portal scheduler lambda function - every 4 hours"
+  name                = "aws-portal-lambda-scheduler-four-hourly"
+  description         = "Rule for portal scheduler lambda function - every 4 hours"
   schedule_expression = "rate(4 hours)"
-  is_enabled = var.environment == "test" ? false : true
-  tags = merge(var.standard_tags, var.tags)
+  is_enabled          = var.environment == "test" ? false : true
+  tags                = merge(var.standard_tags, var.tags)
 }
 
 resource "aws_cloudwatch_event_rule" "portal_scheduler_daily_rule" {
-  name = "aws-portal-lambda-scheduler-daily"
-  description = "Rule for portal scheduler lambda function - every day"
+  name                = "aws-portal-lambda-scheduler-daily"
+  description         = "Rule for portal scheduler lambda function - every day"
   schedule_expression = "cron(5 5 * * ? *)"
-  is_enabled = var.environment == "test" ? false : true
-  tags = merge(var.standard_tags, var.tags)
+  is_enabled          = var.environment == "test" ? false : true
+  tags                = merge(var.standard_tags, var.tags)
 }
 
 resource "aws_cloudwatch_event_rule" "portal_scheduler_weekly_rule" {
-  name = "aws-portal-lambda-scheduler-weekly"
-  description = "Rule for portal scheduler lambda function - every week"
+  name                = "aws-portal-lambda-scheduler-weekly"
+  description         = "Rule for portal scheduler lambda function - every week"
   schedule_expression = "rate(7 days)"
-  is_enabled = var.environment == "test" ? false : true
-  tags = merge(var.standard_tags, var.tags)
+  is_enabled          = var.environment == "test" ? false : true
+  tags                = merge(var.standard_tags, var.tags)
 }
 
 resource "aws_cloudwatch_event_rule" "portal_scheduler_monthly_rule" {
-  name = "aws-portal-lambda-scheduler-monthly"
-  description = "Rule for portal scheduler lambda function - every month"
+  name                = "aws-portal-lambda-scheduler-monthly"
+  description         = "Rule for portal scheduler lambda function - every month"
   schedule_expression = "cron(0 17 1 * ? *)"
-  is_enabled = var.environment == "test" ? false : true
-  tags = merge(var.standard_tags, var.tags)
+  is_enabled          = var.environment == "test" ? false : true
+  tags                = merge(var.standard_tags, var.tags)
 }
 
 ### Time-based targets for portal scheduler:
 resource "aws_cloudwatch_event_target" "portal_scheduler_cloudwatch_target_quarter_hourly" {
   target_id = "PortalSchedulerQuarterHourly"
-  rule = aws_cloudwatch_event_rule.portal_scheduler_quarter_hourly_rule.name
-  input = "{\"frequency_identifier\":\"quarter-hourly\"}"
-  arn  = aws_lambda_function.portal_scheduler.arn
+  rule      = aws_cloudwatch_event_rule.portal_scheduler_quarter_hourly_rule.name
+  input     = "{\"frequency_identifier\":\"quarter-hourly\"}"
+  arn       = aws_lambda_function.portal_scheduler.arn
 }
 
 resource "aws_cloudwatch_event_target" "portal_scheduler_cloudwatch_target_third_hourly" {
   target_id = "PortalSchedulerThirdHourly"
-  rule = aws_cloudwatch_event_rule.portal_scheduler_third_hourly_rule.name
-  input = "{\"frequency_identifier\":\"threat-q-twenty-minute\"}"
-  arn  = aws_lambda_function.portal_scheduler.arn
+  rule      = aws_cloudwatch_event_rule.portal_scheduler_third_hourly_rule.name
+  input     = "{\"frequency_identifier\":\"threat-q-twenty-minute\"}"
+  arn       = aws_lambda_function.portal_scheduler.arn
 }
 
 resource "aws_cloudwatch_event_target" "portal_scheduler_cloudwatch_target_half_hourly" {
   target_id = "PortalSchedulerHalfHourly"
-  rule = aws_cloudwatch_event_rule.portal_scheduler_half_hourly_rule.name
-  input = "{\"frequency_identifier\":\"half-hourly\"}"
-  arn  = aws_lambda_function.portal_scheduler.arn
+  rule      = aws_cloudwatch_event_rule.portal_scheduler_half_hourly_rule.name
+  input     = "{\"frequency_identifier\":\"half-hourly\"}"
+  arn       = aws_lambda_function.portal_scheduler.arn
 }
 
 resource "aws_cloudwatch_event_target" "portal_scheduler_cloudwatch_target_hourly" {
   target_id = "PortalSchedulerHourly"
-  rule = aws_cloudwatch_event_rule.portal_scheduler_hourly_rule.name
-  input = "{\"frequency_identifier\":\"hourly\"}"
-  arn  = aws_lambda_function.portal_scheduler.arn
+  rule      = aws_cloudwatch_event_rule.portal_scheduler_hourly_rule.name
+  input     = "{\"frequency_identifier\":\"hourly\"}"
+  arn       = aws_lambda_function.portal_scheduler.arn
 }
 
 resource "aws_cloudwatch_event_target" "portal_scheduler_cloudwatch_target_four_hourly" {
   target_id = "PortalSchedulerFourHourly"
-  rule = aws_cloudwatch_event_rule.portal_scheduler_four_hourly_rule.name
-  input = "{\"frequency_identifier\":\"four-hourly\"}"
-  arn  = aws_lambda_function.portal_scheduler.arn
+  rule      = aws_cloudwatch_event_rule.portal_scheduler_four_hourly_rule.name
+  input     = "{\"frequency_identifier\":\"four-hourly\"}"
+  arn       = aws_lambda_function.portal_scheduler.arn
 }
 
 resource "aws_cloudwatch_event_target" "portal_scheduler_cloudwatch_target_daily" {
   target_id = "PortalSchedulerDaily"
-  rule = aws_cloudwatch_event_rule.portal_scheduler_daily_rule.name
-  input = "{\"frequency_identifier\":\"daily\"}"
-  arn  = aws_lambda_function.portal_scheduler.arn
+  rule      = aws_cloudwatch_event_rule.portal_scheduler_daily_rule.name
+  input     = "{\"frequency_identifier\":\"daily\"}"
+  arn       = aws_lambda_function.portal_scheduler.arn
 }
 
 resource "aws_cloudwatch_event_target" "portal_scheduler_cloudwatch_target_weekly" {
   target_id = "PortalSchedulerWeekly"
-  rule = aws_cloudwatch_event_rule.portal_scheduler_weekly_rule.name
-  input = "{\"frequency_identifier\":\"weekly\"}"
-  arn  = aws_lambda_function.portal_scheduler.arn
+  rule      = aws_cloudwatch_event_rule.portal_scheduler_weekly_rule.name
+  input     = "{\"frequency_identifier\":\"weekly\"}"
+  arn       = aws_lambda_function.portal_scheduler.arn
 }
 
 resource "aws_cloudwatch_event_target" "portal_scheduler_cloudwatch_target_monthly" {
   target_id = "PortalSchedulerMonthly"
-  rule = aws_cloudwatch_event_rule.portal_scheduler_monthly_rule.name
-  input = "{\"frequency_identifier\":\"monthly\"}"
-  arn  = aws_lambda_function.portal_scheduler.arn
+  rule      = aws_cloudwatch_event_rule.portal_scheduler_monthly_rule.name
+  input     = "{\"frequency_identifier\":\"monthly\"}"
+  arn       = aws_lambda_function.portal_scheduler.arn
 }
 
 

+ 7 - 7
base/customer_portal_lambda/iam.tf

@@ -18,11 +18,11 @@ data "aws_iam_policy_document" "policy_portal_data_sync_lambda" {
   statement {
     effect = "Allow"
     actions = [
-        "sqs:*",
+      "sqs:*",
     ]
-    resources = [ 
-        aws_sqs_queue.sqs_queue.arn,
-        aws_sqs_queue.sqs_queue_dlq.arn
+    resources = [
+      aws_sqs_queue.sqs_queue.arn,
+      aws_sqs_queue.sqs_queue_dlq.arn
     ]
   }
 
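Review bot: The reindented statement in `policy_portal_data_sync_lambda` grants `"sqs:*"` on the queue and its DLQ, which includes permission-management and lifecycle actions such as `sqs:AddPermission`, `sqs:SetQueueAttributes` and `sqs:DeleteQueue` that a data-sync function has no reason to hold; the formatting change leaves that in place. Narrow `actions` to the operations the lambda performs, for example `"sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"`, and add a comment naming which of the queue and DLQ each action is for. The enclosing `data "aws_iam_policy_document"` block starts outside this hunk, so any other statements it contains are not visible here.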
@@ -32,8 +32,8 @@ data "aws_iam_policy_document" "policy_portal_data_sync_lambda" {
       "kms:GenerateDataKey",
       "kms:Decrypt"
     ]
-    resources = [ 
-        aws_kms_key.sqs_key.arn
+    resources = [
+      aws_kms_key.sqs_key.arn
     ]
   }
 }
@@ -46,7 +46,7 @@ resource "aws_iam_policy" "policy_portal_data_sync_lambda" {
 }
 
 resource "aws_iam_role" "portal_lambda_role" {
-  name     = "portal-data-sync-lambda-role"
+  name               = "portal-data-sync-lambda-role"
   assume_role_policy = <<EOF
 {
 "Version": "2012-10-17",
