diff --git a/README.md b/README.md
index e3dd8df..06d6d5f 100644
--- a/README.md
+++ b/README.md
@@ -87,7 +87,7 @@ create an input vars file (`terraform.tfvars`)
 app = "my-app"
 environment = "dev"
 
-internal = "true"
+internal = true
 container_port = "8080"
 replicas = "1"
 health_check = "/health"
diff --git a/base/ecr.tf b/base/ecr.tf
index 9569cab..c503cdf 100644
--- a/base/ecr.tf
+++ b/base/ecr.tf
@@ -6,15 +6,16 @@
 
 # create an ECR repo at the app/image level
 resource "aws_ecr_repository" "app" {
-  name = "${var.app}"
+  name = var.app
 }
 
-data "aws_caller_identity" "current" {}
+data "aws_caller_identity" "current" {
+}
 
 # grant access to saml users
 resource "aws_ecr_repository_policy" "app" {
-  repository = "${aws_ecr_repository.app.name}"
-  policy     = "${data.aws_iam_policy_document.ecr.json}"
+  repository = aws_ecr_repository.app.name
+  policy     = data.aws_iam_policy_document.ecr.json
 }
 
 data "aws_iam_policy_document" "ecr" {
diff --git a/base/main.tf b/base/main.tf
index aca9776..da275fd 100644
--- a/base/main.tf
+++ b/base/main.tf
@@ -1,3 +1,7 @@
+terraform {
+  required_version = ">= 0.12"
+}
+
 /**
  * main.tf
  * The main entry point for Terraform run
@@ -9,8 +13,8 @@
 # Using the AWS Provider
 # https://www.terraform.io/docs/providers/
 provider "aws" {
-  region  = "${var.region}"
-  profile = "${var.aws_profile}"
+  region  = var.region
+  profile = var.aws_profile
 }
 
 /*
@@ -21,10 +25,10 @@ provider "aws" {
 
 # Returns the name of the ECR registry, this will be used later in various scripts
 output "docker_registry" {
-  value = "${aws_ecr_repository.app.repository_url}"
+  value = aws_ecr_repository.app.repository_url
 }
 
 # Returns the name of the S3 bucket that will be used in later Terraform files
 output "bucket" {
-  value = "${module.tf_remote_state.bucket}"
+  value = module.tf_remote_state.bucket
 }
diff --git a/base/state.tf b/base/state.tf
index c3146ba..86c5f6e 100644
--- a/base/state.tf
+++ b/base/state.tf
@@ -12,7 +12,7 @@
 module "tf_remote_state" {
   source = "github.com/turnerlabs/terraform-remote-state?ref=v2.2.0"
 
-  role        = "${var.saml_role}"
-  application = "${var.app}"
-  tags        = "${var.tags}"
+  role        = var.saml_role
+  application = var.app
+  tags        = var.tags
 }
diff --git a/base/variables.tf b/base/variables.tf
index 222a984..d7ef4d7 100644
--- a/base/variables.tf
+++ b/base/variables.tf
@@ -11,14 +11,17 @@ variable "region" {
 }
 
 # The AWS profile to use, this would be the same value used in AWS_PROFILE.
-variable "aws_profile" {}
+variable "aws_profile" {
+}
 
 # The role that will have access to the S3 bucket, this should be a role that all
 # members of the team have access to.
-variable "saml_role" {}
+variable "saml_role" {
+}
 
 # Name of the application. This value should usually match the application tag below.
-variable "app" {}
+variable "app" {
+}
 
 # A map of the tags to apply to various resources. The required tags are:
 # `application`, name of the app;
@@ -27,5 +30,5 @@ variable "app" {}
 # `contact-email`, contact email for the _team_;
 # and `customer`, who the application was create for.
 variable "tags" {
-  type = "map"
+  type = map(string)
 }
diff --git a/env/dev/autoscale-perf.tf b/env/dev/autoscale-perf.tf
index d177e66..52479e6 100644
--- a/env/dev/autoscale-perf.tf
+++ b/env/dev/autoscale-perf.tf
@@ -54,14 +54,14 @@ resource "aws_cloudwatch_metric_alarm" "cpu_utilization_high" {
   namespace           = "AWS/ECS"
   period              = "60"
   statistic           = "Average"
-  threshold           = "${var.ecs_as_cpu_high_threshold_per}"
+  threshold           = var.ecs_as_cpu_high_threshold_per
 
-  dimensions {
-    ClusterName = "${aws_ecs_cluster.app.name}"
-    ServiceName = "${aws_ecs_service.app.name}"
+  dimensions = {
+    ClusterName = aws_ecs_cluster.app.name
+    ServiceName = aws_ecs_service.app.name
   }
 
-  alarm_actions = ["${aws_appautoscaling_policy.app_up.arn}"]
+  alarm_actions = [aws_appautoscaling_policy.app_up.arn]
 }
 
 resource "aws_cloudwatch_metric_alarm" "cpu_utilization_low" {
@@ -72,21 +72,21 @@ resource "aws_cloudwatch_metric_alarm" "cpu_utilization_low" {
   namespace           = "AWS/ECS"
   period              = "60"
   statistic           = "Average"
-  threshold           = "${var.ecs_as_cpu_low_threshold_per}"
+  threshold           = var.ecs_as_cpu_low_threshold_per
 
-  dimensions {
-    ClusterName = "${aws_ecs_cluster.app.name}"
-    ServiceName = "${aws_ecs_service.app.name}"
+  dimensions = {
+    ClusterName = aws_ecs_cluster.app.name
+    ServiceName = aws_ecs_service.app.name
   }
 
-  alarm_actions = ["${aws_appautoscaling_policy.app_down.arn}"]
+  alarm_actions = [aws_appautoscaling_policy.app_down.arn]
 }
 
 resource "aws_appautoscaling_policy" "app_up" {
   name               = "app-scale-up"
-  service_namespace  = "${aws_appautoscaling_target.app_scale_target.service_namespace}"
-  resource_id        = "${aws_appautoscaling_target.app_scale_target.resource_id}"
-  scalable_dimension = "${aws_appautoscaling_target.app_scale_target.scalable_dimension}"
+  service_namespace  = aws_appautoscaling_target.app_scale_target.service_namespace
+  resource_id        = aws_appautoscaling_target.app_scale_target.resource_id
+  scalable_dimension = aws_appautoscaling_target.app_scale_target.scalable_dimension
 
   step_scaling_policy_configuration {
     adjustment_type         = "ChangeInCapacity"
@@ -102,9 +102,9 @@ resource "aws_appautoscaling_policy" "app_up" {
 
 resource "aws_appautoscaling_policy" "app_down" {
   name               = "app-scale-down"
-  service_namespace  = "${aws_appautoscaling_target.app_scale_target.service_namespace}"
-  resource_id        = "${aws_appautoscaling_target.app_scale_target.resource_id}"
-  scalable_dimension = "${aws_appautoscaling_target.app_scale_target.scalable_dimension}"
+  service_namespace  = aws_appautoscaling_target.app_scale_target.service_namespace
+  resource_id        = aws_appautoscaling_target.app_scale_target.resource_id
+  scalable_dimension = aws_appautoscaling_target.app_scale_target.scalable_dimension
 
   step_scaling_policy_configuration {
     adjustment_type         = "ChangeInCapacity"
diff --git a/env/dev/autoscale-time.tf b/env/dev/autoscale-time.tf
index 494d124..084e6d0 100644
--- a/env/dev/autoscale-time.tf
+++ b/env/dev/autoscale-time.tf
@@ -30,14 +30,14 @@ variable "scale_down_max_capacity" {
 resource "aws_appautoscaling_scheduled_action" "app_autoscale_time_up" {
   name = "app-autoscale-time-up-${var.app}-${var.environment}"
 
-  service_namespace  = "${aws_appautoscaling_target.app_scale_target.service_namespace}"
-  resource_id        = "${aws_appautoscaling_target.app_scale_target.resource_id}"
-  scalable_dimension = "${aws_appautoscaling_target.app_scale_target.scalable_dimension}"
-  schedule           = "${var.scale_up_cron}"
+  service_namespace  = aws_appautoscaling_target.app_scale_target.service_namespace
+  resource_id        = aws_appautoscaling_target.app_scale_target.resource_id
+  scalable_dimension = aws_appautoscaling_target.app_scale_target.scalable_dimension
+  schedule           = var.scale_up_cron
 
   scalable_target_action {
-    min_capacity = "${aws_appautoscaling_target.app_scale_target.min_capacity}"
-    max_capacity = "${aws_appautoscaling_target.app_scale_target.max_capacity}"
+    min_capacity = aws_appautoscaling_target.app_scale_target.min_capacity
+    max_capacity = aws_appautoscaling_target.app_scale_target.max_capacity
   }
 }
 
@@ -46,13 +46,13 @@ resource "aws_appautoscaling_scheduled_action" "app_autoscale_time_up" {
 resource "aws_appautoscaling_scheduled_action" "app_autoscale_time_down" {
   name = "app-autoscale-time-down-${var.app}-${var.environment}"
 
-  service_namespace  = "${aws_appautoscaling_target.app_scale_target.service_namespace}"
-  resource_id        = "${aws_appautoscaling_target.app_scale_target.resource_id}"
-  scalable_dimension = "${aws_appautoscaling_target.app_scale_target.scalable_dimension}"
-  schedule           = "${var.scale_down_cron}"
+  service_namespace  = aws_appautoscaling_target.app_scale_target.service_namespace
+  resource_id        = aws_appautoscaling_target.app_scale_target.resource_id
+  scalable_dimension = aws_appautoscaling_target.app_scale_target.scalable_dimension
+  schedule           = var.scale_down_cron
 
   scalable_target_action {
-    min_capacity = "${var.scale_down_min_capacity}"
-    max_capacity = "${var.scale_down_max_capacity}"
+    min_capacity = var.scale_down_min_capacity
+    max_capacity = var.scale_down_max_capacity
   }
 }
diff --git a/env/dev/cicd.tf b/env/dev/cicd.tf
index 61c2db9..683b518 100644
--- a/env/dev/cicd.tf
+++ b/env/dev/cicd.tf
@@ -4,7 +4,7 @@ resource "aws_iam_user" "cicd" {
 }
 
 resource "aws_iam_access_key" "cicd_keys" {
-  user = "${aws_iam_user.cicd.name}"
+  user = aws_iam_user.cicd.name
 }
 
 # grant required permissions to deploy
@@ -24,7 +24,7 @@ data "aws_iam_policy_document" "cicd_policy" {
     ]
 
     resources = [
-      "${data.aws_ecr_repository.ecr.arn}",
+      data.aws_ecr_repository.ecr.arn,
     ]
   }
 
@@ -54,20 +54,20 @@ data "aws_iam_policy_document" "cicd_policy" {
     ]
 
     resources = [
-      "${aws_iam_role.app_role.arn}",
-      "${aws_iam_role.ecsTaskExecutionRole.arn}",
+      aws_iam_role.app_role.arn,
+      aws_iam_role.ecsTaskExecutionRole.arn,
     ]
   }
 }
 
 resource "aws_iam_user_policy" "cicd_user_policy" {
   name   = "${var.app}_${var.environment}_cicd"
-  user   = "${aws_iam_user.cicd.name}"
-  policy = "${data.aws_iam_policy_document.cicd_policy.json}"
+  user   = aws_iam_user.cicd.name
+  policy = data.aws_iam_policy_document.cicd_policy.json
 }
 
 data "aws_ecr_repository" "ecr" {
-  name = "${var.app}"
+  name = var.app
 }
 
 # The AWS keys for the CICD user to use in a build system
@@ -77,5 +77,5 @@ output "cicd_keys" {
 
 # The URL for the docker image repo in ECR
 output "docker_registry" {
-  value = "${data.aws_ecr_repository.ecr.repository_url}"
+  value = data.aws_ecr_repository.ecr.repository_url
 }
diff --git a/env/dev/ecs-event-stream.tf b/env/dev/ecs-event-stream.tf
index 1d7fd5f..0d2d2ec 100644
--- a/env/dev/ecs-event-stream.tf
+++ b/env/dev/ecs-event-stream.tf
@@ -18,12 +18,14 @@ resource "aws_cloudwatch_event_rule" "ecs_event_stream" {
       "clusterArn": ["${aws_ecs_cluster.app.arn}"]
     }
   }
-  PATTERN
+  
+PATTERN
+
 }
 
 resource "aws_cloudwatch_event_target" "ecs_event_stream" {
-  rule = "${aws_cloudwatch_event_rule.ecs_event_stream.name}"
-  arn  = "${aws_lambda_function.ecs_event_stream.arn}"
+  rule = aws_cloudwatch_event_rule.ecs_event_stream.name
+  arn = aws_lambda_function.ecs_event_stream.arn
 }
 
 data "template_file" "lambda_source" {
@@ -32,44 +34,45 @@ exports.handler = (event, context, callback) => {
   console.log(JSON.stringify(event));
 }
 EOF
+
 }
 
 data "archive_file" "lambda_zip" {
-  type                    = "zip"
-  source_content          = "${data.template_file.lambda_source.rendered}"
-  source_content_filename = "index.js"
-  output_path             = "lambda-${var.app}.zip"
+type                    = "zip"
+source_content          = data.template_file.lambda_source.rendered
+source_content_filename = "index.js"
+output_path             = "lambda-${var.app}.zip"
 }
 
 resource "aws_lambda_permission" "ecs_event_stream" {
-  statement_id  = "AllowExecutionFromCloudWatch"
-  action        = "lambda:InvokeFunction"
-  function_name = "${aws_lambda_function.ecs_event_stream.arn}"
-  principal     = "events.amazonaws.com"
-  source_arn    = "${aws_cloudwatch_event_rule.ecs_event_stream.arn}"
+statement_id  = "AllowExecutionFromCloudWatch"
+action        = "lambda:InvokeFunction"
+function_name = aws_lambda_function.ecs_event_stream.arn
+principal     = "events.amazonaws.com"
+source_arn    = aws_cloudwatch_event_rule.ecs_event_stream.arn
 }
 
 resource "aws_lambda_function" "ecs_event_stream" {
-  function_name    = "${var.app}-${var.environment}-ecs-event-stream"
-  role             = "${aws_iam_role.ecs_event_stream.arn}"
-  filename         = "${data.archive_file.lambda_zip.output_path}"
-  source_code_hash = "${data.archive_file.lambda_zip.output_base64sha256}"
-  handler          = "index.handler"
-  runtime          = "nodejs8.10"
-  tags             = "${var.tags}"
+function_name    = "${var.app}-${var.environment}-ecs-event-stream"
+role             = aws_iam_role.ecs_event_stream.arn
+filename         = data.archive_file.lambda_zip.output_path
+source_code_hash = data.archive_file.lambda_zip.output_base64sha256
+handler          = "index.handler"
+runtime          = "nodejs8.10"
+tags             = var.tags
 }
 
 resource "aws_lambda_alias" "ecs_event_stream" {
-  name             = "${aws_lambda_function.ecs_event_stream.function_name}"
-  description      = "latest"
-  function_name    = "${aws_lambda_function.ecs_event_stream.function_name}"
-  function_version = "$LATEST"
+name             = aws_lambda_function.ecs_event_stream.function_name
+description      = "latest"
+function_name    = aws_lambda_function.ecs_event_stream.function_name
+function_version = "$LATEST"
 }
 
 resource "aws_iam_role" "ecs_event_stream" {
-  name = "${aws_cloudwatch_event_rule.ecs_event_stream.name}"
+name = aws_cloudwatch_event_rule.ecs_event_stream.name
 
-  assume_role_policy = <<EOF
+assume_role_policy = <<EOF
 {
   "Version": "2012-10-17",
   "Statement": [
@@ -84,18 +87,19 @@ resource "aws_iam_role" "ecs_event_stream" {
   ]
 }
 EOF
+
 }
 
 resource "aws_iam_role_policy_attachment" "ecs_event_stream" {
-  role       = "${aws_iam_role.ecs_event_stream.name}"
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+role = aws_iam_role.ecs_event_stream.name
+policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
 }
 
 # cloudwatch dashboard with logs insights query
 resource "aws_cloudwatch_dashboard" "ecs-event-stream" {
-  dashboard_name = "${var.app}-${var.environment}-ecs-event-stream"
+dashboard_name = "${var.app}-${var.environment}-ecs-event-stream"
 
-  dashboard_body = <<EOF
+dashboard_body = <<EOF
 {
   "widgets": [
     {
diff --git a/env/dev/ecs.tf b/env/dev/ecs.tf
index de75613..d5d8eb4 100644
--- a/env/dev/ecs.tf
+++ b/env/dev/ecs.tf
@@ -38,7 +38,7 @@ variable "ecs_autoscale_max_instances" {
 
 resource "aws_ecs_cluster" "app" {
   name = "${var.app}-${var.environment}"
-  tags = "${var.tags}"
+  tags = var.tags
 }
 
 # The default docker image to deploy with the infrastructure.
@@ -56,8 +56,8 @@ resource "aws_appautoscaling_target" "app_scale_target" {
   service_namespace  = "ecs"
   resource_id        = "service/${aws_ecs_cluster.app.name}/${aws_ecs_service.app.name}"
   scalable_dimension = "ecs:service:DesiredCount"
-  max_capacity       = "${var.ecs_autoscale_max_instances}"
-  min_capacity       = "${var.ecs_autoscale_min_instances}"
+  max_capacity       = var.ecs_autoscale_max_instances
+  min_capacity       = var.ecs_autoscale_min_instances
 }
 
 resource "aws_ecs_task_definition" "app" {
@@ -66,10 +66,10 @@ resource "aws_ecs_task_definition" "app" {
   network_mode             = "awsvpc"
   cpu                      = "256"
   memory                   = "512"
-  execution_role_arn       = "${aws_iam_role.ecsTaskExecutionRole.arn}"
+  execution_role_arn       = aws_iam_role.ecsTaskExecutionRole.arn
 
   # defined in role.tf
-  task_role_arn = "${aws_iam_role.app_role.arn}"
+  task_role_arn = aws_iam_role.app_role.arn
 
   container_definitions = <<DEFINITION
 [
@@ -118,47 +118,46 @@ resource "aws_ecs_task_definition" "app" {
 ]
 DEFINITION
 
-  tags = "${var.tags}"
+
+  tags = var.tags
 }
 
 resource "aws_ecs_service" "app" {
-  name            = "${var.app}-${var.environment}"
-  cluster         = "${aws_ecs_cluster.app.id}"
-  launch_type     = "FARGATE"
-  task_definition = "${aws_ecs_task_definition.app.arn}"
-  desired_count   = "${var.replicas}"
+  name = "${var.app}-${var.environment}"
+  cluster = aws_ecs_cluster.app.id
+  launch_type = "FARGATE"
+  task_definition = aws_ecs_task_definition.app.arn
+  desired_count = var.replicas
 
   network_configuration {
-    security_groups = ["${aws_security_group.nsg_task.id}"]
-    subnets         = ["${split(",", var.private_subnets)}"]
+    security_groups = [aws_security_group.nsg_task.id]
+    subnets = split(",", var.private_subnets)
   }
 
   load_balancer {
-    target_group_arn = "${aws_alb_target_group.main.id}"
-    container_name   = "${var.container_name}"
-    container_port   = "${var.container_port}"
+    target_group_arn = aws_alb_target_group.main.id
+    container_name = var.container_name
+    container_port = var.container_port
   }
 
-  tags                    = "${var.tags}"
+  tags = var.tags
   enable_ecs_managed_tags = true
-  propagate_tags          = "SERVICE"
+  propagate_tags = "SERVICE"
 
   # workaround for https://github.com/hashicorp/terraform/issues/12634
-  depends_on = [
-    "aws_alb_listener.http",
-  ]
+  depends_on = [aws_alb_listener.http]
 
   # [after initial apply] don't override changes made to task_definition
   # from outside of terrraform (i.e.; fargate cli)
   lifecycle {
-    ignore_changes = ["task_definition"]
+    ignore_changes = [task_definition]
   }
 }
 
 # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html
 resource "aws_iam_role" "ecsTaskExecutionRole" {
-  name               = "${var.app}-${var.environment}-ecs"
-  assume_role_policy = "${data.aws_iam_policy_document.assume_role_policy.json}"
+  name = "${var.app}-${var.environment}-ecs"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
 }
 
 data "aws_iam_policy_document" "assume_role_policy" {
@@ -166,19 +165,19 @@ data "aws_iam_policy_document" "assume_role_policy" {
     actions = ["sts:AssumeRole"]
 
     principals {
-      type        = "Service"
+      type = "Service"
       identifiers = ["ecs-tasks.amazonaws.com"]
     }
   }
 }
 
 resource "aws_iam_role_policy_attachment" "ecsTaskExecutionRole_policy" {
-  role       = "${aws_iam_role.ecsTaskExecutionRole.name}"
+  role = aws_iam_role.ecsTaskExecutionRole.name
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
 
 resource "aws_cloudwatch_log_group" "logs" {
-  name              = "/fargate/service/${var.app}-${var.environment}"
+  name = "/fargate/service/${var.app}-${var.environment}"
   retention_in_days = "14"
-  tags              = "${var.tags}"
+  tags = var.tags
 }
diff --git a/env/dev/lb-http.tf b/env/dev/lb-http.tf
index d79203f..b638eb6 100644
--- a/env/dev/lb-http.tf
+++ b/env/dev/lb-http.tf
@@ -2,22 +2,22 @@
 # (delete this file if you only want https)
 
 resource "aws_alb_listener" "http" {
-  load_balancer_arn = "${aws_alb.main.id}"
-  port              = "${var.lb_port}"
-  protocol          = "${var.lb_protocol}"
+  load_balancer_arn = aws_alb.main.id
+  port              = var.lb_port
+  protocol          = var.lb_protocol
 
   default_action {
-    target_group_arn = "${aws_alb_target_group.main.id}"
+    target_group_arn = aws_alb_target_group.main.id
     type             = "forward"
   }
 }
 
 resource "aws_security_group_rule" "ingress_lb_http" {
   type              = "ingress"
-  description       = "${var.lb_protocol}"
-  from_port         = "${var.lb_port}"
-  to_port           = "${var.lb_port}"
+  description       = var.lb_protocol
+  from_port         = var.lb_port
+  to_port           = var.lb_port
   protocol          = "tcp"
   cidr_blocks       = ["0.0.0.0/0"]
-  security_group_id = "${aws_security_group.nsg_lb.id}"
+  security_group_id = aws_security_group.nsg_lb.id
 }
diff --git a/env/dev/lb.tf b/env/dev/lb.tf
index 5b35c70..ff0d1bb 100644
--- a/env/dev/lb.tf
+++ b/env/dev/lb.tf
@@ -6,7 +6,7 @@
 # Whether the application is available on the public internet,
 # also will determine which subnets will be used (public or private)
 variable "internal" {
-  default = "true"
+  default = true
 }
 
 # The amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused
@@ -15,7 +15,8 @@ variable "deregistration_delay" {
 }
 
 # The path to the health check for the load balancer to know if the container(s) are ready
-variable "health_check" {}
+variable "health_check" {
+}
 
 # How often to check the liveliness of the container
 variable "health_check_interval" {
@@ -40,45 +41,49 @@ resource "aws_alb" "main" {
   name = "${var.app}-${var.environment}"
 
   # launch lbs in public or private subnets based on "internal" variable
-  internal        = "${var.internal}"
-  subnets         = "${split(",", var.internal == true ? var.private_subnets : var.public_subnets)}"
-  security_groups = ["${aws_security_group.nsg_lb.id}"]
-  tags            = "${var.tags}"
+  internal = var.internal
+  subnets = split(
+    ",",
+    var.internal == true ? var.private_subnets : var.public_subnets,
+  )
+  security_groups = [aws_security_group.nsg_lb.id]
+  tags            = var.tags
 
   # enable access logs in order to get support from aws
   access_logs {
     enabled = true
-    bucket  = "${aws_s3_bucket.lb_access_logs.bucket}"
+    bucket  = aws_s3_bucket.lb_access_logs.bucket
   }
 }
 
 resource "aws_alb_target_group" "main" {
   name                 = "${var.app}-${var.environment}"
-  port                 = "${var.lb_port}"
-  protocol             = "${var.lb_protocol}"
-  vpc_id               = "${var.vpc}"
+  port                 = var.lb_port
+  protocol             = var.lb_protocol
+  vpc_id               = var.vpc
   target_type          = "ip"
-  deregistration_delay = "${var.deregistration_delay}"
+  deregistration_delay = var.deregistration_delay
 
   health_check {
-    path                = "${var.health_check}"
-    matcher             = "${var.health_check_matcher}"
-    interval            = "${var.health_check_interval}"
-    timeout             = "${var.health_check_timeout}"
+    path                = var.health_check
+    matcher             = var.health_check_matcher
+    interval            = var.health_check_interval
+    timeout             = var.health_check_timeout
     healthy_threshold   = 5
     unhealthy_threshold = 5
   }
 
-  tags = "${var.tags}"
+  tags = var.tags
 }
 
-data "aws_elb_service_account" "main" {}
+data "aws_elb_service_account" "main" {
+}
 
 # bucket for storing ALB access logs
 resource "aws_s3_bucket" "lb_access_logs" {
   bucket        = "${var.app}-${var.environment}-lb-access-logs"
   acl           = "private"
-  tags          = "${var.tags}"
+  tags          = var.tags
   force_destroy = true
 
   lifecycle_rule {
@@ -88,7 +93,7 @@ resource "aws_s3_bucket" "lb_access_logs" {
     prefix                                 = ""
 
     expiration {
-      days = "${var.lb_access_logs_expiration_days}"
+      days = var.lb_access_logs_expiration_days
     }
   }
 
@@ -103,7 +108,7 @@ resource "aws_s3_bucket" "lb_access_logs" {
 
 # give load balancing service access to the bucket
 resource "aws_s3_bucket_policy" "lb_access_logs" {
-  bucket = "${aws_s3_bucket.lb_access_logs.id}"
+  bucket = aws_s3_bucket.lb_access_logs.id
 
   policy = <<POLICY
 {
@@ -130,5 +135,5 @@ POLICY
 
 # The load balancer DNS name
 output "lb_dns" {
-  value = "${aws_alb.main.dns_name}"
+  value = aws_alb.main.dns_name
 }
diff --git a/env/dev/logs-logzio.tf b/env/dev/logs-logzio.tf
index 2533909..482af53 100644
--- a/env/dev/logs-logzio.tf
+++ b/env/dev/logs-logzio.tf
@@ -1,5 +1,6 @@
 # The auth token to use for sending logs to Logz.io
-variable "logz_token" {}
+variable "logz_token" {
+}
 
 # The endpoint to use for sending logs to Logz.io
 variable "logz_url" {
@@ -24,11 +25,12 @@ resource "aws_iam_role" "iam_for_lambda_logz" {
   ]
 }
 EOF
+
 }
 
 resource "aws_iam_role_policy" "lambda_policy_logs_logz" {
   name = "${var.app}-${var.environment}-logz-role"
-  role = "${aws_iam_role.iam_for_lambda_logz.id}"
+  role = aws_iam_role.iam_for_lambda_logz.id
 
   policy = <<EOF
 {
@@ -48,27 +50,28 @@ resource "aws_iam_role_policy" "lambda_policy_logs_logz" {
   ]
 }
 EOF
+
 }
 
 #function code from logzio: https://github.com/logzio/cloudwatch-logs-shipper-lambda
 resource "aws_lambda_function" "lambda_logz" {
-  function_name    = "${var.app}-${var.environment}-logz"
-  description      = "Sends Cloudwatch logs to logz."
-  runtime          = "python2.7"
-  timeout          = 60
-  memory_size      = 512
-  role             = "${aws_iam_role.iam_for_lambda_logz.arn}"
-  handler          = "lambda_function.lambda_handler"
-  filename         = "logs-logzio.zip"
-  source_code_hash = "${base64sha256(file("logs-logzio.zip"))}"
+function_name    = "${var.app}-${var.environment}-logz"
+description      = "Sends Cloudwatch logs to logz."
+runtime          = "python2.7"
+timeout          = 60
+memory_size      = 512
+role             = aws_iam_role.iam_for_lambda_logz.arn
+handler          = "lambda_function.lambda_handler"
+filename         = "logs-logzio.zip"
+source_code_hash = filebase64sha256("logs-logzio.zip")
 
-  tags = "${var.tags}"
+tags = var.tags
 
-  environment {
-    variables = {
-      TOKEN = "${var.logz_token}"
-      URL   = "${var.logz_url}"
-      TYPE  = "elb"
+environment {
+  variables = {
+    TOKEN = var.logz_token
+    URL   = var.logz_url
+    TYPE  = "elb"
     }
   }
 }
@@ -76,15 +79,15 @@ resource "aws_lambda_function" "lambda_logz" {
 resource "aws_lambda_permission" "allow_cloudwatch" {
   statement_id  = "${var.app}-${var.environment}-logz"
   action        = "lambda:InvokeFunction"
-  function_name = "${aws_lambda_function.lambda_logz.arn}"
+  function_name = aws_lambda_function.lambda_logz.arn
   principal     = "logs.${var.region}.amazonaws.com"
-  source_arn    = "${aws_cloudwatch_log_group.logs.arn}"
+  source_arn    = aws_cloudwatch_log_group.logs.arn
 }
 
 resource "aws_cloudwatch_log_subscription_filter" "cloudwatch_lambda_subscription" {
-  depends_on      = ["aws_lambda_permission.allow_cloudwatch"]
+  depends_on      = [aws_lambda_permission.allow_cloudwatch]
   name            = "${var.app}-${var.environment}-logz"
-  log_group_name  = "${aws_cloudwatch_log_group.logs.name}"
+  log_group_name  = aws_cloudwatch_log_group.logs.name
   filter_pattern  = ""
-  destination_arn = "${aws_lambda_function.lambda_logz.arn}"
+  destination_arn = aws_lambda_function.lambda_logz.arn
 }
diff --git a/env/dev/main.tf b/env/dev/main.tf
index db592f0..2c7438b 100644
--- a/env/dev/main.tf
+++ b/env/dev/main.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.11.0"
+  required_version = ">= 0.12"
 
   backend "s3" {
     region  = "us-east-1"
@@ -10,12 +10,13 @@ terraform {
 }
 
 # The AWS Profile to use
-variable "aws_profile" {}
+variable "aws_profile" {
+}
 
 provider "aws" {
   version = ">= 1.53.0"
-  region  = "${var.region}"
-  profile = "${var.aws_profile}"
+  region  = var.region
+  profile = var.aws_profile
 }
 
 # output
@@ -42,5 +43,5 @@ output "scale_out" {
 
 # Command to set the AWS_PROFILE
 output "aws_profile" {
-  value = "${var.aws_profile}"
+  value = var.aws_profile
 }
diff --git a/env/dev/nsg.tf b/env/dev/nsg.tf
index 0852280..7c9af96 100644
--- a/env/dev/nsg.tf
+++ b/env/dev/nsg.tf
@@ -1,17 +1,17 @@
 resource "aws_security_group" "nsg_lb" {
   name        = "${var.app}-${var.environment}-lb"
   description = "Allow connections from external resources while limiting connections from ${var.app}-${var.environment}-lb to internal resources"
-  vpc_id      = "${var.vpc}"
+  vpc_id      = var.vpc
 
-  tags = "${var.tags}"
+  tags = var.tags
 }
 
 resource "aws_security_group" "nsg_task" {
   name        = "${var.app}-${var.environment}-task"
   description = "Limit connections from internal resources while allowing ${var.app}-${var.environment}-task to connect to all external resources"
-  vpc_id      = "${var.vpc}"
+  vpc_id      = var.vpc
 
-  tags = "${var.tags}"
+  tags = var.tags
 }
 
 # Rules for the LB (Targets the task SG)
@@ -19,24 +19,24 @@ resource "aws_security_group" "nsg_task" {
 resource "aws_security_group_rule" "nsg_lb_egress_rule" {
   description              = "Only allow SG ${var.app}-${var.environment}-lb to connect to ${var.app}-${var.environment}-task on port ${var.container_port}"
   type                     = "egress"
-  from_port                = "${var.container_port}"
-  to_port                  = "${var.container_port}"
+  from_port                = var.container_port
+  to_port                  = var.container_port
   protocol                 = "tcp"
-  source_security_group_id = "${aws_security_group.nsg_task.id}"
+  source_security_group_id = aws_security_group.nsg_task.id
 
-  security_group_id = "${aws_security_group.nsg_lb.id}"
+  security_group_id = aws_security_group.nsg_lb.id
 }
 
 # Rules for the TASK (Targets the LB SG)
 resource "aws_security_group_rule" "nsg_task_ingress_rule" {
   description              = "Only allow connections from SG ${var.app}-${var.environment}-lb on port ${var.container_port}"
   type                     = "ingress"
-  from_port                = "${var.container_port}"
-  to_port                  = "${var.container_port}"
+  from_port                = var.container_port
+  to_port                  = var.container_port
   protocol                 = "tcp"
-  source_security_group_id = "${aws_security_group.nsg_lb.id}"
+  source_security_group_id = aws_security_group.nsg_lb.id
 
-  security_group_id = "${aws_security_group.nsg_task.id}"
+  security_group_id = aws_security_group.nsg_task.id
 }
 
 resource "aws_security_group_rule" "nsg_task_egress_rule" {
@@ -47,5 +47,5 @@ resource "aws_security_group_rule" "nsg_task_egress_rule" {
   protocol    = "-1"
   cidr_blocks = ["0.0.0.0/0"]
 
-  security_group_id = "${aws_security_group.nsg_task.id}"
+  security_group_id = aws_security_group.nsg_task.id
 }
diff --git a/env/dev/role.tf b/env/dev/role.tf
index c708983..a179bcd 100644
--- a/env/dev/role.tf
+++ b/env/dev/role.tf
@@ -1,17 +1,18 @@
 # The SAML role to use for adding users to the ECR policy
-variable "saml_role" {}
+variable "saml_role" {
+}
 
 # creates an application role that the container/task runs as
 resource "aws_iam_role" "app_role" {
   name               = "${var.app}-${var.environment}"
-  assume_role_policy = "${data.aws_iam_policy_document.app_role_assume_role_policy.json}"
+  assume_role_policy = data.aws_iam_policy_document.app_role_assume_role_policy.json
 }
 
 # assigns the app policy
 resource "aws_iam_role_policy" "app_policy" {
   name   = "${var.app}-${var.environment}"
-  role   = "${aws_iam_role.app_role.id}"
-  policy = "${data.aws_iam_policy_document.app_policy.json}"
+  role   = aws_iam_role.app_role.id
+  policy = data.aws_iam_policy_document.app_policy.json
 }
 
 # TODO: fill out custom policy
@@ -22,12 +23,13 @@ data "aws_iam_policy_document" "app_policy" {
     ]
 
     resources = [
-      "${aws_ecs_cluster.app.arn}",
+      aws_ecs_cluster.app.arn,
     ]
   }
 }
 
-data "aws_caller_identity" "current" {}
+data "aws_caller_identity" "current" {
+}
 
 # allow role to be assumed by ecs and local saml users (for development)
 data "aws_iam_policy_document" "app_role_assume_role_policy" {
diff --git a/env/dev/secretsmanager.tf b/env/dev/secretsmanager.tf
index 2cefabc..7209f4a 100644
--- a/env/dev/secretsmanager.tf
+++ b/env/dev/secretsmanager.tf
@@ -62,17 +62,21 @@ locals {
   ]
 
   # list of saml users for policies
-  saml_user_ids = [
-    "${data.aws_caller_identity.current.user_id}",
-    "${data.aws_caller_identity.current.account_id}",
-    "${formatlist("%s:%s", data.aws_iam_role.saml_role.unique_id, var.secrets_saml_users)}",
-  ]
+  saml_user_ids = flatten([
+    data.aws_caller_identity.current.user_id,
+    data.aws_caller_identity.current.account_id,
+    formatlist(
+      "%s:%s",
+      data.aws_iam_role.saml_role.unique_id,
+      var.secrets_saml_users,
+    ),
+  ])
 
   # list of role users and saml users for policies
-  role_and_saml_ids = [
+  role_and_saml_ids = flatten([
     "${aws_iam_role.app_role.unique_id}:*",
-    "${local.saml_user_ids}",
-  ]
+    local.saml_user_ids,
+  ])
 
   sm_arn = "arn:aws:secretsmanager:${var.region}:${data.aws_caller_identity.current.account_id}:secret:${var.app}-${var.environment}-??????"
 }
@@ -80,91 +84,96 @@ locals {
 # create the KMS key for this secret
 resource "aws_kms_key" "sm_kms_key" {
   description = "${var.app}-${var.environment}"
-  policy      = "${data.aws_iam_policy_document.kms_resource_policy_doc.json}"
-  tags        = "${merge(var.tags, map("Name", format("%s-%s", var.app, var.environment)))}"
+  policy      = data.aws_iam_policy_document.kms_resource_policy_doc.json
+  tags = merge(
+    var.tags,
+    {
+      "Name" = format("%s-%s", var.app, var.environment)
+    },
+  )
 }
 
 # alias for the key
 resource "aws_kms_alias" "sm_kms_alias" {
   name          = "alias/${var.app}-${var.environment}"
-  target_key_id = "${aws_kms_key.sm_kms_key.key_id}"
+  target_key_id = aws_kms_key.sm_kms_key.key_id
 }
 
 # the kms key policy
 data "aws_iam_policy_document" "kms_resource_policy_doc" {
-  statement = {
+  statement {
     sid    = "DenyWriteToAllExceptSAMLUsers"
     effect = "Deny"
 
-    principals = {
+    principals {
       type        = "AWS"
       identifiers = ["*"]
     }
 
-    actions   = ["${local.kms_write_actions}"]
+    actions   = local.kms_write_actions
     resources = ["*"]
 
-    condition = {
+    condition {
       test     = "StringNotLike"
       variable = "aws:userId"
-      values   = ["${local.saml_user_ids}"]
+      values   = local.saml_user_ids
     }
   }
 
-  statement = {
+  statement {
     sid    = "DenyReadToAllExceptRoleAndSAMLUsers"
     effect = "Deny"
 
-    principals = {
+    principals {
       type        = "AWS"
       identifiers = ["*"]
     }
 
-    actions   = ["${local.kms_read_actions}"]
+    actions   = local.kms_read_actions
     resources = ["*"]
 
-    condition = {
+    condition {
       test     = "StringNotLike"
       variable = "aws:userId"
-      values   = ["${local.role_and_saml_ids}"]
+      values   = local.role_and_saml_ids
     }
   }
 
-  statement = {
+  statement {
     sid    = "AllowWriteToSAMLUsers"
     effect = "Allow"
 
-    principals = {
+    principals {
       type        = "AWS"
       identifiers = ["*"]
     }
 
-    actions   = ["${local.kms_write_actions}"]
+    actions   = local.kms_write_actions
     resources = ["*"]
 
-    condition = {
+    condition {
       test     = "StringLike"
       variable = "aws:userId"
-      values   = ["${local.saml_user_ids}"]
+      values   = local.saml_user_ids
     }
   }
 
-  statement = {
+  statement {
     sid    = "AllowReadRoleAndSAMLUsers"
     effect = "Allow"
 
-    principals = {
+    principals {
       type        = "AWS"
       identifiers = ["*"]
     }
 
-    actions   = ["${local.kms_read_actions}"]
+    actions   = local.kms_read_actions
     resources = ["*"]
 
-    condition = {
+    condition {
       test     = "StringLike"
       variable = "aws:userId"
-      values   = ["${local.role_and_saml_ids}"]
+      values   = local.role_and_saml_ids
     }
   }
 }
@@ -172,102 +181,102 @@ data "aws_iam_policy_document" "kms_resource_policy_doc" {
 # create the secretsmanager secret
 resource "aws_secretsmanager_secret" "sm_secret" {
   name       = "${var.app}-${var.environment}"
-  kms_key_id = "${aws_kms_key.sm_kms_key.key_id}"
-  tags       = "${var.tags}"
-  policy     = "${data.aws_iam_policy_document.sm_resource_policy_doc.json}"
+  kms_key_id = aws_kms_key.sm_kms_key.key_id
+  tags       = var.tags
+  policy     = data.aws_iam_policy_document.sm_resource_policy_doc.json
 }
 
 # create the placeholder secret json
 resource "aws_secretsmanager_secret_version" "initial" {
-  secret_id     = "${aws_secretsmanager_secret.sm_secret.id}"
+  secret_id     = aws_secretsmanager_secret.sm_secret.id
   secret_string = "{}"
 }
 
 # get the saml user info so we can get the unique_id
 data "aws_iam_role" "saml_role" {
-  name = "${var.saml_role}"
+  name = var.saml_role
 }
 
 # resource policy doc that limits access to secret
 data "aws_iam_policy_document" "sm_resource_policy_doc" {
-  statement = {
+  statement {
     sid    = "DenyWriteToAllExceptSAMLUsers"
     effect = "Deny"
 
-    principals = {
+    principals {
       type        = "AWS"
       identifiers = ["*"]
     }
 
-    actions   = ["${local.sm_write_actions}"]
-    resources = ["${local.sm_arn}"]
+    actions   = local.sm_write_actions
+    resources = [local.sm_arn]
 
-    condition = {
+    condition {
       test     = "StringNotLike"
       variable = "aws:userId"
-      values   = ["${local.saml_user_ids}"]
+      values   = local.saml_user_ids
     }
   }
 
-  statement = {
+  statement {
     sid    = "DenyReadToAllExceptRoleAndSAMLUsers"
     effect = "Deny"
 
-    principals = {
+    principals {
       type        = "AWS"
       identifiers = ["*"]
     }
 
-    actions   = ["${local.sm_read_actions}"]
-    resources = ["${local.sm_arn}"]
+    actions   = local.sm_read_actions
+    resources = [local.sm_arn]
 
-    condition = {
+    condition {
       test     = "StringNotLike"
       variable = "aws:userId"
-      values   = ["${local.role_and_saml_ids}"]
+      values   = local.role_and_saml_ids
     }
   }
 
-  statement = {
+  statement {
     sid    = "AllowWriteToSAMLUsers"
     effect = "Allow"
 
-    principals = {
+    principals {
       type        = "AWS"
       identifiers = ["*"]
     }
 
-    actions   = ["${local.sm_write_actions}"]
-    resources = ["${local.sm_arn}"]
+    actions   = local.sm_write_actions
+    resources = [local.sm_arn]
 
-    condition = {
+    condition {
       test     = "StringLike"
       variable = "aws:userId"
-      values   = ["${local.saml_user_ids}"]
+      values   = local.saml_user_ids
     }
   }
 
-  statement = {
+  statement {
     sid    = "AllowReadRoleAndSAMLUsers"
     effect = "Allow"
 
-    principals = {
+    principals {
       type        = "AWS"
       identifiers = ["*"]
     }
 
-    actions   = ["${local.sm_read_actions}"]
-    resources = ["${local.sm_arn}"]
+    actions   = local.sm_read_actions
+    resources = [local.sm_arn]
 
-    condition = {
+    condition {
       test     = "StringLike"
       variable = "aws:userId"
-      values   = ["${local.role_and_saml_ids}"]
+      values   = local.role_and_saml_ids
     }
   }
 }
 
 # The users (email addresses) from the saml role to give access
 variable "secrets_saml_users" {
-  type = "list"
+  type = list(string)
 }
diff --git a/env/dev/variables.tf b/env/dev/variables.tf
index 0614ba6..7aef0a6 100644
--- a/env/dev/variables.tf
+++ b/env/dev/variables.tf
@@ -11,19 +11,22 @@ variable "region" {
 
 # Tags for the infrastructure
 variable "tags" {
-  type = "map"
+  type = map(string)
 }
 
 # The application's name
-variable "app" {}
+variable "app" {
+}
 
 # The environment that is being built
-variable "environment" {}
+variable "environment" {
+}
 
 # The port the container will listen on, used for load balancer health check
 # Best practice is that this value is higher than 1024 so the container processes
 # isn't running at root.
-variable "container_port" {}
+variable "container_port" {
+}
 
 # The port the load balancer will listen on
 variable "lb_port" {
@@ -38,10 +41,13 @@ variable "lb_protocol" {
 # Network configuration
 
 # The VPC to use for the Fargate cluster
-variable "vpc" {}
+variable "vpc" {
+}
 
 # The private subnets, minimum of 2, that are a part of the VPC(s)
-variable "private_subnets" {}
+variable "private_subnets" {
+}
 
 # The public subnets, minimum of 2, that are a part of the VPC(s)
-variable "public_subnets" {}
+variable "public_subnets" {
+}