From c2a1401bcb01a3c08a18a685f5bcfb80cdac059a Mon Sep 17 00:00:00 2001 
From: Bohdan Yurov Date: Thu, 13 Jun 2019 20:14:06 +0300 Subject: [PATCH] Fixes #158: Add support for Terraform v0.12 https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/158 https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/75 Add support for TF 0.12. - autogen - root and private_cluster modules - tests (including support for validation) - examples --- CHANGELOG.md | 11 + Gemfile | 2 +- Makefile | 2 +- README.md | 78 +---- auth.tf | 6 +- autogen/README.md | 6 +- autogen/auth.tf | 10 +- autogen/cluster_regional.tf | 281 +++++++++++----- autogen/cluster_zonal.tf | 270 +++++++++++----- autogen/dns.tf | 58 +++- autogen/main.tf | 299 +++++++++++------ autogen/masq.tf | 14 +- autogen/networks.tf | 24 +- autogen/outputs.tf | 44 +-- autogen/sa.tf | 37 ++- autogen/variables.tf | 65 +++- autogen/versions.tf | 19 ++ cluster_regional.tf | 213 ++++++++---- cluster_zonal.tf | 209 ++++++++---- dns.tf | 58 +++- examples/deploy_service/main.tf | 35 +- examples/deploy_service/outputs.tf | 9 +- examples/disable_client_cert/main.tf | 24 +- examples/disable_client_cert/outputs.tf | 9 +- examples/disable_client_cert/variables.tf | 1 + examples/node_pool/main.tf | 53 ++- examples/node_pool/outputs.tf | 9 +- examples/node_pool/variables.tf | 3 +- examples/shared_vpc/main.tf | 23 +- examples/shared_vpc/outputs.tf | 9 +- examples/shared_vpc/variables.tf | 1 + examples/simple_regional/main.tf | 21 +- examples/simple_regional/outputs.tf | 9 +- examples/simple_regional/variables.tf | 1 + examples/simple_regional_beta/main.tf | 34 +- examples/simple_regional_beta/outputs.tf | 8 +- examples/simple_regional_beta/test_outputs.tf | 22 +- examples/simple_regional_beta/versions.tf | 19 ++ examples/simple_regional_private/main.tf | 41 +-- examples/simple_regional_private/outputs.tf | 9 +- examples/simple_regional_private/variables.tf | 1 + examples/simple_regional_private_beta/main.tf | 50 +-- 
.../simple_regional_private_beta/outputs.tf | 9 +- .../test_outputs.tf | 23 +- .../simple_regional_private_beta/variables.tf | 1 + .../simple_regional_private_beta/versions.tf | 19 ++ examples/simple_zonal/main.tf | 21 +- examples/simple_zonal/outputs.tf | 9 +- examples/simple_zonal/variables.tf | 3 +- examples/simple_zonal_private/main.tf | 43 +-- examples/simple_zonal_private/outputs.tf | 9 +- examples/simple_zonal_private/variables.tf | 3 +- examples/stub_domains/main.tf | 24 +- examples/stub_domains/outputs.tf | 9 +- examples/stub_domains/variables.tf | 1 + examples/stub_domains_private/main.tf | 52 +-- examples/stub_domains_private/outputs.tf | 9 +- examples/stub_domains_private/test_outputs.tf | 21 +- examples/stub_domains_private/variables.tf | 1 + .../stub_domains_upstream_nameservers/main.tf | 24 +- .../outputs.tf | 9 +- .../test_outputs.tf | 21 +- .../variables.tf | 1 + .../versions.tf | 19 ++ examples/upstream_nameservers/main.tf | 23 +- examples/upstream_nameservers/outputs.tf | 9 +- examples/upstream_nameservers/test_outputs.tf | 21 +- examples/upstream_nameservers/variables.tf | 1 + examples/upstream_nameservers/versions.tf | 19 ++ examples/workload_metadata_config/main.tf | 43 +-- examples/workload_metadata_config/outputs.tf | 9 +- .../workload_metadata_config/variables.tf | 3 +- examples/workload_metadata_config/versions.tf | 19 ++ main.tf | 264 ++++++++++----- masq.tf | 14 +- modules/beta-private-cluster/README.md | 91 +----- modules/beta-private-cluster/auth.tf | 6 +- .../beta-private-cluster/cluster_regional.tf | 263 ++++++++++----- modules/beta-private-cluster/cluster_zonal.tf | 256 ++++++++++----- modules/beta-private-cluster/dns.tf | 58 +++- modules/beta-private-cluster/main.tf | 303 +++++++++++------- modules/beta-private-cluster/masq.tf | 14 +- modules/beta-private-cluster/networks.tf | 16 +- modules/beta-private-cluster/outputs.tf | 44 +-- modules/beta-private-cluster/sa.tf | 37 ++- modules/beta-private-cluster/variables.tf | 121 ++++--- 
modules/beta-private-cluster/versions.tf | 19 ++ modules/beta-public-cluster/README.md | 87 +---- modules/beta-public-cluster/auth.tf | 6 +- .../beta-public-cluster/cluster_regional.tf | 258 +++++++++++---- modules/beta-public-cluster/cluster_zonal.tf | 251 +++++++++++---- modules/beta-public-cluster/dns.tf | 58 +++- modules/beta-public-cluster/main.tf | 298 ++++++++++------- modules/beta-public-cluster/masq.tf | 14 +- modules/beta-public-cluster/networks.tf | 16 +- modules/beta-public-cluster/outputs.tf | 44 +-- modules/beta-public-cluster/sa.tf | 37 ++- modules/beta-public-cluster/variables.tf | 109 ++++--- modules/beta-public-cluster/versions.tf | 19 ++ modules/private-cluster/README.md | 82 +---- modules/private-cluster/auth.tf | 6 +- modules/private-cluster/cluster_regional.tf | 218 +++++++++---- modules/private-cluster/cluster_zonal.tf | 214 +++++++++---- modules/private-cluster/dns.tf | 58 +++- modules/private-cluster/main.tf | 273 ++++++++++------ modules/private-cluster/masq.tf | 14 +- modules/private-cluster/networks.tf | 16 +- modules/private-cluster/outputs.tf | 38 +-- modules/private-cluster/sa.tf | 37 ++- modules/private-cluster/variables.tf | 119 ++++--- modules/private-cluster/versions.tf | 19 ++ networks.tf | 16 +- outputs.tf | 38 +-- sa.tf | 37 ++- test/fixtures/all_examples/test_outputs.tf | 20 +- test/fixtures/deploy_service/example.tf | 15 +- test/fixtures/deploy_service/network.tf | 9 +- test/fixtures/disable_client_cert/example.tf | 19 +- test/fixtures/disable_client_cert/network.tf | 10 +- test/fixtures/node_pool/example.tf | 17 +- test/fixtures/node_pool/network.tf | 9 +- test/fixtures/shared/outputs.tf | 29 +- test/fixtures/shared/variables.tf | 3 +- test/fixtures/shared_vpc/example.tf | 17 +- test/fixtures/shared_vpc/network.tf | 9 +- test/fixtures/simple_regional/example.tf | 15 +- test/fixtures/simple_regional/network.tf | 9 +- .../simple_regional_private/example.tf | 15 +- .../simple_regional_private/network.tf | 13 +- 
test/fixtures/simple_zonal/example.tf | 15 +- test/fixtures/simple_zonal/network.tf | 9 +- test/fixtures/simple_zonal_private/example.tf | 17 +- test/fixtures/simple_zonal_private/network.tf | 13 +- test/fixtures/stub_domains/example.tf | 15 +- test/fixtures/stub_domains/network.tf | 9 +- test/fixtures/stub_domains_private/main.tf | 25 +- .../example.tf | 15 +- .../network.tf | 7 +- .../versions.tf | 4 + test/fixtures/upstream_nameservers/example.tf | 15 +- test/fixtures/upstream_nameservers/network.tf | 7 +- .../fixtures/upstream_nameservers/versions.tf | 4 + .../workload_metadata_config/example.tf | 16 +- .../workload_metadata_config/network.tf | 10 +- .../workload_metadata_config/versions.tf | 19 ++ variables.tf | 107 ++++--- versions.tf | 19 ++ 147 files changed, 4385 insertions(+), 2613 deletions(-) create mode 100644 autogen/versions.tf create mode 100644 examples/simple_regional_beta/versions.tf create mode 100644 examples/simple_regional_private_beta/versions.tf create mode 100644 examples/stub_domains_upstream_nameservers/versions.tf create mode 100644 examples/upstream_nameservers/versions.tf create mode 100644 examples/workload_metadata_config/versions.tf create mode 100644 modules/beta-private-cluster/versions.tf create mode 100644 modules/beta-public-cluster/versions.tf create mode 100644 modules/private-cluster/versions.tf create mode 100644 test/fixtures/stub_domains_upstream_nameservers/versions.tf create mode 100644 test/fixtures/upstream_nameservers/versions.tf create mode 100644 test/fixtures/workload_metadata_config/versions.tf create mode 100644 versions.tf diff --git a/CHANGELOG.md b/CHANGELOG.md index 2f1269c5f0..f0948c4ef1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ Extending the adopted spec, each change should have a link to its corresponding ## [Unreleased] +<<<<<<< HEAD ## [v3.0.0] - 2019-07-08 ### Added 
@@ -15,6 +16,16 @@ Extending the adopted spec, each change should have a link to its corresponding * Add configuration flag for enable BinAuthZ Admission controller [#160] [#188] * Add configuration flag for `pod_security_policy_config` [#163] [#188] * Support for a guest accelerator in node pool configuration. [#197] +======= +## [2.0.0] 2019-06-ZZ + +### Changed + +* Supported version of Terraform is 0.12. [#58] +* Add configuration flag for enable BinAuthZ Admission controller [#160] +* Add configuration flag for `pod_security_policy_config` [#163] +* Support for a guest accelerator in node pool configuration. [#157] +>>>>>>> Fixes #158: Add support for Terraform v0.12 * Support to scale the default node cluster. [#149] * Support for configuring the network policy provider. [#159] * Support for database encryption. [#165] diff --git a/Gemfile b/Gemfile index 2fffe26f1f..a54d14ec29 100644 --- a/Gemfile +++ b/Gemfile @@ -15,7 +15,7 @@ ruby "~> 2.5" source 'https://rubygems.org/' do - gem "kitchen-terraform", "~> 4.0" + gem "kitchen-terraform", "~> 4.9" gem "kubeclient", "~> 4.0" gem "rest-client", "~> 2.0" end diff --git a/Makefile b/Makefile index ccf08a8d6d..27ecbaf396 100644 --- a/Makefile +++ b/Makefile @@ -18,7 +18,7 @@ SHELL := /usr/bin/env bash # Docker build config variables CREDENTIALS_PATH ?= /cft/workdir/credentials.json DOCKER_ORG := gcr.io/cloud-foundation-cicd -DOCKER_TAG_BASE_KITCHEN_TERRAFORM ?= 1.3.0 +DOCKER_TAG_BASE_KITCHEN_TERRAFORM ?= 2.0.0 DOCKER_REPO_BASE_KITCHEN_TERRAFORM := ${DOCKER_ORG}/cft/kitchen-terraform:${DOCKER_TAG_BASE_KITCHEN_TERRAFORM} DOCKER_TAG_KITCHEN_TERRAFORM ?= ${DOCKER_TAG_BASE_KITCHEN_TERRAFORM} DOCKER_IMAGE_KITCHEN_TERRAFORM := ${DOCKER_ORG}/cft/kitchen-terraform_terraform-google-kubernetes-engine diff --git a/README.md b/README.md index f175e8d507..ec8cb68ce8 100644 --- a/README.md +++ b/README.md @@ -56,7 +56,7 @@ module "gke" { all = {} default-node-pool = { - default-node-pool = "true" + default-node-pool = true } } 
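Review bot: The CHANGELOG hunk commits unresolved merge-conflict markers — `<<<<<<< HEAD`, `=======` and `>>>>>>> Fixes #158: Add support for Terraform v0.12` — so both the `## [v3.0.0] - 2019-07-08` section and the competing `## [2.0.0] 2019-06-ZZ` section land in the file and the markers render verbatim. The two halves also duplicate three bullets with differing issue references (for example `[#160] [#188]` versus `[#160]`), so the conflict needs to be resolved to a single heading with one merged bullet list rather than both kept. The `2019-06-ZZ` date is a placeholder and should either be the actual release date or be dropped before merging.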
@@ -74,7 +74,7 @@ module "gke" { default-node-pool = [ { key = "default-node-pool" - value = "true" + value = true effect = "PREFER_NO_SCHEDULE" }, ] 
@@ -114,78 +114,6 @@ Version 1.0.0 of this module introduces a breaking change: adding the `disable-l In either case, upgrading to module version `v1.0.0` will trigger a recreation of all node pools in the cluster. [^]: (autogen_docs_start) - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|:----:|:-----:|:-----:| -| basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | -| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | -| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | string | `""` | no | -| configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | string | `"false"` | no | -| description | The description of the cluster | string | `""` | no | -| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no | -| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no | -| http\_load\_balancing | Enable httpload balancer addon | string | `"true"` | no | -| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | string | `"0"` | no | -| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | string | `"false"` | no | -| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. 
| string | `"60s"` | no | -| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes | -| ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes | -| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | string | `"false"` | no | -| kubernetes\_dashboard | Enable kubernetes dashboard addon | string | `"false"` | no | -| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no | -| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com"` | no | -| maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no | -| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. Omit the nested cidr_blocks attribute to disallow external access (except the cluster node IPs, which GKE automatically whitelists)

### example format ### master_authorized_networks_config = [{ cidr_blocks = [{ cidr_block = "10.0.0.0/8" display_name = "example_network" }], }] | list | `` | no | -| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com"` | no | -| name | The name of the cluster (required) | string | n/a | yes | -| network | The VPC network to host the cluster in (required) | string | n/a | yes | -| network\_policy | Enable network policy addon | string | `"false"` | no | -| network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no | -| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | -| node\_pools | List of maps containing node pools | list | `` | no | -| node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `` | no | -| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map | `` | no | -| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map | `` | no | -| node\_pools\_tags | Map of lists containing node network tags by node-pool name | map | `` | no | -| node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `` | no | -| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no | -| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. 
| list | `` | no | -| project\_id | The project ID to host the cluster in (required) | string | n/a | yes | -| region | The region to host the cluster in (required) | string | n/a | yes | -| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no | -| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | string | `"false"` | no | -| service\_account | The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created. | string | `"create"` | no | -| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `` | no | -| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | -| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list | `` | no | -| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| ca\_certificate | Cluster ca certificate (base64 encoded) | -| endpoint | Cluster endpoint | -| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | -| http\_load\_balancing\_enabled | Whether http load balancing enabled | -| kubernetes\_dashboard\_enabled | Whether kubernetes dashboard enabled | -| location | Cluster location (region if regional cluster, zone if zonal cluster) | -| logging\_service | Logging service used | -| master\_authorized\_networks\_config | Networks from which access to master is permitted | -| master\_version | Current master kubernetes version | -| min\_master\_version | Minimum master kubernetes version | -| monitoring\_service | Monitoring service used | -| name | Cluster name | -| 
network\_policy\_enabled | Whether network policy enabled | -| node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | -| region | Cluster region | -| service\_account | The service account to default running nodes as if not overridden in `node_pools`. | -| type | Cluster type (regional / zonal) | -| zones | List of zones in which the cluster resides | - [^]: (autogen_docs_end) ## Requirements @@ -203,7 +131,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog #### Kubectl - [kubectl](https://github.com/kubernetes/kubernetes/releases) 1.9.x #### Terraform and Plugins -- [Terraform](https://www.terraform.io/downloads.html) 0.11.x +- [Terraform](https://www.terraform.io/downloads.html) 0.12 - [Terraform Provider for GCP][terraform-provider-google] v2.9 ### Configure a Service Account diff --git a/auth.tf b/auth.tf index 5ad4160145..48e7cc6a5f 100644 --- a/auth.tf +++ b/auth.tf @@ -20,7 +20,7 @@ Retrieve authentication token *****************************************/ data "google_client_config" "default" { - provider = "google" + provider = google } /****************************************** @@ -29,6 +29,6 @@ data "google_client_config" "default" { provider "kubernetes" { load_config_file = false host = "https://${local.cluster_endpoint}" - token = "${data.google_client_config.default.access_token}" - cluster_ca_certificate = "${base64decode(local.cluster_ca_certificate)}" + token = data.google_client_config.default.access_token + cluster_ca_certificate = base64decode(local.cluster_ca_certificate) } diff --git a/autogen/README.md b/autogen/README.md index e43b896ede..e66c920a78 100644 --- a/autogen/README.md +++ b/autogen/README.md @@ -70,7 +70,7 @@ module "gke" { all = {} default-node-pool = { - default-node-pool = "true" + default-node-pool = true } } 
@@ -88,7 +88,7 @@ module "gke" { default-node-pool = [ { key = "default-node-pool" - value = "true" + value = true effect = "PREFER_NO_SCHEDULE" }, ] @@ -145,7 +145,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog #### Kubectl - [kubectl](https://github.com/kubernetes/kubernetes/releases) 1.9.x #### Terraform and Plugins -- [Terraform](https://www.terraform.io/downloads.html) 0.11.x +- [Terraform](https://www.terraform.io/downloads.html) 0.12 {% if private_cluster or beta_cluster %} - [Terraform Provider for GCP Beta][terraform-provider-google-beta] v2.9 {% else %} diff --git a/autogen/auth.tf b/autogen/auth.tf index a16136fccf..21275cd41e 100644 --- a/autogen/auth.tf +++ b/autogen/auth.tf @@ -20,7 +20,11 @@ Retrieve authentication token *****************************************/ data "google_client_config" "default" { - provider = "{% if private_cluster or beta_cluster %}google-beta{% else %}google{% endif %}" + {% if private_cluster or beta_cluster %} + provider = google-beta + {% else %} + provider = google + {% endif %} } /****************************************** @@ -29,6 +33,6 @@ data "google_client_config" "default" { provider "kubernetes" { load_config_file = false host = "https://${local.cluster_endpoint}" - token = "${data.google_client_config.default.access_token}" - cluster_ca_certificate = "${base64decode(local.cluster_ca_certificate)}" + token = data.google_client_config.default.access_token + cluster_ca_certificate = base64decode(local.cluster_ca_certificate) } diff --git a/autogen/cluster_regional.tf b/autogen/cluster_regional.tf index 6dcd2e01ed..c4354f92ca 100644 --- a/autogen/cluster_regional.tf +++ b/autogen/cluster_regional.tf 
@@ -20,78 +20,120 @@ Create regional cluster *****************************************/ resource "google_container_cluster" "primary" { - provider = "{% if private_cluster or beta_cluster %}google-beta{% else %}google{% endif %}" - count = "${var.regional ? 1 : 0}" - name = "${var.name}" - description = "${var.description}" - project = "${var.project_id}" - - region = "${var.region}" - node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] - cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" - network_policy = "${local.cluster_network_policy["${var.network_policy ? "enabled" : "disabled"}"]}" - - subnetwork = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}" - min_master_version = "${local.kubernetes_version_regional}" - - logging_service = "${var.logging_service}" - monitoring_service = "${var.monitoring_service}" - - {% if beta_cluster %} - enable_binary_authorization = "${var.enable_binary_authorization}" - pod_security_policy_config = "${var.pod_security_policy_config}" + {% if private_cluster or beta_cluster %} + provider = google-beta + {% else %} + provider = google {% endif %} - master_authorized_networks_config = ["${var.master_authorized_networks_config}"] + + count = var.regional ? 
1 : 0 + name = var.name + description = var.description + project = var.project_id + + region = var.region + + node_locations = coalescelist( + compact(var.zones), + sort(random_shuffle.available_zones.result), + ) + + cluster_ipv4_cidr = var.cluster_ipv4_cidr + network = data.google_compute_network.gke_network.self_link + + dynamic "network_policy" { + for_each = local.cluster_network_policy + + content { + enabled = network_policy.value.enabled + provider = network_policy.value.provider + } + } + + subnetwork = data.google_compute_subnetwork.gke_subnetwork.self_link + min_master_version = local.kubernetes_version_regional + + logging_service = var.logging_service + monitoring_service = var.monitoring_service + +{% if beta_cluster %} + enable_binary_authorization = var.enable_binary_authorization + + dynamic "pod_security_policy_config" { + for_each = var.pod_security_policy_config + content { + enabled = pod_security_policy_config.value.enabled + } + } + +{% endif %} + dynamic "master_authorized_networks_config" { + for_each = var.master_authorized_networks_config + content { + dynamic "cidr_blocks" { + for_each = master_authorized_networks_config.value.cidr_blocks + content { + cidr_block = lookup(cidr_blocks.value, "cidr_block", "") + display_name = lookup(cidr_blocks.value, "display_name", "") + } + } + } + } master_auth { - username = "${var.basic_auth_username}" - password = "${var.basic_auth_password}" + username = var.basic_auth_username + password = var.basic_auth_password client_certificate_config { - issue_client_certificate = "${var.issue_client_certificate}" + issue_client_certificate = var.issue_client_certificate } } addons_config { http_load_balancing { - disabled = "${var.http_load_balancing ? 0 : 1}" + disabled = ! var.http_load_balancing } horizontal_pod_autoscaling { - disabled = "${var.horizontal_pod_autoscaling ? 0 : 1}" + disabled = ! var.horizontal_pod_autoscaling } kubernetes_dashboard { - disabled = "${var.kubernetes_dashboard ? 
0 : 1}" + disabled = ! var.kubernetes_dashboard } network_policy_config { - disabled = "${var.network_policy ? 0 : 1}" + disabled = ! var.network_policy } {% if beta_cluster %} istio_config { - disabled = "${var.istio ? 0 : 1}" + disabled = ! var.istio } - cloudrun_config = "${local.cluster_cloudrun_config["${var.cloudrun ? "enabled" : "disabled"}"]}" + dynamic "cloudrun_config" { + for_each = local.cluster_cloudrun_config + + content { + disabled = cloudrun_config.value.disabled + } + } {% endif %} } ip_allocation_policy { - cluster_secondary_range_name = "${var.ip_range_pods}" - services_secondary_range_name = "${var.ip_range_services}" + cluster_secondary_range_name = var.ip_range_pods + services_secondary_range_name = var.ip_range_services } maintenance_policy { daily_maintenance_window { - start_time = "${var.maintenance_start_time}" + start_time = var.maintenance_start_time } } lifecycle { - ignore_changes = ["node_pool"] + ignore_changes = [node_pool] } timeouts { 
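Review bot: In the new `master_authorized_networks_config` dynamic block, `cidr_block = lookup(cidr_blocks.value, "cidr_block", "")` turns a missing `cidr_block` key into an empty string that is sent to the API instead of failing validation; since this block is the control-plane access allowlist, a required field should not be silently defaulted — `cidr_block = cidr_blocks.value.cidr_block` makes a malformed entry a plan-time error, while `display_name` can keep its `lookup` default. Separately, `network` and `subnetwork` now pass the raw `self_link` where the 0.11 code stripped the `https://www.googleapis.com/compute/v1/` prefix; if the provider does not normalise the two forms, existing state would show a diff on an attribute that forces replacement, so this is worth confirming with a plan against an existing cluster. The `google_container_cluster.primary` resource continues past the end of this hunk.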
@@ -102,28 +144,42 @@ resource "google_container_cluster" "primary" { node_pool { name = "default-pool" - initial_node_count = "${var.initial_node_count}" + initial_node_count = var.initial_node_count node_config { - service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}" + service_account = lookup(var.node_pools[0], "service_account", local.service_account) {% if beta_cluster %} - workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}" + dynamic "workload_metadata_config" { + for_each = local.cluster_node_metadata_config + + content { + node_metadata = workload_metadata_config.value.node_metadata + } + } {% endif %} } } -{% if private_cluster %} +{% if private_cluster %} private_cluster_config { - enable_private_endpoint = "${var.enable_private_endpoint}" - enable_private_nodes = "${var.enable_private_nodes}" - master_ipv4_cidr_block = "${var.master_ipv4_cidr_block}" + enable_private_endpoint = var.enable_private_endpoint + enable_private_nodes = var.enable_private_nodes + master_ipv4_cidr_block = var.master_ipv4_cidr_block } {% endif %} - remove_default_node_pool = "${var.remove_default_node_pool}" + remove_default_node_pool = var.remove_default_node_pool {% if beta_cluster %} - database_encryption = ["${var.database_encryption}"] + + dynamic "database_encryption" { + for_each = var.database_encryption + + content { + key_name = database_encryption.value.key_name + state = database_encryption.value.state + } + } {% endif %} } 
@@ -131,55 +187,115 @@ resource "google_container_cluster" "primary" { Create regional node pools *****************************************/ resource "google_container_node_pool" "pools" { - provider = "google-beta" - count = "${var.regional ? length(var.node_pools) : 0}" - name = "${lookup(var.node_pools[count.index], "name")}" - project = "${var.project_id}" - region = "${var.region}" - cluster = "${google_container_cluster.primary.name}" - version = "${lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(var.node_pools[count.index], "version", local.node_version_regional)}" - initial_node_count = "${lookup(var.node_pools[count.index], "initial_node_count", lookup(var.node_pools[count.index], "min_count", 1))}" + provider = google-beta + count = var.regional ? length(var.node_pools) : 0 + name = var.node_pools[count.index]["name"] + project = var.project_id + region = var.region + cluster = google_container_cluster.primary[0].name + version = lookup(var.node_pools[count.index], "auto_upgrade", false) ? 
"" : lookup( + var.node_pools[count.index], + "version", + local.node_version_regional, + ) + initial_node_count = lookup( + var.node_pools[count.index], + "initial_node_count", + lookup(var.node_pools[count.index], "min_count", 1), + ) autoscaling { - min_node_count = "${lookup(var.node_pools[count.index], "min_count", 1)}" - max_node_count = "${lookup(var.node_pools[count.index], "max_count", 100)}" + min_node_count = lookup(var.node_pools[count.index], "min_count", 1) + max_node_count = lookup(var.node_pools[count.index], "max_count", 100) } management { - auto_repair = "${lookup(var.node_pools[count.index], "auto_repair", true)}" - auto_upgrade = "${lookup(var.node_pools[count.index], "auto_upgrade", true)}" + auto_repair = lookup(var.node_pools[count.index], "auto_repair", true) + auto_upgrade = lookup(var.node_pools[count.index], "auto_upgrade", true) } node_config { - image_type = "${lookup(var.node_pools[count.index], "image_type", "COS")}" - machine_type = "${lookup(var.node_pools[count.index], "machine_type", "n1-standard-2")}" - labels = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_labels["all"], var.node_pools_labels[lookup(var.node_pools[count.index], "name")])}" - metadata = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_metadata["all"], var.node_pools_metadata[lookup(var.node_pools[count.index], "name")], map("disable-legacy-endpoints", var.disable_legacy_metadata_endpoints))}" - taint = "${concat(var.node_pools_taints["all"], var.node_pools_taints[lookup(var.node_pools[count.index], "name")])}" - tags = ["${concat(list("gke-${var.name}"), list("gke-${var.name}-${lookup(var.node_pools[count.index], "name")}"), var.node_pools_tags["all"], var.node_pools_tags[lookup(var.node_pools[count.index], "name")])}"] - - disk_size_gb = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}" - disk_type = 
"${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}" - service_account = "${lookup(var.node_pools[count.index], "service_account", local.service_account)}" - preemptible = "${lookup(var.node_pools[count.index], "preemptible", false)}" - - oauth_scopes = [ - "${concat(var.node_pools_oauth_scopes["all"], - var.node_pools_oauth_scopes[lookup(var.node_pools[count.index], "name")])}", - ] - - guest_accelerator { - type = "${lookup(var.node_pools[count.index], "accelerator_type", "")}" - count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}" + image_type = lookup(var.node_pools[count.index], "image_type", "COS") + machine_type = lookup(var.node_pools[count.index], "machine_type", "n1-standard-2") + labels = merge( + { + "cluster_name" = var.name + }, + { + "node_pool" = var.node_pools[count.index]["name"] + }, + var.node_pools_labels["all"], + var.node_pools_labels[var.node_pools[count.index]["name"]], + ) + metadata = merge( + { + "cluster_name" = var.name + }, + { + "node_pool" = var.node_pools[count.index]["name"] + }, + var.node_pools_metadata["all"], + var.node_pools_metadata[var.node_pools[count.index]["name"]], + { + "disable-legacy-endpoints" = var.disable_legacy_metadata_endpoints + }, + ) + dynamic "taint" { + for_each = concat( + var.node_pools_taints["all"], + var.node_pools_taints[var.node_pools[count.index]["name"]], + ) + content { + effect = taint.value.effect + key = taint.value.key + value = taint.value.value + } + } + tags = concat( + ["gke-${var.name}"], + ["gke-${var.name}-${var.node_pools[count.index]["name"]}"], + var.node_pools_tags["all"], + var.node_pools_tags[var.node_pools[count.index]["name"]], + ) + + disk_size_gb = lookup(var.node_pools[count.index], "disk_size_gb", 100) + disk_type = lookup(var.node_pools[count.index], "disk_type", "pd-standard") + service_account = lookup( + var.node_pools[count.index], + "service_account", + local.service_account, + ) + preemptible = lookup(var.node_pools[count.index], 
"preemptible", false) + + oauth_scopes = concat( + var.node_pools_oauth_scopes["all"], + var.node_pools_oauth_scopes[var.node_pools[count.index]["name"]] + ) + + dynamic "guest_accelerator" { + for_each = lookup(var.node_pools[count.index], "accelerator_count", 0) > 0 ? [{ + type = lookup(var.node_pools[count.index], "accelerator_type", "") + count = lookup(var.node_pools[count.index], "accelerator_count", 0) + }] : [] + content { + type = guest_accelerator.value.type + count = guest_accelerator.value.count + } } {% if beta_cluster %} - workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}" + dynamic "workload_metadata_config" { + for_each = local.cluster_node_metadata_config + + content { + node_metadata = workload_metadata_config.value.node_metadata + } + } {% endif %} } lifecycle { - ignore_changes = ["initial_node_count"] + ignore_changes = [initial_node_count] } timeouts { @@ -190,16 +306,19 @@ resource "google_container_node_pool" "pools" { } resource "null_resource" "wait_for_regional_cluster" { - count = "${var.regional ? 1 : 0}" + count = var.regional ? 1 : 0 provisioner "local-exec" { command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" } provisioner "local-exec" { - when = "destroy" + when = destroy command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" } - depends_on = ["google_container_cluster.primary", "google_container_node_pool.pools"] + depends_on = [ + google_container_cluster.primary, + google_container_node_pool.pools, + ] } diff --git a/autogen/cluster_zonal.tf b/autogen/cluster_zonal.tf index 24ed5671e6..9f3d6c4273 100644 --- a/autogen/cluster_zonal.tf +++ b/autogen/cluster_zonal.tf 
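Review bot: The `version` expression in `google_container_node_pool.pools` defaults `auto_upgrade` to `false` (`lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(...)`) while the `management` block a few lines below defaults the same key to `true`; a pool that omits `auto_upgrade` therefore gets a pinned `version` together with auto-upgrade enabled, which the provider will report as drift after GKE upgrades the nodes. This mismatch appears to be carried over from the 0.11 code rather than introduced here, but the rewrite is the natural place to align the two defaults, e.g. `version = lookup(var.node_pools[count.index], "auto_upgrade", true) ? "" : lookup(...)` so that unpinned pools stay on auto-upgrade. The map indexing `var.node_pools_oauth_scopes[var.node_pools[count.index]["name"]]` (and the same pattern for labels, metadata, tags and taints) still errors when a pool has no entry in the map; if that is intended as a required-key contract it deserves a comment, otherwise `lookup(..., name, [])` would make the per-pool entries optional.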
@@ -20,79 +20,115 @@ Create zonal cluster *****************************************/ resource "google_container_cluster" "zonal_primary" { - provider = "{% if private_cluster or beta_cluster %}google-beta{% else %}google{% endif %}" - count = "${var.regional ? 0 : 1}" - name = "${var.name}" - description = "${var.description}" - project = "${var.project_id}" + {% if private_cluster or beta_cluster %} + provider = google-beta + {% else %} + provider = google + {% endif %} - zone = "${var.zones[0]}" - node_locations = ["${slice(var.zones,1,length(var.zones))}"] - cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" - network_policy = "${local.cluster_network_policy["${var.network_policy ? "enabled" : "disabled"}"]}" + count = var.regional ? 0 : 1 + name = var.name + description = var.description + project = var.project_id - subnetwork = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}" - min_master_version = "${local.kubernetes_version_zonal}" + zone = var.zones[0] + node_locations = slice(var.zones, 1, length(var.zones)) + cluster_ipv4_cidr = var.cluster_ipv4_cidr + network = data.google_compute_network.gke_network.self_link - logging_service = "${var.logging_service}" - monitoring_service = "${var.monitoring_service}" + dynamic "network_policy" { + for_each = local.cluster_network_policy - {% if beta_cluster %} - enable_binary_authorization = "${var.enable_binary_authorization}" - pod_security_policy_config = "${var.pod_security_policy_config}" + content { + enabled = network_policy.value.enabled + provider = network_policy.value.provider + } + } - {% endif %} - master_authorized_networks_config = ["${var.master_authorized_networks_config}"] + subnetwork = data.google_compute_subnetwork.gke_subnetwork.self_link + min_master_version = local.kubernetes_version_zonal + + logging_service = 
var.logging_service + monitoring_service = var.monitoring_service + +{% if beta_cluster %} + enable_binary_authorization = var.enable_binary_authorization + + dynamic "pod_security_policy_config" { + for_each = var.pod_security_policy_config + content { + enabled = pod_security_policy_config.value.enabled + } + } + +{% endif %} + dynamic "master_authorized_networks_config" { + for_each = var.master_authorized_networks_config + content { + dynamic "cidr_blocks" { + for_each = master_authorized_networks_config.value.cidr_blocks + content { + cidr_block = lookup(cidr_blocks.value, "cidr_block", "") + display_name = lookup(cidr_blocks.value, "display_name", "") + } + } + } + } master_auth { - username = "${var.basic_auth_username}" - password = "${var.basic_auth_password}" + username = var.basic_auth_username + password = var.basic_auth_password client_certificate_config { - issue_client_certificate = "${var.issue_client_certificate}" + issue_client_certificate = var.issue_client_certificate } } addons_config { http_load_balancing { - disabled = "${var.http_load_balancing ? 0 : 1}" + disabled = ! var.http_load_balancing } horizontal_pod_autoscaling { - disabled = "${var.horizontal_pod_autoscaling ? 0 : 1}" + disabled = ! var.horizontal_pod_autoscaling } kubernetes_dashboard { - disabled = "${var.kubernetes_dashboard ? 0 : 1}" + disabled = ! var.kubernetes_dashboard } network_policy_config { - disabled = "${var.network_policy ? 0 : 1}" + disabled = ! var.network_policy } {% if beta_cluster %} istio_config { - disabled = "${var.istio ? 0 : 1}" + disabled = ! var.istio } - cloudrun_config = "${local.cluster_cloudrun_config["${var.cloudrun ? 
"enabled" : "disabled"}"]}" + dynamic "cloudrun_config" { + for_each = local.cluster_cloudrun_config + + content { + disabled = cloudrun_config.value.disabled + } + } {% endif %} } ip_allocation_policy { - cluster_secondary_range_name = "${var.ip_range_pods}" - services_secondary_range_name = "${var.ip_range_services}" + cluster_secondary_range_name = var.ip_range_pods + services_secondary_range_name = var.ip_range_services } maintenance_policy { daily_maintenance_window { - start_time = "${var.maintenance_start_time}" + start_time = var.maintenance_start_time } } lifecycle { - ignore_changes = ["node_pool"] + ignore_changes = [node_pool] } timeouts { 
@@ -103,28 +139,42 @@ resource "google_container_cluster" "zonal_primary" { node_pool { name = "default-pool" - initial_node_count = "${var.initial_node_count}" + initial_node_count = var.initial_node_count node_config { - service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}" + service_account = lookup(var.node_pools[0], "service_account", local.service_account) {% if beta_cluster %} - workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}" + dynamic "workload_metadata_config" { + for_each = local.cluster_node_metadata_config + + content { + node_metadata = workload_metadata_config.value.node_metadata + } + } {% endif %} } } -{% if private_cluster %} +{% if private_cluster %} private_cluster_config { - enable_private_endpoint = "${var.enable_private_endpoint}" - enable_private_nodes = "${var.enable_private_nodes}" - master_ipv4_cidr_block = "${var.master_ipv4_cidr_block}" + enable_private_endpoint = var.enable_private_endpoint + enable_private_nodes = var.enable_private_nodes + master_ipv4_cidr_block = var.master_ipv4_cidr_block } {% endif %} - remove_default_node_pool = "${var.remove_default_node_pool}" + remove_default_node_pool = var.remove_default_node_pool {% if beta_cluster %} - database_encryption = ["${var.database_encryption}"] + + dynamic "database_encryption" { + for_each = var.database_encryption + + content { + key_name = database_encryption.value.key_name + state = database_encryption.value.state + } + } {% endif %} } 
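Review bot: The default pool's `node_config` on the new side sets only `service_account` (plus `workload_metadata_config` in the beta template), so unlike the `zonal_pools` resource it passes no `oauth_scopes` and no `metadata = { "disable-legacy-endpoints" = var.disable_legacy_metadata_endpoints }`; when `remove_default_node_pool` is false the `default-pool` nodes therefore run with whatever the provider and GKE defaults are, and the cluster's `lifecycle { ignore_changes = [node_pool] }` earlier in this file means Terraform will never reconcile that. Either add the same `metadata` and `oauth_scopes` expressions here so the two code paths agree, or document on `remove_default_node_pool` that leaving it false yields a default pool the module does not harden. The `dynamic "database_encryption"` rewrite itself looks correct and is a clear improvement over the old list-of-maps assignment.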
@@ -132,55 +182,116 @@ resource "google_container_cluster" "zonal_primary" { Create zonal node pools *****************************************/ resource "google_container_node_pool" "zonal_pools" { - provider = "google-beta" - count = "${var.regional ? 0 : length(var.node_pools)}" - name = "${lookup(var.node_pools[count.index], "name")}" - project = "${var.project_id}" - zone = "${var.zones[0]}" - cluster = "${google_container_cluster.zonal_primary.name}" - version = "${lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(var.node_pools[count.index], "version", local.node_version_zonal)}" - initial_node_count = "${lookup(var.node_pools[count.index], "initial_node_count", lookup(var.node_pools[count.index], "min_count", 1))}" + provider = google-beta + count = var.regional ? 0 : length(var.node_pools) + name = var.node_pools[count.index]["name"] + project = var.project_id + zone = var.zones[0] + cluster = google_container_cluster.zonal_primary[0].name + version = lookup(var.node_pools[count.index], "auto_upgrade", false) ? 
"" : lookup( + var.node_pools[count.index], + "version", + local.node_version_zonal, + ) + initial_node_count = lookup( + var.node_pools[count.index], + "initial_node_count", + lookup(var.node_pools[count.index], "min_count", 1), + ) autoscaling { - min_node_count = "${lookup(var.node_pools[count.index], "min_count", 1)}" - max_node_count = "${lookup(var.node_pools[count.index], "max_count", 100)}" + min_node_count = lookup(var.node_pools[count.index], "min_count", 1) + max_node_count = lookup(var.node_pools[count.index], "max_count", 100) } management { - auto_repair = "${lookup(var.node_pools[count.index], "auto_repair", true)}" - auto_upgrade = "${lookup(var.node_pools[count.index], "auto_upgrade", false)}" + auto_repair = lookup(var.node_pools[count.index], "auto_repair", true) + auto_upgrade = lookup(var.node_pools[count.index], "auto_upgrade", false) } node_config { - image_type = "${lookup(var.node_pools[count.index], "image_type", "COS")}" - machine_type = "${lookup(var.node_pools[count.index], "machine_type", "n1-standard-2")}" - labels = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_labels["all"], var.node_pools_labels[lookup(var.node_pools[count.index], "name")])}" - metadata = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_metadata["all"], var.node_pools_metadata[lookup(var.node_pools[count.index], "name")], map("disable-legacy-endpoints", var.disable_legacy_metadata_endpoints))}" - taint = "${concat(var.node_pools_taints["all"], var.node_pools_taints[lookup(var.node_pools[count.index], "name")])}" - tags = ["${concat(list("gke-${var.name}"), list("gke-${var.name}-${lookup(var.node_pools[count.index], "name")}"), var.node_pools_tags["all"], var.node_pools_tags[lookup(var.node_pools[count.index], "name")])}"] - - disk_size_gb = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}" - disk_type = 
"${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}" - service_account = "${lookup(var.node_pools[count.index], "service_account", local.service_account)}" - preemptible = "${lookup(var.node_pools[count.index], "preemptible", false)}" - - oauth_scopes = [ - "${concat(var.node_pools_oauth_scopes["all"], - var.node_pools_oauth_scopes[lookup(var.node_pools[count.index], "name")])}", - ] - - guest_accelerator { - type = "${lookup(var.node_pools[count.index], "accelerator_type", "")}" - count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}" + image_type = lookup(var.node_pools[count.index], "image_type", "COS") + machine_type = lookup(var.node_pools[count.index], "machine_type", "n1-standard-2") + labels = merge( + { + "cluster_name" = var.name + }, + { + "node_pool" = var.node_pools[count.index]["name"] + }, + var.node_pools_labels["all"], + var.node_pools_labels[var.node_pools[count.index]["name"]], + ) + metadata = merge( + { + "cluster_name" = var.name + }, + { + "node_pool" = var.node_pools[count.index]["name"] + }, + var.node_pools_metadata["all"], + var.node_pools_metadata[var.node_pools[count.index]["name"]], + { + "disable-legacy-endpoints" = var.disable_legacy_metadata_endpoints + }, + ) + dynamic "taint" { + for_each = concat( + var.node_pools_taints["all"], + var.node_pools_taints[var.node_pools[count.index]["name"]], + ) + content { + effect = taint.value.effect + key = taint.value.key + value = taint.value.value + } + } + + tags = concat( + ["gke-${var.name}"], + ["gke-${var.name}-${var.node_pools[count.index]["name"]}"], + var.node_pools_tags["all"], + var.node_pools_tags[var.node_pools[count.index]["name"]], + ) + + disk_size_gb = lookup(var.node_pools[count.index], "disk_size_gb", 100) + disk_type = lookup(var.node_pools[count.index], "disk_type", "pd-standard") + service_account = lookup( + var.node_pools[count.index], + "service_account", + local.service_account, + ) + preemptible = lookup(var.node_pools[count.index], 
"preemptible", false) + + oauth_scopes = concat( + var.node_pools_oauth_scopes["all"], + var.node_pools_oauth_scopes[var.node_pools[count.index]["name"]], + ) + + dynamic "guest_accelerator" { + for_each = lookup(var.node_pools[count.index], "accelerator_count", 0) > 0 ? [{ + type = lookup(var.node_pools[count.index], "accelerator_type", "") + count = lookup(var.node_pools[count.index], "accelerator_count", 0) + }] : [] + content { + type = guest_accelerator.value.type + count = guest_accelerator.value.count + } } {% if beta_cluster %} - workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}" + dynamic "workload_metadata_config" { + for_each = local.cluster_node_metadata_config + + content { + node_metadata = workload_metadata_config.value.node_metadata + } + } {% endif %} } lifecycle { - ignore_changes = ["initial_node_count"] + ignore_changes = [initial_node_count] } timeouts { @@ -191,16 +302,19 @@ resource "google_container_node_pool" "zonal_pools" { } resource "null_resource" "wait_for_zonal_cluster" { - count = "${var.regional ? 0 : 1}" + count = var.regional ? 0 : 1 provisioner "local-exec" { command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" } provisioner "local-exec" { - when = "destroy" + when = destroy command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" } - depends_on = ["google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"] + depends_on = [ + google_container_cluster.zonal_primary, + google_container_node_pool.zonal_pools, + ] } diff --git a/autogen/dns.tf b/autogen/dns.tf index 24a3f34844..65c8d99d65 100644 --- a/autogen/dns.tf +++ b/autogen/dns.tf 
@@ -20,73 +20,94 @@ Delete default kube-dns configmap *****************************************/ resource "null_resource" "delete_default_kube_dns_configmap" { - count = "${local.custom_kube_dns_config || local.upstream_nameservers_config ? 1 : 0}" + count = local.custom_kube_dns_config || local.upstream_nameservers_config ? 1 : 0 provisioner "local-exec" { command = "${path.module}/scripts/kubectl_wrapper.sh https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" } - depends_on = ["data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"] + depends_on = [ + data.google_client_config.default, + google_container_cluster.primary, + google_container_node_pool.pools, + google_container_cluster.zonal_primary, + google_container_node_pool.zonal_pools, + ] } /****************************************** Create kube-dns confimap *****************************************/ resource "kubernetes_config_map" "kube-dns" { - count = "${local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0}" + count = local.custom_kube_dns_config && ! local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - labels { + labels = { maintained_by = "terraform" } } - data { + data = { stubDomains = < 0 + upstream_nameservers_config = length(var.upstream_nameservers) > 0 + network_project_id = var.network_project_id != "" ? var.network_project_id : var.project_id + + cluster_type = var.regional ? "regional" : "zonal" + + cluster_network_policy = var.network_policy ? 
[{ + enabled = true + provider = var.network_policy_provider + }] : [{ + enabled = false + provider = null + }] - cluster_cloudrun_config = { - enabled = [{disabled = "false"}] - disabled = [] - } {% if beta_cluster %} + cluster_cloudrun_config = var.cloudrun ? [{disabled = false}] : [] - cluster_node_metadata_config = { - specified = [{node_metadata = "${var.node_metadata}"}] - unspecified = [] - } + cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ + node_metadata = var.node_metadata + }] {% endif %} cluster_type_output_name = { - regional = "${element(concat(google_container_cluster.primary.*.name, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.name, list("")), 0)}" + regional = element(concat(google_container_cluster.primary.*.name, [""]), 0) + zonal = element( + concat(google_container_cluster.zonal_primary.*.name, [""]), + 0, + ) } cluster_type_output_location = { - regional = "${element(concat(google_container_cluster.primary.*.region, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.zone, list("")), 0)}" + regional = element(concat(google_container_cluster.primary.*.region, [""]), 0) + zonal = element( + concat(google_container_cluster.zonal_primary.*.zone, [""]), + 0, + ) } cluster_type_output_region = { - regional = "${element(concat(google_container_cluster.primary.*.region, list("")), 0)}" - zonal = "${var.region}" + regional = element(concat(google_container_cluster.primary.*.region, [""]), 0) + zonal = var.region } - cluster_type_output_regional_zones = "${flatten(google_container_cluster.primary.*.node_locations)}" - cluster_type_output_zonal_zones = "${slice(var.zones, 1, length(var.zones))}" + cluster_type_output_regional_zones = flatten(google_container_cluster.primary.*.node_locations) + cluster_type_output_zonal_zones = slice(var.zones, 1, length(var.zones)) cluster_type_output_zones = { - regional = "${local.cluster_type_output_regional_zones}" - 
zonal = "${concat(google_container_cluster.zonal_primary.*.zone, local.cluster_type_output_zonal_zones)}" + regional = local.cluster_type_output_regional_zones + zonal = concat( + google_container_cluster.zonal_primary.*.zone, + local.cluster_type_output_zonal_zones, + ) } {% if private_cluster %} cluster_type_output_endpoint = { - regional = "${ - var.deploy_using_private_endpoint ? - element(concat(google_container_cluster.primary.*.private_cluster_config.0.private_endpoint, list("")), 0) : - element(concat(google_container_cluster.primary.*.endpoint, list("")), 0) - }" - - zonal = "${ - var.deploy_using_private_endpoint ? - element(concat(google_container_cluster.zonal_primary.*.private_cluster_config.0.private_endpoint, list("")), 0) : - element(concat(google_container_cluster.zonal_primary.*.endpoint, list("")), 0) - }" + regional = var.deploy_using_private_endpoint ? element(concat(google_container_cluster.primary.*.private_cluster_config.0.private_endpoint, [""]), 0) : element(concat(google_container_cluster.primary.*.endpoint, [""]), 0) + + zonal = var.deploy_using_private_endpoint ? 
element(concat(google_container_cluster.zonal_primary.*.private_cluster_config.0.private_endpoint, [""]), 0) : element(concat(google_container_cluster.zonal_primary.*.endpoint, [""]), 0) } {% else %} cluster_type_output_endpoint = { - regional = "${element(concat(google_container_cluster.primary.*.endpoint, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.endpoint, list("")), 0)}" + regional = element(concat(google_container_cluster.primary.*.endpoint, [""]), 0) + zonal = element( + concat(google_container_cluster.zonal_primary.*.endpoint, [""]), + 0, + ) } {% endif %} cluster_type_output_master_auth = { - regional = "${concat(google_container_cluster.primary.*.master_auth, list())}" - zonal = "${concat(google_container_cluster.zonal_primary.*.master_auth, list())}" + regional = concat(google_container_cluster.primary.*.master_auth, []) + zonal = concat(google_container_cluster.zonal_primary.*.master_auth, []) } cluster_type_output_master_version = { - regional = "${element(concat(google_container_cluster.primary.*.master_version, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.master_version, list("")), 0)}" + regional = element( + concat(google_container_cluster.primary.*.master_version, [""]), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.master_version, + [""], + ), + 0, + ) } cluster_type_output_min_master_version = { - regional = "${element(concat(google_container_cluster.primary.*.min_master_version, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.min_master_version, list("")), 0)}" + regional = element( + concat(google_container_cluster.primary.*.min_master_version, [""]), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.min_master_version, + [""], + ), + 0, + ) } cluster_type_output_logging_service = { - regional = 
"${element(concat(google_container_cluster.primary.*.logging_service, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.logging_service, list("")), 0)}" + regional = element( + concat(google_container_cluster.primary.*.logging_service, [""]), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.logging_service, + [""], + ), + 0, + ) } cluster_type_output_monitoring_service = { - regional = "${element(concat(google_container_cluster.primary.*.monitoring_service, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.monitoring_service, list("")), 0)}" + regional = element( + concat(google_container_cluster.primary.*.monitoring_service, [""]), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.monitoring_service, + [""], + ), + 0, + ) } cluster_type_output_network_policy_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.network_policy_config.0.disabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.network_policy_config.0.disabled, list("")), 0)}" + regional = element( + concat( + google_container_cluster.primary.*.addons_config.0.network_policy_config.0.disabled, + [""], + ), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.addons_config.0.network_policy_config.0.disabled, + [""], + ), + 0, + ) } cluster_type_output_http_load_balancing_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.http_load_balancing.0.disabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.http_load_balancing.0.disabled, list("")), 0)}" + regional = element( + concat( + google_container_cluster.primary.*.addons_config.0.http_load_balancing.0.disabled, + [""], + ), + 0, + ) + zonal = element( + concat( + 
google_container_cluster.zonal_primary.*.addons_config.0.http_load_balancing.0.disabled, + [""], + ), + 0, + ) } cluster_type_output_horizontal_pod_autoscaling_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, list("")), 0)}" + regional = element( + concat( + google_container_cluster.primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, + [""], + ), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, + [""], + ), + 0, + ) } cluster_type_output_kubernetes_dashboard_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.kubernetes_dashboard.0.disabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.kubernetes_dashboard.0.disabled, list("")), 0)}" + regional = element( + concat( + google_container_cluster.primary.*.addons_config.0.kubernetes_dashboard.0.disabled, + [""], + ), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.addons_config.0.kubernetes_dashboard.0.disabled, + [""], + ), + 0, + ) } {% if beta_cluster %} # BETA features cluster_type_output_istio_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.istio_config.0.disabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.istio_config.0.disabled, list("")), 0)}" + regional = element(concat(google_container_cluster.primary.*.addons_config.0.istio_config.0.disabled, [""]), 0) + zonal = element(concat(google_container_cluster.zonal_primary.*.addons_config.0.istio_config.0.disabled, [""]), 0) } cluster_type_output_pod_security_policy_enabled = { - regional = 
"${element(concat(google_container_cluster.primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" + regional = element(concat(google_container_cluster.primary.*.pod_security_policy_config.0.enabled, [""]), 0) + zonal = element(concat(google_container_cluster.zonal_primary.*.pod_security_policy_config.0.enabled, [""]), 0) } # /BETA features {% endif %} cluster_type_output_node_pools_names = { - regional = "${concat(google_container_node_pool.pools.*.name, list(""))}" - zonal = "${concat(google_container_node_pool.zonal_pools.*.name, list(""))}" + regional = concat(google_container_node_pool.pools.*.name, [""]) + zonal = concat(google_container_node_pool.zonal_pools.*.name, [""]) } cluster_type_output_node_pools_versions = { - regional = "${concat(google_container_node_pool.pools.*.version, list(""))}" - zonal = "${concat(google_container_node_pool.zonal_pools.*.version, list(""))}" + regional = concat(google_container_node_pool.pools.*.version, [""]) + zonal = concat(google_container_node_pool.zonal_pools.*.version, [""]) } - cluster_master_auth_list_layer1 = "${local.cluster_type_output_master_auth[local.cluster_type]}" - cluster_master_auth_list_layer2 = "${local.cluster_master_auth_list_layer1[0]}" - cluster_master_auth_map = "${local.cluster_master_auth_list_layer2[0]}" + cluster_master_auth_list_layer1 = local.cluster_type_output_master_auth[local.cluster_type] + cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] + cluster_master_auth_map = local.cluster_master_auth_list_layer2[0] # cluster locals - cluster_name = "${local.cluster_type_output_name[local.cluster_type]}" - cluster_location = "${local.cluster_type_output_location[local.cluster_type]}" - cluster_region = "${local.cluster_type_output_region[local.cluster_type]}" - cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}" - 
cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}" - cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}" - cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}" - cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}" - cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}" - cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}" - cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}" - cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}" - cluster_network_policy_enabled = "${local.cluster_type_output_network_policy_enabled[local.cluster_type] ? false : true}" - cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}" - cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}" - cluster_kubernetes_dashboard_enabled = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? 
false : true}" + cluster_name = local.cluster_type_output_name[local.cluster_type] + cluster_location = local.cluster_type_output_location[local.cluster_type] + cluster_region = local.cluster_type_output_region[local.cluster_type] + cluster_zones = sort(local.cluster_type_output_zones[local.cluster_type]) + cluster_endpoint = local.cluster_type_output_endpoint[local.cluster_type] + cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] + cluster_master_version = local.cluster_type_output_master_version[local.cluster_type] + cluster_min_master_version = local.cluster_type_output_min_master_version[local.cluster_type] + cluster_logging_service = local.cluster_type_output_logging_service[local.cluster_type] + cluster_monitoring_service = local.cluster_type_output_monitoring_service[local.cluster_type] + cluster_node_pools_names = local.cluster_type_output_node_pools_names[local.cluster_type] + cluster_node_pools_versions = local.cluster_type_output_node_pools_versions[local.cluster_type] + cluster_network_policy_enabled = !local.cluster_type_output_network_policy_enabled[local.cluster_type] + cluster_http_load_balancing_enabled = !local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] + cluster_horizontal_pod_autoscaling_enabled = !local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] + cluster_kubernetes_dashboard_enabled = !local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] {% if beta_cluster %} # BETA features - cluster_istio_enabled = "${local.cluster_type_output_istio_enabled[local.cluster_type] ? false : true}" - cluster_cloudrun_enabled = "${var.cloudrun}" - cluster_pod_security_policy_enabled = "${local.cluster_type_output_pod_security_policy_enabled[local.cluster_type] ? 
true : false}" + cluster_istio_enabled = !local.cluster_type_output_istio_enabled[local.cluster_type] + cluster_cloudrun_enabled = var.cloudrun + cluster_pod_security_policy_enabled = local.cluster_type_output_pod_security_policy_enabled[local.cluster_type] # /BETA features {% endif %} } @@ -207,9 +296,9 @@ locals { Get available container engine versions *****************************************/ data "google_container_engine_versions" "region" { - provider = "google-beta" - region = "${var.region}" - project = "${var.project_id}" + provider = google-beta + region = var.region + project = var.project_id } data "google_container_engine_versions" "zone" { @@ -217,7 +306,7 @@ data "google_container_engine_versions" "zone" { // // data.google_container_engine_versions.zone: Cannot determine zone: set in this resource, or set provider-level zone. // - zone = "${var.zones[0] == "" ? data.google_compute_zones.available.names[0] : var.zones[0]}" + zone = var.zones[0] == "" ? data.google_compute_zones.available.names[0] : var.zones[0] - project = "${var.project_id}" + project = var.project_id } diff --git a/autogen/masq.tf b/autogen/masq.tf index 83aa443a3e..afd34e148d 100644 --- a/autogen/masq.tf +++ b/autogen/masq.tf @@ -20,18 +20,18 @@ Create ip-masq-agent confimap *****************************************/ resource "kubernetes_config_map" "ip-masq-agent" { - count = "${var.configure_ip_masq ? 1 : 0}" + count = var.configure_ip_masq ? 1 : 0 metadata { name = "ip-masq-agent" namespace = "kube-system" - labels { + labels = { maintained_by = "terraform" } } - data { + data = { config = < 0 ? [{ + type = lookup(var.node_pools[count.index], "accelerator_type", "") + count = lookup(var.node_pools[count.index], "accelerator_count", 0) + }] : [] + content { + type = guest_accelerator.value.type + count = guest_accelerator.value.count + } } } lifecycle { - ignore_changes = ["initial_node_count"] + ignore_changes = [initial_node_count] } timeouts { 
@@ -159,16 +239,19 @@ resource "google_container_node_pool" "pools" { } resource "null_resource" "wait_for_regional_cluster" { - count = "${var.regional ? 1 : 0}" + count = var.regional ? 1 : 0 provisioner "local-exec" { command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" } provisioner "local-exec" { - when = "destroy" + when = destroy command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" } - depends_on = ["google_container_cluster.primary", "google_container_node_pool.pools"] + depends_on = [ + google_container_cluster.primary, + google_container_node_pool.pools, + ] } diff --git a/cluster_zonal.tf b/cluster_zonal.tf index 466b81634d..13cdb99ace 100644 --- a/cluster_zonal.tf +++ b/cluster_zonal.tf 
@@ -20,66 +20,86 @@ Create zonal cluster
 *****************************************/
 resource "google_container_cluster" "zonal_primary" {
- provider = "google"
- count = "${var.regional ? 0 : 1}"
- name = "${var.name}"
- description = "${var.description}"
- project = "${var.project_id}"
+ provider = google
- zone = "${var.zones[0]}"
- node_locations = ["${slice(var.zones,1,length(var.zones))}"]
- cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}"
- network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
- network_policy = "${local.cluster_network_policy["${var.network_policy ? "enabled" : "disabled"}"]}"
+ count = var.regional ? 0 : 1
+ name = var.name
+ description = var.description
+ project = var.project_id
- subnetwork = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}"
- min_master_version = "${local.kubernetes_version_zonal}"
+ zone = var.zones[0]
+ node_locations = slice(var.zones, 1, length(var.zones))
+ cluster_ipv4_cidr = var.cluster_ipv4_cidr
+ network = data.google_compute_network.gke_network.self_link
- logging_service = "${var.logging_service}"
- monitoring_service = "${var.monitoring_service}"
+ dynamic "network_policy" {
+ for_each = local.cluster_network_policy
- master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
+ content {
+ enabled = network_policy.value.enabled
+ provider = network_policy.value.provider
+ }
+ }
+
+ subnetwork = data.google_compute_subnetwork.gke_subnetwork.self_link
+ min_master_version = local.kubernetes_version_zonal
+
+ logging_service = var.logging_service
+ monitoring_service = var.monitoring_service
+
+ dynamic "master_authorized_networks_config" {
+ for_each = var.master_authorized_networks_config
+ content {
+ dynamic "cidr_blocks" {
+ for_each = master_authorized_networks_config.value.cidr_blocks
+ content {
+ cidr_block = lookup(cidr_blocks.value, "cidr_block", "")
+ display_name = lookup(cidr_blocks.value, "display_name", "")
+ }
+ }
+ }
+ }
 master_auth {
- username = "${var.basic_auth_username}"
- password = "${var.basic_auth_password}"
+ username = var.basic_auth_username
+ password = var.basic_auth_password
 client_certificate_config {
- issue_client_certificate = "${var.issue_client_certificate}"
+ issue_client_certificate = var.issue_client_certificate
 }
 }
 addons_config {
 http_load_balancing {
- disabled = "${var.http_load_balancing ? 0 : 1}"
+ disabled = ! var.http_load_balancing
 }
 horizontal_pod_autoscaling {
- disabled = "${var.horizontal_pod_autoscaling ? 0 : 1}"
+ disabled = ! var.horizontal_pod_autoscaling
 }
 kubernetes_dashboard {
- disabled = "${var.kubernetes_dashboard ? 0 : 1}"
+ disabled = ! var.kubernetes_dashboard
 }
 network_policy_config {
- disabled = "${var.network_policy ? 0 : 1}"
+ disabled = ! var.network_policy
 }
 }
 ip_allocation_policy {
- cluster_secondary_range_name = "${var.ip_range_pods}"
- services_secondary_range_name = "${var.ip_range_services}"
+ cluster_secondary_range_name = var.ip_range_pods
+ services_secondary_range_name = var.ip_range_services
 }
 maintenance_policy {
 daily_maintenance_window {
- start_time = "${var.maintenance_start_time}"
+ start_time = var.maintenance_start_time
 }
 }
 lifecycle {
- ignore_changes = ["node_pool"]
+ ignore_changes = [node_pool]
 }
 timeouts {
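Review bot: In the new `dynamic "master_authorized_networks_config"` block, `for_each = master_authorized_networks_config.value.cidr_blocks` is a direct attribute access, so a list element that omits `cidr_blocks` — the form the variable description documents for allowing only the cluster nodes to reach the master — fails with an unsupported-attribute error instead of producing an empty allow-list; `for_each = lookup(master_authorized_networks_config.value, "cidr_blocks", [])` keeps that configuration working (whether the variable's type constraint already supplies the key cannot be seen here). `cidr_block = lookup(cidr_blocks.value, "cidr_block", "")` likewise turns a missing CIDR into an invalid block rejected at apply time; `cidr_block = cidr_blocks.value.cidr_block` surfaces it at plan time instead. When the variable is an empty list no block is emitted at all, which leaves master authorized networks disabled and the control-plane endpoint reachable from any address, so that default deserves a comment on the variable. The regional and autogen counterparts of this resource are cut off in this view and presumably carry the same block.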
@@ -90,65 +110,121 @@ resource "google_container_cluster" "zonal_primary" { node_pool { name = "default-pool" - initial_node_count = "${var.initial_node_count}" + initial_node_count = var.initial_node_count node_config { - service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}" + service_account = lookup(var.node_pools[0], "service_account", local.service_account) } } - remove_default_node_pool = "${var.remove_default_node_pool}" + + remove_default_node_pool = var.remove_default_node_pool } /****************************************** Create zonal node pools *****************************************/ resource "google_container_node_pool" "zonal_pools" { - provider = "google-beta" - count = "${var.regional ? 0 : length(var.node_pools)}" - name = "${lookup(var.node_pools[count.index], "name")}" - project = "${var.project_id}" - zone = "${var.zones[0]}" - cluster = "${google_container_cluster.zonal_primary.name}" - version = "${lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(var.node_pools[count.index], "version", local.node_version_zonal)}" - initial_node_count = "${lookup(var.node_pools[count.index], "initial_node_count", lookup(var.node_pools[count.index], "min_count", 1))}" + provider = google-beta + count = var.regional ? 0 : length(var.node_pools) + name = var.node_pools[count.index]["name"] + project = var.project_id + zone = var.zones[0] + cluster = google_container_cluster.zonal_primary[0].name + version = lookup(var.node_pools[count.index], "auto_upgrade", false) ? 
"" : lookup( + var.node_pools[count.index], + "version", + local.node_version_zonal, + ) + initial_node_count = lookup( + var.node_pools[count.index], + "initial_node_count", + lookup(var.node_pools[count.index], "min_count", 1), + ) autoscaling { - min_node_count = "${lookup(var.node_pools[count.index], "min_count", 1)}" - max_node_count = "${lookup(var.node_pools[count.index], "max_count", 100)}" + min_node_count = lookup(var.node_pools[count.index], "min_count", 1) + max_node_count = lookup(var.node_pools[count.index], "max_count", 100) } management { - auto_repair = "${lookup(var.node_pools[count.index], "auto_repair", true)}" - auto_upgrade = "${lookup(var.node_pools[count.index], "auto_upgrade", false)}" + auto_repair = lookup(var.node_pools[count.index], "auto_repair", true) + auto_upgrade = lookup(var.node_pools[count.index], "auto_upgrade", false) } node_config { - image_type = "${lookup(var.node_pools[count.index], "image_type", "COS")}" - machine_type = "${lookup(var.node_pools[count.index], "machine_type", "n1-standard-2")}" - labels = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_labels["all"], var.node_pools_labels[lookup(var.node_pools[count.index], "name")])}" - metadata = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_metadata["all"], var.node_pools_metadata[lookup(var.node_pools[count.index], "name")], map("disable-legacy-endpoints", var.disable_legacy_metadata_endpoints))}" - taint = "${concat(var.node_pools_taints["all"], var.node_pools_taints[lookup(var.node_pools[count.index], "name")])}" - tags = ["${concat(list("gke-${var.name}"), list("gke-${var.name}-${lookup(var.node_pools[count.index], "name")}"), var.node_pools_tags["all"], var.node_pools_tags[lookup(var.node_pools[count.index], "name")])}"] - - disk_size_gb = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}" - disk_type = 
"${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}" - service_account = "${lookup(var.node_pools[count.index], "service_account", local.service_account)}" - preemptible = "${lookup(var.node_pools[count.index], "preemptible", false)}" - - oauth_scopes = [ - "${concat(var.node_pools_oauth_scopes["all"], - var.node_pools_oauth_scopes[lookup(var.node_pools[count.index], "name")])}", - ] - - guest_accelerator { - type = "${lookup(var.node_pools[count.index], "accelerator_type", "")}" - count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}" + image_type = lookup(var.node_pools[count.index], "image_type", "COS") + machine_type = lookup(var.node_pools[count.index], "machine_type", "n1-standard-2") + labels = merge( + { + "cluster_name" = var.name + }, + { + "node_pool" = var.node_pools[count.index]["name"] + }, + var.node_pools_labels["all"], + var.node_pools_labels[var.node_pools[count.index]["name"]], + ) + metadata = merge( + { + "cluster_name" = var.name + }, + { + "node_pool" = var.node_pools[count.index]["name"] + }, + var.node_pools_metadata["all"], + var.node_pools_metadata[var.node_pools[count.index]["name"]], + { + "disable-legacy-endpoints" = var.disable_legacy_metadata_endpoints + }, + ) + dynamic "taint" { + for_each = concat( + var.node_pools_taints["all"], + var.node_pools_taints[var.node_pools[count.index]["name"]], + ) + content { + effect = taint.value.effect + key = taint.value.key + value = taint.value.value + } + } + + tags = concat( + ["gke-${var.name}"], + ["gke-${var.name}-${var.node_pools[count.index]["name"]}"], + var.node_pools_tags["all"], + var.node_pools_tags[var.node_pools[count.index]["name"]], + ) + + disk_size_gb = lookup(var.node_pools[count.index], "disk_size_gb", 100) + disk_type = lookup(var.node_pools[count.index], "disk_type", "pd-standard") + service_account = lookup( + var.node_pools[count.index], + "service_account", + local.service_account, + ) + preemptible = lookup(var.node_pools[count.index], 
"preemptible", false) + + oauth_scopes = concat( + var.node_pools_oauth_scopes["all"], + var.node_pools_oauth_scopes[var.node_pools[count.index]["name"]], + ) + + dynamic "guest_accelerator" { + for_each = lookup(var.node_pools[count.index], "accelerator_count", 0) > 0 ? [{ + type = lookup(var.node_pools[count.index], "accelerator_type", "") + count = lookup(var.node_pools[count.index], "accelerator_count", 0) + }] : [] + content { + type = guest_accelerator.value.type + count = guest_accelerator.value.count + } } } lifecycle { - ignore_changes = ["initial_node_count"] + ignore_changes = [initial_node_count] } timeouts { @@ -159,16 +235,19 @@ resource "google_container_node_pool" "zonal_pools" { } resource "null_resource" "wait_for_zonal_cluster" { - count = "${var.regional ? 0 : 1}" + count = var.regional ? 0 : 1 provisioner "local-exec" { command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" } provisioner "local-exec" { - when = "destroy" + when = destroy command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" } - depends_on = ["google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"] + depends_on = [ + google_container_cluster.zonal_primary, + google_container_node_pool.zonal_pools, + ] } diff --git a/dns.tf b/dns.tf index 91b41efac4..7138473ded 100644 --- a/dns.tf +++ b/dns.tf 
@@ -20,73 +20,94 @@ Delete default kube-dns configmap *****************************************/ resource "null_resource" "delete_default_kube_dns_configmap" { - count = "${local.custom_kube_dns_config || local.upstream_nameservers_config ? 1 : 0}" + count = local.custom_kube_dns_config || local.upstream_nameservers_config ? 1 : 0 provisioner "local-exec" { command = "${path.module}/scripts/kubectl_wrapper.sh https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" } - depends_on = ["data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"] + depends_on = [ + data.google_client_config.default, + google_container_cluster.primary, + google_container_node_pool.pools, + google_container_cluster.zonal_primary, + google_container_node_pool.zonal_pools, + ] } /****************************************** Create kube-dns confimap *****************************************/ resource "kubernetes_config_map" "kube-dns" { - count = "${local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0}" + count = local.custom_kube_dns_config && ! local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - labels { + labels = { maintained_by = "terraform" } } - data { + data = { stubDomains = < 0 + upstream_nameservers_config = length(var.upstream_nameservers) > 0 + network_project_id = var.network_project_id != "" ? var.network_project_id : var.project_id - cluster_cloudrun_config = { - enabled = [{ - disabled = "false" - }] + cluster_type = var.regional ? "regional" : "zonal" - disabled = [] - } + cluster_network_policy = var.network_policy ? 
[{ + enabled = true + provider = var.network_policy_provider + }] : [{ + enabled = false + provider = null + }] cluster_type_output_name = { - regional = "${element(concat(google_container_cluster.primary.*.name, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.name, list("")), 0)}" + regional = element(concat(google_container_cluster.primary.*.name, [""]), 0) + zonal = element( + concat(google_container_cluster.zonal_primary.*.name, [""]), + 0, + ) } cluster_type_output_location = { - regional = "${element(concat(google_container_cluster.primary.*.region, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.zone, list("")), 0)}" + regional = element(concat(google_container_cluster.primary.*.region, [""]), 0) + zonal = element( + concat(google_container_cluster.zonal_primary.*.zone, [""]), + 0, + ) } cluster_type_output_region = { - regional = "${element(concat(google_container_cluster.primary.*.region, list("")), 0)}" - zonal = "${var.region}" + regional = element(concat(google_container_cluster.primary.*.region, [""]), 0) + zonal = var.region } - cluster_type_output_regional_zones = "${flatten(google_container_cluster.primary.*.node_locations)}" - cluster_type_output_zonal_zones = "${slice(var.zones, 1, length(var.zones))}" + cluster_type_output_regional_zones = flatten(google_container_cluster.primary.*.node_locations) + cluster_type_output_zonal_zones = slice(var.zones, 1, length(var.zones)) cluster_type_output_zones = { - regional = "${local.cluster_type_output_regional_zones}" - zonal = "${concat(google_container_cluster.zonal_primary.*.zone, local.cluster_type_output_zonal_zones)}" + regional = local.cluster_type_output_regional_zones + zonal = concat( + google_container_cluster.zonal_primary.*.zone, + local.cluster_type_output_zonal_zones, + ) } cluster_type_output_endpoint = { - regional = "${element(concat(google_container_cluster.primary.*.endpoint, list("")), 0)}" - zonal = 
"${element(concat(google_container_cluster.zonal_primary.*.endpoint, list("")), 0)}" + regional = element(concat(google_container_cluster.primary.*.endpoint, [""]), 0) + zonal = element( + concat(google_container_cluster.zonal_primary.*.endpoint, [""]), + 0, + ) } cluster_type_output_master_auth = { - regional = "${concat(google_container_cluster.primary.*.master_auth, list())}" - zonal = "${concat(google_container_cluster.zonal_primary.*.master_auth, list())}" + regional = concat(google_container_cluster.primary.*.master_auth, []) + zonal = concat(google_container_cluster.zonal_primary.*.master_auth, []) } cluster_type_output_master_version = { - regional = "${element(concat(google_container_cluster.primary.*.master_version, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.master_version, list("")), 0)}" + regional = element( + concat(google_container_cluster.primary.*.master_version, [""]), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.master_version, + [""], + ), + 0, + ) } cluster_type_output_min_master_version = { - regional = "${element(concat(google_container_cluster.primary.*.min_master_version, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.min_master_version, list("")), 0)}" + regional = element( + concat(google_container_cluster.primary.*.min_master_version, [""]), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.min_master_version, + [""], + ), + 0, + ) } cluster_type_output_logging_service = { - regional = "${element(concat(google_container_cluster.primary.*.logging_service, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.logging_service, list("")), 0)}" + regional = element( + concat(google_container_cluster.primary.*.logging_service, [""]), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.logging_service, + [""], + ), + 0, + ) } 
cluster_type_output_monitoring_service = { - regional = "${element(concat(google_container_cluster.primary.*.monitoring_service, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.monitoring_service, list("")), 0)}" + regional = element( + concat(google_container_cluster.primary.*.monitoring_service, [""]), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.monitoring_service, + [""], + ), + 0, + ) } cluster_type_output_network_policy_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.network_policy_config.0.disabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.network_policy_config.0.disabled, list("")), 0)}" + regional = element( + concat( + google_container_cluster.primary.*.addons_config.0.network_policy_config.0.disabled, + [""], + ), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.addons_config.0.network_policy_config.0.disabled, + [""], + ), + 0, + ) } cluster_type_output_http_load_balancing_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.http_load_balancing.0.disabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.http_load_balancing.0.disabled, list("")), 0)}" + regional = element( + concat( + google_container_cluster.primary.*.addons_config.0.http_load_balancing.0.disabled, + [""], + ), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.addons_config.0.http_load_balancing.0.disabled, + [""], + ), + 0, + ) } cluster_type_output_horizontal_pod_autoscaling_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, list("")), 
0)}" + regional = element( + concat( + google_container_cluster.primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, + [""], + ), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, + [""], + ), + 0, + ) } cluster_type_output_kubernetes_dashboard_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.kubernetes_dashboard.0.disabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.kubernetes_dashboard.0.disabled, list("")), 0)}" + regional = element( + concat( + google_container_cluster.primary.*.addons_config.0.kubernetes_dashboard.0.disabled, + [""], + ), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.addons_config.0.kubernetes_dashboard.0.disabled, + [""], + ), + 0, + ) } + cluster_type_output_node_pools_names = { - regional = "${concat(google_container_node_pool.pools.*.name, list(""))}" - zonal = "${concat(google_container_node_pool.zonal_pools.*.name, list(""))}" + regional = concat(google_container_node_pool.pools.*.name, [""]) + zonal = concat(google_container_node_pool.zonal_pools.*.name, [""]) } cluster_type_output_node_pools_versions = { - regional = "${concat(google_container_node_pool.pools.*.version, list(""))}" - zonal = "${concat(google_container_node_pool.zonal_pools.*.version, list(""))}" + regional = concat(google_container_node_pool.pools.*.version, [""]) + zonal = concat(google_container_node_pool.zonal_pools.*.version, [""]) } - cluster_master_auth_list_layer1 = "${local.cluster_type_output_master_auth[local.cluster_type]}" - cluster_master_auth_list_layer2 = "${local.cluster_master_auth_list_layer1[0]}" - cluster_master_auth_map = "${local.cluster_master_auth_list_layer2[0]}" - + cluster_master_auth_list_layer1 = local.cluster_type_output_master_auth[local.cluster_type] + cluster_master_auth_list_layer2 = 
local.cluster_master_auth_list_layer1[0] + cluster_master_auth_map = local.cluster_master_auth_list_layer2[0] # cluster locals - cluster_name = "${local.cluster_type_output_name[local.cluster_type]}" - cluster_location = "${local.cluster_type_output_location[local.cluster_type]}" - cluster_region = "${local.cluster_type_output_region[local.cluster_type]}" - cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}" - cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}" - cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}" - cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}" - cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}" - cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}" - cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}" - cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}" - cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}" - cluster_network_policy_enabled = "${local.cluster_type_output_network_policy_enabled[local.cluster_type] ? false : true}" - cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}" - cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}" - cluster_kubernetes_dashboard_enabled = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? 
false : true}" + cluster_name = local.cluster_type_output_name[local.cluster_type] + cluster_location = local.cluster_type_output_location[local.cluster_type] + cluster_region = local.cluster_type_output_region[local.cluster_type] + cluster_zones = sort(local.cluster_type_output_zones[local.cluster_type]) + cluster_endpoint = local.cluster_type_output_endpoint[local.cluster_type] + cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] + cluster_master_version = local.cluster_type_output_master_version[local.cluster_type] + cluster_min_master_version = local.cluster_type_output_min_master_version[local.cluster_type] + cluster_logging_service = local.cluster_type_output_logging_service[local.cluster_type] + cluster_monitoring_service = local.cluster_type_output_monitoring_service[local.cluster_type] + cluster_node_pools_names = local.cluster_type_output_node_pools_names[local.cluster_type] + cluster_node_pools_versions = local.cluster_type_output_node_pools_versions[local.cluster_type] + cluster_network_policy_enabled = ! local.cluster_type_output_network_policy_enabled[local.cluster_type] + cluster_http_load_balancing_enabled = ! local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] + cluster_horizontal_pod_autoscaling_enabled = ! local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] + cluster_kubernetes_dashboard_enabled = ! local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] } /****************************************** Get available container engine versions *****************************************/ data "google_container_engine_versions" "region" { - provider = "google-beta" - region = "${var.region}" - project = "${var.project_id}" + provider = google-beta + region = var.region + project = var.project_id } data "google_container_engine_versions" "zone" { 
@@ -180,7 +266,7 @@ data "google_container_engine_versions" "zone" {
 //
 // data.google_container_engine_versions.zone: Cannot determine zone: set in this resource, or set provider-level zone.
 //
- zone = "${var.zones[0] == "" ? data.google_compute_zones.available.names[0] : var.zones[0]}"
+ zone = var.zones[0] == "" ? data.google_compute_zones.available.names[0] : var.zones[0]
- project = "${var.project_id}"
+ project = var.project_id
 }
diff --git a/masq.tf b/masq.tf
index 3006578627..1e9dc7791d 100644
--- a/masq.tf
+++ b/masq.tf
@@ -20,18 +20,18 @@ Create ip-masq-agent confimap *****************************************/ resource "kubernetes_config_map" "ip-masq-agent" { - count = "${var.configure_ip_masq ? 1 : 0}" + count = var.configure_ip_masq ? 1 : 0 metadata { name = "ip-masq-agent" namespace = "kube-system" - labels { + labels = { maintained_by = "terraform" } } - data { + data = { config = <` | no | -| deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | string | `"false"` | no | -| description | The description of the cluster | string | `""` | no | -| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no | -| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | -| enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | string | `"false"` | no | -| enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | string | `"false"` | no | -| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no | -| http\_load\_balancing | Enable httpload balancer addon | string | `"true"` | no | -| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | string | `"0"` | no | -| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | string | `"false"` | no | -| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. 
| string | `"60s"` | no | -| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes | -| ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes | -| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | string | `"false"` | no | -| istio | (Beta) Enable Istio addon | string | `"false"` | no | -| kubernetes\_dashboard | Enable kubernetes dashboard addon | string | `"false"` | no | -| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no | -| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com"` | no | -| maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no | -| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. Omit the nested cidr_blocks attribute to disallow external access (except the cluster node IPs, which GKE automatically whitelists)

### example format ### master_authorized_networks_config = [{ cidr_blocks = [{ cidr_block = "10.0.0.0/8" display_name = "example_network" }], }] | list | `` | no | -| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | string | `"10.0.0.0/28"` | no | -| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com"` | no | -| name | The name of the cluster (required) | string | n/a | yes | -| network | The VPC network to host the cluster in (required) | string | n/a | yes | -| network\_policy | Enable network policy addon | string | `"false"` | no | -| network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no | -| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"UNSPECIFIED"` | no | -| node\_pools | List of maps containing node pools | list | `` | no | -| node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `` | no | -| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map | `` | no | -| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map | `` | no | -| node\_pools\_tags | Map of lists containing node network tags by node-pool name | map | `` | no | -| node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `` | no | -| node\_version | The Kubernetes version of the node pools. 
Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no | -| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list | `` | no | -| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | list | `` | no | -| project\_id | The project ID to host the cluster in (required) | string | n/a | yes | -| region | The region to host the cluster in (required) | string | n/a | yes | -| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no | -| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | string | `"false"` | no | -| service\_account | The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created. 
| string | `"create"` | no | -| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `` | no | -| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | -| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list | `` | no | -| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| ca\_certificate | Cluster ca certificate (base64 encoded) | -| cloudrun\_enabled | Whether CloudRun enabled | -| endpoint | Cluster endpoint | -| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | -| http\_load\_balancing\_enabled | Whether http load balancing enabled | -| istio\_enabled | Whether Istio is enabled | -| kubernetes\_dashboard\_enabled | Whether kubernetes dashboard enabled | -| location | Cluster location (region if regional cluster, zone if zonal cluster) | -| logging\_service | Logging service used | -| master\_authorized\_networks\_config | Networks from which access to master is permitted | -| master\_version | Current master kubernetes version | -| min\_master\_version | Minimum master kubernetes version | -| monitoring\_service | Monitoring service used | -| name | Cluster name | -| network\_policy\_enabled | Whether network policy enabled | -| node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | -| pod\_security\_policy\_enabled | Whether pod security policy is enabled | -| region | Cluster region | -| service\_account | The service account to default running nodes as if not overridden in `node_pools`. | -| type | Cluster type (regional / zonal) | -| zones | List of zones in which the cluster resides | - [^]: (autogen_docs_end) ## Requirements 
@@ -223,7 +138,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog #### Kubectl - [kubectl](https://github.com/kubernetes/kubernetes/releases) 1.9.x #### Terraform and Plugins -- [Terraform](https://www.terraform.io/downloads.html) 0.11.x +- [Terraform](https://www.terraform.io/downloads.html) 0.12 - [Terraform Provider for GCP Beta][terraform-provider-google-beta] v2.9 ### Configure a Service Account diff --git a/modules/beta-private-cluster/auth.tf b/modules/beta-private-cluster/auth.tf index 0bbafaf4a2..c177eee5a7 100644 --- a/modules/beta-private-cluster/auth.tf +++ b/modules/beta-private-cluster/auth.tf @@ -20,7 +20,7 @@ Retrieve authentication token *****************************************/ data "google_client_config" "default" { - provider = "google-beta" + provider = google-beta } /****************************************** @@ -29,6 +29,6 @@ data "google_client_config" "default" { provider "kubernetes" { load_config_file = false host = "https://${local.cluster_endpoint}" - token = "${data.google_client_config.default.access_token}" - cluster_ca_certificate = "${base64decode(local.cluster_ca_certificate)}" + token = data.google_client_config.default.access_token + cluster_ca_certificate = base64decode(local.cluster_ca_certificate) } diff --git a/modules/beta-private-cluster/cluster_regional.tf b/modules/beta-private-cluster/cluster_regional.tf index 4142486488..d26d9d9df9 100644 --- a/modules/beta-private-cluster/cluster_regional.tf +++ b/modules/beta-private-cluster/cluster_regional.tf 
@@ -20,74 +20,112 @@ Create regional cluster *****************************************/ resource "google_container_cluster" "primary" { - provider = "google-beta" - count = "${var.regional ? 1 : 0}" - name = "${var.name}" - description = "${var.description}" - project = "${var.project_id}" + provider = google-beta - region = "${var.region}" - node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] - cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" - network_policy = "${local.cluster_network_policy["${var.network_policy ? "enabled" : "disabled"}"]}" + count = var.regional ? 1 : 0 + name = var.name + description = var.description + project = var.project_id - subnetwork = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}" - min_master_version = "${local.kubernetes_version_regional}" + region = var.region - logging_service = "${var.logging_service}" - monitoring_service = "${var.monitoring_service}" + node_locations = coalescelist( + compact(var.zones), + sort(random_shuffle.available_zones.result), + ) - enable_binary_authorization = "${var.enable_binary_authorization}" - pod_security_policy_config = "${var.pod_security_policy_config}" - master_authorized_networks_config = ["${var.master_authorized_networks_config}"] + cluster_ipv4_cidr = var.cluster_ipv4_cidr + network = data.google_compute_network.gke_network.self_link + + dynamic "network_policy" { + for_each = local.cluster_network_policy + + content { + enabled = network_policy.value.enabled + provider = network_policy.value.provider + } + } + + subnetwork = data.google_compute_subnetwork.gke_subnetwork.self_link + min_master_version = local.kubernetes_version_regional + + logging_service = var.logging_service + monitoring_service = var.monitoring_service + + enable_binary_authorization 
= var.enable_binary_authorization + + dynamic "pod_security_policy_config" { + for_each = var.pod_security_policy_config + content { + enabled = pod_security_policy_config.value.enabled + } + } + + dynamic "master_authorized_networks_config" { + for_each = var.master_authorized_networks_config + content { + dynamic "cidr_blocks" { + for_each = master_authorized_networks_config.value.cidr_blocks + content { + cidr_block = lookup(cidr_blocks.value, "cidr_block", "") + display_name = lookup(cidr_blocks.value, "display_name", "") + } + } + } + } master_auth { - username = "${var.basic_auth_username}" - password = "${var.basic_auth_password}" + username = var.basic_auth_username + password = var.basic_auth_password client_certificate_config { - issue_client_certificate = "${var.issue_client_certificate}" + issue_client_certificate = var.issue_client_certificate } } addons_config { http_load_balancing { - disabled = "${var.http_load_balancing ? 0 : 1}" + disabled = ! var.http_load_balancing } horizontal_pod_autoscaling { - disabled = "${var.horizontal_pod_autoscaling ? 0 : 1}" + disabled = ! var.horizontal_pod_autoscaling } kubernetes_dashboard { - disabled = "${var.kubernetes_dashboard ? 0 : 1}" + disabled = ! var.kubernetes_dashboard } network_policy_config { - disabled = "${var.network_policy ? 0 : 1}" + disabled = ! var.network_policy } istio_config { - disabled = "${var.istio ? 0 : 1}" + disabled = ! var.istio } - cloudrun_config = "${local.cluster_cloudrun_config["${var.cloudrun ? 
"enabled" : "disabled"}"]}" + dynamic "cloudrun_config" { + for_each = local.cluster_cloudrun_config + + content { + disabled = cloudrun_config.value.disabled + } + } } ip_allocation_policy { - cluster_secondary_range_name = "${var.ip_range_pods}" - services_secondary_range_name = "${var.ip_range_services}" + cluster_secondary_range_name = var.ip_range_pods + services_secondary_range_name = var.ip_range_services } maintenance_policy { daily_maintenance_window { - start_time = "${var.maintenance_start_time}" + start_time = var.maintenance_start_time } } lifecycle { - ignore_changes = ["node_pool"] + ignore_changes = [node_pool] } timeouts { 
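Review bot: In the new `master_authorized_networks_config` dynamic block, `cidr_block = lookup(cidr_blocks.value, "cidr_block", "")` silently turns a missing or mis-typed key into an empty CIDR, so a bad entry in a list whose whole purpose is restricting control-plane access is only caught (presumably by the API) at apply time instead of at plan. Indexing the attribute directly, `cidr_block = cidr_blocks.value.cidr_block`, makes plan fail on a malformed entry; the `lookup` with a default is fine for the optional `display_name`. It is also worth a comment above the block that an empty `var.master_authorized_networks_config` emits no block at all, i.e. no authorized-networks restriction on the public endpoint. The `google_container_cluster.primary` resource continues past the end of this hunk.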
@@ -98,76 +136,150 @@ resource "google_container_cluster" "primary" { node_pool { name = "default-pool" - initial_node_count = "${var.initial_node_count}" + initial_node_count = var.initial_node_count node_config { - service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}" + service_account = lookup(var.node_pools[0], "service_account", local.service_account) - workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}" + dynamic "workload_metadata_config" { + for_each = local.cluster_node_metadata_config + + content { + node_metadata = workload_metadata_config.value.node_metadata + } + } } } private_cluster_config { - enable_private_endpoint = "${var.enable_private_endpoint}" - enable_private_nodes = "${var.enable_private_nodes}" - master_ipv4_cidr_block = "${var.master_ipv4_cidr_block}" + enable_private_endpoint = var.enable_private_endpoint + enable_private_nodes = var.enable_private_nodes + master_ipv4_cidr_block = var.master_ipv4_cidr_block } - remove_default_node_pool = "${var.remove_default_node_pool}" - database_encryption = ["${var.database_encryption}"] + remove_default_node_pool = var.remove_default_node_pool + + dynamic "database_encryption" { + for_each = var.database_encryption + + content { + key_name = database_encryption.value.key_name + state = database_encryption.value.state + } + } } /****************************************** Create regional node pools *****************************************/ resource "google_container_node_pool" "pools" { - provider = "google-beta" - count = "${var.regional ? length(var.node_pools) : 0}" - name = "${lookup(var.node_pools[count.index], "name")}" - project = "${var.project_id}" - region = "${var.region}" - cluster = "${google_container_cluster.primary.name}" - version = "${lookup(var.node_pools[count.index], "auto_upgrade", false) ? 
"" : lookup(var.node_pools[count.index], "version", local.node_version_regional)}" - initial_node_count = "${lookup(var.node_pools[count.index], "initial_node_count", lookup(var.node_pools[count.index], "min_count", 1))}" + provider = google-beta + count = var.regional ? length(var.node_pools) : 0 + name = var.node_pools[count.index]["name"] + project = var.project_id + region = var.region + cluster = google_container_cluster.primary[0].name + version = lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup( + var.node_pools[count.index], + "version", + local.node_version_regional, + ) + initial_node_count = lookup( + var.node_pools[count.index], + "initial_node_count", + lookup(var.node_pools[count.index], "min_count", 1), + ) autoscaling { - min_node_count = "${lookup(var.node_pools[count.index], "min_count", 1)}" - max_node_count = "${lookup(var.node_pools[count.index], "max_count", 100)}" + min_node_count = lookup(var.node_pools[count.index], "min_count", 1) + max_node_count = lookup(var.node_pools[count.index], "max_count", 100) } management { - auto_repair = "${lookup(var.node_pools[count.index], "auto_repair", true)}" - auto_upgrade = "${lookup(var.node_pools[count.index], "auto_upgrade", true)}" + auto_repair = lookup(var.node_pools[count.index], "auto_repair", true) + auto_upgrade = lookup(var.node_pools[count.index], "auto_upgrade", true) } node_config { - image_type = "${lookup(var.node_pools[count.index], "image_type", "COS")}" - machine_type = "${lookup(var.node_pools[count.index], "machine_type", "n1-standard-2")}" - labels = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_labels["all"], var.node_pools_labels[lookup(var.node_pools[count.index], "name")])}" - metadata = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_metadata["all"], var.node_pools_metadata[lookup(var.node_pools[count.index], 
"name")], map("disable-legacy-endpoints", var.disable_legacy_metadata_endpoints))}" - taint = "${concat(var.node_pools_taints["all"], var.node_pools_taints[lookup(var.node_pools[count.index], "name")])}" - tags = ["${concat(list("gke-${var.name}"), list("gke-${var.name}-${lookup(var.node_pools[count.index], "name")}"), var.node_pools_tags["all"], var.node_pools_tags[lookup(var.node_pools[count.index], "name")])}"] - - disk_size_gb = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}" - disk_type = "${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}" - service_account = "${lookup(var.node_pools[count.index], "service_account", local.service_account)}" - preemptible = "${lookup(var.node_pools[count.index], "preemptible", false)}" + image_type = lookup(var.node_pools[count.index], "image_type", "COS") + machine_type = lookup(var.node_pools[count.index], "machine_type", "n1-standard-2") + labels = merge( + { + "cluster_name" = var.name + }, + { + "node_pool" = var.node_pools[count.index]["name"] + }, + var.node_pools_labels["all"], + var.node_pools_labels[var.node_pools[count.index]["name"]], + ) + metadata = merge( + { + "cluster_name" = var.name + }, + { + "node_pool" = var.node_pools[count.index]["name"] + }, + var.node_pools_metadata["all"], + var.node_pools_metadata[var.node_pools[count.index]["name"]], + { + "disable-legacy-endpoints" = var.disable_legacy_metadata_endpoints + }, + ) + dynamic "taint" { + for_each = concat( + var.node_pools_taints["all"], + var.node_pools_taints[var.node_pools[count.index]["name"]], + ) + content { + effect = taint.value.effect + key = taint.value.key + value = taint.value.value + } + } + tags = concat( + ["gke-${var.name}"], + ["gke-${var.name}-${var.node_pools[count.index]["name"]}"], + var.node_pools_tags["all"], + var.node_pools_tags[var.node_pools[count.index]["name"]], + ) + + disk_size_gb = lookup(var.node_pools[count.index], "disk_size_gb", 100) + disk_type = lookup(var.node_pools[count.index], 
"disk_type", "pd-standard") + service_account = lookup( + var.node_pools[count.index], + "service_account", + local.service_account, + ) + preemptible = lookup(var.node_pools[count.index], "preemptible", false) + + oauth_scopes = concat( + var.node_pools_oauth_scopes["all"], + var.node_pools_oauth_scopes[var.node_pools[count.index]["name"]] + ) + + dynamic "guest_accelerator" { + for_each = lookup(var.node_pools[count.index], "accelerator_count", 0) > 0 ? [{ + type = lookup(var.node_pools[count.index], "accelerator_type", "") + count = lookup(var.node_pools[count.index], "accelerator_count", 0) + }] : [] + content { + type = guest_accelerator.value.type + count = guest_accelerator.value.count + } + } - oauth_scopes = [ - "${concat(var.node_pools_oauth_scopes["all"], - var.node_pools_oauth_scopes[lookup(var.node_pools[count.index], "name")])}", - ] + dynamic "workload_metadata_config" { + for_each = local.cluster_node_metadata_config - guest_accelerator { - type = "${lookup(var.node_pools[count.index], "accelerator_type", "")}" - count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}" + content { + node_metadata = workload_metadata_config.value.node_metadata + } } - - workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}" } lifecycle { - ignore_changes = ["initial_node_count"] + ignore_changes = [initial_node_count] } timeouts { 
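Review bot: The `version` expression on the regional node pool defaults `auto_upgrade` to `false` while the `management` block two stanzas later defaults the same key to `true`, so a pool entry that omits `auto_upgrade` is created with auto-upgrade enabled and an explicitly pinned `version = local.node_version_regional`. Once GKE upgrades those nodes the pinned value will no longer match what is deployed, which I would expect to show up as a perpetual diff or a forced downgrade on the next apply. The two lookups should agree; `version = lookup(var.node_pools[count.index], "auto_upgrade", true) ? "" : lookup(var.node_pools[count.index], "version", local.node_version_regional)` keeps the version unmanaged whenever auto-upgrade is in effect. The `google_container_node_pool.pools` resource continues past the end of this hunk.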
@@ -178,16 +290,19 @@ resource "google_container_node_pool" "pools" { } resource "null_resource" "wait_for_regional_cluster" { - count = "${var.regional ? 1 : 0}" + count = var.regional ? 1 : 0 provisioner "local-exec" { command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" } provisioner "local-exec" { - when = "destroy" + when = destroy command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" } - depends_on = ["google_container_cluster.primary", "google_container_node_pool.pools"] + depends_on = [ + google_container_cluster.primary, + google_container_node_pool.pools, + ] } diff --git a/modules/beta-private-cluster/cluster_zonal.tf b/modules/beta-private-cluster/cluster_zonal.tf index 9df66bfbc1..afbc294f0a 100644 --- a/modules/beta-private-cluster/cluster_zonal.tf +++ b/modules/beta-private-cluster/cluster_zonal.tf 
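Review bot: Both `local-exec` provisioners in `wait_for_regional_cluster` splice `var.project_id` and `var.name` into a shell command line unquoted, so any whitespace or shell metacharacter in those values is interpreted by the shell rather than passed to the script. GCP will reject such names at cluster creation, but the destroy-time provisioner runs from whatever is in state, and quoting costs nothing: `command = "${path.module}/scripts/wait-for-cluster.sh '${var.project_id}' '${var.name}'"` on both lines. A one-line comment noting that the second provisioner runs on destroy and blocks until the cluster is actually gone would also help readers who do not know the script.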
@@ -20,75 +20,107 @@ Create zonal cluster *****************************************/ resource "google_container_cluster" "zonal_primary" { - provider = "google-beta" - count = "${var.regional ? 0 : 1}" - name = "${var.name}" - description = "${var.description}" - project = "${var.project_id}" + provider = google-beta - zone = "${var.zones[0]}" - node_locations = ["${slice(var.zones,1,length(var.zones))}"] - cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" - network_policy = "${local.cluster_network_policy["${var.network_policy ? "enabled" : "disabled"}"]}" + count = var.regional ? 0 : 1 + name = var.name + description = var.description + project = var.project_id - subnetwork = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}" - min_master_version = "${local.kubernetes_version_zonal}" + zone = var.zones[0] + node_locations = slice(var.zones, 1, length(var.zones)) + cluster_ipv4_cidr = var.cluster_ipv4_cidr + network = data.google_compute_network.gke_network.self_link - logging_service = "${var.logging_service}" - monitoring_service = "${var.monitoring_service}" + dynamic "network_policy" { + for_each = local.cluster_network_policy - enable_binary_authorization = "${var.enable_binary_authorization}" - pod_security_policy_config = "${var.pod_security_policy_config}" + content { + enabled = network_policy.value.enabled + provider = network_policy.value.provider + } + } + + subnetwork = data.google_compute_subnetwork.gke_subnetwork.self_link + min_master_version = local.kubernetes_version_zonal + + logging_service = var.logging_service + monitoring_service = var.monitoring_service + + enable_binary_authorization = var.enable_binary_authorization - master_authorized_networks_config = ["${var.master_authorized_networks_config}"] + dynamic "pod_security_policy_config" { + for_each = 
var.pod_security_policy_config + content { + enabled = pod_security_policy_config.value.enabled + } + } + + dynamic "master_authorized_networks_config" { + for_each = var.master_authorized_networks_config + content { + dynamic "cidr_blocks" { + for_each = master_authorized_networks_config.value.cidr_blocks + content { + cidr_block = lookup(cidr_blocks.value, "cidr_block", "") + display_name = lookup(cidr_blocks.value, "display_name", "") + } + } + } + } master_auth { - username = "${var.basic_auth_username}" - password = "${var.basic_auth_password}" + username = var.basic_auth_username + password = var.basic_auth_password client_certificate_config { - issue_client_certificate = "${var.issue_client_certificate}" + issue_client_certificate = var.issue_client_certificate } } addons_config { http_load_balancing { - disabled = "${var.http_load_balancing ? 0 : 1}" + disabled = ! var.http_load_balancing } horizontal_pod_autoscaling { - disabled = "${var.horizontal_pod_autoscaling ? 0 : 1}" + disabled = ! var.horizontal_pod_autoscaling } kubernetes_dashboard { - disabled = "${var.kubernetes_dashboard ? 0 : 1}" + disabled = ! var.kubernetes_dashboard } network_policy_config { - disabled = "${var.network_policy ? 0 : 1}" + disabled = ! var.network_policy } istio_config { - disabled = "${var.istio ? 0 : 1}" + disabled = ! var.istio } - cloudrun_config = "${local.cluster_cloudrun_config["${var.cloudrun ? 
"enabled" : "disabled"}"]}" + dynamic "cloudrun_config" { + for_each = local.cluster_cloudrun_config + + content { + disabled = cloudrun_config.value.disabled + } + } } ip_allocation_policy { - cluster_secondary_range_name = "${var.ip_range_pods}" - services_secondary_range_name = "${var.ip_range_services}" + cluster_secondary_range_name = var.ip_range_pods + services_secondary_range_name = var.ip_range_services } maintenance_policy { daily_maintenance_window { - start_time = "${var.maintenance_start_time}" + start_time = var.maintenance_start_time } } lifecycle { - ignore_changes = ["node_pool"] + ignore_changes = [node_pool] } timeouts { 
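Review bot: The new `dynamic "master_authorized_networks_config"` block emits nothing when `var.master_authorized_networks_config` is empty, and nothing in this resource documents that this leaves the public control-plane endpoint reachable from any source address unless `enable_private_endpoint` is set further down. Since this is the private-cluster module, a comment immediately above the dynamic block would save operators a surprise: `# Empty list => no authorized-networks restriction; the public endpoint stays open unless enable_private_endpoint is true.` The same caveat belongs in the variable description. The `google_container_cluster.zonal_primary` resource continues past the end of this hunk.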
@@ -99,76 +131,151 @@ resource "google_container_cluster" "zonal_primary" { node_pool { name = "default-pool" - initial_node_count = "${var.initial_node_count}" + initial_node_count = var.initial_node_count node_config { - service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}" + service_account = lookup(var.node_pools[0], "service_account", local.service_account) + + dynamic "workload_metadata_config" { + for_each = local.cluster_node_metadata_config - workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}" + content { + node_metadata = workload_metadata_config.value.node_metadata + } + } } } private_cluster_config { - enable_private_endpoint = "${var.enable_private_endpoint}" - enable_private_nodes = "${var.enable_private_nodes}" - master_ipv4_cidr_block = "${var.master_ipv4_cidr_block}" + enable_private_endpoint = var.enable_private_endpoint + enable_private_nodes = var.enable_private_nodes + master_ipv4_cidr_block = var.master_ipv4_cidr_block } - remove_default_node_pool = "${var.remove_default_node_pool}" - database_encryption = ["${var.database_encryption}"] + remove_default_node_pool = var.remove_default_node_pool + + dynamic "database_encryption" { + for_each = var.database_encryption + + content { + key_name = database_encryption.value.key_name + state = database_encryption.value.state + } + } } /****************************************** Create zonal node pools *****************************************/ resource "google_container_node_pool" "zonal_pools" { - provider = "google-beta" - count = "${var.regional ? 0 : length(var.node_pools)}" - name = "${lookup(var.node_pools[count.index], "name")}" - project = "${var.project_id}" - zone = "${var.zones[0]}" - cluster = "${google_container_cluster.zonal_primary.name}" - version = "${lookup(var.node_pools[count.index], "auto_upgrade", false) ? 
"" : lookup(var.node_pools[count.index], "version", local.node_version_zonal)}" - initial_node_count = "${lookup(var.node_pools[count.index], "initial_node_count", lookup(var.node_pools[count.index], "min_count", 1))}" + provider = google-beta + count = var.regional ? 0 : length(var.node_pools) + name = var.node_pools[count.index]["name"] + project = var.project_id + zone = var.zones[0] + cluster = google_container_cluster.zonal_primary[0].name + version = lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup( + var.node_pools[count.index], + "version", + local.node_version_zonal, + ) + initial_node_count = lookup( + var.node_pools[count.index], + "initial_node_count", + lookup(var.node_pools[count.index], "min_count", 1), + ) autoscaling { - min_node_count = "${lookup(var.node_pools[count.index], "min_count", 1)}" - max_node_count = "${lookup(var.node_pools[count.index], "max_count", 100)}" + min_node_count = lookup(var.node_pools[count.index], "min_count", 1) + max_node_count = lookup(var.node_pools[count.index], "max_count", 100) } management { - auto_repair = "${lookup(var.node_pools[count.index], "auto_repair", true)}" - auto_upgrade = "${lookup(var.node_pools[count.index], "auto_upgrade", false)}" + auto_repair = lookup(var.node_pools[count.index], "auto_repair", true) + auto_upgrade = lookup(var.node_pools[count.index], "auto_upgrade", false) } node_config { - image_type = "${lookup(var.node_pools[count.index], "image_type", "COS")}" - machine_type = "${lookup(var.node_pools[count.index], "machine_type", "n1-standard-2")}" - labels = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_labels["all"], var.node_pools_labels[lookup(var.node_pools[count.index], "name")])}" - metadata = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_metadata["all"], var.node_pools_metadata[lookup(var.node_pools[count.index], 
"name")], map("disable-legacy-endpoints", var.disable_legacy_metadata_endpoints))}" - taint = "${concat(var.node_pools_taints["all"], var.node_pools_taints[lookup(var.node_pools[count.index], "name")])}" - tags = ["${concat(list("gke-${var.name}"), list("gke-${var.name}-${lookup(var.node_pools[count.index], "name")}"), var.node_pools_tags["all"], var.node_pools_tags[lookup(var.node_pools[count.index], "name")])}"] + image_type = lookup(var.node_pools[count.index], "image_type", "COS") + machine_type = lookup(var.node_pools[count.index], "machine_type", "n1-standard-2") + labels = merge( + { + "cluster_name" = var.name + }, + { + "node_pool" = var.node_pools[count.index]["name"] + }, + var.node_pools_labels["all"], + var.node_pools_labels[var.node_pools[count.index]["name"]], + ) + metadata = merge( + { + "cluster_name" = var.name + }, + { + "node_pool" = var.node_pools[count.index]["name"] + }, + var.node_pools_metadata["all"], + var.node_pools_metadata[var.node_pools[count.index]["name"]], + { + "disable-legacy-endpoints" = var.disable_legacy_metadata_endpoints + }, + ) + dynamic "taint" { + for_each = concat( + var.node_pools_taints["all"], + var.node_pools_taints[var.node_pools[count.index]["name"]], + ) + content { + effect = taint.value.effect + key = taint.value.key + value = taint.value.value + } + } - disk_size_gb = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}" - disk_type = "${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}" - service_account = "${lookup(var.node_pools[count.index], "service_account", local.service_account)}" - preemptible = "${lookup(var.node_pools[count.index], "preemptible", false)}" + tags = concat( + ["gke-${var.name}"], + ["gke-${var.name}-${var.node_pools[count.index]["name"]}"], + var.node_pools_tags["all"], + var.node_pools_tags[var.node_pools[count.index]["name"]], + ) + + disk_size_gb = lookup(var.node_pools[count.index], "disk_size_gb", 100) + disk_type = lookup(var.node_pools[count.index], 
"disk_type", "pd-standard") + service_account = lookup( + var.node_pools[count.index], + "service_account", + local.service_account, + ) + preemptible = lookup(var.node_pools[count.index], "preemptible", false) + + oauth_scopes = concat( + var.node_pools_oauth_scopes["all"], + var.node_pools_oauth_scopes[var.node_pools[count.index]["name"]], + ) + + dynamic "guest_accelerator" { + for_each = lookup(var.node_pools[count.index], "accelerator_count", 0) > 0 ? [{ + type = lookup(var.node_pools[count.index], "accelerator_type", "") + count = lookup(var.node_pools[count.index], "accelerator_count", 0) + }] : [] + content { + type = guest_accelerator.value.type + count = guest_accelerator.value.count + } + } - oauth_scopes = [ - "${concat(var.node_pools_oauth_scopes["all"], - var.node_pools_oauth_scopes[lookup(var.node_pools[count.index], "name")])}", - ] + dynamic "workload_metadata_config" { + for_each = local.cluster_node_metadata_config - guest_accelerator { - type = "${lookup(var.node_pools[count.index], "accelerator_type", "")}" - count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}" + content { + node_metadata = workload_metadata_config.value.node_metadata + } } - - workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}" } lifecycle { - ignore_changes = ["initial_node_count"] + ignore_changes = [initial_node_count] } timeouts { 
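Review bot: The zonal pool's `management` block defaults `auto_upgrade` to `false` (`lookup(var.node_pools[count.index], "auto_upgrade", false)`) whereas the regional pool resource in this same module defaults it to `true`, so callers get automatic node security patching on regional clusters but not on zonal ones unless they opt in per pool. If the difference is deliberate it needs a comment explaining why; otherwise I would align it with the regional resource: `auto_upgrade = lookup(var.node_pools[count.index], "auto_upgrade", true)`. The `google_container_node_pool.zonal_pools` resource continues past the end of this hunk.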
@@ -179,16 +286,19 @@ resource "google_container_node_pool" "zonal_pools" { } resource "null_resource" "wait_for_zonal_cluster" { - count = "${var.regional ? 0 : 1}" + count = var.regional ? 0 : 1 provisioner "local-exec" { command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" } provisioner "local-exec" { - when = "destroy" + when = destroy command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" } - depends_on = ["google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"] + depends_on = [ + google_container_cluster.zonal_primary, + google_container_node_pool.zonal_pools, + ] } diff --git a/modules/beta-private-cluster/dns.tf b/modules/beta-private-cluster/dns.tf index 91b41efac4..7138473ded 100644 --- a/modules/beta-private-cluster/dns.tf +++ b/modules/beta-private-cluster/dns.tf 
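Review bot: The `command` lines in `wait_for_zonal_cluster` pass `var.project_id` and `var.name` to the shell unquoted, so anything beyond plain alphanumerics and hyphens in those values is subject to shell word-splitting and expansion. Single-quoting the two arguments, `command = "${path.module}/scripts/wait-for-cluster.sh '${var.project_id}' '${var.name}'"`, is a cheap hardening that applies equally to the destroy-time provisioner, which runs from state rather than freshly validated input.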
@@ -20,73 +20,94 @@ Delete default kube-dns configmap *****************************************/ resource "null_resource" "delete_default_kube_dns_configmap" { - count = "${local.custom_kube_dns_config || local.upstream_nameservers_config ? 1 : 0}" + count = local.custom_kube_dns_config || local.upstream_nameservers_config ? 1 : 0 provisioner "local-exec" { command = "${path.module}/scripts/kubectl_wrapper.sh https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" } - depends_on = ["data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"] + depends_on = [ + data.google_client_config.default, + google_container_cluster.primary, + google_container_node_pool.pools, + google_container_cluster.zonal_primary, + google_container_node_pool.zonal_pools, + ] } /****************************************** Create kube-dns confimap *****************************************/ resource "kubernetes_config_map" "kube-dns" { - count = "${local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0}" + count = local.custom_kube_dns_config && ! local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - labels { + labels = { maintained_by = "terraform" } } - data { + data = { stubDomains = < 0 + upstream_nameservers_config = length(var.upstream_nameservers) > 0 + network_project_id = var.network_project_id != "" ? var.network_project_id : var.project_id + + cluster_type = var.regional ? "regional" : "zonal" + + cluster_network_policy = var.network_policy ? [{ + enabled = true + provider = var.network_policy_provider + }] : [{ + enabled = false + provider = null + }] + + cluster_cloudrun_config = var.cloudrun ? 
[{ disabled = false }] : [] + + cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ + node_metadata = var.node_metadata + }] cluster_type_output_name = { - regional = "${element(concat(google_container_cluster.primary.*.name, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.name, list("")), 0)}" + regional = element(concat(google_container_cluster.primary.*.name, [""]), 0) + zonal = element( + concat(google_container_cluster.zonal_primary.*.name, [""]), + 0, + ) } cluster_type_output_location = { - regional = "${element(concat(google_container_cluster.primary.*.region, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.zone, list("")), 0)}" + regional = element(concat(google_container_cluster.primary.*.region, [""]), 0) + zonal = element( + concat(google_container_cluster.zonal_primary.*.zone, [""]), + 0, + ) } cluster_type_output_region = { - regional = "${element(concat(google_container_cluster.primary.*.region, list("")), 0)}" - zonal = "${var.region}" + regional = element(concat(google_container_cluster.primary.*.region, [""]), 0) + zonal = var.region } - cluster_type_output_regional_zones = "${flatten(google_container_cluster.primary.*.node_locations)}" - cluster_type_output_zonal_zones = "${slice(var.zones, 1, length(var.zones))}" + cluster_type_output_regional_zones = flatten(google_container_cluster.primary.*.node_locations) + cluster_type_output_zonal_zones = slice(var.zones, 1, length(var.zones)) cluster_type_output_zones = { - regional = "${local.cluster_type_output_regional_zones}" - zonal = "${concat(google_container_cluster.zonal_primary.*.zone, local.cluster_type_output_zonal_zones)}" + regional = local.cluster_type_output_regional_zones + zonal = concat( + google_container_cluster.zonal_primary.*.zone, + local.cluster_type_output_zonal_zones, + ) } cluster_type_output_endpoint = { - regional = "${ - var.deploy_using_private_endpoint ? 
- element(concat(google_container_cluster.primary.*.private_cluster_config.0.private_endpoint, list("")), 0) : - element(concat(google_container_cluster.primary.*.endpoint, list("")), 0) - }" + regional = var.deploy_using_private_endpoint ? element(concat(google_container_cluster.primary.*.private_cluster_config.0.private_endpoint, [""]), 0) : element(concat(google_container_cluster.primary.*.endpoint, [""]), 0) - zonal = "${ - var.deploy_using_private_endpoint ? - element(concat(google_container_cluster.zonal_primary.*.private_cluster_config.0.private_endpoint, list("")), 0) : - element(concat(google_container_cluster.zonal_primary.*.endpoint, list("")), 0) - }" + zonal = var.deploy_using_private_endpoint ? element(concat(google_container_cluster.zonal_primary.*.private_cluster_config.0.private_endpoint, [""]), 0) : element(concat(google_container_cluster.zonal_primary.*.endpoint, [""]), 0) } cluster_type_output_master_auth = { - regional = "${concat(google_container_cluster.primary.*.master_auth, list())}" - zonal = "${concat(google_container_cluster.zonal_primary.*.master_auth, list())}" + regional = concat(google_container_cluster.primary.*.master_auth, []) + zonal = concat(google_container_cluster.zonal_primary.*.master_auth, []) } cluster_type_output_master_version = { - regional = "${element(concat(google_container_cluster.primary.*.master_version, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.master_version, list("")), 0)}" + regional = element( + concat(google_container_cluster.primary.*.master_version, [""]), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.master_version, + [""], + ), + 0, + ) } cluster_type_output_min_master_version = { - regional = "${element(concat(google_container_cluster.primary.*.min_master_version, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.min_master_version, list("")), 0)}" + regional = element( + 
concat(google_container_cluster.primary.*.min_master_version, [""]), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.min_master_version, + [""], + ), + 0, + ) } cluster_type_output_logging_service = { - regional = "${element(concat(google_container_cluster.primary.*.logging_service, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.logging_service, list("")), 0)}" + regional = element( + concat(google_container_cluster.primary.*.logging_service, [""]), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.logging_service, + [""], + ), + 0, + ) } cluster_type_output_monitoring_service = { - regional = "${element(concat(google_container_cluster.primary.*.monitoring_service, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.monitoring_service, list("")), 0)}" + regional = element( + concat(google_container_cluster.primary.*.monitoring_service, [""]), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.monitoring_service, + [""], + ), + 0, + ) } cluster_type_output_network_policy_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.network_policy_config.0.disabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.network_policy_config.0.disabled, list("")), 0)}" + regional = element( + concat( + google_container_cluster.primary.*.addons_config.0.network_policy_config.0.disabled, + [""], + ), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.addons_config.0.network_policy_config.0.disabled, + [""], + ), + 0, + ) } cluster_type_output_http_load_balancing_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.http_load_balancing.0.disabled, list("")), 0)}" - zonal = 
"${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.http_load_balancing.0.disabled, list("")), 0)}" + regional = element( + concat( + google_container_cluster.primary.*.addons_config.0.http_load_balancing.0.disabled, + [""], + ), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.addons_config.0.http_load_balancing.0.disabled, + [""], + ), + 0, + ) } cluster_type_output_horizontal_pod_autoscaling_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, list("")), 0)}" + regional = element( + concat( + google_container_cluster.primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, + [""], + ), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, + [""], + ), + 0, + ) } cluster_type_output_kubernetes_dashboard_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.kubernetes_dashboard.0.disabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.kubernetes_dashboard.0.disabled, list("")), 0)}" + regional = element( + concat( + google_container_cluster.primary.*.addons_config.0.kubernetes_dashboard.0.disabled, + [""], + ), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.addons_config.0.kubernetes_dashboard.0.disabled, + [""], + ), + 0, + ) } # BETA features cluster_type_output_istio_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.istio_config.0.disabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.istio_config.0.disabled, list("")), 0)}" + regional = 
element(concat(google_container_cluster.primary.*.addons_config.0.istio_config.0.disabled, [""]), 0) + zonal = element(concat(google_container_cluster.zonal_primary.*.addons_config.0.istio_config.0.disabled, [""]), 0) } cluster_type_output_pod_security_policy_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" + regional = element(concat(google_container_cluster.primary.*.pod_security_policy_config.0.enabled, [""]), 0) + zonal = element(concat(google_container_cluster.zonal_primary.*.pod_security_policy_config.0.enabled, [""]), 0) } - # /BETA features cluster_type_output_node_pools_names = { - regional = "${concat(google_container_node_pool.pools.*.name, list(""))}" - zonal = "${concat(google_container_node_pool.zonal_pools.*.name, list(""))}" + regional = concat(google_container_node_pool.pools.*.name, [""]) + zonal = concat(google_container_node_pool.zonal_pools.*.name, [""]) } + cluster_type_output_node_pools_versions = { - regional = "${concat(google_container_node_pool.pools.*.version, list(""))}" - zonal = "${concat(google_container_node_pool.zonal_pools.*.version, list(""))}" + regional = concat(google_container_node_pool.pools.*.version, [""]) + zonal = concat(google_container_node_pool.zonal_pools.*.version, [""]) } - cluster_master_auth_list_layer1 = "${local.cluster_type_output_master_auth[local.cluster_type]}" - cluster_master_auth_list_layer2 = "${local.cluster_master_auth_list_layer1[0]}" - cluster_master_auth_map = "${local.cluster_master_auth_list_layer2[0]}" + + cluster_master_auth_list_layer1 = local.cluster_type_output_master_auth[local.cluster_type] + cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] + cluster_master_auth_map = local.cluster_master_auth_list_layer2[0] # cluster locals - cluster_name = 
"${local.cluster_type_output_name[local.cluster_type]}" - cluster_location = "${local.cluster_type_output_location[local.cluster_type]}" - cluster_region = "${local.cluster_type_output_region[local.cluster_type]}" - cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}" - cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}" - cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}" - cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}" - cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}" - cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}" - cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}" - cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}" - cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}" - cluster_network_policy_enabled = "${local.cluster_type_output_network_policy_enabled[local.cluster_type] ? false : true}" - cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}" - cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}" - cluster_kubernetes_dashboard_enabled = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? 
false : true}" + cluster_name = local.cluster_type_output_name[local.cluster_type] + cluster_location = local.cluster_type_output_location[local.cluster_type] + cluster_region = local.cluster_type_output_region[local.cluster_type] + cluster_zones = sort(local.cluster_type_output_zones[local.cluster_type]) + cluster_endpoint = local.cluster_type_output_endpoint[local.cluster_type] + cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] + cluster_master_version = local.cluster_type_output_master_version[local.cluster_type] + cluster_min_master_version = local.cluster_type_output_min_master_version[local.cluster_type] + cluster_logging_service = local.cluster_type_output_logging_service[local.cluster_type] + cluster_monitoring_service = local.cluster_type_output_monitoring_service[local.cluster_type] + cluster_node_pools_names = local.cluster_type_output_node_pools_names[local.cluster_type] + cluster_node_pools_versions = local.cluster_type_output_node_pools_versions[local.cluster_type] + cluster_network_policy_enabled = ! local.cluster_type_output_network_policy_enabled[local.cluster_type] + cluster_http_load_balancing_enabled = ! local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] + cluster_horizontal_pod_autoscaling_enabled = ! local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] + cluster_kubernetes_dashboard_enabled = ! local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] # BETA features - cluster_istio_enabled = "${local.cluster_type_output_istio_enabled[local.cluster_type] ? false : true}" - cluster_cloudrun_enabled = "${var.cloudrun}" - cluster_pod_security_policy_enabled = "${local.cluster_type_output_pod_security_policy_enabled[local.cluster_type] ? true : false}" - + cluster_istio_enabled = ! 
local.cluster_type_output_istio_enabled[local.cluster_type] + cluster_cloudrun_enabled = var.cloudrun + cluster_pod_security_policy_enabled = local.cluster_type_output_pod_security_policy_enabled[local.cluster_type] # /BETA features } @@ -203,9 +276,9 @@ locals { Get available container engine versions *****************************************/ data "google_container_engine_versions" "region" { - provider = "google-beta" - region = "${var.region}" - project = "${var.project_id}" + provider = google-beta + region = var.region + project = var.project_id } data "google_container_engine_versions" "zone" { @@ -213,7 +286,7 @@ data "google_container_engine_versions" "zone" { // // data.google_container_engine_versions.zone: Cannot determine zone: set in this resource, or set provider-level zone. // - zone = "${var.zones[0] == "" ? data.google_compute_zones.available.names[0] : var.zones[0]}" + zone = var.zones[0] == "" ? data.google_compute_zones.available.names[0] : var.zones[0] - project = "${var.project_id}" + project = var.project_id } diff --git a/modules/beta-private-cluster/masq.tf b/modules/beta-private-cluster/masq.tf index 3006578627..1e9dc7791d 100644 --- a/modules/beta-private-cluster/masq.tf +++ b/modules/beta-private-cluster/masq.tf 
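Review bot: The `cluster_type_output_*_enabled` maps for network policy, HTTP load balancing, horizontal pod autoscaling, the dashboard and Istio are named "enabled" but actually hold the addon's raw `disabled` flag (each reads `addons_config.0.<addon>.0.disabled`), which is why the cluster locals at the end of the hunk negate them with `!`, while `cluster_type_output_pod_security_policy_enabled` reads `.enabled` and is passed through un-negated. A reader scanning only the lower block cannot tell which maps need the inversion, so please add a comment above the first of them such as `# NOTE: the *_enabled maps below carry the addons' raw "disabled" value; they are inverted in the "cluster locals" section` (or rename them `*_disabled`). Relatedly, `cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0]` indexes the list directly while every sibling guards the absent cluster type with `concat(..., [""])`; I assume only the selected type is ever dereferenced, but it is worth a one-line comment stating that assumption. The start of this locals block is garbled in this view, so I could not check the `custom_kube_dns_config`/`network_project_id` lines that precede it.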
@@ -20,18 +20,18 @@ Create ip-masq-agent confimap *****************************************/ resource "kubernetes_config_map" "ip-masq-agent" { - count = "${var.configure_ip_masq ? 1 : 0}" + count = var.configure_ip_masq ? 1 : 0 metadata { name = "ip-masq-agent" namespace = "kube-system" - labels { + labels = { maintained_by = "terraform" } } - data { + data = { config = <` | no | -| description | The description of the cluster | string | `""` | no | -| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no | -| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | -| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no | -| http\_load\_balancing | Enable httpload balancer addon | string | `"true"` | no | -| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | string | `"0"` | no | -| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | string | `"false"` | no | -| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `"60s"` | no | -| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes | -| ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes | -| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! 
| string | `"false"` | no | -| istio | (Beta) Enable Istio addon | string | `"false"` | no | -| kubernetes\_dashboard | Enable kubernetes dashboard addon | string | `"false"` | no | -| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no | -| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com"` | no | -| maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no | -| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. Omit the nested cidr_blocks attribute to disallow external access (except the cluster node IPs, which GKE automatically whitelists)

### example format ### master_authorized_networks_config = [{ cidr_blocks = [{ cidr_block = "10.0.0.0/8" display_name = "example_network" }], }] | list | `` | no | -| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com"` | no | -| name | The name of the cluster (required) | string | n/a | yes | -| network | The VPC network to host the cluster in (required) | string | n/a | yes | -| network\_policy | Enable network policy addon | string | `"false"` | no | -| network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no | -| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"UNSPECIFIED"` | no | -| node\_pools | List of maps containing node pools | list | `` | no | -| node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `` | no | -| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map | `` | no | -| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map | `` | no | -| node\_pools\_tags | Map of lists containing node network tags by node-pool name | map | `` | no | -| node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `` | no | -| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. 
| string | `""` | no | -| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list | `` | no | -| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | list | `` | no | -| project\_id | The project ID to host the cluster in (required) | string | n/a | yes | -| region | The region to host the cluster in (required) | string | n/a | yes | -| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no | -| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | string | `"false"` | no | -| service\_account | The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created. | string | `"create"` | no | -| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `` | no | -| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | -| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list | `` | no | -| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| ca\_certificate | Cluster ca certificate (base64 encoded) | -| cloudrun\_enabled | Whether CloudRun enabled | -| endpoint | Cluster endpoint | -| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | -| http\_load\_balancing\_enabled | Whether http load balancing enabled | -| istio\_enabled | Whether Istio is enabled | -| kubernetes\_dashboard\_enabled | Whether kubernetes dashboard enabled 
| -| location | Cluster location (region if regional cluster, zone if zonal cluster) | -| logging\_service | Logging service used | -| master\_authorized\_networks\_config | Networks from which access to master is permitted | -| master\_version | Current master kubernetes version | -| min\_master\_version | Minimum master kubernetes version | -| monitoring\_service | Monitoring service used | -| name | Cluster name | -| network\_policy\_enabled | Whether network policy enabled | -| node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | -| pod\_security\_policy\_enabled | Whether pod security policy is enabled | -| region | Cluster region | -| service\_account | The service account to default running nodes as if not overridden in `node_pools`. | -| type | Cluster type (regional / zonal) | -| zones | List of zones in which the cluster resides | - [^]: (autogen_docs_end) ## Requirements @@ -214,7 +133,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog #### Kubectl - [kubectl](https://github.com/kubernetes/kubernetes/releases) 1.9.x #### Terraform and Plugins -- [Terraform](https://www.terraform.io/downloads.html) 0.11.x +- [Terraform](https://www.terraform.io/downloads.html) 0.12 - [Terraform Provider for GCP Beta][terraform-provider-google-beta] v2.9 ### Configure a Service Account diff --git a/modules/beta-public-cluster/auth.tf b/modules/beta-public-cluster/auth.tf index 0bbafaf4a2..c177eee5a7 100644 --- a/modules/beta-public-cluster/auth.tf +++ b/modules/beta-public-cluster/auth.tf @@ -20,7 +20,7 @@ Retrieve authentication token *****************************************/ data "google_client_config" "default" { - provider = "google-beta" + provider = google-beta } /****************************************** 
@@ -29,6 +29,6 @@ data "google_client_config" "default" { provider "kubernetes" { load_config_file = false host = "https://${local.cluster_endpoint}" - token = "${data.google_client_config.default.access_token}" - cluster_ca_certificate = "${base64decode(local.cluster_ca_certificate)}" + token = data.google_client_config.default.access_token + cluster_ca_certificate = base64decode(local.cluster_ca_certificate) } diff --git a/modules/beta-public-cluster/cluster_regional.tf b/modules/beta-public-cluster/cluster_regional.tf index b651323baf..af21dc605a 100644 --- a/modules/beta-public-cluster/cluster_regional.tf +++ b/modules/beta-public-cluster/cluster_regional.tf 
@@ -20,74 +20,112 @@ Create regional cluster *****************************************/ resource "google_container_cluster" "primary" { - provider = "google-beta" - count = "${var.regional ? 1 : 0}" - name = "${var.name}" - description = "${var.description}" - project = "${var.project_id}" + provider = google-beta - region = "${var.region}" - node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] - cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" - network_policy = "${local.cluster_network_policy["${var.network_policy ? "enabled" : "disabled"}"]}" + count = var.regional ? 1 : 0 + name = var.name + description = var.description + project = var.project_id - subnetwork = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}" - min_master_version = "${local.kubernetes_version_regional}" + region = var.region - logging_service = "${var.logging_service}" - monitoring_service = "${var.monitoring_service}" + node_locations = coalescelist( + compact(var.zones), + sort(random_shuffle.available_zones.result), + ) - enable_binary_authorization = "${var.enable_binary_authorization}" - pod_security_policy_config = "${var.pod_security_policy_config}" - master_authorized_networks_config = ["${var.master_authorized_networks_config}"] + cluster_ipv4_cidr = var.cluster_ipv4_cidr + network = data.google_compute_network.gke_network.self_link + + dynamic "network_policy" { + for_each = local.cluster_network_policy + + content { + enabled = network_policy.value.enabled + provider = network_policy.value.provider + } + } + + subnetwork = data.google_compute_subnetwork.gke_subnetwork.self_link + min_master_version = local.kubernetes_version_regional + + logging_service = var.logging_service + monitoring_service = var.monitoring_service + + enable_binary_authorization 
= var.enable_binary_authorization + + dynamic "pod_security_policy_config" { + for_each = var.pod_security_policy_config + content { + enabled = pod_security_policy_config.value.enabled + } + } + + dynamic "master_authorized_networks_config" { + for_each = var.master_authorized_networks_config + content { + dynamic "cidr_blocks" { + for_each = master_authorized_networks_config.value.cidr_blocks + content { + cidr_block = lookup(cidr_blocks.value, "cidr_block", "") + display_name = lookup(cidr_blocks.value, "display_name", "") + } + } + } + } master_auth { - username = "${var.basic_auth_username}" - password = "${var.basic_auth_password}" + username = var.basic_auth_username + password = var.basic_auth_password client_certificate_config { - issue_client_certificate = "${var.issue_client_certificate}" + issue_client_certificate = var.issue_client_certificate } } addons_config { http_load_balancing { - disabled = "${var.http_load_balancing ? 0 : 1}" + disabled = ! var.http_load_balancing } horizontal_pod_autoscaling { - disabled = "${var.horizontal_pod_autoscaling ? 0 : 1}" + disabled = ! var.horizontal_pod_autoscaling } kubernetes_dashboard { - disabled = "${var.kubernetes_dashboard ? 0 : 1}" + disabled = ! var.kubernetes_dashboard } network_policy_config { - disabled = "${var.network_policy ? 0 : 1}" + disabled = ! var.network_policy } istio_config { - disabled = "${var.istio ? 0 : 1}" + disabled = ! var.istio } - cloudrun_config = "${local.cluster_cloudrun_config["${var.cloudrun ? 
"enabled" : "disabled"}"]}" + dynamic "cloudrun_config" { + for_each = local.cluster_cloudrun_config + + content { + disabled = cloudrun_config.value.disabled + } + } } ip_allocation_policy { - cluster_secondary_range_name = "${var.ip_range_pods}" - services_secondary_range_name = "${var.ip_range_services}" + cluster_secondary_range_name = var.ip_range_pods + services_secondary_range_name = var.ip_range_services } maintenance_policy { daily_maintenance_window { - start_time = "${var.maintenance_start_time}" + start_time = var.maintenance_start_time } } lifecycle { - ignore_changes = ["node_pool"] + ignore_changes = [node_pool] } timeouts { 
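Review bot: In the new `dynamic "master_authorized_networks_config"` block, the inner `for_each = master_authorized_networks_config.value.cidr_blocks` accesses the attribute directly, so a caller who omits `cidr_blocks` (the documented way to disallow external access, per the module README) gets a plan-time error instead of a closed master, and `cidr_block = lookup(cidr_blocks.value, "cidr_block", "")` turns a mistyped or missing key into an empty CIDR entry rather than failing. For an access-control list a misconfiguration should fail loudly, so I would use `for_each = lookup(master_authorized_networks_config.value, "cidr_blocks", [])` for the outer lookup and `cidr_block = cidr_blocks.value.cidr_block` (no default) for the required key, keeping the `""` default only for `display_name`. Separately, `network` and `subnetwork` now pass the full `self_link` where the old lines stripped the `https://www.googleapis.com/compute/v1/` prefix; I believe the provider normalizes self-links for these ForceNew attributes, but a plan against an existing cluster should confirm this produces no diff before release. The `google_container_cluster` resource continues past this hunk (the `timeouts` and `node_pool` blocks follow).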
@@ -98,70 +136,145 @@ resource "google_container_cluster" "primary" { node_pool { name = "default-pool" - initial_node_count = "${var.initial_node_count}" + initial_node_count = var.initial_node_count node_config { - service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}" + service_account = lookup(var.node_pools[0], "service_account", local.service_account) + + dynamic "workload_metadata_config" { + for_each = local.cluster_node_metadata_config - workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}" + content { + node_metadata = workload_metadata_config.value.node_metadata + } + } } } - remove_default_node_pool = "${var.remove_default_node_pool}" - database_encryption = ["${var.database_encryption}"] + + remove_default_node_pool = var.remove_default_node_pool + + dynamic "database_encryption" { + for_each = var.database_encryption + + content { + key_name = database_encryption.value.key_name + state = database_encryption.value.state + } + } } /****************************************** Create regional node pools *****************************************/ resource "google_container_node_pool" "pools" { - provider = "google-beta" - count = "${var.regional ? length(var.node_pools) : 0}" - name = "${lookup(var.node_pools[count.index], "name")}" - project = "${var.project_id}" - region = "${var.region}" - cluster = "${google_container_cluster.primary.name}" - version = "${lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(var.node_pools[count.index], "version", local.node_version_regional)}" - initial_node_count = "${lookup(var.node_pools[count.index], "initial_node_count", lookup(var.node_pools[count.index], "min_count", 1))}" + provider = google-beta + count = var.regional ? 
length(var.node_pools) : 0 + name = var.node_pools[count.index]["name"] + project = var.project_id + region = var.region + cluster = google_container_cluster.primary[0].name + version = lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup( + var.node_pools[count.index], + "version", + local.node_version_regional, + ) + initial_node_count = lookup( + var.node_pools[count.index], + "initial_node_count", + lookup(var.node_pools[count.index], "min_count", 1), + ) autoscaling { - min_node_count = "${lookup(var.node_pools[count.index], "min_count", 1)}" - max_node_count = "${lookup(var.node_pools[count.index], "max_count", 100)}" + min_node_count = lookup(var.node_pools[count.index], "min_count", 1) + max_node_count = lookup(var.node_pools[count.index], "max_count", 100) } management { - auto_repair = "${lookup(var.node_pools[count.index], "auto_repair", true)}" - auto_upgrade = "${lookup(var.node_pools[count.index], "auto_upgrade", true)}" + auto_repair = lookup(var.node_pools[count.index], "auto_repair", true) + auto_upgrade = lookup(var.node_pools[count.index], "auto_upgrade", true) } node_config { - image_type = "${lookup(var.node_pools[count.index], "image_type", "COS")}" - machine_type = "${lookup(var.node_pools[count.index], "machine_type", "n1-standard-2")}" - labels = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_labels["all"], var.node_pools_labels[lookup(var.node_pools[count.index], "name")])}" - metadata = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_metadata["all"], var.node_pools_metadata[lookup(var.node_pools[count.index], "name")], map("disable-legacy-endpoints", var.disable_legacy_metadata_endpoints))}" - taint = "${concat(var.node_pools_taints["all"], var.node_pools_taints[lookup(var.node_pools[count.index], "name")])}" - tags = ["${concat(list("gke-${var.name}"), 
list("gke-${var.name}-${lookup(var.node_pools[count.index], "name")}"), var.node_pools_tags["all"], var.node_pools_tags[lookup(var.node_pools[count.index], "name")])}"] - - disk_size_gb = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}" - disk_type = "${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}" - service_account = "${lookup(var.node_pools[count.index], "service_account", local.service_account)}" - preemptible = "${lookup(var.node_pools[count.index], "preemptible", false)}" + image_type = lookup(var.node_pools[count.index], "image_type", "COS") + machine_type = lookup(var.node_pools[count.index], "machine_type", "n1-standard-2") + labels = merge( + { + "cluster_name" = var.name + }, + { + "node_pool" = var.node_pools[count.index]["name"] + }, + var.node_pools_labels["all"], + var.node_pools_labels[var.node_pools[count.index]["name"]], + ) + metadata = merge( + { + "cluster_name" = var.name + }, + { + "node_pool" = var.node_pools[count.index]["name"] + }, + var.node_pools_metadata["all"], + var.node_pools_metadata[var.node_pools[count.index]["name"]], + { + "disable-legacy-endpoints" = var.disable_legacy_metadata_endpoints + }, + ) + dynamic "taint" { + for_each = concat( + var.node_pools_taints["all"], + var.node_pools_taints[var.node_pools[count.index]["name"]], + ) + content { + effect = taint.value.effect + key = taint.value.key + value = taint.value.value + } + } + tags = concat( + ["gke-${var.name}"], + ["gke-${var.name}-${var.node_pools[count.index]["name"]}"], + var.node_pools_tags["all"], + var.node_pools_tags[var.node_pools[count.index]["name"]], + ) + + disk_size_gb = lookup(var.node_pools[count.index], "disk_size_gb", 100) + disk_type = lookup(var.node_pools[count.index], "disk_type", "pd-standard") + service_account = lookup( + var.node_pools[count.index], + "service_account", + local.service_account, + ) + preemptible = lookup(var.node_pools[count.index], "preemptible", false) + + oauth_scopes = concat( + 
var.node_pools_oauth_scopes["all"], + var.node_pools_oauth_scopes[var.node_pools[count.index]["name"]] + ) + + dynamic "guest_accelerator" { + for_each = lookup(var.node_pools[count.index], "accelerator_count", 0) > 0 ? [{ + type = lookup(var.node_pools[count.index], "accelerator_type", "") + count = lookup(var.node_pools[count.index], "accelerator_count", 0) + }] : [] + content { + type = guest_accelerator.value.type + count = guest_accelerator.value.count + } + } - oauth_scopes = [ - "${concat(var.node_pools_oauth_scopes["all"], - var.node_pools_oauth_scopes[lookup(var.node_pools[count.index], "name")])}", - ] + dynamic "workload_metadata_config" { + for_each = local.cluster_node_metadata_config - guest_accelerator { - type = "${lookup(var.node_pools[count.index], "accelerator_type", "")}" - count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}" + content { + node_metadata = workload_metadata_config.value.node_metadata + } } - - workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}" } lifecycle { - ignore_changes = ["initial_node_count"] + ignore_changes = [initial_node_count] } timeouts { @@ -172,16 +285,19 @@ resource "google_container_node_pool" "pools" { } resource "null_resource" "wait_for_regional_cluster" { - count = "${var.regional ? 1 : 0}" + count = var.regional ? 1 : 0 provisioner "local-exec" { command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" } provisioner "local-exec" { - when = "destroy" + when = destroy command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" } - depends_on = ["google_container_cluster.primary", "google_container_node_pool.pools"] + depends_on = [ + google_container_cluster.primary, + google_container_node_pool.pools, + ] } diff --git a/modules/beta-public-cluster/cluster_zonal.tf b/modules/beta-public-cluster/cluster_zonal.tf index dca12fd9ce..c35f11818e 100644 
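Review bot: In the `google_container_node_pool.pools` resource the `version` expression defaults `auto_upgrade` to `false` while the `management` block a few lines below defaults it to `true`, so a pool that omits `auto_upgrade` is pinned to `local.node_version_regional` yet told to auto-upgrade, and the zonal pool in cluster_zonal.tf uses `false` in both places, so the two files now disagree on the default. The old lines carried the same values, but the 0.12 rewrite is the moment to align them, e.g. `version = lookup(var.node_pools[count.index], "auto_upgrade", true) ? "" : lookup(` so that both reads agree. Separately, `var.node_pools_labels[var.node_pools[count.index]["name"]]` and the matching metadata, taints, tags and oauth_scopes indexes fail at plan time when a pool name has no entry in the map; `lookup(var.node_pools_labels, var.node_pools[count.index]["name"], {})` (and `[]` for the list-valued maps) would make the per-pool entry optional, both here and in the `zonal_pools` hunk of cluster_zonal.tf. The `google_container_cluster.primary` resource that the first part of this hunk belongs to starts outside the hunk.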
--- a/modules/beta-public-cluster/cluster_zonal.tf
+++ b/modules/beta-public-cluster/cluster_zonal.tf
@@ -20,75 +20,107 @@ Create zonal cluster *****************************************/ resource "google_container_cluster" "zonal_primary" { - provider = "google-beta" - count = "${var.regional ? 0 : 1}" - name = "${var.name}" - description = "${var.description}" - project = "${var.project_id}" + provider = google-beta - zone = "${var.zones[0]}" - node_locations = ["${slice(var.zones,1,length(var.zones))}"] - cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" - network_policy = "${local.cluster_network_policy["${var.network_policy ? "enabled" : "disabled"}"]}" + count = var.regional ? 0 : 1 + name = var.name + description = var.description + project = var.project_id - subnetwork = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}" - min_master_version = "${local.kubernetes_version_zonal}" + zone = var.zones[0] + node_locations = slice(var.zones, 1, length(var.zones)) + cluster_ipv4_cidr = var.cluster_ipv4_cidr + network = data.google_compute_network.gke_network.self_link - logging_service = "${var.logging_service}" - monitoring_service = "${var.monitoring_service}" + dynamic "network_policy" { + for_each = local.cluster_network_policy - enable_binary_authorization = "${var.enable_binary_authorization}" - pod_security_policy_config = "${var.pod_security_policy_config}" + content { + enabled = network_policy.value.enabled + provider = network_policy.value.provider + } + } + + subnetwork = data.google_compute_subnetwork.gke_subnetwork.self_link + min_master_version = local.kubernetes_version_zonal - master_authorized_networks_config = ["${var.master_authorized_networks_config}"] + logging_service = var.logging_service + monitoring_service = var.monitoring_service + + enable_binary_authorization = var.enable_binary_authorization + + dynamic "pod_security_policy_config" { + for_each = 
var.pod_security_policy_config + content { + enabled = pod_security_policy_config.value.enabled + } + } + + dynamic "master_authorized_networks_config" { + for_each = var.master_authorized_networks_config + content { + dynamic "cidr_blocks" { + for_each = master_authorized_networks_config.value.cidr_blocks + content { + cidr_block = lookup(cidr_blocks.value, "cidr_block", "") + display_name = lookup(cidr_blocks.value, "display_name", "") + } + } + } + } master_auth { - username = "${var.basic_auth_username}" - password = "${var.basic_auth_password}" + username = var.basic_auth_username + password = var.basic_auth_password client_certificate_config { - issue_client_certificate = "${var.issue_client_certificate}" + issue_client_certificate = var.issue_client_certificate } } addons_config { http_load_balancing { - disabled = "${var.http_load_balancing ? 0 : 1}" + disabled = ! var.http_load_balancing } horizontal_pod_autoscaling { - disabled = "${var.horizontal_pod_autoscaling ? 0 : 1}" + disabled = ! var.horizontal_pod_autoscaling } kubernetes_dashboard { - disabled = "${var.kubernetes_dashboard ? 0 : 1}" + disabled = ! var.kubernetes_dashboard } network_policy_config { - disabled = "${var.network_policy ? 0 : 1}" + disabled = ! var.network_policy } istio_config { - disabled = "${var.istio ? 0 : 1}" + disabled = ! var.istio } - cloudrun_config = "${local.cluster_cloudrun_config["${var.cloudrun ? 
"enabled" : "disabled"}"]}" + dynamic "cloudrun_config" { + for_each = local.cluster_cloudrun_config + + content { + disabled = cloudrun_config.value.disabled + } + } } ip_allocation_policy { - cluster_secondary_range_name = "${var.ip_range_pods}" - services_secondary_range_name = "${var.ip_range_services}" + cluster_secondary_range_name = var.ip_range_pods + services_secondary_range_name = var.ip_range_services } maintenance_policy { daily_maintenance_window { - start_time = "${var.maintenance_start_time}" + start_time = var.maintenance_start_time } } lifecycle { - ignore_changes = ["node_pool"] + ignore_changes = [node_pool] } timeouts { 
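Review bot: In the new `master_authorized_networks_config` block, `cidr_block = lookup(cidr_blocks.value, "cidr_block", "")` turns a missing key into an empty string that is only rejected by the API at apply time; reading it as a required attribute, `cidr_block = cidr_blocks.value.cidr_block`, fails at plan with the offending entry named, and the `lookup` default is appropriate only for `display_name`. The `for_each` also means an empty `var.master_authorized_networks_config` emits no block at all, in which case GKE does not restrict the public control-plane endpoint — presumably the variable's default, so its description in variables.tf (outside this view) should state that consequence explicitly. The same two lines appear in the first hunk of cluster_regional.tf. The `google_container_cluster.zonal_primary` resource continues past the end of this hunk.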
@@ -99,70 +131,146 @@ resource "google_container_cluster" "zonal_primary" { node_pool { name = "default-pool" - initial_node_count = "${var.initial_node_count}" + initial_node_count = var.initial_node_count node_config { - service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}" + service_account = lookup(var.node_pools[0], "service_account", local.service_account) + + dynamic "workload_metadata_config" { + for_each = local.cluster_node_metadata_config - workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}" + content { + node_metadata = workload_metadata_config.value.node_metadata + } + } } } - remove_default_node_pool = "${var.remove_default_node_pool}" - database_encryption = ["${var.database_encryption}"] + + remove_default_node_pool = var.remove_default_node_pool + + dynamic "database_encryption" { + for_each = var.database_encryption + + content { + key_name = database_encryption.value.key_name + state = database_encryption.value.state + } + } } /****************************************** Create zonal node pools *****************************************/ resource "google_container_node_pool" "zonal_pools" { - provider = "google-beta" - count = "${var.regional ? 0 : length(var.node_pools)}" - name = "${lookup(var.node_pools[count.index], "name")}" - project = "${var.project_id}" - zone = "${var.zones[0]}" - cluster = "${google_container_cluster.zonal_primary.name}" - version = "${lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(var.node_pools[count.index], "version", local.node_version_zonal)}" - initial_node_count = "${lookup(var.node_pools[count.index], "initial_node_count", lookup(var.node_pools[count.index], "min_count", 1))}" + provider = google-beta + count = var.regional ? 
0 : length(var.node_pools) + name = var.node_pools[count.index]["name"] + project = var.project_id + zone = var.zones[0] + cluster = google_container_cluster.zonal_primary[0].name + version = lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup( + var.node_pools[count.index], + "version", + local.node_version_zonal, + ) + initial_node_count = lookup( + var.node_pools[count.index], + "initial_node_count", + lookup(var.node_pools[count.index], "min_count", 1), + ) autoscaling { - min_node_count = "${lookup(var.node_pools[count.index], "min_count", 1)}" - max_node_count = "${lookup(var.node_pools[count.index], "max_count", 100)}" + min_node_count = lookup(var.node_pools[count.index], "min_count", 1) + max_node_count = lookup(var.node_pools[count.index], "max_count", 100) } management { - auto_repair = "${lookup(var.node_pools[count.index], "auto_repair", true)}" - auto_upgrade = "${lookup(var.node_pools[count.index], "auto_upgrade", false)}" + auto_repair = lookup(var.node_pools[count.index], "auto_repair", true) + auto_upgrade = lookup(var.node_pools[count.index], "auto_upgrade", false) } node_config { - image_type = "${lookup(var.node_pools[count.index], "image_type", "COS")}" - machine_type = "${lookup(var.node_pools[count.index], "machine_type", "n1-standard-2")}" - labels = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_labels["all"], var.node_pools_labels[lookup(var.node_pools[count.index], "name")])}" - metadata = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_metadata["all"], var.node_pools_metadata[lookup(var.node_pools[count.index], "name")], map("disable-legacy-endpoints", var.disable_legacy_metadata_endpoints))}" - taint = "${concat(var.node_pools_taints["all"], var.node_pools_taints[lookup(var.node_pools[count.index], "name")])}" - tags = ["${concat(list("gke-${var.name}"), 
list("gke-${var.name}-${lookup(var.node_pools[count.index], "name")}"), var.node_pools_tags["all"], var.node_pools_tags[lookup(var.node_pools[count.index], "name")])}"] + image_type = lookup(var.node_pools[count.index], "image_type", "COS") + machine_type = lookup(var.node_pools[count.index], "machine_type", "n1-standard-2") + labels = merge( + { + "cluster_name" = var.name + }, + { + "node_pool" = var.node_pools[count.index]["name"] + }, + var.node_pools_labels["all"], + var.node_pools_labels[var.node_pools[count.index]["name"]], + ) + metadata = merge( + { + "cluster_name" = var.name + }, + { + "node_pool" = var.node_pools[count.index]["name"] + }, + var.node_pools_metadata["all"], + var.node_pools_metadata[var.node_pools[count.index]["name"]], + { + "disable-legacy-endpoints" = var.disable_legacy_metadata_endpoints + }, + ) + dynamic "taint" { + for_each = concat( + var.node_pools_taints["all"], + var.node_pools_taints[var.node_pools[count.index]["name"]], + ) + content { + effect = taint.value.effect + key = taint.value.key + value = taint.value.value + } + } - disk_size_gb = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}" - disk_type = "${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}" - service_account = "${lookup(var.node_pools[count.index], "service_account", local.service_account)}" - preemptible = "${lookup(var.node_pools[count.index], "preemptible", false)}" + tags = concat( + ["gke-${var.name}"], + ["gke-${var.name}-${var.node_pools[count.index]["name"]}"], + var.node_pools_tags["all"], + var.node_pools_tags[var.node_pools[count.index]["name"]], + ) + + disk_size_gb = lookup(var.node_pools[count.index], "disk_size_gb", 100) + disk_type = lookup(var.node_pools[count.index], "disk_type", "pd-standard") + service_account = lookup( + var.node_pools[count.index], + "service_account", + local.service_account, + ) + preemptible = lookup(var.node_pools[count.index], "preemptible", false) + + oauth_scopes = concat( + 
var.node_pools_oauth_scopes["all"], + var.node_pools_oauth_scopes[var.node_pools[count.index]["name"]], + ) + + dynamic "guest_accelerator" { + for_each = lookup(var.node_pools[count.index], "accelerator_count", 0) > 0 ? [{ + type = lookup(var.node_pools[count.index], "accelerator_type", "") + count = lookup(var.node_pools[count.index], "accelerator_count", 0) + }] : [] + content { + type = guest_accelerator.value.type + count = guest_accelerator.value.count + } + } - oauth_scopes = [ - "${concat(var.node_pools_oauth_scopes["all"], - var.node_pools_oauth_scopes[lookup(var.node_pools[count.index], "name")])}", - ] + dynamic "workload_metadata_config" { + for_each = local.cluster_node_metadata_config - guest_accelerator { - type = "${lookup(var.node_pools[count.index], "accelerator_type", "")}" - count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}" + content { + node_metadata = workload_metadata_config.value.node_metadata + } } - - workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}" } lifecycle { - ignore_changes = ["initial_node_count"] + ignore_changes = [initial_node_count] } timeouts { @@ -173,16 +281,19 @@ resource "google_container_node_pool" "zonal_pools" { } resource "null_resource" "wait_for_zonal_cluster" { - count = "${var.regional ? 0 : 1}" + count = var.regional ? 0 : 1 provisioner "local-exec" { command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" } provisioner "local-exec" { - when = "destroy" + when = destroy command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" } - depends_on = ["google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"] + depends_on = [ + google_container_cluster.zonal_primary, + google_container_node_pool.zonal_pools, + ] } diff --git a/modules/beta-public-cluster/dns.tf b/modules/beta-public-cluster/dns.tf index 91b41efac4..7138473ded 100644 
--- a/modules/beta-public-cluster/dns.tf
+++ b/modules/beta-public-cluster/dns.tf
@@ -20,73 +20,94 @@ Delete default kube-dns configmap *****************************************/ resource "null_resource" "delete_default_kube_dns_configmap" { - count = "${local.custom_kube_dns_config || local.upstream_nameservers_config ? 1 : 0}" + count = local.custom_kube_dns_config || local.upstream_nameservers_config ? 1 : 0 provisioner "local-exec" { command = "${path.module}/scripts/kubectl_wrapper.sh https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" } - depends_on = ["data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"] + depends_on = [ + data.google_client_config.default, + google_container_cluster.primary, + google_container_node_pool.pools, + google_container_cluster.zonal_primary, + google_container_node_pool.zonal_pools, + ] } /****************************************** Create kube-dns confimap *****************************************/ resource "kubernetes_config_map" "kube-dns" { - count = "${local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0}" + count = local.custom_kube_dns_config && ! local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - labels { + labels = { maintained_by = "terraform" } } - data { + data = { stubDomains = < 0 + upstream_nameservers_config = length(var.upstream_nameservers) > 0 + network_project_id = var.network_project_id != "" ? var.network_project_id : var.project_id + + cluster_type = var.regional ? "regional" : "zonal" + + cluster_network_policy = var.network_policy ? [{ + enabled = true + provider = var.network_policy_provider + }] : [{ + enabled = false + provider = null + }] + + cluster_cloudrun_config = var.cloudrun ? 
[{ disabled = false }] : [] + + cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ + node_metadata = var.node_metadata + }] cluster_type_output_name = { - regional = "${element(concat(google_container_cluster.primary.*.name, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.name, list("")), 0)}" + regional = element(concat(google_container_cluster.primary.*.name, [""]), 0) + zonal = element( + concat(google_container_cluster.zonal_primary.*.name, [""]), + 0, + ) } cluster_type_output_location = { - regional = "${element(concat(google_container_cluster.primary.*.region, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.zone, list("")), 0)}" + regional = element(concat(google_container_cluster.primary.*.region, [""]), 0) + zonal = element( + concat(google_container_cluster.zonal_primary.*.zone, [""]), + 0, + ) } cluster_type_output_region = { - regional = "${element(concat(google_container_cluster.primary.*.region, list("")), 0)}" - zonal = "${var.region}" + regional = element(concat(google_container_cluster.primary.*.region, [""]), 0) + zonal = var.region } - cluster_type_output_regional_zones = "${flatten(google_container_cluster.primary.*.node_locations)}" - cluster_type_output_zonal_zones = "${slice(var.zones, 1, length(var.zones))}" + cluster_type_output_regional_zones = flatten(google_container_cluster.primary.*.node_locations) + cluster_type_output_zonal_zones = slice(var.zones, 1, length(var.zones)) cluster_type_output_zones = { - regional = "${local.cluster_type_output_regional_zones}" - zonal = "${concat(google_container_cluster.zonal_primary.*.zone, local.cluster_type_output_zonal_zones)}" + regional = local.cluster_type_output_regional_zones + zonal = concat( + google_container_cluster.zonal_primary.*.zone, + local.cluster_type_output_zonal_zones, + ) } cluster_type_output_endpoint = { - regional = "${element(concat(google_container_cluster.primary.*.endpoint, 
list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.endpoint, list("")), 0)}" + regional = element(concat(google_container_cluster.primary.*.endpoint, [""]), 0) + zonal = element( + concat(google_container_cluster.zonal_primary.*.endpoint, [""]), + 0, + ) } cluster_type_output_master_auth = { - regional = "${concat(google_container_cluster.primary.*.master_auth, list())}" - zonal = "${concat(google_container_cluster.zonal_primary.*.master_auth, list())}" + regional = concat(google_container_cluster.primary.*.master_auth, []) + zonal = concat(google_container_cluster.zonal_primary.*.master_auth, []) } cluster_type_output_master_version = { - regional = "${element(concat(google_container_cluster.primary.*.master_version, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.master_version, list("")), 0)}" + regional = element( + concat(google_container_cluster.primary.*.master_version, [""]), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.master_version, + [""], + ), + 0, + ) } cluster_type_output_min_master_version = { - regional = "${element(concat(google_container_cluster.primary.*.min_master_version, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.min_master_version, list("")), 0)}" + regional = element( + concat(google_container_cluster.primary.*.min_master_version, [""]), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.min_master_version, + [""], + ), + 0, + ) } cluster_type_output_logging_service = { - regional = "${element(concat(google_container_cluster.primary.*.logging_service, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.logging_service, list("")), 0)}" + regional = element( + concat(google_container_cluster.primary.*.logging_service, [""]), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.logging_service, + [""], + ), 
+ 0, + ) } cluster_type_output_monitoring_service = { - regional = "${element(concat(google_container_cluster.primary.*.monitoring_service, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.monitoring_service, list("")), 0)}" + regional = element( + concat(google_container_cluster.primary.*.monitoring_service, [""]), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.monitoring_service, + [""], + ), + 0, + ) } cluster_type_output_network_policy_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.network_policy_config.0.disabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.network_policy_config.0.disabled, list("")), 0)}" + regional = element( + concat( + google_container_cluster.primary.*.addons_config.0.network_policy_config.0.disabled, + [""], + ), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.addons_config.0.network_policy_config.0.disabled, + [""], + ), + 0, + ) } cluster_type_output_http_load_balancing_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.http_load_balancing.0.disabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.http_load_balancing.0.disabled, list("")), 0)}" + regional = element( + concat( + google_container_cluster.primary.*.addons_config.0.http_load_balancing.0.disabled, + [""], + ), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.addons_config.0.http_load_balancing.0.disabled, + [""], + ), + 0, + ) } cluster_type_output_horizontal_pod_autoscaling_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, 
list("")), 0)}" + regional = element( + concat( + google_container_cluster.primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, + [""], + ), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, + [""], + ), + 0, + ) } cluster_type_output_kubernetes_dashboard_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.kubernetes_dashboard.0.disabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.kubernetes_dashboard.0.disabled, list("")), 0)}" + regional = element( + concat( + google_container_cluster.primary.*.addons_config.0.kubernetes_dashboard.0.disabled, + [""], + ), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.addons_config.0.kubernetes_dashboard.0.disabled, + [""], + ), + 0, + ) } # BETA features cluster_type_output_istio_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.istio_config.0.disabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.istio_config.0.disabled, list("")), 0)}" + regional = element(concat(google_container_cluster.primary.*.addons_config.0.istio_config.0.disabled, [""]), 0) + zonal = element(concat(google_container_cluster.zonal_primary.*.addons_config.0.istio_config.0.disabled, [""]), 0) } cluster_type_output_pod_security_policy_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" + regional = element(concat(google_container_cluster.primary.*.pod_security_policy_config.0.enabled, [""]), 0) + zonal = element(concat(google_container_cluster.zonal_primary.*.pod_security_policy_config.0.enabled, [""]), 0) } - # /BETA features 
cluster_type_output_node_pools_names = { - regional = "${concat(google_container_node_pool.pools.*.name, list(""))}" - zonal = "${concat(google_container_node_pool.zonal_pools.*.name, list(""))}" + regional = concat(google_container_node_pool.pools.*.name, [""]) + zonal = concat(google_container_node_pool.zonal_pools.*.name, [""]) } + cluster_type_output_node_pools_versions = { - regional = "${concat(google_container_node_pool.pools.*.version, list(""))}" - zonal = "${concat(google_container_node_pool.zonal_pools.*.version, list(""))}" + regional = concat(google_container_node_pool.pools.*.version, [""]) + zonal = concat(google_container_node_pool.zonal_pools.*.version, [""]) } - cluster_master_auth_list_layer1 = "${local.cluster_type_output_master_auth[local.cluster_type]}" - cluster_master_auth_list_layer2 = "${local.cluster_master_auth_list_layer1[0]}" - cluster_master_auth_map = "${local.cluster_master_auth_list_layer2[0]}" + + cluster_master_auth_list_layer1 = local.cluster_type_output_master_auth[local.cluster_type] + cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] + cluster_master_auth_map = local.cluster_master_auth_list_layer2[0] # cluster locals - cluster_name = "${local.cluster_type_output_name[local.cluster_type]}" - cluster_location = "${local.cluster_type_output_location[local.cluster_type]}" - cluster_region = "${local.cluster_type_output_region[local.cluster_type]}" - cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}" - cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}" - cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}" - cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}" - cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}" - cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}" - 
cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}" - cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}" - cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}" - cluster_network_policy_enabled = "${local.cluster_type_output_network_policy_enabled[local.cluster_type] ? false : true}" - cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}" - cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}" - cluster_kubernetes_dashboard_enabled = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}" + cluster_name = local.cluster_type_output_name[local.cluster_type] + cluster_location = local.cluster_type_output_location[local.cluster_type] + cluster_region = local.cluster_type_output_region[local.cluster_type] + cluster_zones = sort(local.cluster_type_output_zones[local.cluster_type]) + cluster_endpoint = local.cluster_type_output_endpoint[local.cluster_type] + cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] + cluster_master_version = local.cluster_type_output_master_version[local.cluster_type] + cluster_min_master_version = local.cluster_type_output_min_master_version[local.cluster_type] + cluster_logging_service = local.cluster_type_output_logging_service[local.cluster_type] + cluster_monitoring_service = local.cluster_type_output_monitoring_service[local.cluster_type] + cluster_node_pools_names = local.cluster_type_output_node_pools_names[local.cluster_type] + cluster_node_pools_versions = local.cluster_type_output_node_pools_versions[local.cluster_type] + cluster_network_policy_enabled = ! local.cluster_type_output_network_policy_enabled[local.cluster_type] + cluster_http_load_balancing_enabled = ! 
local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] + cluster_horizontal_pod_autoscaling_enabled = ! local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] + cluster_kubernetes_dashboard_enabled = ! local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] # BETA features - cluster_istio_enabled = "${local.cluster_type_output_istio_enabled[local.cluster_type] ? false : true}" - cluster_cloudrun_enabled = "${var.cloudrun}" - cluster_pod_security_policy_enabled = "${local.cluster_type_output_pod_security_policy_enabled[local.cluster_type] ? true : false}" - + cluster_istio_enabled = ! local.cluster_type_output_istio_enabled[local.cluster_type] + cluster_cloudrun_enabled = var.cloudrun + cluster_pod_security_policy_enabled = local.cluster_type_output_pod_security_policy_enabled[local.cluster_type] # /BETA features } @@ -194,9 +278,9 @@ locals { Get available container engine versions *****************************************/ data "google_container_engine_versions" "region" { - provider = "google-beta" - region = "${var.region}" - project = "${var.project_id}" + provider = google-beta + region = var.region + project = var.project_id } data "google_container_engine_versions" "zone" { @@ -204,7 +288,7 @@ data "google_container_engine_versions" "zone" { // // data.google_container_engine_versions.zone: Cannot determine zone: set in this resource, or set provider-level zone. // - zone = "${var.zones[0] == "" ? data.google_compute_zones.available.names[0] : var.zones[0]}" + zone = var.zones[0] == "" ? data.google_compute_zones.available.names[0] : var.zones[0] - project = "${var.project_id}" + project = var.project_id } diff --git a/modules/beta-public-cluster/masq.tf b/modules/beta-public-cluster/masq.tf index 3006578627..1e9dc7791d 100644 --- a/modules/beta-public-cluster/masq.tf +++ b/modules/beta-public-cluster/masq.tf 
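Review bot: In the `google_container_engine_versions.zone` hunk, `var.zones[0] == "" ? ... : var.zones[0]` indexes the list before the guard is evaluated, so an empty `var.zones` fails with an index error in 0.12 instead of falling back to `data.google_compute_zones.available.names[0]`. If the intent is to tolerate an empty list, guard on length instead: `zone = length(var.zones) > 0 && var.zones[0] != "" ? var.zones[0] : data.google_compute_zones.available.names[0]`. If the variable's declaration (outside this view) guarantees a non-empty list, then the `== ""` comparison is the only case that can fire and a one-line comment saying which caller passes an empty first zone would make the fallback understandable.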
@@ -20,18 +20,18 @@ Create ip-masq-agent confimap *****************************************/ resource "kubernetes_config_map" "ip-masq-agent" { - count = "${var.configure_ip_masq ? 1 : 0}" + count = var.configure_ip_masq ? 1 : 0 metadata { name = "ip-masq-agent" namespace = "kube-system" - labels { + labels = { maintained_by = "terraform" } } - data { + data = { config = <
### example format ### master_authorized_networks_config = [{ cidr_blocks = [{ cidr_block = "10.0.0.0/8" display_name = "example_network" }], }] | list | `` | no | -| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | string | `"10.0.0.0/28"` | no | -| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com"` | no | -| name | The name of the cluster (required) | string | n/a | yes | -| network | The VPC network to host the cluster in (required) | string | n/a | yes | -| network\_policy | Enable network policy addon | string | `"false"` | no | -| network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no | -| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | -| node\_pools | List of maps containing node pools | list | `` | no | -| node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `` | no | -| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map | `` | no | -| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map | `` | no | -| node\_pools\_tags | Map of lists containing node network tags by node-pool name | map | `` | no | -| node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `` | no | -| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. 
| string | `""` | no | -| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list | `` | no | -| project\_id | The project ID to host the cluster in (required) | string | n/a | yes | -| region | The region to host the cluster in (required) | string | n/a | yes | -| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no | -| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | string | `"false"` | no | -| service\_account | The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created. | string | `"create"` | no | -| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `` | no | -| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | -| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list | `` | no | -| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| ca\_certificate | Cluster ca certificate (base64 encoded) | -| endpoint | Cluster endpoint | -| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | -| http\_load\_balancing\_enabled | Whether http load balancing enabled | -| kubernetes\_dashboard\_enabled | Whether kubernetes dashboard enabled | -| location | Cluster location (region if regional cluster, zone if zonal cluster) | -| logging\_service | Logging service used | -| master\_authorized\_networks\_config | Networks from which access to master is permitted | -| master\_version | Current master kubernetes version | -| 
min\_master\_version | Minimum master kubernetes version | -| monitoring\_service | Monitoring service used | -| name | Cluster name | -| network\_policy\_enabled | Whether network policy enabled | -| node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | -| region | Cluster region | -| service\_account | The service account to default running nodes as if not overridden in `node_pools`. | -| type | Cluster type (regional / zonal) | -| zones | List of zones in which the cluster resides | - [^]: (autogen_docs_end) ## Requirements @@ -212,7 +136,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog #### Kubectl - [kubectl](https://github.com/kubernetes/kubernetes/releases) 1.9.x #### Terraform and Plugins -- [Terraform](https://www.terraform.io/downloads.html) 0.11.x +- [Terraform](https://www.terraform.io/downloads.html) 0.12 - [Terraform Provider for GCP Beta][terraform-provider-google-beta] v2.9 ### Configure a Service Account diff --git a/modules/private-cluster/auth.tf b/modules/private-cluster/auth.tf index 0bbafaf4a2..c177eee5a7 100644 --- a/modules/private-cluster/auth.tf +++ b/modules/private-cluster/auth.tf @@ -20,7 +20,7 @@ Retrieve authentication token *****************************************/ data "google_client_config" "default" { - provider = "google-beta" + provider = google-beta } /****************************************** @@ -29,6 +29,6 @@ data "google_client_config" "default" { provider "kubernetes" { load_config_file = false host = "https://${local.cluster_endpoint}" - token = "${data.google_client_config.default.access_token}" - cluster_ca_certificate = "${base64decode(local.cluster_ca_certificate)}" + token = data.google_client_config.default.access_token + cluster_ca_certificate = base64decode(local.cluster_ca_certificate) } diff --git a/modules/private-cluster/cluster_regional.tf b/modules/private-cluster/cluster_regional.tf index 141c9b9445..f42ab76dab 100644 
--- a/modules/private-cluster/cluster_regional.tf
+++ b/modules/private-cluster/cluster_regional.tf
@@ -20,66 +20,91 @@ Create regional cluster *****************************************/ resource "google_container_cluster" "primary" { - provider = "google-beta" - count = "${var.regional ? 1 : 0}" - name = "${var.name}" - description = "${var.description}" - project = "${var.project_id}" + provider = google-beta - region = "${var.region}" - node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] - cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" - network_policy = "${local.cluster_network_policy["${var.network_policy ? "enabled" : "disabled"}"]}" + count = var.regional ? 1 : 0 + name = var.name + description = var.description + project = var.project_id - subnetwork = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}" - min_master_version = "${local.kubernetes_version_regional}" + region = var.region - logging_service = "${var.logging_service}" - monitoring_service = "${var.monitoring_service}" + node_locations = coalescelist( + compact(var.zones), + sort(random_shuffle.available_zones.result), + ) - master_authorized_networks_config = ["${var.master_authorized_networks_config}"] + cluster_ipv4_cidr = var.cluster_ipv4_cidr + network = data.google_compute_network.gke_network.self_link + + dynamic "network_policy" { + for_each = local.cluster_network_policy + + content { + enabled = network_policy.value.enabled + provider = network_policy.value.provider + } + } + + subnetwork = data.google_compute_subnetwork.gke_subnetwork.self_link + min_master_version = local.kubernetes_version_regional + + logging_service = var.logging_service + monitoring_service = var.monitoring_service + + dynamic "master_authorized_networks_config" { + for_each = var.master_authorized_networks_config + content { + dynamic "cidr_blocks" { + for_each = 
master_authorized_networks_config.value.cidr_blocks + content { + cidr_block = lookup(cidr_blocks.value, "cidr_block", "") + display_name = lookup(cidr_blocks.value, "display_name", "") + } + } + } + } master_auth { - username = "${var.basic_auth_username}" - password = "${var.basic_auth_password}" + username = var.basic_auth_username + password = var.basic_auth_password client_certificate_config { - issue_client_certificate = "${var.issue_client_certificate}" + issue_client_certificate = var.issue_client_certificate } } addons_config { http_load_balancing { - disabled = "${var.http_load_balancing ? 0 : 1}" + disabled = ! var.http_load_balancing } horizontal_pod_autoscaling { - disabled = "${var.horizontal_pod_autoscaling ? 0 : 1}" + disabled = ! var.horizontal_pod_autoscaling } kubernetes_dashboard { - disabled = "${var.kubernetes_dashboard ? 0 : 1}" + disabled = ! var.kubernetes_dashboard } network_policy_config { - disabled = "${var.network_policy ? 0 : 1}" + disabled = ! var.network_policy } } ip_allocation_policy { - cluster_secondary_range_name = "${var.ip_range_pods}" - services_secondary_range_name = "${var.ip_range_services}" + cluster_secondary_range_name = var.ip_range_pods + services_secondary_range_name = var.ip_range_services } maintenance_policy { daily_maintenance_window { - start_time = "${var.maintenance_start_time}" + start_time = var.maintenance_start_time } } lifecycle { - ignore_changes = ["node_pool"] + ignore_changes = [node_pool] } timeouts { 
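Review bot: In the new `dynamic "master_authorized_networks_config"` block, `cidr_block = lookup(cidr_blocks.value, "cidr_block", "")` turns an entry that omits the `cidr_block` key into an empty CIDR instead of a configuration error; this list is the allow-list for the control-plane endpoint, so a mistyped key should fail at plan time rather than be sent to the API (which presumably rejects it, but only at apply). Read the attribute directly, `cidr_block = cidr_blocks.value.cidr_block`, and keep the `lookup` default only for `display_name`, which is cosmetic. The same pattern is in the `zonal_primary` hunk of modules/private-cluster/cluster_zonal.tf. The `resource "google_container_cluster" "primary"` block starts in this hunk and continues into the next one.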
@@ -90,71 +115,125 @@ resource "google_container_cluster" "primary" { node_pool { name = "default-pool" - initial_node_count = "${var.initial_node_count}" + initial_node_count = var.initial_node_count node_config { - service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}" + service_account = lookup(var.node_pools[0], "service_account", local.service_account) } } private_cluster_config { - enable_private_endpoint = "${var.enable_private_endpoint}" - enable_private_nodes = "${var.enable_private_nodes}" - master_ipv4_cidr_block = "${var.master_ipv4_cidr_block}" + enable_private_endpoint = var.enable_private_endpoint + enable_private_nodes = var.enable_private_nodes + master_ipv4_cidr_block = var.master_ipv4_cidr_block } - remove_default_node_pool = "${var.remove_default_node_pool}" + remove_default_node_pool = var.remove_default_node_pool } /****************************************** Create regional node pools *****************************************/ resource "google_container_node_pool" "pools" { - provider = "google-beta" - count = "${var.regional ? length(var.node_pools) : 0}" - name = "${lookup(var.node_pools[count.index], "name")}" - project = "${var.project_id}" - region = "${var.region}" - cluster = "${google_container_cluster.primary.name}" - version = "${lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(var.node_pools[count.index], "version", local.node_version_regional)}" - initial_node_count = "${lookup(var.node_pools[count.index], "initial_node_count", lookup(var.node_pools[count.index], "min_count", 1))}" + provider = google-beta + count = var.regional ? length(var.node_pools) : 0 + name = var.node_pools[count.index]["name"] + project = var.project_id + region = var.region + cluster = google_container_cluster.primary[0].name + version = lookup(var.node_pools[count.index], "auto_upgrade", false) ? 
"" : lookup( + var.node_pools[count.index], + "version", + local.node_version_regional, + ) + initial_node_count = lookup( + var.node_pools[count.index], + "initial_node_count", + lookup(var.node_pools[count.index], "min_count", 1), + ) autoscaling { - min_node_count = "${lookup(var.node_pools[count.index], "min_count", 1)}" - max_node_count = "${lookup(var.node_pools[count.index], "max_count", 100)}" + min_node_count = lookup(var.node_pools[count.index], "min_count", 1) + max_node_count = lookup(var.node_pools[count.index], "max_count", 100) } management { - auto_repair = "${lookup(var.node_pools[count.index], "auto_repair", true)}" - auto_upgrade = "${lookup(var.node_pools[count.index], "auto_upgrade", true)}" + auto_repair = lookup(var.node_pools[count.index], "auto_repair", true) + auto_upgrade = lookup(var.node_pools[count.index], "auto_upgrade", true) } node_config { - image_type = "${lookup(var.node_pools[count.index], "image_type", "COS")}" - machine_type = "${lookup(var.node_pools[count.index], "machine_type", "n1-standard-2")}" - labels = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_labels["all"], var.node_pools_labels[lookup(var.node_pools[count.index], "name")])}" - metadata = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_metadata["all"], var.node_pools_metadata[lookup(var.node_pools[count.index], "name")], map("disable-legacy-endpoints", var.disable_legacy_metadata_endpoints))}" - taint = "${concat(var.node_pools_taints["all"], var.node_pools_taints[lookup(var.node_pools[count.index], "name")])}" - tags = ["${concat(list("gke-${var.name}"), list("gke-${var.name}-${lookup(var.node_pools[count.index], "name")}"), var.node_pools_tags["all"], var.node_pools_tags[lookup(var.node_pools[count.index], "name")])}"] - - disk_size_gb = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}" - disk_type = 
"${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}" - service_account = "${lookup(var.node_pools[count.index], "service_account", local.service_account)}" - preemptible = "${lookup(var.node_pools[count.index], "preemptible", false)}" - - oauth_scopes = [ - "${concat(var.node_pools_oauth_scopes["all"], - var.node_pools_oauth_scopes[lookup(var.node_pools[count.index], "name")])}", - ] - - guest_accelerator { - type = "${lookup(var.node_pools[count.index], "accelerator_type", "")}" - count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}" + image_type = lookup(var.node_pools[count.index], "image_type", "COS") + machine_type = lookup(var.node_pools[count.index], "machine_type", "n1-standard-2") + labels = merge( + { + "cluster_name" = var.name + }, + { + "node_pool" = var.node_pools[count.index]["name"] + }, + var.node_pools_labels["all"], + var.node_pools_labels[var.node_pools[count.index]["name"]], + ) + metadata = merge( + { + "cluster_name" = var.name + }, + { + "node_pool" = var.node_pools[count.index]["name"] + }, + var.node_pools_metadata["all"], + var.node_pools_metadata[var.node_pools[count.index]["name"]], + { + "disable-legacy-endpoints" = var.disable_legacy_metadata_endpoints + }, + ) + dynamic "taint" { + for_each = concat( + var.node_pools_taints["all"], + var.node_pools_taints[var.node_pools[count.index]["name"]], + ) + content { + effect = taint.value.effect + key = taint.value.key + value = taint.value.value + } + } + tags = concat( + ["gke-${var.name}"], + ["gke-${var.name}-${var.node_pools[count.index]["name"]}"], + var.node_pools_tags["all"], + var.node_pools_tags[var.node_pools[count.index]["name"]], + ) + + disk_size_gb = lookup(var.node_pools[count.index], "disk_size_gb", 100) + disk_type = lookup(var.node_pools[count.index], "disk_type", "pd-standard") + service_account = lookup( + var.node_pools[count.index], + "service_account", + local.service_account, + ) + preemptible = lookup(var.node_pools[count.index], 
"preemptible", false) + + oauth_scopes = concat( + var.node_pools_oauth_scopes["all"], + var.node_pools_oauth_scopes[var.node_pools[count.index]["name"]] + ) + + dynamic "guest_accelerator" { + for_each = lookup(var.node_pools[count.index], "accelerator_count", 0) > 0 ? [{ + type = lookup(var.node_pools[count.index], "accelerator_type", "") + count = lookup(var.node_pools[count.index], "accelerator_count", 0) + }] : [] + content { + type = guest_accelerator.value.type + count = guest_accelerator.value.count + } } } lifecycle { - ignore_changes = ["initial_node_count"] + ignore_changes = [initial_node_count] } timeouts { @@ -165,16 +244,19 @@ resource "google_container_node_pool" "pools" { } resource "null_resource" "wait_for_regional_cluster" { - count = "${var.regional ? 1 : 0}" + count = var.regional ? 1 : 0 provisioner "local-exec" { command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" } provisioner "local-exec" { - when = "destroy" + when = destroy command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" } - depends_on = ["google_container_cluster.primary", "google_container_node_pool.pools"] + depends_on = [ + google_container_cluster.primary, + google_container_node_pool.pools, + ] } diff --git a/modules/private-cluster/cluster_zonal.tf b/modules/private-cluster/cluster_zonal.tf index 1ee89f7e93..9b44c6d478 100644 --- a/modules/private-cluster/cluster_zonal.tf +++ b/modules/private-cluster/cluster_zonal.tf 
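Review bot: The node pool's `version` line defaults the `auto_upgrade` key to `false` (`lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(...)`) while the `management` block a few lines below defaults the same key to `true`, so a pool that does not set `auto_upgrade` is created with auto-upgrade enabled and a pinned `version` at the same time. Pick one default and use it in both places; the `zonal_pools` hunk in modules/private-cluster/cluster_zonal.tf uses `false` in both, so the smallest consistent change is `auto_upgrade = lookup(var.node_pools[count.index], "auto_upgrade", false)` in `management`, or `true` in both if auto-upgrade is meant to be the default for regional pools. The `resource "google_container_node_pool" "pools"` block starts in this hunk and its `timeouts` block continues past it.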
@@ -20,66 +20,86 @@ Create zonal cluster *****************************************/ resource "google_container_cluster" "zonal_primary" { - provider = "google-beta" - count = "${var.regional ? 0 : 1}" - name = "${var.name}" - description = "${var.description}" - project = "${var.project_id}" + provider = google-beta - zone = "${var.zones[0]}" - node_locations = ["${slice(var.zones,1,length(var.zones))}"] - cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" - network_policy = "${local.cluster_network_policy["${var.network_policy ? "enabled" : "disabled"}"]}" + count = var.regional ? 0 : 1 + name = var.name + description = var.description + project = var.project_id - subnetwork = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}" - min_master_version = "${local.kubernetes_version_zonal}" + zone = var.zones[0] + node_locations = slice(var.zones, 1, length(var.zones)) + cluster_ipv4_cidr = var.cluster_ipv4_cidr + network = data.google_compute_network.gke_network.self_link - logging_service = "${var.logging_service}" - monitoring_service = "${var.monitoring_service}" + dynamic "network_policy" { + for_each = local.cluster_network_policy - master_authorized_networks_config = ["${var.master_authorized_networks_config}"] + content { + enabled = network_policy.value.enabled + provider = network_policy.value.provider + } + } + + subnetwork = data.google_compute_subnetwork.gke_subnetwork.self_link + min_master_version = local.kubernetes_version_zonal + + logging_service = var.logging_service + monitoring_service = var.monitoring_service + + dynamic "master_authorized_networks_config" { + for_each = var.master_authorized_networks_config + content { + dynamic "cidr_blocks" { + for_each = master_authorized_networks_config.value.cidr_blocks + content { + cidr_block = lookup(cidr_blocks.value, 
"cidr_block", "") + display_name = lookup(cidr_blocks.value, "display_name", "") + } + } + } + } master_auth { - username = "${var.basic_auth_username}" - password = "${var.basic_auth_password}" + username = var.basic_auth_username + password = var.basic_auth_password client_certificate_config { - issue_client_certificate = "${var.issue_client_certificate}" + issue_client_certificate = var.issue_client_certificate } } addons_config { http_load_balancing { - disabled = "${var.http_load_balancing ? 0 : 1}" + disabled = ! var.http_load_balancing } horizontal_pod_autoscaling { - disabled = "${var.horizontal_pod_autoscaling ? 0 : 1}" + disabled = ! var.horizontal_pod_autoscaling } kubernetes_dashboard { - disabled = "${var.kubernetes_dashboard ? 0 : 1}" + disabled = ! var.kubernetes_dashboard } network_policy_config { - disabled = "${var.network_policy ? 0 : 1}" + disabled = ! var.network_policy } } ip_allocation_policy { - cluster_secondary_range_name = "${var.ip_range_pods}" - services_secondary_range_name = "${var.ip_range_services}" + cluster_secondary_range_name = var.ip_range_pods + services_secondary_range_name = var.ip_range_services } maintenance_policy { daily_maintenance_window { - start_time = "${var.maintenance_start_time}" + start_time = var.maintenance_start_time } } lifecycle { - ignore_changes = ["node_pool"] + ignore_changes = [node_pool] } timeouts { 
@@ -90,71 +110,126 @@ resource "google_container_cluster" "zonal_primary" { node_pool { name = "default-pool" - initial_node_count = "${var.initial_node_count}" + initial_node_count = var.initial_node_count node_config { - service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}" + service_account = lookup(var.node_pools[0], "service_account", local.service_account) } } private_cluster_config { - enable_private_endpoint = "${var.enable_private_endpoint}" - enable_private_nodes = "${var.enable_private_nodes}" - master_ipv4_cidr_block = "${var.master_ipv4_cidr_block}" + enable_private_endpoint = var.enable_private_endpoint + enable_private_nodes = var.enable_private_nodes + master_ipv4_cidr_block = var.master_ipv4_cidr_block } - remove_default_node_pool = "${var.remove_default_node_pool}" + remove_default_node_pool = var.remove_default_node_pool } /****************************************** Create zonal node pools *****************************************/ resource "google_container_node_pool" "zonal_pools" { - provider = "google-beta" - count = "${var.regional ? 0 : length(var.node_pools)}" - name = "${lookup(var.node_pools[count.index], "name")}" - project = "${var.project_id}" - zone = "${var.zones[0]}" - cluster = "${google_container_cluster.zonal_primary.name}" - version = "${lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(var.node_pools[count.index], "version", local.node_version_zonal)}" - initial_node_count = "${lookup(var.node_pools[count.index], "initial_node_count", lookup(var.node_pools[count.index], "min_count", 1))}" + provider = google-beta + count = var.regional ? 0 : length(var.node_pools) + name = var.node_pools[count.index]["name"] + project = var.project_id + zone = var.zones[0] + cluster = google_container_cluster.zonal_primary[0].name + version = lookup(var.node_pools[count.index], "auto_upgrade", false) ? 
"" : lookup( + var.node_pools[count.index], + "version", + local.node_version_zonal, + ) + initial_node_count = lookup( + var.node_pools[count.index], + "initial_node_count", + lookup(var.node_pools[count.index], "min_count", 1), + ) autoscaling { - min_node_count = "${lookup(var.node_pools[count.index], "min_count", 1)}" - max_node_count = "${lookup(var.node_pools[count.index], "max_count", 100)}" + min_node_count = lookup(var.node_pools[count.index], "min_count", 1) + max_node_count = lookup(var.node_pools[count.index], "max_count", 100) } management { - auto_repair = "${lookup(var.node_pools[count.index], "auto_repair", true)}" - auto_upgrade = "${lookup(var.node_pools[count.index], "auto_upgrade", false)}" + auto_repair = lookup(var.node_pools[count.index], "auto_repair", true) + auto_upgrade = lookup(var.node_pools[count.index], "auto_upgrade", false) } node_config { - image_type = "${lookup(var.node_pools[count.index], "image_type", "COS")}" - machine_type = "${lookup(var.node_pools[count.index], "machine_type", "n1-standard-2")}" - labels = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_labels["all"], var.node_pools_labels[lookup(var.node_pools[count.index], "name")])}" - metadata = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_metadata["all"], var.node_pools_metadata[lookup(var.node_pools[count.index], "name")], map("disable-legacy-endpoints", var.disable_legacy_metadata_endpoints))}" - taint = "${concat(var.node_pools_taints["all"], var.node_pools_taints[lookup(var.node_pools[count.index], "name")])}" - tags = ["${concat(list("gke-${var.name}"), list("gke-${var.name}-${lookup(var.node_pools[count.index], "name")}"), var.node_pools_tags["all"], var.node_pools_tags[lookup(var.node_pools[count.index], "name")])}"] - - disk_size_gb = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}" - disk_type = 
"${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}" - service_account = "${lookup(var.node_pools[count.index], "service_account", local.service_account)}" - preemptible = "${lookup(var.node_pools[count.index], "preemptible", false)}" - - oauth_scopes = [ - "${concat(var.node_pools_oauth_scopes["all"], - var.node_pools_oauth_scopes[lookup(var.node_pools[count.index], "name")])}", - ] - - guest_accelerator { - type = "${lookup(var.node_pools[count.index], "accelerator_type", "")}" - count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}" + image_type = lookup(var.node_pools[count.index], "image_type", "COS") + machine_type = lookup(var.node_pools[count.index], "machine_type", "n1-standard-2") + labels = merge( + { + "cluster_name" = var.name + }, + { + "node_pool" = var.node_pools[count.index]["name"] + }, + var.node_pools_labels["all"], + var.node_pools_labels[var.node_pools[count.index]["name"]], + ) + metadata = merge( + { + "cluster_name" = var.name + }, + { + "node_pool" = var.node_pools[count.index]["name"] + }, + var.node_pools_metadata["all"], + var.node_pools_metadata[var.node_pools[count.index]["name"]], + { + "disable-legacy-endpoints" = var.disable_legacy_metadata_endpoints + }, + ) + dynamic "taint" { + for_each = concat( + var.node_pools_taints["all"], + var.node_pools_taints[var.node_pools[count.index]["name"]], + ) + content { + effect = taint.value.effect + key = taint.value.key + value = taint.value.value + } + } + + tags = concat( + ["gke-${var.name}"], + ["gke-${var.name}-${var.node_pools[count.index]["name"]}"], + var.node_pools_tags["all"], + var.node_pools_tags[var.node_pools[count.index]["name"]], + ) + + disk_size_gb = lookup(var.node_pools[count.index], "disk_size_gb", 100) + disk_type = lookup(var.node_pools[count.index], "disk_type", "pd-standard") + service_account = lookup( + var.node_pools[count.index], + "service_account", + local.service_account, + ) + preemptible = lookup(var.node_pools[count.index], 
"preemptible", false) + + oauth_scopes = concat( + var.node_pools_oauth_scopes["all"], + var.node_pools_oauth_scopes[var.node_pools[count.index]["name"]], + ) + + dynamic "guest_accelerator" { + for_each = lookup(var.node_pools[count.index], "accelerator_count", 0) > 0 ? [{ + type = lookup(var.node_pools[count.index], "accelerator_type", "") + count = lookup(var.node_pools[count.index], "accelerator_count", 0) + }] : [] + content { + type = guest_accelerator.value.type + count = guest_accelerator.value.count + } } } lifecycle { - ignore_changes = ["initial_node_count"] + ignore_changes = [initial_node_count] } timeouts { @@ -165,16 +240,19 @@ resource "google_container_node_pool" "zonal_pools" { } resource "null_resource" "wait_for_zonal_cluster" { - count = "${var.regional ? 0 : 1}" + count = var.regional ? 0 : 1 provisioner "local-exec" { command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" } provisioner "local-exec" { - when = "destroy" + when = destroy command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" } - depends_on = ["google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"] + depends_on = [ + google_container_cluster.zonal_primary, + google_container_node_pool.zonal_pools, + ] } diff --git a/modules/private-cluster/dns.tf b/modules/private-cluster/dns.tf index 91b41efac4..7138473ded 100644 --- a/modules/private-cluster/dns.tf +++ b/modules/private-cluster/dns.tf 
@@ -20,73 +20,94 @@ Delete default kube-dns configmap *****************************************/ resource "null_resource" "delete_default_kube_dns_configmap" { - count = "${local.custom_kube_dns_config || local.upstream_nameservers_config ? 1 : 0}" + count = local.custom_kube_dns_config || local.upstream_nameservers_config ? 1 : 0 provisioner "local-exec" { command = "${path.module}/scripts/kubectl_wrapper.sh https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" } - depends_on = ["data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"] + depends_on = [ + data.google_client_config.default, + google_container_cluster.primary, + google_container_node_pool.pools, + google_container_cluster.zonal_primary, + google_container_node_pool.zonal_pools, + ] } /****************************************** Create kube-dns confimap *****************************************/ resource "kubernetes_config_map" "kube-dns" { - count = "${local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0}" + count = local.custom_kube_dns_config && ! local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - labels { + labels = { maintained_by = "terraform" } } - data { + data = { stubDomains = < 0 + upstream_nameservers_config = length(var.upstream_nameservers) > 0 + network_project_id = var.network_project_id != "" ? var.network_project_id : var.project_id + + cluster_type = var.regional ? "regional" : "zonal" + + cluster_network_policy = var.network_policy ? 
[{ + enabled = true + provider = var.network_policy_provider + }] : [{ + enabled = false + provider = null + }] cluster_type_output_name = { - regional = "${element(concat(google_container_cluster.primary.*.name, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.name, list("")), 0)}" + regional = element(concat(google_container_cluster.primary.*.name, [""]), 0) + zonal = element( + concat(google_container_cluster.zonal_primary.*.name, [""]), + 0, + ) } cluster_type_output_location = { - regional = "${element(concat(google_container_cluster.primary.*.region, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.zone, list("")), 0)}" + regional = element(concat(google_container_cluster.primary.*.region, [""]), 0) + zonal = element( + concat(google_container_cluster.zonal_primary.*.zone, [""]), + 0, + ) } cluster_type_output_region = { - regional = "${element(concat(google_container_cluster.primary.*.region, list("")), 0)}" - zonal = "${var.region}" + regional = element(concat(google_container_cluster.primary.*.region, [""]), 0) + zonal = var.region } - cluster_type_output_regional_zones = "${flatten(google_container_cluster.primary.*.node_locations)}" - cluster_type_output_zonal_zones = "${slice(var.zones, 1, length(var.zones))}" + cluster_type_output_regional_zones = flatten(google_container_cluster.primary.*.node_locations) + cluster_type_output_zonal_zones = slice(var.zones, 1, length(var.zones)) cluster_type_output_zones = { - regional = "${local.cluster_type_output_regional_zones}" - zonal = "${concat(google_container_cluster.zonal_primary.*.zone, local.cluster_type_output_zonal_zones)}" + regional = local.cluster_type_output_regional_zones + zonal = concat( + google_container_cluster.zonal_primary.*.zone, + local.cluster_type_output_zonal_zones, + ) } cluster_type_output_endpoint = { - regional = "${ - var.deploy_using_private_endpoint ? 
- element(concat(google_container_cluster.primary.*.private_cluster_config.0.private_endpoint, list("")), 0) : - element(concat(google_container_cluster.primary.*.endpoint, list("")), 0) - }" + regional = var.deploy_using_private_endpoint ? element(concat(google_container_cluster.primary.*.private_cluster_config.0.private_endpoint, [""]), 0) : element(concat(google_container_cluster.primary.*.endpoint, [""]), 0) - zonal = "${ - var.deploy_using_private_endpoint ? - element(concat(google_container_cluster.zonal_primary.*.private_cluster_config.0.private_endpoint, list("")), 0) : - element(concat(google_container_cluster.zonal_primary.*.endpoint, list("")), 0) - }" + zonal = var.deploy_using_private_endpoint ? element(concat(google_container_cluster.zonal_primary.*.private_cluster_config.0.private_endpoint, [""]), 0) : element(concat(google_container_cluster.zonal_primary.*.endpoint, [""]), 0) } cluster_type_output_master_auth = { - regional = "${concat(google_container_cluster.primary.*.master_auth, list())}" - zonal = "${concat(google_container_cluster.zonal_primary.*.master_auth, list())}" + regional = concat(google_container_cluster.primary.*.master_auth, []) + zonal = concat(google_container_cluster.zonal_primary.*.master_auth, []) } cluster_type_output_master_version = { - regional = "${element(concat(google_container_cluster.primary.*.master_version, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.master_version, list("")), 0)}" + regional = element( + concat(google_container_cluster.primary.*.master_version, [""]), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.master_version, + [""], + ), + 0, + ) } cluster_type_output_min_master_version = { - regional = "${element(concat(google_container_cluster.primary.*.min_master_version, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.min_master_version, list("")), 0)}" + regional = element( + 
concat(google_container_cluster.primary.*.min_master_version, [""]), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.min_master_version, + [""], + ), + 0, + ) } cluster_type_output_logging_service = { - regional = "${element(concat(google_container_cluster.primary.*.logging_service, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.logging_service, list("")), 0)}" + regional = element( + concat(google_container_cluster.primary.*.logging_service, [""]), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.logging_service, + [""], + ), + 0, + ) } cluster_type_output_monitoring_service = { - regional = "${element(concat(google_container_cluster.primary.*.monitoring_service, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.monitoring_service, list("")), 0)}" + regional = element( + concat(google_container_cluster.primary.*.monitoring_service, [""]), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.monitoring_service, + [""], + ), + 0, + ) } cluster_type_output_network_policy_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.network_policy_config.0.disabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.network_policy_config.0.disabled, list("")), 0)}" + regional = element( + concat( + google_container_cluster.primary.*.addons_config.0.network_policy_config.0.disabled, + [""], + ), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.addons_config.0.network_policy_config.0.disabled, + [""], + ), + 0, + ) } cluster_type_output_http_load_balancing_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.http_load_balancing.0.disabled, list("")), 0)}" - zonal = 
"${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.http_load_balancing.0.disabled, list("")), 0)}" + regional = element( + concat( + google_container_cluster.primary.*.addons_config.0.http_load_balancing.0.disabled, + [""], + ), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.addons_config.0.http_load_balancing.0.disabled, + [""], + ), + 0, + ) } cluster_type_output_horizontal_pod_autoscaling_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, list("")), 0)}" + regional = element( + concat( + google_container_cluster.primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, + [""], + ), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, + [""], + ), + 0, + ) } cluster_type_output_kubernetes_dashboard_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.kubernetes_dashboard.0.disabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.kubernetes_dashboard.0.disabled, list("")), 0)}" + regional = element( + concat( + google_container_cluster.primary.*.addons_config.0.kubernetes_dashboard.0.disabled, + [""], + ), + 0, + ) + zonal = element( + concat( + google_container_cluster.zonal_primary.*.addons_config.0.kubernetes_dashboard.0.disabled, + [""], + ), + 0, + ) } + cluster_type_output_node_pools_names = { - regional = "${concat(google_container_node_pool.pools.*.name, list(""))}" - zonal = "${concat(google_container_node_pool.zonal_pools.*.name, list(""))}" + regional = concat(google_container_node_pool.pools.*.name, [""]) + zonal = concat(google_container_node_pool.zonal_pools.*.name, [""]) } 
cluster_type_output_node_pools_versions = { - regional = "${concat(google_container_node_pool.pools.*.version, list(""))}" - zonal = "${concat(google_container_node_pool.zonal_pools.*.version, list(""))}" + regional = concat(google_container_node_pool.pools.*.version, [""]) + zonal = concat(google_container_node_pool.zonal_pools.*.version, [""]) } - cluster_master_auth_list_layer1 = "${local.cluster_type_output_master_auth[local.cluster_type]}" - cluster_master_auth_list_layer2 = "${local.cluster_master_auth_list_layer1[0]}" - cluster_master_auth_map = "${local.cluster_master_auth_list_layer2[0]}" - + cluster_master_auth_list_layer1 = local.cluster_type_output_master_auth[local.cluster_type] + cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] + cluster_master_auth_map = local.cluster_master_auth_list_layer2[0] # cluster locals - cluster_name = "${local.cluster_type_output_name[local.cluster_type]}" - cluster_location = "${local.cluster_type_output_location[local.cluster_type]}" - cluster_region = "${local.cluster_type_output_region[local.cluster_type]}" - cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}" - cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}" - cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}" - cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}" - cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}" - cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}" - cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}" - cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}" - cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}" - cluster_network_policy_enabled = 
"${local.cluster_type_output_network_policy_enabled[local.cluster_type] ? false : true}" - cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}" - cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}" - cluster_kubernetes_dashboard_enabled = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}" + cluster_name = local.cluster_type_output_name[local.cluster_type] + cluster_location = local.cluster_type_output_location[local.cluster_type] + cluster_region = local.cluster_type_output_region[local.cluster_type] + cluster_zones = sort(local.cluster_type_output_zones[local.cluster_type]) + cluster_endpoint = local.cluster_type_output_endpoint[local.cluster_type] + cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] + cluster_master_version = local.cluster_type_output_master_version[local.cluster_type] + cluster_min_master_version = local.cluster_type_output_min_master_version[local.cluster_type] + cluster_logging_service = local.cluster_type_output_logging_service[local.cluster_type] + cluster_monitoring_service = local.cluster_type_output_monitoring_service[local.cluster_type] + cluster_node_pools_names = local.cluster_type_output_node_pools_names[local.cluster_type] + cluster_node_pools_versions = local.cluster_type_output_node_pools_versions[local.cluster_type] + cluster_network_policy_enabled = ! local.cluster_type_output_network_policy_enabled[local.cluster_type] + cluster_http_load_balancing_enabled = ! local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] + cluster_horizontal_pod_autoscaling_enabled = ! local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] + cluster_kubernetes_dashboard_enabled = ! 
local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] } /****************************************** Get available container engine versions *****************************************/ data "google_container_engine_versions" "region" { - provider = "google-beta" - region = "${var.region}" - project = "${var.project_id}" + provider = google-beta + region = var.region + project = var.project_id } data "google_container_engine_versions" "zone" { @@ -189,7 +264,7 @@ data "google_container_engine_versions" "zone" { // // data.google_container_engine_versions.zone: Cannot determine zone: set in this resource, or set provider-level zone. // - zone = "${var.zones[0] == "" ? data.google_compute_zones.available.names[0] : var.zones[0]}" + zone = var.zones[0] == "" ? data.google_compute_zones.available.names[0] : var.zones[0] - project = "${var.project_id}" + project = var.project_id } diff --git a/modules/private-cluster/masq.tf b/modules/private-cluster/masq.tf index 3006578627..1e9dc7791d 100644 --- a/modules/private-cluster/masq.tf +++ b/modules/private-cluster/masq.tf @@ -20,18 +20,18 @@ Create ip-masq-agent confimap *****************************************/ resource "kubernetes_config_map" "ip-masq-agent" { - count = "${var.configure_ip_masq ? 1 : 0}" + count = var.configure_ip_masq ? 1 : 0 metadata { name = "ip-masq-agent" namespace = "kube-system" - labels { + labels = { maintained_by = "terraform" } } - data { + data = { config = <