diff --git a/CHANGELOG.md b/CHANGELOG.md
index 31cb1f8d0f..e9467d2a27 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,8 +8,11 @@ Extending the adopted spec, each change should have a link to its corresponding
 
 ## [Unreleased]
 
-### Added
+## [2.0.0] 2019-06-ZZ
+
+### Changed
 
+* Supported version of Terraform is 0.12. [#58]
 * Add configuration flag for enable BinAuthZ Admission controller [#160]
 * Add configuration flag for `pod_security_policy_config` [#163]
 * Support for a guest accelerator in node pool configuration. [#157]
diff --git a/Gemfile b/Gemfile
index 2fffe26f1f..a54d14ec29 100644
--- a/Gemfile
+++ b/Gemfile
@@ -15,7 +15,7 @@
 ruby "~> 2.5"
 
 source 'https://rubygems.org/' do
-  gem "kitchen-terraform", "~> 4.0"
+  gem "kitchen-terraform", "~> 4.9"
   gem "kubeclient", "~> 4.0"
   gem "rest-client", "~> 2.0"
 end
diff --git a/Makefile b/Makefile
index 6c481c10c2..adab2ec226 100644
--- a/Makefile
+++ b/Makefile
@@ -18,7 +18,7 @@ SHELL := /usr/bin/env bash
 # Docker build config variables
 CREDENTIALS_PATH ?= /cft/workdir/credentials.json
 DOCKER_ORG := gcr.io/cloud-foundation-cicd
-DOCKER_TAG_BASE_KITCHEN_TERRAFORM ?= 1.3.0
+DOCKER_TAG_BASE_KITCHEN_TERRAFORM ?= 2.0.0
 DOCKER_REPO_BASE_KITCHEN_TERRAFORM := ${DOCKER_ORG}/cft/kitchen-terraform:${DOCKER_TAG_BASE_KITCHEN_TERRAFORM}
 DOCKER_TAG_KITCHEN_TERRAFORM ?= ${DOCKER_TAG_BASE_KITCHEN_TERRAFORM}
 DOCKER_IMAGE_KITCHEN_TERRAFORM := ${DOCKER_ORG}/cft/kitchen-terraform_terraform-google-kubernetes-engine
diff --git a/README.md b/README.md
index e56d7db123..4f48a96b50 100644
--- a/README.md
+++ b/README.md
@@ -56,7 +56,7 @@ module "gke" {
     all = {}
 
     default-node-pool = {
-      default-node-pool = "true"
+      default-node-pool = true
     }
   }
 
@@ -74,7 +74,7 @@ module "gke" {
     default-node-pool = [
       {
         key    = "default-node-pool"
-        value  = "true"
+        value  = true
         effect = "PREFER_NO_SCHEDULE"
       },
     ]
@@ -109,75 +109,6 @@ Version 1.0.0 of this module introduces a breaking change: adding the `disable-l
 In either case, upgrading to module version `v1.0.0` will trigger a recreation of all node pools in the cluster.
 
 [^]: (autogen_docs_start)
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no |
-| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no |
-| description | The description of the cluster | string | `""` | no |
-| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no |
-| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |
-| http\_load\_balancing | Enable httpload balancer addon | string | `"true"` | no |
-| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | string | `"0"` | no |
-| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | string | `"false"` | no |
-| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `"60s"` | no |
-| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes |
-| ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes |
-| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | string | `"false"` | no |
-| kubernetes\_dashboard | Enable kubernetes dashboard addon | string | `"false"` | no |
-| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no |
-| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com"` | no |
-| maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no |
-| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. Omit the nested cidr_blocks attribute to disallow external access (except the cluster node IPs, which GKE automatically whitelists)<br><br>  ### example format ###   master_authorized_networks_config = [{     cidr_blocks = [{       cidr_block   = "10.0.0.0/8"       display_name = "example_network"     }],   }] | list | `<list>` | no |
-| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com"` | no |
-| name | The name of the cluster (required) | string | n/a | yes |
-| network | The VPC network to host the cluster in (required) | string | n/a | yes |
-| network\_policy | Enable network policy addon | string | `"false"` | no |
-| network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no |
-| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no |
-| node\_pools | List of maps containing node pools | list | `<list>` | no |
-| node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `<map>` | no |
-| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map | `<map>` | no |
-| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map | `<map>` | no |
-| node\_pools\_tags | Map of lists containing node network tags by node-pool name | map | `<map>` | no |
-| node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `<map>` | no |
-| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no |
-| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list | `<list>` | no |
-| project\_id | The project ID to host the cluster in (required) | string | n/a | yes |
-| region | The region to host the cluster in (required) | string | n/a | yes |
-| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no |
-| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | string | `"false"` | no |
-| service\_account | The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created. | string | `"create"` | no |
-| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `<map>` | no |
-| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
-| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `<list>` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| ca\_certificate | Cluster ca certificate (base64 encoded) |
-| endpoint | Cluster endpoint |
-| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
-| http\_load\_balancing\_enabled | Whether http load balancing enabled |
-| kubernetes\_dashboard\_enabled | Whether kubernetes dashboard enabled |
-| location | Cluster location (region if regional cluster, zone if zonal cluster) |
-| logging\_service | Logging service used |
-| master\_authorized\_networks\_config | Networks from which access to master is permitted |
-| master\_version | Current master kubernetes version |
-| min\_master\_version | Minimum master kubernetes version |
-| monitoring\_service | Monitoring service used |
-| name | Cluster name |
-| network\_policy\_enabled | Whether network policy enabled |
-| node\_pools\_names | List of node pools names |
-| node\_pools\_versions | List of node pools versions |
-| region | Cluster region |
-| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
-| type | Cluster type (regional / zonal) |
-| zones | List of zones in which the cluster resides |
-
 [^]: (autogen_docs_end)
 
 ## Requirements
@@ -195,8 +126,8 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog
 #### Kubectl
 - [kubectl](https://github.com/kubernetes/kubernetes/releases) 1.9.x
 #### Terraform and Plugins
-- [Terraform](https://www.terraform.io/downloads.html) 0.11.x
-- [terraform-provider-google](https://github.com/terraform-providers/terraform-provider-google) v2.3, v2.6, v2.7
+- [Terraform](https://www.terraform.io/downloads.html) 0.12.x
+- [terraform-provider-google](https://github.com/terraform-providers/terraform-provider-google) v2.8
 
 ### Configure a Service Account
 In order to execute this module you must have a Service Account with the
diff --git a/auth.tf b/auth.tf
index 5ad4160145..48e7cc6a5f 100644
--- a/auth.tf
+++ b/auth.tf
@@ -20,7 +20,7 @@
   Retrieve authentication token
  *****************************************/
 data "google_client_config" "default" {
-  provider = "google"
+  provider = google
 }
 
 /******************************************
@@ -29,6 +29,6 @@ data "google_client_config" "default" {
 provider "kubernetes" {
   load_config_file       = false
   host                   = "https://${local.cluster_endpoint}"
-  token                  = "${data.google_client_config.default.access_token}"
-  cluster_ca_certificate = "${base64decode(local.cluster_ca_certificate)}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(local.cluster_ca_certificate)
 }
diff --git a/autogen/README.md b/autogen/README.md
index 778bfdb38e..1e3b4a44fa 100644
--- a/autogen/README.md
+++ b/autogen/README.md
@@ -66,7 +66,7 @@ module "gke" {
     all = {}
 
     default-node-pool = {
-      default-node-pool = "true"
+      default-node-pool = true
     }
   }
 
@@ -84,7 +84,7 @@ module "gke" {
     default-node-pool = [
       {
         key    = "default-node-pool"
-        value  = "true"
+        value  = true
         effect = "PREFER_NO_SCHEDULE"
       },
     ]
@@ -136,11 +136,11 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog
 #### Kubectl
 - [kubectl](https://github.com/kubernetes/kubernetes/releases) 1.9.x
 #### Terraform and Plugins
-- [Terraform](https://www.terraform.io/downloads.html) 0.11.x
+- [Terraform](https://www.terraform.io/downloads.html) 0.12.x
 {% if private_cluster %}
-- [terraform-provider-google-beta](https://github.com/terraform-providers/terraform-provider-google-beta) v2.3, v2.6, v2.7
+- [terraform-provider-google-beta](https://github.com/terraform-providers/terraform-provider-google-beta) v2.8
 {% else %}
-- [terraform-provider-google](https://github.com/terraform-providers/terraform-provider-google) v2.3, v2.6, v2.7
+- [terraform-provider-google](https://github.com/terraform-providers/terraform-provider-google) v2.8
 {% endif %}
 
 ### Configure a Service Account
diff --git a/autogen/auth.tf b/autogen/auth.tf
index 3e961cd6b1..d480409119 100644
--- a/autogen/auth.tf
+++ b/autogen/auth.tf
@@ -20,7 +20,8 @@
   Retrieve authentication token
  *****************************************/
 data "google_client_config" "default" {
-  provider = "{% if private_cluster %}google-beta{%else %}google{% endif %}"
+  provider = {% if private_cluster %}google-beta{%else %}google{% endif %}
+
 }
 
 /******************************************
@@ -29,6 +30,6 @@ data "google_client_config" "default" {
 provider "kubernetes" {
   load_config_file       = false
   host                   = "https://${local.cluster_endpoint}"
-  token                  = "${data.google_client_config.default.access_token}"
-  cluster_ca_certificate = "${base64decode(local.cluster_ca_certificate)}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(local.cluster_ca_certificate)
 }
diff --git a/autogen/cluster_regional.tf b/autogen/cluster_regional.tf
index e055f639dd..130ca7b312 100644
--- a/autogen/cluster_regional.tf
+++ b/autogen/cluster_regional.tf
@@ -20,74 +20,99 @@
   Create regional cluster
  *****************************************/
 resource "google_container_cluster" "primary" {
-  provider    = "{% if private_cluster %}google-beta{%else %}google{% endif %}"
-  count       = "${var.regional ? 1 : 0}"
-  name        = "${var.name}"
-  description = "${var.description}"
-  project     = "${var.project_id}"
-
-  region         = "${var.region}"
-  node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"]
-
-  network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
+  {% if private_cluster %}
+  provider    = google-beta
+  {% else %}
+  provider    = google
+  {% endif %}
+  count       = var.regional ? 1 : 0
+  name        = var.name
+  description = var.description
+  project     = var.project_id
+
+  region = var.region
+  node_locations = coalescelist(
+    compact(var.zones),
+    sort(random_shuffle.available_zones.result),
+  )
+
+  network = data.google_compute_network.gke_network.self_link
 
   network_policy {
-    enabled  = "${var.network_policy}"
-    provider = "${var.network_policy_provider}"
+    enabled  = var.network_policy
+    provider = var.network_policy_provider
   }
 
-  subnetwork         = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}"
-  min_master_version = "${local.kubernetes_version_regional}"
+  subnetwork         = data.google_compute_subnetwork.gke_subnetwork.self_link
+  min_master_version = local.kubernetes_version_regional
 
-  logging_service    = "${var.logging_service}"
-  monitoring_service = "${var.monitoring_service}"
+  logging_service    = var.logging_service
+  monitoring_service = var.monitoring_service
 
 {% if private_cluster %}
-  enable_binary_authorization       = "${var.enable_binary_authorization}"
-  pod_security_policy_config        = "${var.pod_security_policy_config}"
+  enable_binary_authorization = var.enable_binary_authorization
+
+  dynamic "pod_security_policy_config" {
+    for_each = var.pod_security_policy_config
+    content {
+      enabled = pod_security_policy_config.value.enabled
+    }
+  }
+
 {% endif %}
-  master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
+  dynamic "master_authorized_networks_config" {
+    for_each = var.master_authorized_networks_config
+    content {
+      dynamic "cidr_blocks" {
+        for_each = master_authorized_networks_config.value.cidr_blocks
+        content {
+          cidr_block   = lookup(cidr_blocks.value, "cidr_block", "")
+          display_name = lookup(cidr_blocks.value, "display_name", "")
+        }
+      }
+    }
+  }
 
   master_auth {
-    username = "${var.basic_auth_username}"
-    password = "${var.basic_auth_password}"
+    username = var.basic_auth_username
+    password = var.basic_auth_password
 
     client_certificate_config {
-      issue_client_certificate = "${var.issue_client_certificate}"
+      issue_client_certificate = var.issue_client_certificate
     }
   }
 
   addons_config {
     http_load_balancing {
-      disabled = "${var.http_load_balancing ? 0 : 1}"
+      disabled = ! var.http_load_balancing
     }
 
     horizontal_pod_autoscaling {
-      disabled = "${var.horizontal_pod_autoscaling ? 0 : 1}"
+      disabled = ! var.horizontal_pod_autoscaling
     }
 
     kubernetes_dashboard {
-      disabled = "${var.kubernetes_dashboard ? 0 : 1}"
+      disabled = ! var.kubernetes_dashboard
     }
 
     network_policy_config {
-      disabled = "${var.network_policy ? 0 : 1}"
+      disabled = ! var.network_policy
     }
   }
 
   ip_allocation_policy {
-    cluster_secondary_range_name  = "${var.ip_range_pods}"
-    services_secondary_range_name = "${var.ip_range_services}"
+    cluster_secondary_range_name  = var.ip_range_pods
+    services_secondary_range_name = var.ip_range_services
   }
 
   maintenance_policy {
     daily_maintenance_window {
-      start_time = "${var.maintenance_start_time}"
+      start_time = var.maintenance_start_time
     }
   }
 
   lifecycle {
-    ignore_changes = ["node_pool"]
+    ignore_changes = [node_pool]
   }
 
   timeouts {
@@ -98,73 +123,127 @@ resource "google_container_cluster" "primary" {
 
   node_pool {
     name               = "default-pool"
-    initial_node_count = "${var.initial_node_count}"
+    initial_node_count = var.initial_node_count
 
     node_config {
-      service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
+      service_account = lookup(var.node_pools[0], "service_account", local.service_account)
     }
   }
-{% if private_cluster %}
 
+{% if private_cluster %}
   private_cluster_config {
-    enable_private_endpoint = "${var.enable_private_endpoint}"
-    enable_private_nodes    = "${var.enable_private_nodes}"
-    master_ipv4_cidr_block  = "${var.master_ipv4_cidr_block}"
+    enable_private_endpoint = var.enable_private_endpoint
+    enable_private_nodes    = var.enable_private_nodes
+    master_ipv4_cidr_block  = var.master_ipv4_cidr_block
   }
-{% endif %}
 
-  remove_default_node_pool = "${var.remove_default_node_pool}"
+{% endif %}
+  remove_default_node_pool = var.remove_default_node_pool
 }
 
 /******************************************
   Create regional node pools
  *****************************************/
 resource "google_container_node_pool" "pools" {
-  provider           = "google-beta"
-  count              = "${var.regional ? length(var.node_pools) : 0}"
-  name               = "${lookup(var.node_pools[count.index], "name")}"
-  project            = "${var.project_id}"
-  region             = "${var.region}"
-  cluster            = "${google_container_cluster.primary.name}"
-  version            = "${lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(var.node_pools[count.index], "version", local.node_version_regional)}"
-  initial_node_count = "${lookup(var.node_pools[count.index], "initial_node_count", lookup(var.node_pools[count.index], "min_count", 1))}"
+  provider = google-beta
+  count    = var.regional ? length(var.node_pools) : 0
+  name     = var.node_pools[count.index]["name"]
+  project  = var.project_id
+  region   = var.region
+  cluster  = google_container_cluster.primary[0].name
+  version = lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(
+    var.node_pools[count.index],
+    "version",
+    local.node_version_regional,
+  )
+  initial_node_count = lookup(
+    var.node_pools[count.index],
+    "initial_node_count",
+    lookup(var.node_pools[count.index], "min_count", 1),
+  )
 
   autoscaling {
-    min_node_count = "${lookup(var.node_pools[count.index], "min_count", 1)}"
-    max_node_count = "${lookup(var.node_pools[count.index], "max_count", 100)}"
+    min_node_count = lookup(var.node_pools[count.index], "min_count", 1)
+    max_node_count = lookup(var.node_pools[count.index], "max_count", 100)
   }
 
   management {
-    auto_repair  = "${lookup(var.node_pools[count.index], "auto_repair", true)}"
-    auto_upgrade = "${lookup(var.node_pools[count.index], "auto_upgrade", true)}"
+    auto_repair  = lookup(var.node_pools[count.index], "auto_repair", true)
+    auto_upgrade = lookup(var.node_pools[count.index], "auto_upgrade", true)
   }
 
   node_config {
-    image_type   = "${lookup(var.node_pools[count.index], "image_type", "COS")}"
-    machine_type = "${lookup(var.node_pools[count.index], "machine_type", "n1-standard-2")}"
-    labels       = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_labels["all"], var.node_pools_labels[lookup(var.node_pools[count.index], "name")])}"
-    metadata     = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_metadata["all"], var.node_pools_metadata[lookup(var.node_pools[count.index], "name")], map("disable-legacy-endpoints", var.disable_legacy_metadata_endpoints))}"
-    taint        = "${concat(var.node_pools_taints["all"], var.node_pools_taints[lookup(var.node_pools[count.index], "name")])}"
-    tags         = ["${concat(list("gke-${var.name}"), list("gke-${var.name}-${lookup(var.node_pools[count.index], "name")}"), var.node_pools_tags["all"], var.node_pools_tags[lookup(var.node_pools[count.index], "name")])}"]
-
-    disk_size_gb    = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}"
-    disk_type       = "${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}"
-    service_account = "${lookup(var.node_pools[count.index], "service_account", local.service_account)}"
-    preemptible     = "${lookup(var.node_pools[count.index], "preemptible", false)}"
-
-    oauth_scopes = [
-      "${concat(var.node_pools_oauth_scopes["all"],
-      var.node_pools_oauth_scopes[lookup(var.node_pools[count.index], "name")])}",
-    ]
-
-    guest_accelerator {
-      type  = "${lookup(var.node_pools[count.index], "accelerator_type", "")}"
-      count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}"
+    image_type   = lookup(var.node_pools[count.index], "image_type", "COS")
+    machine_type = lookup(var.node_pools[count.index], "machine_type", "n1-standard-2")
+    labels = merge(
+      {
+        "cluster_name" = var.name
+      },
+      {
+        "node_pool" = var.node_pools[count.index]["name"]
+      },
+      var.node_pools_labels["all"],
+      var.node_pools_labels[var.node_pools[count.index]["name"]],
+    )
+    metadata = merge(
+      {
+        "cluster_name" = var.name
+      },
+      {
+        "node_pool" = var.node_pools[count.index]["name"]
+      },
+      var.node_pools_metadata["all"],
+      var.node_pools_metadata[var.node_pools[count.index]["name"]],
+      {
+        "disable-legacy-endpoints" = var.disable_legacy_metadata_endpoints
+      },
+    )
+    dynamic "taint" {
+      for_each = concat(
+        var.node_pools_taints["all"],
+        var.node_pools_taints[var.node_pools[count.index]["name"]],
+      )
+      content {
+        effect = taint.value.effect
+        key    = taint.value.key
+        value  = taint.value.value
+      }
+    }
+    tags = concat(
+      ["gke-${var.name}"],
+      ["gke-${var.name}-${var.node_pools[count.index]["name"]}"],
+      var.node_pools_tags["all"],
+      var.node_pools_tags[var.node_pools[count.index]["name"]],
+    )
+
+    disk_size_gb = lookup(var.node_pools[count.index], "disk_size_gb", 100)
+    disk_type    = lookup(var.node_pools[count.index], "disk_type", "pd-standard")
+    service_account = lookup(
+      var.node_pools[count.index],
+      "service_account",
+      local.service_account,
+    )
+    preemptible = lookup(var.node_pools[count.index], "preemptible", false)
+
+    oauth_scopes = concat(
+      var.node_pools_oauth_scopes["all"],
+      var.node_pools_oauth_scopes[var.node_pools[count.index]["name"]]
+    )
+
+    dynamic "guest_accelerator" {
+      for_each = lookup(var.node_pools[count.index], "accelerator_count", 0) > 0 ? [{
+        type  = lookup(var.node_pools[count.index], "accelerator_type", "")
+        count = lookup(var.node_pools[count.index], "accelerator_count", 0)
+      }] : []
+      content {
+        type  = guest_accelerator.value.type
+        count = guest_accelerator.value.count
+      }
     }
   }
 
   lifecycle {
-    ignore_changes = ["initial_node_count"]
+    ignore_changes = [initial_node_count]
   }
 
   timeouts {
@@ -175,16 +254,19 @@ resource "google_container_node_pool" "pools" {
 }
 
 resource "null_resource" "wait_for_regional_cluster" {
-  count = "${var.regional ? 1 : 0}"
+  count = var.regional ? 1 : 0
 
   provisioner "local-exec" {
     command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}"
   }
 
   provisioner "local-exec" {
-    when    = "destroy"
+    when    = destroy
     command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}"
   }
 
-  depends_on = ["google_container_cluster.primary", "google_container_node_pool.pools"]
+  depends_on = [
+    google_container_cluster.primary,
+    google_container_node_pool.pools,
+  ]
 }
diff --git a/autogen/cluster_zonal.tf b/autogen/cluster_zonal.tf
index a1ae54b19f..590406023c 100644
--- a/autogen/cluster_zonal.tf
+++ b/autogen/cluster_zonal.tf
@@ -20,74 +20,96 @@
   Create zonal cluster
  *****************************************/
 resource "google_container_cluster" "zonal_primary" {
-  provider    = "{% if private_cluster %}google-beta{%else %}google{% endif %}"
-  count       = "${var.regional ? 0 : 1}"
-  name        = "${var.name}"
-  description = "${var.description}"
-  project     = "${var.project_id}"
+  {% if private_cluster %}
+  provider    = google-beta
+  {% else %}
+  provider    = google
+  {% endif %}
+  count       = var.regional ? 0 : 1
+  name        = var.name
+  description = var.description
+  project     = var.project_id
 
-  zone           = "${var.zones[0]}"
-  node_locations = ["${slice(var.zones,1,length(var.zones))}"]
+  zone           = var.zones[0]
+  node_locations = slice(var.zones, 1, length(var.zones))
 
-  network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
+  network = data.google_compute_network.gke_network.self_link
 
   network_policy {
-    enabled  = "${var.network_policy}"
-    provider = "${var.network_policy_provider}"
+    enabled  = var.network_policy
+    provider = var.network_policy_provider
   }
 
-  subnetwork         = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}"
-  min_master_version = "${local.kubernetes_version_zonal}"
-
-  logging_service    = "${var.logging_service}"
-  monitoring_service = "${var.monitoring_service}"
+  subnetwork         = data.google_compute_subnetwork.gke_subnetwork.self_link
+  min_master_version = local.kubernetes_version_zonal
+
+  logging_service    = var.logging_service
+  monitoring_service = var.monitoring_service
+
+  dynamic "master_authorized_networks_config" {
+    for_each = var.master_authorized_networks_config
+    content {
+      dynamic "cidr_blocks" {
+        for_each = master_authorized_networks_config.value.cidr_blocks
+        content {
+          cidr_block   = lookup(cidr_blocks.value, "cidr_block", "")
+          display_name = lookup(cidr_blocks.value, "display_name", "")
+        }
+      }
+    }
+  }
 
 {% if private_cluster %}
-  enable_binary_authorization       = "${var.enable_binary_authorization}"
-  pod_security_policy_config        = "${var.pod_security_policy_config}"
+  enable_binary_authorization = var.enable_binary_authorization
+
+  dynamic "pod_security_policy_config" {
+    for_each = var.pod_security_policy_config
+    content {
+      enabled = pod_security_policy_config.value.enabled
+    }
+  }
 {% endif %}
-  master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {
-    username = "${var.basic_auth_username}"
-    password = "${var.basic_auth_password}"
+    username = var.basic_auth_username
+    password = var.basic_auth_password
 
     client_certificate_config {
-      issue_client_certificate = "${var.issue_client_certificate}"
+      issue_client_certificate = var.issue_client_certificate
     }
   }
 
   addons_config {
     http_load_balancing {
-      disabled = "${var.http_load_balancing ? 0 : 1}"
+      disabled = ! var.http_load_balancing
     }
 
     horizontal_pod_autoscaling {
-      disabled = "${var.horizontal_pod_autoscaling ? 0 : 1}"
+      disabled = ! var.horizontal_pod_autoscaling
     }
 
     kubernetes_dashboard {
-      disabled = "${var.kubernetes_dashboard ? 0 : 1}"
+      disabled = ! var.kubernetes_dashboard
     }
 
     network_policy_config {
-      disabled = "${var.network_policy ? 0 : 1}"
+      disabled = ! var.network_policy
     }
   }
 
   ip_allocation_policy {
-    cluster_secondary_range_name  = "${var.ip_range_pods}"
-    services_secondary_range_name = "${var.ip_range_services}"
+    cluster_secondary_range_name  = var.ip_range_pods
+    services_secondary_range_name = var.ip_range_services
   }
 
   maintenance_policy {
     daily_maintenance_window {
-      start_time = "${var.maintenance_start_time}"
+      start_time = var.maintenance_start_time
     }
   }
 
   lifecycle {
-    ignore_changes = ["node_pool"]
+    ignore_changes = [node_pool]
   }
 
   timeouts {
@@ -98,73 +120,128 @@ resource "google_container_cluster" "zonal_primary" {
 
   node_pool {
     name               = "default-pool"
-    initial_node_count = "${var.initial_node_count}"
+    initial_node_count = var.initial_node_count
 
     node_config {
-      service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
+      service_account = lookup(var.node_pools[0], "service_account", local.service_account)
     }
   }
-{% if private_cluster %}
 
+{% if private_cluster %}
   private_cluster_config {
-    enable_private_endpoint = "${var.enable_private_endpoint}"
-    enable_private_nodes    = "${var.enable_private_nodes}"
-    master_ipv4_cidr_block  = "${var.master_ipv4_cidr_block}"
+    enable_private_endpoint = var.enable_private_endpoint
+    enable_private_nodes    = var.enable_private_nodes
+    master_ipv4_cidr_block  = var.master_ipv4_cidr_block
   }
 {% endif %}
 
-  remove_default_node_pool = "${var.remove_default_node_pool}"
+  remove_default_node_pool = var.remove_default_node_pool
 }
 
 /******************************************
   Create zonal node pools
  *****************************************/
 resource "google_container_node_pool" "zonal_pools" {
-  provider           = "google-beta"
-  count              = "${var.regional ? 0 : length(var.node_pools)}"
-  name               = "${lookup(var.node_pools[count.index], "name")}"
-  project            = "${var.project_id}"
-  zone               = "${var.zones[0]}"
-  cluster            = "${google_container_cluster.zonal_primary.name}"
-  version            = "${lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(var.node_pools[count.index], "version", local.node_version_zonal)}"
-  initial_node_count = "${lookup(var.node_pools[count.index], "initial_node_count", lookup(var.node_pools[count.index], "min_count", 1))}"
+  provider = google-beta
+  count    = var.regional ? 0 : length(var.node_pools)
+  name     = var.node_pools[count.index]["name"]
+  project  = var.project_id
+  zone     = var.zones[0]
+  cluster  = google_container_cluster.zonal_primary[0].name
+  version = lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(
+    var.node_pools[count.index],
+    "version",
+    local.node_version_zonal,
+  )
+  initial_node_count = lookup(
+    var.node_pools[count.index],
+    "initial_node_count",
+    lookup(var.node_pools[count.index], "min_count", 1),
+  )
 
   autoscaling {
-    min_node_count = "${lookup(var.node_pools[count.index], "min_count", 1)}"
-    max_node_count = "${lookup(var.node_pools[count.index], "max_count", 100)}"
+    min_node_count = lookup(var.node_pools[count.index], "min_count", 1)
+    max_node_count = lookup(var.node_pools[count.index], "max_count", 100)
   }
 
   management {
-    auto_repair  = "${lookup(var.node_pools[count.index], "auto_repair", true)}"
-    auto_upgrade = "${lookup(var.node_pools[count.index], "auto_upgrade", false)}"
+    auto_repair  = lookup(var.node_pools[count.index], "auto_repair", true)
+    auto_upgrade = lookup(var.node_pools[count.index], "auto_upgrade", false)
   }
 
   node_config {
-    image_type   = "${lookup(var.node_pools[count.index], "image_type", "COS")}"
-    machine_type = "${lookup(var.node_pools[count.index], "machine_type", "n1-standard-2")}"
-    labels       = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_labels["all"], var.node_pools_labels[lookup(var.node_pools[count.index], "name")])}"
-    metadata     = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_metadata["all"], var.node_pools_metadata[lookup(var.node_pools[count.index], "name")], map("disable-legacy-endpoints", var.disable_legacy_metadata_endpoints))}"
-    taint        = "${concat(var.node_pools_taints["all"], var.node_pools_taints[lookup(var.node_pools[count.index], "name")])}"
-    tags         = ["${concat(list("gke-${var.name}"), list("gke-${var.name}-${lookup(var.node_pools[count.index], "name")}"), var.node_pools_tags["all"], var.node_pools_tags[lookup(var.node_pools[count.index], "name")])}"]
-
-    disk_size_gb    = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}"
-    disk_type       = "${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}"
-    service_account = "${lookup(var.node_pools[count.index], "service_account", local.service_account)}"
-    preemptible     = "${lookup(var.node_pools[count.index], "preemptible", false)}"
-
-    oauth_scopes = [
-      "${concat(var.node_pools_oauth_scopes["all"],
-      var.node_pools_oauth_scopes[lookup(var.node_pools[count.index], "name")])}",
-    ]
-
-    guest_accelerator {
-      type  = "${lookup(var.node_pools[count.index], "accelerator_type", "")}"
-      count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}"
+    image_type   = lookup(var.node_pools[count.index], "image_type", "COS")
+    machine_type = lookup(var.node_pools[count.index], "machine_type", "n1-standard-2")
+    labels = merge(
+      {
+        "cluster_name" = var.name
+      },
+      {
+        "node_pool" = var.node_pools[count.index]["name"]
+      },
+      var.node_pools_labels["all"],
+      var.node_pools_labels[var.node_pools[count.index]["name"]],
+    )
+    metadata = merge(
+      {
+        "cluster_name" = var.name
+      },
+      {
+        "node_pool" = var.node_pools[count.index]["name"]
+      },
+      var.node_pools_metadata["all"],
+      var.node_pools_metadata[var.node_pools[count.index]["name"]],
+      {
+        "disable-legacy-endpoints" = var.disable_legacy_metadata_endpoints
+      },
+    )
+    dynamic "taint" {
+      for_each = concat(
+        var.node_pools_taints["all"],
+        var.node_pools_taints[var.node_pools[count.index]["name"]],
+      )
+      content {
+        effect = taint.value.effect
+        key    = taint.value.key
+        value  = taint.value.value
+      }
+    }
+
+    tags = concat(
+      ["gke-${var.name}"],
+      ["gke-${var.name}-${var.node_pools[count.index]["name"]}"],
+      var.node_pools_tags["all"],
+      var.node_pools_tags[var.node_pools[count.index]["name"]],
+    )
+
+    disk_size_gb = lookup(var.node_pools[count.index], "disk_size_gb", 100)
+    disk_type    = lookup(var.node_pools[count.index], "disk_type", "pd-standard")
+    service_account = lookup(
+      var.node_pools[count.index],
+      "service_account",
+      local.service_account,
+    )
+    preemptible = lookup(var.node_pools[count.index], "preemptible", false)
+
+    oauth_scopes = concat(
+      var.node_pools_oauth_scopes["all"],
+      var.node_pools_oauth_scopes[var.node_pools[count.index]["name"]],
+    )
+
+    dynamic "guest_accelerator" {
+      for_each = lookup(var.node_pools[count.index], "accelerator_count", 0) > 0 ? [{
+        type  = lookup(var.node_pools[count.index], "accelerator_type", "")
+        count = lookup(var.node_pools[count.index], "accelerator_count", 0)
+      }] : []
+      content {
+        type  = guest_accelerator.value.type
+        count = guest_accelerator.value.count
+      }
     }
   }
 
   lifecycle {
-    ignore_changes = ["initial_node_count"]
+    ignore_changes = [initial_node_count]
   }
 
   timeouts {
@@ -175,16 +252,19 @@ resource "google_container_node_pool" "zonal_pools" {
 }
 
 resource "null_resource" "wait_for_zonal_cluster" {
-  count = "${var.regional ? 0 : 1}"
+  count = var.regional ? 0 : 1
 
   provisioner "local-exec" {
     command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}"
   }
 
   provisioner "local-exec" {
-    when    = "destroy"
+    when    = destroy
     command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}"
   }
 
-  depends_on = ["google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"]
+  depends_on = [
+    google_container_cluster.zonal_primary,
+    google_container_node_pool.zonal_pools,
+  ]
 }
diff --git a/autogen/dns.tf b/autogen/dns.tf
index 1b0d83eb23..cdfbde7589 100644
--- a/autogen/dns.tf
+++ b/autogen/dns.tf
@@ -20,35 +20,48 @@
   Delete default kube-dns configmap
  *****************************************/
 resource "null_resource" "delete_default_kube_dns_configmap" {
-  count = "${local.custom_kube_dns_config ? 1 : 0}"
+  count = local.custom_kube_dns_config ? 1 : 0
 
   provisioner "local-exec" {
     command = "${path.module}/scripts/kubectl_wrapper.sh https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
   }
 
-  depends_on = ["data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"]
+  depends_on = [
+    data.google_client_config.default,
+    google_container_cluster.primary,
+    google_container_node_pool.pools,
+    google_container_cluster.zonal_primary,
+    google_container_node_pool.zonal_pools,
+  ]
 }
 
 /******************************************
   Create kube-dns confimap
  *****************************************/
 resource "kubernetes_config_map" "kube-dns" {
-  count = "${local.custom_kube_dns_config ? 1 : 0}"
+  count = local.custom_kube_dns_config ? 1 : 0
 
   metadata {
     name      = "kube-dns"
     namespace = "kube-system"
 
-    labels {
+    labels = {
       maintained_by = "terraform"
     }
   }
 
-  data {
+  data = {
     stubDomains = <<EOF
 ${jsonencode(var.stub_domains)}
 EOF
   }
 
-  depends_on = ["null_resource.delete_default_kube_dns_configmap", "data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"]
+  depends_on = [
+    null_resource.delete_default_kube_dns_configmap,
+    data.google_client_config.default,
+    google_container_cluster.primary,
+    google_container_node_pool.pools,
+    google_container_cluster.zonal_primary,
+    google_container_node_pool.zonal_pools,
+  ]
 }
diff --git a/autogen/main.tf b/autogen/main.tf
index ad07ed8ac3..c90a4cccc2 100644
--- a/autogen/main.tf
+++ b/autogen/main.tf
@@ -20,156 +20,244 @@
   Get available zones in region
  *****************************************/
 data "google_compute_zones" "available" {
-  provider = "{% if private_cluster %}google-beta{%else %}google{% endif %}"
-  project  = "${var.project_id}"
-  region   = "${var.region}"
+  provider = google
+  project  = var.project_id
+  region   = var.region
 }
 
 resource "random_shuffle" "available_zones" {
-  input        = ["${data.google_compute_zones.available.names}"]
+  input        = data.google_compute_zones.available.names
   result_count = 3
 }
 
 locals {
-  kubernetes_version_regional = "${var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_master_version}"
-  kubernetes_version_zonal    = "${var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version}"
-  node_version_regional       = "${var.node_version != "" && var.regional ? var.node_version : local.kubernetes_version_regional}"
-  node_version_zonal          = "${var.node_version != "" && !var.regional ? var.node_version : local.kubernetes_version_zonal}"
-  custom_kube_dns_config      = "${length(keys(var.stub_domains)) > 0 ? true : false}"
-  network_project_id          = "${var.network_project_id != "" ? var.network_project_id : var.project_id}"
+  kubernetes_version_regional = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_master_version
+  kubernetes_version_zonal    = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version
+  node_version_regional       = var.node_version != "" && var.regional ? var.node_version : local.kubernetes_version_regional
+  node_version_zonal          = var.node_version != "" && !var.regional ? var.node_version : local.kubernetes_version_zonal
+  custom_kube_dns_config      = length(keys(var.stub_domains)) > 0
+  network_project_id          = var.network_project_id != "" ? var.network_project_id : var.project_id
 
-  cluster_type = "${var.regional ? "regional" : "zonal"}"
+  cluster_type = var.regional ? "regional" : "zonal"
 
   cluster_type_output_name = {
-    regional = "${element(concat(google_container_cluster.primary.*.name, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.name, list("")), 0)}"
+    regional = element(concat(google_container_cluster.primary.*.name, [""]), 0)
+    zonal = element(
+      concat(google_container_cluster.zonal_primary.*.name, [""]),
+      0,
+    )
   }
 
   cluster_type_output_location = {
-    regional = "${element(concat(google_container_cluster.primary.*.region, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.zone, list("")), 0)}"
+    regional = element(concat(google_container_cluster.primary.*.region, [""]), 0)
+    zonal = element(
+      concat(google_container_cluster.zonal_primary.*.zone, [""]),
+      0,
+    )
   }
 
   cluster_type_output_region = {
-    regional = "${element(concat(google_container_cluster.primary.*.region, list("")), 0)}"
-    zonal    = "${var.region}"
+    regional = element(concat(google_container_cluster.primary.*.region, [""]), 0)
+    zonal    = var.region
   }
 
-  cluster_type_output_regional_zones = "${flatten(google_container_cluster.primary.*.node_locations)}"
-  cluster_type_output_zonal_zones    = "${slice(var.zones, 1, length(var.zones))}"
+  cluster_type_output_regional_zones = flatten(google_container_cluster.primary.*.node_locations)
+  cluster_type_output_zonal_zones    = slice(var.zones, 1, length(var.zones))
 
   cluster_type_output_zones = {
-    regional = "${local.cluster_type_output_regional_zones}"
-    zonal    = "${concat(google_container_cluster.zonal_primary.*.zone, local.cluster_type_output_zonal_zones)}"
+    regional = local.cluster_type_output_regional_zones
+    zonal = concat(
+      google_container_cluster.zonal_primary.*.zone,
+      local.cluster_type_output_zonal_zones,
+    )
   }
 
 {% if private_cluster %}
   cluster_type_output_endpoint = {
-    regional = "${
-      var.deploy_using_private_endpoint ?
-      element(concat(google_container_cluster.primary.*.private_cluster_config.0.private_endpoint, list("")), 0) :
-      element(concat(google_container_cluster.primary.*.endpoint, list("")), 0)
-    }"
-
-    zonal = "${
-      var.deploy_using_private_endpoint ?
-      element(concat(google_container_cluster.zonal_primary.*.private_cluster_config.0.private_endpoint, list("")), 0) :
-      element(concat(google_container_cluster.zonal_primary.*.endpoint, list("")), 0)
-    }"
+    regional = var.deploy_using_private_endpoint ? element(concat(google_container_cluster.primary.*.private_cluster_config.0.private_endpoint, list("")), 0) : element(concat(google_container_cluster.primary.*.endpoint, list("")), 0)
+
+    zonal = var.deploy_using_private_endpoint ? element(concat(google_container_cluster.zonal_primary.*.private_cluster_config.0.private_endpoint, list("")), 0) : element(concat(google_container_cluster.zonal_primary.*.endpoint, list("")), 0)
   }
 {% else %}
   cluster_type_output_endpoint = {
-    regional = "${element(concat(google_container_cluster.primary.*.endpoint, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.endpoint, list("")), 0)}"
+    regional = element(concat(google_container_cluster.primary.*.endpoint, [""]), 0)
+    zonal = element(
+      concat(google_container_cluster.zonal_primary.*.endpoint, [""]),
+      0,
+    )
   }
 {% endif %}
 
   cluster_type_output_master_auth = {
-    regional = "${concat(google_container_cluster.primary.*.master_auth, list())}"
-    zonal    = "${concat(google_container_cluster.zonal_primary.*.master_auth, list())}"
+    regional = concat(google_container_cluster.primary.*.master_auth, [])
+    zonal    = concat(google_container_cluster.zonal_primary.*.master_auth, [])
   }
 
   cluster_type_output_master_version = {
-    regional = "${element(concat(google_container_cluster.primary.*.master_version, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.master_version, list("")), 0)}"
+    regional = element(
+      concat(google_container_cluster.primary.*.master_version, [""]),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.master_version,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_min_master_version = {
-    regional = "${element(concat(google_container_cluster.primary.*.min_master_version, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.min_master_version, list("")), 0)}"
+    regional = element(
+      concat(google_container_cluster.primary.*.min_master_version, [""]),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.min_master_version,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_logging_service = {
-    regional = "${element(concat(google_container_cluster.primary.*.logging_service, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.logging_service, list("")), 0)}"
+    regional = element(
+      concat(google_container_cluster.primary.*.logging_service, [""]),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.logging_service,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_monitoring_service = {
-    regional = "${element(concat(google_container_cluster.primary.*.monitoring_service, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.monitoring_service, list("")), 0)}"
+    regional = element(
+      concat(google_container_cluster.primary.*.monitoring_service, [""]),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.monitoring_service,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_network_policy_enabled = {
-    regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.network_policy_config.0.disabled, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.network_policy_config.0.disabled, list("")), 0)}"
+    regional = element(
+      concat(
+        google_container_cluster.primary.*.addons_config.0.network_policy_config.0.disabled,
+        [""],
+      ),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.addons_config.0.network_policy_config.0.disabled,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_http_load_balancing_enabled = {
-    regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.http_load_balancing.0.disabled, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.http_load_balancing.0.disabled, list("")), 0)}"
+    regional = element(
+      concat(
+        google_container_cluster.primary.*.addons_config.0.http_load_balancing.0.disabled,
+        [""],
+      ),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.addons_config.0.http_load_balancing.0.disabled,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_horizontal_pod_autoscaling_enabled = {
-    regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, list("")), 0)}"
+    regional = element(
+      concat(
+        google_container_cluster.primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled,
+        [""],
+      ),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_kubernetes_dashboard_enabled = {
-    regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.kubernetes_dashboard.0.disabled, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.kubernetes_dashboard.0.disabled, list("")), 0)}"
+    regional = element(
+      concat(
+        google_container_cluster.primary.*.addons_config.0.kubernetes_dashboard.0.disabled,
+        [""],
+      ),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.addons_config.0.kubernetes_dashboard.0.disabled,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_node_pools_names = {
-    regional = "${concat(google_container_node_pool.pools.*.name, list(""))}"
-    zonal    = "${concat(google_container_node_pool.zonal_pools.*.name, list(""))}"
+    regional = concat(google_container_node_pool.pools.*.name, [""])
+    zonal    = concat(google_container_node_pool.zonal_pools.*.name, [""])
   }
 
   cluster_type_output_node_pools_versions = {
-    regional = "${concat(google_container_node_pool.pools.*.version, list(""))}"
-    zonal    = "${concat(google_container_node_pool.zonal_pools.*.version, list(""))}"
+    regional = concat(google_container_node_pool.pools.*.version, [""])
+    zonal    = concat(google_container_node_pool.zonal_pools.*.version, [""])
   }
 
 {% if private_cluster %}
   cluster_type_output_pod_security_policy_enabled = {
-    regional = "${element(concat(google_container_cluster.primary.*.pod_security_policy_config.0.enabled, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.pod_security_policy_config.0.enabled, list("")), 0)}"
+    regional = element(concat(google_container_cluster.primary.*.pod_security_policy_config.0.enabled, list("")), 0)
+    zonal    = element(concat(google_container_cluster.zonal_primary.*.pod_security_policy_config.0.enabled, list("")), 0)
   }
 
 {% endif %}
-  cluster_master_auth_list_layer1 = "${local.cluster_type_output_master_auth[local.cluster_type]}"
-  cluster_master_auth_list_layer2 = "${local.cluster_master_auth_list_layer1[0]}"
-  cluster_master_auth_map         = "${local.cluster_master_auth_list_layer2[0]}"
+  cluster_master_auth_list_layer1 = local.cluster_type_output_master_auth[local.cluster_type]
+  cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0]
+  cluster_master_auth_map         = local.cluster_master_auth_list_layer2[0]
 
   # cluster locals
-  cluster_name                = "${local.cluster_type_output_name[local.cluster_type]}"
-  cluster_location            = "${local.cluster_type_output_location[local.cluster_type]}"
-  cluster_region              = "${local.cluster_type_output_region[local.cluster_type]}"
-  cluster_zones               = "${sort(local.cluster_type_output_zones[local.cluster_type])}"
-  cluster_endpoint            = "${local.cluster_type_output_endpoint[local.cluster_type]}"
-  cluster_ca_certificate      = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}"
-  cluster_master_version      = "${local.cluster_type_output_master_version[local.cluster_type]}"
-  cluster_min_master_version  = "${local.cluster_type_output_min_master_version[local.cluster_type]}"
-  cluster_logging_service     = "${local.cluster_type_output_logging_service[local.cluster_type]}"
-  cluster_monitoring_service  = "${local.cluster_type_output_monitoring_service[local.cluster_type]}"
-  cluster_node_pools_names    = "${local.cluster_type_output_node_pools_names[local.cluster_type]}"
-  cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}"
-
-  cluster_network_policy_enabled             = "${local.cluster_type_output_network_policy_enabled[local.cluster_type] ? false : true}"
-  cluster_http_load_balancing_enabled        = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}"
-  cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}"
-  cluster_kubernetes_dashboard_enabled       = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}"
+  cluster_name                = local.cluster_type_output_name[local.cluster_type]
+  cluster_location            = local.cluster_type_output_location[local.cluster_type]
+  cluster_region              = local.cluster_type_output_region[local.cluster_type]
+  cluster_zones               = sort(local.cluster_type_output_zones[local.cluster_type])
+  cluster_endpoint            = local.cluster_type_output_endpoint[local.cluster_type]
+  cluster_ca_certificate      = local.cluster_master_auth_map["cluster_ca_certificate"]
+  cluster_master_version      = local.cluster_type_output_master_version[local.cluster_type]
+  cluster_min_master_version  = local.cluster_type_output_min_master_version[local.cluster_type]
+  cluster_logging_service     = local.cluster_type_output_logging_service[local.cluster_type]
+  cluster_monitoring_service  = local.cluster_type_output_monitoring_service[local.cluster_type]
+  cluster_node_pools_names    = local.cluster_type_output_node_pools_names[local.cluster_type]
+  cluster_node_pools_versions = local.cluster_type_output_node_pools_versions[local.cluster_type]
+
+  cluster_network_policy_enabled             = !local.cluster_type_output_network_policy_enabled[local.cluster_type]
+  cluster_http_load_balancing_enabled        = !local.cluster_type_output_http_load_balancing_enabled[local.cluster_type]
+  cluster_horizontal_pod_autoscaling_enabled = !local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type]
+  cluster_kubernetes_dashboard_enabled       = !local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type]
 {% if private_cluster %}
-  cluster_pod_security_policy_enabled        = "${local.cluster_type_output_pod_security_policy_enabled[local.cluster_type] ? true : false}"
+  cluster_pod_security_policy_enabled        = local.cluster_type_output_pod_security_policy_enabled[local.cluster_type]
 {% endif %}
 }
 
@@ -177,9 +265,9 @@ locals {
   Get available container engine versions
  *****************************************/
 data "google_container_engine_versions" "region" {
-  provider = "google-beta"
-  region   = "${var.region}"
-  project  = "${var.project_id}"
+  provider = google-beta
+  region   = var.region
+  project  = var.project_id
 }
 
 data "google_container_engine_versions" "zone" {
@@ -187,7 +275,7 @@ data "google_container_engine_versions" "zone" {
   //
   //     data.google_container_engine_versions.zone: Cannot determine zone: set in this resource, or set provider-level zone.
   //
-  zone     = "${var.zones[0] == "" ? data.google_compute_zones.available.names[0] : var.zones[0]}"
+  zone = var.zones[0] == "" ? data.google_compute_zones.available.names[0] : var.zones[0]
 
-  project  = "${var.project_id}"
+  project = var.project_id
 }
diff --git a/autogen/masq.tf b/autogen/masq.tf
index e8856a8bf0..374f541ac8 100644
--- a/autogen/masq.tf
+++ b/autogen/masq.tf
@@ -20,18 +20,18 @@
   Create ip-masq-agent confimap
  *****************************************/
 resource "kubernetes_config_map" "ip-masq-agent" {
-  count = "${var.network_policy ? 1 : 0}"
+  count = var.network_policy ? 1 : 0
 
   metadata {
     name      = "ip-masq-agent"
     namespace = "kube-system"
 
-    labels {
+    labels = {
       maintained_by = "terraform"
     }
   }
 
-  data {
+  data = {
     config = <<EOF
 nonMasqueradeCIDRs:
   - ${join("\n  - ", var.non_masquerade_cidrs)}
@@ -40,5 +40,11 @@ masqLinkLocal: ${var.ip_masq_link_local}
 EOF
   }
 
-  depends_on = ["data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"]
+  depends_on = [
+    data.google_client_config.default,
+    google_container_cluster.primary,
+    google_container_node_pool.pools,
+    google_container_cluster.zonal_primary,
+    google_container_node_pool.zonal_pools,
+  ]
 }
diff --git a/autogen/networks.tf b/autogen/networks.tf
index 00d41aa4d0..10405b2029 100644
--- a/autogen/networks.tf
+++ b/autogen/networks.tf
@@ -18,13 +18,13 @@
 
 data "google_compute_network" "gke_network" {
   provider = "{% if private_cluster %}google-beta{%else %}google{% endif %}"
-  name     = "${var.network}"
-  project  = "${local.network_project_id}"
+  name     = var.network
+  project  = local.network_project_id
 }
 
 data "google_compute_subnetwork" "gke_subnetwork" {
   provider = "{% if private_cluster %}google-beta{%else %}google{% endif %}"
-  name     = "${var.subnetwork}"
-  region   = "${var.region}"
-  project  = "${local.network_project_id}"
+  name     = var.subnetwork
+  region   = var.region
+  project  = local.network_project_id
 }
diff --git a/autogen/outputs.tf b/autogen/outputs.tf
index 191e303bd1..116917ec7f 100644
--- a/autogen/outputs.tf
+++ b/autogen/outputs.tf
@@ -18,99 +18,99 @@
 
 output "name" {
   description = "Cluster name"
-  value       = "${local.cluster_name}"
+  value       = local.cluster_name
 }
 
 output "type" {
   description = "Cluster type (regional / zonal)"
-  value       = "${local.cluster_type}"
+  value       = local.cluster_type
 }
 
 output "location" {
   description = "Cluster location (region if regional cluster, zone if zonal cluster)"
-  value       = "${local.cluster_location}"
+  value       = local.cluster_location
 }
 
 output "region" {
   description = "Cluster region"
-  value       = "${local.cluster_region}"
+  value       = local.cluster_region
 }
 
 output "zones" {
   description = "List of zones in which the cluster resides"
-  value       = "${local.cluster_zones}"
+  value       = local.cluster_zones
 }
 
 output "endpoint" {
   sensitive   = true
   description = "Cluster endpoint"
-  value       = "${local.cluster_endpoint}"
+  value       = local.cluster_endpoint
 }
 
 output "min_master_version" {
   description = "Minimum master kubernetes version"
-  value       = "${local.cluster_min_master_version}"
+  value       = local.cluster_min_master_version
 }
 
 output "logging_service" {
   description = "Logging service used"
-  value       = "${local.cluster_logging_service}"
+  value       = local.cluster_logging_service
 }
 
 output "monitoring_service" {
   description = "Monitoring service used"
-  value       = "${local.cluster_monitoring_service}"
+  value       = local.cluster_monitoring_service
 }
 
 output "master_authorized_networks_config" {
   description = "Networks from which access to master is permitted"
-  value       = "${var.master_authorized_networks_config}"
+  value       = var.master_authorized_networks_config
 }
 
 output "master_version" {
   description = "Current master kubernetes version"
-  value       = "${local.cluster_master_version}"
+  value       = local.cluster_master_version
 }
 
 output "ca_certificate" {
   sensitive   = true
   description = "Cluster ca certificate (base64 encoded)"
-  value       = "${local.cluster_ca_certificate}"
+  value       = local.cluster_ca_certificate
 }
 
 output "network_policy_enabled" {
   description = "Whether network policy enabled"
-  value       = "${local.cluster_network_policy_enabled}"
+  value       = local.cluster_network_policy_enabled
 }
 
 output "http_load_balancing_enabled" {
   description = "Whether http load balancing enabled"
-  value       = "${local.cluster_http_load_balancing_enabled}"
+  value       = local.cluster_http_load_balancing_enabled
 }
 
 output "horizontal_pod_autoscaling_enabled" {
   description = "Whether horizontal pod autoscaling enabled"
-  value       = "${local.cluster_horizontal_pod_autoscaling_enabled}"
+  value       = local.cluster_horizontal_pod_autoscaling_enabled
 }
 
 output "kubernetes_dashboard_enabled" {
   description = "Whether kubernetes dashboard enabled"
-  value       = "${local.cluster_kubernetes_dashboard_enabled}"
+  value       = local.cluster_kubernetes_dashboard_enabled
 }
 
 output "node_pools_names" {
   description = "List of node pools names"
-  value       = "${local.cluster_node_pools_names}"
+  value       = local.cluster_node_pools_names
 }
 
 output "node_pools_versions" {
   description = "List of node pools versions"
-  value       = "${local.cluster_node_pools_versions}"
+  value       = local.cluster_node_pools_versions
 }
 
 output "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`."
-  value       = "${local.service_account}"
+  value       = local.service_account
 }
 
 {% if private_cluster %}
diff --git a/autogen/sa.tf b/autogen/sa.tf
index 56220640dd..4e9dd9690f 100644
--- a/autogen/sa.tf
+++ b/autogen/sa.tf
@@ -17,41 +17,46 @@
 {{ autogeneration_note }}
 
 locals {
-  service_account_list = "${compact(concat(google_service_account.cluster_service_account.*.email, list("dummy")))}"
-  service_account      = "${var.service_account == "create" ? element(local.service_account_list, 0) : var.service_account}"
+  service_account_list = compact(
+    concat(
+      google_service_account.cluster_service_account.*.email,
+      ["dummy"],
+    ),
+  )
+  service_account = var.service_account == "create" ? element(local.service_account_list, 0) : var.service_account
 }
 
 resource "random_string" "cluster_service_account_suffix" {
-  upper   = "false"
-  lower   = "true"
-  special = "false"
+  upper   = false
+  lower   = true
+  special = false
   length  = 4
 }
 
 resource "google_service_account" "cluster_service_account" {
-  count        = "${var.service_account == "create" ? 1 : 0}"
-  project      = "${var.project_id}"
+  count        = var.service_account == "create" ? 1 : 0
+  project      = var.project_id
   account_id   = "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix.result}"
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
 resource "google_project_iam_member" "cluster_service_account-log_writer" {
-  count   = "${var.service_account == "create" ? 1 : 0}"
-  project = "${google_service_account.cluster_service_account.project}"
+  count   = var.service_account == "create" ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
   role    = "roles/logging.logWriter"
-  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
 resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = "${var.service_account == "create" ? 1 : 0}"
-  project = "${google_project_iam_member.cluster_service_account-log_writer.project}"
+  count   = var.service_account == "create" ? 1 : 0
+  project = google_project_iam_member.cluster_service_account-log_writer[0].project
   role    = "roles/monitoring.metricWriter"
-  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
 resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = "${var.service_account == "create" ? 1 : 0}"
-  project = "${google_project_iam_member.cluster_service_account-metric_writer.project}"
+  count   = var.service_account == "create" ? 1 : 0
+  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
   role    = "roles/monitoring.viewer"
-  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
diff --git a/autogen/variables.tf b/autogen/variables.tf
index c169f85b65..be17c470f7 100644
--- a/autogen/variables.tf
+++ b/autogen/variables.tf
@@ -17,58 +17,68 @@
 {{ autogeneration_note }}
 
 variable "project_id" {
+  type        = string
   description = "The project ID to host the cluster in (required)"
 }
 
 variable "name" {
+  type        = string
   description = "The name of the cluster (required)"
 }
 
 variable "description" {
+  type        = string
   description = "The description of the cluster"
   default     = ""
 }
 
 variable "regional" {
+  type        = bool
   description = "Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!)"
   default     = true
 }
 
 variable "region" {
+  type        = string
   description = "The region to host the cluster in (required)"
 }
 
 variable "zones" {
-  type        = "list"
+  type        = list(string)
   description = "The zones to host the cluster in (optional if regional cluster / required if zonal)"
-  default     = [""]
+  default     = []
 }
 
 variable "network" {
+  type        = string
   description = "The VPC network to host the cluster in (required)"
 }
 
 variable "network_project_id" {
+  type        = string
   description = "The project ID of the shared VPC's host (for shared vpc support)"
   default     = ""
 }
 
 variable "subnetwork" {
+  type        = string
   description = "The subnetwork to host the cluster in (required)"
 }
 
 variable "kubernetes_version" {
+  type        = string
   description = "The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region."
   default     = "latest"
 }
 
 variable "node_version" {
+  type        = string
   description = "The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation."
   default     = ""
 }
 
 variable "master_authorized_networks_config" {
-  type = "list"
+  type = list(object({cidr_blocks=list(object({cidr_block=string,display_name=string}))}))
 
   description = <<EOF
   The desired configuration options for master authorized networks. Omit the nested cidr_blocks attribute to disallow external access (except the cluster node IPs, which GKE automatically whitelists)
@@ -93,6 +103,7 @@ variable "enable_binary_authorization" {
 }
 
 variable "pod_security_policy_config" {
+  type = list(object({enabled:bool}))
   description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
 
   default     = [{
@@ -102,60 +113,71 @@ variable "pod_security_policy_config" {
 
 {% endif %}
 variable "horizontal_pod_autoscaling" {
+  type        = bool
   description = "Enable horizontal pod autoscaling addon"
   default     = true
 }
 
 variable "http_load_balancing" {
+  type        = bool
   description = "Enable httpload balancer addon"
   default     = true
 }
 
 variable "kubernetes_dashboard" {
+  type        = bool
   description = "Enable kubernetes dashboard addon"
   default     = false
 }
 
 variable "network_policy" {
+  type        = bool
   description = "Enable network policy addon"
   default     = false
 }
 
 variable "network_policy_provider" {
+  type        = string
   description = "The network policy provider."
   default     = "CALICO"
 }
 
 variable "maintenance_start_time" {
+  type        = string
   description = "Time window specified for daily maintenance operations in RFC3339 format"
   default     = "05:00"
 }
 
 variable "ip_range_pods" {
+  type        = string
   description = "The _name_ of the secondary subnet ip range to use for pods"
 }
 
 variable "ip_range_services" {
+  type        = string
   description = "The _name_ of the secondary subnet range to use for services"
 }
 
 variable "initial_node_count" {
+  type        = number
   description = "The number of nodes to create in this cluster's default node pool."
   default     = 0
 }
 
 variable "remove_default_node_pool" {
+  type        = bool
   description = "Remove default node pool while setting up the cluster"
   default     = false
 }
 
 variable "disable_legacy_metadata_endpoints" {
+  type        = bool
   description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated."
-  default     = "true"
+  default     = true
 }
 
 variable "node_pools" {
-  type        = "list"
+  type        = list(map(string))
   description = "List of maps containing node pools"
 
   default = [
@@ -166,7 +188,7 @@ variable "node_pools" {
 }
 
 variable "node_pools_labels" {
-  type        = "map"
+  type        = map(map(string))
   description = "Map of maps containing node labels by node-pool name"
 
   default = {
@@ -176,7 +198,7 @@ variable "node_pools_labels" {
 }
 
 variable "node_pools_metadata" {
-  type        = "map"
+  type        = map(map(string))
   description = "Map of maps containing node metadata by node-pool name"
 
   default = {
@@ -186,7 +208,7 @@ variable "node_pools_metadata" {
 }
 
 variable "node_pools_taints" {
-  type        = "map"
+  type        = map(list(object({key=string,value=string,effect=string})))
   description = "Map of lists containing node taints by node-pool name"
 
   default = {
@@ -196,7 +218,7 @@ variable "node_pools_taints" {
 }
 
 variable "node_pools_tags" {
-  type        = "map"
+  type        = map(list(string))
   description = "Map of lists containing node network tags by node-pool name"
 
   default = {
@@ -206,7 +228,7 @@ variable "node_pools_tags" {
 }
 
 variable "node_pools_oauth_scopes" {
-  type        = "map"
+  type        = map(list(string))
   description = "Map of lists containing node oauth scopes by node-pool name"
 
   default = {
@@ -216,75 +238,87 @@ variable "node_pools_oauth_scopes" {
 }
 
 variable "stub_domains" {
-  type        = "map"
+  type        = map(list(string))
   description = "Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server"
   default     = {}
 }
 
 variable "non_masquerade_cidrs" {
-  type        = "list"
+  type        = list(string)
   description = "List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading."
   default     = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
 }
 
 variable "ip_masq_resync_interval" {
+  type        = string
   description = "The interval at which the agent attempts to sync its ConfigMap file from the disk."
   default     = "60s"
 }
 
 variable "ip_masq_link_local" {
+  type        = bool
   description = "Whether to masquerade traffic to the link-local prefix (169.254.0.0/16)."
-  default     = "false"
+  default     = false
 }
 
 variable "logging_service" {
+  type        = string
   description = "The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none"
   default     = "logging.googleapis.com"
 }
 
 variable "monitoring_service" {
+  type        = string
   description = "The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none"
   default     = "monitoring.googleapis.com"
 }
 
 variable "service_account" {
+  type        = string
   description = "The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created."
   default     = "create"
 }
 {% if private_cluster %}
 
 variable "deploy_using_private_endpoint" {
+  type        = bool
   description = "(Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment."
-  default     = "false"
+  default     = false
 }
 
 variable "enable_private_endpoint" {
+  type        = bool
   description = "(Beta) Whether the master's internal IP address is used as the cluster endpoint"
   default     = false
 }
 
 variable "enable_private_nodes" {
+  type        = bool
   description = "(Beta) Whether nodes have internal IP addresses only"
   default     = false
 }
 
 variable "master_ipv4_cidr_block" {
+  type        = string
   description = "(Beta) The IP range in CIDR notation to use for the hosted master network"
   default     = "10.0.0.0/28"
 }
 {% endif %}
 
 variable "basic_auth_username" {
+  type        = string
   description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration."
   default     = ""
 }
 
 variable "basic_auth_password" {
+  type        = string
   description = "The password to be used with Basic Authentication."
   default     = ""
 }
 
 variable "issue_client_certificate" {
+  type        = bool
   description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"
-  default     = "false"
+  default     = false
 }
diff --git a/autogen/versions.tf b/autogen/versions.tf
new file mode 100644
index 0000000000..ac97c6ac8e
--- /dev/null
+++ b/autogen/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+  required_version = ">= 0.12"
+}
diff --git a/cluster_regional.tf b/cluster_regional.tf
index 518ef23a9c..70e122f733 100644
--- a/cluster_regional.tf
+++ b/cluster_regional.tf
@@ -20,70 +20,84 @@
   Create regional cluster
  *****************************************/
 resource "google_container_cluster" "primary" {
-  provider    = "google"
-  count       = "${var.regional ? 1 : 0}"
-  name        = "${var.name}"
-  description = "${var.description}"
-  project     = "${var.project_id}"
+  provider    = google
+  count       = var.regional ? 1 : 0
+  name        = var.name
+  description = var.description
+  project     = var.project_id
 
-  region         = "${var.region}"
-  node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"]
+  region = var.region
+  node_locations = coalescelist(
+    compact(var.zones),
+    sort(random_shuffle.available_zones.result),
+  )
 
-  network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
+  network = data.google_compute_network.gke_network.self_link
 
   network_policy {
-    enabled  = "${var.network_policy}"
-    provider = "${var.network_policy_provider}"
+    enabled  = var.network_policy
+    provider = var.network_policy_provider
   }
 
-  subnetwork         = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}"
-  min_master_version = "${local.kubernetes_version_regional}"
-
-  logging_service    = "${var.logging_service}"
-  monitoring_service = "${var.monitoring_service}"
-
-  master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
+  subnetwork         = data.google_compute_subnetwork.gke_subnetwork.self_link
+  min_master_version = local.kubernetes_version_regional
+
+  logging_service    = var.logging_service
+  monitoring_service = var.monitoring_service
+
+  dynamic "master_authorized_networks_config" {
+    for_each = var.master_authorized_networks_config
+    content {
+      dynamic "cidr_blocks" {
+        for_each = master_authorized_networks_config.value.cidr_blocks
+        content {
+          cidr_block   = lookup(cidr_blocks.value, "cidr_block", "")
+          display_name = lookup(cidr_blocks.value, "display_name", "")
+        }
+      }
+    }
+  }
 
   master_auth {
-    username = "${var.basic_auth_username}"
-    password = "${var.basic_auth_password}"
+    username = var.basic_auth_username
+    password = var.basic_auth_password
 
     client_certificate_config {
-      issue_client_certificate = "${var.issue_client_certificate}"
+      issue_client_certificate = var.issue_client_certificate
     }
   }
 
   addons_config {
     http_load_balancing {
-      disabled = "${var.http_load_balancing ? 0 : 1}"
+      disabled = ! var.http_load_balancing
     }
 
     horizontal_pod_autoscaling {
-      disabled = "${var.horizontal_pod_autoscaling ? 0 : 1}"
+      disabled = ! var.horizontal_pod_autoscaling
     }
 
     kubernetes_dashboard {
-      disabled = "${var.kubernetes_dashboard ? 0 : 1}"
+      disabled = ! var.kubernetes_dashboard
     }
 
     network_policy_config {
-      disabled = "${var.network_policy ? 0 : 1}"
+      disabled = ! var.network_policy
     }
   }
 
   ip_allocation_policy {
-    cluster_secondary_range_name  = "${var.ip_range_pods}"
-    services_secondary_range_name = "${var.ip_range_services}"
+    cluster_secondary_range_name  = var.ip_range_pods
+    services_secondary_range_name = var.ip_range_services
   }
 
   maintenance_policy {
     daily_maintenance_window {
-      start_time = "${var.maintenance_start_time}"
+      start_time = var.maintenance_start_time
     }
   }
 
   lifecycle {
-    ignore_changes = ["node_pool"]
+    ignore_changes = [node_pool]
   }
 
   timeouts {
@@ -94,65 +108,119 @@ resource "google_container_cluster" "primary" {
 
   node_pool {
     name               = "default-pool"
-    initial_node_count = "${var.initial_node_count}"
+    initial_node_count = var.initial_node_count
 
     node_config {
-      service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
+      service_account = lookup(var.node_pools[0], "service_account", local.service_account)
     }
   }
 
-  remove_default_node_pool = "${var.remove_default_node_pool}"
+  remove_default_node_pool = var.remove_default_node_pool
 }
 
 /******************************************
   Create regional node pools
  *****************************************/
 resource "google_container_node_pool" "pools" {
-  provider           = "google-beta"
-  count              = "${var.regional ? length(var.node_pools) : 0}"
-  name               = "${lookup(var.node_pools[count.index], "name")}"
-  project            = "${var.project_id}"
-  region             = "${var.region}"
-  cluster            = "${google_container_cluster.primary.name}"
-  version            = "${lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(var.node_pools[count.index], "version", local.node_version_regional)}"
-  initial_node_count = "${lookup(var.node_pools[count.index], "initial_node_count", lookup(var.node_pools[count.index], "min_count", 1))}"
+  provider = google-beta
+  count    = var.regional ? length(var.node_pools) : 0
+  name     = var.node_pools[count.index]["name"]
+  project  = var.project_id
+  region   = var.region
+  cluster  = google_container_cluster.primary[0].name
+  version = lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(
+    var.node_pools[count.index],
+    "version",
+    local.node_version_regional,
+  )
+  initial_node_count = lookup(
+    var.node_pools[count.index],
+    "initial_node_count",
+    lookup(var.node_pools[count.index], "min_count", 1),
+  )
 
   autoscaling {
-    min_node_count = "${lookup(var.node_pools[count.index], "min_count", 1)}"
-    max_node_count = "${lookup(var.node_pools[count.index], "max_count", 100)}"
+    min_node_count = lookup(var.node_pools[count.index], "min_count", 1)
+    max_node_count = lookup(var.node_pools[count.index], "max_count", 100)
   }
 
   management {
-    auto_repair  = "${lookup(var.node_pools[count.index], "auto_repair", true)}"
-    auto_upgrade = "${lookup(var.node_pools[count.index], "auto_upgrade", true)}"
+    auto_repair  = lookup(var.node_pools[count.index], "auto_repair", true)
+    auto_upgrade = lookup(var.node_pools[count.index], "auto_upgrade", true)
   }
 
   node_config {
-    image_type   = "${lookup(var.node_pools[count.index], "image_type", "COS")}"
-    machine_type = "${lookup(var.node_pools[count.index], "machine_type", "n1-standard-2")}"
-    labels       = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_labels["all"], var.node_pools_labels[lookup(var.node_pools[count.index], "name")])}"
-    metadata     = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_metadata["all"], var.node_pools_metadata[lookup(var.node_pools[count.index], "name")], map("disable-legacy-endpoints", var.disable_legacy_metadata_endpoints))}"
-    taint        = "${concat(var.node_pools_taints["all"], var.node_pools_taints[lookup(var.node_pools[count.index], "name")])}"
-    tags         = ["${concat(list("gke-${var.name}"), list("gke-${var.name}-${lookup(var.node_pools[count.index], "name")}"), var.node_pools_tags["all"], var.node_pools_tags[lookup(var.node_pools[count.index], "name")])}"]
-
-    disk_size_gb    = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}"
-    disk_type       = "${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}"
-    service_account = "${lookup(var.node_pools[count.index], "service_account", local.service_account)}"
-    preemptible     = "${lookup(var.node_pools[count.index], "preemptible", false)}"
-
-    oauth_scopes = [
-      "${concat(var.node_pools_oauth_scopes["all"],
-      var.node_pools_oauth_scopes[lookup(var.node_pools[count.index], "name")])}",
-    ]
-
-    guest_accelerator {
-      type  = "${lookup(var.node_pools[count.index], "accelerator_type", "")}"
-      count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}"
+    image_type   = lookup(var.node_pools[count.index], "image_type", "COS")
+    machine_type = lookup(var.node_pools[count.index], "machine_type", "n1-standard-2")
+    labels = merge(
+      {
+        "cluster_name" = var.name
+      },
+      {
+        "node_pool" = var.node_pools[count.index]["name"]
+      },
+      var.node_pools_labels["all"],
+      var.node_pools_labels[var.node_pools[count.index]["name"]],
+    )
+    metadata = merge(
+      {
+        "cluster_name" = var.name
+      },
+      {
+        "node_pool" = var.node_pools[count.index]["name"]
+      },
+      var.node_pools_metadata["all"],
+      var.node_pools_metadata[var.node_pools[count.index]["name"]],
+      {
+        "disable-legacy-endpoints" = var.disable_legacy_metadata_endpoints
+      },
+    )
+    dynamic "taint" {
+      for_each = concat(
+        var.node_pools_taints["all"],
+        var.node_pools_taints[var.node_pools[count.index]["name"]],
+      )
+      content {
+        effect = taint.value.effect
+        key    = taint.value.key
+        value  = taint.value.value
+      }
+    }
+    tags = concat(
+      ["gke-${var.name}"],
+      ["gke-${var.name}-${var.node_pools[count.index]["name"]}"],
+      var.node_pools_tags["all"],
+      var.node_pools_tags[var.node_pools[count.index]["name"]],
+    )
+
+    disk_size_gb = lookup(var.node_pools[count.index], "disk_size_gb", 100)
+    disk_type    = lookup(var.node_pools[count.index], "disk_type", "pd-standard")
+    service_account = lookup(
+      var.node_pools[count.index],
+      "service_account",
+      local.service_account,
+    )
+    preemptible = lookup(var.node_pools[count.index], "preemptible", false)
+
+    oauth_scopes = concat(
+      var.node_pools_oauth_scopes["all"],
+      var.node_pools_oauth_scopes[var.node_pools[count.index]["name"]]
+    )
+
+    dynamic "guest_accelerator" {
+      for_each = lookup(var.node_pools[count.index], "accelerator_count", 0) > 0 ? [{
+        type  = lookup(var.node_pools[count.index], "accelerator_type", "")
+        count = lookup(var.node_pools[count.index], "accelerator_count", 0)
+      }] : []
+      content {
+        type  = guest_accelerator.value.type
+        count = guest_accelerator.value.count
+      }
     }
   }
 
   lifecycle {
-    ignore_changes = ["initial_node_count"]
+    ignore_changes = [initial_node_count]
   }
 
   timeouts {
@@ -163,16 +231,19 @@ resource "google_container_node_pool" "pools" {
 }
 
 resource "null_resource" "wait_for_regional_cluster" {
-  count = "${var.regional ? 1 : 0}"
+  count = var.regional ? 1 : 0
 
   provisioner "local-exec" {
     command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}"
   }
 
   provisioner "local-exec" {
-    when    = "destroy"
+    when    = destroy
     command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}"
   }
 
-  depends_on = ["google_container_cluster.primary", "google_container_node_pool.pools"]
+  depends_on = [
+    google_container_cluster.primary,
+    google_container_node_pool.pools,
+  ]
 }
diff --git a/cluster_zonal.tf b/cluster_zonal.tf
index 9b214db43b..4295eb82ac 100644
--- a/cluster_zonal.tf
+++ b/cluster_zonal.tf
@@ -20,70 +20,82 @@
   Create zonal cluster
  *****************************************/
 resource "google_container_cluster" "zonal_primary" {
-  provider    = "google"
-  count       = "${var.regional ? 0 : 1}"
-  name        = "${var.name}"
-  description = "${var.description}"
-  project     = "${var.project_id}"
+  provider    = google
+  count       = var.regional ? 0 : 1
+  name        = var.name
+  description = var.description
+  project     = var.project_id
 
-  zone           = "${var.zones[0]}"
-  node_locations = ["${slice(var.zones,1,length(var.zones))}"]
+  zone           = var.zones[0]
+  node_locations = slice(var.zones, 1, length(var.zones))
 
-  network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
+  network = data.google_compute_network.gke_network.self_link
 
   network_policy {
-    enabled  = "${var.network_policy}"
-    provider = "${var.network_policy_provider}"
+    enabled  = var.network_policy
+    provider = var.network_policy_provider
   }
 
-  subnetwork         = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}"
-  min_master_version = "${local.kubernetes_version_zonal}"
-
-  logging_service    = "${var.logging_service}"
-  monitoring_service = "${var.monitoring_service}"
+  subnetwork         = data.google_compute_subnetwork.gke_subnetwork.self_link
+  min_master_version = local.kubernetes_version_zonal
+
+  logging_service    = var.logging_service
+  monitoring_service = var.monitoring_service
+
+  dynamic "master_authorized_networks_config" {
+    for_each = var.master_authorized_networks_config
+    content {
+      dynamic "cidr_blocks" {
+        for_each = master_authorized_networks_config.value.cidr_blocks
+        content {
+          cidr_block   = lookup(cidr_blocks.value, "cidr_block", "")
+          display_name = lookup(cidr_blocks.value, "display_name", "")
+        }
+      }
+    }
+  }
 
-  master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {
-    username = "${var.basic_auth_username}"
-    password = "${var.basic_auth_password}"
+    username = var.basic_auth_username
+    password = var.basic_auth_password
 
     client_certificate_config {
-      issue_client_certificate = "${var.issue_client_certificate}"
+      issue_client_certificate = var.issue_client_certificate
     }
   }
 
   addons_config {
     http_load_balancing {
-      disabled = "${var.http_load_balancing ? 0 : 1}"
+      disabled = ! var.http_load_balancing
     }
 
     horizontal_pod_autoscaling {
-      disabled = "${var.horizontal_pod_autoscaling ? 0 : 1}"
+      disabled = ! var.horizontal_pod_autoscaling
     }
 
     kubernetes_dashboard {
-      disabled = "${var.kubernetes_dashboard ? 0 : 1}"
+      disabled = ! var.kubernetes_dashboard
     }
 
     network_policy_config {
-      disabled = "${var.network_policy ? 0 : 1}"
+      disabled = ! var.network_policy
     }
   }
 
   ip_allocation_policy {
-    cluster_secondary_range_name  = "${var.ip_range_pods}"
-    services_secondary_range_name = "${var.ip_range_services}"
+    cluster_secondary_range_name  = var.ip_range_pods
+    services_secondary_range_name = var.ip_range_services
   }
 
   maintenance_policy {
     daily_maintenance_window {
-      start_time = "${var.maintenance_start_time}"
+      start_time = var.maintenance_start_time
     }
   }
 
   lifecycle {
-    ignore_changes = ["node_pool"]
+    ignore_changes = [node_pool]
   }
 
   timeouts {
@@ -94,65 +106,121 @@ resource "google_container_cluster" "zonal_primary" {
 
   node_pool {
     name               = "default-pool"
-    initial_node_count = "${var.initial_node_count}"
+    initial_node_count = var.initial_node_count
 
     node_config {
-      service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
+      service_account = lookup(var.node_pools[0], "service_account", local.service_account)
     }
   }
 
-  remove_default_node_pool = "${var.remove_default_node_pool}"
+
+  remove_default_node_pool = var.remove_default_node_pool
 }
 
 /******************************************
   Create zonal node pools
  *****************************************/
 resource "google_container_node_pool" "zonal_pools" {
-  provider           = "google-beta"
-  count              = "${var.regional ? 0 : length(var.node_pools)}"
-  name               = "${lookup(var.node_pools[count.index], "name")}"
-  project            = "${var.project_id}"
-  zone               = "${var.zones[0]}"
-  cluster            = "${google_container_cluster.zonal_primary.name}"
-  version            = "${lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(var.node_pools[count.index], "version", local.node_version_zonal)}"
-  initial_node_count = "${lookup(var.node_pools[count.index], "initial_node_count", lookup(var.node_pools[count.index], "min_count", 1))}"
+  provider = google-beta
+  count    = var.regional ? 0 : length(var.node_pools)
+  name     = var.node_pools[count.index]["name"]
+  project  = var.project_id
+  zone     = var.zones[0]
+  cluster  = google_container_cluster.zonal_primary[0].name
+  version = lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(
+    var.node_pools[count.index],
+    "version",
+    local.node_version_zonal,
+  )
+  initial_node_count = lookup(
+    var.node_pools[count.index],
+    "initial_node_count",
+    lookup(var.node_pools[count.index], "min_count", 1),
+  )
 
   autoscaling {
-    min_node_count = "${lookup(var.node_pools[count.index], "min_count", 1)}"
-    max_node_count = "${lookup(var.node_pools[count.index], "max_count", 100)}"
+    min_node_count = lookup(var.node_pools[count.index], "min_count", 1)
+    max_node_count = lookup(var.node_pools[count.index], "max_count", 100)
   }
 
   management {
-    auto_repair  = "${lookup(var.node_pools[count.index], "auto_repair", true)}"
-    auto_upgrade = "${lookup(var.node_pools[count.index], "auto_upgrade", false)}"
+    auto_repair  = lookup(var.node_pools[count.index], "auto_repair", true)
+    auto_upgrade = lookup(var.node_pools[count.index], "auto_upgrade", false)
   }
 
   node_config {
-    image_type   = "${lookup(var.node_pools[count.index], "image_type", "COS")}"
-    machine_type = "${lookup(var.node_pools[count.index], "machine_type", "n1-standard-2")}"
-    labels       = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_labels["all"], var.node_pools_labels[lookup(var.node_pools[count.index], "name")])}"
-    metadata     = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_metadata["all"], var.node_pools_metadata[lookup(var.node_pools[count.index], "name")], map("disable-legacy-endpoints", var.disable_legacy_metadata_endpoints))}"
-    taint        = "${concat(var.node_pools_taints["all"], var.node_pools_taints[lookup(var.node_pools[count.index], "name")])}"
-    tags         = ["${concat(list("gke-${var.name}"), list("gke-${var.name}-${lookup(var.node_pools[count.index], "name")}"), var.node_pools_tags["all"], var.node_pools_tags[lookup(var.node_pools[count.index], "name")])}"]
-
-    disk_size_gb    = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}"
-    disk_type       = "${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}"
-    service_account = "${lookup(var.node_pools[count.index], "service_account", local.service_account)}"
-    preemptible     = "${lookup(var.node_pools[count.index], "preemptible", false)}"
-
-    oauth_scopes = [
-      "${concat(var.node_pools_oauth_scopes["all"],
-      var.node_pools_oauth_scopes[lookup(var.node_pools[count.index], "name")])}",
-    ]
-
-    guest_accelerator {
-      type  = "${lookup(var.node_pools[count.index], "accelerator_type", "")}"
-      count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}"
+    image_type   = lookup(var.node_pools[count.index], "image_type", "COS")
+    machine_type = lookup(var.node_pools[count.index], "machine_type", "n1-standard-2")
+    labels = merge(
+      {
+        "cluster_name" = var.name
+      },
+      {
+        "node_pool" = var.node_pools[count.index]["name"]
+      },
+      var.node_pools_labels["all"],
+      var.node_pools_labels[var.node_pools[count.index]["name"]],
+    )
+    metadata = merge(
+      {
+        "cluster_name" = var.name
+      },
+      {
+        "node_pool" = var.node_pools[count.index]["name"]
+      },
+      var.node_pools_metadata["all"],
+      var.node_pools_metadata[var.node_pools[count.index]["name"]],
+      {
+        "disable-legacy-endpoints" = var.disable_legacy_metadata_endpoints
+      },
+    )
+    dynamic "taint" {
+      for_each = concat(
+        var.node_pools_taints["all"],
+        var.node_pools_taints[var.node_pools[count.index]["name"]],
+      )
+      content {
+        effect = taint.value.effect
+        key    = taint.value.key
+        value  = taint.value.value
+      }
+    }
+
+    tags = concat(
+      ["gke-${var.name}"],
+      ["gke-${var.name}-${var.node_pools[count.index]["name"]}"],
+      var.node_pools_tags["all"],
+      var.node_pools_tags[var.node_pools[count.index]["name"]],
+    )
+
+    disk_size_gb = lookup(var.node_pools[count.index], "disk_size_gb", 100)
+    disk_type    = lookup(var.node_pools[count.index], "disk_type", "pd-standard")
+    service_account = lookup(
+      var.node_pools[count.index],
+      "service_account",
+      local.service_account,
+    )
+    preemptible = lookup(var.node_pools[count.index], "preemptible", false)
+
+    oauth_scopes = concat(
+      var.node_pools_oauth_scopes["all"],
+      var.node_pools_oauth_scopes[var.node_pools[count.index]["name"]],
+    )
+
+    dynamic "guest_accelerator" {
+      for_each = lookup(var.node_pools[count.index], "accelerator_count", 0) > 0 ? [{
+        type  = lookup(var.node_pools[count.index], "accelerator_type", "")
+        count = lookup(var.node_pools[count.index], "accelerator_count", 0)
+      }] : []
+      content {
+        type  = guest_accelerator.value.type
+        count = guest_accelerator.value.count
+      }
     }
   }
 
   lifecycle {
-    ignore_changes = ["initial_node_count"]
+    ignore_changes = [initial_node_count]
   }
 
   timeouts {
@@ -163,16 +231,19 @@ resource "google_container_node_pool" "zonal_pools" {
 }
 
 resource "null_resource" "wait_for_zonal_cluster" {
-  count = "${var.regional ? 0 : 1}"
+  count = var.regional ? 0 : 1
 
   provisioner "local-exec" {
     command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}"
   }
 
   provisioner "local-exec" {
-    when    = "destroy"
+    when    = destroy
     command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}"
   }
 
-  depends_on = ["google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"]
+  depends_on = [
+    google_container_cluster.zonal_primary,
+    google_container_node_pool.zonal_pools,
+  ]
 }
diff --git a/dns.tf b/dns.tf
index 25effe580a..4d37fcef0c 100644
--- a/dns.tf
+++ b/dns.tf
@@ -20,35 +20,48 @@
   Delete default kube-dns configmap
  *****************************************/
 resource "null_resource" "delete_default_kube_dns_configmap" {
-  count = "${local.custom_kube_dns_config ? 1 : 0}"
+  count = local.custom_kube_dns_config ? 1 : 0
 
   provisioner "local-exec" {
     command = "${path.module}/scripts/kubectl_wrapper.sh https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
   }
 
-  depends_on = ["data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"]
+  depends_on = [
+    data.google_client_config.default,
+    google_container_cluster.primary,
+    google_container_node_pool.pools,
+    google_container_cluster.zonal_primary,
+    google_container_node_pool.zonal_pools,
+  ]
 }
 
 /******************************************
   Create kube-dns confimap
  *****************************************/
 resource "kubernetes_config_map" "kube-dns" {
-  count = "${local.custom_kube_dns_config ? 1 : 0}"
+  count = local.custom_kube_dns_config ? 1 : 0
 
   metadata {
     name      = "kube-dns"
     namespace = "kube-system"
 
-    labels {
+    labels = {
       maintained_by = "terraform"
     }
   }
 
-  data {
+  data = {
     stubDomains = <<EOF
 ${jsonencode(var.stub_domains)}
 EOF
   }
 
-  depends_on = ["null_resource.delete_default_kube_dns_configmap", "data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"]
+  depends_on = [
+    null_resource.delete_default_kube_dns_configmap,
+    data.google_client_config.default,
+    google_container_cluster.primary,
+    google_container_node_pool.pools,
+    google_container_cluster.zonal_primary,
+    google_container_node_pool.zonal_pools,
+  ]
 }
diff --git a/docs/upgrading_to_v2.0.md b/docs/upgrading_to_v2.0.md
index 55604daec3..1863baccf2 100644
--- a/docs/upgrading_to_v2.0.md
+++ b/docs/upgrading_to_v2.0.md
@@ -75,7 +75,7 @@ module "enabling-basic-auth" {
   basic_auth_username = "admin"
   basic_auth_password = "s3crets!"
 
-  regional          = "true"
+  regional          = true
   region            = "${var.region}"
   network           = "${var.network}"
   subnetwork        = "${var.subnetwork}"
@@ -101,9 +101,9 @@ module "enabling-client-certificate" {
   project_id = "${var.project_id}"
   name       = "cluster-with-client-certificate"
 
-  issue_client_certificate = "true"
+  issue_client_certificate = true
 
-  regional          = "true"
+  regional          = true
   region            = "${var.region}"
   network           = "${var.network}"
   subnetwork        = "${var.subnetwork}"
diff --git a/examples/deploy_service/main.tf b/examples/deploy_service/main.tf
index 05a0acbd90..5c79ac2232 100644
--- a/examples/deploy_service/main.tf
+++ b/examples/deploy_service/main.tf
@@ -19,42 +19,43 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.7.0"
-  region  = "${var.region}"
+  version = "~> 2.8.0"
+  region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.7.0"
-  region  = "${var.region}"
+  version = "~> 2.8.0"
+  region  = var.region
 }
 
 provider "kubernetes" {
   load_config_file       = false
   host                   = "https://${module.gke.endpoint}"
-  token                  = "${data.google_client_config.default.access_token}"
-  cluster_ca_certificate = "${base64decode(module.gke.ca_certificate)}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
 }
 
-data "google_client_config" "default" {}
+data "google_client_config" "default" {
+}
 
 module "gke" {
   source     = "../../"
-  project_id = "${var.project_id}"
+  project_id = var.project_id
   name       = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
-  region     = "${var.region}"
-  network    = "${var.network}"
-  subnetwork = "${var.subnetwork}"
+  region     = var.region
+  network    = var.network
+  subnetwork = var.subnetwork
 
-  ip_range_pods     = "${var.ip_range_pods}"
-  ip_range_services = "${var.ip_range_services}"
-  service_account   = "${var.compute_engine_service_account}"
+  ip_range_pods     = var.ip_range_pods
+  ip_range_services = var.ip_range_services
+  service_account   = var.compute_engine_service_account
 }
 
 resource "kubernetes_pod" "nginx-example" {
   metadata {
     name = "nginx-example"
 
-    labels {
+    labels = {
       maintained_by = "terraform"
       app           = "nginx-example"
     }
@@ -67,7 +68,7 @@ resource "kubernetes_pod" "nginx-example" {
     }
   }
 
-  depends_on = ["module.gke"]
+  depends_on = [module.gke]
 }
 
 resource "kubernetes_service" "nginx-example" {
@@ -76,8 +77,8 @@ resource "kubernetes_service" "nginx-example" {
   }
 
   spec {
-    selector {
-      app = "${kubernetes_pod.nginx-example.metadata.0.labels.app}"
+    selector = {
+      app = kubernetes_pod.nginx-example.metadata[0].labels.app
     }
 
     session_affinity = "ClientIP"
@@ -90,5 +91,6 @@ resource "kubernetes_service" "nginx-example" {
     type = "LoadBalancer"
   }
 
-  depends_on = ["module.gke"]
+  depends_on = [module.gke]
 }
+
diff --git a/examples/deploy_service/outputs.tf b/examples/deploy_service/outputs.tf
index 9881585a48..0d972dcd88 100644
--- a/examples/deploy_service/outputs.tf
+++ b/examples/deploy_service/outputs.tf
@@ -16,19 +16,20 @@
 
 output "kubernetes_endpoint" {
   sensitive = true
-  value     = "${module.gke.endpoint}"
+  value     = module.gke.endpoint
 }
 
 output "client_token" {
   sensitive = true
-  value     = "${base64encode(data.google_client_config.default.access_token)}"
+  value     = base64encode(data.google_client_config.default.access_token)
 }
 
 output "ca_certificate" {
-  value = "${module.gke.ca_certificate}"
+  value = module.gke.ca_certificate
 }
 
 output "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`."
-  value       = "${module.gke.service_account}"
+  value       = module.gke.service_account
 }
+
diff --git a/examples/deploy_service/variables.tf b/examples/deploy_service/variables.tf
index a4409795b7..6121eab9ea 100644
--- a/examples/deploy_service/variables.tf
+++ b/examples/deploy_service/variables.tf
@@ -46,3 +46,4 @@ variable "ip_range_services" {
 variable "compute_engine_service_account" {
   description = "Service account to associate to the nodes in the cluster"
 }
+
diff --git a/examples/disable_client_cert/main.tf b/examples/disable_client_cert/main.tf
index 3f27c8a170..169c4b9bde 100644
--- a/examples/disable_client_cert/main.tf
+++ b/examples/disable_client_cert/main.tf
@@ -19,29 +19,30 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.7.0"
-  region  = "${var.region}"
+  version = "~> 2.8.0"
+  region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.7.0"
-  region  = "${var.region}"
+  version = "~> 2.8.0"
+  region  = var.region
 }
 
-
 module "gke" {
   source = "../../"
 
-  project_id               = "${var.project_id}"
+  project_id               = var.project_id
   name                     = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
-  region                   = "${var.region}"
-  network                  = "${var.network}"
-  network_project_id       = "${var.network_project_id}"
-  subnetwork               = "${var.subnetwork}"
-  ip_range_pods            = "${var.ip_range_pods}"
-  ip_range_services        = "${var.ip_range_services}"
-  service_account          = "${var.compute_engine_service_account}"
+  region                   = var.region
+  network                  = var.network
+  network_project_id       = var.network_project_id
+  subnetwork               = var.subnetwork
+  ip_range_pods            = var.ip_range_pods
+  ip_range_services        = var.ip_range_services
+  service_account          = var.compute_engine_service_account
   issue_client_certificate = false
 }
 
-data "google_client_config" "default" {}
+data "google_client_config" "default" {
+}
+
diff --git a/examples/disable_client_cert/outputs.tf b/examples/disable_client_cert/outputs.tf
index 4cb7de00ef..0d972dcd88 100644
--- a/examples/disable_client_cert/outputs.tf
+++ b/examples/disable_client_cert/outputs.tf
@@ -16,19 +16,20 @@
 
 output "kubernetes_endpoint" {
   sensitive = true
-  value     = "${module.gke.endpoint}"
+  value     = module.gke.endpoint
 }
 
 output "client_token" {
   sensitive = true
-  value     = "${base64encode(data.google_client_config.default.access_token)}"
+  value     = base64encode(data.google_client_config.default.access_token)
 }
 
 output "ca_certificate" {
-  value = "${module.gke.ca_certificate}"
+  value = module.gke.ca_certificate
 }
 
 output "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`."
-  value       = "${local.service_account}"
+  value       = module.gke.service_account
 }
+
diff --git a/examples/disable_client_cert/variables.tf b/examples/disable_client_cert/variables.tf
index 645d2311a1..f1fdb25856 100644
--- a/examples/disable_client_cert/variables.tf
+++ b/examples/disable_client_cert/variables.tf
@@ -54,3 +54,4 @@ variable "ip_range_services" {
 variable "compute_engine_service_account" {
   description = "Service account to associate to the nodes in the cluster"
 }
+
diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf
index 9df06457d2..dcd8c52569 100644
--- a/examples/node_pool/main.tf
+++ b/examples/node_pool/main.tf
@@ -19,35 +19,35 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.7.0"
-  region  = "${var.region}"
+  version = "~> 2.8.0"
+  region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.7.0"
-  region  = "${var.region}"
+  version = "~> 2.8.0"
+  region  = var.region
 }
 
 module "gke" {
   source                            = "../../"
-  project_id                        = "${var.project_id}"
+  project_id                        = var.project_id
   name                              = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
-  regional                          = "false"
-  region                            = "${var.region}"
-  zones                             = "${var.zones}"
-  network                           = "${var.network}"
-  subnetwork                        = "${var.subnetwork}"
-  ip_range_pods                     = "${var.ip_range_pods}"
-  ip_range_services                 = "${var.ip_range_services}"
-  remove_default_node_pool          = "true"
-  disable_legacy_metadata_endpoints = "false"
+  regional                          = false
+  region                            = var.region
+  zones                             = var.zones
+  network                           = var.network
+  subnetwork                        = var.subnetwork
+  ip_range_pods                     = var.ip_range_pods
+  ip_range_services                 = var.ip_range_services
+  remove_default_node_pool          = true
+  disable_legacy_metadata_endpoints = false
 
   node_pools = [
     {
       name            = "pool-01"
       min_count       = 1
       max_count       = 2
-      service_account = "${var.compute_engine_service_account}"
+      service_account = var.compute_engine_service_account
       auto_upgrade    = true
     },
     {
@@ -61,37 +61,31 @@ module "gke" {
       accelerator_type  = "nvidia-tesla-p4"
       image_type        = "COS"
       auto_repair       = false
-      service_account   = "${var.compute_engine_service_account}"
+      service_account   = var.compute_engine_service_account
     },
   ]
 
   node_pools_oauth_scopes = {
-    all = []
-
+    all     = []
     pool-01 = []
-
     pool-02 = []
   }
 
   node_pools_metadata = {
     all = {}
-
     pool-01 = {
-      shutdown-script = "${file("${path.module}/data/shutdown-script.sh")}"
+      shutdown-script = file("${path.module}/data/shutdown-script.sh")
     }
-
     pool-02 = {}
   }
 
   node_pools_labels = {
     all = {
-      all-pools-example = "true"
+      all-pools-example = true
     }
-
     pool-01 = {
-      pool-01-example = "true"
+      pool-01-example = true
     }
-
     pool-02 = {}
   }
 
@@ -99,19 +93,17 @@ module "gke" {
     all = [
       {
         key    = "all-pools-example"
-        value  = "true"
+        value  = true
         effect = "PREFER_NO_SCHEDULE"
       },
     ]
-
     pool-01 = [
       {
         key    = "pool-01-example"
-        value  = "true"
+        value  = true
         effect = "PREFER_NO_SCHEDULE"
       },
     ]
-
     pool-02 = []
   }
 
@@ -119,13 +111,13 @@ module "gke" {
     all = [
       "all-node-example",
     ]
-
     pool-01 = [
       "pool-01-example",
     ]
-
     pool-02 = []
   }
 }
 
-data "google_client_config" "default" {}
+data "google_client_config" "default" {
+}
+
diff --git a/examples/node_pool/outputs.tf b/examples/node_pool/outputs.tf
index 9881585a48..0d972dcd88 100644
--- a/examples/node_pool/outputs.tf
+++ b/examples/node_pool/outputs.tf
@@ -16,19 +16,20 @@
 
 output "kubernetes_endpoint" {
   sensitive = true
-  value     = "${module.gke.endpoint}"
+  value     = module.gke.endpoint
 }
 
 output "client_token" {
   sensitive = true
-  value     = "${base64encode(data.google_client_config.default.access_token)}"
+  value     = base64encode(data.google_client_config.default.access_token)
 }
 
 output "ca_certificate" {
-  value = "${module.gke.ca_certificate}"
+  value = module.gke.ca_certificate
 }
 
 output "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`."
-  value       = "${module.gke.service_account}"
+  value       = module.gke.service_account
 }
+
diff --git a/examples/node_pool/variables.tf b/examples/node_pool/variables.tf
index 847277a5ba..040c78d2c4 100644
--- a/examples/node_pool/variables.tf
+++ b/examples/node_pool/variables.tf
@@ -28,7 +28,7 @@ variable "region" {
 }
 
 variable "zones" {
-  type        = "list"
+  type        = list(string)
   description = "The zone to host the cluster in (required if is a zonal cluster)"
 }
 
@@ -51,3 +51,4 @@ variable "ip_range_services" {
 variable "compute_engine_service_account" {
   description = "Service account to associate to the nodes in the cluster"
 }
+
diff --git a/examples/shared_vpc/main.tf b/examples/shared_vpc/main.tf
index b778f039ce..b4994c5bc7 100644
--- a/examples/shared_vpc/main.tf
+++ b/examples/shared_vpc/main.tf
@@ -19,26 +19,28 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.7.0"
-  region  = "${var.region}"
+  version = "~> 2.8.0"
+  region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.7.0"
-  region  = "${var.region}"
+  version = "~> 2.8.0"
+  region  = var.region
 }
 
 module "gke" {
   source             = "../../"
-  project_id         = "${var.project_id}"
+  project_id         = var.project_id
   name               = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
-  region             = "${var.region}"
-  network            = "${var.network}"
-  network_project_id = "${var.network_project_id}"
-  subnetwork         = "${var.subnetwork}"
-  ip_range_pods      = "${var.ip_range_pods}"
-  ip_range_services  = "${var.ip_range_services}"
-  service_account    = "${var.compute_engine_service_account}"
+  region             = var.region
+  network            = var.network
+  network_project_id = var.network_project_id
+  subnetwork         = var.subnetwork
+  ip_range_pods      = var.ip_range_pods
+  ip_range_services  = var.ip_range_services
+  service_account    = var.compute_engine_service_account
+}
+
+data "google_client_config" "default" {
 }
 
-data "google_client_config" "default" {}
diff --git a/examples/shared_vpc/outputs.tf b/examples/shared_vpc/outputs.tf
index 9881585a48..0d972dcd88 100644
--- a/examples/shared_vpc/outputs.tf
+++ b/examples/shared_vpc/outputs.tf
@@ -16,19 +16,20 @@
 
 output "kubernetes_endpoint" {
   sensitive = true
-  value     = "${module.gke.endpoint}"
+  value     = module.gke.endpoint
 }
 
 output "client_token" {
   sensitive = true
-  value     = "${base64encode(data.google_client_config.default.access_token)}"
+  value     = base64encode(data.google_client_config.default.access_token)
 }
 
 output "ca_certificate" {
-  value = "${module.gke.ca_certificate}"
+  value = module.gke.ca_certificate
 }
 
 output "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`."
-  value       = "${module.gke.service_account}"
+  value       = module.gke.service_account
 }
+
diff --git a/examples/shared_vpc/variables.tf b/examples/shared_vpc/variables.tf
index f8d1189671..6c918f2344 100644
--- a/examples/shared_vpc/variables.tf
+++ b/examples/shared_vpc/variables.tf
@@ -50,3 +50,4 @@ variable "ip_range_services" {
 variable "compute_engine_service_account" {
   description = "Service account to associate to the nodes in the cluster"
 }
+
diff --git a/examples/simple_regional/main.tf b/examples/simple_regional/main.tf
index 007f64d38d..851a76d694 100644
--- a/examples/simple_regional/main.tf
+++ b/examples/simple_regional/main.tf
@@ -19,26 +19,28 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.7.0"
-  region  = "${var.region}"
+  version = "~> 2.8.0"
+  region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.7.0"
-  region  = "${var.region}"
+  version = "~> 2.8.0"
+  region  = var.region
 }
 
 module "gke" {
   source            = "../../"
-  project_id        = "${var.project_id}"
+  project_id        = var.project_id
   name              = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
   regional          = true
-  region            = "${var.region}"
-  network           = "${var.network}"
-  subnetwork        = "${var.subnetwork}"
-  ip_range_pods     = "${var.ip_range_pods}"
-  ip_range_services = "${var.ip_range_services}"
-  service_account   = "${var.compute_engine_service_account}"
+  region            = var.region
+  network           = var.network
+  subnetwork        = var.subnetwork
+  ip_range_pods     = var.ip_range_pods
+  ip_range_services = var.ip_range_services
+  service_account   = var.compute_engine_service_account
+}
+
+data "google_client_config" "default" {
 }
 
-data "google_client_config" "default" {}
diff --git a/examples/simple_regional/outputs.tf b/examples/simple_regional/outputs.tf
index 9881585a48..0d972dcd88 100644
--- a/examples/simple_regional/outputs.tf
+++ b/examples/simple_regional/outputs.tf
@@ -16,19 +16,20 @@
 
 output "kubernetes_endpoint" {
   sensitive = true
-  value     = "${module.gke.endpoint}"
+  value     = module.gke.endpoint
 }
 
 output "client_token" {
   sensitive = true
-  value     = "${base64encode(data.google_client_config.default.access_token)}"
+  value     = base64encode(data.google_client_config.default.access_token)
 }
 
 output "ca_certificate" {
-  value = "${module.gke.ca_certificate}"
+  value = module.gke.ca_certificate
 }
 
 output "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`."
-  value       = "${module.gke.service_account}"
+  value       = module.gke.service_account
 }
+
diff --git a/examples/simple_regional/variables.tf b/examples/simple_regional/variables.tf
index a4409795b7..6121eab9ea 100644
--- a/examples/simple_regional/variables.tf
+++ b/examples/simple_regional/variables.tf
@@ -46,3 +46,4 @@ variable "ip_range_services" {
 variable "compute_engine_service_account" {
   description = "Service account to associate to the nodes in the cluster"
 }
+
diff --git a/examples/simple_regional_private/main.tf b/examples/simple_regional_private/main.tf
index 29ffe9528e..ea75e152b4 100644
--- a/examples/simple_regional_private/main.tf
+++ b/examples/simple_regional_private/main.tf
@@ -19,37 +19,43 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 2.7.0"
-  region  = "${var.region}"
+  version = "~> 2.8.0"
+  region  = var.region
 }
 
 data "google_compute_subnetwork" "subnetwork" {
-  name    = "${var.subnetwork}"
-  project = "${var.project_id}"
-  region  = "${var.region}"
+  name    = var.subnetwork
+  project = var.project_id
+  region  = var.region
 }
 
 module "gke" {
   source                  = "../../modules/private-cluster/"
-  project_id              = "${var.project_id}"
+  project_id              = var.project_id
   name                    = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
   regional                = true
-  region                  = "${var.region}"
-  network                 = "${var.network}"
-  subnetwork              = "${var.subnetwork}"
-  ip_range_pods           = "${var.ip_range_pods}"
-  ip_range_services       = "${var.ip_range_services}"
-  service_account         = "${var.compute_engine_service_account}"
+  region                  = var.region
+  network                 = var.network
+  subnetwork              = var.subnetwork
+  ip_range_pods           = var.ip_range_pods
+  ip_range_services       = var.ip_range_services
+  service_account         = var.compute_engine_service_account
   enable_private_endpoint = true
   enable_private_nodes    = true
   master_ipv4_cidr_block  = "172.16.0.0/28"
 
-  master_authorized_networks_config = [{
-    cidr_blocks = [{
-      cidr_block   = "${data.google_compute_subnetwork.subnetwork.ip_cidr_range}"
-      display_name = "VPC"
-    }]
-  }]
+  master_authorized_networks_config = [
+    {
+      cidr_blocks = [
+        {
+          cidr_block   = data.google_compute_subnetwork.subnetwork.ip_cidr_range
+          display_name = "VPC"
+        },
+      ]
+    },
+  ]
+}
+
+data "google_client_config" "default" {
 }
 
-data "google_client_config" "default" {}
diff --git a/examples/simple_regional_private/outputs.tf b/examples/simple_regional_private/outputs.tf
index 9881585a48..0d972dcd88 100644
--- a/examples/simple_regional_private/outputs.tf
+++ b/examples/simple_regional_private/outputs.tf
@@ -16,19 +16,20 @@
 
 output "kubernetes_endpoint" {
   sensitive = true
-  value     = "${module.gke.endpoint}"
+  value     = module.gke.endpoint
 }
 
 output "client_token" {
   sensitive = true
-  value     = "${base64encode(data.google_client_config.default.access_token)}"
+  value     = base64encode(data.google_client_config.default.access_token)
 }
 
 output "ca_certificate" {
-  value = "${module.gke.ca_certificate}"
+  value = module.gke.ca_certificate
 }
 
 output "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`."
-  value       = "${module.gke.service_account}"
+  value       = module.gke.service_account
 }
+
diff --git a/examples/simple_regional_private/variables.tf b/examples/simple_regional_private/variables.tf
index a4409795b7..6121eab9ea 100644
--- a/examples/simple_regional_private/variables.tf
+++ b/examples/simple_regional_private/variables.tf
@@ -46,3 +46,4 @@ variable "ip_range_services" {
 variable "compute_engine_service_account" {
   description = "Service account to associate to the nodes in the cluster"
 }
+
diff --git a/examples/simple_zonal/main.tf b/examples/simple_zonal/main.tf
index 734f3a6457..83bc7aa152 100644
--- a/examples/simple_zonal/main.tf
+++ b/examples/simple_zonal/main.tf
@@ -19,27 +19,29 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.7.0"
-  region  = "${var.region}"
+  version = "~> 2.8.0"
+  region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.7.0"
-  region  = "${var.region}"
+  version = "~> 2.8.0"
+  region  = var.region
 }
 
 module "gke" {
   source            = "../../"
-  project_id        = "${var.project_id}"
+  project_id        = var.project_id
   name              = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
   regional          = false
-  region            = "${var.region}"
-  zones             = "${var.zones}"
-  network           = "${var.network}"
-  subnetwork        = "${var.subnetwork}"
-  ip_range_pods     = "${var.ip_range_pods}"
-  ip_range_services = "${var.ip_range_services}"
+  region            = var.region
+  zones             = var.zones
+  network           = var.network
+  subnetwork        = var.subnetwork
+  ip_range_pods     = var.ip_range_pods
+  ip_range_services = var.ip_range_services
   service_account   = "create"
 }
 
-data "google_client_config" "default" {}
+data "google_client_config" "default" {
+}
+
diff --git a/examples/simple_zonal/outputs.tf b/examples/simple_zonal/outputs.tf
index 9881585a48..0d972dcd88 100644
--- a/examples/simple_zonal/outputs.tf
+++ b/examples/simple_zonal/outputs.tf
@@ -16,19 +16,20 @@
 
 output "kubernetes_endpoint" {
   sensitive = true
-  value     = "${module.gke.endpoint}"
+  value     = module.gke.endpoint
 }
 
 output "client_token" {
   sensitive = true
-  value     = "${base64encode(data.google_client_config.default.access_token)}"
+  value     = base64encode(data.google_client_config.default.access_token)
 }
 
 output "ca_certificate" {
-  value = "${module.gke.ca_certificate}"
+  value = module.gke.ca_certificate
 }
 
 output "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`."
-  value       = "${module.gke.service_account}"
+  value       = module.gke.service_account
 }
+
diff --git a/examples/simple_zonal/variables.tf b/examples/simple_zonal/variables.tf
index 62547edfcd..516116557c 100644
--- a/examples/simple_zonal/variables.tf
+++ b/examples/simple_zonal/variables.tf
@@ -28,7 +28,7 @@ variable "region" {
 }
 
 variable "zones" {
-  type        = "list"
+  type        = list(string)
   description = "The zone to host the cluster in (required if is a zonal cluster)"
 }
 
@@ -47,3 +47,4 @@ variable "ip_range_pods" {
 variable "ip_range_services" {
   description = "The secondary ip range to use for pods"
 }
+
diff --git a/examples/simple_zonal_private/main.tf b/examples/simple_zonal_private/main.tf
index e5d643e9d3..4fd87cade9 100644
--- a/examples/simple_zonal_private/main.tf
+++ b/examples/simple_zonal_private/main.tf
@@ -19,38 +19,44 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 2.7.0"
-  region  = "${var.region}"
+  version = "~> 2.8.0"
+  region  = var.region
 }
 
 data "google_compute_subnetwork" "subnetwork" {
-  name    = "${var.subnetwork}"
-  project = "${var.project_id}"
-  region  = "${var.region}"
+  name    = var.subnetwork
+  project = var.project_id
+  region  = var.region
 }
 
 module "gke" {
   source                  = "../../modules/private-cluster/"
-  project_id              = "${var.project_id}"
+  project_id              = var.project_id
   name                    = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
   regional                = false
-  region                  = "${var.region}"
-  zones                   = "${var.zones}"
-  network                 = "${var.network}"
-  subnetwork              = "${var.subnetwork}"
-  ip_range_pods           = "${var.ip_range_pods}"
-  ip_range_services       = "${var.ip_range_services}"
-  service_account         = "${var.compute_engine_service_account}"
+  region                  = var.region
+  zones                   = var.zones
+  network                 = var.network
+  subnetwork              = var.subnetwork
+  ip_range_pods           = var.ip_range_pods
+  ip_range_services       = var.ip_range_services
+  service_account         = var.compute_engine_service_account
   enable_private_endpoint = true
   enable_private_nodes    = true
   master_ipv4_cidr_block  = "172.16.0.0/28"
 
-  master_authorized_networks_config = [{
-    cidr_blocks = [{
-      cidr_block   = "${data.google_compute_subnetwork.subnetwork.ip_cidr_range}"
-      display_name = "VPC"
-    }]
-  }]
+  master_authorized_networks_config = [
+    {
+      cidr_blocks = [
+        {
+          cidr_block   = data.google_compute_subnetwork.subnetwork.ip_cidr_range
+          display_name = "VPC"
+        },
+      ]
+    },
+  ]
+}
+
+data "google_client_config" "default" {
 }
 
-data "google_client_config" "default" {}
diff --git a/examples/simple_zonal_private/outputs.tf b/examples/simple_zonal_private/outputs.tf
index 9881585a48..0d972dcd88 100644
--- a/examples/simple_zonal_private/outputs.tf
+++ b/examples/simple_zonal_private/outputs.tf
@@ -16,19 +16,20 @@
 
 output "kubernetes_endpoint" {
   sensitive = true
-  value     = "${module.gke.endpoint}"
+  value     = module.gke.endpoint
 }
 
 output "client_token" {
   sensitive = true
-  value     = "${base64encode(data.google_client_config.default.access_token)}"
+  value     = base64encode(data.google_client_config.default.access_token)
 }
 
 output "ca_certificate" {
-  value = "${module.gke.ca_certificate}"
+  value = module.gke.ca_certificate
 }
 
 output "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`."
-  value       = "${module.gke.service_account}"
+  value       = module.gke.service_account
 }
+
diff --git a/examples/simple_zonal_private/variables.tf b/examples/simple_zonal_private/variables.tf
index 847277a5ba..040c78d2c4 100644
--- a/examples/simple_zonal_private/variables.tf
+++ b/examples/simple_zonal_private/variables.tf
@@ -28,7 +28,7 @@ variable "region" {
 }
 
 variable "zones" {
-  type        = "list"
+  type        = list(string)
   description = "The zone to host the cluster in (required if is a zonal cluster)"
 }
 
@@ -51,3 +51,4 @@ variable "ip_range_services" {
 variable "compute_engine_service_account" {
   description = "Service account to associate to the nodes in the cluster"
 }
+
diff --git a/examples/stub_domains/main.tf b/examples/stub_domains/main.tf
index 0129ecab4b..77b6639d08 100644
--- a/examples/stub_domains/main.tf
+++ b/examples/stub_domains/main.tf
@@ -19,33 +19,32 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.7.0"
-  region  = "${var.region}"
+  version = "~> 2.8.0"
+  region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.7.0"
-  region  = "${var.region}"
+  version = "~> 2.8.0"
+  region  = var.region
 }
 
 module "gke" {
   source            = "../../"
-  project_id        = "${var.project_id}"
+  project_id        = var.project_id
   name              = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
-  region            = "${var.region}"
-  network           = "${var.network}"
-  subnetwork        = "${var.subnetwork}"
-  ip_range_pods     = "${var.ip_range_pods}"
-  ip_range_services = "${var.ip_range_services}"
+  region            = var.region
+  network           = var.network
+  subnetwork        = var.subnetwork
+  ip_range_pods     = var.ip_range_pods
+  ip_range_services = var.ip_range_services
   network_policy    = true
-  service_account   = "${var.compute_engine_service_account}"
+  service_account   = var.compute_engine_service_account
 
-  stub_domains {
+  stub_domains = {
     "example.com" = [
       "10.254.154.11",
       "10.254.154.12",
     ]
-
     "example.net" = [
       "10.254.154.11",
       "10.254.154.12",
@@ -53,4 +52,6 @@ module "gke" {
   }
 }
 
-data "google_client_config" "default" {}
+data "google_client_config" "default" {
+}
+
diff --git a/examples/stub_domains/outputs.tf b/examples/stub_domains/outputs.tf
index 9881585a48..0d972dcd88 100644
--- a/examples/stub_domains/outputs.tf
+++ b/examples/stub_domains/outputs.tf
@@ -16,19 +16,20 @@
 
 output "kubernetes_endpoint" {
   sensitive = true
-  value     = "${module.gke.endpoint}"
+  value     = module.gke.endpoint
 }
 
 output "client_token" {
   sensitive = true
-  value     = "${base64encode(data.google_client_config.default.access_token)}"
+  value     = base64encode(data.google_client_config.default.access_token)
 }
 
 output "ca_certificate" {
-  value = "${module.gke.ca_certificate}"
+  value = module.gke.ca_certificate
 }
 
 output "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`."
-  value       = "${module.gke.service_account}"
+  value       = module.gke.service_account
 }
+
diff --git a/examples/stub_domains/variables.tf b/examples/stub_domains/variables.tf
index a4409795b7..6121eab9ea 100644
--- a/examples/stub_domains/variables.tf
+++ b/examples/stub_domains/variables.tf
@@ -46,3 +46,4 @@ variable "ip_range_services" {
 variable "compute_engine_service_account" {
   description = "Service account to associate to the nodes in the cluster"
 }
+
diff --git a/examples/stub_domains_private/main.tf b/examples/stub_domains_private/main.tf
index 9369a572d4..7c072b64a7 100644
--- a/examples/stub_domains_private/main.tf
+++ b/examples/stub_domains_private/main.tf
@@ -15,8 +15,8 @@
  */
 
 provider "google-beta" {
-  version = "~> 2.2"
-  region  = "${var.region}"
+  version = "~> 2.8.0"
+  region  = var.region
 }
 
 provider "random" {
@@ -24,44 +24,47 @@ provider "random" {
 }
 
 data "google_compute_subnetwork" "subnetwork" {
-  name    = "${var.subnetwork}"
-  project = "${var.project_id}"
-  region  = "${var.region}"
+  name    = var.subnetwork
+  project = var.project_id
+  region  = var.region
 }
 
 module "gke" {
   source = "../../modules/private-cluster"
 
-  ip_range_pods     = "${var.ip_range_pods}"
-  ip_range_services = "${var.ip_range_services}"
+  ip_range_pods     = var.ip_range_pods
+  ip_range_services = var.ip_range_services
   name              = "stub-domains-private-cluster${var.cluster_name_suffix}"
-  network           = "${var.network}"
-  project_id        = "${var.project_id}"
-  region            = "${var.region}"
-  subnetwork        = "${var.subnetwork}"
+  network           = var.network
+  project_id        = var.project_id
+  region            = var.region
+  subnetwork        = var.subnetwork
 
-  deploy_using_private_endpoint = "true"
-  enable_private_endpoint       = "false"
-  enable_private_nodes          = "true"
+  deploy_using_private_endpoint = true
+  enable_private_endpoint       = false
+  enable_private_nodes          = true
 
-  master_authorized_networks_config = [{
-    cidr_blocks = [{
-      cidr_block   = "${data.google_compute_subnetwork.subnetwork.ip_cidr_range}"
-      display_name = "VPC"
-    }]
-  }]
+  master_authorized_networks_config = [
+    {
+      cidr_blocks = [
+        {
+          cidr_block   = data.google_compute_subnetwork.subnetwork.ip_cidr_range
+          display_name = "VPC"
+        },
+      ]
+    },
+  ]
 
   master_ipv4_cidr_block = "172.16.0.0/28"
 
-  network_policy  = "true"
-  service_account = "${var.compute_engine_service_account}"
+  network_policy  = true
+  service_account = var.compute_engine_service_account
 
-  stub_domains {
+  stub_domains = {
     "example.com" = [
       "10.254.154.11",
       "10.254.154.12",
     ]
-
     "example.net" = [
       "10.254.154.11",
       "10.254.154.12",
@@ -69,4 +72,6 @@ module "gke" {
   }
 }
 
-data "google_client_config" "default" {}
+data "google_client_config" "default" {
+}
+
diff --git a/examples/stub_domains_private/outputs.tf b/examples/stub_domains_private/outputs.tf
index 9881585a48..0d972dcd88 100644
--- a/examples/stub_domains_private/outputs.tf
+++ b/examples/stub_domains_private/outputs.tf
@@ -16,19 +16,20 @@
 
 output "kubernetes_endpoint" {
   sensitive = true
-  value     = "${module.gke.endpoint}"
+  value     = module.gke.endpoint
 }
 
 output "client_token" {
   sensitive = true
-  value     = "${base64encode(data.google_client_config.default.access_token)}"
+  value     = base64encode(data.google_client_config.default.access_token)
 }
 
 output "ca_certificate" {
-  value = "${module.gke.ca_certificate}"
+  value = module.gke.ca_certificate
 }
 
 output "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`."
-  value       = "${module.gke.service_account}"
+  value       = module.gke.service_account
 }
+
diff --git a/examples/stub_domains_private/test_outputs.tf b/examples/stub_domains_private/test_outputs.tf
index c1d4352219..53eab4ee12 100644
--- a/examples/stub_domains_private/test_outputs.tf
+++ b/examples/stub_domains_private/test_outputs.tf
@@ -18,46 +18,47 @@
 // They do not need to be included in real-world uses of this module
 
 output "project_id" {
-  value = "${var.project_id}"
+  value = var.project_id
 }
 
 output "region" {
-  value = "${module.gke.region}"
+  value = module.gke.region
 }
 
 output "cluster_name" {
   description = "Cluster name"
-  value       = "${module.gke.name}"
+  value       = module.gke.name
 }
 
 output "network" {
-  value = "${var.network}"
+  value = var.network
 }
 
 output "subnetwork" {
-  value = "${var.subnetwork}"
+  value = var.subnetwork
 }
 
 output "location" {
-  value = "${module.gke.location}"
+  value = module.gke.location
 }
 
 output "ip_range_pods" {
   description = "The secondary IP range used for pods"
-  value       = "${var.ip_range_pods}"
+  value       = var.ip_range_pods
 }
 
 output "ip_range_services" {
   description = "The secondary IP range used for services"
-  value       = "${var.ip_range_services}"
+  value       = var.ip_range_services
 }
 
 output "zones" {
   description = "List of zones in which the cluster resides"
-  value       = "${module.gke.zones}"
+  value       = module.gke.zones
 }
 
 output "master_kubernetes_version" {
   description = "The master Kubernetes version"
-  value       = "${module.gke.master_version}"
+  value       = module.gke.master_version
 }
+
diff --git a/examples/stub_domains_private/variables.tf b/examples/stub_domains_private/variables.tf
index a4409795b7..6121eab9ea 100644
--- a/examples/stub_domains_private/variables.tf
+++ b/examples/stub_domains_private/variables.tf
@@ -46,3 +46,4 @@ variable "ip_range_services" {
 variable "compute_engine_service_account" {
   description = "Service account to associate to the nodes in the cluster"
 }
+
diff --git a/main.tf b/main.tf
index e96d301c43..546262c646 100644
--- a/main.tf
+++ b/main.tf
@@ -20,140 +20,236 @@
   Get available zones in region
  *****************************************/
 data "google_compute_zones" "available" {
-  provider = "google"
-  project  = "${var.project_id}"
-  region   = "${var.region}"
+  provider = google
+  project  = var.project_id
+  region   = var.region
 }
 
 resource "random_shuffle" "available_zones" {
-  input        = ["${data.google_compute_zones.available.names}"]
+  input        = data.google_compute_zones.available.names
   result_count = 3
 }
 
 locals {
-  kubernetes_version_regional = "${var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_master_version}"
-  kubernetes_version_zonal    = "${var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version}"
-  node_version_regional       = "${var.node_version != "" && var.regional ? var.node_version : local.kubernetes_version_regional}"
-  node_version_zonal          = "${var.node_version != "" && !var.regional ? var.node_version : local.kubernetes_version_zonal}"
-  custom_kube_dns_config      = "${length(keys(var.stub_domains)) > 0 ? true : false}"
-  network_project_id          = "${var.network_project_id != "" ? var.network_project_id : var.project_id}"
+  kubernetes_version_regional = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_master_version
+  kubernetes_version_zonal    = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version
+  node_version_regional       = var.node_version != "" && var.regional ? var.node_version : local.kubernetes_version_regional
+  node_version_zonal          = var.node_version != "" && ! var.regional ? var.node_version : local.kubernetes_version_zonal
+  custom_kube_dns_config      = length(keys(var.stub_domains)) > 0
+  network_project_id          = var.network_project_id != "" ? var.network_project_id : var.project_id
 
-  cluster_type = "${var.regional ? "regional" : "zonal"}"
+  cluster_type = var.regional ? "regional" : "zonal"
 
   cluster_type_output_name = {
-    regional = "${element(concat(google_container_cluster.primary.*.name, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.name, list("")), 0)}"
+    regional = element(concat(google_container_cluster.primary.*.name, [""]), 0)
+    zonal = element(
+      concat(google_container_cluster.zonal_primary.*.name, [""]),
+      0,
+    )
   }
 
   cluster_type_output_location = {
-    regional = "${element(concat(google_container_cluster.primary.*.region, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.zone, list("")), 0)}"
+    regional = element(concat(google_container_cluster.primary.*.region, [""]), 0)
+    zonal = element(
+      concat(google_container_cluster.zonal_primary.*.zone, [""]),
+      0,
+    )
   }
 
   cluster_type_output_region = {
-    regional = "${element(concat(google_container_cluster.primary.*.region, list("")), 0)}"
-    zonal    = "${var.region}"
+    regional = element(concat(google_container_cluster.primary.*.region, [""]), 0)
+    zonal    = var.region
   }
 
-  cluster_type_output_regional_zones = "${flatten(google_container_cluster.primary.*.node_locations)}"
-  cluster_type_output_zonal_zones    = "${slice(var.zones, 1, length(var.zones))}"
+  cluster_type_output_regional_zones = flatten(google_container_cluster.primary.*.node_locations)
+  cluster_type_output_zonal_zones    = slice(var.zones, 1, length(var.zones))
 
   cluster_type_output_zones = {
-    regional = "${local.cluster_type_output_regional_zones}"
-    zonal    = "${concat(google_container_cluster.zonal_primary.*.zone, local.cluster_type_output_zonal_zones)}"
+    regional = local.cluster_type_output_regional_zones
+    zonal = concat(
+      google_container_cluster.zonal_primary.*.zone,
+      local.cluster_type_output_zonal_zones,
+    )
   }
 
   cluster_type_output_endpoint = {
-    regional = "${element(concat(google_container_cluster.primary.*.endpoint, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.endpoint, list("")), 0)}"
+    regional = element(concat(google_container_cluster.primary.*.endpoint, [""]), 0)
+    zonal = element(
+      concat(google_container_cluster.zonal_primary.*.endpoint, [""]),
+      0,
+    )
   }
 
   cluster_type_output_master_auth = {
-    regional = "${concat(google_container_cluster.primary.*.master_auth, list())}"
-    zonal    = "${concat(google_container_cluster.zonal_primary.*.master_auth, list())}"
+    regional = concat(google_container_cluster.primary.*.master_auth, [])
+    zonal    = concat(google_container_cluster.zonal_primary.*.master_auth, [])
   }
 
   cluster_type_output_master_version = {
-    regional = "${element(concat(google_container_cluster.primary.*.master_version, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.master_version, list("")), 0)}"
+    regional = element(
+      concat(google_container_cluster.primary.*.master_version, [""]),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.master_version,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_min_master_version = {
-    regional = "${element(concat(google_container_cluster.primary.*.min_master_version, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.min_master_version, list("")), 0)}"
+    regional = element(
+      concat(google_container_cluster.primary.*.min_master_version, [""]),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.min_master_version,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_logging_service = {
-    regional = "${element(concat(google_container_cluster.primary.*.logging_service, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.logging_service, list("")), 0)}"
+    regional = element(
+      concat(google_container_cluster.primary.*.logging_service, [""]),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.logging_service,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_monitoring_service = {
-    regional = "${element(concat(google_container_cluster.primary.*.monitoring_service, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.monitoring_service, list("")), 0)}"
+    regional = element(
+      concat(google_container_cluster.primary.*.monitoring_service, [""]),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.monitoring_service,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_network_policy_enabled = {
-    regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.network_policy_config.0.disabled, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.network_policy_config.0.disabled, list("")), 0)}"
+    regional = element(
+      concat(
+        google_container_cluster.primary.*.addons_config.0.network_policy_config.0.disabled,
+        [""],
+      ),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.addons_config.0.network_policy_config.0.disabled,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_http_load_balancing_enabled = {
-    regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.http_load_balancing.0.disabled, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.http_load_balancing.0.disabled, list("")), 0)}"
+    regional = element(
+      concat(
+        google_container_cluster.primary.*.addons_config.0.http_load_balancing.0.disabled,
+        [""],
+      ),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.addons_config.0.http_load_balancing.0.disabled,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_horizontal_pod_autoscaling_enabled = {
-    regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, list("")), 0)}"
+    regional = element(
+      concat(
+        google_container_cluster.primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled,
+        [""],
+      ),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_kubernetes_dashboard_enabled = {
-    regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.kubernetes_dashboard.0.disabled, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.kubernetes_dashboard.0.disabled, list("")), 0)}"
+    regional = element(
+      concat(
+        google_container_cluster.primary.*.addons_config.0.kubernetes_dashboard.0.disabled,
+        [""],
+      ),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.addons_config.0.kubernetes_dashboard.0.disabled,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_node_pools_names = {
-    regional = "${concat(google_container_node_pool.pools.*.name, list(""))}"
-    zonal    = "${concat(google_container_node_pool.zonal_pools.*.name, list(""))}"
+    regional = concat(google_container_node_pool.pools.*.name, [""])
+    zonal    = concat(google_container_node_pool.zonal_pools.*.name, [""])
   }
 
   cluster_type_output_node_pools_versions = {
-    regional = "${concat(google_container_node_pool.pools.*.version, list(""))}"
-    zonal    = "${concat(google_container_node_pool.zonal_pools.*.version, list(""))}"
+    regional = concat(google_container_node_pool.pools.*.version, [""])
+    zonal    = concat(google_container_node_pool.zonal_pools.*.version, [""])
   }
 
-  cluster_master_auth_list_layer1 = "${local.cluster_type_output_master_auth[local.cluster_type]}"
-  cluster_master_auth_list_layer2 = "${local.cluster_master_auth_list_layer1[0]}"
-  cluster_master_auth_map         = "${local.cluster_master_auth_list_layer2[0]}"
+  cluster_master_auth_list_layer1 = local.cluster_type_output_master_auth[local.cluster_type]
+  cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0]
+  cluster_master_auth_map         = local.cluster_master_auth_list_layer2[0]
 
   # cluster locals
-  cluster_name                = "${local.cluster_type_output_name[local.cluster_type]}"
-  cluster_location            = "${local.cluster_type_output_location[local.cluster_type]}"
-  cluster_region              = "${local.cluster_type_output_region[local.cluster_type]}"
-  cluster_zones               = "${sort(local.cluster_type_output_zones[local.cluster_type])}"
-  cluster_endpoint            = "${local.cluster_type_output_endpoint[local.cluster_type]}"
-  cluster_ca_certificate      = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}"
-  cluster_master_version      = "${local.cluster_type_output_master_version[local.cluster_type]}"
-  cluster_min_master_version  = "${local.cluster_type_output_min_master_version[local.cluster_type]}"
-  cluster_logging_service     = "${local.cluster_type_output_logging_service[local.cluster_type]}"
-  cluster_monitoring_service  = "${local.cluster_type_output_monitoring_service[local.cluster_type]}"
-  cluster_node_pools_names    = "${local.cluster_type_output_node_pools_names[local.cluster_type]}"
-  cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}"
-
-  cluster_network_policy_enabled             = "${local.cluster_type_output_network_policy_enabled[local.cluster_type] ? false : true}"
-  cluster_http_load_balancing_enabled        = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}"
-  cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}"
-  cluster_kubernetes_dashboard_enabled       = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}"
+  cluster_name                = local.cluster_type_output_name[local.cluster_type]
+  cluster_location            = local.cluster_type_output_location[local.cluster_type]
+  cluster_region              = local.cluster_type_output_region[local.cluster_type]
+  cluster_zones               = sort(local.cluster_type_output_zones[local.cluster_type])
+  cluster_endpoint            = local.cluster_type_output_endpoint[local.cluster_type]
+  cluster_ca_certificate      = local.cluster_master_auth_map["cluster_ca_certificate"]
+  cluster_master_version      = local.cluster_type_output_master_version[local.cluster_type]
+  cluster_min_master_version  = local.cluster_type_output_min_master_version[local.cluster_type]
+  cluster_logging_service     = local.cluster_type_output_logging_service[local.cluster_type]
+  cluster_monitoring_service  = local.cluster_type_output_monitoring_service[local.cluster_type]
+  cluster_node_pools_names    = local.cluster_type_output_node_pools_names[local.cluster_type]
+  cluster_node_pools_versions = local.cluster_type_output_node_pools_versions[local.cluster_type]
+
+  cluster_network_policy_enabled             = ! local.cluster_type_output_network_policy_enabled[local.cluster_type]
+  cluster_http_load_balancing_enabled        = ! local.cluster_type_output_http_load_balancing_enabled[local.cluster_type]
+  cluster_horizontal_pod_autoscaling_enabled = ! local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type]
+  cluster_kubernetes_dashboard_enabled       = ! local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type]
 }
 
 /******************************************
   Get available container engine versions
  *****************************************/
 data "google_container_engine_versions" "region" {
-  provider = "google-beta"
-  region   = "${var.region}"
-  project  = "${var.project_id}"
+  provider = google-beta
+  region   = var.region
+  project  = var.project_id
 }
 
 data "google_container_engine_versions" "zone" {
@@ -161,7 +257,7 @@ data "google_container_engine_versions" "zone" {
   //
   //     data.google_container_engine_versions.zone: Cannot determine zone: set in this resource, or set provider-level zone.
   //
-  zone = "${var.zones[0] == "" ? data.google_compute_zones.available.names[0] : var.zones[0]}"
+  zone = var.zones[0] == "" ? data.google_compute_zones.available.names[0] : var.zones[0]
 
-  project = "${var.project_id}"
+  project = var.project_id
 }
diff --git a/masq.tf b/masq.tf
index a78d263cef..7475b904de 100644
--- a/masq.tf
+++ b/masq.tf
@@ -20,18 +20,18 @@
   Create ip-masq-agent confimap
  *****************************************/
 resource "kubernetes_config_map" "ip-masq-agent" {
-  count = "${var.network_policy ? 1 : 0}"
+  count = var.network_policy ? 1 : 0
 
   metadata {
     name      = "ip-masq-agent"
     namespace = "kube-system"
 
-    labels {
+    labels = {
       maintained_by = "terraform"
     }
   }
 
-  data {
+  data = {
     config = <<EOF
 nonMasqueradeCIDRs:
   - ${join("\n  - ", var.non_masquerade_cidrs)}
@@ -40,5 +40,11 @@ masqLinkLocal: ${var.ip_masq_link_local}
 EOF
   }
 
-  depends_on = ["data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"]
+  depends_on = [
+    data.google_client_config.default,
+    google_container_cluster.primary,
+    google_container_node_pool.pools,
+    google_container_cluster.zonal_primary,
+    google_container_node_pool.zonal_pools,
+  ]
 }
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 0f173c16d6..695e79346e 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -61,7 +61,7 @@ module "gke" {
     all = {}
 
     default-node-pool = {
-      default-node-pool = "true"
+      default-node-pool = true
     }
   }
 
@@ -79,7 +79,7 @@ module "gke" {
     default-node-pool = [
       {
         key    = "default-node-pool"
-        value  = "true"
+        value  = true
         effect = "PREFER_NO_SCHEDULE"
       },
     ]
@@ -114,82 +114,6 @@ Version 1.0.0 of this module introduces a breaking change: adding the `disable-l
 In either case, upgrading to module version `v1.0.0` will trigger a recreation of all node pools in the cluster.
 
 [^]: (autogen_docs_start)
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no |
-| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no |
-| deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | string | `"false"` | no |
-| description | The description of the cluster | string | `""` | no |
-| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no |
-| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
-| enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | string | `"false"` | no |
-| enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | string | `"false"` | no |
-| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |
-| http\_load\_balancing | Enable httpload balancer addon | string | `"true"` | no |
-| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | string | `"0"` | no |
-| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | string | `"false"` | no |
-| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `"60s"` | no |
-| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes |
-| ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes |
-| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | string | `"false"` | no |
-| kubernetes\_dashboard | Enable kubernetes dashboard addon | string | `"false"` | no |
-| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no |
-| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com"` | no |
-| maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no |
-| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. Omit the nested cidr_blocks attribute to disallow external access (except the cluster node IPs, which GKE automatically whitelists)<br><br>  ### example format ###   master_authorized_networks_config = [{     cidr_blocks = [{       cidr_block   = "10.0.0.0/8"       display_name = "example_network"     }],   }] | list | `<list>` | no |
-| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | string | `"10.0.0.0/28"` | no |
-| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com"` | no |
-| name | The name of the cluster (required) | string | n/a | yes |
-| network | The VPC network to host the cluster in (required) | string | n/a | yes |
-| network\_policy | Enable network policy addon | string | `"false"` | no |
-| network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no |
-| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no |
-| node\_pools | List of maps containing node pools | list | `<list>` | no |
-| node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `<map>` | no |
-| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map | `<map>` | no |
-| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map | `<map>` | no |
-| node\_pools\_tags | Map of lists containing node network tags by node-pool name | map | `<map>` | no |
-| node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `<map>` | no |
-| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no |
-| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list | `<list>` | no |
-| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | list | `<list>` | no |
-| project\_id | The project ID to host the cluster in (required) | string | n/a | yes |
-| region | The region to host the cluster in (required) | string | n/a | yes |
-| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no |
-| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | string | `"false"` | no |
-| service\_account | The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created. | string | `"create"` | no |
-| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `<map>` | no |
-| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
-| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `<list>` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| ca\_certificate | Cluster ca certificate (base64 encoded) |
-| endpoint | Cluster endpoint |
-| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
-| http\_load\_balancing\_enabled | Whether http load balancing enabled |
-| kubernetes\_dashboard\_enabled | Whether kubernetes dashboard enabled |
-| location | Cluster location (region if regional cluster, zone if zonal cluster) |
-| logging\_service | Logging service used |
-| master\_authorized\_networks\_config | Networks from which access to master is permitted |
-| master\_version | Current master kubernetes version |
-| min\_master\_version | Minimum master kubernetes version |
-| monitoring\_service | Monitoring service used |
-| name | Cluster name |
-| network\_policy\_enabled | Whether network policy enabled |
-| node\_pools\_names | List of node pools names |
-| node\_pools\_versions | List of node pools versions |
-| pod\_security\_policy\_enabled | Whether pod security policy is enabled |
-| region | Cluster region |
-| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
-| type | Cluster type (regional / zonal) |
-| zones | List of zones in which the cluster resides |
-
 [^]: (autogen_docs_end)
 
 ## Requirements
@@ -207,8 +131,8 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog
 #### Kubectl
 - [kubectl](https://github.com/kubernetes/kubernetes/releases) 1.9.x
 #### Terraform and Plugins
-- [Terraform](https://www.terraform.io/downloads.html) 0.11.x
-- [terraform-provider-google-beta](https://github.com/terraform-providers/terraform-provider-google-beta) v2.3, v2.6, v2.7
+- [Terraform](https://www.terraform.io/downloads.html) 0.12.x
+- [terraform-provider-google-beta](https://github.com/terraform-providers/terraform-provider-google-beta) v2.8
 
 ### Configure a Service Account
 In order to execute this module you must have a Service Account with the
diff --git a/modules/private-cluster/auth.tf b/modules/private-cluster/auth.tf
index 0bbafaf4a2..c177eee5a7 100644
--- a/modules/private-cluster/auth.tf
+++ b/modules/private-cluster/auth.tf
@@ -20,7 +20,7 @@
   Retrieve authentication token
  *****************************************/
 data "google_client_config" "default" {
-  provider = "google-beta"
+  provider = google-beta
 }
 
 /******************************************
@@ -29,6 +29,6 @@ data "google_client_config" "default" {
 provider "kubernetes" {
   load_config_file       = false
   host                   = "https://${local.cluster_endpoint}"
-  token                  = "${data.google_client_config.default.access_token}"
-  cluster_ca_certificate = "${base64decode(local.cluster_ca_certificate)}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(local.cluster_ca_certificate)
 }
diff --git a/modules/private-cluster/cluster_regional.tf b/modules/private-cluster/cluster_regional.tf
index dc22a7b912..4552e24166 100644
--- a/modules/private-cluster/cluster_regional.tf
+++ b/modules/private-cluster/cluster_regional.tf
@@ -20,72 +20,93 @@
   Create regional cluster
  *****************************************/
 resource "google_container_cluster" "primary" {
-  provider    = "google-beta"
-  count       = "${var.regional ? 1 : 0}"
-  name        = "${var.name}"
-  description = "${var.description}"
-  project     = "${var.project_id}"
+  provider    = google-beta
+  count       = var.regional ? 1 : 0
+  name        = var.name
+  description = var.description
+  project     = var.project_id
 
-  region         = "${var.region}"
-  node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"]
+  region = var.region
+  node_locations = coalescelist(
+    compact(var.zones),
+    sort(random_shuffle.available_zones.result),
+  )
 
-  network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
+  network = data.google_compute_network.gke_network.self_link
 
   network_policy {
-    enabled  = "${var.network_policy}"
-    provider = "${var.network_policy_provider}"
+    enabled  = var.network_policy
+    provider = var.network_policy_provider
   }
 
-  subnetwork         = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}"
-  min_master_version = "${local.kubernetes_version_regional}"
+  subnetwork         = data.google_compute_subnetwork.gke_subnetwork.self_link
+  min_master_version = local.kubernetes_version_regional
 
-  logging_service    = "${var.logging_service}"
-  monitoring_service = "${var.monitoring_service}"
+  logging_service    = var.logging_service
+  monitoring_service = var.monitoring_service
 
-  enable_binary_authorization       = "${var.enable_binary_authorization}"
-  pod_security_policy_config        = "${var.pod_security_policy_config}"
-  master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
+  enable_binary_authorization = var.enable_binary_authorization
+
+  dynamic "pod_security_policy_config" {
+    for_each = var.pod_security_policy_config
+    content {
+      enabled = pod_security_policy_config.value.enabled
+    }
+  }
+
+  dynamic "master_authorized_networks_config" {
+    for_each = var.master_authorized_networks_config
+    content {
+      dynamic "cidr_blocks" {
+        for_each = master_authorized_networks_config.value.cidr_blocks
+        content {
+          cidr_block   = lookup(cidr_blocks.value, "cidr_block", "")
+          display_name = lookup(cidr_blocks.value, "display_name", "")
+        }
+      }
+    }
+  }
 
   master_auth {
-    username = "${var.basic_auth_username}"
-    password = "${var.basic_auth_password}"
+    username = var.basic_auth_username
+    password = var.basic_auth_password
 
     client_certificate_config {
-      issue_client_certificate = "${var.issue_client_certificate}"
+      issue_client_certificate = var.issue_client_certificate
     }
   }
 
   addons_config {
     http_load_balancing {
-      disabled = "${var.http_load_balancing ? 0 : 1}"
+      disabled = ! var.http_load_balancing
     }
 
     horizontal_pod_autoscaling {
-      disabled = "${var.horizontal_pod_autoscaling ? 0 : 1}"
+      disabled = ! var.horizontal_pod_autoscaling
     }
 
     kubernetes_dashboard {
-      disabled = "${var.kubernetes_dashboard ? 0 : 1}"
+      disabled = ! var.kubernetes_dashboard
     }
 
     network_policy_config {
-      disabled = "${var.network_policy ? 0 : 1}"
+      disabled = ! var.network_policy
     }
   }
 
   ip_allocation_policy {
-    cluster_secondary_range_name  = "${var.ip_range_pods}"
-    services_secondary_range_name = "${var.ip_range_services}"
+    cluster_secondary_range_name  = var.ip_range_pods
+    services_secondary_range_name = var.ip_range_services
   }
 
   maintenance_policy {
     daily_maintenance_window {
-      start_time = "${var.maintenance_start_time}"
+      start_time = var.maintenance_start_time
     }
   }
 
   lifecycle {
-    ignore_changes = ["node_pool"]
+    ignore_changes = [node_pool]
   }
 
   timeouts {
@@ -96,71 +117,125 @@ resource "google_container_cluster" "primary" {
 
   node_pool {
     name               = "default-pool"
-    initial_node_count = "${var.initial_node_count}"
+    initial_node_count = var.initial_node_count
 
     node_config {
-      service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
+      service_account = lookup(var.node_pools[0], "service_account", local.service_account)
     }
   }
 
   private_cluster_config {
-    enable_private_endpoint = "${var.enable_private_endpoint}"
-    enable_private_nodes    = "${var.enable_private_nodes}"
-    master_ipv4_cidr_block  = "${var.master_ipv4_cidr_block}"
+    enable_private_endpoint = var.enable_private_endpoint
+    enable_private_nodes    = var.enable_private_nodes
+    master_ipv4_cidr_block  = var.master_ipv4_cidr_block
   }
 
-  remove_default_node_pool = "${var.remove_default_node_pool}"
+  remove_default_node_pool = var.remove_default_node_pool
 }
 
 /******************************************
   Create regional node pools
  *****************************************/
 resource "google_container_node_pool" "pools" {
-  provider           = "google-beta"
-  count              = "${var.regional ? length(var.node_pools) : 0}"
-  name               = "${lookup(var.node_pools[count.index], "name")}"
-  project            = "${var.project_id}"
-  region             = "${var.region}"
-  cluster            = "${google_container_cluster.primary.name}"
-  version            = "${lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(var.node_pools[count.index], "version", local.node_version_regional)}"
-  initial_node_count = "${lookup(var.node_pools[count.index], "initial_node_count", lookup(var.node_pools[count.index], "min_count", 1))}"
+  provider = google-beta
+  count    = var.regional ? length(var.node_pools) : 0
+  name     = var.node_pools[count.index]["name"]
+  project  = var.project_id
+  region   = var.region
+  cluster  = google_container_cluster.primary[0].name
+  version = lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(
+    var.node_pools[count.index],
+    "version",
+    local.node_version_regional,
+  )
+  initial_node_count = lookup(
+    var.node_pools[count.index],
+    "initial_node_count",
+    lookup(var.node_pools[count.index], "min_count", 1),
+  )
 
   autoscaling {
-    min_node_count = "${lookup(var.node_pools[count.index], "min_count", 1)}"
-    max_node_count = "${lookup(var.node_pools[count.index], "max_count", 100)}"
+    min_node_count = lookup(var.node_pools[count.index], "min_count", 1)
+    max_node_count = lookup(var.node_pools[count.index], "max_count", 100)
   }
 
   management {
-    auto_repair  = "${lookup(var.node_pools[count.index], "auto_repair", true)}"
-    auto_upgrade = "${lookup(var.node_pools[count.index], "auto_upgrade", true)}"
+    auto_repair  = lookup(var.node_pools[count.index], "auto_repair", true)
+    auto_upgrade = lookup(var.node_pools[count.index], "auto_upgrade", true)
   }
 
   node_config {
-    image_type   = "${lookup(var.node_pools[count.index], "image_type", "COS")}"
-    machine_type = "${lookup(var.node_pools[count.index], "machine_type", "n1-standard-2")}"
-    labels       = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_labels["all"], var.node_pools_labels[lookup(var.node_pools[count.index], "name")])}"
-    metadata     = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_metadata["all"], var.node_pools_metadata[lookup(var.node_pools[count.index], "name")], map("disable-legacy-endpoints", var.disable_legacy_metadata_endpoints))}"
-    taint        = "${concat(var.node_pools_taints["all"], var.node_pools_taints[lookup(var.node_pools[count.index], "name")])}"
-    tags         = ["${concat(list("gke-${var.name}"), list("gke-${var.name}-${lookup(var.node_pools[count.index], "name")}"), var.node_pools_tags["all"], var.node_pools_tags[lookup(var.node_pools[count.index], "name")])}"]
-
-    disk_size_gb    = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}"
-    disk_type       = "${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}"
-    service_account = "${lookup(var.node_pools[count.index], "service_account", local.service_account)}"
-    preemptible     = "${lookup(var.node_pools[count.index], "preemptible", false)}"
-
-    oauth_scopes = [
-      "${concat(var.node_pools_oauth_scopes["all"],
-      var.node_pools_oauth_scopes[lookup(var.node_pools[count.index], "name")])}",
-    ]
-
-    guest_accelerator {
-      type  = "${lookup(var.node_pools[count.index], "accelerator_type", "")}"
-      count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}"
+    image_type   = lookup(var.node_pools[count.index], "image_type", "COS")
+    machine_type = lookup(var.node_pools[count.index], "machine_type", "n1-standard-2")
+    labels = merge(
+      {
+        "cluster_name" = var.name
+      },
+      {
+        "node_pool" = var.node_pools[count.index]["name"]
+      },
+      var.node_pools_labels["all"],
+      var.node_pools_labels[var.node_pools[count.index]["name"]],
+    )
+    metadata = merge(
+      {
+        "cluster_name" = var.name
+      },
+      {
+        "node_pool" = var.node_pools[count.index]["name"]
+      },
+      var.node_pools_metadata["all"],
+      var.node_pools_metadata[var.node_pools[count.index]["name"]],
+      {
+        "disable-legacy-endpoints" = var.disable_legacy_metadata_endpoints
+      },
+    )
+    dynamic "taint" {
+      for_each = concat(
+        var.node_pools_taints["all"],
+        var.node_pools_taints[var.node_pools[count.index]["name"]],
+      )
+      content {
+        effect = taint.value.effect
+        key    = taint.value.key
+        value  = taint.value.value
+      }
+    }
+    tags = concat(
+      ["gke-${var.name}"],
+      ["gke-${var.name}-${var.node_pools[count.index]["name"]}"],
+      var.node_pools_tags["all"],
+      var.node_pools_tags[var.node_pools[count.index]["name"]],
+    )
+
+    disk_size_gb = lookup(var.node_pools[count.index], "disk_size_gb", 100)
+    disk_type    = lookup(var.node_pools[count.index], "disk_type", "pd-standard")
+    service_account = lookup(
+      var.node_pools[count.index],
+      "service_account",
+      local.service_account,
+    )
+    preemptible = lookup(var.node_pools[count.index], "preemptible", false)
+
+    oauth_scopes = concat(
+      var.node_pools_oauth_scopes["all"],
+      var.node_pools_oauth_scopes[var.node_pools[count.index]["name"]]
+    )
+
+    dynamic "guest_accelerator" {
+      for_each = lookup(var.node_pools[count.index], "accelerator_count", 0) > 0 ? [{
+        type  = lookup(var.node_pools[count.index], "accelerator_type", "")
+        count = lookup(var.node_pools[count.index], "accelerator_count", 0)
+      }] : []
+      content {
+        type  = guest_accelerator.value.type
+        count = guest_accelerator.value.count
+      }
     }
   }
 
   lifecycle {
-    ignore_changes = ["initial_node_count"]
+    ignore_changes = [initial_node_count]
   }
 
   timeouts {
@@ -171,16 +246,19 @@ resource "google_container_node_pool" "pools" {
 }
 
 resource "null_resource" "wait_for_regional_cluster" {
-  count = "${var.regional ? 1 : 0}"
+  count = var.regional ? 1 : 0
 
   provisioner "local-exec" {
     command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}"
   }
 
   provisioner "local-exec" {
-    when    = "destroy"
+    when    = destroy
     command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}"
   }
 
-  depends_on = ["google_container_cluster.primary", "google_container_node_pool.pools"]
+  depends_on = [
+    google_container_cluster.primary,
+    google_container_node_pool.pools,
+  ]
 }
diff --git a/modules/private-cluster/cluster_zonal.tf b/modules/private-cluster/cluster_zonal.tf
index b451df9f7c..7a3fe7f76b 100644
--- a/modules/private-cluster/cluster_zonal.tf
+++ b/modules/private-cluster/cluster_zonal.tf
@@ -20,72 +20,90 @@
   Create zonal cluster
  *****************************************/
 resource "google_container_cluster" "zonal_primary" {
-  provider    = "google-beta"
-  count       = "${var.regional ? 0 : 1}"
-  name        = "${var.name}"
-  description = "${var.description}"
-  project     = "${var.project_id}"
+  provider    = google-beta
+  count       = var.regional ? 0 : 1
+  name        = var.name
+  description = var.description
+  project     = var.project_id
 
-  zone           = "${var.zones[0]}"
-  node_locations = ["${slice(var.zones,1,length(var.zones))}"]
+  zone           = var.zones[0]
+  node_locations = slice(var.zones, 1, length(var.zones))
 
-  network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
+  network = data.google_compute_network.gke_network.self_link
 
   network_policy {
-    enabled  = "${var.network_policy}"
-    provider = "${var.network_policy_provider}"
+    enabled  = var.network_policy
+    provider = var.network_policy_provider
   }
 
-  subnetwork         = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}"
-  min_master_version = "${local.kubernetes_version_zonal}"
+  subnetwork         = data.google_compute_subnetwork.gke_subnetwork.self_link
+  min_master_version = local.kubernetes_version_zonal
+
+  logging_service    = var.logging_service
+  monitoring_service = var.monitoring_service
+
+  dynamic "master_authorized_networks_config" {
+    for_each = var.master_authorized_networks_config
+    content {
+      dynamic "cidr_blocks" {
+        for_each = master_authorized_networks_config.value.cidr_blocks
+        content {
+          cidr_block   = lookup(cidr_blocks.value, "cidr_block", "")
+          display_name = lookup(cidr_blocks.value, "display_name", "")
+        }
+      }
+    }
+  }
 
-  logging_service    = "${var.logging_service}"
-  monitoring_service = "${var.monitoring_service}"
+  enable_binary_authorization = var.enable_binary_authorization
 
-  enable_binary_authorization       = "${var.enable_binary_authorization}"
-  pod_security_policy_config        = "${var.pod_security_policy_config}"
-  master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
+  dynamic "pod_security_policy_config" {
+    for_each = var.pod_security_policy_config
+    content {
+      enabled = pod_security_policy_config.value.enabled
+    }
+  }
 
   master_auth {
-    username = "${var.basic_auth_username}"
-    password = "${var.basic_auth_password}"
+    username = var.basic_auth_username
+    password = var.basic_auth_password
 
     client_certificate_config {
-      issue_client_certificate = "${var.issue_client_certificate}"
+      issue_client_certificate = var.issue_client_certificate
     }
   }
 
   addons_config {
     http_load_balancing {
-      disabled = "${var.http_load_balancing ? 0 : 1}"
+      disabled = ! var.http_load_balancing
     }
 
     horizontal_pod_autoscaling {
-      disabled = "${var.horizontal_pod_autoscaling ? 0 : 1}"
+      disabled = ! var.horizontal_pod_autoscaling
     }
 
     kubernetes_dashboard {
-      disabled = "${var.kubernetes_dashboard ? 0 : 1}"
+      disabled = ! var.kubernetes_dashboard
     }
 
     network_policy_config {
-      disabled = "${var.network_policy ? 0 : 1}"
+      disabled = ! var.network_policy
     }
   }
 
   ip_allocation_policy {
-    cluster_secondary_range_name  = "${var.ip_range_pods}"
-    services_secondary_range_name = "${var.ip_range_services}"
+    cluster_secondary_range_name  = var.ip_range_pods
+    services_secondary_range_name = var.ip_range_services
   }
 
   maintenance_policy {
     daily_maintenance_window {
-      start_time = "${var.maintenance_start_time}"
+      start_time = var.maintenance_start_time
     }
   }
 
   lifecycle {
-    ignore_changes = ["node_pool"]
+    ignore_changes = [node_pool]
   }
 
   timeouts {
@@ -96,71 +114,126 @@ resource "google_container_cluster" "zonal_primary" {
 
   node_pool {
     name               = "default-pool"
-    initial_node_count = "${var.initial_node_count}"
+    initial_node_count = var.initial_node_count
 
     node_config {
-      service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
+      service_account = lookup(var.node_pools[0], "service_account", local.service_account)
     }
   }
 
   private_cluster_config {
-    enable_private_endpoint = "${var.enable_private_endpoint}"
-    enable_private_nodes    = "${var.enable_private_nodes}"
-    master_ipv4_cidr_block  = "${var.master_ipv4_cidr_block}"
+    enable_private_endpoint = var.enable_private_endpoint
+    enable_private_nodes    = var.enable_private_nodes
+    master_ipv4_cidr_block  = var.master_ipv4_cidr_block
   }
 
-  remove_default_node_pool = "${var.remove_default_node_pool}"
+  remove_default_node_pool = var.remove_default_node_pool
 }
 
 /******************************************
   Create zonal node pools
  *****************************************/
 resource "google_container_node_pool" "zonal_pools" {
-  provider           = "google-beta"
-  count              = "${var.regional ? 0 : length(var.node_pools)}"
-  name               = "${lookup(var.node_pools[count.index], "name")}"
-  project            = "${var.project_id}"
-  zone               = "${var.zones[0]}"
-  cluster            = "${google_container_cluster.zonal_primary.name}"
-  version            = "${lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(var.node_pools[count.index], "version", local.node_version_zonal)}"
-  initial_node_count = "${lookup(var.node_pools[count.index], "initial_node_count", lookup(var.node_pools[count.index], "min_count", 1))}"
+  provider = google-beta
+  count    = var.regional ? 0 : length(var.node_pools)
+  name     = var.node_pools[count.index]["name"]
+  project  = var.project_id
+  zone     = var.zones[0]
+  cluster  = google_container_cluster.zonal_primary[0].name
+  version = lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(
+    var.node_pools[count.index],
+    "version",
+    local.node_version_zonal,
+  )
+  initial_node_count = lookup(
+    var.node_pools[count.index],
+    "initial_node_count",
+    lookup(var.node_pools[count.index], "min_count", 1),
+  )
 
   autoscaling {
-    min_node_count = "${lookup(var.node_pools[count.index], "min_count", 1)}"
-    max_node_count = "${lookup(var.node_pools[count.index], "max_count", 100)}"
+    min_node_count = lookup(var.node_pools[count.index], "min_count", 1)
+    max_node_count = lookup(var.node_pools[count.index], "max_count", 100)
   }
 
   management {
-    auto_repair  = "${lookup(var.node_pools[count.index], "auto_repair", true)}"
-    auto_upgrade = "${lookup(var.node_pools[count.index], "auto_upgrade", false)}"
+    auto_repair  = lookup(var.node_pools[count.index], "auto_repair", true)
+    auto_upgrade = lookup(var.node_pools[count.index], "auto_upgrade", false)
   }
 
   node_config {
-    image_type   = "${lookup(var.node_pools[count.index], "image_type", "COS")}"
-    machine_type = "${lookup(var.node_pools[count.index], "machine_type", "n1-standard-2")}"
-    labels       = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_labels["all"], var.node_pools_labels[lookup(var.node_pools[count.index], "name")])}"
-    metadata     = "${merge(map("cluster_name", var.name), map("node_pool", lookup(var.node_pools[count.index], "name")), var.node_pools_metadata["all"], var.node_pools_metadata[lookup(var.node_pools[count.index], "name")], map("disable-legacy-endpoints", var.disable_legacy_metadata_endpoints))}"
-    taint        = "${concat(var.node_pools_taints["all"], var.node_pools_taints[lookup(var.node_pools[count.index], "name")])}"
-    tags         = ["${concat(list("gke-${var.name}"), list("gke-${var.name}-${lookup(var.node_pools[count.index], "name")}"), var.node_pools_tags["all"], var.node_pools_tags[lookup(var.node_pools[count.index], "name")])}"]
-
-    disk_size_gb    = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}"
-    disk_type       = "${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}"
-    service_account = "${lookup(var.node_pools[count.index], "service_account", local.service_account)}"
-    preemptible     = "${lookup(var.node_pools[count.index], "preemptible", false)}"
-
-    oauth_scopes = [
-      "${concat(var.node_pools_oauth_scopes["all"],
-      var.node_pools_oauth_scopes[lookup(var.node_pools[count.index], "name")])}",
-    ]
-
-    guest_accelerator {
-      type  = "${lookup(var.node_pools[count.index], "accelerator_type", "")}"
-      count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}"
+    image_type   = lookup(var.node_pools[count.index], "image_type", "COS")
+    machine_type = lookup(var.node_pools[count.index], "machine_type", "n1-standard-2")
+    labels = merge(
+      {
+        "cluster_name" = var.name
+      },
+      {
+        "node_pool" = var.node_pools[count.index]["name"]
+      },
+      var.node_pools_labels["all"],
+      var.node_pools_labels[var.node_pools[count.index]["name"]],
+    )
+    metadata = merge(
+      {
+        "cluster_name" = var.name
+      },
+      {
+        "node_pool" = var.node_pools[count.index]["name"]
+      },
+      var.node_pools_metadata["all"],
+      var.node_pools_metadata[var.node_pools[count.index]["name"]],
+      {
+        "disable-legacy-endpoints" = var.disable_legacy_metadata_endpoints
+      },
+    )
+    dynamic "taint" {
+      for_each = concat(
+        var.node_pools_taints["all"],
+        var.node_pools_taints[var.node_pools[count.index]["name"]],
+      )
+      content {
+        effect = taint.value.effect
+        key    = taint.value.key
+        value  = taint.value.value
+      }
+    }
+
+    tags = concat(
+      ["gke-${var.name}"],
+      ["gke-${var.name}-${var.node_pools[count.index]["name"]}"],
+      var.node_pools_tags["all"],
+      var.node_pools_tags[var.node_pools[count.index]["name"]],
+    )
+
+    disk_size_gb = lookup(var.node_pools[count.index], "disk_size_gb", 100)
+    disk_type    = lookup(var.node_pools[count.index], "disk_type", "pd-standard")
+    service_account = lookup(
+      var.node_pools[count.index],
+      "service_account",
+      local.service_account,
+    )
+    preemptible = lookup(var.node_pools[count.index], "preemptible", false)
+
+    oauth_scopes = concat(
+      var.node_pools_oauth_scopes["all"],
+      var.node_pools_oauth_scopes[var.node_pools[count.index]["name"]],
+    )
+
+    dynamic "guest_accelerator" {
+      for_each = lookup(var.node_pools[count.index], "accelerator_count", 0) > 0 ? [{
+        type  = lookup(var.node_pools[count.index], "accelerator_type", "")
+        count = lookup(var.node_pools[count.index], "accelerator_count", 0)
+      }] : []
+      content {
+        type  = guest_accelerator.value.type
+        count = guest_accelerator.value.count
+      }
     }
   }
 
   lifecycle {
-    ignore_changes = ["initial_node_count"]
+    ignore_changes = [initial_node_count]
   }
 
   timeouts {
@@ -171,16 +244,19 @@ resource "google_container_node_pool" "zonal_pools" {
 }
 
 resource "null_resource" "wait_for_zonal_cluster" {
-  count = "${var.regional ? 0 : 1}"
+  count = var.regional ? 0 : 1
 
   provisioner "local-exec" {
     command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}"
   }
 
   provisioner "local-exec" {
-    when    = "destroy"
+    when    = destroy
     command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}"
   }
 
-  depends_on = ["google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"]
+  depends_on = [
+    google_container_cluster.zonal_primary,
+    google_container_node_pool.zonal_pools,
+  ]
 }
diff --git a/modules/private-cluster/dns.tf b/modules/private-cluster/dns.tf
index 25effe580a..4d37fcef0c 100644
--- a/modules/private-cluster/dns.tf
+++ b/modules/private-cluster/dns.tf
@@ -20,35 +20,48 @@
   Delete default kube-dns configmap
  *****************************************/
 resource "null_resource" "delete_default_kube_dns_configmap" {
-  count = "${local.custom_kube_dns_config ? 1 : 0}"
+  count = local.custom_kube_dns_config ? 1 : 0
 
   provisioner "local-exec" {
     command = "${path.module}/scripts/kubectl_wrapper.sh https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
   }
 
-  depends_on = ["data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"]
+  depends_on = [
+    data.google_client_config.default,
+    google_container_cluster.primary,
+    google_container_node_pool.pools,
+    google_container_cluster.zonal_primary,
+    google_container_node_pool.zonal_pools,
+  ]
 }
 
 /******************************************
   Create kube-dns confimap
  *****************************************/
 resource "kubernetes_config_map" "kube-dns" {
-  count = "${local.custom_kube_dns_config ? 1 : 0}"
+  count = local.custom_kube_dns_config ? 1 : 0
 
   metadata {
     name      = "kube-dns"
     namespace = "kube-system"
 
-    labels {
+    labels = {
       maintained_by = "terraform"
     }
   }
 
-  data {
+  data = {
     stubDomains = <<EOF
 ${jsonencode(var.stub_domains)}
 EOF
   }
 
-  depends_on = ["null_resource.delete_default_kube_dns_configmap", "data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"]
+  depends_on = [
+    null_resource.delete_default_kube_dns_configmap,
+    data.google_client_config.default,
+    google_container_cluster.primary,
+    google_container_node_pool.pools,
+    google_container_cluster.zonal_primary,
+    google_container_node_pool.zonal_pools,
+  ]
 }
diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf
index 7dd05dac04..04b14dd94d 100644
--- a/modules/private-cluster/main.tf
+++ b/modules/private-cluster/main.tf
@@ -20,155 +20,240 @@
   Get available zones in region
  *****************************************/
 data "google_compute_zones" "available" {
-  provider = "google-beta"
-  project  = "${var.project_id}"
-  region   = "${var.region}"
+  provider = google
+  project  = var.project_id
+  region   = var.region
 }
 
 resource "random_shuffle" "available_zones" {
-  input        = ["${data.google_compute_zones.available.names}"]
+  input        = data.google_compute_zones.available.names
   result_count = 3
 }
 
 locals {
-  kubernetes_version_regional = "${var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_master_version}"
-  kubernetes_version_zonal    = "${var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version}"
-  node_version_regional       = "${var.node_version != "" && var.regional ? var.node_version : local.kubernetes_version_regional}"
-  node_version_zonal          = "${var.node_version != "" && !var.regional ? var.node_version : local.kubernetes_version_zonal}"
-  custom_kube_dns_config      = "${length(keys(var.stub_domains)) > 0 ? true : false}"
-  network_project_id          = "${var.network_project_id != "" ? var.network_project_id : var.project_id}"
+  kubernetes_version_regional = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_master_version
+  kubernetes_version_zonal    = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version
+  node_version_regional       = var.node_version != "" && var.regional ? var.node_version : local.kubernetes_version_regional
+  node_version_zonal          = var.node_version != "" && ! var.regional ? var.node_version : local.kubernetes_version_zonal
+  custom_kube_dns_config      = length(keys(var.stub_domains)) > 0
+  network_project_id          = var.network_project_id != "" ? var.network_project_id : var.project_id
 
-  cluster_type = "${var.regional ? "regional" : "zonal"}"
+  cluster_type = var.regional ? "regional" : "zonal"
 
   cluster_type_output_name = {
-    regional = "${element(concat(google_container_cluster.primary.*.name, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.name, list("")), 0)}"
+    regional = element(concat(google_container_cluster.primary.*.name, [""]), 0)
+    zonal = element(
+      concat(google_container_cluster.zonal_primary.*.name, [""]),
+      0,
+    )
   }
 
   cluster_type_output_location = {
-    regional = "${element(concat(google_container_cluster.primary.*.region, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.zone, list("")), 0)}"
+    regional = element(concat(google_container_cluster.primary.*.region, [""]), 0)
+    zonal = element(
+      concat(google_container_cluster.zonal_primary.*.zone, [""]),
+      0,
+    )
   }
 
   cluster_type_output_region = {
-    regional = "${element(concat(google_container_cluster.primary.*.region, list("")), 0)}"
-    zonal    = "${var.region}"
+    regional = element(concat(google_container_cluster.primary.*.region, [""]), 0)
+    zonal    = var.region
   }
 
-  cluster_type_output_regional_zones = "${flatten(google_container_cluster.primary.*.node_locations)}"
-  cluster_type_output_zonal_zones    = "${slice(var.zones, 1, length(var.zones))}"
+  cluster_type_output_regional_zones = flatten(google_container_cluster.primary.*.node_locations)
+  cluster_type_output_zonal_zones    = slice(var.zones, 1, length(var.zones))
 
   cluster_type_output_zones = {
-    regional = "${local.cluster_type_output_regional_zones}"
-    zonal    = "${concat(google_container_cluster.zonal_primary.*.zone, local.cluster_type_output_zonal_zones)}"
+    regional = local.cluster_type_output_regional_zones
+    zonal = concat(
+      google_container_cluster.zonal_primary.*.zone,
+      local.cluster_type_output_zonal_zones,
+    )
   }
 
   cluster_type_output_endpoint = {
-    regional = "${
-      var.deploy_using_private_endpoint ?
-      element(concat(google_container_cluster.primary.*.private_cluster_config.0.private_endpoint, list("")), 0) :
-      element(concat(google_container_cluster.primary.*.endpoint, list("")), 0)
-    }"
+    regional = var.deploy_using_private_endpoint ? element(concat(google_container_cluster.primary.*.private_cluster_config.0.private_endpoint, list("")), 0) : element(concat(google_container_cluster.primary.*.endpoint, list("")), 0)
 
-    zonal = "${
-      var.deploy_using_private_endpoint ?
-      element(concat(google_container_cluster.zonal_primary.*.private_cluster_config.0.private_endpoint, list("")), 0) :
-      element(concat(google_container_cluster.zonal_primary.*.endpoint, list("")), 0)
-    }"
+    zonal = var.deploy_using_private_endpoint ? element(concat(google_container_cluster.zonal_primary.*.private_cluster_config.0.private_endpoint, list("")), 0) : element(concat(google_container_cluster.zonal_primary.*.endpoint, list("")), 0)
   }
 
   cluster_type_output_master_auth = {
-    regional = "${concat(google_container_cluster.primary.*.master_auth, list())}"
-    zonal    = "${concat(google_container_cluster.zonal_primary.*.master_auth, list())}"
+    regional = concat(google_container_cluster.primary.*.master_auth, [])
+    zonal    = concat(google_container_cluster.zonal_primary.*.master_auth, [])
   }
 
   cluster_type_output_master_version = {
-    regional = "${element(concat(google_container_cluster.primary.*.master_version, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.master_version, list("")), 0)}"
+    regional = element(
+      concat(google_container_cluster.primary.*.master_version, [""]),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.master_version,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_min_master_version = {
-    regional = "${element(concat(google_container_cluster.primary.*.min_master_version, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.min_master_version, list("")), 0)}"
+    regional = element(
+      concat(google_container_cluster.primary.*.min_master_version, [""]),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.min_master_version,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_logging_service = {
-    regional = "${element(concat(google_container_cluster.primary.*.logging_service, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.logging_service, list("")), 0)}"
+    regional = element(
+      concat(google_container_cluster.primary.*.logging_service, [""]),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.logging_service,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_monitoring_service = {
-    regional = "${element(concat(google_container_cluster.primary.*.monitoring_service, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.monitoring_service, list("")), 0)}"
+    regional = element(
+      concat(google_container_cluster.primary.*.monitoring_service, [""]),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.monitoring_service,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_network_policy_enabled = {
-    regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.network_policy_config.0.disabled, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.network_policy_config.0.disabled, list("")), 0)}"
+    regional = element(
+      concat(
+        google_container_cluster.primary.*.addons_config.0.network_policy_config.0.disabled,
+        [""],
+      ),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.addons_config.0.network_policy_config.0.disabled,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_http_load_balancing_enabled = {
-    regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.http_load_balancing.0.disabled, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.http_load_balancing.0.disabled, list("")), 0)}"
+    regional = element(
+      concat(
+        google_container_cluster.primary.*.addons_config.0.http_load_balancing.0.disabled,
+        [""],
+      ),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.addons_config.0.http_load_balancing.0.disabled,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_horizontal_pod_autoscaling_enabled = {
-    regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled, list("")), 0)}"
+    regional = element(
+      concat(
+        google_container_cluster.primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled,
+        [""],
+      ),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.addons_config.0.horizontal_pod_autoscaling.0.disabled,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_kubernetes_dashboard_enabled = {
-    regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.kubernetes_dashboard.0.disabled, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.kubernetes_dashboard.0.disabled, list("")), 0)}"
+    regional = element(
+      concat(
+        google_container_cluster.primary.*.addons_config.0.kubernetes_dashboard.0.disabled,
+        [""],
+      ),
+      0,
+    )
+    zonal = element(
+      concat(
+        google_container_cluster.zonal_primary.*.addons_config.0.kubernetes_dashboard.0.disabled,
+        [""],
+      ),
+      0,
+    )
   }
 
   cluster_type_output_node_pools_names = {
-    regional = "${concat(google_container_node_pool.pools.*.name, list(""))}"
-    zonal    = "${concat(google_container_node_pool.zonal_pools.*.name, list(""))}"
+    regional = concat(google_container_node_pool.pools.*.name, [""])
+    zonal    = concat(google_container_node_pool.zonal_pools.*.name, [""])
   }
 
   cluster_type_output_node_pools_versions = {
-    regional = "${concat(google_container_node_pool.pools.*.version, list(""))}"
-    zonal    = "${concat(google_container_node_pool.zonal_pools.*.version, list(""))}"
+    regional = concat(google_container_node_pool.pools.*.version, [""])
+    zonal    = concat(google_container_node_pool.zonal_pools.*.version, [""])
   }
 
   cluster_type_output_pod_security_policy_enabled = {
-    regional = "${element(concat(google_container_cluster.primary.*.pod_security_policy_config.0.enabled, list("")), 0)}"
-    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.pod_security_policy_config.0.enabled, list("")), 0)}"
+    regional = element(concat(google_container_cluster.primary.*.pod_security_policy_config.0.enabled, list("")), 0)
+    zonal    = element(concat(google_container_cluster.zonal_primary.*.pod_security_policy_config.0.enabled, list("")), 0)
   }
 
-  cluster_master_auth_list_layer1 = "${local.cluster_type_output_master_auth[local.cluster_type]}"
-  cluster_master_auth_list_layer2 = "${local.cluster_master_auth_list_layer1[0]}"
-  cluster_master_auth_map         = "${local.cluster_master_auth_list_layer2[0]}"
+  cluster_master_auth_list_layer1 = local.cluster_type_output_master_auth[local.cluster_type]
+  cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0]
+  cluster_master_auth_map         = local.cluster_master_auth_list_layer2[0]
 
   # cluster locals
-  cluster_name                = "${local.cluster_type_output_name[local.cluster_type]}"
-  cluster_location            = "${local.cluster_type_output_location[local.cluster_type]}"
-  cluster_region              = "${local.cluster_type_output_region[local.cluster_type]}"
-  cluster_zones               = "${sort(local.cluster_type_output_zones[local.cluster_type])}"
-  cluster_endpoint            = "${local.cluster_type_output_endpoint[local.cluster_type]}"
-  cluster_ca_certificate      = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}"
-  cluster_master_version      = "${local.cluster_type_output_master_version[local.cluster_type]}"
-  cluster_min_master_version  = "${local.cluster_type_output_min_master_version[local.cluster_type]}"
-  cluster_logging_service     = "${local.cluster_type_output_logging_service[local.cluster_type]}"
-  cluster_monitoring_service  = "${local.cluster_type_output_monitoring_service[local.cluster_type]}"
-  cluster_node_pools_names    = "${local.cluster_type_output_node_pools_names[local.cluster_type]}"
-  cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}"
-
-  cluster_network_policy_enabled             = "${local.cluster_type_output_network_policy_enabled[local.cluster_type] ? false : true}"
-  cluster_http_load_balancing_enabled        = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}"
-  cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}"
-  cluster_kubernetes_dashboard_enabled       = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}"
-  cluster_pod_security_policy_enabled        = "${local.cluster_type_output_pod_security_policy_enabled[local.cluster_type] ? false : true}"
+  cluster_name                = local.cluster_type_output_name[local.cluster_type]
+  cluster_location            = local.cluster_type_output_location[local.cluster_type]
+  cluster_region              = local.cluster_type_output_region[local.cluster_type]
+  cluster_zones               = sort(local.cluster_type_output_zones[local.cluster_type])
+  cluster_endpoint            = local.cluster_type_output_endpoint[local.cluster_type]
+  cluster_ca_certificate      = local.cluster_master_auth_map["cluster_ca_certificate"]
+  cluster_master_version      = local.cluster_type_output_master_version[local.cluster_type]
+  cluster_min_master_version  = local.cluster_type_output_min_master_version[local.cluster_type]
+  cluster_logging_service     = local.cluster_type_output_logging_service[local.cluster_type]
+  cluster_monitoring_service  = local.cluster_type_output_monitoring_service[local.cluster_type]
+  cluster_node_pools_names    = local.cluster_type_output_node_pools_names[local.cluster_type]
+  cluster_node_pools_versions = local.cluster_type_output_node_pools_versions[local.cluster_type]
+
+  cluster_network_policy_enabled             = ! local.cluster_type_output_network_policy_enabled[local.cluster_type]
+  cluster_http_load_balancing_enabled        = ! local.cluster_type_output_http_load_balancing_enabled[local.cluster_type]
+  cluster_horizontal_pod_autoscaling_enabled = ! local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type]
+  cluster_kubernetes_dashboard_enabled       = ! local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type]
+  cluster_pod_security_policy_enabled        = local.cluster_type_output_pod_security_policy_enabled[local.cluster_type]
 }
 
 /******************************************
   Get available container engine versions
  *****************************************/
 data "google_container_engine_versions" "region" {
-  provider = "google-beta"
-  region   = "${var.region}"
-  project  = "${var.project_id}"
+  provider = google-beta
+  region   = var.region
+  project  = var.project_id
 }
 
 data "google_container_engine_versions" "zone" {
@@ -176,7 +261,7 @@ data "google_container_engine_versions" "zone" {
   //
   //     data.google_container_engine_versions.zone: Cannot determine zone: set in this resource, or set provider-level zone.
   //
-  zone = "${var.zones[0] == "" ? data.google_compute_zones.available.names[0] : var.zones[0]}"
+  zone = var.zones[0] == "" ? data.google_compute_zones.available.names[0] : var.zones[0]
 
-  project = "${var.project_id}"
+  project = var.project_id
 }
diff --git a/modules/private-cluster/masq.tf b/modules/private-cluster/masq.tf
index a78d263cef..7475b904de 100644
--- a/modules/private-cluster/masq.tf
+++ b/modules/private-cluster/masq.tf
@@ -20,18 +20,18 @@
   Create ip-masq-agent confimap
  *****************************************/
 resource "kubernetes_config_map" "ip-masq-agent" {
-  count = "${var.network_policy ? 1 : 0}"
+  count = var.network_policy ? 1 : 0
 
   metadata {
     name      = "ip-masq-agent"
     namespace = "kube-system"
 
-    labels {
+    labels = {
       maintained_by = "terraform"
     }
   }
 
-  data {
+  data = {
     config = <<EOF
 nonMasqueradeCIDRs:
   - ${join("\n  - ", var.non_masquerade_cidrs)}
@@ -40,5 +40,11 @@ masqLinkLocal: ${var.ip_masq_link_local}
 EOF
   }
 
-  depends_on = ["data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"]
+  depends_on = [
+    data.google_client_config.default,
+    google_container_cluster.primary,
+    google_container_node_pool.pools,
+    google_container_cluster.zonal_primary,
+    google_container_node_pool.zonal_pools,
+  ]
 }
diff --git a/modules/private-cluster/networks.tf b/modules/private-cluster/networks.tf
index aeb1a99aba..e80ab0966e 100644
--- a/modules/private-cluster/networks.tf
+++ b/modules/private-cluster/networks.tf
@@ -18,13 +18,13 @@
 
 data "google_compute_network" "gke_network" {
   provider = "google-beta"
-  name     = "${var.network}"
-  project  = "${local.network_project_id}"
+  name     = var.network
+  project  = local.network_project_id
 }
 
 data "google_compute_subnetwork" "gke_subnetwork" {
   provider = "google-beta"
-  name     = "${var.subnetwork}"
-  region   = "${var.region}"
-  project  = "${local.network_project_id}"
+  name     = var.subnetwork
+  region   = var.region
+  project  = local.network_project_id
 }
diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf
index f4f5676fa5..81494994b7 100644
--- a/modules/private-cluster/outputs.tf
+++ b/modules/private-cluster/outputs.tf
@@ -18,99 +18,99 @@
 
 output "name" {
   description = "Cluster name"
-  value       = "${local.cluster_name}"
+  value       = local.cluster_name
 }
 
 output "type" {
   description = "Cluster type (regional / zonal)"
-  value       = "${local.cluster_type}"
+  value       = local.cluster_type
 }
 
 output "location" {
   description = "Cluster location (region if regional cluster, zone if zonal cluster)"
-  value       = "${local.cluster_location}"
+  value       = local.cluster_location
 }
 
 output "region" {
   description = "Cluster region"
-  value       = "${local.cluster_region}"
+  value       = local.cluster_region
 }
 
 output "zones" {
   description = "List of zones in which the cluster resides"
-  value       = "${local.cluster_zones}"
+  value       = local.cluster_zones
 }
 
 output "endpoint" {
   sensitive   = true
   description = "Cluster endpoint"
-  value       = "${local.cluster_endpoint}"
+  value       = local.cluster_endpoint
 }
 
 output "min_master_version" {
   description = "Minimum master kubernetes version"
-  value       = "${local.cluster_min_master_version}"
+  value       = local.cluster_min_master_version
 }
 
 output "logging_service" {
   description = "Logging service used"
-  value       = "${local.cluster_logging_service}"
+  value       = local.cluster_logging_service
 }
 
 output "monitoring_service" {
   description = "Monitoring service used"
-  value       = "${local.cluster_monitoring_service}"
+  value       = local.cluster_monitoring_service
 }
 
 output "master_authorized_networks_config" {
   description = "Networks from which access to master is permitted"
-  value       = "${var.master_authorized_networks_config}"
+  value       = var.master_authorized_networks_config
 }
 
 output "master_version" {
   description = "Current master kubernetes version"
-  value       = "${local.cluster_master_version}"
+  value       = local.cluster_master_version
 }
 
 output "ca_certificate" {
   sensitive   = true
   description = "Cluster ca certificate (base64 encoded)"
-  value       = "${local.cluster_ca_certificate}"
+  value       = local.cluster_ca_certificate
 }
 
 output "network_policy_enabled" {
   description = "Whether network policy enabled"
-  value       = "${local.cluster_network_policy_enabled}"
+  value       = local.cluster_network_policy_enabled
 }
 
 output "http_load_balancing_enabled" {
   description = "Whether http load balancing enabled"
-  value       = "${local.cluster_http_load_balancing_enabled}"
+  value       = local.cluster_http_load_balancing_enabled
 }
 
 output "horizontal_pod_autoscaling_enabled" {
   description = "Whether horizontal pod autoscaling enabled"
-  value       = "${local.cluster_horizontal_pod_autoscaling_enabled}"
+  value       = local.cluster_horizontal_pod_autoscaling_enabled
 }
 
 output "kubernetes_dashboard_enabled" {
   description = "Whether kubernetes dashboard enabled"
-  value       = "${local.cluster_kubernetes_dashboard_enabled}"
+  value       = local.cluster_kubernetes_dashboard_enabled
 }
 
 output "node_pools_names" {
   description = "List of node pools names"
-  value       = "${local.cluster_node_pools_names}"
+  value       = local.cluster_node_pools_names
 }
 
 output "node_pools_versions" {
   description = "List of node pools versions"
-  value       = "${local.cluster_node_pools_versions}"
+  value       = local.cluster_node_pools_versions
 }
 
 output "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`."
-  value       = "${local.service_account}"
+  value       = local.service_account
 }
 
 output "pod_security_policy_enabled" {
diff --git a/modules/private-cluster/sa.tf b/modules/private-cluster/sa.tf
index 5a08b8885d..dfa515848f 100644
--- a/modules/private-cluster/sa.tf
+++ b/modules/private-cluster/sa.tf
@@ -17,41 +17,46 @@
 // This file was automatically generated from a template in ./autogen
 
 locals {
-  service_account_list = "${compact(concat(google_service_account.cluster_service_account.*.email, list("dummy")))}"
-  service_account      = "${var.service_account == "create" ? element(local.service_account_list, 0) : var.service_account}"
+  service_account_list = compact(
+    concat(
+      google_service_account.cluster_service_account.*.email,
+      ["dummy"],
+    ),
+  )
+  service_account = var.service_account == "create" ? element(local.service_account_list, 0) : var.service_account
 }
 
 resource "random_string" "cluster_service_account_suffix" {
-  upper   = "false"
-  lower   = "true"
-  special = "false"
+  upper   = false
+  lower   = true
+  special = false
   length  = 4
 }
 
 resource "google_service_account" "cluster_service_account" {
-  count        = "${var.service_account == "create" ? 1 : 0}"
-  project      = "${var.project_id}"
+  count        = var.service_account == "create" ? 1 : 0
+  project      = var.project_id
   account_id   = "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix.result}"
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
 resource "google_project_iam_member" "cluster_service_account-log_writer" {
-  count   = "${var.service_account == "create" ? 1 : 0}"
-  project = "${google_service_account.cluster_service_account.project}"
+  count   = var.service_account == "create" ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
   role    = "roles/logging.logWriter"
-  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
 resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = "${var.service_account == "create" ? 1 : 0}"
-  project = "${google_project_iam_member.cluster_service_account-log_writer.project}"
+  count   = var.service_account == "create" ? 1 : 0
+  project = google_project_iam_member.cluster_service_account-log_writer[0].project
   role    = "roles/monitoring.metricWriter"
-  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
 resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = "${var.service_account == "create" ? 1 : 0}"
-  project = "${google_project_iam_member.cluster_service_account-metric_writer.project}"
+  count   = var.service_account == "create" ? 1 : 0
+  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
   role    = "roles/monitoring.viewer"
-  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 9d6b123ac8..226360d51e 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -17,58 +17,68 @@
 // This file was automatically generated from a template in ./autogen
 
 variable "project_id" {
+  type        = string
   description = "The project ID to host the cluster in (required)"
 }
 
 variable "name" {
+  type        = string
   description = "The name of the cluster (required)"
 }
 
 variable "description" {
+  type        = string
   description = "The description of the cluster"
   default     = ""
 }
 
 variable "regional" {
+  type        = bool
   description = "Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!)"
   default     = true
 }
 
 variable "region" {
+  type        = string
   description = "The region to host the cluster in (required)"
 }
 
 variable "zones" {
-  type        = "list"
+  type        = list(string)
   description = "The zones to host the cluster in (optional if regional cluster / required if zonal)"
-  default     = [""]
+  default     = []
 }
 
 variable "network" {
+  type        = string
   description = "The VPC network to host the cluster in (required)"
 }
 
 variable "network_project_id" {
+  type        = string
   description = "The project ID of the shared VPC's host (for shared vpc support)"
   default     = ""
 }
 
 variable "subnetwork" {
+  type        = string
   description = "The subnetwork to host the cluster in (required)"
 }
 
 variable "kubernetes_version" {
+  type        = string
   description = "The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region."
   default     = "latest"
 }
 
 variable "node_version" {
+  type        = string
   description = "The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation."
   default     = ""
 }
 
 variable "master_authorized_networks_config" {
-  type = "list"
+  type = list(object({ cidr_blocks = list(object({ cidr_block = string, display_name = string })) }))
 
   description = <<EOF
   The desired configuration options for master authorized networks. Omit the nested cidr_blocks attribute to disallow external access (except the cluster node IPs, which GKE automatically whitelists)
@@ -88,10 +98,11 @@ variable "master_authorized_networks_config" {
 
 variable "enable_binary_authorization" {
   description = "Enable BinAuthZ Admission controller"
-  default     = false
+  default = false
 }
 
 variable "pod_security_policy_config" {
+  type = list(object({ enabled : bool }))
   description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
 
   default = [{
@@ -100,60 +111,71 @@ variable "pod_security_policy_config" {
 }
 
 variable "horizontal_pod_autoscaling" {
+  type = bool
   description = "Enable horizontal pod autoscaling addon"
-  default     = true
+  default = true
 }
 
 variable "http_load_balancing" {
+  type = bool
   description = "Enable httpload balancer addon"
-  default     = true
+  default = true
 }
 
 variable "kubernetes_dashboard" {
+  type = bool
   description = "Enable kubernetes dashboard addon"
-  default     = false
+  default = false
 }
 
 variable "network_policy" {
+  type = bool
   description = "Enable network policy addon"
-  default     = false
+  default = false
 }
 
 variable "network_policy_provider" {
+  type = string
   description = "The network policy provider."
-  default     = "CALICO"
+  default = "CALICO"
 }
 
 variable "maintenance_start_time" {
+  type = string
   description = "Time window specified for daily maintenance operations in RFC3339 format"
-  default     = "05:00"
+  default = "05:00"
 }
 
 variable "ip_range_pods" {
+  type = string
   description = "The _name_ of the secondary subnet ip range to use for pods"
 }
 
 variable "ip_range_services" {
+  type = string
   description = "The _name_ of the secondary subnet range to use for services"
 }
 
 variable "initial_node_count" {
+  type = number
   description = "The number of nodes to create in this cluster's default node pool."
-  default     = 0
+  default = 0
 }
 
 variable "remove_default_node_pool" {
+  type = bool
   description = "Remove default node pool while setting up the cluster"
-  default     = false
+  default = false
 }
 
 variable "disable_legacy_metadata_endpoints" {
+  type = bool
   description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated."
-  default     = "true"
+  default = true
 }
 
 variable "node_pools" {
-  type        = "list"
+  type = list(map(string))
   description = "List of maps containing node pools"
 
   default = [
@@ -164,123 +186,135 @@ variable "node_pools" {
 }
 
 variable "node_pools_labels" {
-  type        = "map"
+  type = map(map(string))
   description = "Map of maps containing node labels by node-pool name"
 
   default = {
-    all               = {}
+    all = {}
     default-node-pool = {}
   }
 }
 
 variable "node_pools_metadata" {
-  type        = "map"
+  type = map(map(string))
   description = "Map of maps containing node metadata by node-pool name"
 
   default = {
-    all               = {}
+    all = {}
     default-node-pool = {}
   }
 }
 
 variable "node_pools_taints" {
-  type        = "map"
+  type = map(list(object({ key = string, value = string, effect = string })))
   description = "Map of lists containing node taints by node-pool name"
 
   default = {
-    all               = []
+    all = []
     default-node-pool = []
   }
 }
 
 variable "node_pools_tags" {
-  type        = "map"
+  type = map(list(string))
   description = "Map of lists containing node network tags by node-pool name"
 
   default = {
-    all               = []
+    all = []
     default-node-pool = []
   }
 }
 
 variable "node_pools_oauth_scopes" {
-  type        = "map"
+  type = map(list(string))
   description = "Map of lists containing node oauth scopes by node-pool name"
 
   default = {
-    all               = ["https://www.googleapis.com/auth/cloud-platform"]
+    all = ["https://www.googleapis.com/auth/cloud-platform"]
     default-node-pool = []
   }
 }
 
 variable "stub_domains" {
-  type        = "map"
+  type = map(list(string))
   description = "Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server"
-  default     = {}
+  default = {}
 }
 
 variable "non_masquerade_cidrs" {
-  type        = "list"
+  type = list(string)
   description = "List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading."
-  default     = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+  default = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
 }
 
 variable "ip_masq_resync_interval" {
+  type = string
   description = "The interval at which the agent attempts to sync its ConfigMap file from the disk."
-  default     = "60s"
+  default = "60s"
 }
 
 variable "ip_masq_link_local" {
+  type = bool
   description = "Whether to masquerade traffic to the link-local prefix (169.254.0.0/16)."
-  default     = "false"
+  default = false
 }
 
 variable "logging_service" {
+  type = string
   description = "The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none"
-  default     = "logging.googleapis.com"
+  default = "logging.googleapis.com"
 }
 
 variable "monitoring_service" {
+  type = string
   description = "The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none"
-  default     = "monitoring.googleapis.com"
+  default = "monitoring.googleapis.com"
 }
 
 variable "service_account" {
+  type = string
   description = "The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created."
-  default     = "create"
+  default = "create"
 }
 
 variable "deploy_using_private_endpoint" {
+  type = bool
   description = "(Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment."
-  default     = "false"
+  default = false
 }
 
 variable "enable_private_endpoint" {
+  type = bool
   description = "(Beta) Whether the master's internal IP address is used as the cluster endpoint"
-  default     = false
+  default = false
 }
 
 variable "enable_private_nodes" {
+  type = bool
   description = "(Beta) Whether nodes have internal IP addresses only"
-  default     = false
+  default = false
 }
 
 variable "master_ipv4_cidr_block" {
+  type = string
   description = "(Beta) The IP range in CIDR notation to use for the hosted master network"
-  default     = "10.0.0.0/28"
+  default = "10.0.0.0/28"
 }
 
 variable "basic_auth_username" {
+  type = string
   description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration."
-  default     = ""
+  default = ""
 }
 
 variable "basic_auth_password" {
+  type = string
   description = "The password to be used with Basic Authentication."
-  default     = ""
+  default = ""
 }
 
 variable "issue_client_certificate" {
+  type = bool
   description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"
-  default     = "false"
+  default = false
 }
diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf
new file mode 100644
index 0000000000..ac97c6ac8e
--- /dev/null
+++ b/modules/private-cluster/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+  required_version = ">= 0.12"
+}
diff --git a/networks.tf b/networks.tf
index f6c26d9e77..eadd1eee5b 100644
--- a/networks.tf
+++ b/networks.tf
@@ -18,13 +18,13 @@
 
 data "google_compute_network" "gke_network" {
   provider = "google"
-  name     = "${var.network}"
-  project  = "${local.network_project_id}"
+  name     = var.network
+  project  = local.network_project_id
 }
 
 data "google_compute_subnetwork" "gke_subnetwork" {
   provider = "google"
-  name     = "${var.subnetwork}"
-  region   = "${var.region}"
-  project  = "${local.network_project_id}"
+  name     = var.subnetwork
+  region   = var.region
+  project  = local.network_project_id
 }
diff --git a/outputs.tf b/outputs.tf
index 38552c4f89..f42cc0b207 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -18,98 +18,98 @@
 
 output "name" {
   description = "Cluster name"
-  value       = "${local.cluster_name}"
+  value       = local.cluster_name
 }
 
 output "type" {
   description = "Cluster type (regional / zonal)"
-  value       = "${local.cluster_type}"
+  value       = local.cluster_type
 }
 
 output "location" {
   description = "Cluster location (region if regional cluster, zone if zonal cluster)"
-  value       = "${local.cluster_location}"
+  value       = local.cluster_location
 }
 
 output "region" {
   description = "Cluster region"
-  value       = "${local.cluster_region}"
+  value       = local.cluster_region
 }
 
 output "zones" {
   description = "List of zones in which the cluster resides"
-  value       = "${local.cluster_zones}"
+  value       = local.cluster_zones
 }
 
 output "endpoint" {
   sensitive   = true
   description = "Cluster endpoint"
-  value       = "${local.cluster_endpoint}"
+  value       = local.cluster_endpoint
 }
 
 output "min_master_version" {
   description = "Minimum master kubernetes version"
-  value       = "${local.cluster_min_master_version}"
+  value       = local.cluster_min_master_version
 }
 
 output "logging_service" {
   description = "Logging service used"
-  value       = "${local.cluster_logging_service}"
+  value       = local.cluster_logging_service
 }
 
 output "monitoring_service" {
   description = "Monitoring service used"
-  value       = "${local.cluster_monitoring_service}"
+  value       = local.cluster_monitoring_service
 }
 
 output "master_authorized_networks_config" {
   description = "Networks from which access to master is permitted"
-  value       = "${var.master_authorized_networks_config}"
+  value       = var.master_authorized_networks_config
 }
 
 output "master_version" {
   description = "Current master kubernetes version"
-  value       = "${local.cluster_master_version}"
+  value       = local.cluster_master_version
 }
 
 output "ca_certificate" {
   sensitive   = true
   description = "Cluster ca certificate (base64 encoded)"
-  value       = "${local.cluster_ca_certificate}"
+  value       = local.cluster_ca_certificate
 }
 
 output "network_policy_enabled" {
   description = "Whether network policy enabled"
-  value       = "${local.cluster_network_policy_enabled}"
+  value       = local.cluster_network_policy_enabled
 }
 
 output "http_load_balancing_enabled" {
   description = "Whether http load balancing enabled"
-  value       = "${local.cluster_http_load_balancing_enabled}"
+  value       = local.cluster_http_load_balancing_enabled
 }
 
 output "horizontal_pod_autoscaling_enabled" {
   description = "Whether horizontal pod autoscaling enabled"
-  value       = "${local.cluster_horizontal_pod_autoscaling_enabled}"
+  value       = local.cluster_horizontal_pod_autoscaling_enabled
 }
 
 output "kubernetes_dashboard_enabled" {
   description = "Whether kubernetes dashboard enabled"
-  value       = "${local.cluster_kubernetes_dashboard_enabled}"
+  value       = local.cluster_kubernetes_dashboard_enabled
 }
 
 output "node_pools_names" {
   description = "List of node pools names"
-  value       = "${local.cluster_node_pools_names}"
+  value       = local.cluster_node_pools_names
 }
 
 output "node_pools_versions" {
   description = "List of node pools versions"
-  value       = "${local.cluster_node_pools_versions}"
+  value       = local.cluster_node_pools_versions
 }
 
 output "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`."
-  value       = "${local.service_account}"
+  value       = local.service_account
 }
 
diff --git a/sa.tf b/sa.tf
index 5a08b8885d..dfa515848f 100644
--- a/sa.tf
+++ b/sa.tf
@@ -17,41 +17,46 @@
 // This file was automatically generated from a template in ./autogen
 
 locals {
-  service_account_list = "${compact(concat(google_service_account.cluster_service_account.*.email, list("dummy")))}"
-  service_account      = "${var.service_account == "create" ? element(local.service_account_list, 0) : var.service_account}"
+  service_account_list = compact(
+    concat(
+      google_service_account.cluster_service_account.*.email,
+      ["dummy"],
+    ),
+  )
+  service_account = var.service_account == "create" ? element(local.service_account_list, 0) : var.service_account
 }
 
 resource "random_string" "cluster_service_account_suffix" {
-  upper   = "false"
-  lower   = "true"
-  special = "false"
+  upper   = false
+  lower   = true
+  special = false
   length  = 4
 }
 
 resource "google_service_account" "cluster_service_account" {
-  count        = "${var.service_account == "create" ? 1 : 0}"
-  project      = "${var.project_id}"
+  count        = var.service_account == "create" ? 1 : 0
+  project      = var.project_id
   account_id   = "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix.result}"
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
 resource "google_project_iam_member" "cluster_service_account-log_writer" {
-  count   = "${var.service_account == "create" ? 1 : 0}"
-  project = "${google_service_account.cluster_service_account.project}"
+  count   = var.service_account == "create" ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
   role    = "roles/logging.logWriter"
-  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
 resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = "${var.service_account == "create" ? 1 : 0}"
-  project = "${google_project_iam_member.cluster_service_account-log_writer.project}"
+  count   = var.service_account == "create" ? 1 : 0
+  project = google_project_iam_member.cluster_service_account-log_writer[0].project
   role    = "roles/monitoring.metricWriter"
-  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
 resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = "${var.service_account == "create" ? 1 : 0}"
-  project = "${google_project_iam_member.cluster_service_account-metric_writer.project}"
+  count   = var.service_account == "create" ? 1 : 0
+  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
   role    = "roles/monitoring.viewer"
-  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
diff --git a/test/fixtures/all_examples/test_outputs.tf b/test/fixtures/all_examples/test_outputs.tf
index c1d4352219..53eab4ee12 100644
--- a/test/fixtures/all_examples/test_outputs.tf
+++ b/test/fixtures/all_examples/test_outputs.tf
@@ -18,46 +18,47 @@
 // They do not need to be included in real-world uses of this module
 
 output "project_id" {
-  value = "${var.project_id}"
+  value = var.project_id
 }
 
 output "region" {
-  value = "${module.gke.region}"
+  value = module.gke.region
 }
 
 output "cluster_name" {
   description = "Cluster name"
-  value       = "${module.gke.name}"
+  value       = module.gke.name
 }
 
 output "network" {
-  value = "${var.network}"
+  value = var.network
 }
 
 output "subnetwork" {
-  value = "${var.subnetwork}"
+  value = var.subnetwork
 }
 
 output "location" {
-  value = "${module.gke.location}"
+  value = module.gke.location
 }
 
 output "ip_range_pods" {
   description = "The secondary IP range used for pods"
-  value       = "${var.ip_range_pods}"
+  value       = var.ip_range_pods
 }
 
 output "ip_range_services" {
   description = "The secondary IP range used for services"
-  value       = "${var.ip_range_services}"
+  value       = var.ip_range_services
 }
 
 output "zones" {
   description = "List of zones in which the cluster resides"
-  value       = "${module.gke.zones}"
+  value       = module.gke.zones
 }
 
 output "master_kubernetes_version" {
   description = "The master Kubernetes version"
-  value       = "${module.gke.master_version}"
+  value       = module.gke.master_version
 }
+
diff --git a/test/fixtures/deploy_service/example.tf b/test/fixtures/deploy_service/example.tf
index 7cc5178569..421c551489 100644
--- a/test/fixtures/deploy_service/example.tf
+++ b/test/fixtures/deploy_service/example.tf
@@ -17,12 +17,13 @@
 module "example" {
   source = "../../../examples/deploy_service"
 
-  project_id                     = "${var.project_id}"
+  project_id                     = var.project_id
   cluster_name_suffix            = "-${random_string.suffix.result}"
-  region                         = "${var.region}"
-  network                        = "${google_compute_network.main.name}"
-  subnetwork                     = "${google_compute_subnetwork.main.name}"
-  ip_range_pods                  = "${google_compute_subnetwork.main.secondary_ip_range.0.range_name}"
-  ip_range_services              = "${google_compute_subnetwork.main.secondary_ip_range.1.range_name}"
-  compute_engine_service_account = "${var.compute_engine_service_account}"
+  region                         = var.region
+  network                        = google_compute_network.main.name
+  subnetwork                     = google_compute_subnetwork.main.name
+  ip_range_pods                  = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+  ip_range_services              = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+  compute_engine_service_account = var.compute_engine_service_account
 }
+
diff --git a/test/fixtures/deploy_service/network.tf b/test/fixtures/deploy_service/network.tf
index 2dfbf2d9b2..e1292eae3b 100644
--- a/test/fixtures/deploy_service/network.tf
+++ b/test/fixtures/deploy_service/network.tf
@@ -21,19 +21,19 @@ resource "random_string" "suffix" {
 }
 
 provider "google" {
-  project     = "${var.project_id}"
+  project = var.project_id
 }
 
 resource "google_compute_network" "main" {
   name                    = "cft-gke-test-${random_string.suffix.result}"
-  auto_create_subnetworks = "false"
+  auto_create_subnetworks = false
 }
 
 resource "google_compute_subnetwork" "main" {
   name          = "cft-gke-test-${random_string.suffix.result}"
   ip_cidr_range = "10.0.0.0/17"
-  region        = "${var.region}"
-  network       = "${google_compute_network.main.self_link}"
+  region        = var.region
+  network       = google_compute_network.main.self_link
 
   secondary_ip_range {
     range_name    = "cft-gke-test-pods-${random_string.suffix.result}"
@@ -45,3 +45,4 @@ resource "google_compute_subnetwork" "main" {
     ip_cidr_range = "192.168.64.0/18"
   }
 }
+
diff --git a/test/fixtures/disable_client_cert/example.tf b/test/fixtures/disable_client_cert/example.tf
index 4f9c4d1292..c1baed7c36 100644
--- a/test/fixtures/disable_client_cert/example.tf
+++ b/test/fixtures/disable_client_cert/example.tf
@@ -17,14 +17,15 @@
 module "example" {
   source = "../../../examples/disable_client_cert"
 
-  project_id                     = "${var.project_id}"
-  credentials_path               = "${local.credentials_path}"
+  project_id                     = var.project_id
+  credentials_path               = ""
   cluster_name_suffix            = "-${random_string.suffix.result}"
-  region                         = "${var.region}"
-  network                        = "${google_compute_network.main.name}"
-  network_project_id             = "${var.project_id}"
-  subnetwork                     = "${google_compute_subnetwork.main.name}"
-  ip_range_pods                  = "${google_compute_subnetwork.main.secondary_ip_range.0.range_name}"
-  ip_range_services              = "${google_compute_subnetwork.main.secondary_ip_range.1.range_name}"
-  compute_engine_service_account = "${var.compute_engine_service_account}"
+  region                         = var.region
+  network                        = google_compute_network.main.name
+  network_project_id             = var.project_id
+  subnetwork                     = google_compute_subnetwork.main.name
+  ip_range_pods                  = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+  ip_range_services              = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+  compute_engine_service_account = var.compute_engine_service_account
 }
+
diff --git a/test/fixtures/disable_client_cert/network.tf b/test/fixtures/disable_client_cert/network.tf
index ea0f71481a..e1292eae3b 100644
--- a/test/fixtures/disable_client_cert/network.tf
+++ b/test/fixtures/disable_client_cert/network.tf
@@ -14,7 +14,6 @@
  * limitations under the License.
  */
 
-
 resource "random_string" "suffix" {
   length  = 4
   special = false
@@ -22,19 +21,19 @@ resource "random_string" "suffix" {
 }
 
 provider "google" {
-  project     = "${var.project_id}"
+  project = var.project_id
 }
 
 resource "google_compute_network" "main" {
   name                    = "cft-gke-test-${random_string.suffix.result}"
-  auto_create_subnetworks = "false"
+  auto_create_subnetworks = false
 }
 
 resource "google_compute_subnetwork" "main" {
   name          = "cft-gke-test-${random_string.suffix.result}"
   ip_cidr_range = "10.0.0.0/17"
-  region        = "${var.region}"
-  network       = "${google_compute_network.main.self_link}"
+  region        = var.region
+  network       = google_compute_network.main.self_link
 
   secondary_ip_range {
     range_name    = "cft-gke-test-pods-${random_string.suffix.result}"
@@ -46,3 +45,4 @@ resource "google_compute_subnetwork" "main" {
     ip_cidr_range = "192.168.64.0/18"
   }
 }
+
diff --git a/test/fixtures/node_pool/example.tf b/test/fixtures/node_pool/example.tf
index 097c9e3bcf..28d51f2357 100644
--- a/test/fixtures/node_pool/example.tf
+++ b/test/fixtures/node_pool/example.tf
@@ -17,13 +17,14 @@
 module "example" {
   source = "../../../examples/node_pool"
 
-  project_id                     = "${var.project_id}"
+  project_id                     = var.project_id
   cluster_name_suffix            = "-${random_string.suffix.result}"
-  region                         = "${var.region}"
-  zones                          = ["${slice(var.zones,0,1)}"]
-  network                        = "${google_compute_network.main.name}"
-  subnetwork                     = "${google_compute_subnetwork.main.name}"
-  ip_range_pods                  = "${google_compute_subnetwork.main.secondary_ip_range.0.range_name}"
-  ip_range_services              = "${google_compute_subnetwork.main.secondary_ip_range.1.range_name}"
-  compute_engine_service_account = "${var.compute_engine_service_account}"
+  region                         = var.region
+  zones                          = slice(var.zones, 0, 1)
+  network                        = google_compute_network.main.name
+  subnetwork                     = google_compute_subnetwork.main.name
+  ip_range_pods                  = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+  ip_range_services              = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+  compute_engine_service_account = var.compute_engine_service_account
 }
+
diff --git a/test/fixtures/node_pool/network.tf b/test/fixtures/node_pool/network.tf
index 2dfbf2d9b2..e1292eae3b 100644
--- a/test/fixtures/node_pool/network.tf
+++ b/test/fixtures/node_pool/network.tf
@@ -21,19 +21,19 @@ resource "random_string" "suffix" {
 }
 
 provider "google" {
-  project     = "${var.project_id}"
+  project = var.project_id
 }
 
 resource "google_compute_network" "main" {
   name                    = "cft-gke-test-${random_string.suffix.result}"
-  auto_create_subnetworks = "false"
+  auto_create_subnetworks = false
 }
 
 resource "google_compute_subnetwork" "main" {
   name          = "cft-gke-test-${random_string.suffix.result}"
   ip_cidr_range = "10.0.0.0/17"
-  region        = "${var.region}"
-  network       = "${google_compute_network.main.self_link}"
+  region        = var.region
+  network       = google_compute_network.main.self_link
 
   secondary_ip_range {
     range_name    = "cft-gke-test-pods-${random_string.suffix.result}"
@@ -45,3 +45,4 @@ resource "google_compute_subnetwork" "main" {
     ip_cidr_range = "192.168.64.0/18"
   }
 }
+
diff --git a/test/fixtures/shared/outputs.tf b/test/fixtures/shared/outputs.tf
index 229dc82689..1c2eb5e9ba 100644
--- a/test/fixtures/shared/outputs.tf
+++ b/test/fixtures/shared/outputs.tf
@@ -15,66 +15,67 @@
  */
 
 output "project_id" {
-  value = "${var.project_id}"
+  value = var.project_id
 }
 
 output "region" {
-  value = "${module.example.region}"
+  value = module.example.region
 }
 
 output "cluster_name" {
   description = "Cluster name"
-  value       = "${module.example.cluster_name}"
+  value       = module.example.cluster_name
 }
 
 output "network" {
-  value = "${google_compute_network.main.name}"
+  value = google_compute_network.main.name
 }
 
 output "subnetwork" {
-  value = "${google_compute_subnetwork.main.name}"
+  value = google_compute_subnetwork.main.name
 }
 
 output "location" {
-  value = "${module.example.location}"
+  value = module.example.location
 }
 
 output "ip_range_pods" {
   description = "The secondary IP range used for pods"
-  value       = "${google_compute_subnetwork.main.secondary_ip_range.0.range_name}"
+  value       = google_compute_subnetwork.main.secondary_ip_range[0].range_name
 }
 
 output "ip_range_services" {
   description = "The secondary IP range used for services"
-  value       = "${google_compute_subnetwork.main.secondary_ip_range.1.range_name}"
+  value       = google_compute_subnetwork.main.secondary_ip_range[1].range_name
 }
 
 output "zones" {
   description = "List of zones in which the cluster resides"
-  value       = "${module.example.zones}"
+  value       = module.example.zones
 }
 
 output "master_kubernetes_version" {
   description = "The master Kubernetes version"
-  value       = "${module.example.master_kubernetes_version}"
+  value       = module.example.master_kubernetes_version
 }
 
 output "kubernetes_endpoint" {
   sensitive = true
-  value     = "${module.example.kubernetes_endpoint}"
+  value     = module.example.kubernetes_endpoint
 }
 
 output "client_token" {
   sensitive = true
-  value     = "${module.example.client_token}"
+  value     = module.example.client_token
 }
 
 output "ca_certificate" {
   description = "The cluster CA certificate"
-  value       = "${module.example.ca_certificate}"
+  value       = module.example.ca_certificate
 }
 
 output "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`."
-  value       = "${module.example.service_account}"
+  value       = module.example.service_account
 }
+
diff --git a/test/fixtures/shared/variables.tf b/test/fixtures/shared/variables.tf
index 28b827b0d5..f8e3d6dfa4 100644
--- a/test/fixtures/shared/variables.tf
+++ b/test/fixtures/shared/variables.tf
@@ -23,7 +23,7 @@ variable "region" {
 }
 
 variable "zones" {
-  type        = "list"
+  type        = list(string)
   description = "The GCP zones to create and test resources in, for applicable tests"
   default     = []
 }
@@ -31,3 +31,4 @@ variable "zones" {
 variable "compute_engine_service_account" {
   description = "The email address of the service account to associate with the GKE cluster"
 }
+
diff --git a/test/fixtures/shared_vpc/example.tf b/test/fixtures/shared_vpc/example.tf
index 276e8f9dd7..051d9155c9 100644
--- a/test/fixtures/shared_vpc/example.tf
+++ b/test/fixtures/shared_vpc/example.tf
@@ -17,13 +17,14 @@
 module "example" {
   source = "../../../examples/shared_vpc"
 
-  project_id                     = "${var.project_id}"
+  project_id                     = var.project_id
   cluster_name_suffix            = "-${random_string.suffix.result}"
-  region                         = "${var.region}"
-  network                        = "${google_compute_network.main.name}"
-  network_project_id             = "${var.project_id}"
-  subnetwork                     = "${google_compute_subnetwork.main.name}"
-  ip_range_pods                  = "${google_compute_subnetwork.main.secondary_ip_range.0.range_name}"
-  ip_range_services              = "${google_compute_subnetwork.main.secondary_ip_range.1.range_name}"
-  compute_engine_service_account = "${var.compute_engine_service_account}"
+  region                         = var.region
+  network                        = google_compute_network.main.name
+  network_project_id             = var.project_id
+  subnetwork                     = google_compute_subnetwork.main.name
+  ip_range_pods                  = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+  ip_range_services              = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+  compute_engine_service_account = var.compute_engine_service_account
 }
+
diff --git a/test/fixtures/shared_vpc/network.tf b/test/fixtures/shared_vpc/network.tf
index 2dfbf2d9b2..e1292eae3b 100644
--- a/test/fixtures/shared_vpc/network.tf
+++ b/test/fixtures/shared_vpc/network.tf
@@ -21,19 +21,19 @@ resource "random_string" "suffix" {
 }
 
 provider "google" {
-  project     = "${var.project_id}"
+  project = var.project_id
 }
 
 resource "google_compute_network" "main" {
   name                    = "cft-gke-test-${random_string.suffix.result}"
-  auto_create_subnetworks = "false"
+  auto_create_subnetworks = false
 }
 
 resource "google_compute_subnetwork" "main" {
   name          = "cft-gke-test-${random_string.suffix.result}"
   ip_cidr_range = "10.0.0.0/17"
-  region        = "${var.region}"
-  network       = "${google_compute_network.main.self_link}"
+  region        = var.region
+  network       = google_compute_network.main.self_link
 
   secondary_ip_range {
     range_name    = "cft-gke-test-pods-${random_string.suffix.result}"
@@ -45,3 +45,4 @@ resource "google_compute_subnetwork" "main" {
     ip_cidr_range = "192.168.64.0/18"
   }
 }
+
diff --git a/test/fixtures/simple_regional/example.tf b/test/fixtures/simple_regional/example.tf
index ea14fbc3f8..cb37e43427 100644
--- a/test/fixtures/simple_regional/example.tf
+++ b/test/fixtures/simple_regional/example.tf
@@ -17,12 +17,13 @@
 module "example" {
   source = "../../../examples/simple_regional"
 
-  project_id                     = "${var.project_id}"
+  project_id                     = var.project_id
   cluster_name_suffix            = "-${random_string.suffix.result}"
-  region                         = "${var.region}"
-  network                        = "${google_compute_network.main.name}"
-  subnetwork                     = "${google_compute_subnetwork.main.name}"
-  ip_range_pods                  = "${google_compute_subnetwork.main.secondary_ip_range.0.range_name}"
-  ip_range_services              = "${google_compute_subnetwork.main.secondary_ip_range.1.range_name}"
-  compute_engine_service_account = "${var.compute_engine_service_account}"
+  region                         = var.region
+  network                        = google_compute_network.main.name
+  subnetwork                     = google_compute_subnetwork.main.name
+  ip_range_pods                  = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+  ip_range_services              = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+  compute_engine_service_account = var.compute_engine_service_account
 }
+
diff --git a/test/fixtures/simple_regional/network.tf b/test/fixtures/simple_regional/network.tf
index 2dfbf2d9b2..e1292eae3b 100644
--- a/test/fixtures/simple_regional/network.tf
+++ b/test/fixtures/simple_regional/network.tf
@@ -21,19 +21,19 @@ resource "random_string" "suffix" {
 }
 
 provider "google" {
-  project     = "${var.project_id}"
+  project = var.project_id
 }
 
 resource "google_compute_network" "main" {
   name                    = "cft-gke-test-${random_string.suffix.result}"
-  auto_create_subnetworks = "false"
+  auto_create_subnetworks = false
 }
 
 resource "google_compute_subnetwork" "main" {
   name          = "cft-gke-test-${random_string.suffix.result}"
   ip_cidr_range = "10.0.0.0/17"
-  region        = "${var.region}"
-  network       = "${google_compute_network.main.self_link}"
+  region        = var.region
+  network       = google_compute_network.main.self_link
 
   secondary_ip_range {
     range_name    = "cft-gke-test-pods-${random_string.suffix.result}"
@@ -45,3 +45,4 @@ resource "google_compute_subnetwork" "main" {
     ip_cidr_range = "192.168.64.0/18"
   }
 }
+
diff --git a/test/fixtures/simple_regional_private/example.tf b/test/fixtures/simple_regional_private/example.tf
index beefece56c..c06f080ac4 100644
--- a/test/fixtures/simple_regional_private/example.tf
+++ b/test/fixtures/simple_regional_private/example.tf
@@ -17,12 +17,13 @@
 module "example" {
   source = "../../../examples/simple_regional_private"
 
-  project_id                     = "${var.project_id}"
+  project_id                     = var.project_id
   cluster_name_suffix            = "-${random_string.suffix.result}"
-  region                         = "${var.region}"
-  network                        = "${google_compute_network.main.name}"
-  subnetwork                     = "${google_compute_subnetwork.main.name}"
-  ip_range_pods                  = "${google_compute_subnetwork.main.secondary_ip_range.0.range_name}"
-  ip_range_services              = "${google_compute_subnetwork.main.secondary_ip_range.1.range_name}"
-  compute_engine_service_account = "${var.compute_engine_service_account}"
+  region                         = var.region
+  network                        = google_compute_network.main.name
+  subnetwork                     = google_compute_subnetwork.main.name
+  ip_range_pods                  = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+  ip_range_services              = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+  compute_engine_service_account = var.compute_engine_service_account
 }
+
diff --git a/test/fixtures/simple_regional_private/network.tf b/test/fixtures/simple_regional_private/network.tf
index 0f7492d884..c50c2d12d1 100644
--- a/test/fixtures/simple_regional_private/network.tf
+++ b/test/fixtures/simple_regional_private/network.tf
@@ -21,21 +21,21 @@ resource "random_string" "suffix" {
 }
 
 provider "google-beta" {
-  project     = "${var.project_id}"
+  project = var.project_id
 }
 
 resource "google_compute_network" "main" {
-  project                 = "${var.project_id}"
+  project                 = var.project_id
   name                    = "cft-gke-test-${random_string.suffix.result}"
-  auto_create_subnetworks = "false"
+  auto_create_subnetworks = false
 }
 
 resource "google_compute_subnetwork" "main" {
-  project       = "${var.project_id}"
+  project       = var.project_id
   name          = "cft-gke-test-${random_string.suffix.result}"
   ip_cidr_range = "10.0.0.0/17"
-  region        = "${var.region}"
-  network       = "${google_compute_network.main.self_link}"
+  region        = var.region
+  network       = google_compute_network.main.self_link
 
   secondary_ip_range {
     range_name    = "cft-gke-test-pods-${random_string.suffix.result}"
@@ -47,3 +47,4 @@ resource "google_compute_subnetwork" "main" {
     ip_cidr_range = "192.168.64.0/18"
   }
 }
+
diff --git a/test/fixtures/simple_zonal/example.tf b/test/fixtures/simple_zonal/example.tf
index e85f1818ba..c0edb35e2b 100644
--- a/test/fixtures/simple_zonal/example.tf
+++ b/test/fixtures/simple_zonal/example.tf
@@ -17,12 +17,13 @@
 module "example" {
   source = "../../../examples/simple_zonal"
 
-  project_id          = "${var.project_id}"
+  project_id          = var.project_id
   cluster_name_suffix = "-${random_string.suffix.result}"
-  region              = "${var.region}"
-  zones               = ["${slice(var.zones,0,1)}"]
-  network             = "${google_compute_network.main.name}"
-  subnetwork          = "${google_compute_subnetwork.main.name}"
-  ip_range_pods       = "${google_compute_subnetwork.main.secondary_ip_range.0.range_name}"
-  ip_range_services   = "${google_compute_subnetwork.main.secondary_ip_range.1.range_name}"
+  region              = var.region
+  zones               = slice(var.zones, 0, 1)
+  network             = google_compute_network.main.name
+  subnetwork          = google_compute_subnetwork.main.name
+  ip_range_pods       = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+  ip_range_services   = google_compute_subnetwork.main.secondary_ip_range[1].range_name
 }
+
diff --git a/test/fixtures/simple_zonal/network.tf b/test/fixtures/simple_zonal/network.tf
index 2dfbf2d9b2..e1292eae3b 100644
--- a/test/fixtures/simple_zonal/network.tf
+++ b/test/fixtures/simple_zonal/network.tf
@@ -21,19 +21,19 @@ resource "random_string" "suffix" {
 }
 
 provider "google" {
-  project     = "${var.project_id}"
+  project = var.project_id
 }
 
 resource "google_compute_network" "main" {
   name                    = "cft-gke-test-${random_string.suffix.result}"
-  auto_create_subnetworks = "false"
+  auto_create_subnetworks = false
 }
 
 resource "google_compute_subnetwork" "main" {
   name          = "cft-gke-test-${random_string.suffix.result}"
   ip_cidr_range = "10.0.0.0/17"
-  region        = "${var.region}"
-  network       = "${google_compute_network.main.self_link}"
+  region        = var.region
+  network       = google_compute_network.main.self_link
 
   secondary_ip_range {
     range_name    = "cft-gke-test-pods-${random_string.suffix.result}"
@@ -45,3 +45,4 @@ resource "google_compute_subnetwork" "main" {
     ip_cidr_range = "192.168.64.0/18"
   }
 }
+
diff --git a/test/fixtures/simple_zonal_private/example.tf b/test/fixtures/simple_zonal_private/example.tf
index 6fd14c4c4c..0f8a4fc478 100644
--- a/test/fixtures/simple_zonal_private/example.tf
+++ b/test/fixtures/simple_zonal_private/example.tf
@@ -17,13 +17,14 @@
 module "example" {
   source = "../../../examples/simple_zonal_private"
 
-  project_id                     = "${var.project_id}"
+  project_id                     = var.project_id
   cluster_name_suffix            = "-${random_string.suffix.result}"
-  region                         = "${var.region}"
-  zones                          = ["${slice(var.zones,0,1)}"]
-  network                        = "${google_compute_network.main.name}"
-  subnetwork                     = "${google_compute_subnetwork.main.name}"
-  ip_range_pods                  = "${google_compute_subnetwork.main.secondary_ip_range.0.range_name}"
-  ip_range_services              = "${google_compute_subnetwork.main.secondary_ip_range.1.range_name}"
-  compute_engine_service_account = "${var.compute_engine_service_account}"
+  region                         = var.region
+  zones                          = slice(var.zones, 0, 1)
+  network                        = google_compute_network.main.name
+  subnetwork                     = google_compute_subnetwork.main.name
+  ip_range_pods                  = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+  ip_range_services              = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+  compute_engine_service_account = var.compute_engine_service_account
 }
+
diff --git a/test/fixtures/simple_zonal_private/network.tf b/test/fixtures/simple_zonal_private/network.tf
index 0f7492d884..c50c2d12d1 100644
--- a/test/fixtures/simple_zonal_private/network.tf
+++ b/test/fixtures/simple_zonal_private/network.tf
@@ -21,21 +21,21 @@ resource "random_string" "suffix" {
 }
 
 provider "google-beta" {
-  project     = "${var.project_id}"
+  project = var.project_id
 }
 
 resource "google_compute_network" "main" {
-  project                 = "${var.project_id}"
+  project                 = var.project_id
   name                    = "cft-gke-test-${random_string.suffix.result}"
-  auto_create_subnetworks = "false"
+  auto_create_subnetworks = false
 }
 
 resource "google_compute_subnetwork" "main" {
-  project       = "${var.project_id}"
+  project       = var.project_id
   name          = "cft-gke-test-${random_string.suffix.result}"
   ip_cidr_range = "10.0.0.0/17"
-  region        = "${var.region}"
-  network       = "${google_compute_network.main.self_link}"
+  region        = var.region
+  network       = google_compute_network.main.self_link
 
   secondary_ip_range {
     range_name    = "cft-gke-test-pods-${random_string.suffix.result}"
@@ -47,3 +47,4 @@ resource "google_compute_subnetwork" "main" {
     ip_cidr_range = "192.168.64.0/18"
   }
 }
+
diff --git a/test/fixtures/stub_domains/example.tf b/test/fixtures/stub_domains/example.tf
index 1072411867..32cb31460e 100644
--- a/test/fixtures/stub_domains/example.tf
+++ b/test/fixtures/stub_domains/example.tf
@@ -17,12 +17,13 @@
 module "example" {
   source = "../../../examples/stub_domains"
 
-  project_id                     = "${var.project_id}"
+  project_id                     = var.project_id
   cluster_name_suffix            = "-${random_string.suffix.result}"
-  region                         = "${var.region}"
-  network                        = "${google_compute_network.main.name}"
-  subnetwork                     = "${google_compute_subnetwork.main.name}"
-  ip_range_pods                  = "${google_compute_subnetwork.main.secondary_ip_range.0.range_name}"
-  ip_range_services              = "${google_compute_subnetwork.main.secondary_ip_range.1.range_name}"
-  compute_engine_service_account = "${var.compute_engine_service_account}"
+  region                         = var.region
+  network                        = google_compute_network.main.name
+  subnetwork                     = google_compute_subnetwork.main.name
+  ip_range_pods                  = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+  ip_range_services              = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+  compute_engine_service_account = var.compute_engine_service_account
 }
+
diff --git a/test/fixtures/stub_domains/network.tf b/test/fixtures/stub_domains/network.tf
index 2dfbf2d9b2..e1292eae3b 100644
--- a/test/fixtures/stub_domains/network.tf
+++ b/test/fixtures/stub_domains/network.tf
@@ -21,19 +21,19 @@ resource "random_string" "suffix" {
 }
 
 provider "google" {
-  project     = "${var.project_id}"
+  project = var.project_id
 }
 
 resource "google_compute_network" "main" {
   name                    = "cft-gke-test-${random_string.suffix.result}"
-  auto_create_subnetworks = "false"
+  auto_create_subnetworks = false
 }
 
 resource "google_compute_subnetwork" "main" {
   name          = "cft-gke-test-${random_string.suffix.result}"
   ip_cidr_range = "10.0.0.0/17"
-  region        = "${var.region}"
-  network       = "${google_compute_network.main.self_link}"
+  region        = var.region
+  network       = google_compute_network.main.self_link
 
   secondary_ip_range {
     range_name    = "cft-gke-test-pods-${random_string.suffix.result}"
@@ -45,3 +45,4 @@ resource "google_compute_subnetwork" "main" {
     ip_cidr_range = "192.168.64.0/18"
   }
 }
+
diff --git a/test/fixtures/stub_domains_private/main.tf b/test/fixtures/stub_domains_private/main.tf
index 291e77fe71..101aac220a 100644
--- a/test/fixtures/stub_domains_private/main.tf
+++ b/test/fixtures/stub_domains_private/main.tf
@@ -23,17 +23,17 @@ resource "random_string" "suffix" {
 resource "google_compute_network" "main" {
   name = "cft-gke-test-${random_string.suffix.result}"
 
-  auto_create_subnetworks = "false"
-  project                 = "${var.project_id}"
+  auto_create_subnetworks = false
+  project                 = var.project_id
 }
 
 resource "google_compute_subnetwork" "main" {
   ip_cidr_range = "10.0.0.0/17"
   name          = "cft-gke-test-${random_string.suffix.result}"
-  network       = "${google_compute_network.main.self_link}"
+  network       = google_compute_network.main.self_link
 
-  project = "${var.project_id}"
-  region  = "${var.region}"
+  project = var.project_id
+  region  = var.region
 
   secondary_ip_range {
     range_name    = "cft-gke-test-pods-${random_string.suffix.result}"
@@ -49,12 +49,13 @@ resource "google_compute_subnetwork" "main" {
 module "example" {
   source = "../../../examples/stub_domains_private"
 
-  compute_engine_service_account = "${var.compute_engine_service_account}"
-  ip_range_pods                  = "${google_compute_subnetwork.main.secondary_ip_range.0.range_name}"
-  ip_range_services              = "${google_compute_subnetwork.main.secondary_ip_range.1.range_name}"
-  network                        = "${google_compute_network.main.name}"
-  project_id                     = "${var.project_id}"
+  compute_engine_service_account = var.compute_engine_service_account
+  ip_range_pods                  = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+  ip_range_services              = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+  network                        = google_compute_network.main.name
+  project_id                     = var.project_id
   cluster_name_suffix            = "-${random_string.suffix.result}"
-  region                         = "${var.region}"
-  subnetwork                     = "${google_compute_subnetwork.main.name}"
+  region                         = var.region
+  subnetwork                     = google_compute_subnetwork.main.name
 }
+
diff --git a/test/make.sh b/test/make.sh
index 0336b71467..749bafb927 100755
--- a/test/make.sh
+++ b/test/make.sh
@@ -45,11 +45,12 @@ function docker() {
 # files ending in '.tf'
 function check_terraform() {
   echo "Running terraform validate"
-  #shellcheck disable=SC2156
-  find . -name "*.tf" -not -path "./autogen/*" -not -path "./test/fixtures/shared/*" -not -path "./test/fixtures/all_examples/*" -exec bash -c 'terraform validate --check-variables=false $(dirname "{}")' \;
-  echo "Running terraform fmt"
-  #shellcheck disable=SC2156
-  find . -name "*.tf" -not -path "./autogen/*" -not -path "./test/fixtures/shared/*" -not -path "./test/fixtures/all_examples/*" -exec bash -c 'terraform fmt -check=true -write=false "{}"' \;
+  find . -name "*.tf" \
+    -not -path "./autogen/*" \
+    -not -path "./test/fixtures/all_examples/*" \
+    -not -path "./test/fixtures/shared/*" \
+    -print0 \
+    | xargs -0 dirname | sort | uniq | xargs -L 1 -i{} bash -c 'terraform init "{}" > /dev/null && terraform validate "{}" && terraform fmt -check=true -write=false "{}"'
 }
 
 # This function runs 'go fmt' and 'go vet' on every file
diff --git a/variables.tf b/variables.tf
index 2723a39df5..087227c0d1 100644
--- a/variables.tf
+++ b/variables.tf
@@ -17,58 +17,68 @@
 // This file was automatically generated from a template in ./autogen
 
 variable "project_id" {
+  type        = string
   description = "The project ID to host the cluster in (required)"
 }
 
 variable "name" {
+  type        = string
   description = "The name of the cluster (required)"
 }
 
 variable "description" {
+  type        = string
   description = "The description of the cluster"
   default     = ""
 }
 
 variable "regional" {
+  type        = bool
   description = "Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!)"
   default     = true
 }
 
 variable "region" {
+  type        = string
   description = "The region to host the cluster in (required)"
 }
 
 variable "zones" {
-  type        = "list"
+  type        = list(string)
   description = "The zones to host the cluster in (optional if regional cluster / required if zonal)"
-  default     = [""]
+  default     = []
 }
 
 variable "network" {
+  type        = string
   description = "The VPC network to host the cluster in (required)"
 }
 
 variable "network_project_id" {
+  type        = string
   description = "The project ID of the shared VPC's host (for shared vpc support)"
   default     = ""
 }
 
 variable "subnetwork" {
+  type        = string
   description = "The subnetwork to host the cluster in (required)"
 }
 
 variable "kubernetes_version" {
+  type        = string
   description = "The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region."
   default     = "latest"
 }
 
 variable "node_version" {
+  type        = string
   description = "The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation."
   default     = ""
 }
 
 variable "master_authorized_networks_config" {
-  type = "list"
+  type = list(object({ cidr_blocks = list(object({ cidr_block = string, display_name = string })) }))
 
   description = <<EOF
   The desired configuration options for master authorized networks. Omit the nested cidr_blocks attribute to disallow external access (except the cluster node IPs, which GKE automatically whitelists)
@@ -87,60 +97,71 @@ variable "master_authorized_networks_config" {
 }
 
 variable "horizontal_pod_autoscaling" {
+  type = bool
   description = "Enable horizontal pod autoscaling addon"
-  default     = true
+  default = true
 }
 
 variable "http_load_balancing" {
+  type = bool
   description = "Enable httpload balancer addon"
-  default     = true
+  default = true
 }
 
 variable "kubernetes_dashboard" {
+  type = bool
   description = "Enable kubernetes dashboard addon"
-  default     = false
+  default = false
 }
 
 variable "network_policy" {
+  type = bool
   description = "Enable network policy addon"
-  default     = false
+  default = false
 }
 
 variable "network_policy_provider" {
+  type = string
   description = "The network policy provider."
-  default     = "CALICO"
+  default = "CALICO"
 }
 
 variable "maintenance_start_time" {
+  type = string
   description = "Time window specified for daily maintenance operations in RFC3339 format"
-  default     = "05:00"
+  default = "05:00"
 }
 
 variable "ip_range_pods" {
+  type = string
   description = "The _name_ of the secondary subnet ip range to use for pods"
 }
 
 variable "ip_range_services" {
+  type = string
   description = "The _name_ of the secondary subnet range to use for services"
 }
 
 variable "initial_node_count" {
+  type = number
   description = "The number of nodes to create in this cluster's default node pool."
-  default     = 0
+  default = 0
 }
 
 variable "remove_default_node_pool" {
+  type = bool
   description = "Remove default node pool while setting up the cluster"
-  default     = false
+  default = false
 }
 
 variable "disable_legacy_metadata_endpoints" {
+  type = bool
   description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated."
-  default     = "true"
+  default = true
 }
 
 variable "node_pools" {
-  type        = "list"
+  type = list(map(string))
   description = "List of maps containing node pools"
 
   default = [
@@ -151,103 +172,111 @@ variable "node_pools" {
 }
 
 variable "node_pools_labels" {
-  type        = "map"
+  type = map(map(string))
   description = "Map of maps containing node labels by node-pool name"
 
   default = {
-    all               = {}
+    all = {}
     default-node-pool = {}
   }
 }
 
 variable "node_pools_metadata" {
-  type        = "map"
+  type = map(map(string))
   description = "Map of maps containing node metadata by node-pool name"
 
   default = {
-    all               = {}
+    all = {}
     default-node-pool = {}
   }
 }
 
 variable "node_pools_taints" {
-  type        = "map"
+  type = map(list(object({ key = string, value = string, effect = string })))
   description = "Map of lists containing node taints by node-pool name"
 
   default = {
-    all               = []
+    all = []
     default-node-pool = []
   }
 }
 
 variable "node_pools_tags" {
-  type        = "map"
+  type = map(list(string))
   description = "Map of lists containing node network tags by node-pool name"
 
   default = {
-    all               = []
+    all = []
     default-node-pool = []
   }
 }
 
 variable "node_pools_oauth_scopes" {
-  type        = "map"
+  type = map(list(string))
   description = "Map of lists containing node oauth scopes by node-pool name"
 
   default = {
-    all               = ["https://www.googleapis.com/auth/cloud-platform"]
+    all = ["https://www.googleapis.com/auth/cloud-platform"]
     default-node-pool = []
   }
 }
 
 variable "stub_domains" {
-  type        = "map"
+  type = map(list(string))
   description = "Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server"
-  default     = {}
+  default = {}
 }
 
 variable "non_masquerade_cidrs" {
-  type        = "list"
+  type = list(string)
   description = "List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading."
-  default     = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+  default = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
 }
 
 variable "ip_masq_resync_interval" {
+  type = string
   description = "The interval at which the agent attempts to sync its ConfigMap file from the disk."
-  default     = "60s"
+  default = "60s"
 }
 
 variable "ip_masq_link_local" {
+  type = bool
   description = "Whether to masquerade traffic to the link-local prefix (169.254.0.0/16)."
-  default     = "false"
+  default = false
 }
 
 variable "logging_service" {
+  type = string
   description = "The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none"
-  default     = "logging.googleapis.com"
+  default = "logging.googleapis.com"
 }
 
 variable "monitoring_service" {
+  type = string
   description = "The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none"
-  default     = "monitoring.googleapis.com"
+  default = "monitoring.googleapis.com"
 }
 
 variable "service_account" {
+  type = string
   description = "The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created."
-  default     = "create"
+  default = "create"
 }
 
 variable "basic_auth_username" {
+  type = string
   description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration."
-  default     = ""
+  default = ""
 }
 
 variable "basic_auth_password" {
+  type = string
   description = "The password to be used with Basic Authentication."
-  default     = ""
+  default = ""
 }
 
 variable "issue_client_certificate" {
+  type = bool
   description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"
-  default     = "false"
+  default = false
 }
diff --git a/versions.tf b/versions.tf
new file mode 100644
index 0000000000..ac97c6ac8e
--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+  required_version = ">= 0.12"
+}