From 46ce68a280f42a3690a4a2534feb8e38412f34bd Mon Sep 17 00:00:00 2001
From: schaudha <85546209+schaudha@users.noreply.github.com>
Date: Wed, 25 Oct 2023 18:38:05 +0530
Subject: [PATCH] Terraform Upgrade in Automate HA (#8253)

* Syntax changes related to 1.5

* Added comment

Signed-off-by: Sushil Chaudhari <sushil.chaudhari@progress.com>

* Annotated the output value as sensitive

Signed-off-by: Sushil Chaudhari <sushil.chaudhari@progress.com>

* Made custome changes in package

Signed-off-by: Sushil Chaudhari <sushil.chaudhari@progress.com>

* Made custome changes to accomodate terraform

Signed-off-by: Sushil Chaudhari <sushil.chaudhari@progress.com>

* Added a new terraform package

Signed-off-by: Sushil Chaudhari <sushil.chaudhari@progress.com>

* Rewrote all Terraform configuration files to a canonical format

Signed-off-by: Sushil Chaudhari <sushil.chaudhari@progress.com>

* Changed to the hab pinned version

Signed-off-by: Sushil Chaudhari <sushil.chaudhari@progress.com>

* Reverted to its origin

Signed-off-by: Sushil Chaudhari <sushil.chaudhari@progress.com>

* Sorted terraform variables

Signed-off-by: Sushil Chaudhari <sushil.chaudhari@progress.com>

---------

Signed-off-by: Sushil Chaudhari <sushil.chaudhari@progress.com>
---
 .../habitat/hooks/install                     |   2 +-
 .../habitat/plan.sh                           |   4 +-
 .../automate-cluster-ctl/habitat/plan.sh      |   2 +-
 terraform/a2ha-terraform/destroy/aws/main.tf  |   6 +-
 .../modules/airgap_bundle/inputs.tf           |   2 +-
 .../modules/airgap_bundle/main.tf             |  16 +--
 terraform/a2ha-terraform/modules/aws/main.tf  | 109 +++++++-----------
 .../aws/opensearch_snapshot_registry.tf       |  30 ++---
 .../a2ha-terraform/modules/aws/outputs.tf     |   3 +-
 .../a2ha-terraform/modules/aws/security.tf    |  36 +++---
 .../modules/aws_metadata/output.tf            |   2 +-
 .../a2ha-terraform/modules/aws_output/main.tf |  56 ++++-----
 terraform/a2ha-terraform/modules/efs/main.tf  |   4 +-
 .../modules/elasticsearch/main.tf             |   8 +-
 .../modules/opensearch/inputs.tf              |   2 +-
 .../a2ha-terraform/modules/opensearch/main.tf |   4 +-
 .../modules/postgresql/inputs.tf              |   2 +-
 .../a2ha-terraform/modules/postgresql/main.tf |   2 +-
 .../a2ha-terraform/modules/system/main.tf     |  12 +-
 .../a2ha-terraform/modules/vsphere/main.tf    |   4 +-
 .../reference_architectures/aws/outputs.tf    |   3 +-
 .../reference_architectures/aws/variables.tf  |   6 +-
 .../deployment/variables.tf                   |  10 +-
 23 files changed, 155 insertions(+), 170 deletions(-)

diff --git a/components/automate-backend-deployment/habitat/hooks/install b/components/automate-backend-deployment/habitat/hooks/install
index e532ae0b70d..f5cd2792a35 100644
--- a/components/automate-backend-deployment/habitat/hooks/install
+++ b/components/automate-backend-deployment/habitat/hooks/install
@@ -1,7 +1,7 @@
 #!{{pkgPathFor "core/bash"}}/bin/bash
 
 hab pkg binlink chef/inspec -f
-hab pkg binlink core/terraform -f
+hab pkg binlink core/terraform1 -f
 hab pkg binlink core/jq-static -f
 hab pkg binlink chef/automate-ha-cluster-ctl -f
 NEW_WORKSPACE="{{pkg.path}}/workspace"
diff --git a/components/automate-backend-deployment/habitat/plan.sh b/components/automate-backend-deployment/habitat/plan.sh
index f55152d67d4..24b2da1a53e 100644
--- a/components/automate-backend-deployment/habitat/plan.sh
+++ b/components/automate-backend-deployment/habitat/plan.sh
@@ -21,8 +21,8 @@ pkg_deps=(
   core/make
   core/curl
   core/rsync
-  core/terraform/0.14.8/20210826165930
-  core/busybox-static
+  core/terraform1
+  core/busybox-static  
   chef/automate-ha-cluster-ctl
 )
 
diff --git a/components/automate-cluster-ctl/habitat/plan.sh b/components/automate-cluster-ctl/habitat/plan.sh
index 6547f5c3775..79a492be786 100644
--- a/components/automate-cluster-ctl/habitat/plan.sh
+++ b/components/automate-cluster-ctl/habitat/plan.sh
@@ -22,7 +22,7 @@ pkg_deps=(
   core/make
   core/curl
   core/rsync
-  core/terraform/0.14.8/20210826165930
+  core/terraform1
   core/hab/1.6.521/20220603154827
 )
 
diff --git a/terraform/a2ha-terraform/destroy/aws/main.tf b/terraform/a2ha-terraform/destroy/aws/main.tf
index 1c798d826e3..f3e09ba3a3b 100644
--- a/terraform/a2ha-terraform/destroy/aws/main.tf
+++ b/terraform/a2ha-terraform/destroy/aws/main.tf
@@ -4,7 +4,7 @@ provider "aws" {
 }
 
 module "aws_metadata" {
-  source     = "../../modules/aws_metadata"
+  source = "../../modules/aws_metadata"
 }
 
 module "aws" {
@@ -38,7 +38,7 @@ module "aws" {
   opensearch_ebs_volume_size      = var.opensearch_ebs_volume_size
   opensearch_ebs_volume_type      = var.opensearch_ebs_volume_type
   opensearch_instance_count       = var.opensearch_instance_count
-  opensearch_listen_port           = var.opensearch_listen_port
+  opensearch_listen_port          = var.opensearch_listen_port
   opensearch_server_instance_type = var.opensearch_server_instance_type
   pgleaderchk_listen_port         = var.pgleaderchk_listen_port
   postgresql_ebs_volume_iops      = var.postgresql_ebs_volume_iops
@@ -94,6 +94,6 @@ module "aws-output" {
   postgresql_private_ips  = module.aws.postgresql_private_ips
   opensearch_private_ips  = module.aws.opensearch_private_ips
   automate_fqdn           = module.aws.automate_fqdn
-  automate_frontend_url  = module.aws.automate_frontend_url
+  automate_frontend_url   = module.aws.automate_frontend_url
   bucket_name             = var.backup_config_s3 == "true" ? module.s3[0].bucket_name : ""
 }
diff --git a/terraform/a2ha-terraform/modules/airgap_bundle/inputs.tf b/terraform/a2ha-terraform/modules/airgap_bundle/inputs.tf
index 580e6ff14fa..5006f06aea2 100644
--- a/terraform/a2ha-terraform/modules/airgap_bundle/inputs.tf
+++ b/terraform/a2ha-terraform/modules/airgap_bundle/inputs.tf
@@ -2,7 +2,7 @@ variable "archive_disk_info" {
 }
 
 variable "bundle_files" {
-  default = []
+  default     = []
   description = "Array of hashs for bundle files, hash should have a source and destination key"
 }
 
diff --git a/terraform/a2ha-terraform/modules/airgap_bundle/main.tf b/terraform/a2ha-terraform/modules/airgap_bundle/main.tf
index 7e70f081549..64d4b544a32 100644
--- a/terraform/a2ha-terraform/modules/airgap_bundle/main.tf
+++ b/terraform/a2ha-terraform/modules/airgap_bundle/main.tf
@@ -1,21 +1,21 @@
 locals {
   checksum_info = [
-    for bundle in var.bundle_files:
+    for bundle in var.bundle_files :
     format("%s %s",
       element(split(" ", file("transfer_files/${bundle.source}.md5")), 0),
       bundle.destination
     )
   ]
   rsync_files = [
-    for bundle in var.bundle_files:
+    for bundle in var.bundle_files :
     format("%s,%s", bundle.source, bundle.destination)
   ]
   airgap_info = templatefile("${path.module}/templates/airgap.info.tpl", {
-    archive_disk_info      = var.archive_disk_info,
-    files                  = join(",", local.rsync_files),
-    instance_count         = var.instance_count,
-    tmp_path               = var.tmp_path,
-    checksums              = join("\n", local.checksum_info)
+    archive_disk_info = var.archive_disk_info,
+    files             = join(",", local.rsync_files),
+    instance_count    = var.instance_count,
+    tmp_path          = var.tmp_path,
+    checksums         = join("\n", local.checksum_info)
   })
 }
 
@@ -30,7 +30,7 @@ resource "null_resource" "rsync" {
   }
 
   triggers = {
-    template = local.airgap_info
+    template   = local.airgap_info
     always_run = timestamp()
   }
 
diff --git a/terraform/a2ha-terraform/modules/aws/main.tf b/terraform/a2ha-terraform/modules/aws/main.tf
index 5f6b0bb3071..07bf8632e26 100644
--- a/terraform/a2ha-terraform/modules/aws/main.tf
+++ b/terraform/a2ha-terraform/modules/aws/main.tf
@@ -9,23 +9,23 @@ data "aws_vpc" "default" {
   id = var.aws_vpc_id
 }
 
-locals {                                                            
+locals {
   private_subnet_ids_string = join(",", var.private_custom_subnets)
-  private_subnet_ids_list = split(",", local.private_subnet_ids_string)             
+  private_subnet_ids_list   = split(",", local.private_subnet_ids_string)
 }
 
-data "aws_subnet" "default" {                                  
-  count = length(var.private_custom_subnets) > 0 ? 3 : 0            
+data "aws_subnet" "default" {
+  count = length(var.private_custom_subnets) > 0 ? 3 : 0
   id    = local.private_subnet_ids_list[count.index]
 }
 
-locals {                                                            
+locals {
   public_subnet_ids_string = join(",", var.public_custom_subnets)
-  public_subnet_ids_list = split(",", local.public_subnet_ids_string)             
+  public_subnet_ids_list   = split(",", local.public_subnet_ids_string)
 }
 
-data "aws_subnet" "public" {                                  
-  count = length(var.public_custom_subnets) > 0 ? 3 : 0            
+data "aws_subnet" "public" {
+  count = length(var.public_custom_subnets) > 0 ? 3 : 0
   id    = local.public_subnet_ids_list[count.index]
 }
 
@@ -42,7 +42,7 @@ resource "aws_subnet" "default" {
   cidr_block        = cidrsubnet("${var.aws_cidr_block_addr}/18", 8, count.index + 1)
   availability_zone = data.aws_availability_zones.available.names[count.index]
 
-  tags = merge(var.tags, map("Name", "${var.tag_name}_${random_id.random.hex}_${data.aws_availability_zones.available.names[count.index]}_private"))
+  tags = merge(var.tags, tomap({ "Name" = "${var.tag_name}_${random_id.random.hex}_${data.aws_availability_zones.available.names[count.index]}_private" }))
 }
 
 resource "aws_subnet" "public" {
@@ -52,96 +52,97 @@ resource "aws_subnet" "public" {
   availability_zone       = data.aws_availability_zones.available.names[count.index]
   map_public_ip_on_launch = true
 
-  tags = merge(var.tags, map("Name", "${var.tag_name}_${random_id.random.hex}_${data.aws_availability_zones.available.names[count.index]}_public"))
+  tags = merge(var.tags, tomap({ "Name" = "${var.tag_name}_${random_id.random.hex}_${data.aws_availability_zones.available.names[count.index]}_public" }))
 }
 
+
 resource "aws_eip" "eip1" {
-  count                   = (length(var.public_custom_subnets) == 0 && var.aws_cidr_block_addr != "") ? 1 : 0
-  vpc              = true
+  count            = (length(var.public_custom_subnets) == 0 && var.aws_cidr_block_addr != "") ? 1 : 0
+  domain           = "vpc" # changed in new version
   public_ipv4_pool = "amazon"
 
-  tags = merge(var.tags, map("Name", "${var.tag_name}_${random_id.random.hex}_eip"))
+  tags = merge(var.tags, tomap({ "Name" = "${var.tag_name}_${random_id.random.hex}_eip" }))
 }
 
 resource "aws_eip" "eip2" {
-  count                   = (length(var.public_custom_subnets) == 0 && var.aws_cidr_block_addr != "") ? 1 : 0
-  vpc              = true
+  count            = (length(var.public_custom_subnets) == 0 && var.aws_cidr_block_addr != "") ? 1 : 0
+  domain           = "vpc"
   public_ipv4_pool = "amazon"
 
-  tags = merge(var.tags, map("Name", "${var.tag_name}_${random_id.random.hex}_eip"))
+  tags = merge(var.tags, tomap({ "Name" = "${var.tag_name}_${random_id.random.hex}_eip" }))
 }
 
 resource "aws_eip" "eip3" {
-  count                   = (length(var.public_custom_subnets) == 0 && var.aws_cidr_block_addr != "") ? 1 : 0
-  vpc              = true
+  count            = (length(var.public_custom_subnets) == 0 && var.aws_cidr_block_addr != "") ? 1 : 0
+  domain           = "vpc"
   public_ipv4_pool = "amazon"
 
-  tags = merge(var.tags, map("Name", "${var.tag_name}_${random_id.random.hex}_eip"))
+  tags = merge(var.tags, tomap({ "Name" = "${var.tag_name}_${random_id.random.hex}_eip" }))
 }
 
 resource "aws_nat_gateway" "nat1" {
-  count                   = (length(var.public_custom_subnets) == 0 && var.aws_cidr_block_addr != "") ? 1 : 0
+  count         = (length(var.public_custom_subnets) == 0 && var.aws_cidr_block_addr != "") ? 1 : 0
   allocation_id = aws_eip.eip1[0].id
   subnet_id     = aws_subnet.public[0].id
 
-  tags = merge(var.tags, map("Name", "${var.tag_name}_${random_id.random.hex}_nat_gw"))
+  tags = merge(var.tags, tomap({ "Name" = "${var.tag_name}_${random_id.random.hex}_nat_gw" }))
 
   depends_on = [data.aws_internet_gateway.default]
 }
 
 resource "aws_nat_gateway" "nat2" {
-  count                   = (length(var.public_custom_subnets) == 0 && var.aws_cidr_block_addr != "") ? 1 : 0
+  count         = (length(var.public_custom_subnets) == 0 && var.aws_cidr_block_addr != "") ? 1 : 0
   allocation_id = aws_eip.eip2[0].id
   subnet_id     = aws_subnet.public[1].id
 
-  tags = merge(var.tags, map("Name", "${var.tag_name}_${random_id.random.hex}_nat_gw"))
+  tags = merge(var.tags, tomap({ "Name" = "${var.tag_name}_${random_id.random.hex}_nat_gw" }))
 
   depends_on = [data.aws_internet_gateway.default]
 }
 
 resource "aws_nat_gateway" "nat3" {
-  count                   = (length(var.public_custom_subnets) == 0 && var.aws_cidr_block_addr != "") ? 1 : 0
+  count         = (length(var.public_custom_subnets) == 0 && var.aws_cidr_block_addr != "") ? 1 : 0
   allocation_id = aws_eip.eip3[0].id
   subnet_id     = aws_subnet.public[2].id
 
-  tags = merge(var.tags, map("Name", "${var.tag_name}_${random_id.random.hex}_nat_gw"))
+  tags = merge(var.tags, tomap({ "Name" = "${var.tag_name}_${random_id.random.hex}_nat_gw" }))
 
   depends_on = [data.aws_internet_gateway.default]
 }
 
 resource "aws_route_table" "route1" {
-  count                   = (length(var.public_custom_subnets) == 0 && var.aws_cidr_block_addr != "") ? 1 : 0
+  count  = (length(var.public_custom_subnets) == 0 && var.aws_cidr_block_addr != "") ? 1 : 0
   vpc_id = data.aws_vpc.default.id
   route {
     cidr_block     = "0.0.0.0/0"
     nat_gateway_id = aws_nat_gateway.nat1[0].id
   }
 
-  tags = merge(var.tags, map("Name", "${var.tag_name}_${random_id.random.hex}_route_table"))
+  tags = merge(var.tags, tomap({ "Name" = "${var.tag_name}_${random_id.random.hex}_route_table" }))
 
 }
 
 resource "aws_route_table" "route2" {
-  count                   = (length(var.public_custom_subnets) == 0 && var.aws_cidr_block_addr != "") ? 1 : 0
+  count  = (length(var.public_custom_subnets) == 0 && var.aws_cidr_block_addr != "") ? 1 : 0
   vpc_id = data.aws_vpc.default.id
   route {
     cidr_block     = "0.0.0.0/0"
     nat_gateway_id = aws_nat_gateway.nat2[0].id
   }
 
-  tags = merge(var.tags, map("Name", "${var.tag_name}_${random_id.random.hex}_route_table"))
+  tags = merge(var.tags, tomap({ "Name" = "${var.tag_name}_${random_id.random.hex}_route_table" }))
 
 }
 
 resource "aws_route_table" "route3" {
-  count                   = (length(var.public_custom_subnets) == 0 && var.aws_cidr_block_addr != "") ? 1 : 0
+  count  = (length(var.public_custom_subnets) == 0 && var.aws_cidr_block_addr != "") ? 1 : 0
   vpc_id = data.aws_vpc.default.id
   route {
     cidr_block     = "0.0.0.0/0"
     nat_gateway_id = aws_nat_gateway.nat3[0].id
   }
 
-  tags = merge(var.tags, map("Name", "${var.tag_name}_${random_id.random.hex}_route_table"))
+  tags = merge(var.tags, tomap({ "Name" = "${var.tag_name}_${random_id.random.hex}_route_table" }))
 
 }
 
@@ -193,17 +194,10 @@ resource "aws_instance" "chef_automate_postgresql" {
     iops                  = var.postgresql_ebs_volume_type == "io1" ? var.postgresql_ebs_volume_iops : 0
     volume_size           = var.postgresql_ebs_volume_size
     volume_type           = var.postgresql_ebs_volume_type
-    tags = merge(var.tags,map("Name",format("${var.tag_name}_${random_id.random.hex}_chef_automate_postgresql_%02d", count.index + 1)))
+    tags                  = merge(var.tags, tomap({ "Name" = format("${var.tag_name}_${random_id.random.hex}_chef_automate_postgresql_%02d", count.index + 1) }))
   }
 
-  tags = merge(var.tags,
-    map("Name",
-      format(
-        "${var.tag_name}_${random_id.random.hex}_chef_automate_postgresql_%02d",
-        count.index + 1
-      )
-    )
-  )
+  tags = merge(var.tags, tomap({ "Name" = format("${var.tag_name}_${random_id.random.hex}_chef_automate_postgresql_%02d", count.index + 1) }))
   lifecycle {
     ignore_changes = [
       tags,
@@ -217,7 +211,7 @@ resource "aws_instance" "chef_automate_postgresql" {
     http_tokens            = "required"
     instance_metadata_tags = "enabled"
   }
-  depends_on = [aws_route_table.route1,aws_route_table.route2,aws_route_table.route3]
+  depends_on = [aws_route_table.route1, aws_route_table.route2, aws_route_table.route3]
 
 }
 resource "aws_instance" "chef_automate_opensearch" {
@@ -237,15 +231,10 @@ resource "aws_instance" "chef_automate_opensearch" {
     iops                  = var.opensearch_ebs_volume_type == "io1" ? var.opensearch_ebs_volume_iops : 0
     volume_size           = var.opensearch_ebs_volume_size
     volume_type           = var.opensearch_ebs_volume_type
-    tags = merge(var.tags,map("Name",format("${var.tag_name}_${random_id.random.hex}_chef_automate_opensearch_%02d", count.index + 1)))
+    tags                  = merge(var.tags, tomap({ "Name" = format("${var.tag_name}_${random_id.random.hex}_chef_automate_opensearch_%02d", count.index + 1) }))
   }
 
-  tags = merge(
-    var.tags,
-    map("Name",
-      format("${var.tag_name}_${random_id.random.hex}_chef_automate_opensearch_%02d", count.index + 1)
-    )
-  )
+  tags = merge(var.tags, tomap({ "Name" = format("${var.tag_name}_${random_id.random.hex}_chef_automate_opensearch_%02d", count.index + 1) }))
   lifecycle {
     ignore_changes = [
       tags,
@@ -259,7 +248,7 @@ resource "aws_instance" "chef_automate_opensearch" {
     http_tokens            = "required"
     instance_metadata_tags = "enabled"
   }
-  depends_on = [aws_route_table.route1,aws_route_table.route2,aws_route_table.route3]
+  depends_on = [aws_route_table.route1, aws_route_table.route2, aws_route_table.route3]
 
 }
 
@@ -280,15 +269,10 @@ resource "aws_instance" "chef_automate" {
     iops                  = var.automate_ebs_volume_type == "io1" ? var.automate_ebs_volume_iops : 0
     volume_size           = var.automate_ebs_volume_size
     volume_type           = var.automate_ebs_volume_type
-    tags = merge(var.tags,map("Name",format("${var.tag_name}_${random_id.random.hex}_chef_automate_%02d", count.index + 1)))
+    tags                  = merge(var.tags, tomap({ "Name" = format("${var.tag_name}_${random_id.random.hex}_chef_automate_%02d", count.index + 1) }))
   }
 
-  tags = merge(
-    var.tags,
-    map("Name",
-      format("${var.tag_name}_${random_id.random.hex}_chef_automate_%02d", count.index + 1)
-    )
-  )
+  tags = merge(var.tags, tomap({ "Name" = format("${var.tag_name}_${random_id.random.hex}_chef_automate_%02d", count.index + 1) }))
 
   lifecycle {
     ignore_changes = [
@@ -303,7 +287,7 @@ resource "aws_instance" "chef_automate" {
     http_tokens            = "required"
     instance_metadata_tags = "enabled"
   }
-  depends_on = [aws_route_table.route1,aws_route_table.route2,aws_route_table.route3]
+  depends_on = [aws_route_table.route1, aws_route_table.route2, aws_route_table.route3]
 
 }
 
@@ -325,15 +309,10 @@ resource "aws_instance" "chef_server" {
     iops                  = var.chef_ebs_volume_type == "io1" ? var.chef_ebs_volume_iops : 0
     volume_size           = var.chef_ebs_volume_size
     volume_type           = var.chef_ebs_volume_type
-    tags = merge(var.tags,map("Name",format("${var.tag_name}_${random_id.random.hex}_chef_server_%02d", count.index + 1)))
+    tags                  = merge(var.tags, tomap({ "Name" = format("${var.tag_name}_${random_id.random.hex}_chef_server_%02d", count.index + 1) }))
   }
 
-  tags = merge(
-    var.tags,
-    map("Name",
-      format("${var.tag_name}_${random_id.random.hex}_chef_server_%02d", count.index + 1)
-    )
-  )
+  tags = merge(var.tags, tomap({ "Name" = format("${var.tag_name}_${random_id.random.hex}_chef_server_%02d", count.index + 1) }))
 
   lifecycle {
     ignore_changes = [
@@ -348,6 +327,6 @@ resource "aws_instance" "chef_server" {
     http_tokens            = "required"
     instance_metadata_tags = "enabled"
   }
-  depends_on = [aws_route_table.route1,aws_route_table.route2,aws_route_table.route3]
+  depends_on = [aws_route_table.route1, aws_route_table.route2, aws_route_table.route3]
 
 }
diff --git a/terraform/a2ha-terraform/modules/aws/opensearch_snapshot_registry.tf b/terraform/a2ha-terraform/modules/aws/opensearch_snapshot_registry.tf
index 70a4b281e50..ad171f961a0 100644
--- a/terraform/a2ha-terraform/modules/aws/opensearch_snapshot_registry.tf
+++ b/terraform/a2ha-terraform/modules/aws/opensearch_snapshot_registry.tf
@@ -1,5 +1,5 @@
 resource "aws_iam_policy" "s3_access_policy" {
-  count       =  var.aws_os_snapshot_role_arn != "" ? 0 : 1 
+  count       = var.aws_os_snapshot_role_arn != "" ? 0 : 1
   name        = "automate-os-snapshot-access-policy-${random_id.random.hex}"
   path        = "/"
   description = "Policy to provide s3 access for AWS OS snapshots"
@@ -20,12 +20,12 @@ resource "aws_iam_policy" "s3_access_policy" {
 POLICY
 
   tags = merge(var.tags,
-    map("X-Application", "automate-opensearch")
+    tomap({ "X-Application" = "automate-opensearch" })
   )
 }
 
 resource "aws_iam_role" "pass_es_role" {
-  count               =  var.aws_os_snapshot_role_arn != "" ? 0 : 1
+  count               = var.aws_os_snapshot_role_arn != "" ? 0 : 1
   name                = "automate-pass-es-role-${random_id.random.hex}"
   assume_role_policy  = <<TRUSTPOLICY
 {
@@ -46,13 +46,13 @@ resource "aws_iam_role" "pass_es_role" {
 TRUSTPOLICY
   managed_policy_arns = [aws_iam_policy.s3_access_policy[0].arn]
   tags = merge(var.tags,
-    map("X-Application", "automate-opensearch")
+    tomap({ "X-Application" = "automate-opensearch" })
   )
 
 }
 
 resource "aws_iam_policy" "pass_es_role_policy" {
-  count       =  var.aws_os_snapshot_role_arn != "" ? 0 : 1
+  count       = var.aws_os_snapshot_role_arn != "" ? 0 : 1
   name        = "pass-es-role-policy-${random_id.random.hex}"
   path        = "/"
   description = "Policy to pass ES access for Snapshot registry"
@@ -74,44 +74,44 @@ resource "aws_iam_policy" "pass_es_role_policy" {
 }
 POLICY
   tags = merge(var.tags,
-    map("X-Application", "automate-opensearch")
+    tomap({ "X-Application" = "automate-opensearch" })
   )
 
 }
 
 resource "aws_iam_role_policy_attachment" "s3_policy_attachment" {
-  count      =  var.aws_os_snapshot_role_arn != "" ? 0 : 1
+  count      = var.aws_os_snapshot_role_arn != "" ? 0 : 1
   role       = aws_iam_role.pass_es_role[0].name
   policy_arn = aws_iam_policy.s3_access_policy[0].arn
 }
 
 resource "aws_iam_role_policy_attachment" "assume_role_policy_attachment" {
-  count      =  var.aws_os_snapshot_role_arn != "" ? 0 : 1
+  count      = var.aws_os_snapshot_role_arn != "" ? 0 : 1
   role       = aws_iam_role.pass_es_role[0].name
   policy_arn = aws_iam_policy.pass_es_role_policy[0].arn
 }
 
 resource "aws_iam_user" "snap_reg_user" {
-  count  =  var.os_snapshot_user_access_key_id != "" ? 0 : 1
-  name = "automate-os-snapshot-user-${random_id.random.hex}"
+  count = var.os_snapshot_user_access_key_id != "" ? 0 : 1
+  name  = "automate-os-snapshot-user-${random_id.random.hex}"
   tags = merge(var.tags,
-    map("X-Application", "automate-opensearch")
+    tomap({ "X-Application" = "automate-opensearch" })
   )
 }
 
 resource "aws_iam_user_policy_attachment" "snap_reg_user_policy_attachment" {
-  count      =  var.os_snapshot_user_access_key_id != "" ? 0 : 1
+  count      = var.os_snapshot_user_access_key_id != "" ? 0 : 1
   user       = aws_iam_user.snap_reg_user[0].name
   policy_arn = aws_iam_policy.s3_access_policy[0].arn
 }
 
 resource "aws_iam_user_policy_attachment" "assume_role_policy_attachment" {
-  count      =  var.os_snapshot_user_access_key_id != "" ? 0 : 1
+  count      = var.os_snapshot_user_access_key_id != "" ? 0 : 1
   user       = aws_iam_user.snap_reg_user[0].name
   policy_arn = aws_iam_policy.pass_es_role_policy[0].arn
 }
 
 resource "aws_iam_access_key" "snap_reg_user_key" {
-  count  =  var.os_snapshot_user_access_key_id != "" ? 0 : 1
-  user   = aws_iam_user.snap_reg_user[0].name
+  count = var.os_snapshot_user_access_key_id != "" ? 0 : 1
+  user  = aws_iam_user.snap_reg_user[0].name
 }
diff --git a/terraform/a2ha-terraform/modules/aws/outputs.tf b/terraform/a2ha-terraform/modules/aws/outputs.tf
index d722dc28d55..6034af207c9 100644
--- a/terraform/a2ha-terraform/modules/aws/outputs.tf
+++ b/terraform/a2ha-terraform/modules/aws/outputs.tf
@@ -58,7 +58,8 @@ output "os_snapshot_user_access_key_id" {
 }
 
 output "os_snapshot_user_access_key_secret" {
-  value = var.os_snapshot_user_access_key_id != "" ? var.os_snapshot_user_access_key_secret : aws_iam_access_key.snap_reg_user_key[0].secret
+  sensitive = true
+  value     = var.os_snapshot_user_access_key_id != "" ? var.os_snapshot_user_access_key_secret : aws_iam_access_key.snap_reg_user_key[0].secret
 }
 
 output "random_id" {
diff --git a/terraform/a2ha-terraform/modules/aws/security.tf b/terraform/a2ha-terraform/modules/aws/security.tf
index c3c1fb59285..5ad0964f1a2 100644
--- a/terraform/a2ha-terraform/modules/aws/security.tf
+++ b/terraform/a2ha-terraform/modules/aws/security.tf
@@ -3,7 +3,7 @@ resource "aws_security_group" "base_linux" {
   description = "base security rules for all linux nodes"
   vpc_id      = data.aws_vpc.default.id
 
-  tags = merge(var.tags, map("Name", "${var.tag_name}_${random_id.random.hex}_linux_security_group"))
+  tags = merge(var.tags, tomap({ "Name" = "${var.tag_name}_${random_id.random.hex}_linux_security_group" }))
 }
 
 resource "aws_security_group" "habitat_supervisor" {
@@ -11,7 +11,7 @@ resource "aws_security_group" "habitat_supervisor" {
   description = "Security rules for the Habitat supervisor"
   vpc_id      = data.aws_vpc.default.id
 
-  tags = merge(var.tags, map("Name", "${var.tag_name}_${random_id.random.hex}_habsup_security_group"))
+  tags = merge(var.tags, tomap({ "Name" = "${var.tag_name}_${random_id.random.hex}_habsup_security_group" }))
 }
 
 resource "aws_security_group" "chef_automate" {
@@ -19,7 +19,7 @@ resource "aws_security_group" "chef_automate" {
   description = "Chef Automate Server"
   vpc_id      = data.aws_vpc.default.id
 
-  tags = merge(var.tags, map("Name", "${var.tag_name}_${random_id.random.hex}_automate_security_group"))
+  tags = merge(var.tags, tomap({ "Name" = "${var.tag_name}_${random_id.random.hex}_automate_security_group" }))
 }
 
 resource "aws_security_group" "chef_automate_ui" {
@@ -27,7 +27,7 @@ resource "aws_security_group" "chef_automate_ui" {
   description = "Chef Automate Server protocol"
   vpc_id      = data.aws_vpc.default.id
 
-  tags = merge(var.tags, map("Name", "${var.tag_name}_${random_id.random.hex}_automate_security_group"))
+  tags = merge(var.tags, tomap({ "Name" = "${var.tag_name}_${random_id.random.hex}_automate_security_group" }))
 }
 
 resource "aws_security_group" "efs_mount" {
@@ -35,7 +35,7 @@ resource "aws_security_group" "efs_mount" {
   description = "NFS for EFS"
   vpc_id      = data.aws_vpc.default.id
 
-  tags = merge(var.tags, map("Name", "${var.tag_name}_${random_id.random.hex}_efs_security_group"))
+  tags = merge(var.tags, tomap({ "Name" = "${var.tag_name}_${random_id.random.hex}_efs_security_group" }))
 }
 
 resource "aws_security_group" "load_balancer" {
@@ -43,7 +43,7 @@ resource "aws_security_group" "load_balancer" {
   description = "load_balancer rules for all linux nodes"
   vpc_id      = data.aws_vpc.default.id
 
-  tags = merge(var.tags, map("Name", "${var.tag_name}_${random_id.random.hex}_linux_security_group"))
+  tags = merge(var.tags, tomap({ "Name" = "${var.tag_name}_${random_id.random.hex}_linux_security_group" }))
 }
 
 //////////////////////////
@@ -173,12 +173,12 @@ resource "aws_security_group_rule" "ingress_chef_automate_allow_proxy_tcp" {
 
 # Allow custom SSH connections
 resource "aws_security_group_rule" "ingress_chef_automate_allow_custom_ssh" {
-  type                     = "ingress"
-  from_port                = var.aws_ssh_port
-  to_port                  = var.aws_ssh_port
-  protocol                 = "tcp"
-  cidr_blocks              = ["0.0.0.0/0"]
-  security_group_id        = aws_security_group.chef_automate.id
+  type              = "ingress"
+  from_port         = var.aws_ssh_port
+  to_port           = var.aws_ssh_port
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.chef_automate.id
 }
 
 //////////////////////////
@@ -311,12 +311,12 @@ resource "aws_security_group_rule" "egress_allow_5432_tcp_all" {
 }
 
 resource "aws_security_group_rule" "egress_efs_nfs_2049" {
-  type                     = "egress"
-  from_port                = 2049
-  to_port                  = 2049
-  protocol                 = "tcp"
-  cidr_blocks              = ["0.0.0.0/0"]
-  security_group_id        = aws_security_group.base_linux.id
+  type              = "egress"
+  from_port         = 2049
+  to_port           = 2049
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.base_linux.id
 }
 
 resource "aws_security_group_rule" "egress_allow_22_tcp_all" {
diff --git a/terraform/a2ha-terraform/modules/aws_metadata/output.tf b/terraform/a2ha-terraform/modules/aws_metadata/output.tf
index e606c7b8c12..7ced5fe736a 100644
--- a/terraform/a2ha-terraform/modules/aws_metadata/output.tf
+++ b/terraform/a2ha-terraform/modules/aws_metadata/output.tf
@@ -3,5 +3,5 @@ output "json_data" {
 }
 
 output "bastion_role" {
-  value = "${data.http.getBastionRole.status_code}"
+  value = data.http.getBastionRole.status_code
 }
diff --git a/terraform/a2ha-terraform/modules/aws_output/main.tf b/terraform/a2ha-terraform/modules/aws_output/main.tf
index 1f962a6b77f..f4169e357e2 100644
--- a/terraform/a2ha-terraform/modules/aws_output/main.tf
+++ b/terraform/a2ha-terraform/modules/aws_output/main.tf
@@ -1,48 +1,48 @@
 locals {
-  output_tfvars = templatefile("${path.module}/files/output.tfvars.tpl",{
-      automate_private_ips      = join(", ", formatlist("\"%s\"", var.automate_private_ips)),
-      chef_server_private_ips   = join(", ", formatlist("\"%s\"", var.chef_server_private_ips)),
-      opensearch_private_ips = join(", ", formatlist("\"%s\"", var.opensearch_private_ips)),
-      postgresql_private_ips    = join(", ", formatlist("\"%s\"", var.postgresql_private_ips)),
-      aws_os_snapshot_role_arn  = var.aws_os_snapshot_role_arn,
-      os_snapshot_user_access_key_id = var.os_snapshot_user_access_key_id,
-      os_snapshot_user_access_key_secret = var.os_snapshot_user_access_key_secret,
-      automate_fqdn             = var.automate_fqdn
-      automate_frontend_url    = var.automate_frontend_url
-      bucket_name               = var.bucket_name
-    })
-
-    copy_terraform_files_for_destroy = [
+  output_tfvars = templatefile("${path.module}/files/output.tfvars.tpl", {
+    automate_private_ips               = join(", ", formatlist("\"%s\"", var.automate_private_ips)),
+    chef_server_private_ips            = join(", ", formatlist("\"%s\"", var.chef_server_private_ips)),
+    opensearch_private_ips             = join(", ", formatlist("\"%s\"", var.opensearch_private_ips)),
+    postgresql_private_ips             = join(", ", formatlist("\"%s\"", var.postgresql_private_ips)),
+    aws_os_snapshot_role_arn           = var.aws_os_snapshot_role_arn,
+    os_snapshot_user_access_key_id     = var.os_snapshot_user_access_key_id,
+    os_snapshot_user_access_key_secret = var.os_snapshot_user_access_key_secret,
+    automate_fqdn                      = var.automate_fqdn
+    automate_frontend_url              = var.automate_frontend_url
+    bucket_name                        = var.bucket_name
+  })
+
+  copy_terraform_files_for_destroy = [
     "/hab/a2_deploy_workspace/terraform/reference_architectures/aws/variables.tf",
     "/hab/a2_deploy_workspace/terraform/a2ha_habitat.auto.tfvars",
     "/hab/a2_deploy_workspace/terraform/aws.auto.tfvars",
     "/hab/a2_deploy_workspace/terraform/variables_common.tf"
-    ]
+  ]
+
+  destination_path = "/hab/a2_deploy_workspace/terraform/destroy/aws"
 
-    destination_path = "/hab/a2_deploy_workspace/terraform/destroy/aws"
- 
 }
 
 #This will create auto.tfvars with using aws's content. Because dusing deployment time we will need some aws info like public and private ips.
 resource "local_file" "output" {
-    filename = "${path.root}/reference_architectures/deployment/output.auto.tfvars"
-    content  = local.output_tfvars
+  filename = "${path.root}/reference_architectures/deployment/output.auto.tfvars"
+  content  = local.output_tfvars
 }
 
 #This will convert tfvars to auto.tfvars because after the provisioning cluter, deployment will be started so at that time we will need current tfvars file. So if we convert it into auto.tfvars then we don't need to load this file. It will be automatically loaded.
 #For starting deployment process after provisioning, we have to set deployment flag in tfvars and tf_arch file.
 resource "null_resource" "output" {
-    count = 1
+  count = 1
 
-    triggers = {
-      always_run = timestamp()
-    }
-    
-    provisioner "local-exec" {
-        command = "mv ${path.root}/terraform.tfvars ${path.root}/aws.auto.tfvars;sed  -i 's/aws/deployment/' ${path.root}/.tf_arch;sed  -i 's/architecture \"aws\"/architecture \"deployment\"/' ${path.root}/../a2ha.rb"
-    }
+  triggers = {
+    always_run = timestamp()
+  }
+
+  provisioner "local-exec" {
+    command = "mv ${path.root}/terraform.tfvars ${path.root}/aws.auto.tfvars;sed  -i 's/aws/deployment/' ${path.root}/.tf_arch;sed  -i 's/architecture \"aws\"/architecture \"deployment\"/' ${path.root}/../a2ha.rb"
+  }
 
-    depends_on = [local_file.output]
+  depends_on = [local_file.output]
 }
 
 resource "null_resource" "setup_destroy_directory" {
diff --git a/terraform/a2ha-terraform/modules/efs/main.tf b/terraform/a2ha-terraform/modules/efs/main.tf
index d75ae44d011..bb8bd8a0fd0 100644
--- a/terraform/a2ha-terraform/modules/efs/main.tf
+++ b/terraform/a2ha-terraform/modules/efs/main.tf
@@ -17,7 +17,7 @@ locals {
     efs_region    = var.aws_region,
     mount_path    = var.nfs_mount_path
   })
-  
+
   ip_list = concat(var.automate_private_ips, var.chef_server_private_ips, var.postgresql_private_ips, var.opensearch_private_ips)
 
 }
@@ -25,7 +25,7 @@ locals {
 resource "null_resource" "mount_efs" {
   count = length(local.ip_list)
   connection {
-    host        =  local.ip_list[count.index]
+    host        = local.ip_list[count.index]
     type        = "ssh"
     user        = var.aws_ssh_user
     port        = var.aws_ssh_port
diff --git a/terraform/a2ha-terraform/modules/elasticsearch/main.tf b/terraform/a2ha-terraform/modules/elasticsearch/main.tf
index 4ca52cc55f1..2878cc3ebc8 100644
--- a/terraform/a2ha-terraform/modules/elasticsearch/main.tf
+++ b/terraform/a2ha-terraform/modules/elasticsearch/main.tf
@@ -28,7 +28,7 @@ resource "null_resource" "elasticsearch" {
 
   triggers = {
     es_user_toml_sha = sha1(local.elasticsearch_user_toml[count.index])
-    template = local.provision
+    template         = local.provision
   }
 
   connection {
@@ -76,10 +76,10 @@ resource "null_resource" "backup_configuration" {
     host        = var.private_ips[0]
     script_path = "${var.tmp_path}/tf_inline_script_system_elasticsearch.sh"
   }
-  
+
   provisioner "file" {
     destination = "${var.tmp_path}/efs_backup.sh"
-    source = "${path.module}/templates/efs_backup.sh"
+    source      = "${path.module}/templates/efs_backup.sh"
   }
 
   provisioner "remote-exec" {
@@ -88,7 +88,7 @@ resource "null_resource" "backup_configuration" {
       "echo '${var.ssh_user_sudo_password}' | ${var.sudo_cmd} -S ${var.tmp_path}/efs_backup.sh",
     ]
   }
-  
+
   depends_on = [
     null_resource.elasticsearch
   ]
diff --git a/terraform/a2ha-terraform/modules/opensearch/inputs.tf b/terraform/a2ha-terraform/modules/opensearch/inputs.tf
index afb7e40840a..94b6e47c81a 100644
--- a/terraform/a2ha-terraform/modules/opensearch/inputs.tf
+++ b/terraform/a2ha-terraform/modules/opensearch/inputs.tf
@@ -55,7 +55,7 @@ variable "opensearch_admin_key" {
 }
 
 variable "opensearch_certs_by_ip" {
-  type = map(map(string))
+  type    = map(map(string))
   default = {}
 }
 
diff --git a/terraform/a2ha-terraform/modules/opensearch/main.tf b/terraform/a2ha-terraform/modules/opensearch/main.tf
index c937c5af720..fc324628f7b 100644
--- a/terraform/a2ha-terraform/modules/opensearch/main.tf
+++ b/terraform/a2ha-terraform/modules/opensearch/main.tf
@@ -44,7 +44,7 @@ locals {
   })
 
   efs_backup = templatefile("${path.module}/templates/efs_backup.sh.tpl", {
-    nfs_mount_path        = var.nfs_mount_path
+    nfs_mount_path = var.nfs_mount_path
   })
 }
 
@@ -104,7 +104,7 @@ resource "null_resource" "backup_configuration" {
 
   provisioner "file" {
     destination = "${var.tmp_path}/efs_backup.sh"
-    content      = local.efs_backup
+    content     = local.efs_backup
   }
 
   provisioner "remote-exec" {
diff --git a/terraform/a2ha-terraform/modules/postgresql/inputs.tf b/terraform/a2ha-terraform/modules/postgresql/inputs.tf
index d22b062c8d2..f00fe7e9824 100644
--- a/terraform/a2ha-terraform/modules/postgresql/inputs.tf
+++ b/terraform/a2ha-terraform/modules/postgresql/inputs.tf
@@ -46,7 +46,7 @@ variable "postgresql_archive_disk_fs_path" {
 }
 
 variable "postgresql_certs_by_ip" {
-  type = map(map(string))
+  type    = map(map(string))
   default = {}
 }
 
diff --git a/terraform/a2ha-terraform/modules/postgresql/main.tf b/terraform/a2ha-terraform/modules/postgresql/main.tf
index af71627cdae..b718d064c73 100644
--- a/terraform/a2ha-terraform/modules/postgresql/main.tf
+++ b/terraform/a2ha-terraform/modules/postgresql/main.tf
@@ -37,7 +37,7 @@ locals {
     tmp_path                  = var.tmp_path
   })
   premount = templatefile("${path.module}/templates/pre_mount.tpl", {
-    nfs_mount_path  = var.nfs_mount_path
+    nfs_mount_path = var.nfs_mount_path
   })
 }
 
diff --git a/terraform/a2ha-terraform/modules/system/main.tf b/terraform/a2ha-terraform/modules/system/main.tf
index 4ad0ad66c35..f1448235d31 100644
--- a/terraform/a2ha-terraform/modules/system/main.tf
+++ b/terraform/a2ha-terraform/modules/system/main.tf
@@ -20,12 +20,12 @@ resource "null_resource" "create_temp_path" {
   }
 
   provisioner "remote-exec" {
-    inline = [ 
-      "echo tmp_path: ${var.tmp_path}", 
-      "echo '${var.ssh_user_sudo_password}' | ${var.sudo_cmd} -S mkdir -p ${var.tmp_path}", 
-      "echo '${var.ssh_user_sudo_password}' | ${var.sudo_cmd} -S chown -R ${var.ssh_user} ${var.tmp_path}" 
-      ]
-   }
+    inline = [
+      "echo tmp_path: ${var.tmp_path}",
+      "echo '${var.ssh_user_sudo_password}' | ${var.sudo_cmd} -S mkdir -p ${var.tmp_path}",
+      "echo '${var.ssh_user_sudo_password}' | ${var.sudo_cmd} -S chown -R ${var.ssh_user} ${var.tmp_path}"
+    ]
+  }
 }
 
 resource "null_resource" "system_base_provisioning" {
diff --git a/terraform/a2ha-terraform/modules/vsphere/main.tf b/terraform/a2ha-terraform/modules/vsphere/main.tf
index 5a272d5e5f8..6c95341ca41 100644
--- a/terraform/a2ha-terraform/modules/vsphere/main.tf
+++ b/terraform/a2ha-terraform/modules/vsphere/main.tf
@@ -37,13 +37,13 @@ data "vsphere_virtual_machine" "template" {
 
 
 locals {
-# This script is meant to be run once at VM provision time only
+  # This script is meant to be run once at VM provision time only
   mount_data_disk = templatefile("${path.module}/mount_data_disk.tpl", {
     disk_dev                = var.vsphere_linux_datadisk_dev,
     lvm_volume_allocate_pct = var.vsphere_linux_lvm_allocate_pct,
     tmp_path                = var.tmp_path
   })
-# This script is meant to be run once at VM provision time only
+  # This script is meant to be run once at VM provision time only
   mount_nfs_share = templatefile("${path.module}/mount_nfs_share.tpl", {
     mount_point = var.nfs_mount_path
   })
diff --git a/terraform/a2ha-terraform/reference_architectures/aws/outputs.tf b/terraform/a2ha-terraform/reference_architectures/aws/outputs.tf
index 1984c0c15a8..0955bf4c654 100644
--- a/terraform/a2ha-terraform/reference_architectures/aws/outputs.tf
+++ b/terraform/a2ha-terraform/reference_architectures/aws/outputs.tf
@@ -35,7 +35,8 @@ output "os_snapshot_user_access_key_id" {
 }
 
 output "os_snapshot_user_access_key_secret" {
-  value = module.aws.os_snapshot_user_access_key_secret
+  sensitive = true
+  value     = module.aws.os_snapshot_user_access_key_secret
 }
 
 output "postgresql_private_ips" {
diff --git a/terraform/a2ha-terraform/reference_architectures/aws/variables.tf b/terraform/a2ha-terraform/reference_architectures/aws/variables.tf
index 880942e6d91..03bfbb334e1 100644
--- a/terraform/a2ha-terraform/reference_architectures/aws/variables.tf
+++ b/terraform/a2ha-terraform/reference_architectures/aws/variables.tf
@@ -221,6 +221,10 @@ variable "setup_managed_services" {
   default = false
 }
 
+variable "ssh_group_name" {
+  default = "centos"
+}
+
 variable "ssh_key_file" {
 }
 
@@ -234,4 +238,4 @@ variable "ssh_user" {
 
 variable "sudo_cmd" {
   default = "sudo"
-}
+}
\ No newline at end of file
diff --git a/terraform/a2ha-terraform/reference_architectures/deployment/variables.tf b/terraform/a2ha-terraform/reference_architectures/deployment/variables.tf
index 2c667eaec82..a27e7f59e0c 100644
--- a/terraform/a2ha-terraform/reference_architectures/deployment/variables.tf
+++ b/terraform/a2ha-terraform/reference_architectures/deployment/variables.tf
@@ -11,7 +11,7 @@ variable "ami_filter_virt_type" {
 }
 
 variable "automate_certs_by_ip" {
-  type = map(map(string))
+  type    = map(map(string))
   default = {}
 }
 
@@ -98,7 +98,7 @@ variable "bucket_name" {
 }
 
 variable "chef_server_certs_by_ip" {
-  type = map(map(string))
+  type    = map(map(string))
   default = {}
 }
 
@@ -217,7 +217,7 @@ variable "managed_rds_superuser_username_deployment" {
 }
 
 variable "opensearch_certs_by_ip" {
-  type = map(map(string))
+  type    = map(map(string))
   default = {}
 }
 
@@ -238,7 +238,7 @@ variable "opensearch_private_ips" {
 }
 
 variable "opensearch_root_cert" {
-    default = ""
+  default = ""
 }
 
 variable "opensearch_server_instance_type" {
@@ -262,7 +262,7 @@ variable "os_snapshot_user_access_key_secret_deployment" {
 }
 
 variable "postgresql_certs_by_ip" {
-  type = map(map(string))
+  type    = map(map(string))
   default = {}
 }