diff --git a/.tflint.hcl b/.tflint.hcl index 062eb57c3..f29f8a6ad 100644 --- a/.tflint.hcl +++ b/.tflint.hcl @@ -10,3 +10,27 @@ rule "terraform_required_providers" { rule "terraform_required_version" { enabled = false } + +rule "terraform_naming_convention" { + enabled = true + format = "snake_case" + + custom_formats = { + private_snake = { + description = "snake_case with leading _" + regex = "^[_a-z][a-z0-9_]*$" + } + kebab = { + description = "lower kebab case" + regex = "^[a-z][a-z0-9-]*$" + } + } + + locals { + format = "private_snake" + } + + module { + format = "kebab" + } +} diff --git a/fast/addons/2-networking-ngfw/README.md b/fast/addons/2-networking-ngfw/README.md index 17cc71965..92444d29b 100644 --- a/fast/addons/2-networking-ngfw/README.md +++ b/fast/addons/2-networking-ngfw/README.md 
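Review bot: Both custom regexes in the new `terraform_naming_convention` rule are looser than their descriptions: `^[a-z][a-z0-9-]*$` accepts module names with a trailing or doubled hyphen (`foo-`, `a--b`), and `^[_a-z][a-z0-9_]*$` makes the leading underscore optional and accepts `a__b` or a bare `_`. If the intent is strict kebab case, `regex = "^[a-z][a-z0-9]*(-[a-z0-9]+)*$"` enforces it. For `private_snake`, either tighten the pattern in the same way or change the description to `"snake_case, optional leading _"`, so that the lint output tells contributors what is actually allowed.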
@@ -272,19 +272,19 @@ Security profiles group defined here are exported via output variable file, and | name | description | type | required | default | producer | |---|---|:---:|:---:|:---:|:---:| -| [automation](variables-fast.tf#L28) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | +| [automation](variables-fast.tf#L29) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [ngfw_config](variables.tf#L113) | Configuration for NGFW Enterprise endpoints. Billing project defaults to the automation project. Network and TLS inspection policy ids support interpolation. | object({…}) | ✓ | | | -| [organization](variables-fast.tf#L56) | Organization details. | object({…}) | ✓ | | 0-globals | +| [organization](variables-fast.tf#L57) | Organization details. | object({…}) | ✓ | | 0-globals | | [project_id](variables.tf#L134) | Project where the network security resources will be created. | string | ✓ | | | -| [_fast_debug](variables-fast.tf#L19) | Internal FAST variable used for testing and debugging. Do not use. | object({…}) | | {} | | +| [_fast_debug](variables-fast.tf#L20) | Internal FAST variable used for testing and debugging. Do not use. | object({…}) | | {} | | | [certificate_authorities](variables.tf#L17) | Certificate Authority Service pool and CAs. If host project ids is null identical pools and CAs are created in every host project. | map(object({…})) | | {} | | -| [certificate_authority_pools](variables-fast.tf#L36) | Certificate authority pools. | map(object({…})) | | {} | 2-security | +| [certificate_authority_pools](variables-fast.tf#L37) | Certificate authority pools. | map(object({…})) | | {} | 2-security | | [enable_services](variables.tf#L97) | Configure project by enabling services required for this add-on. | bool | | true | | -| [host_project_ids](variables-fast.tf#L48) | Networking stage host project id aliases. 
| map(string) | | {} | 2-networking | +| [host_project_ids](variables-fast.tf#L49) | Networking stage host project id aliases. | map(string) | | {} | 2-networking | | [names](variables.tf#L104) | Configuration for names used for output files. | object({…}) | | {} | | | [outputs_location](variables.tf#L128) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [security_profiles](variables.tf#L140) | Security profile groups for Layer 7 inspection. Null environment list means all environments. | map(object({…})) | | {…} | | | [tls_inspection_policies](variables.tf#L223) | TLS inspection policies configuration. CA pools, trust configs and host project ids support interpolation. | map(object({…})) | | {} | | | [trust_configs](variables.tf#L265) | Certificate Manager trust configurations for TLS inspection policies. Project ids and region can reference keys in the relevant FAST variables. | map(object({…})) | | {…} | | -| [vpc_self_links](variables-fast.tf#L66) | VPC network self links. | map(string) | | {} | 2-networking | +| [vpc_self_links](variables-fast.tf#L67) | VPC network self links. | map(string) | | {} | 2-networking | diff --git a/fast/addons/2-networking-ngfw/variables-fast.tf b/fast/addons/2-networking-ngfw/variables-fast.tf index 607335296..1c0203cf0 100644 --- a/fast/addons/2-networking-ngfw/variables-fast.tf +++ b/fast/addons/2-networking-ngfw/variables-fast.tf @@ -16,6 +16,7 @@ # tfdoc:file:description FAST stage interface. +# tflint-ignore: terraform_naming_convention variable "_fast_debug" { description = "Internal FAST variable used for testing and debugging. Do not use." type = object({ diff --git a/fast/addons/2-networking-swp/README.md b/fast/addons/2-networking-swp/README.md index 89ff9ce4f..6e5e41d1d 100644 --- a/fast/addons/2-networking-swp/README.md +++ b/fast/addons/2-networking-swp/README.md 
@@ -151,22 +151,22 @@ terraform apply | name | description | type | required | default | producer | |---|---|:---:|:---:|:---:|:---:| -| [automation](variables-fast.tf#L28) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | +| [automation](variables-fast.tf#L29) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [certificate_authority](variables.tf#L17) | Optional Certificate Authority Service pool and CA used by SWP. | object({…}) | ✓ | | | | [project_id](variables.tf#L143) | Project where the resources will be created. | string | ✓ | | | -| [_fast_debug](variables-fast.tf#L19) | Internal FAST variable used for testing and debugging. Do not use. | object({…}) | | {} | | +| [_fast_debug](variables-fast.tf#L20) | Internal FAST variable used for testing and debugging. Do not use. | object({…}) | | {} | | | [enable_services](variables.tf#L95) | Configure project by enabling services required for this add-on. | bool | | false | | | [factories_config](variables.tf#L102) | SWP factories configuration paths. Keys in the `swp_configs` variable will be appended to derive individual SWP factory paths. | object({…}) | | {} | | -| [host_project_ids](variables-fast.tf#L36) | Networking stage host project id aliases. | map(string) | | {} | 2-networking | +| [host_project_ids](variables-fast.tf#L37) | Networking stage host project id aliases. | map(string) | | {} | 2-networking | | [locations](variables.tf#L112) | Regions where the resources will be created. Keys are used as short names appended to resource names. Interpolation with FAST region names is supported. | map(string) | | {} | | | [name](variables.tf#L119) | Name used for resource names. | string | | "swp" | | | [outputs_location](variables.tf#L126) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. 
| string | | null | | | [policy_rules_contexts](variables.tf#L132) | Replacement contexts for policy rules matcher arguments. | object({…}) | | {} | | -| [regions](variables-fast.tf#L44) | Networking stage region aliases. | map(string) | | {} | 2-networking | -| [subnet_self_links](variables-fast.tf#L52) | VPC subnetwork self links. | map(map(string)) | | {} | 2-networking | +| [regions](variables-fast.tf#L45) | Networking stage region aliases. | map(string) | | {} | 2-networking | +| [subnet_self_links](variables-fast.tf#L53) | VPC subnetwork self links. | map(map(string)) | | {} | 2-networking | | [swp_configs](variables.tf#L149) | Secure Web Proxy configuration, one per region. | map(object({…})) | | {} | | | [tls_inspection_policy](variables.tf#L179) | TLS inspection policy configuration. If a CA pool is not specified a local one must be created via the `certificate_authority` variable. | object({…}) | | null | | -| [vpc_self_links](variables-fast.tf#L60) | VPC network self links. | map(string) | | {} | 2-networking | +| [vpc_self_links](variables-fast.tf#L61) | VPC network self links. | map(string) | | {} | 2-networking | ## Outputs diff --git a/fast/addons/2-networking-swp/variables-fast.tf b/fast/addons/2-networking-swp/variables-fast.tf index 6682d442f..4587eb52e 100644 --- a/fast/addons/2-networking-swp/variables-fast.tf +++ b/fast/addons/2-networking-swp/variables-fast.tf @@ -16,6 +16,7 @@ # tfdoc:file:description FAST stage interface. +# tflint-ignore: terraform_naming_convention variable "_fast_debug" { description = "Internal FAST variable used for testing and debugging. Do not use." type = object({ diff --git a/fast/stages/0-org-setup/cicd-workflows-preconditions.tf b/fast/stages/0-org-setup/cicd-workflows-preconditions.tf index 56db023be..411bad0a1 100644 --- a/fast/stages/0-org-setup/cicd-workflows-preconditions.tf +++ b/fast/stages/0-org-setup/cicd-workflows-preconditions.tf 
@@ -14,7 +14,12 @@ * limitations under the License. */ -resource "terraform_data" "precondition-cicd" { +moved { + from = terraform_data.precondition-cicd + to = terraform_data.precondition_cicd +} + +resource "terraform_data" "precondition_cicd" { lifecycle { precondition { condition = alltrue([ diff --git a/fast/stages/2-networking/factory-firewall-policies.tf b/fast/stages/2-networking/factory-firewall-policies.tf index d29bf2746..c62f1ca9a 100644 --- a/fast/stages/2-networking/factory-firewall-policies.tf +++ b/fast/stages/2-networking/factory-firewall-policies.tf @@ -35,7 +35,12 @@ locals { } } -module "firewall_policies" { +moved { + from = module.firewall_policies + to = module.firewall-policies +} + +module "firewall-policies" { source = "../../../modules/net-firewall-policy" for_each = local.firewall_policies attachments = each.value.attachments diff --git a/modules/ai-applications/chat_agent.tf b/modules/ai-applications/chat_agent.tf index f4bed0bd4..660ba4c20 100644 --- a/modules/ai-applications/chat_agent.tf +++ b/modules/ai-applications/chat_agent.tf @@ -86,7 +86,12 @@ resource "google_dialogflow_cx_security_settings" "default" { } } -module "audio_export_settings_bucket" { +moved { + from = module.audio_export_settings_bucket + to = module.audio-export-settings-bucket +} + +module "audio-export-settings-bucket" { count = ( var.chat_agent_security_configs.audio_export_settings == null || try(var.chat_agent_security_configs.audio_export_settings.id, null) != null diff --git a/modules/api-gateway/recipe-multi-region/README.md b/modules/api-gateway/recipe-multi-region/README.md index 6ced44732..7698dc3ff 100644 --- a/modules/api-gateway/recipe-multi-region/README.md +++ b/modules/api-gateway/recipe-multi-region/README.md 
@@ -18,9 +18,9 @@ Once deployed do the following to see that it works: | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [project_id](variables.tf#L27) | Identifier of the project. | string | ✓ | | -| [regions](variables.tf#L32) | List of regions to deploy the proxy in. | list(string) | ✓ | | -| [_testing](variables.tf#L17) | Populate this variable to avoid triggering the data source. | object({…}) | | null | +| [project_id](variables.tf#L28) | Identifier of the project. | string | ✓ | | +| [regions](variables.tf#L33) | List of regions to deploy the proxy in. | list(string) | ✓ | | +| [_testing](variables.tf#L18) | Populate this variable to avoid triggering the data source. | object({…}) | | null | ## Outputs diff --git a/modules/api-gateway/recipe-multi-region/main.tf b/modules/api-gateway/recipe-multi-region/main.tf index 25a813b32..d7e1a8903 100644 --- a/modules/api-gateway/recipe-multi-region/main.tf +++ b/modules/api-gateway/recipe-multi-region/main.tf @@ -27,7 +27,7 @@ locals { } backends = [ for region in var.regions : { - backend = google_compute_region_network_endpoint_group.serverless-negs[region].id + backend = google_compute_region_network_endpoint_group.serverless_negs[region].id } ] } @@ -136,7 +136,7 @@ module "glb" { } } -resource "google_compute_region_network_endpoint_group" "serverless-negs" { +resource "google_compute_region_network_endpoint_group" "serverless_negs" { for_each = toset(var.regions) provider = google-beta name = "serverless-neg-${module.gateways[each.value].gateway_id}" diff --git a/modules/api-gateway/recipe-multi-region/variables.tf b/modules/api-gateway/recipe-multi-region/variables.tf index 2ce1f0e98..e2f9ea6eb 100644 --- a/modules/api-gateway/recipe-multi-region/variables.tf +++ b/modules/api-gateway/recipe-multi-region/variables.tf 
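Review bot: The rename of `google_compute_region_network_endpoint_group.serverless-negs` to `serverless_negs` in the `@@ -136,7` hunk has no `moved` block, unlike the renames in modules/billing-account/logging.tf and the other modules touched by this commit. On existing state, Terraform would therefore plan to destroy and recreate every serverless NEG that the `backends` local points at. Add a `moved` block above the resource with `from = google_compute_region_network_endpoint_group.serverless-negs` and `to = google_compute_region_network_endpoint_group.serverless_negs`. The same gap is visible for `module "ext-lb"` and `module "nginx-vm"` in modules/apigee/recipe-apigee-swp/main.tf and for `module "application-service-account"` in modules/net-lb-app-ext/recipe-cloud-run-iap/main.tf; for the last one, a recreate would presumably replace the service account that existing IAM grants refer to. The resource body continues outside the hunk.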
@@ -14,6 +14,7 @@ * limitations under the License. */ +# tflint-ignore: terraform_naming_convention variable "_testing" { description = "Populate this variable to avoid triggering the data source." type = object({ diff --git a/modules/apigee/recipe-apigee-swp/README.md b/modules/apigee/recipe-apigee-swp/README.md index a16513f75..e6bb3bf86 100644 --- a/modules/apigee/recipe-apigee-swp/README.md +++ b/modules/apigee/recipe-apigee-swp/README.md @@ -24,11 +24,11 @@ Once the terraform configuration is applied you can verify that all is working b | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [analytics_region](variables.tf#L27) | Region. | string | ✓ | | -| [instance_region](variables.tf#L32) | Region. | string | ✓ | | -| [network_config](variables.tf#L37) | Network configuration. | object({…}) | ✓ | | -| [project_id](variables.tf#L46) | Project ID. | string | ✓ | | -| [_testing](variables.tf#L17) | Populate this variable to avoid triggering the data source. | object({…}) | | null | +| [analytics_region](variables.tf#L28) | Region. | string | ✓ | | +| [instance_region](variables.tf#L33) | Region. | string | ✓ | | +| [network_config](variables.tf#L38) | Network configuration. | object({…}) | ✓ | | +| [project_id](variables.tf#L47) | Project ID. | string | ✓ | | +| [_testing](variables.tf#L18) | Populate this variable to avoid triggering the data source. | object({…}) | | null | ## Outputs diff --git a/modules/apigee/recipe-apigee-swp/main.tf b/modules/apigee/recipe-apigee-swp/main.tf index 962ba11e2..7c1389e22 100644 --- a/modules/apigee/recipe-apigee-swp/main.tf +++ b/modules/apigee/recipe-apigee-swp/main.tf @@ -120,7 +120,7 @@ module "apigee" { } } -module "ext_lb" { +module "ext-lb" { source = "../../../modules/net-lb-app-ext" name = "glb" project_id = module.project.id 
@@ -178,7 +178,7 @@ module "swp" { allowed-hosts = { priority = 1000 allow = true - session_matcher = "host() == '${module.nginx_vm.internal_ip}'" + session_matcher = "host() == '${module.nginx-vm.internal_ip}'" } } } @@ -197,7 +197,7 @@ module "addresses" { } } -module "nginx_vm" { +module "nginx-vm" { source = "../../../modules/compute-vm" project_id = module.project.project_id zone = "${var.instance_region}-b" @@ -223,7 +223,7 @@ module "nginx_vm" { resource "local_file" "target_endpoint_file" { content = templatefile("${path.module}/templates/targets/default.xml.tpl", { - ip_address = module.nginx_vm.internal_ip + ip_address = module.nginx-vm.internal_ip }) filename = "${path.module}/bundle/apiproxy/targets/default.xml" file_permission = "0644" diff --git a/modules/apigee/recipe-apigee-swp/variables.tf b/modules/apigee/recipe-apigee-swp/variables.tf index be4307a0f..efa76e3f5 100644 --- a/modules/apigee/recipe-apigee-swp/variables.tf +++ b/modules/apigee/recipe-apigee-swp/variables.tf @@ -14,6 +14,7 @@ * limitations under the License. */ +# tflint-ignore: terraform_naming_convention variable "_testing" { description = "Populate this variable to avoid triggering the data source." type = object({ diff --git a/modules/billing-account/logging.tf b/modules/billing-account/logging.tf index 300f3aa58..db9bfbf29 100644 --- a/modules/billing-account/logging.tf +++ b/modules/billing-account/logging.tf 
@@ -72,14 +72,24 @@ resource "google_logging_billing_account_sink" "sink" { } } -resource "google_storage_bucket_iam_member" "gcs-sinks-binding" { +moved { + from = google_storage_bucket_iam_member.gcs-sinks-binding + to = google_storage_bucket_iam_member.gcs_sinks_binding +} + +resource "google_storage_bucket_iam_member" "gcs_sinks_binding" { for_each = local.sink_bindings["storage"] bucket = each.value.destination role = "roles/storage.objectCreator" member = google_logging_billing_account_sink.sink[each.key].writer_identity } -resource "google_bigquery_dataset_iam_member" "bq-sinks-binding" { +moved { + from = google_bigquery_dataset_iam_member.bq-sinks-binding + to = google_bigquery_dataset_iam_member.bq_sinks_binding +} + +resource "google_bigquery_dataset_iam_member" "bq_sinks_binding" { for_each = local.sink_bindings["bigquery"] project = split("/", each.value.destination)[1] dataset_id = split("/", each.value.destination)[3] @@ -87,7 +97,12 @@ resource "google_bigquery_dataset_iam_member" "bq-sinks-binding" { member = google_logging_billing_account_sink.sink[each.key].writer_identity } -resource "google_pubsub_topic_iam_member" "pubsub-sinks-binding" { +moved { + from = google_pubsub_topic_iam_member.pubsub-sinks-binding + to = google_pubsub_topic_iam_member.pubsub_sinks_binding +} + +resource "google_pubsub_topic_iam_member" "pubsub_sinks_binding" { for_each = local.sink_bindings["pubsub"] project = split("/", each.value.destination)[1] topic = split("/", each.value.destination)[3] 
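Review bot: The `moved` blocks for `gcs_sinks_binding`, `bq_sinks_binding` and `pubsub_sinks_binding` carry no comment saying that they exist only for the hyphen-to-underscore rename, so a later cleanup could delete them while callers still hold state under the old addresses. Terraform would then destroy and recreate the sink writer-identity IAM members, and log export to the destination could presumably fail in the gap between the two operations. A one-line comment above each block, such as `# renamed for tflint terraform_naming_convention; keep so existing state migrates without recreating the binding`, would record the reason. The same applies to the `moved` blocks in modules/folder/logging.tf, modules/iam-service-account/iam.tf and modules/net-firewall-policy; the `pubsub_sinks_binding` resource body continues outside the hunk.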
@@ -95,7 +110,12 @@ resource "google_pubsub_topic_iam_member" "pubsub-sinks-binding" { member = google_logging_billing_account_sink.sink[each.key].writer_identity } -resource "google_project_iam_member" "bucket-sinks-binding" { +moved { + from = google_project_iam_member.bucket-sinks-binding + to = google_project_iam_member.bucket_sinks_binding +} + +resource "google_project_iam_member" "bucket_sinks_binding" { for_each = local.sink_bindings["logging"] project = split("/", each.value.destination)[1] role = "roles/logging.bucketWriter" @@ -108,7 +128,12 @@ resource "google_project_iam_member" "bucket-sinks-binding" { } } -resource "google_project_iam_member" "project-sinks-binding" { +moved { + from = google_project_iam_member.project-sinks-binding + to = google_project_iam_member.project_sinks_binding +} + +resource "google_project_iam_member" "project_sinks_binding" { for_each = local.sink_bindings["project"] project = each.value.destination role = "roles/logging.logWriter" diff --git a/modules/cloud-config-container/__need_fixing/onprem/main.tf b/modules/cloud-config-container/__need_fixing/onprem/main.tf index 2e6165965..af90d71e3 100644 --- a/modules/cloud-config-container/__need_fixing/onprem/main.tf +++ b/modules/cloud-config-container/__need_fixing/onprem/main.tf @@ -45,9 +45,9 @@ locals { vpn_dynamic_config = var.vpn_dynamic_config } netblocks = concat( - data.google_netblock_ip_ranges.dns-forwarders.cidr_blocks_ipv4, - data.google_netblock_ip_ranges.private-googleapis.cidr_blocks_ipv4, - data.google_netblock_ip_ranges.restricted-googleapis.cidr_blocks_ipv4 + data.google_netblock_ip_ranges.dns_forwarders.cidr_blocks_ipv4, + data.google_netblock_ip_ranges.private_googleapis.cidr_blocks_ipv4, + data.google_netblock_ip_ranges.restricted_googleapis.cidr_blocks_ipv4 ) vpn_config = merge(var.vpn_config, { peer_ip_wildcard = "%${var.vpn_config.peer_ip}" 
@@ -55,14 +55,14 @@ locals { }) } -data "google_netblock_ip_ranges" "dns-forwarders" { +data "google_netblock_ip_ranges" "dns_forwarders" { range_type = "dns-forwarders" } -data "google_netblock_ip_ranges" "private-googleapis" { +data "google_netblock_ip_ranges" "private_googleapis" { range_type = "private-googleapis" } -data "google_netblock_ip_ranges" "restricted-googleapis" { +data "google_netblock_ip_ranges" "restricted_googleapis" { range_type = "restricted-googleapis" } diff --git a/modules/folder/logging.tf b/modules/folder/logging.tf index ea1c1f23d..43e8b9bc0 100644 --- a/modules/folder/logging.tf +++ b/modules/folder/logging.tf @@ -116,14 +116,24 @@ resource "google_logging_folder_sink" "sink" { ] } -resource "google_storage_bucket_iam_member" "gcs-sinks-binding" { +moved { + from = google_storage_bucket_iam_member.gcs-sinks-binding + to = google_storage_bucket_iam_member.gcs_sinks_binding +} + +resource "google_storage_bucket_iam_member" "gcs_sinks_binding" { for_each = local.sink_bindings["storage"] bucket = each.value.destination role = "roles/storage.objectCreator" member = google_logging_folder_sink.sink[each.key].writer_identity } -resource "google_bigquery_dataset_iam_member" "bq-sinks-binding" { +moved { + from = google_bigquery_dataset_iam_member.bq-sinks-binding + to = google_bigquery_dataset_iam_member.bq_sinks_binding +} + +resource "google_bigquery_dataset_iam_member" "bq_sinks_binding" { for_each = local.sink_bindings["bigquery"] project = split("/", each.value.destination)[1] dataset_id = split("/", each.value.destination)[3] 
@@ -131,7 +141,12 @@ resource "google_bigquery_dataset_iam_member" "bq-sinks-binding" { member = google_logging_folder_sink.sink[each.key].writer_identity } -resource "google_pubsub_topic_iam_member" "pubsub-sinks-binding" { +moved { + from = google_pubsub_topic_iam_member.pubsub-sinks-binding + to = google_pubsub_topic_iam_member.pubsub_sinks_binding +} + +resource "google_pubsub_topic_iam_member" "pubsub_sinks_binding" { for_each = local.sink_bindings["pubsub"] project = split("/", each.value.destination)[1] topic = split("/", each.value.destination)[3] @@ -139,7 +154,12 @@ resource "google_pubsub_topic_iam_member" "pubsub-sinks-binding" { member = google_logging_folder_sink.sink[each.key].writer_identity } -resource "google_project_iam_member" "bucket-sinks-binding" { +moved { + from = google_project_iam_member.bucket-sinks-binding + to = google_project_iam_member.bucket_sinks_binding +} + +resource "google_project_iam_member" "bucket_sinks_binding" { for_each = local.sink_bindings["logging"] project = split("/", each.value.destination)[1] role = "roles/logging.bucketWriter" @@ -151,14 +171,24 @@ resource "google_project_iam_member" "bucket-sinks-binding" { } } -resource "google_project_iam_member" "project-sinks-binding" { +moved { + from = google_project_iam_member.project-sinks-binding + to = google_project_iam_member.project_sinks_binding +} + +resource "google_project_iam_member" "project_sinks_binding" { for_each = local.sink_bindings["project"] project = each.value.destination role = "roles/logging.logWriter" member = google_logging_folder_sink.sink[each.key].writer_identity } -resource "google_logging_folder_exclusion" "logging-exclusion" { +moved { + from = google_logging_folder_exclusion.logging-exclusion + to = google_logging_folder_exclusion.logging_exclusion +} + +resource "google_logging_folder_exclusion" "logging_exclusion" { for_each = var.logging_exclusions name = each.key folder = local.folder_id 
diff --git a/modules/iam-service-account/iam.tf b/modules/iam-service-account/iam.tf index f3a452c17..fc176bb1d 100644 --- a/modules/iam-service-account/iam.tf +++ b/modules/iam-service-account/iam.tf @@ -146,7 +146,12 @@ resource "google_service_account_iam_member" "bindings" { } } -resource "google_billing_account_iam_member" "billing-roles" { +moved { + from = google_billing_account_iam_member.billing-roles + to = google_billing_account_iam_member.billing_roles +} + +resource "google_billing_account_iam_member" "billing_roles" { for_each = { for pair in local.iam_billing_pairs : "${pair.entity}-${pair.role}" => pair @@ -158,7 +163,12 @@ resource "google_billing_account_iam_member" "billing-roles" { member = local.iam_email } -resource "google_folder_iam_member" "folder-roles" { +moved { + from = google_folder_iam_member.folder-roles + to = google_folder_iam_member.folder_roles +} + +resource "google_folder_iam_member" "folder_roles" { for_each = { for pair in local.iam_folder_pairs : "${pair.entity}-${pair.role}" => pair @@ -170,7 +180,12 @@ resource "google_folder_iam_member" "folder-roles" { member = local.iam_email } -resource "google_organization_iam_member" "organization-roles" { +moved { + from = google_organization_iam_member.organization-roles + to = google_organization_iam_member.organization_roles +} + +resource "google_organization_iam_member" "organization_roles" { for_each = { for pair in local.iam_organization_pairs : "${pair.entity}-${pair.role}" => pair @@ -182,7 +197,12 @@ resource "google_organization_iam_member" "organization-roles" { member = local.iam_email } -resource "google_project_iam_member" "project-roles" { +moved { + from = google_project_iam_member.project-roles + to = google_project_iam_member.project_roles +} + +resource "google_project_iam_member" "project_roles" { for_each = { for pair in local.iam_project_pairs : "${pair.entity}-${pair.role}" => pair 
@@ -208,7 +228,12 @@ resource "google_service_account_iam_member" "additive" { member = local.iam_email } -resource "google_storage_bucket_iam_member" "bucket-roles" { +moved { + from = google_storage_bucket_iam_member.bucket-roles + to = google_storage_bucket_iam_member.bucket_roles +} + +resource "google_storage_bucket_iam_member" "bucket_roles" { for_each = { for pair in local.iam_storage_pairs : "${pair.entity}-${pair.role}" => pair diff --git a/modules/ncc-spoke-ra/README.md b/modules/ncc-spoke-ra/README.md index f0d0ade82..e52dc0a6f 100644 --- a/modules/ncc-spoke-ra/README.md +++ b/modules/ncc-spoke-ra/README.md @@ -159,7 +159,7 @@ module "spoke-ra" { | [hub](outputs.tf#L17) | NCC hub resource (only if auto-created). | | | [id](outputs.tf#L22) | Fully qualified hub id. | | | [router](outputs.tf#L27) | Cloud Router resource. | | -| [spoke-ra](outputs.tf#L32) | NCC spoke resource. | | +| [spoke_ra](outputs.tf#L32) | NCC spoke resource. | | ## Fixtures diff --git a/modules/ncc-spoke-ra/main.tf b/modules/ncc-spoke-ra/main.tf index 2ecaae6b9..a53c2d58c 100644 --- a/modules/ncc-spoke-ra/main.tf +++ b/modules/ncc-spoke-ra/main.tf @@ -33,7 +33,12 @@ resource "google_network_connectivity_hub" "hub" { description = var.hub.description } -resource "google_network_connectivity_spoke" "spoke-ra" { +moved { + from = google_network_connectivity_spoke.spoke-ra + to = google_network_connectivity_spoke.spoke_ra +} + +resource "google_network_connectivity_spoke" "spoke_ra" { project = var.project_id hub = try(google_network_connectivity_hub.hub[0].id, var.hub.id) location = var.region @@ -109,7 +114,7 @@ resource "google_compute_router_peer" "peer_0" { router_appliance_instance = each.value.vm depends_on = [ - google_network_connectivity_spoke.spoke-ra + google_network_connectivity_spoke.spoke_ra ] } 
@@ -128,6 +133,6 @@ resource "google_compute_router_peer" "peer_1" { router_appliance_instance = each.value.vm depends_on = [ - google_network_connectivity_spoke.spoke-ra + google_network_connectivity_spoke.spoke_ra ] } diff --git a/modules/ncc-spoke-ra/outputs.tf b/modules/ncc-spoke-ra/outputs.tf index 59ebc213d..528a383db 100644 --- a/modules/ncc-spoke-ra/outputs.tf +++ b/modules/ncc-spoke-ra/outputs.tf @@ -29,7 +29,7 @@ output "router" { value = google_compute_router.cr } -output "spoke-ra" { +output "spoke_ra" { description = "NCC spoke resource." - value = google_network_connectivity_spoke.spoke-ra + value = google_network_connectivity_spoke.spoke_ra } diff --git a/modules/net-firewall-policy/net-global.tf b/modules/net-firewall-policy/net-global.tf index bda47e2d2..d6ce523de 100644 --- a/modules/net-firewall-policy/net-global.tf +++ b/modules/net-firewall-policy/net-global.tf 
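Review bot: Renaming `output "spoke-ra"` to `spoke_ra` in modules/ncc-spoke-ra/outputs.tf changes the module's public interface, and a `moved` block cannot cover an output, so any caller that reads `module.<name>.spoke-ra` will fail at plan time after upgrading. Either call the break out in the upgrade notes or keep the old output for one release as a deprecated alias: a second `output "spoke-ra"` with `# tflint-ignore: terraform_naming_convention` above it and the same `value = google_network_connectivity_spoke.spoke_ra`. The resource rename in main.tf is already handled by its `moved` block, so only the output needs this.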
@@ -14,24 +14,39 @@ * limitations under the License. */ -resource "google_compute_network_firewall_policy" "net-global" { +moved { + from = google_compute_network_firewall_policy.net-global + to = google_compute_network_firewall_policy.net_global +} + +resource "google_compute_network_firewall_policy" "net_global" { count = !local.use_hierarchical && !local.use_regional ? 1 : 0 project = lookup(local.ctx.project_ids, var.parent_id, var.parent_id) name = var.name description = var.description } -resource "google_compute_network_firewall_policy_association" "net-global" { +moved { + from = google_compute_network_firewall_policy_association.net-global + to = google_compute_network_firewall_policy_association.net_global +} + +resource "google_compute_network_firewall_policy_association" "net_global" { for_each = ( !local.use_hierarchical && !local.use_regional ? var.attachments : {} ) project = lookup(local.ctx.project_ids, var.parent_id, var.parent_id) name = "${var.name}-${each.key}" attachment_target = lookup(local.ctx.networks, each.value, each.value) - firewall_policy = google_compute_network_firewall_policy.net-global[0].name + firewall_policy = google_compute_network_firewall_policy.net_global[0].name } -resource "google_compute_network_firewall_policy_rule" "net-global" { +moved { + from = google_compute_network_firewall_policy_rule.net-global + to = google_compute_network_firewall_policy_rule.net_global +} + +resource "google_compute_network_firewall_policy_rule" "net_global" { # Terraform's type system barfs in the condition if we use the locals map for_each = toset( !local.use_hierarchical && !local.use_regional 
@@ -39,7 +54,7 @@ resource "google_compute_network_firewall_policy_rule" "net-global" { : [] ) project = lookup(local.ctx.project_ids, var.parent_id, var.parent_id) - firewall_policy = google_compute_network_firewall_policy.net-global[0].name + firewall_policy = google_compute_network_firewall_policy.net_global[0].name rule_name = local.rules[each.key].name action = local.rules[each.key].action description = local.rules[each.key].description @@ -147,7 +162,12 @@ resource "google_compute_network_firewall_policy_rule" "net-global" { } } -resource "google_compute_network_firewall_policy_packet_mirroring_rule" "net-global" { +moved { + from = google_compute_network_firewall_policy_packet_mirroring_rule.net-global + to = google_compute_network_firewall_policy_packet_mirroring_rule.net_global +} + +resource "google_compute_network_firewall_policy_packet_mirroring_rule" "net_global" { provider = google-beta for_each = toset( !local.use_hierarchical && !local.use_regional @@ -155,7 +175,7 @@ resource "google_compute_network_firewall_policy_packet_mirroring_rule" "net-glo : [] ) project = lookup(local.ctx.project_ids, var.parent_id, var.parent_id) - firewall_policy = google_compute_network_firewall_policy.net-global[0].name + firewall_policy = google_compute_network_firewall_policy.net_global[0].name rule_name = local.mirroring_rules[each.key].name action = local.mirroring_rules[each.key].action description = local.mirroring_rules[each.key].description diff --git a/modules/net-firewall-policy/net-regional.tf b/modules/net-firewall-policy/net-regional.tf index 9444b5786..20edd5a80 100644 --- a/modules/net-firewall-policy/net-regional.tf +++ b/modules/net-firewall-policy/net-regional.tf 
@@ -14,7 +14,12 @@ * limitations under the License. */ -resource "google_compute_region_network_firewall_policy" "net-regional" { +moved { + from = google_compute_region_network_firewall_policy.net-regional + to = google_compute_region_network_firewall_policy.net_regional +} + +resource "google_compute_region_network_firewall_policy" "net_regional" { count = !local.use_hierarchical && local.use_regional ? 1 : 0 project = lookup(local.ctx.project_ids, var.parent_id, var.parent_id) name = var.name @@ -22,7 +27,12 @@ resource "google_compute_region_network_firewall_policy" "net-regional" { region = lookup(local.ctx.locations, var.region, var.region) } -resource "google_compute_region_network_firewall_policy_association" "net-regional" { +moved { + from = google_compute_region_network_firewall_policy_association.net-regional + to = google_compute_region_network_firewall_policy_association.net_regional +} + +resource "google_compute_region_network_firewall_policy_association" "net_regional" { for_each = ( !local.use_hierarchical && local.use_regional ? var.attachments : {} ) @@ -30,10 +40,15 @@ resource "google_compute_region_network_firewall_policy_association" "net-region region = lookup(local.ctx.locations, var.region, var.region) name = "${var.name}-${each.key}" attachment_target = lookup(local.ctx.networks, each.value, each.value) - firewall_policy = google_compute_region_network_firewall_policy.net-regional[0].name + firewall_policy = google_compute_region_network_firewall_policy.net_regional[0].name } -resource "google_compute_region_network_firewall_policy_rule" "net-regional" { +moved { + from = google_compute_region_network_firewall_policy_rule.net-regional + to = google_compute_region_network_firewall_policy_rule.net_regional +} + +resource "google_compute_region_network_firewall_policy_rule" "net_regional" { # Terraform's type system barfs in the condition if we use the locals map for_each = toset( !local.use_hierarchical && local.use_regional 
@@ -42,7 +57,7 @@ resource "google_compute_region_network_firewall_policy_rule" "net-regional" { ) project = lookup(local.ctx.project_ids, var.parent_id, var.parent_id) region = lookup(local.ctx.locations, var.region, var.region) - firewall_policy = google_compute_region_network_firewall_policy.net-regional[0].name + firewall_policy = google_compute_region_network_firewall_policy.net_regional[0].name rule_name = local.rules[each.key].name action = local.rules[each.key].action description = local.rules[each.key].description diff --git a/modules/net-firewall-policy/outputs.tf b/modules/net-firewall-policy/outputs.tf index 589a06768..b373c7966 100644 --- a/modules/net-firewall-policy/outputs.tf +++ b/modules/net-firewall-policy/outputs.tf @@ -21,8 +21,8 @@ output "id" { ? google_compute_firewall_policy.hierarchical[0].id : ( local.use_regional - ? google_compute_region_network_firewall_policy.net-regional[0].id - : google_compute_network_firewall_policy.net-global[0].id + ? google_compute_region_network_firewall_policy.net_regional[0].id + : google_compute_network_firewall_policy.net_global[0].id ) ) } diff --git a/modules/net-lb-app-ext/recipe-cloud-run-iap/README.md b/modules/net-lb-app-ext/recipe-cloud-run-iap/README.md index 0098f1b9c..099144575 100644 --- a/modules/net-lb-app-ext/recipe-cloud-run-iap/README.md +++ b/modules/net-lb-app-ext/recipe-cloud-run-iap/README.md 
@@ -29,12 +29,12 @@ This recipe addresses common requirements of backends protected by IAP: | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [project_id](variables.tf#L39) | Project ID. | string | ✓ | | -| [region](variables.tf#L44) | Region. | string | ✓ | | -| [support_email](variables.tf#L49) | Support email for IAP brand. | string | ✓ | | -| [_testing](variables.tf#L17) | Populate this variable to avoid triggering the data source. | object({…}) | | null | -| [accessors](variables.tf#L27) | List of identities able to access the service via IAP (e.g. group:mygroup@myorg.com). | list(string) | | [] | -| [impersonators](variables.tf#L33) | List of identities able to impersonate the service account for programmatica access. | list(string) | | [] | +| [project_id](variables.tf#L40) | Project ID. | string | ✓ | | +| [region](variables.tf#L45) | Region. | string | ✓ | | +| [support_email](variables.tf#L50) | Support email for IAP brand. | string | ✓ | | +| [_testing](variables.tf#L18) | Populate this variable to avoid triggering the data source. | object({…}) | | null | +| [accessors](variables.tf#L28) | List of identities able to access the service via IAP (e.g. group:mygroup@myorg.com). | list(string) | | [] | +| [impersonators](variables.tf#L34) | List of identities able to impersonate the service account for programmatica access. | list(string) | | [] | ## Outputs diff --git a/modules/net-lb-app-ext/recipe-cloud-run-iap/main.tf b/modules/net-lb-app-ext/recipe-cloud-run-iap/main.tf index 2f4eb8d37..b8fc8bd86 100644 --- a/modules/net-lb-app-ext/recipe-cloud-run-iap/main.tf +++ b/modules/net-lb-app-ext/recipe-cloud-run-iap/main.tf @@ -33,7 +33,7 @@ module "project" { ] } -module "application_service_account" { +module "application-service-account" { source = "../../../modules/iam-service-account" project_id = var.project_id name = "application" 
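Review bot: `module "application-service-account"` in recipe-cloud-run-iap/main.tf is renamed without a `moved` block, unlike the renames elsewhere in this commit such as `module.service_accounts-iam` in project-factory. The same applies to `module "backend-service"` in the next hunk of this file and to `module "gcp-vpn"` in recipe-vpn-aws-gcp/gcp.tf. Anyone with an applied copy of these recipes would see the service account, the Cloud Run service and the HA VPN gateway planned for destroy and re-create; a re-created service account is a new identity, so role grants made outside this configuration would likely not carry over. If that is not intended, add a `moved` block per module, here with `from = module.application_service_account` and `to = module.application-service-account`. The module body continues outside the hunk.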
@@ -53,7 +53,7 @@ resource "google_iap_client" "iap_client" { brand = google_iap_brand.iap_brand.name } -module "backend_service" { +module "backend-service" { source = "../../../modules/cloud-run-v2" project_id = module.project.id name = "backend" @@ -132,7 +132,7 @@ resource "google_iap_web_backend_service_iam_binding" "iam_bindings" { members = concat( var.accessors, [ - module.application_service_account.iam_email + module.application-service-account.iam_email ]) } diff --git a/modules/net-lb-app-ext/recipe-cloud-run-iap/outputs.tf b/modules/net-lb-app-ext/recipe-cloud-run-iap/outputs.tf index 274a12c06..1055119f1 100644 --- a/modules/net-lb-app-ext/recipe-cloud-run-iap/outputs.tf +++ b/modules/net-lb-app-ext/recipe-cloud-run-iap/outputs.tf @@ -25,14 +25,14 @@ EOT output "application_service_account_email" { description = "Application service account email." - value = module.application_service_account.email + value = module.application-service-account.email } output "command" { description = "Command." value = templatestring(local.command_tpl, { aud = google_iap_client.iap_client.client_id - sa = module.application_service_account.email + sa = module.application-service-account.email url = local.url }) } diff --git a/modules/net-lb-app-ext/recipe-cloud-run-iap/variables.tf b/modules/net-lb-app-ext/recipe-cloud-run-iap/variables.tf index 2e7b40e56..2a87e98d1 100644 --- a/modules/net-lb-app-ext/recipe-cloud-run-iap/variables.tf +++ b/modules/net-lb-app-ext/recipe-cloud-run-iap/variables.tf @@ -14,6 +14,7 @@ * limitations under the License. */ +# tflint-ignore: terraform_naming_convention variable "_testing" { description = "Populate this variable to avoid triggering the data source." type = object({ diff --git a/modules/net-lb-int/recipe-ilb-next-hop/README.md b/modules/net-lb-int/recipe-ilb-next-hop/README.md index 54688d7f2..66eaacfe7 100644 --- a/modules/net-lb-int/recipe-ilb-next-hop/README.md +++ b/modules/net-lb-int/recipe-ilb-next-hop/README.md 
@@ -64,14 +64,14 @@ A sample testing session using `tmux`: | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [prefix](variables.tf#L48) | Prefix used for resource names. | string | ✓ | | -| [project_id](variables.tf#L57) | Existing project id. | string | ✓ | | -| [_testing](variables.tf#L17) | Populate this variable to avoid triggering the data source. | object({…}) | | null | -| [ilb_right_enable](variables.tf#L27) | Route right to left traffic through ILB. | bool | | false | -| [ilb_session_affinity](variables.tf#L33) | Session affinity configuration for ILBs. | string | | "CLIENT_IP" | -| [ip_ranges](variables.tf#L39) | IP CIDR ranges used for VPC subnets. | map(string) | | {…} | -| [region](variables.tf#L62) | Region used for resources. | string | | "europe-west1" | -| [zones](variables.tf#L68) | Zone suffixes used for instances. | list(string) | | ["b", "c"] | +| [prefix](variables.tf#L49) | Prefix used for resource names. | string | ✓ | | +| [project_id](variables.tf#L58) | Existing project id. | string | ✓ | | +| [_testing](variables.tf#L18) | Populate this variable to avoid triggering the data source. | object({…}) | | null | +| [ilb_right_enable](variables.tf#L28) | Route right to left traffic through ILB. | bool | | false | +| [ilb_session_affinity](variables.tf#L34) | Session affinity configuration for ILBs. | string | | "CLIENT_IP" | +| [ip_ranges](variables.tf#L40) | IP CIDR ranges used for VPC subnets. | map(string) | | {…} | +| [region](variables.tf#L63) | Region used for resources. | string | | "europe-west1" | +| [zones](variables.tf#L69) | Zone suffixes used for instances. | list(string) | | ["b", "c"] | ## Outputs diff --git a/modules/net-lb-int/recipe-ilb-next-hop/variables.tf b/modules/net-lb-int/recipe-ilb-next-hop/variables.tf index f9c314c6d..820dd0a3c 100644 --- a/modules/net-lb-int/recipe-ilb-next-hop/variables.tf +++ b/modules/net-lb-int/recipe-ilb-next-hop/variables.tf 
@@ -14,6 +14,7 @@ * limitations under the License. */ +# tflint-ignore: terraform_naming_convention variable "_testing" { description = "Populate this variable to avoid triggering the data source." type = object({ diff --git a/modules/net-vpc-firewall/default-rules.tf b/modules/net-vpc-firewall/default-rules.tf index a0f38ab70..96acab840 100644 --- a/modules/net-vpc-firewall/default-rules.tf +++ b/modules/net-vpc-firewall/default-rules.tf @@ -24,7 +24,12 @@ locals { } } -resource "google_compute_firewall" "allow-admins" { +moved { + from = google_compute_firewall.allow-admins + to = google_compute_firewall.allow_admins +} + +resource "google_compute_firewall" "allow_admins" { count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0 project = local.project_id network = local.network @@ -36,7 +41,12 @@ resource "google_compute_firewall" "allow-admins" { allow { protocol = "all" } } -resource "google_compute_firewall" "allow-tag-http" { +moved { + from = google_compute_firewall.allow-tag-http + to = google_compute_firewall.allow_tag_http +} + +resource "google_compute_firewall" "allow_tag_http" { count = length(local.default_rules.http_ranges) > 0 ? 1 : 0 project = local.project_id network = local.network @@ -52,7 +62,12 @@ resource "google_compute_firewall" "allow-tag-http" { } } -resource "google_compute_firewall" "allow-tag-https" { +moved { + from = google_compute_firewall.allow-tag-https + to = google_compute_firewall.allow_tag_https +} + +resource "google_compute_firewall" "allow_tag_https" { count = length(local.default_rules.https_ranges) > 0 ? 1 : 0 project = local.project_id network = local.network 
@@ -68,7 +83,12 @@ resource "google_compute_firewall" "allow-tag-https" { } } -resource "google_compute_firewall" "allow-tag-ssh" { +moved { + from = google_compute_firewall.allow-tag-ssh + to = google_compute_firewall.allow_tag_ssh +} + +resource "google_compute_firewall" "allow_tag_ssh" { count = length(local.default_rules.ssh_ranges) > 0 ? 1 : 0 project = local.project_id network = local.network diff --git a/modules/net-vpc-firewall/main.tf b/modules/net-vpc-firewall/main.tf index 6bcc7ede5..887b4d32f 100644 --- a/modules/net-vpc-firewall/main.tf +++ b/modules/net-vpc-firewall/main.tf @@ -108,7 +108,12 @@ locals { } } -resource "google_compute_firewall" "custom-rules" { +moved { + from = google_compute_firewall.custom-rules + to = google_compute_firewall.custom_rules +} + +resource "google_compute_firewall" "custom_rules" { for_each = local.rules project = local.project_id network = local.network diff --git a/modules/net-vpc-firewall/outputs.tf b/modules/net-vpc-firewall/outputs.tf index 9206ab546..904852a41 100644 --- a/modules/net-vpc-firewall/outputs.tf +++ b/modules/net-vpc-firewall/outputs.tf @@ -17,14 +17,14 @@ output "default_rules" { description = "Default rule resources." value = { - admin = try(google_compute_firewall.allow-admins, null) - http = try(google_compute_firewall.allow-tag-http, null) - https = try(google_compute_firewall.allow-tag-https, null) - ssh = try(google_compute_firewall.allow-tag-ssh, null) + admin = try(google_compute_firewall.allow_admins, null) + http = try(google_compute_firewall.allow_tag_http, null) + https = try(google_compute_firewall.allow_tag_https, null) + ssh = try(google_compute_firewall.allow_tag_ssh, null) } } output "rules" { description = "Custom rule resources." - value = google_compute_firewall.custom-rules + value = google_compute_firewall.custom_rules } diff --git a/modules/net-vpn-dynamic/main.tf b/modules/net-vpn-dynamic/main.tf index 14c88b2d5..ee542b627 100644 --- a/modules/net-vpn-dynamic/main.tf 
+++ b/modules/net-vpn-dynamic/main.tf @@ -44,7 +44,12 @@ resource "google_compute_forwarding_rule" "esp" { ip_protocol = "ESP" } -resource "google_compute_forwarding_rule" "udp-500" { +moved { + from = google_compute_forwarding_rule.udp-500 + to = google_compute_forwarding_rule.udp_500 +} + +resource "google_compute_forwarding_rule" "udp_500" { name = "vpn-${var.name}-udp-500" project = var.project_id region = var.region @@ -54,7 +59,12 @@ resource "google_compute_forwarding_rule" "udp-500" { port_range = "500" } -resource "google_compute_forwarding_rule" "udp-4500" { +moved { + from = google_compute_forwarding_rule.udp-4500 + to = google_compute_forwarding_rule.udp_4500 +} + +resource "google_compute_forwarding_rule" "udp_4500" { name = "vpn-${var.name}-udp-4500" project = var.project_id region = var.region diff --git a/modules/net-vpn-ha/recipe-vpn-aws-gcp/README.md b/modules/net-vpn-ha/recipe-vpn-aws-gcp/README.md index f2c4ec16d..742aa9fd7 100644 --- a/modules/net-vpn-ha/recipe-vpn-aws-gcp/README.md +++ b/modules/net-vpn-ha/recipe-vpn-aws-gcp/README.md 
@@ -10,15 +10,15 @@ The architecture deployed by this recipe is the one depicted below: | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [aws_asn](variables.tf#L27) | AWS ASN. | string | ✓ | | -| [aws_region](variables.tf#L32) | AWS Region. | string | ✓ | | -| [aws_vpc_cidr_block](variables.tf#L37) | CIDR block. | string | ✓ | | -| [gcp_asn](variables.tf#L42) | Google ASN. | string | ✓ | | -| [gcp_region](variables.tf#L47) | GCP Region. | string | ✓ | | -| [project_id](variables.tf#L52) | Project ID. | string | ✓ | | -| [shared_secret](variables.tf#L63) | Shared secret. | string | ✓ | | -| [_testing](variables.tf#L17) | Populate this variable to avoid triggering the data source. | object({…}) | | null | -| [propagate_routes](variables.tf#L57) | Flag indicating whether routed received by AWS's Virtual Private Gateway should be propagated to main route table. | bool | | false | +| [aws_asn](variables.tf#L28) | AWS ASN. | string | ✓ | | +| [aws_region](variables.tf#L33) | AWS Region. | string | ✓ | | +| [aws_vpc_cidr_block](variables.tf#L38) | CIDR block. | string | ✓ | | +| [gcp_asn](variables.tf#L43) | Google ASN. | string | ✓ | | +| [gcp_region](variables.tf#L48) | GCP Region. | string | ✓ | | +| [project_id](variables.tf#L53) | Project ID. | string | ✓ | | +| [shared_secret](variables.tf#L64) | Shared secret. | string | ✓ | | +| [_testing](variables.tf#L18) | Populate this variable to avoid triggering the data source. | object({…}) | | null | +| [propagate_routes](variables.tf#L58) | Flag indicating whether routed received by AWS's Virtual Private Gateway should be propagated to main route table. | bool | | false | ## Outputs diff --git a/modules/net-vpn-ha/recipe-vpn-aws-gcp/aws.tf b/modules/net-vpn-ha/recipe-vpn-aws-gcp/aws.tf index c72f1d496..a629444b0 100644 --- a/modules/net-vpn-ha/recipe-vpn-aws-gcp/aws.tf +++ b/modules/net-vpn-ha/recipe-vpn-aws-gcp/aws.tf 
@@ -29,7 +29,7 @@ resource "aws_vpn_gateway" "vpn_gateway" { resource "aws_customer_gateway" "customer_gateways" { count = 2 bgp_asn = var.gcp_asn - ip_address = module.gcp_vpn.gateway.vpn_interfaces[count.index].ip_address + ip_address = module.gcp-vpn.gateway.vpn_interfaces[count.index].ip_address type = "ipsec.1" tags = { diff --git a/modules/net-vpn-ha/recipe-vpn-aws-gcp/gcp.tf b/modules/net-vpn-ha/recipe-vpn-aws-gcp/gcp.tf index 1a837a248..4dc1b790f 100644 --- a/modules/net-vpn-ha/recipe-vpn-aws-gcp/gcp.tf +++ b/modules/net-vpn-ha/recipe-vpn-aws-gcp/gcp.tf @@ -33,7 +33,7 @@ module "vpc" { name = "vpc" } -module "gcp_vpn" { +module "gcp-vpn" { source = "../../../modules/net-vpn-ha" project_id = module.project.project_id region = var.gcp_region diff --git a/modules/net-vpn-ha/recipe-vpn-aws-gcp/outputs.tf b/modules/net-vpn-ha/recipe-vpn-aws-gcp/outputs.tf index 216d05f9f..8db3ca495 100644 --- a/modules/net-vpn-ha/recipe-vpn-aws-gcp/outputs.tf +++ b/modules/net-vpn-ha/recipe-vpn-aws-gcp/outputs.tf @@ -16,15 +16,15 @@ output "external_gateway" { description = "External VPN gateway resource." - value = module.gcp_vpn.external_gateway + value = module.gcp-vpn.external_gateway } output "gateway" { description = "VPN gateway resource (only if auto-created)." - value = module.gcp_vpn.gateway + value = module.gcp-vpn.gateway } output "id" { description = "Fully qualified VPN gateway id." - value = module.gcp_vpn.id + value = module.gcp-vpn.id } diff --git a/modules/net-vpn-ha/recipe-vpn-aws-gcp/variables.tf b/modules/net-vpn-ha/recipe-vpn-aws-gcp/variables.tf index 67fc703a2..865662d42 100644 --- a/modules/net-vpn-ha/recipe-vpn-aws-gcp/variables.tf +++ b/modules/net-vpn-ha/recipe-vpn-aws-gcp/variables.tf @@ -14,6 +14,7 @@ * limitations under the License. */ +# tflint-ignore: terraform_naming_convention variable "_testing" { description = "Populate this variable to avoid triggering the data source." type = object({ 
diff --git a/modules/net-vpn-static/main.tf b/modules/net-vpn-static/main.tf index 547eea873..5aa98bcd3 100644 --- a/modules/net-vpn-static/main.tf +++ b/modules/net-vpn-static/main.tf @@ -45,7 +45,12 @@ resource "google_compute_forwarding_rule" "esp" { ip_protocol = "ESP" } -resource "google_compute_forwarding_rule" "udp-500" { +moved { + from = google_compute_forwarding_rule.udp-500 + to = google_compute_forwarding_rule.udp_500 +} + +resource "google_compute_forwarding_rule" "udp_500" { name = "vpn-${var.name}-udp-500" project = var.project_id region = var.region @@ -55,7 +60,12 @@ resource "google_compute_forwarding_rule" "udp-500" { port_range = "500" } -resource "google_compute_forwarding_rule" "udp-4500" { +moved { + from = google_compute_forwarding_rule.udp-4500 + to = google_compute_forwarding_rule.udp_4500 +} + +resource "google_compute_forwarding_rule" "udp_4500" { name = "vpn-${var.name}-udp-4500" project = var.project_id region = var.region diff --git a/modules/organization/logging.tf b/modules/organization/logging.tf index 4aa0113c0..5003549cc 100644 --- a/modules/organization/logging.tf +++ b/modules/organization/logging.tf 
@@ -119,14 +119,24 @@ resource "google_logging_organization_sink" "sink" { ] } -resource "google_storage_bucket_iam_member" "storage-sinks-binding" { +moved { + from = google_storage_bucket_iam_member.storage-sinks-binding + to = google_storage_bucket_iam_member.storage_sinks_binding +} + +resource "google_storage_bucket_iam_member" "storage_sinks_binding" { for_each = local.sink_bindings["storage"] bucket = each.value.destination role = "roles/storage.objectCreator" member = google_logging_organization_sink.sink[each.key].writer_identity } -resource "google_bigquery_dataset_iam_member" "bq-sinks-binding" { +moved { + from = google_bigquery_dataset_iam_member.bq-sinks-binding + to = google_bigquery_dataset_iam_member.bq_sinks_binding +} + +resource "google_bigquery_dataset_iam_member" "bq_sinks_binding" { for_each = local.sink_bindings["bigquery"] project = split("/", each.value.destination)[1] dataset_id = split("/", each.value.destination)[3] @@ -134,7 +144,12 @@ resource "google_bigquery_dataset_iam_member" "bq-sinks-binding" { member = google_logging_organization_sink.sink[each.key].writer_identity } -resource "google_pubsub_topic_iam_member" "pubsub-sinks-binding" { +moved { + from = google_pubsub_topic_iam_member.pubsub-sinks-binding + to = google_pubsub_topic_iam_member.pubsub_sinks_binding +} + +resource "google_pubsub_topic_iam_member" "pubsub_sinks_binding" { for_each = local.sink_bindings["pubsub"] project = split("/", each.value.destination)[1] topic = split("/", each.value.destination)[3] 
@@ -142,7 +157,12 @@ resource "google_pubsub_topic_iam_member" "pubsub-sinks-binding" { member = google_logging_organization_sink.sink[each.key].writer_identity } -resource "google_project_iam_member" "bucket-sinks-binding" { +moved { + from = google_project_iam_member.bucket-sinks-binding + to = google_project_iam_member.bucket_sinks_binding +} + +resource "google_project_iam_member" "bucket_sinks_binding" { for_each = local.sink_bindings["logging"] project = split("/", each.value.destination)[1] role = "roles/logging.bucketWriter" @@ -154,14 +174,24 @@ resource "google_project_iam_member" "bucket-sinks-binding" { } } -resource "google_project_iam_member" "project-sinks-binding" { +moved { + from = google_project_iam_member.project-sinks-binding + to = google_project_iam_member.project_sinks_binding +} + +resource "google_project_iam_member" "project_sinks_binding" { for_each = local.sink_bindings["project"] project = each.value.destination role = "roles/logging.logWriter" member = google_logging_organization_sink.sink[each.key].writer_identity } -resource "google_logging_organization_exclusion" "logging-exclusion" { +moved { + from = google_logging_organization_exclusion.logging-exclusion + to = google_logging_organization_exclusion.logging_exclusion +} + +resource "google_logging_organization_exclusion" "logging_exclusion" { for_each = var.logging_exclusions name = each.key org_id = local.organization_id_numeric diff --git a/modules/project-factory/projects-service-accounts.tf b/modules/project-factory/projects-service-accounts.tf index b24b8a899..17f1c4de4 100644 --- a/modules/project-factory/projects-service-accounts.tf +++ b/modules/project-factory/projects-service-accounts.tf 
@@ -101,7 +101,12 @@ module "service-accounts" { tag_bindings = each.value.tag_bindings } -module "service_accounts-iam" { +moved { + from = module.service_accounts-iam + to = module.service-accounts-iam +} + +module "service-accounts-iam" { source = "../iam-service-account" for_each = { for k in local.projects_service_accounts : diff --git a/modules/project-factory/projects.tf b/modules/project-factory/projects.tf index 0a7ebb85e..ff9ee842c 100644 --- a/modules/project-factory/projects.tf +++ b/modules/project-factory/projects.tf @@ -95,7 +95,12 @@ locals { ]...) } -resource "terraform_data" "project-preconditions" { +moved { + from = terraform_data.project-preconditions + to = terraform_data.project_preconditions +} + +resource "terraform_data" "project_preconditions" { lifecycle { precondition { condition = alltrue([ diff --git a/modules/project/logging.tf b/modules/project/logging.tf index fea740125..3de14a3b4 100644 --- a/modules/project/logging.tf +++ b/modules/project/logging.tf @@ -117,14 +117,24 @@ resource "google_logging_project_sink" "sink" { ] } -resource "google_storage_bucket_iam_member" "gcs-sinks-binding" { +moved { + from = google_storage_bucket_iam_member.gcs-sinks-binding + to = google_storage_bucket_iam_member.gcs_sinks_binding +} + +resource "google_storage_bucket_iam_member" "gcs_sinks_binding" { for_each = local.sink_bindings["storage"] bucket = each.value.destination role = "roles/storage.objectCreator" member = google_logging_project_sink.sink[each.key].writer_identity } -resource "google_bigquery_dataset_iam_member" "bq-sinks-binding" { +moved { + from = google_bigquery_dataset_iam_member.bq-sinks-binding + to = google_bigquery_dataset_iam_member.bq_sinks_binding +} + +resource "google_bigquery_dataset_iam_member" "bq_sinks_binding" { for_each = local.sink_bindings["bigquery"] project = split("/", each.value.destination)[1] dataset_id = split("/", each.value.destination)[3] 
@@ -132,7 +142,12 @@ resource "google_bigquery_dataset_iam_member" "bq-sinks-binding" { member = google_logging_project_sink.sink[each.key].writer_identity } -resource "google_pubsub_topic_iam_member" "pubsub-sinks-binding" { +moved { + from = google_pubsub_topic_iam_member.pubsub-sinks-binding + to = google_pubsub_topic_iam_member.pubsub_sinks_binding +} + +resource "google_pubsub_topic_iam_member" "pubsub_sinks_binding" { for_each = local.sink_bindings["pubsub"] project = split("/", each.value.destination)[1] topic = split("/", each.value.destination)[3] @@ -140,7 +155,12 @@ resource "google_pubsub_topic_iam_member" "pubsub-sinks-binding" { member = google_logging_project_sink.sink[each.key].writer_identity } -resource "google_project_iam_member" "bucket-sinks-binding" { +moved { + from = google_project_iam_member.bucket-sinks-binding + to = google_project_iam_member.bucket_sinks_binding +} + +resource "google_project_iam_member" "bucket_sinks_binding" { for_each = local.sink_bindings["logging"] project = split("/", each.value.destination)[1] role = "roles/logging.bucketWriter" @@ -153,14 +173,24 @@ resource "google_project_iam_member" "bucket-sinks-binding" { } } -resource "google_project_iam_member" "project-sinks-binding" { +moved { + from = google_project_iam_member.project-sinks-binding + to = google_project_iam_member.project_sinks_binding +} + +resource "google_project_iam_member" "project_sinks_binding" { for_each = local.sink_bindings["project"] project = each.value.destination role = "roles/logging.logWriter" member = google_logging_project_sink.sink[each.key].writer_identity } -resource "google_logging_project_exclusion" "logging-exclusion" { +moved { + from = google_logging_project_exclusion.logging-exclusion + to = google_logging_project_exclusion.logging_exclusion +} + +resource "google_logging_project_exclusion" "logging_exclusion" { for_each = var.logging_exclusions name = each.key project = local.project.project_id 
@@ -168,7 +198,12 @@ resource "google_logging_project_exclusion" "logging-exclusion" { filter = each.value } -resource "google_logging_log_scope" "log-scopes" { +moved { + from = google_logging_log_scope.log-scopes + to = google_logging_log_scope.log_scopes +} + +resource "google_logging_log_scope" "log_scopes" { for_each = local.log_scopes parent = "projects/${local.project.project_id}" location = "global" diff --git a/tests/fast/stages/s0_org_setup/hardened.yaml b/tests/fast/stages/s0_org_setup/hardened.yaml index d0f42687a..1d2774dfc 100644 --- a/tests/fast/stages/s0_org_setup/hardened.yaml +++ b/tests/fast/stages/s0_org_setup/hardened.yaml 
@@ -2240,19 +2240,19 @@ values: member: serviceAccount:iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com project: ft0-prod-iac-core-0 timeouts: null - ? module.factory.module.service_accounts-iam["iac-0/iac-org-cicd-ro"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-ro-roles/iam.serviceAccountTokenCreator"] + ? module.factory.module.service-accounts-iam["iac-0/iac-org-cicd-ro"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-ro-roles/iam.serviceAccountTokenCreator"] : condition: [] role: roles/iam.serviceAccountTokenCreator service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - ? module.factory.module.service_accounts-iam["iac-0/iac-org-cicd-ro"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-ro-roles/iam.workloadIdentityUser"] + ? module.factory.module.service-accounts-iam["iac-0/iac-org-cicd-ro"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-ro-roles/iam.workloadIdentityUser"] : condition: [] role: roles/iam.workloadIdentityUser service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - ? module.factory.module.service_accounts-iam["iac-0/iac-org-cicd-rw"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-rw-roles/iam.serviceAccountTokenCreator"] + ? module.factory.module.service-accounts-iam["iac-0/iac-org-cicd-rw"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-rw-roles/iam.serviceAccountTokenCreator"] : condition: [] role: roles/iam.serviceAccountTokenCreator service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - ? 
module.factory.module.service_accounts-iam["iac-0/iac-org-cicd-rw"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-rw-roles/iam.workloadIdentityUser"] + ? module.factory.module.service-accounts-iam["iac-0/iac-org-cicd-rw"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-rw-roles/iam.workloadIdentityUser"] : condition: [] role: roles/iam.workloadIdentityUser service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com @@ -2260,7 +2260,7 @@ values: input: null output: null triggers_replace: null - module.factory.terraform_data.project-preconditions: + module.factory.terraform_data.project_preconditions: input: null output: null triggers_replace: null @@ -6740,15 +6740,15 @@ values: - serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com org_id: '1234567890' role: roles/orgpolicy.policyViewer - module.organization-iam[0].google_project_iam_member.bucket-sinks-binding["audit-logs"]: + module.organization-iam[0].google_project_iam_member.bucket_sinks_binding["audit-logs"]: condition: - title: audit-logs bucket writer role: roles/logging.bucketWriter - module.organization-iam[0].google_project_iam_member.bucket-sinks-binding["iam"]: + module.organization-iam[0].google_project_iam_member.bucket_sinks_binding["iam"]: condition: - title: iam bucket writer role: roles/logging.bucketWriter - module.organization-iam[0].google_project_iam_member.bucket-sinks-binding["vpc-sc"]: + module.organization-iam[0].google_project_iam_member.bucket_sinks_binding["vpc-sc"]: condition: - title: vpc-sc bucket writer role: roles/logging.bucketWriter @@ -8368,7 +8368,7 @@ values: input: null output: null triggers_replace: null - terraform_data.precondition-cicd: + terraform_data.precondition_cicd: input: null output: null triggers_replace: null 
diff --git a/tests/fast/stages/s0_org_setup/simple.yaml b/tests/fast/stages/s0_org_setup/simple.yaml
index cccc58bc1..6f9578086 100644
--- a/tests/fast/stages/s0_org_setup/simple.yaml
+++ b/tests/fast/stages/s0_org_setup/simple.yaml
@@ -1607,19 +1607,19 @@ values: member: serviceAccount:iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com project: ft0-prod-iac-core-0 timeouts: null - ? module.factory.module.service_accounts-iam["iac-0/iac-org-cicd-ro"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-ro-roles/iam.serviceAccountTokenCreator"] + ? module.factory.module.service-accounts-iam["iac-0/iac-org-cicd-ro"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-ro-roles/iam.serviceAccountTokenCreator"] : condition: [] role: roles/iam.serviceAccountTokenCreator service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - ? module.factory.module.service_accounts-iam["iac-0/iac-org-cicd-ro"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-ro-roles/iam.workloadIdentityUser"] + ? module.factory.module.service-accounts-iam["iac-0/iac-org-cicd-ro"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-ro-roles/iam.workloadIdentityUser"] : condition: [] role: roles/iam.workloadIdentityUser service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - ? module.factory.module.service_accounts-iam["iac-0/iac-org-cicd-rw"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-rw-roles/iam.serviceAccountTokenCreator"] + ? module.factory.module.service-accounts-iam["iac-0/iac-org-cicd-rw"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-rw-roles/iam.serviceAccountTokenCreator"] : condition: [] role: roles/iam.serviceAccountTokenCreator service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - ? 
module.factory.module.service_accounts-iam["iac-0/iac-org-cicd-rw"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-rw-roles/iam.workloadIdentityUser"] + ? module.factory.module.service-accounts-iam["iac-0/iac-org-cicd-rw"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-rw-roles/iam.workloadIdentityUser"] : condition: [] role: roles/iam.workloadIdentityUser service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com @@ -1627,7 +1627,7 @@ values: input: null output: null triggers_replace: null - module.factory.terraform_data.project-preconditions: + module.factory.terraform_data.project_preconditions: input: null output: null triggers_replace: null @@ -2558,15 +2558,15 @@ values: - serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com org_id: '1234567890' role: roles/orgpolicy.policyViewer - module.organization-iam[0].google_project_iam_member.bucket-sinks-binding["audit-logs"]: + module.organization-iam[0].google_project_iam_member.bucket_sinks_binding["audit-logs"]: condition: - title: audit-logs bucket writer role: roles/logging.bucketWriter - module.organization-iam[0].google_project_iam_member.bucket-sinks-binding["iam"]: + module.organization-iam[0].google_project_iam_member.bucket_sinks_binding["iam"]: condition: - title: iam bucket writer role: roles/logging.bucketWriter - module.organization-iam[0].google_project_iam_member.bucket-sinks-binding["vpc-sc"]: + module.organization-iam[0].google_project_iam_member.bucket_sinks_binding["vpc-sc"]: condition: - title: vpc-sc bucket writer role: roles/logging.bucketWriter @@ -2826,7 +2826,7 @@ values: input: null output: null triggers_replace: null - terraform_data.precondition-cicd: + terraform_data.precondition_cicd: input: null output: null triggers_replace: null 
diff --git a/tests/fast/stages/s0_org_setup/starter-gcd.yaml b/tests/fast/stages/s0_org_setup/starter-gcd.yaml index d776eddae..2a277d39a 100644 --- a/tests/fast/stages/s0_org_setup/starter-gcd.yaml +++ b/tests/fast/stages/s0_org_setup/starter-gcd.yaml @@ -835,7 +835,7 @@ values: input: null output: null triggers_replace: null - module.factory.terraform_data.project-preconditions: + module.factory.terraform_data.project_preconditions: input: null output: null triggers_replace: null @@ -987,7 +987,7 @@ values: - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com org_id: '1234567890' role: roles/resourcemanager.tagUser - module.organization-iam[0].google_project_iam_member.bucket-sinks-binding["audit-logs"]: + module.organization-iam[0].google_project_iam_member.bucket_sinks_binding["audit-logs"]: condition: - title: audit-logs bucket writer role: roles/logging.bucketWriter @@ -1038,7 +1038,7 @@ values: description: Production. short_name: production timeouts: null - module.vpcs.module.firewall["dev"].google_compute_firewall.custom-rules["ingress-default-allow-healthchecks"]: + module.vpcs.module.firewall["dev"].google_compute_firewall.custom_rules["ingress-default-allow-healthchecks"]: allow: - ports: [] protocol: all @@ -1062,7 +1062,7 @@ values: target_service_accounts: null target_tags: null timeouts: null - module.vpcs.module.firewall["dev"].google_compute_firewall.custom-rules["ingress-default-allow-iap"]: + module.vpcs.module.firewall["dev"].google_compute_firewall.custom_rules["ingress-default-allow-iap"]: allow: - ports: [] protocol: all @@ -1083,7 +1083,7 @@ values: target_service_accounts: null target_tags: null timeouts: null - module.vpcs.module.firewall["dev"].google_compute_firewall.custom-rules["ingress-default-allow-icmp"]: + module.vpcs.module.firewall["dev"].google_compute_firewall.custom_rules["ingress-default-allow-icmp"]: allow: - ports: [] protocol: icmp 
@@ -1104,7 +1104,7 @@ values: target_service_accounts: null target_tags: null timeouts: null - module.vpcs.module.firewall["prod"].google_compute_firewall.custom-rules["ingress-default-allow-healthchecks"]: + module.vpcs.module.firewall["prod"].google_compute_firewall.custom_rules["ingress-default-allow-healthchecks"]: allow: - ports: [] protocol: all @@ -1128,7 +1128,7 @@ values: target_service_accounts: null target_tags: null timeouts: null - module.vpcs.module.firewall["prod"].google_compute_firewall.custom-rules["ingress-default-allow-iap"]: + module.vpcs.module.firewall["prod"].google_compute_firewall.custom_rules["ingress-default-allow-iap"]: allow: - ports: [] protocol: all @@ -1149,7 +1149,7 @@ values: target_service_accounts: null target_tags: null timeouts: null - module.vpcs.module.firewall["prod"].google_compute_firewall.custom-rules["ingress-default-allow-icmp"]: + module.vpcs.module.firewall["prod"].google_compute_firewall.custom_rules["ingress-default-allow-icmp"]: allow: - ports: [] protocol: icmp @@ -1320,7 +1320,7 @@ values: input: null output: null triggers_replace: null - terraform_data.precondition-cicd: + terraform_data.precondition_cicd: input: null output: null triggers_replace: null diff --git a/tests/fast/stages/s2_networking/vlan_attachments.yaml b/tests/fast/stages/s2_networking/vlan_attachments.yaml index 7b17afeab..a014db5fd 100644 --- a/tests/fast/stages/s2_networking/vlan_attachments.yaml +++ b/tests/fast/stages/s2_networking/vlan_attachments.yaml @@ -313,7 +313,7 @@ values: input: null output: null triggers_replace: null - module.projects.terraform_data.project-preconditions: + module.projects.terraform_data.project_preconditions: input: null output: null triggers_replace: null diff --git a/tests/fast/stages/s2_security/simple.yaml b/tests/fast/stages/s2_security/simple.yaml index 3335c1040..37da844db 100644 --- a/tests/fast/stages/s2_security/simple.yaml +++ b/tests/fast/stages/s2_security/simple.yaml 
@@ -310,7 +310,7 @@ values: input: null output: null triggers_replace: null - module.factory.terraform_data.project-preconditions: + module.factory.terraform_data.project_preconditions: input: null output: null triggers_replace: null diff --git a/tests/modules/billing_account/examples/logging.yaml b/tests/modules/billing_account/examples/logging.yaml index 4496f01ac..6b6c16375 100644 --- a/tests/modules/billing_account/examples/logging.yaml +++ b/tests/modules/billing_account/examples/logging.yaml @@ -20,7 +20,7 @@ values: exclusions: [] filter: null name: all - module.billing-account.google_project_iam_member.bucket-sinks-binding["all"]: + module.billing-account.google_project_iam_member.bucket_sinks_binding["all"]: condition: - title: all bucket writer role: roles/logging.bucketWriter diff --git a/tests/modules/cloud_run_v2/recipes/cloudsql_iam_auth_proxy/examples/recipe-cloudsql-iam-auth-proxy.yaml b/tests/modules/cloud_run_v2/recipes/cloudsql_iam_auth_proxy/examples/recipe-cloudsql-iam-auth-proxy.yaml index c5f781cf7..e3c4d778f 100644 --- a/tests/modules/cloud_run_v2/recipes/cloudsql_iam_auth_proxy/examples/recipe-cloudsql-iam-auth-proxy.yaml +++ b/tests/modules/cloud_run_v2/recipes/cloudsql_iam_auth_proxy/examples/recipe-cloudsql-iam-auth-proxy.yaml 
@@ -152,19 +152,19 @@ values: project: project-id timeouts: null type: CLOUD_IAM_SERVICE_ACCOUNT - module.run-sa.google_project_iam_member.project-roles["project-id-roles/cloudsql.client"]: + module.run-sa.google_project_iam_member.project_roles["project-id-roles/cloudsql.client"]: condition: [] project: project-id role: roles/cloudsql.client - module.run-sa.google_project_iam_member.project-roles["project-id-roles/cloudsql.instanceUser"]: + module.run-sa.google_project_iam_member.project_roles["project-id-roles/cloudsql.instanceUser"]: condition: [] project: project-id role: roles/cloudsql.instanceUser - module.run-sa.google_project_iam_member.project-roles["project-id-roles/logging.logWriter"]: + module.run-sa.google_project_iam_member.project_roles["project-id-roles/logging.logWriter"]: condition: [] project: project-id role: roles/logging.logWriter - module.run-sa.google_project_iam_member.project-roles["project-id-roles/storage.objectViewer"]: + module.run-sa.google_project_iam_member.project_roles["project-id-roles/storage.objectViewer"]: condition: [] project: project-id role: roles/storage.objectViewer diff --git a/tests/modules/folder/context.yaml b/tests/modules/folder/context.yaml index f5c640da2..ee98034e7 100644 --- a/tests/modules/folder/context.yaml +++ b/tests/modules/folder/context.yaml @@ -140,7 +140,7 @@ values: unstructured: - {} timeouts: null - google_pubsub_topic_iam_member.pubsub-sinks-binding["test-pubsub"]: + google_pubsub_topic_iam_member.pubsub_sinks_binding["test-pubsub"]: condition: [] project: test-prod-audit-logs-0 role: roles/pubsub.publisher diff --git a/tests/modules/folder/examples/logging.yaml b/tests/modules/folder/examples/logging.yaml index acb508e69..2f75e3b58 100644 --- a/tests/modules/folder/examples/logging.yaml +++ b/tests/modules/folder/examples/logging.yaml 
@@ -65,7 +65,7 @@ values: project: test-dest-prj service: logging.googleapis.com timeouts: null - module.folder-sink.google_bigquery_dataset_iam_member.bq-sinks-binding["info"]: + module.folder-sink.google_bigquery_dataset_iam_member.bq_sinks_binding["info"]: condition: [] role: roles/bigquery.dataEditor module.folder-sink.google_folder.folder[0]: @@ -74,7 +74,7 @@ values: parent: folders/1122334455 tags: null timeouts: null - module.folder-sink.google_logging_folder_exclusion.logging-exclusion["no-gce-instances"]: + module.folder-sink.google_logging_folder_exclusion.logging_exclusion["no-gce-instances"]: description: no-gce-instances (Terraform-managed). disabled: null filter: resource.type=gce_instance @@ -128,20 +128,20 @@ values: include_children: true intercept_children: false name: warnings - module.folder-sink.google_project_iam_member.bucket-sinks-binding["debug"]: + module.folder-sink.google_project_iam_member.bucket_sinks_binding["debug"]: condition: - title: debug bucket writer role: roles/logging.bucketWriter - module.folder-sink.google_project_iam_member.project-sinks-binding["alert"]: + module.folder-sink.google_project_iam_member.project_sinks_binding["alert"]: condition: [] project: projects/test-dest-prj role: roles/logging.logWriter - module.folder-sink.google_pubsub_topic_iam_member.pubsub-sinks-binding["notice"]: + module.folder-sink.google_pubsub_topic_iam_member.pubsub_sinks_binding["notice"]: condition: [] project: project-id role: roles/pubsub.publisher topic: pubsub_sink - module.folder-sink.google_storage_bucket_iam_member.gcs-sinks-binding["warnings"]: + module.folder-sink.google_storage_bucket_iam_member.gcs_sinks_binding["warnings"]: bucket: test-gcs_sink condition: [] role: roles/storage.objectCreator diff --git a/tests/modules/iam_service_account/context.yaml b/tests/modules/iam_service_account/context.yaml index a0856f8e5..1c332ad12 100644 --- a/tests/modules/iam_service_account/context.yaml 
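Review bot: The last changed line of the `@@ -128,20 +128,20` hunk keeps the folder module's `gcs_sinks_binding` label for the `google_storage_bucket_iam_member` sink binding, while the organization inventories in this same diff use `storage_sinks_binding` for what appears to be the equivalent resource. Since every sink-binding address is already being renamed here, this is the cheapest moment to align the two modules on one label, e.g. `module.folder-sink.google_storage_bucket_iam_member.storage_sinks_binding["warnings"]`. The module definitions are outside this hunk, so this assumes both resources serve the same purpose.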
+++ b/tests/modules/iam_service_account/context.yaml @@ -13,11 +13,11 @@ # limitations under the License. values: - google_folder_iam_member.folder-roles["$folder_ids:test-roles/resourcemanager.folderViewer"]: + google_folder_iam_member.folder_roles["$folder_ids:test-roles/resourcemanager.folderViewer"]: condition: [] folder: folders/1234567890 role: roles/resourcemanager.folderViewer - google_project_iam_member.project-roles["$project_ids:test-roles/viewer"]: + google_project_iam_member.project_roles["$project_ids:test-roles/viewer"]: condition: [] project: prj-test-0 role: roles/viewer @@ -63,7 +63,7 @@ values: condition: [] member: user:test-user@example.com role: organizations/366118655033/roles/myRoleTwo - google_storage_bucket_iam_member.bucket-roles["$storage_buckets:test-roles/storage.admin"]: + google_storage_bucket_iam_member.bucket_roles["$storage_buckets:test-roles/storage.admin"]: bucket: gcs-test-0 condition: [] role: roles/storage.admin diff --git a/tests/modules/iam_service_account/examples/basic.yaml b/tests/modules/iam_service_account/examples/basic.yaml index 165ca4f3f..04029785a 100644 --- a/tests/modules/iam_service_account/examples/basic.yaml +++ b/tests/modules/iam_service_account/examples/basic.yaml 
@@ -12,11 +12,11 @@ # See the License for the specific language governing permissions and # limitations under the License. values: - module.myproject-default-service-accounts.google_project_iam_member.project-roles["project-id-roles/logging.logWriter"]: + module.myproject-default-service-accounts.google_project_iam_member.project_roles["project-id-roles/logging.logWriter"]: condition: [] project: project-id role: roles/logging.logWriter - module.myproject-default-service-accounts.google_project_iam_member.project-roles["project-id-roles/monitoring.metricWriter"]: + module.myproject-default-service-accounts.google_project_iam_member.project_roles["project-id-roles/monitoring.metricWriter"]: condition: [] project: project-id role: roles/monitoring.metricWriter diff --git a/tests/modules/iam_service_account/examples/iam.yaml b/tests/modules/iam_service_account/examples/iam.yaml index cbf6bb039..441be4f64 100644 --- a/tests/modules/iam_service_account/examples/iam.yaml +++ b/tests/modules/iam_service_account/examples/iam.yaml @@ -14,11 +14,11 @@ # yamllint disable rule:line-length values: - module.service-account-with-tags.google_billing_account_iam_member.billing-roles["ABCDE-12345-ABCDE-roles/billing.user"]: + module.service-account-with-tags.google_billing_account_iam_member.billing_roles["ABCDE-12345-ABCDE-roles/billing.user"]: billing_account_id: ABCDE-12345-ABCDE condition: [] role: roles/billing.user - ? module.service-account-with-tags.google_folder_iam_member.folder-roles["$folder_ids:test-roles/resourcemanager.folderAdmin"] + ? module.service-account-with-tags.google_folder_iam_member.folder_roles["$folder_ids:test-roles/resourcemanager.folderAdmin"] : condition: [] folder: folders/1234567890 role: roles/resourcemanager.folderAdmin diff --git a/tests/modules/iam_service_account/examples/reuse-0.yaml b/tests/modules/iam_service_account/examples/reuse-0.yaml index 8e27dfdf3..961ff8bc0 100644 --- a/tests/modules/iam_service_account/examples/reuse-0.yaml 
+++ b/tests/modules/iam_service_account/examples/reuse-0.yaml @@ -13,11 +13,11 @@ # limitations under the License. values: - module.service-account.google_billing_account_iam_member.billing-roles["ABCDE-12345-ABCDE-roles/billing.user"]: + module.service-account.google_billing_account_iam_member.billing_roles["ABCDE-12345-ABCDE-roles/billing.user"]: billing_account_id: ABCDE-12345-ABCDE condition: [] role: roles/billing.user - module.service-account.google_folder_iam_member.folder-roles["$folder_ids:test-roles/resourcemanager.folderAdmin"]: + module.service-account.google_folder_iam_member.folder_roles["$folder_ids:test-roles/resourcemanager.folderAdmin"]: condition: [] folder: folders/1234567890 role: roles/resourcemanager.folderAdmin diff --git a/tests/modules/net_firewall_policy/context-g.yaml b/tests/modules/net_firewall_policy/context-g.yaml index 6928c8730..01b588324 100644 --- a/tests/modules/net_firewall_policy/context-g.yaml +++ b/tests/modules/net_firewall_policy/context-g.yaml @@ -13,18 +13,18 @@ # limitations under the License. values: - google_compute_network_firewall_policy.net-global[0]: + google_compute_network_firewall_policy.net_global[0]: description: null name: test-1 project: foo-test-0 timeouts: null - google_compute_network_firewall_policy_association.net-global["test"]: + google_compute_network_firewall_policy_association.net_global["test"]: attachment_target: projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0 firewall_policy: test-1 name: test-1-test project: foo-test-0 timeouts: null - google_compute_network_firewall_policy_rule.net-global["egress/smtp"]: + google_compute_network_firewall_policy_rule.net_global["egress/smtp"]: action: deny description: null direction: EGRESS 
@@ -62,7 +62,7 @@ values: - serviceAccount:test@test-project.iam.gserviceaccount.com timeouts: null tls_inspect: null - google_compute_network_firewall_policy_rule.net-global["ingress/icmp"]: + google_compute_network_firewall_policy_rule.net_global["ingress/icmp"]: action: allow description: null direction: INGRESS diff --git a/tests/modules/net_firewall_policy/context-r.yaml b/tests/modules/net_firewall_policy/context-r.yaml index b65de4cb3..4c511c575 100644 --- a/tests/modules/net_firewall_policy/context-r.yaml +++ b/tests/modules/net_firewall_policy/context-r.yaml @@ -13,20 +13,20 @@ # limitations under the License. values: - google_compute_region_network_firewall_policy.net-regional[0]: + google_compute_region_network_firewall_policy.net_regional[0]: description: null name: test-1 project: foo-test-0 region: europe-west8 timeouts: null - google_compute_region_network_firewall_policy_association.net-regional["test"]: + google_compute_region_network_firewall_policy_association.net_regional["test"]: attachment_target: projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0 firewall_policy: test-1 name: test-1-test project: foo-test-0 region: europe-west8 timeouts: null - google_compute_region_network_firewall_policy_rule.net-regional["egress/smtp"]: + google_compute_region_network_firewall_policy_rule.net_regional["egress/smtp"]: action: deny description: null direction: EGRESS @@ -65,7 +65,7 @@ values: - serviceAccount:test@test-project.iam.gserviceaccount.com timeouts: null tls_inspect: null - google_compute_region_network_firewall_policy_rule.net-regional["ingress/icmp"]: + google_compute_region_network_firewall_policy_rule.net_regional["ingress/icmp"]: action: allow description: null direction: INGRESS diff --git a/tests/modules/net_firewall_policy/examples/global-net.yaml b/tests/modules/net_firewall_policy/examples/global-net.yaml index 7fa7d6803..508c06b41 100644 --- a/tests/modules/net_firewall_policy/examples/global-net.yaml 
+++ b/tests/modules/net_firewall_policy/examples/global-net.yaml @@ -13,14 +13,14 @@ # limitations under the License. values: - module.firewall-policy.google_compute_network_firewall_policy.net-global[0]: + module.firewall-policy.google_compute_network_firewall_policy.net_global[0]: name: test-1 project: my-project - module.firewall-policy.google_compute_network_firewall_policy_association.net-global["my-vpc"]: + module.firewall-policy.google_compute_network_firewall_policy_association.net_global["my-vpc"]: firewall_policy: test-1 name: test-1-my-vpc project: my-project - module.firewall-policy.google_compute_network_firewall_policy_rule.net-global["egress/smtp"]: + module.firewall-policy.google_compute_network_firewall_policy_rule.net_global["egress/smtp"]: action: deny direction: EGRESS disabled: false @@ -48,7 +48,7 @@ values: rule_name: smtp target_secure_tags: [] target_service_accounts: null - module.firewall-policy.google_compute_network_firewall_policy_rule.net-global["ingress/icmp"]: + module.firewall-policy.google_compute_network_firewall_policy_rule.net_global["ingress/icmp"]: action: allow direction: INGRESS disabled: false @@ -75,7 +75,7 @@ values: rule_name: icmp target_secure_tags: [] target_service_accounts: null - module.firewall-policy.google_compute_network_firewall_policy_rule.net-global["ingress/mgmt"]: + module.firewall-policy.google_compute_network_firewall_policy_rule.net_global["ingress/mgmt"]: action: allow direction: INGRESS disabled: false @@ -102,7 +102,7 @@ values: rule_name: mgmt target_secure_tags: [] target_service_accounts: null - module.firewall-policy.google_compute_network_firewall_policy_rule.net-global["ingress/ssh"]: + module.firewall-policy.google_compute_network_firewall_policy_rule.net_global["ingress/ssh"]: action: allow direction: INGRESS disabled: false diff --git a/tests/modules/net_firewall_policy/examples/mirroring.yaml b/tests/modules/net_firewall_policy/examples/mirroring.yaml index 96b9d4fcc..aaa9cc81c 100644 
--- a/tests/modules/net_firewall_policy/examples/mirroring.yaml +++ b/tests/modules/net_firewall_policy/examples/mirroring.yaml @@ -45,18 +45,18 @@ values: threat_prevention_profile: null timeouts: null url_filtering_profile: null - module.firewall-policy.google_compute_network_firewall_policy.net-global[0]: + module.firewall-policy.google_compute_network_firewall_policy.net_global[0]: description: null name: test-mirroring project: my-project timeouts: null - module.firewall-policy.google_compute_network_firewall_policy_association.net-global["my-vpc"]: + module.firewall-policy.google_compute_network_firewall_policy_association.net_global["my-vpc"]: attachment_target: https://www.googleapis.com/compute/v1/projects/xxx/global/networks/aaa firewall_policy: test-mirroring name: test-mirroring-my-vpc project: my-project timeouts: null - module.firewall-policy.google_compute_network_firewall_policy_packet_mirroring_rule.net-global["mirror/ingress/rule-1"]: + module.firewall-policy.google_compute_network_firewall_policy_packet_mirroring_rule.net_global["mirror/ingress/rule-1"]: action: mirror description: Mirror all traffic direction: INGRESS diff --git a/tests/modules/net_firewall_policy/examples/regional-net.yaml b/tests/modules/net_firewall_policy/examples/regional-net.yaml index 326973ba8..0c9f2ccee 100644 --- a/tests/modules/net_firewall_policy/examples/regional-net.yaml +++ b/tests/modules/net_firewall_policy/examples/regional-net.yaml 
@@ -13,16 +13,16 @@ # limitations under the License. values: - module.firewall-policy.google_compute_region_network_firewall_policy.net-regional[0]: + module.firewall-policy.google_compute_region_network_firewall_policy.net_regional[0]: name: test-1 project: my-project region: europe-west8 - module.firewall-policy.google_compute_region_network_firewall_policy_association.net-regional["my-vpc"]: + module.firewall-policy.google_compute_region_network_firewall_policy_association.net_regional["my-vpc"]: firewall_policy: test-1 name: test-1-my-vpc project: my-project region: europe-west8 - module.firewall-policy.google_compute_region_network_firewall_policy_rule.net-regional["egress/smtp"]: + module.firewall-policy.google_compute_region_network_firewall_policy_rule.net_regional["egress/smtp"]: action: deny direction: EGRESS disabled: false @@ -51,7 +51,7 @@ values: rule_name: smtp target_secure_tags: [] target_service_accounts: null - module.firewall-policy.google_compute_region_network_firewall_policy_rule.net-regional["ingress/icmp"]: + module.firewall-policy.google_compute_region_network_firewall_policy_rule.net_regional["ingress/icmp"]: action: allow direction: INGRESS disabled: false diff --git a/tests/modules/net_vpc_factory/examples/example.yaml b/tests/modules/net_vpc_factory/examples/example.yaml index 8e42cb1e8..541c2f59e 100644 --- a/tests/modules/net_vpc_factory/examples/example.yaml +++ b/tests/modules/net_vpc_factory/examples/example.yaml @@ -13,7 +13,7 @@ # limitations under the License. values: - module.net-vpc-factory.module.firewall["data-vpc-0"].google_compute_firewall.custom-rules["allow-iap"]: + module.net-vpc-factory.module.firewall["data-vpc-0"].google_compute_firewall.custom_rules["allow-iap"]: allow: - ports: - '22' diff --git a/tests/modules/net_vpc_firewall/context.yaml b/tests/modules/net_vpc_firewall/context.yaml index e2e16f234..064bd1336 100644 --- a/tests/modules/net_vpc_firewall/context.yaml 
+++ b/tests/modules/net_vpc_firewall/context.yaml @@ -13,7 +13,7 @@ # limitations under the License. values: - google_compute_firewall.allow-admins[0]: + google_compute_firewall.allow_admins[0]: allow: - ports: [] protocol: all @@ -33,7 +33,7 @@ values: target_service_accounts: null target_tags: null timeouts: null - google_compute_firewall.allow-tag-http[0]: + google_compute_firewall.allow_tag_http[0]: allow: - ports: - '80' @@ -55,7 +55,7 @@ values: target_tags: - http-server timeouts: null - google_compute_firewall.allow-tag-https[0]: + google_compute_firewall.allow_tag_https[0]: allow: - ports: - '443' @@ -77,7 +77,7 @@ values: target_tags: - https-server timeouts: null - google_compute_firewall.allow-tag-ssh[0]: + google_compute_firewall.allow_tag_ssh[0]: allow: - ports: - '22' @@ -99,7 +99,7 @@ values: target_tags: - ssh timeouts: null - google_compute_firewall.custom-rules["egress-test"]: + google_compute_firewall.custom_rules["egress-test"]: allow: - ports: [] protocol: all @@ -131,7 +131,7 @@ values: - serviceAccount:test@test-project.iam.gserviceaccount.com target_tags: null timeouts: null - google_compute_firewall.custom-rules["ingress-test"]: + google_compute_firewall.custom_rules["ingress-test"]: allow: - ports: [] protocol: all diff --git a/tests/modules/net_vpc_firewall/examples/basic.yaml b/tests/modules/net_vpc_firewall/examples/basic.yaml index e27e9dc4e..db9bcb7f9 100644 --- a/tests/modules/net_vpc_firewall/examples/basic.yaml +++ b/tests/modules/net_vpc_firewall/examples/basic.yaml @@ -13,7 +13,7 @@ # limitations under the License. values: - module.firewall.google_compute_firewall.allow-admins[0]: + module.firewall.google_compute_firewall.allow_admins[0]: allow: - ports: [] protocol: all @@ -30,7 +30,7 @@ values: source_tags: null target_service_accounts: null target_tags: null - module.firewall.google_compute_firewall.allow-tag-http[0]: + module.firewall.google_compute_firewall.allow_tag_http[0]: allow: - ports: - '80' 
@@ -52,7 +52,7 @@ values: target_service_accounts: null target_tags: - http-server - module.firewall.google_compute_firewall.allow-tag-https[0]: + module.firewall.google_compute_firewall.allow_tag_https[0]: allow: - ports: - '443' @@ -74,7 +74,7 @@ values: target_service_accounts: null target_tags: - https-server - module.firewall.google_compute_firewall.allow-tag-ssh[0]: + module.firewall.google_compute_firewall.allow_tag_ssh[0]: allow: - ports: - '22' diff --git a/tests/modules/net_vpc_firewall/examples/custom-rules.yaml b/tests/modules/net_vpc_firewall/examples/custom-rules.yaml index e3c50b552..022ff9a7a 100644 --- a/tests/modules/net_vpc_firewall/examples/custom-rules.yaml +++ b/tests/modules/net_vpc_firewall/examples/custom-rules.yaml @@ -14,11 +14,11 @@ values: # the following 4 rules are already tested by simple.yaml - module.firewall.google_compute_firewall.allow-admins[0]: {} - module.firewall.google_compute_firewall.allow-tag-http[0]: {} - module.firewall.google_compute_firewall.allow-tag-https[0]: {} - module.firewall.google_compute_firewall.allow-tag-ssh[0]: {} - module.firewall.google_compute_firewall.custom-rules["allow-egress-rfc1918"]: + module.firewall.google_compute_firewall.allow_admins[0]: {} + module.firewall.google_compute_firewall.allow_tag_http[0]: {} + module.firewall.google_compute_firewall.allow_tag_https[0]: {} + module.firewall.google_compute_firewall.allow_tag_ssh[0]: {} + module.firewall.google_compute_firewall.custom_rules["allow-egress-rfc1918"]: allow: - ports: [] protocol: all @@ -40,7 +40,7 @@ values: source_tags: null target_service_accounts: null target_tags: null - module.firewall.google_compute_firewall.custom-rules["allow-egress-tag"]: + module.firewall.google_compute_firewall.custom_rules["allow-egress-tag"]: allow: - ports: [] protocol: all 
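Review bot: The context comment `# the following 4 rules are already tested by simple.yaml` at the top of the `@@ -14,11 +14,11` hunk names a file this diff does not touch. The sibling inventory that spells out the four `allow_admins`/`allow_tag_*` rules in this commit is `examples/basic.yaml`. If `simple.yaml` no longer exists, the `{}` placeholders give a reader no pointer to where those default rules, including the all-protocol `allow_admins` rule, are actually asserted. Suggest `# the following 4 rules are already tested by basic.yaml`, after checking which file is current.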
@@ -61,7 +61,7 @@ values: target_service_accounts: null target_tags: - target-tag - module.firewall.google_compute_firewall.custom-rules["allow-ingress-ntp"]: + module.firewall.google_compute_firewall.custom_rules["allow-ingress-ntp"]: allow: - ports: - '123' @@ -82,7 +82,7 @@ values: target_service_accounts: null target_tags: - ntp-svc - module.firewall.google_compute_firewall.custom-rules["allow-ingress-tag"]: + module.firewall.google_compute_firewall.custom_rules["allow-ingress-tag"]: allow: - ports: [] protocol: all @@ -102,7 +102,7 @@ values: target_service_accounts: null target_tags: - target-tag - module.firewall.google_compute_firewall.custom-rules["deny-egress-all"]: + module.firewall.google_compute_firewall.custom_rules["deny-egress-all"]: allow: [] deny: - ports: [] diff --git a/tests/modules/net_vpc_firewall/examples/custom-ssh-default-rule.yaml b/tests/modules/net_vpc_firewall/examples/custom-ssh-default-rule.yaml index 0fce7be0e..d98bd21ac 100644 --- a/tests/modules/net_vpc_firewall/examples/custom-ssh-default-rule.yaml +++ b/tests/modules/net_vpc_firewall/examples/custom-ssh-default-rule.yaml @@ -13,9 +13,9 @@ # limitations under the License. values: - module.firewall.google_compute_firewall.allow-tag-http[0]: {} - module.firewall.google_compute_firewall.allow-tag-https[0]: {} - module.firewall.google_compute_firewall.allow-tag-ssh[0]: + module.firewall.google_compute_firewall.allow_tag_http[0]: {} + module.firewall.google_compute_firewall.allow_tag_https[0]: {} + module.firewall.google_compute_firewall.allow_tag_ssh[0]: allow: - ports: - '22' diff --git a/tests/modules/net_vpc_firewall/examples/factory.yaml b/tests/modules/net_vpc_firewall/examples/factory.yaml index e933dabb8..2c9c94c1c 100644 --- a/tests/modules/net_vpc_firewall/examples/factory.yaml +++ b/tests/modules/net_vpc_firewall/examples/factory.yaml 
@@ -13,7 +13,7 @@ # limitations under the License. values: - module.firewall.google_compute_firewall.custom-rules["allow-healthchecks"]: + module.firewall.google_compute_firewall.custom_rules["allow-healthchecks"]: allow: - ports: - '80' @@ -38,7 +38,7 @@ values: target_service_accounts: null target_tags: - lb-backends - module.firewall.google_compute_firewall.custom-rules["allow-service-1-to-service-2"]: + module.firewall.google_compute_firewall.custom_rules["allow-service-1-to-service-2"]: allow: - ports: - '80' @@ -59,7 +59,7 @@ values: target_service_accounts: - service-2 target_tags: null - module.firewall.google_compute_firewall.custom-rules["block-telnet"]: + module.firewall.google_compute_firewall.custom_rules["block-telnet"]: allow: [] deny: - ports: diff --git a/tests/modules/net_vpc_firewall/examples/local-ranges.yaml b/tests/modules/net_vpc_firewall/examples/local-ranges.yaml index 106a7ba7b..7f316cae8 100644 --- a/tests/modules/net_vpc_firewall/examples/local-ranges.yaml +++ b/tests/modules/net_vpc_firewall/examples/local-ranges.yaml @@ -13,7 +13,7 @@ # limitations under the License. values: - module.firewall.google_compute_firewall.custom-rules["allow-ingress-source-destination-ranges"]: + module.firewall.google_compute_firewall.custom_rules["allow-ingress-source-destination-ranges"]: allow: - ports: [] protocol: all @@ -35,7 +35,7 @@ values: source_tags: null target_service_accounts: null target_tags: null - module.firewall.google_compute_firewall.custom-rules["deny-egress-source-destination-ranges"]: + module.firewall.google_compute_firewall.custom_rules["deny-egress-source-destination-ranges"]: allow: [] deny: - ports: [] diff --git a/tests/modules/net_vpc_firewall/examples/no-ssh-default-rules.yaml b/tests/modules/net_vpc_firewall/examples/no-ssh-default-rules.yaml index 46b1d04d5..a2e4c4402 100644 --- a/tests/modules/net_vpc_firewall/examples/no-ssh-default-rules.yaml +++ b/tests/modules/net_vpc_firewall/examples/no-ssh-default-rules.yaml 
@@ -13,8 +13,8 @@ # limitations under the License. values: - module.firewall.google_compute_firewall.allow-tag-http[0]: {} - module.firewall.google_compute_firewall.allow-tag-https[0]: {} + module.firewall.google_compute_firewall.allow_tag_http[0]: {} + module.firewall.google_compute_firewall.allow_tag_https[0]: {} counts: google_compute_firewall: 2 diff --git a/tests/modules/net_vpn_dynamic/examples/vpn-single-tunnel-custom-ciphers.yaml b/tests/modules/net_vpn_dynamic/examples/vpn-single-tunnel-custom-ciphers.yaml index 74ae471af..638454ca6 100644 --- a/tests/modules/net_vpn_dynamic/examples/vpn-single-tunnel-custom-ciphers.yaml +++ b/tests/modules/net_vpn_dynamic/examples/vpn-single-tunnel-custom-ciphers.yaml @@ -139,7 +139,7 @@ values: service_label: null source_ip_ranges: null timeouts: null - module.vpn-dynamic.google_compute_forwarding_rule.udp-4500: + module.vpn-dynamic.google_compute_forwarding_rule.udp_4500: all_ports: null allow_global_access: null allow_psc_global_access: null @@ -160,7 +160,7 @@ values: service_label: null source_ip_ranges: null timeouts: null - module.vpn-dynamic.google_compute_forwarding_rule.udp-500: + module.vpn-dynamic.google_compute_forwarding_rule.udp_500: all_ports: null allow_global_access: null allow_psc_global_access: null diff --git a/tests/modules/net_vpn_dynamic/examples/vpn-single-tunnel.yaml b/tests/modules/net_vpn_dynamic/examples/vpn-single-tunnel.yaml index 7c85629f7..fe23140a4 100644 --- a/tests/modules/net_vpn_dynamic/examples/vpn-single-tunnel.yaml +++ b/tests/modules/net_vpn_dynamic/examples/vpn-single-tunnel.yaml @@ -139,7 +139,7 @@ values: service_label: null source_ip_ranges: null timeouts: null - module.vpn-dynamic.google_compute_forwarding_rule.udp-4500: + module.vpn-dynamic.google_compute_forwarding_rule.udp_4500: all_ports: null allow_global_access: null allow_psc_global_access: null 
@@ -160,7 +160,7 @@ values: service_label: null source_ip_ranges: null timeouts: null - module.vpn-dynamic.google_compute_forwarding_rule.udp-500: + module.vpn-dynamic.google_compute_forwarding_rule.udp_500: all_ports: null allow_global_access: null allow_psc_global_access: null diff --git a/tests/modules/net_vpn_static/examples/vpn-single-tunnel-custom-ciphers.yaml b/tests/modules/net_vpn_static/examples/vpn-single-tunnel-custom-ciphers.yaml index 6ecc7f140..29e6d2f5d 100644 --- a/tests/modules/net_vpn_static/examples/vpn-single-tunnel-custom-ciphers.yaml +++ b/tests/modules/net_vpn_static/examples/vpn-single-tunnel-custom-ciphers.yaml @@ -49,7 +49,7 @@ values: service_label: null source_ip_ranges: null timeouts: null - module.vpn.google_compute_forwarding_rule.udp-4500: + module.vpn.google_compute_forwarding_rule.udp_4500: all_ports: null allow_global_access: null allow_psc_global_access: null @@ -70,7 +70,7 @@ values: service_label: null source_ip_ranges: null timeouts: null - module.vpn.google_compute_forwarding_rule.udp-500: + module.vpn.google_compute_forwarding_rule.udp_500: all_ports: null allow_global_access: null allow_psc_global_access: null diff --git a/tests/modules/net_vpn_static/examples/vpn-single-tunnel.yaml b/tests/modules/net_vpn_static/examples/vpn-single-tunnel.yaml index 58e56c3a3..fd5fe43fa 100644 --- a/tests/modules/net_vpn_static/examples/vpn-single-tunnel.yaml +++ b/tests/modules/net_vpn_static/examples/vpn-single-tunnel.yaml @@ -49,7 +49,7 @@ values: service_label: null source_ip_ranges: null timeouts: null - module.vpn.google_compute_forwarding_rule.udp-4500: + module.vpn.google_compute_forwarding_rule.udp_4500: all_ports: null allow_global_access: null allow_psc_global_access: null 
@@ -70,7 +70,7 @@ values:
 service_label: null
 source_ip_ranges: null
 timeouts: null
- module.vpn.google_compute_forwarding_rule.udp-500:
+ module.vpn.google_compute_forwarding_rule.udp_500:
 all_ports: null
 allow_global_access: null
 allow_psc_global_access: null
diff --git a/tests/modules/organization/context.yaml b/tests/modules/organization/context.yaml
index edca95d7a..cc259a189 100644
--- a/tests/modules/organization/context.yaml
+++ b/tests/modules/organization/context.yaml
@@ -13,7 +13,7 @@
 # limitations under the License.
 values:
- google_bigquery_dataset_iam_member.bq-sinks-binding["test-bq"]:
+ google_bigquery_dataset_iam_member.bq_sinks_binding["test-bq"]:
 condition: []
 dataset_id: logs
 project: test-prod-audit-logs-0
@@ -203,22 +203,22 @@ values:
 unstructured:
 - {}
 timeouts: null
- google_project_iam_member.bucket-sinks-binding["test-logging"]:
+ google_project_iam_member.bucket_sinks_binding["test-logging"]:
 condition:
 - expression: resource.name.endsWith('projects/test-prod-audit-logs-0/locations/europe-west8/buckets/audit-logs')
 title: test-logging bucket writer
 project: test-prod-audit-logs-0
 role: roles/logging.bucketWriter
- google_project_iam_member.project-sinks-binding["test-project"]:
+ google_project_iam_member.project_sinks_binding["test-project"]:
 condition: []
 project: projects/test-prod-audit-logs-0
 role: roles/logging.logWriter
- google_pubsub_topic_iam_member.pubsub-sinks-binding["test-pubsub"]:
+ google_pubsub_topic_iam_member.pubsub_sinks_binding["test-pubsub"]:
 condition: []
 project: test-prod-audit-logs-0
 role: roles/pubsub.publisher
 topic: audit-logs
- google_storage_bucket_iam_member.storage-sinks-binding["test-storage"]:
+ google_storage_bucket_iam_member.storage_sinks_binding["test-storage"]:
 bucket: test-prod-logs-audit-0
 condition: []
 role: roles/storage.objectCreator
diff --git a/tests/modules/organization/examples/logging.yaml b/tests/modules/organization/examples/logging.yaml
index 1cc061cfd..bc67fee9a 100644
--- a/tests/modules/organization/examples/logging.yaml
+++ b/tests/modules/organization/examples/logging.yaml
@@ -90,10 +90,10 @@ values:
 goog-terraform-provisioned: 'true'
 timeouts: null
 uniform_bucket_level_access: true
- module.org.google_bigquery_dataset_iam_member.bq-sinks-binding["info"]:
+ module.org.google_bigquery_dataset_iam_member.bq_sinks_binding["info"]:
 condition: []
 role: roles/bigquery.dataEditor
- module.org.google_logging_organization_exclusion.logging-exclusion["no-gce-instances"]:
+ module.org.google_logging_organization_exclusion.logging_exclusion["no-gce-instances"]:
 description: no-gce-instances (Terraform-managed).
 disabled: null
 filter: resource.type=gce_instance
@@ -163,24 +163,24 @@ values:
 intercept_children: false
 name: warnings
 org_id: '1122334455'
- module.org.google_project_iam_member.bucket-sinks-binding["debug"]:
+ module.org.google_project_iam_member.bucket_sinks_binding["debug"]:
 condition:
 - title: debug bucket writer
 role: roles/logging.bucketWriter
- module.org.google_project_iam_member.project-sinks-binding["alert"]:
+ module.org.google_project_iam_member.project_sinks_binding["alert"]:
 condition: []
 project: projects/test-dest-prj
 role: roles/logging.logWriter
- module.org.google_pubsub_topic_iam_member.pubsub-sinks-binding["notice"]:
+ module.org.google_pubsub_topic_iam_member.pubsub_sinks_binding["notice"]:
 condition: []
 project: project-id
 role: roles/pubsub.publisher
 topic: pubsub_sink
- module.org.google_storage_bucket_iam_member.storage-sinks-binding["audit"]:
+ module.org.google_storage_bucket_iam_member.storage_sinks_binding["audit"]:
 bucket: test-prod-log-audit-0
 condition: []
 role: roles/storage.objectCreator
- module.org.google_storage_bucket_iam_member.storage-sinks-binding["warnings"]:
+ module.org.google_storage_bucket_iam_member.storage_sinks_binding["warnings"]:
 bucket: test-gcs_sink
 condition: []
 role: roles/storage.objectCreator
diff --git a/tests/modules/project/context.yaml b/tests/modules/project/context.yaml
index a78fb09bd..b6cce50a4 100644
--- a/tests/modules/project/context.yaml
+++ b/tests/modules/project/context.yaml
@@ -269,7 +269,7 @@ values:
 project: my-project
 service: compute.googleapis.com
 timeouts: null
- google_pubsub_topic_iam_member.pubsub-sinks-binding["test-pubsub"]:
+ google_pubsub_topic_iam_member.pubsub_sinks_binding["test-pubsub"]:
 condition: []
 project: test-prod-audit-logs-0
 role: roles/pubsub.publisher
diff --git a/tests/modules/project/examples/data.yaml b/tests/modules/project/examples/data.yaml
index a7fa255b5..1d5a93769 100644
--- a/tests/modules/project/examples/data.yaml
+++ b/tests/modules/project/examples/data.yaml
@@ -124,7 +124,7 @@ values:
 module.project.data.google_storage_project_service_account.gcs_sa[0]:
 project: test-project
 user_project: null
- module.project.google_bigquery_dataset_iam_member.bq-sinks-binding["info"]:
+ module.project.google_bigquery_dataset_iam_member.bq_sinks_binding["info"]:
 condition: []
 role: roles/bigquery.dataEditor
 module.project.google_compute_shared_vpc_service_project.shared_vpc_service[0]:
@@ -138,7 +138,7 @@ values:
 module.project.google_kms_crypto_key_iam_member.service_agent_cmek["key-0.gs-project-accounts"]:
 condition: []
 role: roles/cloudkms.cryptoKeyEncrypterDecrypter
- module.project.google_logging_project_exclusion.logging-exclusion["no-gce-instances"]:
+ module.project.google_logging_project_exclusion.logging_exclusion["no-gce-instances"]:
 description: no-gce-instances (Terraform-managed).
 disabled: null
 filter: resource.type=gce_instance
@@ -372,7 +372,7 @@ values:
 member: group:organization-admins@example.org
 project: test-project
 role: roles/owner
- module.project.google_project_iam_member.bucket-sinks-binding["debug"]:
+ module.project.google_project_iam_member.bucket_sinks_binding["debug"]:
 condition:
 - title: debug bucket writer
 role: roles/logging.bucketWriter
@@ -478,12 +478,12 @@ values:
 project: test-project
 service: run.googleapis.com
 timeouts: null
- module.project.google_pubsub_topic_iam_member.pubsub-sinks-binding["notice"]:
+ module.project.google_pubsub_topic_iam_member.pubsub_sinks_binding["notice"]:
 condition: []
 project: project-id
 role: roles/pubsub.publisher
 topic: pubsub_sink
- module.project.google_storage_bucket_iam_member.gcs-sinks-binding["warnings"]:
+ module.project.google_storage_bucket_iam_member.gcs_sinks_binding["warnings"]:
 bucket: test-gcs_sink
 condition: []
 role: roles/storage.objectCreator
diff --git a/tests/modules/project/examples/log-scopes.yaml b/tests/modules/project/examples/log-scopes.yaml
index 52fbd47bf..b7b2a5a6e 100644
--- a/tests/modules/project/examples/log-scopes.yaml
+++ b/tests/modules/project/examples/log-scopes.yaml
@@ -34,7 +34,7 @@ values:
 locked: null
 project: other-project
 retention_days: 30
- module.project.google_logging_log_scope.log-scopes["scope"]:
+ module.project.google_logging_log_scope.log_scopes["scope"]:
 description: My log scope
 location: global
 name: scope
diff --git a/tests/modules/project/examples/logging.yaml b/tests/modules/project/examples/logging.yaml
index d0f87d281..bcccdc602 100644
--- a/tests/modules/project/examples/logging.yaml
+++ b/tests/modules/project/examples/logging.yaml
@@ -92,10 +92,10 @@ values:
 uniform_bucket_level_access: true
 module.project-host.data.google_logging_project_settings.logging_sa[0]:
 project: test-project
- module.project-host.google_bigquery_dataset_iam_member.bq-sinks-binding["info"]:
+ module.project-host.google_bigquery_dataset_iam_member.bq_sinks_binding["info"]:
 condition: []
 role: roles/bigquery.dataEditor
- module.project-host.google_logging_project_exclusion.logging-exclusion["no-gce-instances"]:
+ module.project-host.google_logging_project_exclusion.logging_exclusion["no-gce-instances"]:
 description: no-gce-instances (Terraform-managed).
 disabled: null
 filter: resource.type=gce_instance
@@ -170,11 +170,11 @@ values:
 terraform_labels:
 goog-terraform-provisioned: 'true'
 timeouts: null
- module.project-host.google_project_iam_member.bucket-sinks-binding["debug"]:
+ module.project-host.google_project_iam_member.bucket_sinks_binding["debug"]:
 condition:
 - title: debug bucket writer
 role: roles/logging.bucketWriter
- module.project-host.google_project_iam_member.project-sinks-binding["alert"]:
+ module.project-host.google_project_iam_member.project_sinks_binding["alert"]:
 condition: []
 project: projects/test-dest-prj
 role: roles/logging.logWriter
@@ -184,12 +184,12 @@ values:
 project: test-project
 service: logging.googleapis.com
 timeouts: null
- module.project-host.google_pubsub_topic_iam_member.pubsub-sinks-binding["notice"]:
+ module.project-host.google_pubsub_topic_iam_member.pubsub_sinks_binding["notice"]:
 condition: []
 project: project-id
 role: roles/pubsub.publisher
 topic: pubsub_sink
- module.project-host.google_storage_bucket_iam_member.gcs-sinks-binding["warnings"]:
+ module.project-host.google_storage_bucket_iam_member.gcs_sinks_binding["warnings"]:
 bucket: test-gcs_sink
 condition: []
 role: roles/storage.objectCreator
diff --git a/tests/modules/project_factory/examples/example.yaml b/tests/modules/project_factory/examples/example.yaml
index b83294bb6..be0710119 100644
--- a/tests/modules/project_factory/examples/example.yaml
+++ b/tests/modules/project_factory/examples/example.yaml
@@ -847,15 +847,15 @@ values:
 terraform_labels:
 goog-terraform-provisioned: 'true'
 timeouts: null
- ? module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-be"].google_project_iam_member.project-roles["$project_ids:dev-spoke-0-roles/compute.networkUser"]
+ ? module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-be"].google_project_iam_member.project_roles["$project_ids:dev-spoke-0-roles/compute.networkUser"]
 : condition: []
 project: $project_ids:dev-spoke-0
 role: roles/compute.networkUser
- ? module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-be"].google_project_iam_member.project-roles["$project_ids:dev-ta-app0-be-roles/logging.logWriter"]
+ ? module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-be"].google_project_iam_member.project_roles["$project_ids:dev-ta-app0-be-roles/logging.logWriter"]
 : condition: []
 project: test-pf-dev-ta-app0-be
 role: roles/logging.logWriter
- ? module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-be"].google_project_iam_member.project-roles["$project_ids:dev-ta-app0-be-roles/monitoring.metricWriter"]
+ ? module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-be"].google_project_iam_member.project_roles["$project_ids:dev-ta-app0-be-roles/monitoring.metricWriter"]
 : condition: []
 project: test-pf-dev-ta-app0-be
 role: roles/monitoring.metricWriter
@@ -872,15 +872,15 @@ values:
 module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-be"].google_tags_tag_binding.binding["context"]:
 tag_value: $tag_values:context/project-factory
 timeouts: null
- ? module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-fe"].google_project_iam_member.project-roles["$project_ids:dev-spoke-0-roles/compute.networkUser"]
+ ? module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-fe"].google_project_iam_member.project_roles["$project_ids:dev-spoke-0-roles/compute.networkUser"]
 : condition: []
 project: $project_ids:dev-spoke-0
 role: roles/compute.networkUser
- ? module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-fe"].google_project_iam_member.project-roles["$project_ids:dev-ta-app0-be-roles/logging.logWriter"]
+ ? module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-fe"].google_project_iam_member.project_roles["$project_ids:dev-ta-app0-be-roles/logging.logWriter"]
 : condition: []
 project: test-pf-dev-ta-app0-be
 role: roles/logging.logWriter
- ? module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-fe"].google_project_iam_member.project-roles["$project_ids:dev-ta-app0-be-roles/monitoring.metricWriter"]
+ ? module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-fe"].google_project_iam_member.project_roles["$project_ids:dev-ta-app0-be-roles/monitoring.metricWriter"]
 : condition: []
 project: test-pf-dev-ta-app0-be
 role: roles/monitoring.metricWriter
@@ -894,11 +894,11 @@ values:
 member: serviceAccount:app-0-fe@test-pf-dev-ta-app0-be.iam.gserviceaccount.com
 project: test-pf-dev-ta-app0-be
 timeouts: null
- ? module.project-factory.module.service-accounts["dev-tb-app0-0/vm-default"].google_project_iam_member.project-roles["$project_ids:dev-tb-app0-0-roles/logging.logWriter"]
+ ? module.project-factory.module.service-accounts["dev-tb-app0-0/vm-default"].google_project_iam_member.project_roles["$project_ids:dev-tb-app0-0-roles/logging.logWriter"]
 : condition: []
 project: test-pf-dev-tb-app0-0
 role: roles/logging.logWriter
- ? module.project-factory.module.service-accounts["dev-tb-app0-0/vm-default"].google_project_iam_member.project-roles["$project_ids:dev-tb-app0-0-roles/monitoring.metricWriter"]
+ ? module.project-factory.module.service-accounts["dev-tb-app0-0/vm-default"].google_project_iam_member.project_roles["$project_ids:dev-tb-app0-0-roles/monitoring.metricWriter"]
 : condition: []
 project: test-pf-dev-tb-app0-0
 role: roles/monitoring.metricWriter
@@ -912,11 +912,11 @@ values:
 member: serviceAccount:vm-default@test-pf-dev-tb-app0-0.iam.gserviceaccount.com
 project: test-pf-dev-tb-app0-0
 timeouts: null
- ? module.project-factory.module.service-accounts["dev-tb-app0-1/app-0-be"].google_project_iam_member.project-roles["$project_ids:dev-tb-app0-1-roles/logging.logWriter"]
+ ? module.project-factory.module.service-accounts["dev-tb-app0-1/app-0-be"].google_project_iam_member.project_roles["$project_ids:dev-tb-app0-1-roles/logging.logWriter"]
 : condition: []
 project: test-pf-dev-tb-app0-1
 role: roles/logging.logWriter
- ? module.project-factory.module.service-accounts["dev-tb-app0-1/app-0-be"].google_project_iam_member.project-roles["$project_ids:dev-tb-app0-1-roles/monitoring.metricWriter"]
+ ? module.project-factory.module.service-accounts["dev-tb-app0-1/app-0-be"].google_project_iam_member.project_roles["$project_ids:dev-tb-app0-1-roles/monitoring.metricWriter"]
 : condition: []
 project: test-pf-dev-tb-app0-1
 role: roles/monitoring.metricWriter
@@ -930,18 +930,18 @@ values:
 member: serviceAccount:app-0-be@test-pf-dev-tb-app0-1.iam.gserviceaccount.com
 project: test-pf-dev-tb-app0-1
 timeouts: null
- ? module.project-factory.module.service_accounts-iam["dev-ta-app0-be/app-0-be"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountUser"]
+ ? module.project-factory.module.service-accounts-iam["dev-ta-app0-be/app-0-be"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountUser"]
 : condition: []
 role: roles/iam.serviceAccountUser
- ? module.project-factory.module.service_accounts-iam["dev-ta-app0-be/app-0-be"].google_service_account_iam_member.additive["$service_account_ids:_self_/app-0-fe-roles/iam.serviceAccountUser"]
+ ? module.project-factory.module.service-accounts-iam["dev-ta-app0-be/app-0-be"].google_service_account_iam_member.additive["$service_account_ids:_self_/app-0-fe-roles/iam.serviceAccountUser"]
 : condition: []
 role: roles/iam.serviceAccountUser
 service_account_id: projects/test-pf-dev-ta-app0-be/serviceAccounts/app-0-fe@test-pf-dev-ta-app0-be.iam.gserviceaccount.com
- ? module.project-factory.module.service_accounts-iam["dev-ta-app0-be/app-0-be"].google_service_account_iam_member.bindings["test"]
+ ? module.project-factory.module.service-accounts-iam["dev-ta-app0-be/app-0-be"].google_service_account_iam_member.bindings["test"]
 : condition: []
 member: group:team-a-admins@example.org
 role: roles/iam.serviceAccountUser
- ? module.project-factory.module.service_accounts-iam["dev-tb-app0-0/vm-default"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]
+ ? module.project-factory.module.service-accounts-iam["dev-tb-app0-0/vm-default"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]
 : condition: []
 members:
 - serviceAccount:dev-tb-app0-0-rw@test-pf-teams-iac-0.iam.gserviceaccount.com
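Review bot: The expected module address changes here from `module.service_accounts-iam` to `module.service-accounts-iam`, and the module-side rename is outside this hunk, so whether a matching `moved` block ships with it cannot be confirmed from the fixture. Without one, Terraform plans a destroy and create for every binding under that module on existing state, including the authoritative `roles/iam.serviceAccountTokenCreator` and `roles/iam.serviceAccountUser` bindings listed here, which would briefly remove those grants during apply. I would add a `moved` block with `from = module.service_accounts-iam` and `to = module.service-accounts-iam` next to the renamed module call and confirm that an upgrade plan against existing state shows no IAM destroys. The same check applies to the resource-level renames in the other hunks: the `*_sinks_binding` log sink writer members, the `allow_tag_http`/`allow_tag_https` firewall rules and the `udp_500`/`udp_4500` VPN forwarding rules.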
@@ -950,7 +950,7 @@ values:
 input: null
 output: null
 triggers_replace: null
- module.project-factory.terraform_data.project-preconditions:
+ module.project-factory.terraform_data.project_preconditions:
 input: null
 output: null
 triggers_replace: null
diff --git a/tests/modules/project_factory/examples/test-1.yaml b/tests/modules/project_factory/examples/test-1.yaml
index fb0f441fe..dc66b6c71 100644
--- a/tests/modules/project_factory/examples/test-1.yaml
+++ b/tests/modules/project_factory/examples/test-1.yaml
@@ -209,7 +209,7 @@ values:
 input: null
 output: null
 triggers_replace: null
- module.project-factory.terraform_data.project-preconditions:
+ module.project-factory.terraform_data.project_preconditions:
 input: null
 output: null
 triggers_replace: null
diff --git a/tests/modules/pubsub/examples/bigquery-subscription-with-service-account.yaml b/tests/modules/pubsub/examples/bigquery-subscription-with-service-account.yaml
index c03a12aa5..83736a9cf 100644
--- a/tests/modules/pubsub/examples/bigquery-subscription-with-service-account.yaml
+++ b/tests/modules/pubsub/examples/bigquery-subscription-with-service-account.yaml
@@ -13,7 +13,7 @@
 # limitations under the License.
 values:
- module.iam-service-account.google_project_iam_member.project-roles["project-id-roles/bigquery.dataEditor"]:
+ module.iam-service-account.google_project_iam_member.project_roles["project-id-roles/bigquery.dataEditor"]:
 project: project-id
 role: roles/bigquery.dataEditor
 module.iam-service-account.google_service_account.service_account[0]: