From 8272694360b7eefa8e3f5efafa64c72c731897ef Mon Sep 17 00:00:00 2001 From: Simone Ruffilli Date: Fri, 4 Feb 2022 07:42:56 +0100 Subject: [PATCH 1/4] 02-net-nva: README.md updates --- fast/README.md | 4 ++-- fast/stages/00-bootstrap/README.md | 8 ++++++-- fast/stages/00-bootstrap/outputs.tf | 6 ++++++ fast/stages/01-resman/outputs.tf | 19 ++++++++++++++----- fast/stages/README.md | 4 ++-- 5 files changed, 30 insertions(+), 11 deletions(-) diff --git a/fast/README.md b/fast/README.md index be35c36aa..7108c04a8 100644 --- a/fast/README.md +++ b/fast/README.md @@ -47,8 +47,8 @@ As mentioned before, fast relies on multiple stages to progressively bring up yo - [Security](stages/02-security/README.md)
Manages centralized security configurations in a separate stage, typically owned by the security team. This stage implements VPC Security Controls via separate perimeters for environments and central services, and creates projects to host centralized KMS keys used by the whole organization. It's intentionally easy to extend to include other security-related resources, like Secret Manager. -- [Networking](stages/02-networking/README.md)
- Manages centralized network resources in a separate stage, and is typically owned by the networking team. This stage implements a hub-and-spoke design, includes connectivity via VPN to on-premises, and YAML-based factories for firewall rules (hierarchical and VPC-level) and subnets. +- Networking ([VPN](02-networking/README.md)/[NVA](02-networking-nva/README.md)) + Manages centralized network resources in a separate stage, and is typically owned by the networking team. This stage implements a hub-and-spoke design, and includes connectivity via VPN to on-premises, and YAML-based factories for firewall rules (hierarchical and VPC-level) and subnets. It's currently available in two versions: [spokes connected via VPN](02-networking/README.md), [and spokes connected via appliances](02-networking-nva/README.md). ### Environment-level resources (03) diff --git a/fast/stages/00-bootstrap/README.md b/fast/stages/00-bootstrap/README.md index 994d67a9a..06ee9986e 100644 --- a/fast/stages/00-bootstrap/README.md +++ b/fast/stages/00-bootstrap/README.md @@ -177,11 +177,15 @@ Below is the outline of the output files generated by this stage: │   ├── providers.tf │   ├── terraform-bootstrap.auto.tfvars.json ├── 02-networking -│   ├── providers.tf +│   ├── terraform-bootstrap.auto.tfvars.json +├── 02-networking-nva │   ├── terraform-bootstrap.auto.tfvars.json ├── 02-security -│   ├── providers.tf │   ├── terraform-bootstrap.auto.tfvars.json +├── 03-gke-multitenant-dev +│   └── terraform-bootstrap.auto.tfvars.json +├── 03-gke-multitenant-prod +│   └── terraform-bootstrap.auto.tfvars.json ├── 03-project-factory-dev │   └── terraform-bootstrap.auto.tfvars.json ├── 03-project-factory-prod diff --git a/fast/stages/00-bootstrap/outputs.tf b/fast/stages/00-bootstrap/outputs.tf index 8912fb873..d07fdf19d 100644 --- a/fast/stages/00-bootstrap/outputs.tf +++ b/fast/stages/00-bootstrap/outputs.tf 
@@ -42,6 +42,12 @@ locals {
 organization = var.organization
 prefix = var.prefix
 })
+ "02-networking-nva" = jsonencode({
+ billing_account_id = var.billing_account.id
+ custom_roles = module.organization.custom_role_id
+ organization = var.organization
+ prefix = var.prefix
+ })
 "02-security" = jsonencode({
 billing_account_id = var.billing_account.id
 organization = var.organization
diff --git a/fast/stages/01-resman/outputs.tf b/fast/stages/01-resman/outputs.tf
index 67fce0bc1..9edaf64ff 100644
--- a/fast/stages/01-resman/outputs.tf
+++ b/fast/stages/01-resman/outputs.tf
@@ -25,16 +25,16 @@ locals {
 name = "networking"
 sa = module.branch-network-sa.email
 })
+ "02-networking-nva" = templatefile("${path.module}/../../assets/templates/providers.tpl", {
+ bucket = module.branch-network-gcs.name
+ name = "networking-nva"
+ sa = module.branch-network-sa.email
+ })
 "02-security" = templatefile("${path.module}/../../assets/templates/providers.tpl", {
 bucket = module.branch-security-gcs.name
 name = "security"
 sa = module.branch-security-sa.email
 })
- "99-sandbox" = templatefile("${path.module}/../../assets/templates/providers.tpl", {
- bucket = module.branch-sandbox-gcs.name
- name = "sandbox"
- sa = module.branch-sandbox-sa.email
- })
 "03-project-factory-dev" = templatefile("${path.module}/../../assets/templates/providers.tpl", {
 bucket = module.branch-teams-dev-projectfactory-gcs.name
 name = "team-dev"
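Review bot: The new `"02-networking-nva"` providers entry in fast/stages/01-resman/outputs.tf reuses `module.branch-network-gcs.name` and `module.branch-network-sa.email` from the `"02-networking"` entry, and nothing in the hunk says the sharing is intended. Only `name` differs, and whether that keeps the two stages' state apart depends on how providers.tpl uses it, which is not visible here. If the two stages are alternatives, as the README change suggests, I would say so above the entry, e.g. `# alternative to 02-networking: shares the networking branch bucket and service account`, so a later reader does not assume separate state and identities. The `locals` block starts before this hunk and continues past it.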
@@ -45,12 +45,21 @@ locals {
 name = "team-prod"
 sa = module.branch-teams-prod-projectfactory-sa.email
 })
+ "99-sandbox" = templatefile("${path.module}/../../assets/templates/providers.tpl", {
+ bucket = module.branch-sandbox-gcs.name
+ name = "sandbox"
+ sa = module.branch-sandbox-sa.email
+ })
 }
 tfvars = {
 "02-networking" = jsonencode({
 folder_id = module.branch-network-folder.id
 project_factory_sa = local._project_factory_sas
 })
+ "02-networkin-nva" = jsonencode({
+ folder_id = module.branch-network-folder.id
+ project_factory_sa = local._project_factory_sas
+ })
 "02-security" = jsonencode({
 folder_id = module.branch-security-folder.id
 kms_restricted_admins = {
diff --git a/fast/stages/README.md b/fast/stages/README.md
index df9d5bef9..1c5a8144e 100644
--- a/fast/stages/README.md
+++ b/fast/stages/README.md
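Review bot: The key added to the `tfvars` map is spelled `"02-networkin-nva"`, missing the `g`, while the `providers` map in this same file and the bootstrap stage's `tfvars` map both use `"02-networking-nva"`. If these keys become output directory names, as the tree in the bootstrap README suggests, the resman variables for the NVA stage would be written under a name that matches no stage directory, and the stage would run without `folder_id` and `project_factory_sa`. The line should read `"02-networking-nva" = jsonencode({`. The `locals` block starts before this hunk and continues past it.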
@@ -17,8 +17,8 @@ Refer to each stage's documentation for a detailed description of its purpose, t - [Security](02-security/README.md) Manages centralized security configurations in a separate stage, and is typically owned by the security team. This stage implements VPC Security Controls via separate perimeters for environments and central services, and creates projects to host centralized KMS keys used by the whole organization. It's meant to be easily extended to include other security-related resources which are required, like Secret Manager. -- [Networking](02-networking/README.md) - Manages centralized network resources in a separate stage, and is typically owned by the networking team. This stage implements a hub-and-spoke design, and includes connectivity via VPN to on-premises, and YAML-based factories for firewall rules (hierarchical and VPC-level) and subnets. +- Networking ([VPN](02-networking/README.md)/[NVA](02-networking-nva/README.md)) + Manages centralized network resources in a separate stage, and is typically owned by the networking team. This stage implements a hub-and-spoke design, and includes connectivity via VPN to on-premises, and YAML-based factories for firewall rules (hierarchical and VPC-level) and subnets. It's currently available in two versions: [spokes connected via VPN](02-networking/README.md), [and spokes connected via appliances](02-networking-nva/README.md). ## Environment-level resources (03) From 2291e0643ada061e9d264c9fa1dba791dcdb417a Mon Sep 17 00:00:00 2001 From: Daniel Marzini Date: Thu, 3 Feb 2022 23:31:52 +0100 Subject: [PATCH 2/4] remove module.organization.custom_role_id.xpnServiceAdmin to be discussed with jccb --- fast/stages/00-bootstrap/organization.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/fast/stages/00-bootstrap/organization.tf b/fast/stages/00-bootstrap/organization.tf index f4f2cc3d5..51ae428a3 100644 --- a/fast/stages/00-bootstrap/organization.tf +++ b/fast/stages/00-bootstrap/organization.tf 
@@ -191,7 +191,6 @@ resource "google_organization_iam_binding" "org_admin_delegated" {
 "roles/compute.orgFirewallPolicyAdmin",
 "roles/compute.xpnAdmin",
 "roles/orgpolicy.policyAdmin",
- module.organization.custom_role_id.xpnServiceAdmin
 ],
 local.billing_org ? [
 "roles/billing.admin",
From b1a409079226668a6e92e0c13e770bcf0ea56d0e Mon Sep 17 00:00:00 2001
From: Daniel Marzini
Date: Fri, 4 Feb 2022 00:24:09 +0100
Subject: [PATCH 3/4] small firewall policies fix
---
 modules/folder/{firewal_policies.tf => firewall_policies.tf} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename modules/folder/{firewal_policies.tf => firewall_policies.tf} (100%)
diff --git a/modules/folder/firewal_policies.tf b/modules/folder/firewall_policies.tf
similarity index 100%
rename from modules/folder/firewal_policies.tf
rename to modules/folder/firewall_policies.tf
From 52c4b608c23711218813da588d1d8ad98f538267 Mon Sep 17 00:00:00 2001
From: Julio Castillo Date: Fri, 4 Feb 2022 08:27:39 +0100 Subject: [PATCH 4/4] Rename tf files to use dashes --- fast/stages/00-bootstrap/README.md | 8 ++++---- fast/stages/01-resman/README.md | 14 +++++++------- modules/folder/README.md | 4 ++-- .../{firewall_policies.tf => firewall-policies.tf} | 0 ...zation_policies.tf => organization-policies.tf} | 0 modules/net-glb/README.md | 12 ++++++------ .../{backend_services.tf => backend-services.tf} | 0 ...orwarding_rule.tf => global-forwarding-rule.tf} | 0 .../net-glb/{health_checks.tf => health-checks.tf} | 0 .../{ssl_certificates.tf => ssl-certificates.tf} | 0 .../net-glb/{target_proxy.tf => target-proxy.tf} | 0 modules/net-glb/{url_map.tf => url-map.tf} | 0 modules/organization/README.md | 4 ++-- .../{firewall_policies.tf => firewall-policies.tf} | 0 ...zation_policies.tf => organization-policies.tf} | 0 modules/project/README.md | 8 ++++---- ...zation_policies.tf => organization-policies.tf} | 0 .../{service_accounts.tf => service-accounts.tf} | 0 modules/project/{shared_vpc.tf => shared-vpc.tf} | 0 modules/project/{vpc_sc.tf => vpc-sc.tf} | 0 .../vpc-sc/{access_levels.tf => access-levels.tf} | 0 ...ters_bridge.tf => service-perimeters-bridge.tf} | 0 ...rs_regular.tf => service-perimeters-regular.tf} | 0 23 files changed, 25 insertions(+), 25 deletions(-) rename modules/folder/{firewall_policies.tf => firewall-policies.tf} (100%) rename modules/folder/{organization_policies.tf => organization-policies.tf} (100%) rename modules/net-glb/{backend_services.tf => backend-services.tf} (100%) rename modules/net-glb/{global_forwarding_rule.tf => global-forwarding-rule.tf} (100%) rename modules/net-glb/{health_checks.tf => health-checks.tf} (100%) rename modules/net-glb/{ssl_certificates.tf => ssl-certificates.tf} (100%) rename modules/net-glb/{target_proxy.tf => target-proxy.tf} (100%) rename modules/net-glb/{url_map.tf => url-map.tf} (100%) rename modules/organization/{firewall_policies.tf => firewall-policies.tf} (100%) 
rename modules/organization/{organization_policies.tf => organization-policies.tf} (100%) rename modules/project/{organization_policies.tf => organization-policies.tf} (100%) rename modules/project/{service_accounts.tf => service-accounts.tf} (100%) rename modules/project/{shared_vpc.tf => shared-vpc.tf} (100%) rename modules/project/{vpc_sc.tf => vpc-sc.tf} (100%) rename modules/vpc-sc/{access_levels.tf => access-levels.tf} (100%) rename modules/vpc-sc/{service_perimeters_bridge.tf => service-perimeters-bridge.tf} (100%) rename modules/vpc-sc/{service_perimeters_regular.tf => service-perimeters-regular.tf} (100%) diff --git a/fast/stages/00-bootstrap/README.md b/fast/stages/00-bootstrap/README.md index 06ee9986e..7157bb18c 100644 --- a/fast/stages/00-bootstrap/README.md +++ b/fast/stages/00-bootstrap/README.md @@ -305,9 +305,9 @@ Names used in internal references (e.g. `module.foo-prod.id`) are only used by T | name | description | sensitive | consumers | |---|---|:---:|---| -| [billing_dataset](outputs.tf#L85) | BigQuery dataset prepared for billing export. | | | -| [project_ids](outputs.tf#L90) | Projects created by this stage. | | | -| [providers](outputs.tf#L101) | Terraform provider files for this stage and dependent stages. | ✓ | stage-01 | -| [tfvars](outputs.tf#L110) | Terraform variable files for the following stages. | ✓ | | +| [billing_dataset](outputs.tf#L91) | BigQuery dataset prepared for billing export. | | | +| [project_ids](outputs.tf#L96) | Projects created by this stage. | | | +| [providers](outputs.tf#L107) | Terraform provider files for this stage and dependent stages. | ✓ | stage-01 | +| [tfvars](outputs.tf#L116) | Terraform variable files for the following stages. | ✓ | | diff --git a/fast/stages/01-resman/README.md b/fast/stages/01-resman/README.md index 50f8edaf5..b83c17a08 100644 --- a/fast/stages/01-resman/README.md +++ b/fast/stages/01-resman/README.md 
@@ -175,12 +175,12 @@ Due to its simplicity, this stage lends itself easily to customizations: adding | name | description | sensitive | consumers | |---|---|:---:|---| -| [networking](outputs.tf#L79) | Data for the networking stage. | | 02-networking | -| [project_factories](outputs.tf#L89) | Data for the project factories stage. | | xx-teams | -| [providers](outputs.tf#L106) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking · 02-security · xx-sandbox · xx-teams | -| [sandbox](outputs.tf#L113) | Data for the sandbox stage. | | xx-sandbox | -| [security](outputs.tf#L123) | Data for the networking stage. | | 02-security | -| [teams](outputs.tf#L133) | Data for the teams stage. | | | -| [tfvars](outputs.tf#L146) | Terraform variable files for the following stages. | ✓ | | +| [networking](outputs.tf#L88) | Data for the networking stage. | | 02-networking | +| [project_factories](outputs.tf#L98) | Data for the project factories stage. | | xx-teams | +| [providers](outputs.tf#L115) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking · 02-security · xx-sandbox · xx-teams | +| [sandbox](outputs.tf#L122) | Data for the sandbox stage. | | xx-sandbox | +| [security](outputs.tf#L132) | Data for the networking stage. | | 02-security | +| [teams](outputs.tf#L142) | Data for the teams stage. | | | +| [tfvars](outputs.tf#L155) | Terraform variable files for the following stages. | ✓ | | diff --git a/modules/folder/README.md b/modules/folder/README.md index 569394ca3..e41dcb5bf 100644 --- a/modules/folder/README.md +++ b/modules/folder/README.md 
@@ -223,11 +223,11 @@ module "folder2" { | name | description | resources | |---|---|---| -| [firewal_policies.tf](./firewal_policies.tf) | None | google_compute_firewall_policy · google_compute_firewall_policy_association · google_compute_firewall_policy_rule | +| [firewall-policies.tf](./firewall-policies.tf) | None | google_compute_firewall_policy · google_compute_firewall_policy_association · google_compute_firewall_policy_rule | | [iam.tf](./iam.tf) | IAM bindings, roles and audit logging resources. | google_folder_iam_binding | | [logging.tf](./logging.tf) | Log sinks and supporting resources. | google_bigquery_dataset_iam_member · google_logging_folder_exclusion · google_logging_folder_sink · google_project_iam_member · google_pubsub_topic_iam_member · google_storage_bucket_iam_member | | [main.tf](./main.tf) | Module-level locals and resources. | google_essential_contacts_contact · google_folder | -| [organization_policies.tf](./organization_policies.tf) | Folder-level organization policies. | google_folder_organization_policy | +| [organization-policies.tf](./organization-policies.tf) | Folder-level organization policies. | google_folder_organization_policy | | [outputs.tf](./outputs.tf) | Module outputs. | | | [variables.tf](./variables.tf) | Module variables. | | | [versions.tf](./versions.tf) | Version pins. | | diff --git a/modules/folder/firewall_policies.tf b/modules/folder/firewall-policies.tf similarity index 100% rename from modules/folder/firewall_policies.tf rename to modules/folder/firewall-policies.tf diff --git a/modules/folder/organization_policies.tf b/modules/folder/organization-policies.tf similarity index 100% rename from modules/folder/organization_policies.tf rename to modules/folder/organization-policies.tf diff --git a/modules/net-glb/README.md b/modules/net-glb/README.md index 5fd19d5a8..e59fee2a9 100644 --- a/modules/net-glb/README.md +++ b/modules/net-glb/README.md 
@@ -499,13 +499,13 @@ An External Global Load Balancer is made of multiple components, that change dep | name | description | resources | |---|---|---| -| [backend_services.tf](./backend_services.tf) | Bucket and group backend services. | google_compute_backend_bucket · google_compute_backend_service | -| [global_forwarding_rule.tf](./global_forwarding_rule.tf) | Global address and forwarding rule. | google_compute_global_address · google_compute_global_forwarding_rule | -| [health_checks.tf](./health_checks.tf) | Health checks. | google_compute_health_check | +| [backend-services.tf](./backend-services.tf) | Bucket and group backend services. | google_compute_backend_bucket · google_compute_backend_service | +| [global-forwarding-rule.tf](./global-forwarding-rule.tf) | Global address and forwarding rule. | google_compute_global_address · google_compute_global_forwarding_rule | +| [health-checks.tf](./health-checks.tf) | Health checks. | google_compute_health_check | | [outputs.tf](./outputs.tf) | Module outputs. | | -| [ssl_certificates.tf](./ssl_certificates.tf) | SSL certificates. | google_compute_managed_ssl_certificate · google_compute_ssl_certificate | -| [target_proxy.tf](./target_proxy.tf) | HTTP and HTTPS target proxies. | google_compute_target_http_proxy · google_compute_target_https_proxy | -| [url_map.tf](./url_map.tf) | URL maps. | google_compute_url_map | +| [ssl-certificates.tf](./ssl-certificates.tf) | SSL certificates. | google_compute_managed_ssl_certificate · google_compute_ssl_certificate | +| [target-proxy.tf](./target-proxy.tf) | HTTP and HTTPS target proxies. | google_compute_target_http_proxy · google_compute_target_https_proxy | +| [url-map.tf](./url-map.tf) | URL maps. | google_compute_url_map | | [variables.tf](./variables.tf) | Module variables. | | | [versions.tf](./versions.tf) | Version pins. | | 
diff --git a/modules/net-glb/backend_services.tf b/modules/net-glb/backend-services.tf similarity index 100% rename from modules/net-glb/backend_services.tf rename to modules/net-glb/backend-services.tf diff --git a/modules/net-glb/global_forwarding_rule.tf b/modules/net-glb/global-forwarding-rule.tf similarity index 100% rename from modules/net-glb/global_forwarding_rule.tf rename to modules/net-glb/global-forwarding-rule.tf diff --git a/modules/net-glb/health_checks.tf b/modules/net-glb/health-checks.tf similarity index 100% rename from modules/net-glb/health_checks.tf rename to modules/net-glb/health-checks.tf diff --git a/modules/net-glb/ssl_certificates.tf b/modules/net-glb/ssl-certificates.tf similarity index 100% rename from modules/net-glb/ssl_certificates.tf rename to modules/net-glb/ssl-certificates.tf diff --git a/modules/net-glb/target_proxy.tf b/modules/net-glb/target-proxy.tf similarity index 100% rename from modules/net-glb/target_proxy.tf rename to modules/net-glb/target-proxy.tf diff --git a/modules/net-glb/url_map.tf b/modules/net-glb/url-map.tf similarity index 100% rename from modules/net-glb/url_map.tf rename to modules/net-glb/url-map.tf diff --git a/modules/organization/README.md b/modules/organization/README.md index 3fd0d1bf0..a7f79d7b9 100644 --- a/modules/organization/README.md +++ b/modules/organization/README.md 
@@ -243,11 +243,11 @@ module "org" { | name | description | resources | |---|---|---| -| [firewall_policies.tf](./firewall_policies.tf) | Hierarchical firewall policies. | google_compute_firewall_policy · google_compute_firewall_policy_association · google_compute_firewall_policy_rule | +| [firewall-policies.tf](./firewall-policies.tf) | Hierarchical firewall policies. | google_compute_firewall_policy · google_compute_firewall_policy_association · google_compute_firewall_policy_rule | | [iam.tf](./iam.tf) | IAM bindings, roles and audit logging resources. | google_organization_iam_audit_config · google_organization_iam_binding · google_organization_iam_custom_role · google_organization_iam_member · google_organization_iam_policy | | [logging.tf](./logging.tf) | Log sinks and supporting resources. | google_bigquery_dataset_iam_member · google_logging_organization_exclusion · google_logging_organization_sink · google_project_iam_member · google_pubsub_topic_iam_member · google_storage_bucket_iam_member | | [main.tf](./main.tf) | Module-level locals and resources. | google_essential_contacts_contact | -| [organization_policies.tf](./organization_policies.tf) | Organization-level organization policies. | google_organization_policy | +| [organization-policies.tf](./organization-policies.tf) | Organization-level organization policies. | google_organization_policy | | [outputs.tf](./outputs.tf) | Module outputs. | | | [variables.tf](./variables.tf) | Module variables. | | | [versions.tf](./versions.tf) | Version pins. | | diff --git a/modules/organization/firewall_policies.tf b/modules/organization/firewall-policies.tf similarity index 100% rename from modules/organization/firewall_policies.tf rename to modules/organization/firewall-policies.tf 
diff --git a/modules/organization/organization_policies.tf b/modules/organization/organization-policies.tf similarity index 100% rename from modules/organization/organization_policies.tf rename to modules/organization/organization-policies.tf diff --git a/modules/project/README.md b/modules/project/README.md index d10953efd..ae91cf2bd 100644 --- a/modules/project/README.md +++ b/modules/project/README.md 
@@ -184,13 +184,13 @@ module "project" { | [iam.tf](./iam.tf) | Generic and OSLogin-specific IAM bindings and roles. | google_project_iam_binding · google_project_iam_custom_role · google_project_iam_member | | [logging.tf](./logging.tf) | Log sinks and supporting resources. | google_bigquery_dataset_iam_member · google_logging_project_exclusion · google_logging_project_sink · google_project_iam_member · google_pubsub_topic_iam_member · google_storage_bucket_iam_member | | [main.tf](./main.tf) | Module-level locals and resources. | google_compute_project_metadata_item · google_essential_contacts_contact · google_monitoring_monitored_project · google_project · google_project_service · google_resource_manager_lien | -| [organization_policies.tf](./organization_policies.tf) | Project-level organization policies. | google_project_organization_policy | +| [organization-policies.tf](./organization-policies.tf) | Project-level organization policies. | google_project_organization_policy | | [outputs.tf](./outputs.tf) | Module outputs. | | -| [service_accounts.tf](./service_accounts.tf) | Service identities and supporting resources. | google_kms_crypto_key_iam_member · google_project_service_identity | -| [shared_vpc.tf](./shared_vpc.tf) | Shared VPC project-level configuration. | google_compute_shared_vpc_host_project · google_compute_shared_vpc_service_project | +| [service-accounts.tf](./service-accounts.tf) | Service identities and supporting resources. | google_kms_crypto_key_iam_member · google_project_service_identity | +| [shared-vpc.tf](./shared-vpc.tf) | Shared VPC project-level configuration. | google_compute_shared_vpc_host_project · google_compute_shared_vpc_service_project | | [variables.tf](./variables.tf) | Module variables. | | | [versions.tf](./versions.tf) | Version pins. | | -| [vpc_sc.tf](./vpc_sc.tf) | VPC-SC project-level perimeter configuration. 
| google_access_context_manager_service_perimeter_resource | +| [vpc-sc.tf](./vpc-sc.tf) | VPC-SC project-level perimeter configuration. | google_access_context_manager_service_perimeter_resource | ## Variables diff --git a/modules/project/organization_policies.tf b/modules/project/organization-policies.tf similarity index 100% rename from modules/project/organization_policies.tf rename to modules/project/organization-policies.tf diff --git a/modules/project/service_accounts.tf b/modules/project/service-accounts.tf similarity index 100% rename from modules/project/service_accounts.tf rename to modules/project/service-accounts.tf diff --git a/modules/project/shared_vpc.tf b/modules/project/shared-vpc.tf similarity index 100% rename from modules/project/shared_vpc.tf rename to modules/project/shared-vpc.tf diff --git a/modules/project/vpc_sc.tf b/modules/project/vpc-sc.tf similarity index 100% rename from modules/project/vpc_sc.tf rename to modules/project/vpc-sc.tf diff --git a/modules/vpc-sc/access_levels.tf b/modules/vpc-sc/access-levels.tf similarity index 100% rename from modules/vpc-sc/access_levels.tf rename to modules/vpc-sc/access-levels.tf diff --git a/modules/vpc-sc/service_perimeters_bridge.tf b/modules/vpc-sc/service-perimeters-bridge.tf similarity index 100% rename from modules/vpc-sc/service_perimeters_bridge.tf rename to modules/vpc-sc/service-perimeters-bridge.tf diff --git a/modules/vpc-sc/service_perimeters_regular.tf b/modules/vpc-sc/service-perimeters-regular.tf similarity index 100% rename from modules/vpc-sc/service_perimeters_regular.tf rename to modules/vpc-sc/service-perimeters-regular.tf