qontract-reconcile 0.10.2.dev299__py3-none-any.whl → 0.10.2.dev430__py3-none-any.whl

reconcile/utils/terrascript_aws_client.py

@@ -1,4 +1,6 @@
 # ruff: noqa: N801
+from __future__ import annotations
+
 import base64
 import enum
 import json
@@ -9,7 +11,6 @@ import re
 import string
 import tempfile
 from collections import Counter
-from collections.abc import Iterable, Mapping, MutableMapping
 from dataclasses import dataclass, field
 from ipaddress import (
     ip_address,
@@ -18,7 +19,9 @@ from ipaddress import (
 from json import JSONDecodeError
 from threading import Lock
 from typing import (
+    TYPE_CHECKING,
     Any,
+    Self,
     cast,
 )
 
@@ -34,12 +37,14 @@ from terrascript import (
     Backend,
     Block,
     Data,
+    Locals,
     Module,
     Output,
     Provider,
     Resource,
     Terraform,
     Terrascript,
+    Variable,
     data,
     provider,
 )
@@ -143,12 +148,10 @@ import reconcile.utils.aws_helper as awsh
 from reconcile import queries
 from reconcile.cli import TERRAFORM_VERSION
 from reconcile.github_org import get_default_config
-from reconcile.gql_definitions.fragments.aws_vpc_request import (
-    VPCRequest,
-)
 from reconcile.gql_definitions.terraform_resources.terraform_resources_namespaces import (
     NamespaceTerraformResourceLifecycleV1,
 )
+from reconcile.typed_queries.aws_account_tags import get_aws_account_tags
 from reconcile.utils import gql
 from reconcile.utils.aws_api import (
     AmiTag,
@@ -168,10 +171,6 @@ from reconcile.utils.exceptions import (
     FetchResourceError,
     PrintToFileInGitRepositoryError,
 )
-from reconcile.utils.external_resource_spec import (
-    ExternalResourceSpec,
-    ExternalResourceSpecInventory,
-)
 from reconcile.utils.external_resources import (
     PROVIDER_AWS,
     get_external_resource_specs,
@@ -179,8 +178,11 @@ from reconcile.utils.external_resources import (
 from reconcile.utils.git import is_file_in_git_repo
 from reconcile.utils.gitlab_api import GitLabApi
 from reconcile.utils.jenkins_api import JenkinsApi
-from reconcile.utils.jinja2.utils import process_extracurlyjinja2_template
-from reconcile.utils.ocm import OCMMap
+from reconcile.utils.jinja2.utils import (
+    process_extracurlyjinja2_template,
+    process_jinja2_template,
+)
+from reconcile.utils.json import json_dumps
 from reconcile.utils.password_validator import (
     PasswordPolicy,
     PasswordValidator,
@@ -189,6 +191,25 @@ from reconcile.utils.secret_reader import SecretReader, SecretReaderBase
 from reconcile.utils.terraform import safe_resource_id
 from reconcile.utils.vcs import VCS
 
+if TYPE_CHECKING:
+    from collections.abc import Iterable, Mapping, MutableMapping
+
+    from reconcile.gql_definitions.fragments.aws_vpc_request import (
+        VPCRequest,
+    )
+    from reconcile.terraform_tgw_attachments import DesiredStateItem
+    from reconcile.terraform_users import Role
+    from reconcile.utils.external_resource_spec import (
+        ExternalResourceSpec,
+        ExternalResourceSpecInventory,
+    )
+    from reconcile.utils.ocm import OCMMap
+
+
+type TFResource = type[
+    Resource | Data | Module | Provider | Variable | Output | Locals | Terraform
+]
+
 GH_BASE_URL = os.environ.get("GITHUB_API", "https://api.github.com")
 ROSA_AUTH_LOGTOES_RELEASE = "repos/app-sre/logs-to-elasticsearch-lambda/releases/latest"
 ROSA_AUTH_KINESIS_TO_OS_RELEASE = (
@@ -250,6 +271,7 @@ VARIABLE_KEYS = [
     "extra_tags",
     "lifecycle",
     "max_session_duration",
+    "secret_format",
 ]
 
 EMAIL_REGEX = re.compile(r"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$")
@@ -265,15 +287,10 @@ SUPPORTED_ALB_LISTENER_RULE_CONDITION_TYPE_MAPPING = {
     "host-header": "host_header",
     "http-request-method": "http_request_method",
     "path-pattern": "path_pattern",
+    "query-string": "query_string",
     "source-ip": "source_ip",
 }
 
-DEFAULT_TAGS = {
-    "tags": {
-        "app": "app-sre-infra",
-    },
-}
-
 AWS_ELB_ACCOUNT_IDS = {
     "us-east-1": "127311923021",
     "us-east-2": "033677994240",
@@ -304,9 +321,12 @@ AWS_US_GOV_ELB_ACCOUNT_IDS = {
     "us-gov-east-1": "190560391635",
 }
 
+VPC_REQUEST_DEFAULT_PRIVATE_SUBNET_TAGS = {"kubernetes.io/role/internal-elb": "1"}
+VPC_REQUEST_DEFAULT_PUBLIC_SUBNET_TAGS = {"kubernetes.io/role/elb": "1"}
+
 
 class OutputResourceNameNotUniqueError(Exception):
-    def __init__(self, namespace, duplicates):
+    def __init__(self, namespace: str | None, duplicates: Iterable[str]) -> None:
         self.namespace, self.duplicates = namespace, duplicates
         super().__init__(
             str.format(
@@ -326,7 +346,7 @@ class StateInaccessibleError(Exception):
 
 
 class UnknownProviderError(Exception):
-    def __init__(self, msg):
+    def __init__(self, msg: str) -> None:
         super().__init__("unknown provider error: " + str(msg))
 
 
@@ -453,9 +473,10 @@ class TerrascriptClient:
         integration: str,
         integration_prefix: str,
         thread_pool_size: int,
-        accounts: Iterable[dict[str, Any]],
+        accounts: Iterable[MutableMapping[str, Any]],
+        default_tags: Mapping[str, str] | None,
         settings: Mapping[str, Any] | None = None,
-        prefetch_resources_by_schemas: list[str] | None = None,
+        prefetch_resources_by_schemas: Iterable[str] | None = None,
         secret_reader: SecretReaderBase | None = None,
     ) -> None:
         self.integration = integration
@@ -467,6 +488,7 @@ class TerrascriptClient:
         else:
             self.secret_reader = SecretReader(settings=settings)
         self.configs: dict[str, dict] = {}
+        self.default_tags = default_tags or {"app": "app-sre-infra"}
         self.populate_configs(filtered_accounts)
         self.versions: dict[str, str] = {
             a["name"]: a["providerVersion"] for a in filtered_accounts
@@ -487,7 +509,7 @@ class TerrascriptClient:
                         region=region,
                         alias=region,
                         skip_region_validation=True,
-                        default_tags=DEFAULT_TAGS,
+                        default_tags={"tags": config["tags"]},
                     )
 
             # Add default region, which will be in resourcesDefaultRegion
@@ -496,7 +518,7 @@ class TerrascriptClient:
                 secret_key=config["aws_secret_access_key"],
                 region=config["resourcesDefaultRegion"],
                 skip_region_validation=True,
-                default_tags=DEFAULT_TAGS,
+                default_tags={"tags": config["tags"]},
             )
 
             ts += Terraform(
@@ -541,10 +563,10 @@ class TerrascriptClient:
         self.accounts = {a["name"]: a for a in filtered_accounts}
         self.uids = {a["name"]: a["uid"] for a in filtered_accounts}
         # default_regions info is needed in populate_tf_resource_rds, even in disabled accounts
-        self.default_regions = {
+        self.default_regions: dict[str, str] = {
             a["name"]: a["resourcesDefaultRegion"] for a in accounts
         }
-        self.partitions = {
+        self.partitions: dict[str, str] = {
             a["name"]: a.get("partition") or "aws" for a in filtered_accounts
         }
         self.rosa_auth_logtoes_zip = ""
@@ -566,19 +588,19 @@ class TerrascriptClient:
             for schema in prefetch_resources_by_schemas:
                 self._resource_cache.update(self.prefetch_resources(schema))
 
-    def __enter__(self):
+    def __enter__(self) -> Self:
         return self
 
-    def __exit__(self, *exc):
+    def __exit__(self, *exc: Any) -> None:
         self.cleanup()
 
-    def cleanup(self):
+    def cleanup(self) -> None:
         if self.gitlab is not None:
             self.gitlab.cleanup()
 
     @staticmethod
     def state_bucket_for_account(
-        integration: str, account_name: str, config: dict[str, Any]
+        integration: str, account_name: str, config: Mapping[str, Any]
     ) -> Backend:
         # creds
         access_key_backend_value = config["aws_access_key_id"]
@@ -643,7 +665,7 @@ class TerrascriptClient:
                 f.write(r.content)
         return zip_file
 
-    def get_logtoes_zip(self, release_url):
+    def get_logtoes_zip(self, release_url: str) -> str:
         if not self.rosa_auth_logtoes_zip:
             with self.rosa_auth_logtoes_zip_lock:
                 # this may have already happened, so we check again
@@ -656,7 +678,7 @@ class TerrascriptClient:
             return self.rosa_auth_logtoes_zip
         return self.download_logtoes_zip(release_url)
 
-    def download_logtoes_zip(self, release_url):
+    def download_logtoes_zip(self, release_url: str) -> str:
         headers = {"Authorization": "token " + self.token}
         r = requests.get(GH_BASE_URL + "/" + release_url, headers=headers, timeout=60)
         r.raise_for_status()
@@ -670,7 +692,7 @@ class TerrascriptClient:
                 f.write(r.content)
         return zip_file
 
-    def get_rosa_auth_pre_signup_zip(self, release_url):
+    def get_rosa_auth_pre_signup_zip(self, release_url: str) -> str:
         if not self.rosa_auth_pre_signup_zip:
             with self.rosa_auth_pre_signup_zip_lock:
                 # this may have already happened, so we check again
@@ -685,7 +707,7 @@ class TerrascriptClient:
             return self.rosa_auth_pre_signup_zip
         return self.download_rosa_auth_pre_signup_zip(release_url)
 
-    def download_rosa_auth_pre_signup_zip(self, release_url):
+    def download_rosa_auth_pre_signup_zip(self, release_url: str) -> str:
         headers = {"Authorization": "token " + self.token}
         r = requests.get(GH_BASE_URL + "/" + release_url, headers=headers, timeout=60)
         r.raise_for_status()
@@ -699,7 +721,7 @@ class TerrascriptClient:
                 f.write(r.content)
         return zip_file
 
-    def get_rosa_auth_pre_token_zip(self, release_url):
+    def get_rosa_auth_pre_token_zip(self, release_url: str) -> str:
         if not self.rosa_auth_pre_token_zip:
             with self.rosa_auth_pre_token_zip_lock:
                 # this may have already happened, so we check again
@@ -714,7 +736,7 @@ class TerrascriptClient:
             return self.rosa_auth_pre_token_zip
         return self.download_rosa_auth_pre_token_zip(release_url)
 
-    def download_rosa_auth_pre_token_zip(self, release_url):
+    def download_rosa_auth_pre_token_zip(self, release_url: str) -> str:
         headers = {"Authorization": "token " + self.token}
         r = requests.get(GH_BASE_URL + "/" + release_url, headers=headers, timeout=60)
         r.raise_for_status()
@@ -744,7 +766,7 @@ class TerrascriptClient:
                     self.gitlab = GitLabApi(instance, secret_reader=self.secret_reader)
         return self.gitlab
 
-    def init_jenkins(self, instance: dict) -> JenkinsApi:
+    def init_jenkins(self, instance: Mapping[str, Any]) -> JenkinsApi:
         instance_name = instance["name"]
         if not self.jenkins_map.get(instance_name):
             with self.jenkins_lock:
@@ -758,8 +780,8 @@ class TerrascriptClient:
         return self.jenkins_map[instance_name]
 
     def filter_disabled_accounts(
-        self, accounts: Iterable[dict[str, Any]]
-    ) -> list[dict[str, Any]]:
+        self, accounts: Iterable[MutableMapping[str, Any]]
+    ) -> list[MutableMapping[str, Any]]:
         filtered_accounts = []
         for account in accounts:
             integration = self.integration.replace("_", "-")
@@ -767,7 +789,7 @@ class TerrascriptClient:
                 filtered_accounts.append(account)
         return filtered_accounts
 
-    def populate_configs(self, accounts: Iterable[awsh.Account]):
+    def populate_configs(self, accounts: Iterable[awsh.Account]) -> None:
         results = threaded.run(
             awsh.get_tf_secrets,
             accounts,
@@ -779,16 +801,19 @@ class TerrascriptClient:
             config["supportedDeploymentRegions"] = account["supportedDeploymentRegions"]
             config["resourcesDefaultRegion"] = account["resourcesDefaultRegion"]
             config["terraformState"] = account["terraformState"]
+            config["tags"] = dict(self.default_tags) | get_aws_account_tags(
+                account.get("organization", None)
+            )
             self.configs[account_name] = config
 
-    def _get_partition(self, account):
+    def _get_partition(self, account: str) -> str:
         return self.partitions.get(account) or "aws"
 
     @staticmethod
-    def get_tf_iam_group(group_name):
+    def get_tf_iam_group(group_name: str) -> aws_iam_group:
         return aws_iam_group(group_name, name=group_name)
 
-    def get_tf_iam_user(self, user_name):
+    def get_tf_iam_user(self, user_name: str) -> aws_iam_user:
         return aws_iam_user(
             user_name,
             name=user_name,
@@ -796,8 +821,8 @@ class TerrascriptClient:
             tags={"managed_by_integration": self.integration},
         )
 
-    def populate_iam_groups(self, roles):
-        groups = {}
+    def populate_iam_groups(self, roles: Iterable[Role]) -> dict[str, dict[str, str]]:
+        groups: dict[str, dict[str, str]] = {}
         for role in roles:
             users = role["users"]
             if len(users) == 0:
@@ -840,7 +865,7 @@ class TerrascriptClient:
         return groups
 
     @staticmethod
-    def _get_aws_username(user):
+    def _get_aws_username(user: Mapping[str, str]) -> str:
         return user.get("aws_username") or user["org_username"]
 
     @staticmethod
@@ -865,10 +890,10 @@ class TerrascriptClient:
 
     def populate_iam_users(
         self,
-        roles,
-        skip_reencrypt_accounts: list[str],
+        roles: Iterable[Role],
+        skip_reencrypt_accounts: Iterable[str],
         appsre_pgp_key: str | None,
-    ):
+    ) -> bool:
         error = False
         for role in roles:
             users = role["users"]
@@ -997,10 +1022,10 @@ class TerrascriptClient:
 
     def populate_users(
         self,
-        roles,
-        skip_reencrypt_accounts: list[str],
+        roles: Iterable[Role],
+        skip_reencrypt_accounts: Iterable[str],
         appsre_pgp_key: str | None = None,
-    ):
+    ) -> bool:
         self.populate_iam_groups(roles)
         err = self.populate_iam_users(
             roles,
@@ -1019,7 +1044,7 @@ class TerrascriptClient:
 
     @staticmethod
     def get_resource_lifecycle(
-        common_values: dict[str, Any],
+        common_values: Mapping[str, Any],
     ) -> dict[str, Any] | None:
         if lifecycle := common_values.get("lifecycle"):
             lifecycle = NamespaceTerraformResourceLifecycleV1(**lifecycle)
@@ -1033,10 +1058,14 @@ class TerrascriptClient:
             ignore_changes = (
                 "all" if "all" in lifecycle.ignore_changes else lifecycle.ignore_changes
             )
-            return lifecycle.dict(by_alias=True) | {"ignore_changes": ignore_changes}
+            return lifecycle.model_dump(by_alias=True) | {
+                "ignore_changes": ignore_changes
+            }
         return None
 
-    def populate_additional_providers(self, infra_account_name: str, accounts):
+    def populate_additional_providers(
+        self, infra_account_name: str, accounts: Iterable[Mapping[str, Any]]
+    ) -> None:
         for account in accounts:
             account_name = account["name"]
             assume_role = account.get("assume_role")
@@ -1046,28 +1075,18 @@ class TerrascriptClient:
             config = self.configs[account_name]
             existing_provider_aliases = {p.get("alias") for p in ts["provider"]["aws"]}
             if alias not in existing_provider_aliases:
-                if assume_role:
-                    ts += provider.aws(
-                        access_key=config["aws_access_key_id"],
-                        secret_key=config["aws_secret_access_key"],
-                        region=region,
-                        alias=alias,
-                        assume_role={"role_arn": assume_role},
-                        skip_region_validation=True,
-                        default_tags=DEFAULT_TAGS,
-                    )
-                else:
-                    ts += provider.aws(
-                        access_key=config["aws_access_key_id"],
-                        secret_key=config["aws_secret_access_key"],
-                        region=region,
-                        alias=alias,
-                        skip_region_validation=True,
-                        default_tags=DEFAULT_TAGS,
-                    )
+                ts += provider.aws(
+                    access_key=config["aws_access_key_id"],
+                    secret_key=config["aws_secret_access_key"],
+                    region=region,
+                    alias=alias,
+                    skip_region_validation=True,
+                    default_tags={"tags": config["tags"]},
+                    **{"assume_role": {"role_arn": assume_role}} if assume_role else {},
+                )
 
     def populate_route53(
-        self, desired_state: Iterable[dict[str, Any]], default_ttl: int = 300
+        self, desired_state: Iterable[Mapping[str, Any]], default_ttl: int = 300
     ) -> None:
         for zone in desired_state:
             acct_name = zone["account_name"]
@@ -1086,10 +1105,10 @@ class TerrascriptClient:
     def populate_route53_records(
         self,
         acct_name: str,
-        zone: dict[str, Any],
+        zone: Mapping[str, Any],
         zone_resource: aws_route53_zone,
         default_ttl: int = 300,
-    ):
+    ) -> None:
         counts = {}
         for record in zone.get("records") or []:
             record_fqdn = f"{record['name']}.{zone['name']}"
@@ -1166,7 +1185,7 @@ class TerrascriptClient:
             record_resource = aws_route53_record(record_id, **record_values)
             self.add_resource(acct_name, record_resource)
 
-    def populate_vpc_peerings(self, desired_state):
+    def populate_vpc_peerings(self, desired_state: Iterable[Mapping[str, Any]]) -> None:
         for item in desired_state:
             if item["deleted"]:
                 continue
@@ -1187,7 +1206,7 @@ class TerrascriptClient:
 
             # Requester's side of the connection - the cluster's account
             identifier = f"{requester['vpc_id']}-{accepter['vpc_id']}"
-            values = {
+            values: dict[str, Any] = {
                 # adding the alias to the provider will add this resource
                 # to the cluster's AWS account
                 "provider": "aws." + req_alias,
@@ -1308,25 +1327,32 @@ class TerrascriptClient:
                 "version": vpc_module_version,
                 "name": request.identifier,
                 "cidr": request.cidr_block.network_address,
-                "private_subnet_tags": {"kubernetes.io/role/internal-elb": "1"},
-                "public_subnet_tags": {"kubernetes.io/role/elb": "1"},
                 "create_database_subnet_group": False,
                 "enable_dns_hostnames": True,
+                "vpc_tags": request.vpc_tags or {},
                 "tags": {
                     "managed_by_integration": self.integration,
                 },
             }
 
-            if request.subnets and request.subnets.public:
-                vpc_module_values["public_subnets"] = request.subnets.public
-            if request.subnets and request.subnets.private:
-                vpc_module_values["private_subnets"] = request.subnets.private
-            if request.subnets and request.subnets.availability_zones:
-                vpc_module_values["azs"] = request.subnets.availability_zones
-
-            # We only want to enable nat_gateway if we have public and private subnets
-            if request.subnets and request.subnets.public and request.subnets.private:
-                vpc_module_values["enable_nat_gateway"] = True
+            if request.subnets:
+                if request.subnets.public:
+                    vpc_module_values["public_subnets"] = request.subnets.public
+                    vpc_module_values["public_subnet_tags"] = (
+                        VPC_REQUEST_DEFAULT_PUBLIC_SUBNET_TAGS
+                        | (request.subnets.public_subnet_tags or {})
+                    )
+                if request.subnets.private:
+                    vpc_module_values["private_subnets"] = request.subnets.private
+                    vpc_module_values["private_subnet_tags"] = (
+                        VPC_REQUEST_DEFAULT_PRIVATE_SUBNET_TAGS
+                        | (request.subnets.private_subnet_tags or {})
+                    )
+                if request.subnets.availability_zones:
+                    vpc_module_values["azs"] = request.subnets.availability_zones
+                # We only want to enable nat_gateway if we have public and private subnets
+                if request.subnets.public and request.subnets.private:
+                    vpc_module_values["enable_nat_gateway"] = True
 
             aws_account = request.account.name
             vpc_module = Module(request.identifier, **vpc_module_values)
@@ -1367,21 +1393,24 @@ class TerrascriptClient:
             )
             self.add_resource(aws_account, vpc_cidr_block_output)
 
-            if request.subnets and request.subnets.private:
-                private_subnets_output = Output(
-                    f"{request.identifier}-private_subnets",
-                    value=f"${{module.{request.identifier}.private_subnets}}",
-                )
-                self.add_resource(aws_account, private_subnets_output)
+            if request.subnets:
+                if request.subnets.private:
+                    private_subnets_output = Output(
+                        f"{request.identifier}-private_subnets",
+                        value=f"${{module.{request.identifier}.private_subnets}}",
+                    )
+                    self.add_resource(aws_account, private_subnets_output)
 
-            if request.subnets and request.subnets.public:
-                public_subnets_output = Output(
-                    f"{request.identifier}-public_subnets",
-                    value=f"${{module.{request.identifier}.public_subnets}}",
-                )
-                self.add_resource(aws_account, public_subnets_output)
+                if request.subnets.public:
+                    public_subnets_output = Output(
+                        f"{request.identifier}-public_subnets",
+                        value=f"${{module.{request.identifier}.public_subnets}}",
+                    )
+                    self.add_resource(aws_account, public_subnets_output)
 
-    def populate_tgw_attachments(self, desired_state):
+    def populate_tgw_attachments(
+        self, desired_state: Iterable[DesiredStateItem]
+    ) -> None:
         for item in desired_state:
             if item.deleted:
                 continue
@@ -1397,37 +1426,39 @@ class TerrascriptClient:
             req_account_name = req_account.name
             # Accepter's side of the connection - the cluster's account
             acc_account = accepter.account
-            acc_alias = self.get_provider_alias(acc_account.dict(by_alias=True))
+            acc_alias = self.get_provider_alias(acc_account.model_dump(by_alias=True))
             acc_uid = acc_account.uid
             if acc_account.assume_role:
                 acc_uid = awsh.get_account_uid_from_arn(acc_account.assume_role)
 
             tags = {"managed_by_integration": self.integration, "Name": connection_name}
             # add resource share
-            values = {
+            values_share: dict[str, Any] = {
                 "name": connection_name,
                 "allow_external_principals": True,
                 "tags": tags,
             }
             if self._multiregion_account(req_account_name):
-                values["provider"] = "aws." + requester.region
-            tf_resource_share = aws_ram_resource_share(connection_name, **values)
+                values_share["provider"] = "aws." + requester.region
+            tf_resource_share = aws_ram_resource_share(connection_name, **values_share)
             self.add_resource(infra_account_name, tf_resource_share)
 
             # share with accepter aws account
-            values = {
+            values_resource_principal_association: dict[str, str] = {
                 "principal": acc_uid,
                 "resource_share_arn": "${" + tf_resource_share.arn + "}",
             }
             if self._multiregion_account(req_account_name):
-                values["provider"] = "aws." + requester.region
-            tf_resource_association = aws_ram_principal_association(
-                connection_name, **values
+                values_resource_principal_association["provider"] = (
+                    "aws." + requester.region
+                )
+            tf_resource_principal_association = aws_ram_principal_association(
+                connection_name, **values_resource_principal_association
             )
-            self.add_resource(infra_account_name, tf_resource_association)
+            self.add_resource(infra_account_name, tf_resource_principal_association)
 
             # accept resource share from accepter aws account
-            values = {
+            values_share_resource_accepter: dict[str, Any] = {
                 "provider": "aws." + acc_alias,
                 "share_arn": "${" + tf_resource_share.arn + "}",
                 "depends_on": [
@@ -1436,7 +1467,7 @@ class TerrascriptClient:
                 ],
             }
             tf_resource_share_accepter = aws_ram_resource_share_accepter(
-                connection_name, **values
+                connection_name, **values_share_resource_accepter
             )
             self.add_resource(infra_account_name, tf_resource_share_accepter)
 
@@ -1446,20 +1477,23 @@ class TerrascriptClient:
 
             # tgw share association
             identifier = f"{requester.tgw_id}-{accepter.vpc_id}"
-            values = {
+            values_resource_association: dict[str, str] = {
                 "resource_arn": requester.tgw_arn,
                 "resource_share_arn": "${" + tf_resource_share.arn + "}",
             }
             if self._multiregion_account(req_account_name):
-                values["provider"] = "aws." + requester.region
-            tf_resource_association = aws_ram_resource_association(identifier, **values)
+                values_resource_association["provider"] = "aws." + requester.region
+            tf_resource_association = aws_ram_resource_association(
+                identifier, **values_resource_association
+            )
             self.add_resource(infra_account_name, tf_resource_association)
 
             # now that the tgw is shared to the cluster's aws account
             # we can create a vpc attachment to the tgw
             subnets_id_az = accepter.subnets_id_az
+            assert subnets_id_az is not None  # make mypy happy
             subnets = self.get_az_unique_subnet_ids(subnets_id_az)
-            values = {
+            values_resource_attachment: dict[str, Any] = {
                 "provider": "aws." + acc_alias,
                 "subnet_ids": subnets,
                 "transit_gateway_id": requester.tgw_id,
@@ -1471,20 +1505,22 @@ class TerrascriptClient:
                 "tags": tags,
             }
             tf_resource_attachment = aws_ec2_transit_gateway_vpc_attachment(
-                identifier, **values
+                identifier, **values_resource_attachment
             )
             # we send the attachment from the cluster's aws account
             self.add_resource(infra_account_name, tf_resource_attachment)
 
             # and accept the attachment in the non cluster's aws account
-            values = {
+            values_attachment_accepter = {
                 "transit_gateway_attachment_id": "${" + tf_resource_attachment.id + "}",
                 "tags": tags,
             }
             if self._multiregion_account(req_account_name):
-                values["provider"] = "aws." + requester.region
+                values_attachment_accepter["provider"] = "aws." + requester.region
             tf_resource_attachment_accepter = (
-                aws_ec2_transit_gateway_vpc_attachment_accepter(identifier, **values)
+                aws_ec2_transit_gateway_vpc_attachment_accepter(
+                    identifier, **values_attachment_accepter
+                )
             )
             self.add_resource(infra_account_name, tf_resource_attachment_accepter)
 
@@ -1530,16 +1566,16 @@ class TerrascriptClient:
                             + f"unsupported region: {route_region}"
                         )
                         continue
-                    values = {
+                    values_gateway_router = {
                         "destination_cidr_block": route["cidr_block"],
                         "transit_gateway_attachment_id": route["tgw_attachment_id"],
                         "transit_gateway_route_table_id": route["tgw_route_table_id"],
                     }
                     if self._multiregion_account(req_account_name):
-                        values["provider"] = "aws." + route_region
+                        values_gateway_router["provider"] = "aws." + route_region
                     route_identifier = f"{identifier}-{route['tgw_id']}"
                     tf_resource = aws_ec2_transit_gateway_route(
-                        route_identifier, **values
+                        route_identifier, **values_gateway_router
                     )
                     self.add_resource(infra_account_name, tf_resource)
 
@@ -1569,7 +1605,7 @@ class TerrascriptClient:
                             + f"unsupported region: {rule_region}"
                         )
                         continue
-                    values = {
+                    values_rule = {
                         "type": "ingress",
                         "from_port": 0,
                         "to_port": 0,
@@ -1578,31 +1614,37 @@ class TerrascriptClient:
                         "security_group_id": rule["security_group_id"],
                     }
                     if self._multiregion_account(req_account_name):
-                        values["provider"] = "aws." + rule_region
+                        values_rule["provider"] = "aws." + rule_region
                     rule_identifier = f"{identifier}-{rule['vpc_id']}"
-                    tf_resource = aws_security_group_rule(rule_identifier, **values)
+                    tf_resource = aws_security_group_rule(
+                        rule_identifier, **values_rule
+                    )
                     self.add_resource(infra_account_name, tf_resource)
 
             for zone in requester.hostedzones or []:
                 id = f"{identifier}-{zone}"
-                values = {
+                values_authorization = {
                     "vpc_id": accepter.vpc_id,
                     "vpc_region": accepter.region,
                     "zone_id": zone,
                 }
-                authorization = aws_route53_vpc_association_authorization(id, **values)
+                authorization = aws_route53_vpc_association_authorization(
+                    id, **values_authorization
+                )
                 self.add_resource(infra_account_name, authorization)
-                values = {
+                values_association = {
                     "provider": "aws." + acc_alias,
                     "vpc_id": f"${{aws_route53_vpc_association_authorization.{id}.vpc_id}}",
                     "vpc_region": accepter.region,
                     "zone_id": f"${{aws_route53_vpc_association_authorization.{id}.zone_id}}",
                 }
-                association = aws_route53_zone_association(id, **values)
+                association = aws_route53_zone_association(id, **values_association)
                 self.add_resource(infra_account_name, association)
 
     @staticmethod
-    def get_az_unique_subnet_ids(subnets_id_az):
+    def get_az_unique_subnet_ids(
+        subnets_id_az: Iterable[Mapping[str, str]],
+    ) -> list[str]:
         """returns a list of subnet ids which are unique per az"""
         results = []
         azs = []
@@ -1710,7 +1752,9 @@ class TerrascriptClient:
 
                 self.resource_spec_inventory[spec.id_object()] = spec
 
-    def populate_tf_resources(self, spec, ocm_map=None):
+    def populate_tf_resources(
+        self, spec: ExternalResourceSpec, ocm_map: OCMMap | None = None
+    ) -> None:
         if spec.provision_provider != PROVIDER_AWS:
             raise UnknownProviderError(spec.provision_provider)
 
@@ -1769,13 +1813,13 @@ class TerrascriptClient:
         else:
             raise UnknownProviderError(provider)
 
-    def populate_tf_resource_rds(self, spec):
+    def populate_tf_resource_rds(self, spec: ExternalResourceSpec) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         values = self.init_values(spec)
         output_prefix = spec.output_prefix
 
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         self.init_common_outputs(tf_resources, spec)
 
         # we want to allow an empty name, so we
@@ -1804,7 +1848,9 @@ class TerrascriptClient:
             # To get the provider we should use, we get the region
             # and use that as an alias in the provider definition
             if az:
-                provider = "aws." + self._region_from_availability_zone(az)
+                region_az = self._region_from_availability_zone(az)
+                assert region_az  # make mypy happy
+                provider = "aws." + region_az
                 values["provider"] = provider
             if region:
                 provider_region = f"aws.{region}"
@@ -1844,7 +1890,7 @@ class TerrascriptClient:
         # 'deps' should contain a list of terraform resource names
         # (not full objects) that must be created
         # before the actual RDS instance should be created
-        deps = []
+        deps: list[str] = []
 
         parameter_group = values.pop("parameter_group", None)
         if parameter_group:
@@ -1897,7 +1943,7 @@ class TerrascriptClient:
             em_identifier = f"{identifier}-enhanced-monitoring"
             em_values = {
                 "name": em_identifier,
-                "assume_role_policy": json.dumps(assume_role_policy, sort_keys=True),
+                "assume_role_policy": json_dumps(assume_role_policy),
             }
             role_tf_resource = aws_iam_role(em_identifier, **em_values)
             tf_resources.append(role_tf_resource)
@@ -1905,14 +1951,14 @@ class TerrascriptClient:
             role_res_name = self.get_dependencies([role_tf_resource])[0]
             deps.append(role_res_name)
 
-            em_values = {
+            em_values_attachment: dict[str, Any] = {
                 "role": role_tf_resource.name,
                 "policy_arn": f"arn:{self._get_partition(account)}:iam::aws:policy/service-role/"
                 + "AmazonRDSEnhancedMonitoringRole",
                 "depends_on": self.get_dependencies([role_tf_resource]),
             }
             attachment_tf_resource = aws_iam_role_policy_attachment(
-                em_identifier, **em_values
+                em_identifier, **em_values_attachment
             )
             tf_resources.append(attachment_tf_resource)
 
@@ -1930,9 +1976,8 @@ class TerrascriptClient:
             if reset_password:
                 password = self.generate_random_password()
             else:
-                password = spec.get_secret_field("db.password")
-                if not password:
-                    password = self.generate_random_password()
+                db_password = spec.get_secret_field("db.password")
+                password = db_password or self.generate_random_password()
         else:
             password = ""
         values["password"] = password
@@ -2024,7 +2069,7 @@ class TerrascriptClient:
         # to a provider version with this bug fix.
         # https://github.com/hashicorp/terraform-provider-aws/pull/20926
         if enhanced_monitoring and replica_source:
-            sleep_vals = {}
+            sleep_vals: dict[str, Any] = {}
             sleep_vals["depends_on"] = [attachment_res_name]
             sleep_vals["create_duration"] = "30s"
 
@@ -2117,7 +2162,7 @@ class TerrascriptClient:
 
         self.add_resources(account, tf_resources)
 
-    def _multiregion_account(self, name):
+    def _multiregion_account(self, name: str) -> bool:
         if name not in self.configs:
             return False
 
@@ -2134,11 +2179,11 @@ class TerrascriptClient:
                 return spec
         return None
 
-    def _get_db_name_from_values(self, values: dict) -> str:
+    def _get_db_name_from_values(self, values: Mapping[str, Any]) -> str:
         return values.get("name") or values.get("db_name") or ""
 
     @staticmethod
-    def _region_from_availability_zone(az):
+    def _region_from_availability_zone(az: str) -> str | None:
         # Find the region by removing the last character from the
         # availability zone. Availability zone is defined like
         # us-east-1a, us-east-1b, etc.  If there is no availability
@@ -2148,39 +2193,75 @@ class TerrascriptClient:
         return None
 
     @staticmethod
-    def _db_needs_auth(config):
-        return bool(
-            "replicate_source_db" not in config
-            and config.get("replica_source", None) is None
+    def _db_needs_auth(config: Mapping[str, Any]) -> bool:
+        return (
+            "replicate_source_db" not in config and config.get("replica_source") is None
         )
 
     @staticmethod
-    def validate_db_name(name):
+    def validate_db_name(name: str) -> bool:
         """Handle for Error creating DB Instance:
         InvalidParameterValue: DBName must begin with a letter
         and contain only alphanumeric characters."""
         pattern = r"^[a-zA-Z][a-zA-Z0-9_]+$"
-        return re.search(pattern, name) and len(name) < 64
+        return len(name) < 64 and re.search(pattern, name) is not None
 
     @staticmethod
-    def generate_random_password(string_length=20):
+    def generate_random_password(string_length: int = 20) -> str:
         """Generate a random string of letters and digits"""
         letters_and_digits = string.ascii_letters + string.digits
         return "".join(random.choice(letters_and_digits) for i in range(string_length))
 
-    def populate_tf_resource_s3(self, spec):
+    @staticmethod
+    def _build_tf_resource_s3_lifecycle_rules(
+        versioning: bool,
+        common_values: Mapping[str, Any],
+    ) -> list[dict]:
+        lifecycle_rules = common_values.get("lifecycle_rules") or []
+        if versioning and not any(
+            "noncurrent_version_expiration" in lr for lr in lifecycle_rules
+        ):
+            # Add a default noncurrent object expiration rule
+            # if one isn't already set
+            rule = {
+                "id": "expire_noncurrent_versions",
+                "enabled": True,
+                "noncurrent_version_expiration": {"days": 30},
+                "expiration": {"expired_object_delete_marker": True},
+                "abort_incomplete_multipart_upload_days": 3,
+            }
+            lifecycle_rules.append(rule)
+
+        if storage_class := common_values.get("storage_class"):
+            sc = storage_class.upper()
+            days = "1"
+            if sc.endswith("_IA"):
+                # Infrequent Access storage class has minimum 30 days
+                # before transition
+                days = "30"
+            rule = {
+                "id": sc + "_storage_class",
+                "enabled": True,
+                "transition": {"days": days, "storage_class": sc},
+                "noncurrent_version_transition": {"days": days, "storage_class": sc},
+            }
+            lifecycle_rules.append(rule)
+
+        return lifecycle_rules
+
+    def populate_tf_resource_s3(self, spec: ExternalResourceSpec) -> aws_s3_bucket:
         account = spec.provisioner_name
         identifier = spec.identifier
         common_values = self.init_values(spec)
         output_prefix = spec.output_prefix
 
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         self.init_common_outputs(tf_resources, spec)
 
         # s3 bucket
         # Terraform resource reference:
         # https://www.terraform.io/docs/providers/aws/r/s3_bucket.html
-        values = {}
+        values: dict[str, Any] = {}
         values["bucket"] = identifier
         versioning = common_values.get("versioning", True)
         values["versioning"] = {"enabled": versioning}
@@ -2207,47 +2288,11 @@ class TerrascriptClient:
         request_payer = common_values.get("request_payer")
         if request_payer:
             values["request_payer"] = request_payer
-        lifecycle_rules = common_values.get("lifecycle_rules")
-        if lifecycle_rules:
-            # common_values['lifecycle_rules'] is a list of lifecycle_rules
+        if lifecycle_rules := self._build_tf_resource_s3_lifecycle_rules(
+            versioning=versioning,
+            common_values=common_values,
+        ):
             values["lifecycle_rule"] = lifecycle_rules
-        if versioning:
-            lrs = values.get("lifecycle_rule", [])
-            expiration_rule = False
-            for lr in lrs:
-                if "noncurrent_version_expiration" in lr:
-                    expiration_rule = True
-                    break
-            if not expiration_rule:
-                # Add a default noncurrent object expiration rule if
-                # if one isn't already set
-                rule = {
-                    "id": "expire_noncurrent_versions",
-                    "enabled": "true",
-                    "noncurrent_version_expiration": {"days": 30},
-                }
-                if len(lrs) > 0:
-                    lrs.append(rule)
-                else:
-                    lrs = rule
-        sc = common_values.get("storage_class")
-        if sc:
-            sc = sc.upper()
-            days = "1"
-            if sc.endswith("_IA"):
-                # Infrequent Access storage class has minimum 30 days
-                # before transition
-                days = "30"
-            rule = {
-                "id": sc + "_storage_class",
-                "enabled": "true",
-                "transition": {"days": days, "storage_class": sc},
-                "noncurrent_version_transition": {"days": days, "storage_class": sc},
-            }
-            if values.get("lifecycle_rule"):
-                values["lifecycle_rule"].append(rule)
-            else:
-                values["lifecycle_rule"] = rule
         cors_rules = common_values.get("cors_rules")
         if cors_rules:
             # common_values['cors_rules'] is a list of cors_rules
@@ -2297,7 +2342,7 @@ class TerrascriptClient:
                         }
                     ],
                 }
-                rc_values["assume_role_policy"] = json.dumps(role, sort_keys=True)
+                rc_values["assume_role_policy"] = json_dumps(role)
                 role_resource = aws_iam_role(id, **rc_values)
                 tf_resources.append(role_resource)
 
@@ -2307,7 +2352,7 @@ class TerrascriptClient:
 
                 rc_values.clear()
                 rc_values["name"] = config["rule_name"] + "_iam_policy"
-                policy = {
+                policy: dict[str, Any] = {
                     "Version": "2012-10-17",
                     "Statement": [
                         {
@@ -2335,7 +2380,7 @@ class TerrascriptClient:
                         },
                     ],
                 }
-                rc_values["policy"] = json.dumps(policy, sort_keys=True)
+                rc_values["policy"] = json_dumps(policy)
                 policy_resource = aws_iam_policy(id, **rc_values)
                 tf_resources.append(policy_resource)
 
@@ -2374,6 +2419,7 @@ class TerrascriptClient:
         if len(deps) > 0:
             values["depends_on"] = self.get_dependencies(deps)
         region = common_values.get("region") or self.default_regions.get(account)
+        assert region  # make mypy happy
         if self._multiregion_account(account):
             values["provider"] = "aws." + region
         bucket_tf_resource = aws_s3_bucket(identifier, **values)
@@ -2508,10 +2554,12 @@ class TerrascriptClient:
         # https://www.terraform.io/docs/providers/aws/r/iam_access_key.html
 
         # iam user for bucket
-        values = {}
-        values["name"] = identifier
-        values["tags"] = common_values["tags"]
-        values["depends_on"] = self.get_dependencies([bucket_tf_resource])
+        values = {
+            "name": identifier,
+            "tags": common_values["tags"],
+            "depends_on": self.get_dependencies([bucket_tf_resource]),
+        }
+
         user_tf_resource = aws_iam_user(identifier, **values)
         tf_resources.append(user_tf_resource)
 
@@ -2521,8 +2569,7 @@ class TerrascriptClient:
         )
 
         # iam user policy for bucket
-        values = {}
-        values["name"] = identifier
+        values = {"name": identifier}
 
         action = ["s3:*Object*"]
         if common_values.get("acl", "private") == "public-read":
@@ -2548,7 +2595,7 @@ class TerrascriptClient:
                 },
             ],
         }
-        values["policy"] = json.dumps(policy, sort_keys=True)
+        values["policy"] = json_dumps(policy)
         values["depends_on"] = self.get_dependencies([user_tf_resource])
 
         tf_aws_iam_policy = aws_iam_policy(identifier, **values)
@@ -2566,7 +2613,7 @@ class TerrascriptClient:
 
         return bucket_tf_resource
 
-    def populate_tf_resource_elasticache(self, spec):
+    def populate_tf_resource_elasticache(self, spec: ExternalResourceSpec) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         values = self.init_values(spec)
@@ -2574,7 +2621,7 @@ class TerrascriptClient:
         values.setdefault("replication_group_id", values["identifier"])
         values.pop("identifier", None)
 
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         self.init_common_outputs(tf_resources, spec)
 
         default_region = self.default_regions.get(account)
@@ -2654,19 +2701,23 @@ class TerrascriptClient:
 
         self.add_resources(account, tf_resources)
 
-    def populate_tf_resource_service_account(self, spec, ocm_map=None):
+    def populate_tf_resource_service_account(
+        self, spec: ExternalResourceSpec, ocm_map: OCMMap | None = None
+    ) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         common_values = self.init_values(spec)
         output_prefix = spec.output_prefix
 
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         self.init_common_outputs(tf_resources, spec)
 
         # iam user for bucket
-        values = {}
-        values["name"] = identifier
-        values["tags"] = common_values["tags"]
+        values = {
+            "name": identifier,
+            "tags": common_values["tags"],
+        }
+
         user_tf_resource = aws_iam_user(identifier, **values)
         tf_resources.append(user_tf_resource)
 
@@ -2750,13 +2801,15 @@ class TerrascriptClient:
 
         self.add_resources(account, tf_resources)
 
-    def populate_tf_resource_secrets_manager_sa(self, spec):
+    def populate_tf_resource_secrets_manager_sa(
+        self, spec: ExternalResourceSpec
+    ) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         common_values = self.init_values(spec)
         output_prefix = spec.output_prefix
 
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         self.init_common_outputs(tf_resources, spec)
 
         secrets_prefix = common_values["secrets_prefix"]
@@ -2780,7 +2833,7 @@ class TerrascriptClient:
 
         tf_resources.extend(
             self.get_tf_iam_service_user(
-                [], identifier, policy, common_values["tags"], output_prefix
+                None, identifier, policy, common_values["tags"], output_prefix
             )
         )
 
@@ -2790,20 +2843,20 @@ class TerrascriptClient:
 
         self.add_resources(account, tf_resources)
 
-    def populate_tf_resource_role(self, spec):
+    def populate_tf_resource_role(self, spec: ExternalResourceSpec) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         common_values = self.init_values(spec)
         output_prefix = spec.output_prefix
 
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         self.init_common_outputs(tf_resources, spec)
 
         assume_role = common_values["assume_role"]
         assume_role = {k: v for k, v in assume_role.items() if v is not None}
         assume_action = common_values.get("assume_action") or "AssumeRole"
         # assume role policy
-        assume_role_policy = {
+        assume_role_policy: dict[str, Any] = {
             "Version": "2012-10-17",
             "Statement": [
                 {
@@ -2818,10 +2871,10 @@ class TerrascriptClient:
             assume_role_policy["Statement"][0]["Condition"] = assume_condition
 
         # iam role
-        values = {
+        values: dict[str, Any] = {
             "name": identifier,
             "tags": common_values["tags"],
-            "assume_role_policy": json.dumps(assume_role_policy),
+            "assume_role_policy": json_dumps(assume_role_policy),
         }
 
         inline_policy = common_values.get("inline_policy")
@@ -2871,9 +2924,11 @@ class TerrascriptClient:
 
         self.add_resources(account, tf_resources)
 
-    def populate_iam_policy(self, account: str, name: str, policy: dict[str, Any]):
+    def populate_iam_policy(
+        self, account: str, name: str, policy: Mapping[str, Any]
+    ) -> None:
         tf_aws_iam_policy = aws_iam_policy(
-            f"{account}-{name}", name=name, policy=json.dumps(policy)
+            f"{account}-{name}", name=name, policy=json_dumps(policy)
         )
         self.add_resource(account, tf_aws_iam_policy)
 
@@ -2882,8 +2937,8 @@ class TerrascriptClient:
         account: str,
         name: str,
         saml_provider_name: str,
-        aws_managed_policies: list[str],
-        customer_managed_policies: list[str] | None = None,
+        aws_managed_policies: Iterable[str],
+        customer_managed_policies: Iterable[str] | None = None,
         max_session_duration_hours: int = 1,
     ) -> None:
         """Manage the an IAM role needed for SAML authentication."""
@@ -2915,23 +2970,25 @@ class TerrascriptClient:
         role_tf_resource = aws_iam_role(
             f"{account}-{name}",
             name=name,
-            assume_role_policy=json.dumps(assume_role_policy),
+            assume_role_policy=json_dumps(assume_role_policy),
             managed_policy_arns=managed_policy_arns,
             max_session_duration=max_session_duration_hours * 3600,
         )
         self.add_resource(account, role_tf_resource)
 
-    def populate_tf_resource_sqs(self, spec):
+    def populate_tf_resource_sqs(self, spec: ExternalResourceSpec) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         common_values = self.init_values(spec)
         output_prefix = spec.output_prefix
         uid = self.uids.get(account)
 
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         self.init_common_outputs(tf_resources, spec)
         region = common_values.get("region") or self.default_regions.get(account)
+        assert region  # make mypy happy
         specs = common_values.get("specs")
+        assert specs is not None  # make mypy happy
         all_queues_per_spec = []
         kms_keys = set()
         for _spec in specs:
@@ -2957,7 +3014,7 @@ class TerrascriptClient:
                 all_queues.append(queue_name)
                 sqs_policy = values.pop("sqs_policy", None)
                 if sqs_policy is not None:
-                    values["policy"] = json.dumps(sqs_policy, sort_keys=True)
+                    values["policy"] = json_dumps(sqs_policy)
                 dl_queue = values.pop("dl_queue", None)
                 if dl_queue is not None:
                     max_receive_count = int(values.pop("max_receive_count", 10))
@@ -2971,9 +3028,7 @@ class TerrascriptClient:
                         "deadLetterTargetArn": "${" + dl_data.arn + "}",
                         "maxReceiveCount": max_receive_count,
                     }
-                    values["redrive_policy"] = json.dumps(
-                        redrive_policy, sort_keys=True
-                    )
+                    values["redrive_policy"] = json_dumps(redrive_policy)
                 kms_master_key_id = values.pop("kms_master_key_id", None)
                 if kms_master_key_id is not None:
                     if kms_master_key_id.startswith("arn:"):
@@ -3005,9 +3060,11 @@ class TerrascriptClient:
         # https://www.terraform.io/docs/providers/aws/r/iam_access_key.html
 
         # iam user for queue
-        values = {}
-        values["name"] = identifier
-        values["tags"] = common_values["tags"]
+        values = {
+            "name": identifier,
+            "tags": common_values["tags"],
+        }
+
         user_tf_resource = aws_iam_user(identifier, **values)
         tf_resources.append(user_tf_resource)
 
@@ -3021,9 +3078,9 @@ class TerrascriptClient:
             policy_identifier = f"{identifier}-{policy_index}"
             if len(all_queues_per_spec) == 1:
                 policy_identifier = identifier
-            values = {}
-            values["name"] = policy_identifier
-            policy = {
+            values = {"name": policy_identifier}
+
+            policy: dict[str, Any] = {
                 "Version": "2012-10-17",
                 "Statement": [
                     {
@@ -3044,32 +3101,34 @@ class TerrascriptClient:
                     "Resource": list(kms_keys),
                 }
                 policy["Statement"].append(kms_statement)
-            values["policy"] = json.dumps(policy, sort_keys=True)
+            values["policy"] = json_dumps(policy)
             policy_tf_resource = aws_iam_policy(policy_identifier, **values)
             tf_resources.append(policy_tf_resource)
 
             # iam user policy attachment
-            values = {}
-            values["user"] = identifier
-            values["policy_arn"] = "${" + policy_tf_resource.arn + "}"
-            values["depends_on"] = self.get_dependencies([
-                user_tf_resource,
-                policy_tf_resource,
-            ])
+            values = {
+                "user": identifier,
+                "policy_arn": "${" + policy_tf_resource.arn + "}",
+                "depends_on": self.get_dependencies([
+                    user_tf_resource,
+                    policy_tf_resource,
+                ]),
+            }
+
             tf_resource = aws_iam_user_policy_attachment(policy_identifier, **values)
             tf_resources.append(tf_resource)
 
         self.add_resources(account, tf_resources)
 
-    def populate_tf_resource_sns(self, spec):
+    def populate_tf_resource_sns(self, spec: ExternalResourceSpec) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         common_values = self.init_values(spec)
         output_prefix = spec.output_prefix
         policy = common_values.get("inline_policy")
         region = common_values.get("region") or self.default_regions.get(account)
-
-        values = {}
+        assert region  # make mypy happy
+        values: dict[str, Any] = {}
         fifo_topic = common_values.get("fifo_topic", False)
         topic_name = identifier + ".fifo" if fifo_topic else identifier
 
@@ -3077,16 +3136,18 @@ class TerrascriptClient:
         values["policy"] = policy
         values["fifo_topic"] = fifo_topic
 
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         self.init_common_outputs(tf_resources, spec)
         tf_resource = aws_sns_topic(identifier, **values)
         tf_resources.append(tf_resource)
 
         if "subscriptions" in common_values:
-            subscriptions = common_values.get("subscriptions")
+            subscriptions = common_values["subscriptions"]
             for index, sub in enumerate(subscriptions):
-                sub_values = {}
-                sub_values["topic_arn"] = "${aws_sns_topic" + "." + identifier + ".arn}"
+                sub_values = {
+                    "topic_arn": "${aws_sns_topic" + "." + identifier + ".arn}"
+                }
+
                 protocol = sub["protocol"]
                 endpoint = sub["endpoint"]
                 if protocol == "email" and not EMAIL_REGEX.match(endpoint):
@@ -3111,17 +3172,19 @@ class TerrascriptClient:
         tf_resources.append(Output(output_name, value=output_value))
         self.add_resources(account, tf_resources)
 
-    def populate_tf_resource_dynamodb(self, spec):
+    def populate_tf_resource_dynamodb(self, spec: ExternalResourceSpec) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         common_values = self.init_values(spec)
         output_prefix = spec.output_prefix
         uid = self.uids.get(account)
 
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         self.init_common_outputs(tf_resources, spec)
         region = common_values.get("region") or self.default_regions.get(account)
+        assert region  # make mypy happy
         specs = common_values.get("specs")
+        assert specs is not None  # make mypy happy
         all_tables = []
         for _spec in specs:
             defaults = self.get_values(_spec["defaults"])
@@ -3135,9 +3198,11 @@ class TerrascriptClient:
                 # Terraform resource reference:
                 # https://www.terraform.io/docs/providers/aws/r/
                 # dynamodb_table.html
-                values = {}
-                values["name"] = table
-                values["tags"] = common_values["tags"]
+                values = {
+                    "name": table,
+                    "tags": common_values["tags"],
+                }
+
                 values.update(defaults)
                 values["attribute"] = attributes
                 if self._multiregion_account(account):
@@ -3158,9 +3223,11 @@ class TerrascriptClient:
         # https://www.terraform.io/docs/providers/aws/r/iam_access_key.html
 
         # iam user for table
-        values = {}
-        values["name"] = identifier
-        values["tags"] = common_values["tags"]
+        values = {
+            "name": identifier,
+            "tags": common_values["tags"],
+        }
+
         user_tf_resource = aws_iam_user(identifier, **values)
         tf_resources.append(user_tf_resource)
 
@@ -3184,7 +3251,7 @@ class TerrascriptClient:
                 }
             ],
         }
-        values["policy"] = json.dumps(policy, sort_keys=True)
+        values["policy"] = json_dumps(policy)
         values["depends_on"] = self.get_dependencies([user_tf_resource])
 
         tf_aws_iam_policy = aws_iam_policy(identifier, **values)
@@ -3200,23 +3267,24 @@ class TerrascriptClient:
 
         self.add_resources(account, tf_resources)
 
-    def populate_tf_resource_ecr(self, spec):
+    def populate_tf_resource_ecr(self, spec: ExternalResourceSpec) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         common_values = self.init_values(spec)
         output_prefix = spec.output_prefix
 
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         self.init_common_outputs(tf_resources, spec)
 
         # ecr repository
         # Terraform resource reference:
         # https://www.terraform.io/docs/providers/aws/r/ecr_repository.html
-        values = {}
+        values: dict[str, Any] = {}
         values["name"] = identifier
         values["tags"] = common_values["tags"]
 
         region = common_values.get("region") or self.default_regions.get(account)
+        assert region  # make mypy happy
         if self._multiregion_account(account):
             values["provider"] = "aws." + region
         ecr_tf_resource = aws_ecr_repository(identifier, **values)
@@ -3242,11 +3310,12 @@ class TerrascriptClient:
         # https://www.terraform.io/docs/providers/aws/r/iam_access_key.html
 
         # iam user for repository
-        values = {}
-        values["name"] = identifier
-        values["tags"] = common_values["tags"]
-        values["depends_on"] = self.get_dependencies([ecr_tf_resource])
-        user_tf_resource = aws_iam_user(identifier, **values)
+        values_iam_user: dict[str, Any] = {
+            "name": identifier,
+            "tags": common_values["tags"],
+            "depends_on": self.get_dependencies([ecr_tf_resource]),
+        }
+        user_tf_resource = aws_iam_user(identifier, **values_iam_user)
         tf_resources.append(user_tf_resource)
 
         # iam access key for user
@@ -3255,8 +3324,7 @@ class TerrascriptClient:
         )
 
         # iam user policy for bucket
-        values = {}
-        values["name"] = identifier
+        values_policy: dict[str, Any] = {"name": identifier}
         policy = {
             "Version": "2012-10-17",
             "Statement": [
@@ -3293,10 +3361,10 @@ class TerrascriptClient:
                 },
             ],
         }
-        values["policy"] = json.dumps(policy, sort_keys=True)
-        values["depends_on"] = self.get_dependencies([user_tf_resource])
+        values_policy["policy"] = json_dumps(policy)
+        values_policy["depends_on"] = self.get_dependencies([user_tf_resource])
 
-        tf_aws_iam_policy = aws_iam_policy(identifier, **values)
+        tf_aws_iam_policy = aws_iam_policy(identifier, **values_policy)
         tf_resources.append(tf_aws_iam_policy)
 
         tf_aws_iam_user_policy_attachment = aws_iam_user_policy_attachment(
@@ -3309,7 +3377,7 @@ class TerrascriptClient:
 
         self.add_resources(account, tf_resources)
 
-    def populate_tf_resource_s3_cloudfront(self, spec):
+    def populate_tf_resource_s3_cloudfront(self, spec: ExternalResourceSpec) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         common_values = self.init_values(spec)
@@ -3317,17 +3385,15 @@ class TerrascriptClient:
 
         bucket_tf_resource = self.populate_tf_resource_s3(spec)
 
-        tf_resources = []
+        tf_resources: list[TFResource] = []
 
         # cloudfront origin access identity
-        values = {}
-        values["comment"] = f"{identifier}-cf-identity"
+        values = {"comment": f"{identifier}-cf-identity"}
         cf_oai_tf_resource = aws_cloudfront_origin_access_identity(identifier, **values)
         tf_resources.append(cf_oai_tf_resource)
 
         # bucket policy for cloudfront
-        values = {}
-        values["bucket"] = identifier
+        values_policy: dict[str, Any] = {"bucket": identifier}
         policy = {
             "Version": "2012-10-17",
             "Statement": [
@@ -3345,26 +3411,27 @@ class TerrascriptClient:
                 }
             ],
         }
-        values["policy"] = json.dumps(policy, sort_keys=True)
-        values["depends_on"] = self.get_dependencies([bucket_tf_resource])
+        values_policy["policy"] = json_dumps(policy)
+        values_policy["depends_on"] = self.get_dependencies([bucket_tf_resource])
         region = common_values.get("region") or self.default_regions.get(account)
+        assert region  # make mypy happy
         if self._multiregion_account(account):
-            values["provider"] = "aws." + region
-        bucket_policy_tf_resource = aws_s3_bucket_policy(identifier, **values)
+            values_policy["provider"] = "aws." + region
+        bucket_policy_tf_resource = aws_s3_bucket_policy(identifier, **values_policy)
         tf_resources.append(bucket_policy_tf_resource)
 
-        values = common_values.get("distribution_config", {})
+        distribution_config = common_values.get("distribution_config", {})
         # aws_s3_bucket_acl
-        if "logging_config" in values:
+        if "logging_config" in distribution_config:
             # we could set this at a global level with a standard name like "cloudfront"
             # but we need all aws accounts upgraded to aws provider >3.60 first
             tf_resources.append(
                 aws_cloudfront_log_delivery_canonical_user_id(identifier)
             )
 
-            logging_config_bucket = values["logging_config"]
+            logging_config_bucket = distribution_config["logging_config"]
             acl_values = {}
-            access_control_policy = {
+            access_control_policy: dict[str, Any] = {
                 "owner": {
                     "id": "${data.aws_canonical_user_id.current.id}",
                 },
@@ -3388,7 +3455,7 @@ class TerrascriptClient:
             }
             external_account_id = logging_config_bucket.pop("external_account_id", None)
             if external_account_id:
-                external_account_policy = {
+                external_account_policy: dict[str, Any] = {
                     "grantee": {
                         "id": external_account_id,
                         "type": "CanonicalUser",
@@ -3403,13 +3470,15 @@ class TerrascriptClient:
             tf_resources.append(aws_s3_bucket_acl_resource)
 
         # cloud front distribution
-        values["tags"] = common_values["tags"]
-        values.setdefault("default_cache_behavior", {}).setdefault(
+        distribution_config["tags"] = common_values["tags"]
+        distribution_config.setdefault("default_cache_behavior", {}).setdefault(
             "target_origin_id", "default"
         )
         origin = {
             "domain_name": "${" + bucket_tf_resource.bucket_domain_name + "}",
-            "origin_id": values["default_cache_behavior"]["target_origin_id"],
+            "origin_id": distribution_config["default_cache_behavior"][
+                "target_origin_id"
+            ],
             "s3_origin_config": {
                 "origin_access_identity": "origin-access-identity/cloudfront/"
                 + "${"
@@ -3417,8 +3486,10 @@ class TerrascriptClient:
                 + "}"
             },
         }
-        values["origin"] = [origin]
-        cf_distribution_tf_resource = aws_cloudfront_distribution(identifier, **values)
+        distribution_config["origin"] = [origin]
+        cf_distribution_tf_resource = aws_cloudfront_distribution(
+            identifier, **distribution_config
+        )
         tf_resources.append(cf_distribution_tf_resource)
 
         # outputs
@@ -3443,7 +3514,7 @@ class TerrascriptClient:
 
         self.add_resources(account, tf_resources)
 
-    def populate_tf_resource_s3_sqs(self, spec):
+    def populate_tf_resource_s3_sqs(self, spec: ExternalResourceSpec) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         common_values = self.init_values(spec)
@@ -3453,12 +3524,13 @@ class TerrascriptClient:
         bucket_tf_resource = self.populate_tf_resource_s3(spec)
 
         region = common_values.get("region") or self.default_regions.get(account)
+        assert region  # make mypy happy
         provider = ""
         if self._multiregion_account(account):
             provider = "aws." + region
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         sqs_identifier = f"{identifier}-sqs"
-        sqs_values = {"name": sqs_identifier}
+        sqs_values: dict[str, Any] = {"name": sqs_identifier}
 
         sqs_values["visibility_timeout_seconds"] = int(
             common_values.get("visibility_timeout_seconds", 30)
@@ -3485,21 +3557,21 @@ class TerrascriptClient:
                 }
             ],
         }
-        sqs_values["policy"] = json.dumps(sqs_policy, sort_keys=True)
+        sqs_values["policy"] = json_dumps(sqs_policy)
 
         kms_encryption = common_values.get("kms_encryption", False)
         if kms_encryption:
             kms_identifier = f"{identifier}-kms"
             kms_values = {
-                "description": "app-interface created KMS key for" + sqs_identifier
+                "description": "app-interface created KMS key for" + sqs_identifier,
+                "key_usage": str(
+                    common_values.get("key_usage", "ENCRYPT_DECRYPT")
+                ).upper(),
+                "customer_master_key_spec": str(
+                    common_values.get("customer_master_key_spec", "SYMMETRIC_DEFAULT")
+                ).upper(),
+                "is_enabled": common_values.get("is_enabled", True),
             }
-            kms_values["key_usage"] = str(
-                common_values.get("key_usage", "ENCRYPT_DECRYPT")
-            ).upper()
-            kms_values["customer_master_key_spec"] = str(
-                common_values.get("customer_master_key_spec", "SYMMETRIC_DEFAULT")
-            ).upper()
-            kms_values["is_enabled"] = common_values.get("is_enabled", True)
 
             kms_policy = {
                 "Version": "2012-10-17",
@@ -3521,7 +3593,7 @@ class TerrascriptClient:
                     },
                 ],
             }
-            kms_values["policy"] = json.dumps(kms_policy, sort_keys=True)
+            kms_values["policy"] = json_dumps(kms_policy)
             if provider:
                 kms_values["provider"] = provider
 
@@ -3575,16 +3647,16 @@ class TerrascriptClient:
         # https://www.terraform.io/docs/providers/aws/r/iam_access_key.html
 
         # iam user for queue
-        values = {}
-        values["name"] = sqs_identifier
+        values: dict[str, Any] = {"name": sqs_identifier}
         user_tf_resource = aws_iam_user(sqs_identifier, **values)
         tf_resources.append(user_tf_resource)
 
         # iam access key for user
-        values = {}
-        values["user"] = sqs_identifier
-        values["depends_on"] = self.get_dependencies([user_tf_resource])
-        access_key_tf_resource = aws_iam_access_key(sqs_identifier, **values)
+        values_key: dict[str, Any] = {
+            "user": sqs_identifier,
+            "depends_on": self.get_dependencies([user_tf_resource]),
+        }
+        access_key_tf_resource = aws_iam_access_key(sqs_identifier, **values_key)
         tf_resources.append(access_key_tf_resource)
         # outputs
         # sqs_aws_access_key_id
@@ -3597,9 +3669,8 @@ class TerrascriptClient:
         tf_resources.append(Output(output_name, value=output_value, sensitive=True))
 
         # iam policy for queue
-        values = {}
-        values["name"] = sqs_identifier
-        policy = {
+        values_policy: dict[str, Any] = {"name": sqs_identifier}
+        policy: dict[str, Any] = {
             "Version": "2012-10-17",
             "Statement": [
                 {
@@ -3620,20 +3691,21 @@ class TerrascriptClient:
                 "Resource": [sqs_values["kms_master_key_id"]],
             }
             policy["Statement"].append(kms_statement)
-        values["policy"] = json.dumps(policy, sort_keys=True)
-        policy_tf_resource = aws_iam_policy(sqs_identifier, **values)
+        values_policy["policy"] = json_dumps(policy)
+        policy_tf_resource = aws_iam_policy(sqs_identifier, **values_policy)
         tf_resources.append(policy_tf_resource)
 
         # iam user policy attachment
-        values = {}
-        values["user"] = sqs_identifier
-        values["policy_arn"] = "${" + policy_tf_resource.arn + "}"
-        values["depends_on"] = self.get_dependencies([
-            user_tf_resource,
-            policy_tf_resource,
-        ])
+        values_user_policy: dict[str, Any] = {
+            "user": sqs_identifier,
+            "policy_arn": "${" + policy_tf_resource.arn + "}",
+            "depends_on": self.get_dependencies([
+                user_tf_resource,
+                policy_tf_resource,
+            ]),
+        }
         user_policy_attachment_tf_resource = aws_iam_user_policy_attachment(
-            sqs_identifier, **values
+            sqs_identifier, **values_user_policy
         )
         tf_resources.append(user_policy_attachment_tf_resource)
 
@@ -3644,13 +3716,13 @@ class TerrascriptClient:
 
         self.add_resources(account, tf_resources)
 
-    def populate_tf_resource_cloudwatch(self, spec):
+    def populate_tf_resource_cloudwatch(self, spec: ExternalResourceSpec) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         common_values = self.init_values(spec)
         output_prefix = spec.output_prefix
 
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         self.init_common_outputs(tf_resources, spec)
 
         # ecr repository
@@ -3666,6 +3738,7 @@ class TerrascriptClient:
         }
 
         region = common_values.get("region") or self.default_regions.get(account)
+        assert region  # make mypy happy
         provider = ""
         if self._multiregion_account(account):
             provider = "aws." + region
@@ -3689,7 +3762,7 @@ class TerrascriptClient:
             role_identifier = f"{identifier}-lambda-execution-role"
             role_values = {
                 "name": role_identifier,
-                "assume_role_policy": json.dumps(assume_role_policy, sort_keys=True),
+                "assume_role_policy": json_dumps(assume_role_policy),
             }
 
             role_tf_resource = aws_iam_role(role_identifier, **role_values)
@@ -3721,7 +3794,7 @@ class TerrascriptClient:
 
             policy_values = {
                 "role": "${" + role_tf_resource.id + "}",
-                "policy": json.dumps(policy, sort_keys=True),
+                "policy": json_dumps(policy),
             }
             policy_tf_resource = aws_iam_role_policy(policy_identifier, **policy_values)
             tf_resources.append(policy_tf_resource)
@@ -3741,29 +3814,26 @@ class TerrascriptClient:
                 "filename": zip_file,
                 "source_code_hash": '${filebase64sha256("' + zip_file + '")}',
                 "role": "${" + role_tf_resource.arn + "}",
-            }
-
-            lambda_values["function_name"] = lambda_identifier
-            lambda_values["runtime"] = common_values.get("runtime", "nodejs18.x")
-            lambda_values["timeout"] = common_values.get("timeout", 30)
-            lambda_values["handler"] = common_values.get("handler", "index.handler")
-            lambda_values["memory_size"] = common_values.get("memory_size", 128)
-
-            lambda_values["vpc_config"] = {
-                "subnet_ids": "${data.aws_elasticsearch_domain."
-                + es_identifier
-                + ".vpc_options.0.subnet_ids}",
-                "security_group_ids": "${data.aws_elasticsearch_domain."
-                + es_identifier
-                + ".vpc_options.0.security_group_ids}",
-            }
-
-            lambda_values["environment"] = {
-                "variables": {
-                    "es_endpoint": "${data.aws_elasticsearch_domain."
+                "function_name": lambda_identifier,
+                "runtime": common_values.get("runtime", "nodejs18.x"),
+                "timeout": common_values.get("timeout", 30),
+                "handler": common_values.get("handler", "index.handler"),
+                "memory_size": common_values.get("memory_size", 128),
+                "vpc_config": {
+                    "subnet_ids": "${data.aws_elasticsearch_domain."
                     + es_identifier
-                    + ".endpoint}"
-                }
+                    + ".vpc_options.0.subnet_ids}",
+                    "security_group_ids": "${data.aws_elasticsearch_domain."
+                    + es_identifier
+                    + ".vpc_options.0.security_group_ids}",
+                },
+                "environment": {
+                    "variables": {
+                        "es_endpoint": "${data.aws_elasticsearch_domain."
+                        + es_identifier
+                        + ".endpoint}"
+                    }
+                },
             }
 
             if provider:
@@ -3852,7 +3922,7 @@ class TerrascriptClient:
         }
         values = {
             "name": identifier,
-            "policy": json.dumps(policy, sort_keys=True),
+            "policy": json_dumps(policy),
             "depends_on": self.get_dependencies([user_tf_resource]),
         }
 
@@ -3869,13 +3939,13 @@ class TerrascriptClient:
 
         self.add_resources(account, tf_resources)
 
-    def populate_tf_resource_kms(self, spec):
+    def populate_tf_resource_kms(self, spec: ExternalResourceSpec) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         values = self.init_values(spec)
         output_prefix = spec.output_prefix
 
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         self.init_common_outputs(tf_resources, spec)
         values.pop("identifier", None)
 
@@ -3892,6 +3962,7 @@ class TerrascriptClient:
             if key in values:
                 values[key] = values[key].upper()
         region = values.pop("region", None) or self.default_regions.get(account)
+        assert region  # make mypy happy
         if self._multiregion_account(account):
             values["provider"] = "aws." + region
 
@@ -3903,9 +3974,10 @@ class TerrascriptClient:
         output_value = "${" + tf_resource.key_id + "}"
         tf_resources.append(Output(output_name, value=output_value))
 
-        alias_values = {}
-        alias_values["name"] = "alias/" + identifier
-        alias_values["target_key_id"] = "${aws_kms_key." + identifier + ".key_id}"
+        alias_values = {
+            "name": "alias/" + identifier,
+            "target_key_id": "${aws_kms_key." + identifier + ".key_id}",
+        }
         if self._multiregion_account(account):
             alias_values["provider"] = "aws." + region
         tf_resource = aws_kms_alias(identifier, **alias_values)
@@ -3913,28 +3985,30 @@ class TerrascriptClient:
 
         self.add_resources(account, tf_resources)
 
-    def populate_tf_resource_kinesis(self, spec):
+    def populate_tf_resource_kinesis(self, spec: ExternalResourceSpec) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         common_values = self.init_values(spec)
         output_prefix = spec.output_prefix
 
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         self.init_common_outputs(tf_resources, spec)
 
-        tags = common_values["tags"]
-        kinesis_values = {
+        tags: dict[str, str] = common_values["tags"]
+        kinesis_values: dict[str, Any] = {
             "name": identifier,
             "tags": tags,
+            "shard_count": common_values.get("shard_count"),
+            "retention_period": common_values.get("retention_period", 24),
+            "encryption_type": common_values.get("encryption_type", None),
         }
-        kinesis_values["shard_count"] = common_values.get("shard_count")
-        kinesis_values["retention_period"] = common_values.get("retention_period", 24)
-        kinesis_values["encryption_type"] = common_values.get("encryption_type", None)
+
         if kinesis_values["encryption_type"] == "KMS":
             kinesis_values["kms_key_id"] = common_values.get("kms_key_id")
 
         # get region and set provider if required
         region = common_values.get("region") or self.default_regions.get(account)
+        assert region  # make mypy happy
         provider = ""
         if self._multiregion_account(account):
             provider = "aws." + region
@@ -3969,7 +4043,7 @@ class TerrascriptClient:
             role_identifier = f"{identifier}-lambda-execution-role"
             role_values = {
                 "name": role_identifier,
-                "assume_role_policy": json.dumps(assume_role_policy, sort_keys=True),
+                "assume_role_policy": json_dumps(assume_role_policy),
                 "tags": tags,
             }
 
@@ -4006,7 +4080,7 @@ class TerrascriptClient:
             policy_tf_resource = aws_iam_policy(
                 policy_identifier,
                 name=policy_identifier,
-                policy=json.dumps(policy, sort_keys=True),
+                policy=json_dumps(policy),
                 tags=tags,
             )
             tf_resources.append(policy_tf_resource)
@@ -4054,34 +4128,31 @@ class TerrascriptClient:
                 "source_code_hash": '${filebase64sha256("' + zip_file + '")}',
                 "role": "${" + role_tf_resource.arn + "}",
                 "tags": tags,
-            }
-
-            lambda_values["function_name"] = lambda_identifier
-            lambda_values["runtime"] = common_values.get("runtime", "python3.9")
-            lambda_values["timeout"] = common_values.get("timeout", 30)
-            lambda_values["handler"] = common_values.get(
-                "handler", "lambda_function.handler"
-            )
-            lambda_values["memory_size"] = common_values.get("memory_size", 128)
-
-            lambda_values["vpc_config"] = {
-                "subnet_ids": "${data.aws_elasticsearch_domain."
-                + es_identifier
-                + ".vpc_options.0.subnet_ids}",
-                "security_group_ids": "${data.aws_elasticsearch_domain."
-                + es_identifier
-                + ".vpc_options.0.security_group_ids}",
-            }
-
-            index_prefix = common_values.get("index_prefix", f"{identifier}-")
-            lambda_values["environment"] = {
-                "variables": {
-                    "es_endpoint": "${data.aws_elasticsearch_domain."
+                "function_name": lambda_identifier,
+                "runtime": common_values.get("runtime", "python3.9"),
+                "timeout": common_values.get("timeout", 30),
+                "handler": common_values.get("handler", "lambda_function.handler"),
+                "memory_size": common_values.get("memory_size", 128),
+                "vpc_config": {
+                    "subnet_ids": "${data.aws_elasticsearch_domain."
                     + es_identifier
-                    + ".endpoint}",
-                    "index_prefix": index_prefix,
-                }
+                    + ".vpc_options.0.subnet_ids}",
+                    "security_group_ids": "${data.aws_elasticsearch_domain."
+                    + es_identifier
+                    + ".vpc_options.0.security_group_ids}",
+                },
+                "environment": {
+                    "variables": {
+                        "es_endpoint": "${data.aws_elasticsearch_domain."
+                        + es_identifier
+                        + ".endpoint}",
+                        "index_prefix": common_values.get(
+                            "index_prefix", f"{identifier}-"
+                        ),
+                    }
+                },
             }
+
             secret_name = es_resource.get_secret_field("secret_name")
             if secret_name:
                 lambda_values["environment"]["variables"]["secret_name"] = secret_name
@@ -4160,7 +4231,9 @@ class TerrascriptClient:
         self.add_resources(account, tf_resources)
 
     @staticmethod
-    def _get_retention_in_days(values, account, identifier):
+    def _get_retention_in_days(
+        values: Mapping[str, Any], account: str, identifier: str
+    ) -> int:
         default_retention_in_days = 14
         allowed_retention_in_days = [
             1,
@@ -4194,17 +4267,21 @@ class TerrascriptClient:
         return retention_in_days
 
     def get_tf_iam_service_user(
-        self, dep_tf_resource, identifier, policy, tags, output_prefix
-    ):
+        self,
+        dep_tf_resource: TFResource | None,
+        identifier: str,
+        policy: Mapping[str, Any],
+        tags: Mapping[str, str],
+        output_prefix: str,
+    ) -> list[TFResource]:
         # iam resources
         # Terraform resource reference:
         # https://www.terraform.io/docs/providers/aws/r/iam_access_key.html
-        tf_resources = []
+        tf_resources: list[TFResource] = []
 
         # iam user
-        values = {}
-        values["name"] = identifier
-        values["tags"] = tags
+        values: dict[str, Any] = {"name": identifier, "tags": tags}
+
         if dep_tf_resource:
             values["depends_on"] = self.get_dependencies([dep_tf_resource])
         user_tf_resource = aws_iam_user(identifier, **values)
@@ -4216,12 +4293,13 @@ class TerrascriptClient:
         )
 
         # iam user policy
-        values = {}
-        values["name"] = identifier
-        values["policy"] = json.dumps(policy, sort_keys=True)
-        values["depends_on"] = self.get_dependencies([user_tf_resource])
+        values_policy: dict[str, Any] = {
+            "name": identifier,
+            "policy": json_dumps(policy),
+            "depends_on": self.get_dependencies([user_tf_resource]),
+        }
 
-        tf_aws_iam_policy = aws_iam_policy(identifier, **values)
+        tf_aws_iam_policy = aws_iam_policy(identifier, **values_policy)
         tf_resources.append(tf_aws_iam_policy)
 
         tf_aws_iam_user_policy_attachment = aws_iam_user_policy_attachment(
@@ -4234,11 +4312,15 @@ class TerrascriptClient:
 
         return tf_resources
 
-    def get_tf_iam_access_key(self, user_tf_resource, identifier, output_prefix):
-        tf_resources = []
-        values = {}
-        values["user"] = identifier
-        values["depends_on"] = self.get_dependencies([user_tf_resource])
+    def get_tf_iam_access_key(
+        self, user_tf_resource: aws_iam_user, identifier: str, output_prefix: str
+    ) -> list[TFResource]:
+        tf_resources: list[TFResource] = []
+        values: dict[str, Any] = {
+            "user": identifier,
+            "depends_on": self.get_dependencies([user_tf_resource]),
+        }
+
         tf_resource = aws_iam_access_key(identifier, **values)
         tf_resources.append(tf_resource)
         # outputs
@@ -4253,11 +4335,11 @@ class TerrascriptClient:
 
         return tf_resources
 
-    def add_resources(self, account, tf_resources):
+    def add_resources(self, account: str, tf_resources: Iterable[TFResource]) -> None:
         for r in tf_resources:
             self.add_resource(account, r)
 
-    def add_resource(self, account, tf_resource):
+    def add_resource(self, account: str, tf_resource: TFResource) -> None:
         if account not in self.locks:
             logging.debug(
                 f"integration {self.integration} is disabled for account {account}. "
@@ -4267,7 +4349,7 @@ class TerrascriptClient:
         with self.locks[account]:
             self.tss[account].add(tf_resource)
 
-    def add_moved(self, account: str, moved: Moved):
+    def add_moved(self, account: str, moved: Moved) -> None:
         if account not in self.locks:
             logging.debug(
                 f"integration {self.integration} is disabled for account {account}. "
@@ -4331,12 +4413,11 @@ class TerrascriptClient:
 
         :return: key is AWS account name and value is terraform configuration
         """
-        return {
-            name: json.dumps(ts, indent=2, sort_keys=True)
-            for name, ts in self.tss.items()
-        }
+        return {name: json_dumps(ts, indent=2) for name, ts in self.tss.items()}
 
-    def init_values(self, spec: ExternalResourceSpec, init_tags: bool = True) -> dict:
+    def init_values(
+        self, spec: ExternalResourceSpec, init_tags: bool = True
+    ) -> dict[str, Any]:
         """
         Initialize the values of the terraform resource and merge the defaults and
         overrides.
@@ -4389,7 +4470,7 @@ class TerrascriptClient:
         return values
 
     @staticmethod
-    def aggregate_values(values):
+    def aggregate_values(values: dict[str, Any]) -> None:
         split_char = "."
         copy = values.copy()
         for k, v in copy.items():
@@ -4403,18 +4484,17 @@ class TerrascriptClient:
             values.pop(k, None)
 
     @staticmethod
-    def override_values(values, overrides):
+    def override_values(values: dict[str, Any], overrides: str | None) -> None:
         if overrides is None:
             return
         data = json.loads(overrides)
-        for k, v in data.items():
-            values[k] = v
+        values.update(data)
 
     def init_common_outputs(
         self,
-        tf_resources: list[Resource],
+        tf_resources: list[TFResource],
         spec: ExternalResourceSpec,
-    ):
+    ) -> None:
         output_format = "{}__{}_{}"
         # cluster
         output_name = output_format.format(
@@ -4445,15 +4525,15 @@ class TerrascriptClient:
             output_name = output_format.format(
                 spec.output_prefix, self.integration_prefix, "annotations"
             )
-            anno_json = json.dumps(spec.annotations()).encode("utf-8")
+            anno_json = json_dumps(spec.annotations()).encode("utf-8")
             output_value = base64.b64encode(anno_json).decode()
             tf_resources.append(Output(output_name, value=output_value))
 
-    def prefetch_resources(self, schema) -> dict[str, dict[str, str]]:
+    def prefetch_resources(self, schema: str) -> dict[str, dict[str, str]]:
         gqlapi = gql.get_api()
         return {r["path"]: r for r in gqlapi.get_resources_by_schema(schema)}
 
-    def get_raw_values(self, path) -> dict[str, str]:
+    def get_raw_values(self, path: str) -> dict[str, str]:
         if path in self._resource_cache:
             return self._resource_cache[path]
 
@@ -4482,7 +4562,7 @@ class TerrascriptClient:
         ]
 
     @staticmethod
-    def get_elasticsearch_service_role_tf_resource():
+    def get_elasticsearch_service_role_tf_resource() -> aws_iam_service_linked_role:
         """Service role for ElasticSearch."""
         service_role = {
             "aws_service_name": "es.amazonaws.com",
@@ -4490,7 +4570,7 @@ class TerrascriptClient:
         return aws_iam_service_linked_role("elasticsearch", **service_role)
 
     @staticmethod
-    def is_elasticsearch_domain_name_valid(name):
+    def is_elasticsearch_domain_name_valid(name: str) -> bool:
         """Handle for Error creating Elasticsearch:
         InvalidParameterValue: Elasticsearch domain name must start with a
         lowercase letter and must be between 3 and 28 characters. Valid
@@ -4498,7 +4578,7 @@ class TerrascriptClient:
         if len(name) < 3 or len(name) > 28:
             return False
         pattern = r"^[a-z][a-z0-9-]+$"
-        return re.search(pattern, name)
+        return re.search(pattern, name) is not None
 
     @staticmethod
     def elasticsearch_log_group_identifier(
@@ -4585,7 +4665,7 @@ class TerrascriptClient:
         }
         log_groups_policy_values = {
             "policy_name": "es-log-publishing-permissions",
-            "policy_document": json.dumps(log_groups_policy, sort_keys=True),
+            "policy_document": json_dumps(log_groups_policy),
         }
         resource_policy = aws_cloudwatch_log_resource_policy(
             "es_log_publishing_resource_policy",
@@ -4600,7 +4680,7 @@ class TerrascriptClient:
         resource: Mapping[str, Any],
         values: Mapping[str, Any],
         output_prefix: str,
-    ) -> tuple[list[dict[str, Any]], list[dict[str, object]]]:
+    ) -> tuple[list[TFResource], list[dict[str, object]]]:
         """
         Generate cloud_watch_log_group terraform_resources
         for the given resource. Further, generate
@@ -4608,7 +4688,7 @@ class TerrascriptClient:
         by the consumer.
         """
         es_log_group_retention_days = 90
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         publishing_options = []
 
         # res.get('', []) won't work, as publish_log_types is
@@ -4711,13 +4791,13 @@ class TerrascriptClient:
 
         return advanced_security_options
 
-    def populate_tf_resource_elasticsearch(self, spec):
+    def populate_tf_resource_elasticsearch(self, spec: ExternalResourceSpec) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         values = self.init_values(spec)
         output_prefix = spec.output_prefix
 
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         self.init_common_outputs(tf_resources, spec)
 
         if not self.is_elasticsearch_domain_name_valid(values["identifier"]):
@@ -4730,10 +4810,11 @@ class TerrascriptClient:
             )
 
         tags = values["tags"]
-        es_values = {}
-        es_values["domain_name"] = identifier
-        es_values["tags"] = tags
-        es_values["elasticsearch_version"] = values.get("elasticsearch_version")
+        es_values: dict[str, Any] = {
+            "domain_name": identifier,
+            "tags": tags,
+            "elasticsearch_version": values.get("elasticsearch_version"),
+        }
 
         (
             log_group_resources,
@@ -4916,9 +4997,10 @@ class TerrascriptClient:
                 }
             ],
         }
-        es_values["access_policies"] = json.dumps(access_policies, sort_keys=True)
+        es_values["access_policies"] = json_dumps(access_policies)
 
         region = values.get("region") or self.default_regions.get(account)
+        assert region  # make mypy happy
         provider = ""
         if self._multiregion_account(account):
             provider = "aws." + region
@@ -4971,7 +5053,7 @@ class TerrascriptClient:
 
                 version_values = {
                     "secret_id": "${" + aws_secret_resource.id + "}",
-                    "secret_string": json.dumps(master_user, sort_keys=True),
+                    "secret_string": json_dumps(master_user),
                 }
                 if provider:
                     version_values["provider"] = provider
@@ -4998,7 +5080,7 @@ class TerrascriptClient:
                 iam_policy_resource = aws_iam_policy(
                     secret_identifier,
                     name=f"{identifier}-secretsmanager-policy",
-                    policy=json.dumps(policy, sort_keys=True),
+                    policy=json_dumps(policy),
                     tags=tags,
                 )
                 tf_resources.append(iam_policy_resource)
@@ -5057,8 +5139,8 @@ class TerrascriptClient:
 
     # TODO: @fishi0x01 remove this function after migration APPSRE-3409
     def _build_es_advanced_security_options_deprecated(
-        self, advanced_security_options: MutableMapping[str, Any]
-    ) -> MutableMapping[str, Any]:
+        self, advanced_security_options: dict[str, Any]
+    ) -> dict[str, Any]:
         master_user_options = advanced_security_options.pop("master_user_options", {})
 
         if master_user_options:
@@ -5079,13 +5161,13 @@ class TerrascriptClient:
 
         return advanced_security_options
 
-    def populate_tf_resource_acm(self, spec):
+    def populate_tf_resource_acm(self, spec: ExternalResourceSpec) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         common_values = self.init_values(spec)
         output_prefix = spec.output_prefix
 
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         self.init_common_outputs(tf_resources, spec)
 
         values = {}
@@ -5124,6 +5206,7 @@ class TerrascriptClient:
                 values["subject_alternative_names"] = alt_names
 
         region = common_values.get("region") or self.default_regions.get(account)
+        assert region  # make mypy happy
         if self._multiregion_account(account):
             values["provider"] = "aws." + region
 
@@ -5165,13 +5248,15 @@ class TerrascriptClient:
 
         self.add_resources(account, tf_resources)
 
-    def populate_tf_resource_s3_cloudfront_public_key(self, spec):
+    def populate_tf_resource_s3_cloudfront_public_key(
+        self, spec: ExternalResourceSpec
+    ) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         common_values = self.init_values(spec)
         output_prefix = spec.output_prefix
 
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         self.init_common_outputs(tf_resources, spec)
 
         values = {"name": identifier, "comment": "managed by app-interface"}
@@ -5213,8 +5298,13 @@ class TerrascriptClient:
         self.add_resources(account, tf_resources)
 
     def _get_alb_target_ips_by_openshift_service(
-        self, identifier, openshift_service, account_name, namespace_info, ocm_map
-    ):
+        self,
+        identifier: str,
+        openshift_service: str,
+        account_name: str,
+        namespace_info: Mapping[str, Any],
+        ocm_map: OCMMap,
+    ) -> set[str]:
         account = self.accounts[account_name]
         cluster = namespace_info["cluster"]
         ocm = ocm_map.get(cluster["name"])
@@ -5240,17 +5330,24 @@ class TerrascriptClient:
         return ips
 
     @staticmethod
-    def _get_alb_rule_condition_value(condition):
+    def _get_alb_rule_condition_value(
+        condition: Mapping[str, Any],
+    ) -> dict[str, dict[str, str]]:
         condition_type = condition["type"]
         condition_type_key = SUPPORTED_ALB_LISTENER_RULE_CONDITION_TYPE_MAPPING.get(
             condition_type
         )
         if condition_type_key is None:
             raise KeyError(f"unknown alb rule condition type {condition_type}")
+
+        # Query string conditions use a different structure than other condition types
+        if condition_type == "query-string":
+            return {condition_type_key: condition[condition_type_key]}
+
         return {condition_type_key: {"values": condition[condition_type_key]}}
 
     @staticmethod
-    def _get_principal_for_s3_bucket_policy(region: str) -> Mapping[str, str]:
+    def _get_principal_for_s3_bucket_policy(region: str) -> dict[str, str]:
         if region in AWS_ELB_ACCOUNT_IDS:
             return {"AWS": f"arn:aws:iam::{AWS_ELB_ACCOUNT_IDS[region]}:root"}
         if region in AWS_US_GOV_ELB_ACCOUNT_IDS:
@@ -5259,16 +5356,18 @@ class TerrascriptClient:
             }
         return {"Service": "logdelivery.elasticloadbalancing.amazonaws.com"}
 
-    def populate_tf_resource_alb(self, spec, ocm_map=None):
+    def populate_tf_resource_alb(
+        self, spec: ExternalResourceSpec, ocm_map: OCMMap | None = None
+    ) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         common_values = self.init_values(spec)
         output_prefix = spec.output_prefix
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         namespace_info = spec.namespace
         self.init_common_outputs(tf_resources, spec)
 
-        default_region = self.default_regions.get(account)
+        default_region = self.default_regions[account]
         cluster_region = namespace_info["cluster"]["spec"]["region"]
 
         if self._multiregion_account(account):
@@ -5393,7 +5492,7 @@ class TerrascriptClient:
             lb_access_logs_s3_bucket_policy_values = {
                 "provider": provider,
                 "bucket": f"${{{lb_access_logs_s3_bucket_tf_resource.id}}}",
-                "policy": json.dumps(policy, sort_keys=True),
+                "policy": json_dumps(policy),
             }
             lb_access_logs_s3_bucket_policy_tf_resource = aws_s3_bucket_policy(
                 policy_identifier, **lb_access_logs_s3_bucket_policy_values
@@ -5421,6 +5520,10 @@ class TerrascriptClient:
             t_protocol_version = t.get("protocol_version") or "HTTP1"
 
             if t_openshift_service:
+                if ocm_map is None:
+                    raise ValueError(
+                        "ocm_map should be not none raising exception to make mypy happy"
+                    )
                 target_ips = self._get_alb_target_ips_by_openshift_service(
                     identifier, t_openshift_service, account, namespace_info, ocm_map
                 )
@@ -5593,7 +5696,7 @@ class TerrascriptClient:
         for rule_num, rule in enumerate(resource["rules"]):
             # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule#type
             action = rule["action"]
-            action_values = {}
+            action_values: dict[str, Any] = {}
             action_type = action.get("type")
             if action_type == "forward":
                 action_values = {
@@ -5679,18 +5782,19 @@ class TerrascriptClient:
 
         self.add_resources(account, tf_resources)
 
-    def populate_tf_resource_secrets_manager(self, spec):
+    def populate_tf_resource_secrets_manager(self, spec: ExternalResourceSpec) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         common_values = self.init_values(spec)
         output_prefix = spec.output_prefix
 
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         self.init_common_outputs(tf_resources, spec)
 
         values = {"name": identifier}
 
         region = common_values.get("region") or self.default_regions.get(account)
+        assert region  # make mypy happy
         if self._multiregion_account(account):
             values["provider"] = "aws." + region
 
@@ -5698,11 +5802,16 @@ class TerrascriptClient:
         tf_resources.append(aws_secret_resource)
 
         secret = common_values.get("secret")
+        assert secret  # make mypy happy
         secret_data = self.secret_reader.read_all(secret)
 
-        version_values = {
+        secret_format = common_values.get("secret_format")
+        if secret_format is not None:
+            secret_data = self._apply_secret_format(str(secret_format), secret_data)
+
+        version_values: dict[str, Any] = {
             "secret_id": "${" + aws_secret_resource.id + "}",
-            "secret_string": json.dumps(secret_data, sort_keys=True),
+            "secret_string": json_dumps(secret_data),
         }
 
         if self._multiregion_account(account):
@@ -5723,6 +5832,66 @@ class TerrascriptClient:
 
         self.add_resources(account, tf_resources)
 
+    @staticmethod
+    def _unflatten_dotted_keys_dict(flat_dict: dict[str, str]) -> dict[str, Any]:
+        """Convert a flat dictionary with dotted keys to a nested dictionary.
+
+        Example:
+            {"db.host": "localhost", "db.port": "5432"} ->
+            {"db": {"host": "localhost", "port": "5432"}}
+
+        Raises:
+            ValueError: If there are conflicting keys (e.g., "a.b" and "a.b.c")
+        """
+        result: dict[str, Any] = {}
+        for key, value in flat_dict.items():
+            parts = key.split(".")
+            current = result
+            for i, part in enumerate(parts[:-1]):
+                if part not in current:
+                    current[part] = {}
+                elif not isinstance(current[part], dict):
+                    # Conflict: trying to traverse through a non-dict value
+                    conflicting_path = ".".join(parts[: i + 1])
+                    raise ValueError(
+                        f"Conflicting keys detected: '{conflicting_path}' is both a "
+                        f"value and a nested path in key '{key}'"
+                    )
+                current = current[part]
+
+            # Check if we're trying to set a value where a dict already exists
+            if parts[-1] in current and isinstance(current[parts[-1]], dict):
+                raise ValueError(
+                    f"Conflicting keys detected: '{key}' conflicts with nested keys"
+                )
+
+            current[parts[-1]] = value
+
+        return result
+
+    @staticmethod
+    def _apply_secret_format(
+        secret_format: str, secret_data: dict[str, str]
+    ) -> dict[str, str]:
+        # Convert flat dict with dotted keys to nested dict for Jinja2
+        nested_secret_data = TerrascriptClient._unflatten_dotted_keys_dict(secret_data)
+        rendered_data = process_jinja2_template(secret_format, nested_secret_data)
+
+        parsed_data = json.loads(rendered_data)
+
+        if not isinstance(parsed_data, dict):
+            raise ValueError("secret_format must be a dictionary")
+
+        # validate secret is a dict[str, str]
+        for k, v in parsed_data.items():
+            if not isinstance(k, str):
+                raise ValueError(f"key '{k}' is not a string")
+
+            if not isinstance(v, str):
+                raise ValueError(f"dictionary value '{v}' under '{k}' is not a string")
+
+        return parsed_data
+
     def get_commit_sha(self, repo_info: Mapping) -> str:
         url = repo_info["url"]
         ref = repo_info["ref"]
@@ -5741,7 +5910,8 @@ class TerrascriptClient:
                 return commit.sha
             case "gitlab":
                 gitlab = self.init_gitlab()
-                project = gitlab.get_project(url)
+                if not (project := gitlab.get_project(url)):
+                    raise ValueError(f"could not find gitlab project for url {url}")
                 commits = project.commits.list(ref_name=ref, per_page=1, page=1)
                 return commits[0].id
             case _:
@@ -5781,7 +5951,7 @@ class TerrascriptClient:
                     return True
         return False
 
-    def populate_tf_resource_asg(self, spec) -> None:
+    def populate_tf_resource_asg(self, spec: ExternalResourceSpec) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         common_values = self.init_values(spec)
@@ -5868,7 +6038,7 @@ class TerrascriptClient:
         template_resource = aws_launch_template(identifier, **template_values)
         tf_resources.append(template_resource)
 
-        asg_value = {
+        asg_value: dict[str, Any] = {
             "name": identifier,
             "max_size": common_values.get("max_size"),
             "min_size": common_values.get("min_size"),
@@ -5924,12 +6094,12 @@ class TerrascriptClient:
 
         self.add_resources(account, tf_resources)
 
-    def populate_tf_resource_route53_zone(self, spec):
+    def populate_tf_resource_route53_zone(self, spec: ExternalResourceSpec) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         common_values = self.init_values(spec)
         output_prefix = spec.output_prefix
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         self.init_common_outputs(tf_resources, spec)
 
         # https://www.terraform.io/docs/providers/aws/r/route53_zone.html
@@ -5973,16 +6143,20 @@ class TerrascriptClient:
 
         self.add_resources(account, tf_resources)
 
-    def populate_tf_resource_rosa_authenticator(self, spec):
+    def populate_tf_resource_rosa_authenticator(
+        self, spec: ExternalResourceSpec
+    ) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         common_values = self.init_values(spec)
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         self.init_common_outputs(tf_resources, spec)
 
         # Prepare consts
         region = common_values.get("region") or self.default_regions.get(account)
+        assert region  # make mypy happy
         bucket_name = common_values.get("cognito_callback_bucket_name")
+        assert bucket_name  # make mypy happy
         bucket_url = f"https://{bucket_name}.s3.{region}.amazonaws.com"
         lambda_managed_policy_arn = (
             "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
@@ -5992,6 +6166,7 @@ class TerrascriptClient:
         vpc_id = common_values.get("vpc_id")
         subnet_ids = common_values.get("subnet_ids")
         network_interface_ids = common_values.get("network_interface_ids")
+        assert network_interface_ids is not None  # make mypy happy
         certificate_arn = common_values.get("certificate_arn")
         domain_name = common_values.get("domain_name")
         openshift_ingress_load_balancer_arn = common_values.get(
@@ -6017,7 +6192,7 @@ class TerrascriptClient:
         lambda_iam_role_resource = aws_iam_role(
             "lambda_role",
             name=f"ocm-{identifier}-cognito-lambda-role",
-            assume_role_policy=json.dumps(lambda_role_policy),
+            assume_role_policy=json_dumps(lambda_role_policy),
             managed_policy_arns=[lambda_managed_policy_arn],
             force_detach_policies=False,
             max_session_duration=3600,
@@ -6692,7 +6867,7 @@ class TerrascriptClient:
         )
         tf_resources.append(api_gateway_stage_resource)
 
-        rest_api_policy = json.dumps({
+        rest_api_policy = json_dumps({
             "Version": "2012-10-17",
             "Statement": [
                 {
@@ -6796,7 +6971,7 @@ class TerrascriptClient:
                 },
             ],
         }
-        cloudwatch_assume_role_policy = json.dumps(policy, sort_keys=True)
+        cloudwatch_assume_role_policy = json_dumps(policy)
 
         cloudwatch_iam_role_resource = aws_iam_role(
             "cloudwatch_assume_role",
@@ -6824,7 +6999,7 @@ class TerrascriptClient:
             ],
         }
 
-        cloudwatch_iam_policy_document = json.dumps(policy, sort_keys=True)
+        cloudwatch_iam_policy_document = json_dumps(policy)
 
         cloudwatch_iam_policy_resource = aws_iam_policy(
             "cloudwatch",
@@ -6868,15 +7043,18 @@ class TerrascriptClient:
 
         self.add_resources(account, tf_resources)
 
-    def populate_tf_resource_rosa_authenticator_vpce(self, spec):
+    def populate_tf_resource_rosa_authenticator_vpce(
+        self, spec: ExternalResourceSpec
+    ) -> None:
         account = spec.provisioner_name
         identifier = spec.identifier
         common_values = self.init_values(spec)
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         self.init_common_outputs(tf_resources, spec)
 
         vpc_id = common_values.get("vpc_id")
         subnet_ids = common_values.get("subnet_ids")
+        assert subnet_ids is not None  # make mypy happy
         vpce_security_group_rule_common_args = common_values.get(
             "vpce_security_group_rule_common_properties", None
         )
@@ -6935,11 +7113,11 @@ class TerrascriptClient:
 
         self.add_resources(account, tf_resources)
 
-    def populate_tf_resource_msk(self, spec):
+    def populate_tf_resource_msk(self, spec: ExternalResourceSpec) -> None:
         account = spec.provisioner_name
         values = self.init_values(spec)
         output_prefix = spec.output_prefix
-        tf_resources = []
+        tf_resources: list[TFResource] = []
         resource_id = spec.identifier
 
         del values["identifier"]
@@ -7066,7 +7244,7 @@ class TerrascriptClient:
 
                 version_values = {
                     "secret_id": "${" + secret_resource.arn + "}",
-                    "secret_string": json.dumps(secret, sort_keys=True),
+                    "secret_string": json_dumps(secret),
                 }
                 version_resource = aws_secretsmanager_secret_version(
                     secret_identifier, **version_values
@@ -7075,7 +7253,7 @@ class TerrascriptClient:
 
                 secret_policy_values = {
                     "secret_arn": "${" + secret_resource.arn + "}",
-                    "policy": json.dumps({
+                    "policy": json_dumps({
                         "Version": "2012-10-17",
                         "Statement": [
                             {