diff --git a/fast/extras/00-cicd-github/README.md b/fast/extras/00-cicd-github/README.md
index 52c322a3..acf249bc 100644
--- a/fast/extras/00-cicd-github/README.md
+++ b/fast/extras/00-cicd-github/README.md
@@ -34,7 +34,7 @@ The `repositories` variable is where you configure which repositories to create,
 
 This is an example that creates repositories for stages 00 and 01, defines an existing repositories as the source for modules, and populates initial files for stages 00, 01, and 02:
 
-```hcl
+```tfvars
 organization = "ludomagno"
 repositories = {
   fast_00_bootstrap = {
diff --git a/fast/stages/00-bootstrap/README.md b/fast/stages/00-bootstrap/README.md
index df70a43e..6e0e1b55 100644
--- a/fast/stages/00-bootstrap/README.md
+++ b/fast/stages/00-bootstrap/README.md
@@ -226,7 +226,7 @@ Alongisde the GCS stored files, you can also configure a second copy to be saves
 
 This second set of files is disabled by default, you can enable it by setting the `outputs_location` variable to a valid path on a local filesystem, e.g.
 
-```hcl
+```tfvars
 outputs_location = "~/fast-config"
 ```
 
@@ -297,10 +297,11 @@ variable "groups" {
   description = "Group names to grant organization-level permissions."
   type        = map(string)
   default = {
-    gcp-network-admins      = "net-rockstars"
+    gcp-network-admins = "net-rockstars"
     # [...]
   }
 }
+# tftest skip
 ```
 
 If your groups layout differs substantially from the checklist, define all relevant groups in the `groups` variable, then rearrange IAM roles in the code to match your setup.
@@ -359,7 +360,7 @@ Provider key names are used by the `cicd_repositories` variable to configure aut
 
 This is a sample configuration of a GitHub and a Gitlab provider, `attribute_condition` attribute can use any of the mapped attribute for the provider (refer to the `identity-providers.tf` file for the full list) or set to `null` if needed:
 
-```hcl
+```tfvars
 federated_identity_providers = {
   github-sample = {
     attribute_condition = "attribute.repository_owner==\"my-github-org\""
@@ -374,9 +375,9 @@ federated_identity_providers = {
   gitlab-ce-sample = {
     attribute_condition = "attribute.namespace_path==\"my-gitlab-org\""
     issuer              = "gitlab"
-    custom_settings     = {
-      issuer_uri          = "https://gitlab.fast.example.com"
-      allowed_audiences   = ["https://gitlab.fast.example.com"]
+    custom_settings = {
+      issuer_uri        = "https://gitlab.fast.example.com"
+      allowed_audiences = ["https://gitlab.fast.example.com"]
     }
   }
 }
@@ -390,7 +391,7 @@ The repository design we support is fairly simple, with a repository for modules
 
 This is an example of configuring the bootstrap and resource management repositories in this stage. CI/CD configuration is optional, so the entire variable or any of its attributes can be set to null if not needed.
 
-```hcl
+```tfvars
 cicd_repositories = {
   bootstrap = {
     branch            = null
diff --git a/fast/stages/01-resman/README.md b/fast/stages/01-resman/README.md
index 56772816..d3656352 100644
--- a/fast/stages/01-resman/README.md
+++ b/fast/stages/01-resman/README.md
@@ -109,7 +109,7 @@ This stage provides a single built-in customization that offers a minimal (but u
 
 Consider the following example in a `tfvars` file:
 
-```hcl
+```tfvars
 team_folders = {
   team-a = {
     descriptive_name = "Team A"
diff --git a/fast/stages/02-security/README.md b/fast/stages/02-security/README.md
index 026ef771..024ababb 100644
--- a/fast/stages/02-security/README.md
+++ b/fast/stages/02-security/README.md
@@ -114,7 +114,7 @@ To support these scenarios, key IAM bindings are configured by default to be add
 
 An example of how to configure keys:
 
-```hcl
+```tfvars
 # terraform.tfvars
 
 kms_defaults = {
@@ -128,14 +128,14 @@ kms_keys = {
         "user:user1@example.com"
       ]
     }
-    labels = { service = "compute" }
-    locations = null
+    labels          = { service = "compute" }
+    locations       = null
     rotation_period = null
   }
   storage = {
-    iam = null
-    labels = { service = "compute" }
-    locations = ["europe"]
+    iam             = null
+    labels          = { service = "compute" }
+    locations       = ["europe"]
     rotation_period = null
   }
 }
@@ -162,7 +162,7 @@ The VPC SC configuration is set up by default in dry-run mode to allow easy expe
 
 Access levels are defined via the `vpc_sc_access_levels` variable, and referenced by key in perimeter definitions:
 
-```hcl
+```tfvars
 vpc_sc_access_levels = {
   onprem = {
     conditions = [{
@@ -176,7 +176,7 @@ vpc_sc_access_levels = {
 
 Ingress and egress policy are defined via the `vpc_sc_egress_policies` and `vpc_sc_ingress_policies`, and referenced by key in perimeter definitions:
 
-```hcl
+```tfvars
 vpc_sc_egress_policies = {
   iac-gcs = {
     from = {
@@ -187,7 +187,7 @@ vpc_sc_egress_policies = {
     to = {
       operations = [{
         method_selectors = ["*"]
-        service_name = "storage.googleapis.com"
+        service_name     = "storage.googleapis.com"
       }]
       resources = ["projects/123456782"]
     }
@@ -217,7 +217,7 @@ Support for independently adding projects to perimeters outside of this Terrafor
 
 Access levels and egress/ingress policies are referenced in perimeters via keys.
 
-```hcl
+```tfvars
 vpc_sc_perimeters = {
   dev = {
     egress_policies  = ["iac-gcs"]
diff --git a/modules/__experimental/net-neg/README.md b/modules/__experimental/net-neg/README.md
index a4113f0c..cb271c50 100644
--- a/modules/__experimental/net-neg/README.md
+++ b/modules/__experimental/net-neg/README.md
@@ -7,11 +7,11 @@ Note: this module will integrated into a general-purpose load balancing module i
 ## Example
 ```hcl
 module "neg" {
-  source     = "./fabric/modules/net-neg"
+  source     = "./fabric/modules/__experimental/net-neg/"
   project_id = "myproject"
   name       = "myneg"
-  network    = module.vpc.self_link
-  subnetwork = module.vpc.subnet_self_links["europe-west1/default"]
+  network    = var.vpc.self_link
+  subnetwork = var.subnet.self_link
   zone       = "europe-west1-b"
   endpoints = [
     for instance in module.vm.instances :
@@ -22,6 +22,7 @@ module "neg" {
     }
   ]
 }
+# tftest skip
 ```
 <!-- BEGIN TFDOC -->
 
diff --git a/tests/examples/conftest.py b/tests/examples/conftest.py
index e3e55d88..16863e26 100644
--- a/tests/examples/conftest.py
+++ b/tests/examples/conftest.py
@@ -20,9 +20,6 @@ from pathlib import Path
 import marko
 
 FABRIC_ROOT = Path(__file__).parents[2]
-BLUEPRINTS_PATH = FABRIC_ROOT / 'blueprints/'
-MODULES_PATH = FABRIC_ROOT / 'modules/'
-SUBMODULES_PATH = MODULES_PATH / 'cloud-config-container'
 
 FILE_TEST_RE = re.compile(r'# tftest-file +id=(\w+) +path=([\S]+)')
 
@@ -33,17 +30,12 @@ File = collections.namedtuple('File', 'path content')
 def pytest_generate_tests(metafunc):
   """Find all README.md files and collect code examples tagged for testing."""
   if 'example' in metafunc.fixturenames:
-    modules = [x for x in MODULES_PATH.iterdir() if x.is_dir()]
-    modules.extend(x for x in SUBMODULES_PATH.iterdir() if x.is_dir())
-    modules.extend(x for x in BLUEPRINTS_PATH.glob('*/*') if x.is_dir())
-    modules.sort()
+    readmes = FABRIC_ROOT.glob('**/README.md')
     examples = []
     ids = []
 
-    for module in modules:
-      readme = module / 'README.md'
-      if not readme.exists():
-        continue
+    for readme in readmes:
+      module = readme.parent
       doc = marko.parse(readme.read_text())
       index = 0
       files = collections.defaultdict(dict)