diff --git a/blueprints/data-solutions/shielded-folder/README.md b/blueprints/data-solutions/shielded-folder/README.md index ed177d27..72a6b69f 100644 --- a/blueprints/data-solutions/shielded-folder/README.md +++ b/blueprints/data-solutions/shielded-folder/README.md 
@@ -159,18 +159,18 @@ terraform apply |---|---|:---:|:---:|:---:| | [access_policy_config](variables.tf#L17) | Provide 'access_policy_create' values if a folder scoped Access Policy creation is needed, uses existing 'policy_name' otherwise. Parent is in 'organizations/123456' format. Policy will be created scoped to the folder. | object({…}) | ✓ | | | [folder_config](variables.tf#L49) | Provide 'folder_create' values if folder creation is needed, uses existing 'folder_id' otherwise. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | ✓ | | -| [organization](variables.tf#L129) | Organization details. | object({…}) | ✓ | | -| [prefix](variables.tf#L137) | Prefix used for resources that need unique names. | string | ✓ | | -| [project_config](variables.tf#L142) | Provide 'billing_account_id' value if project creation is needed, uses existing 'project_ids' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | ✓ | | +| [organization](variables.tf#L148) | Organization details. | object({…}) | ✓ | | +| [prefix](variables.tf#L156) | Prefix used for resources that need unique names. | string | ✓ | | +| [project_config](variables.tf#L161) | Provide 'billing_account_id' value if project creation is needed, uses existing 'project_ids' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | ✓ | | | [data_dir](variables.tf#L29) | Relative path for the folder storing configuration data. | string | | "data" | | [enable_features](variables.tf#L35) | Flag to enable features on the solution. | object({…}) | | {…} | | [groups](variables.tf#L65) | User groups. | object({…}) | | {} | -| [kms_keys](variables.tf#L75) | KMS keys to create, keyed by name. | map(object({…})) | | {} | -| [log_locations](variables.tf#L87) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {…} | -| [log_sinks](variables.tf#L104) | Org-level log sinks, in name => {type, filter} format. 
| map(object({…})) | | {…} | -| [vpc_sc_access_levels](variables.tf#L162) | VPC SC access level definitions. | map(object({…})) | | {} | -| [vpc_sc_egress_policies](variables.tf#L191) | VPC SC egress policy definitions. | map(object({…})) | | {} | -| [vpc_sc_ingress_policies](variables.tf#L211) | VPC SC ingress policy definitions. | map(object({…})) | | {} | +| [kms_keys](variables.tf#L75) | KMS keys to create, keyed by name. | map(object({…})) | | {} | +| [log_locations](variables.tf#L111) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | +| [log_sinks](variables.tf#L123) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | +| [vpc_sc_access_levels](variables.tf#L181) | VPC SC access level definitions. | map(object({…})) | | {} | +| [vpc_sc_egress_policies](variables.tf#L210) | VPC SC egress policy definitions. | map(object({…})) | | {} | +| [vpc_sc_ingress_policies](variables.tf#L230) | VPC SC ingress policy definitions. | map(object({…})) | | {} | ## Outputs diff --git a/fast/stages/2-security/README.md b/fast/stages/2-security/README.md index e28aac7b..9d47bdaf 100644 --- a/fast/stages/2-security/README.md +++ b/fast/stages/2-security/README.md @@ -284,13 +284,12 @@ Some references that might be useful in setting up this stage: - ## Files | name | description | modules | resources | |---|---|---|---| -| [core-dev.tf](./core-dev.tf) | None | kms · project | google_project_iam_member | -| [core-prod.tf](./core-prod.tf) | None | kms · project | google_project_iam_member | +| [core-dev.tf](./core-dev.tf) | None | kms · project | | +| [core-prod.tf](./core-prod.tf) | None | kms · project | | | [main.tf](./main.tf) | Module-level locals and resources. | | | | [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file | | [variables.tf](./variables.tf) | Module variables. | | | 
@@ -303,17 +302,16 @@ Some references that might be useful in setting up this stage: | [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | | [folder_ids](variables.tf#L38) | Folder name => id mappings, the 'security' folder name must exist. | object({…}) | ✓ | | 1-resman | -| [organization](variables.tf#L84) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables.tf#L100) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | -| [service_accounts](variables.tf#L111) | Automation service accounts that can assign the encrypt/decrypt roles on keys. | object({…}) | ✓ | | 1-resman | +| [organization](variables.tf#L97) | Organization details. | object({…}) | ✓ | | 0-bootstrap | +| [prefix](variables.tf#L113) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | +| [service_accounts](variables.tf#L124) | Automation service accounts that can assign the encrypt/decrypt roles on keys. | object({…}) | ✓ | | 1-resman | | [groups](variables.tf#L46) | Group names to grant organization-level permissions. | map(string) | | {…} | 0-bootstrap | -| [kms_defaults](variables.tf#L61) | Defaults used for KMS keys. | object({…}) | | {…} | | -| [kms_keys](variables.tf#L73) | KMS keys to create, keyed by name. Null attributes will be interpolated with defaults. | map(object({…})) | | {} | | -| [outputs_location](variables.tf#L94) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | | -| [vpc_sc_access_levels](variables.tf#L122) | VPC SC access level definitions. 
| map(object({…})) | | {} | | -| [vpc_sc_egress_policies](variables.tf#L151) | VPC SC egress policy definitions. | map(object({…})) | | {} | | -| [vpc_sc_ingress_policies](variables.tf#L171) | VPC SC ingress policy definitions. | map(object({…})) | | {} | | -| [vpc_sc_perimeters](variables.tf#L192) | VPC SC regular perimeter definitions. | object({…}) | | {} | | +| [kms_keys](variables.tf#L61) | KMS keys to create, keyed by name. | map(object({…})) | | {} | | +| [outputs_location](variables.tf#L107) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | | +| [vpc_sc_access_levels](variables.tf#L135) | VPC SC access level definitions. | map(object({…})) | | {} | | +| [vpc_sc_egress_policies](variables.tf#L164) | VPC SC egress policy definitions. | map(object({…})) | | {} | | +| [vpc_sc_ingress_policies](variables.tf#L184) | VPC SC ingress policy definitions. | map(object({…})) | | {} | | +| [vpc_sc_perimeters](variables.tf#L205) | VPC SC regular perimeter definitions. | object({…}) | | {} | | ## Outputs @@ -322,5 +320,4 @@ Some references that might be useful in setting up this stage: | [kms_keys](outputs.tf#L59) | KMS key ids. | | | | [stage_perimeter_projects](outputs.tf#L64) | Security project numbers. They can be added to perimeter resources. | | | | [tfvars](outputs.tf#L74) | Terraform variable files for the following stages. | ✓ | | -
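Review bot: In the blueprints/data-solutions/shielded-folder/README.md hunk, the `log_locations` row changes its documented default from `{…}` to `{}`, and nothing in the table explains where the previous location defaults went. Please confirm they now live as per-attribute defaults inside the object type rather than being dropped, and say so in the description, since callers who never set this variable depend on them for where log buckets and datasets are created. In the same hunk `kms_keys` stays at `variables.tf#L75` while the next variable moves from L87 to L111, so its definition grew by 24 lines but the description is still "KMS keys to create, keyed by name."; a short usage example of the new shape in this README would help.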
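Review bot: In the Files table hunk of fast/stages/2-security/README.md, `google_project_iam_member` disappears from the resources column for both `core-dev.tf` and `core-prod.tf`, while the variables table in the same README still documents `service_accounts` as "Automation service accounts that can assign the encrypt/decrypt roles on keys". Please confirm the delegated grant is still created through the `project` module and remains limited to those roles rather than becoming a broader binding; a plan diff for one environment attached to the PR would settle it. Both files also still carry the description "None", so this is a good moment to add a file-level description comment to each.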
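Review bot: In the Variables table hunk of fast/stages/2-security/README.md, the `kms_defaults` row is removed and the `kms_keys` description loses "Null attributes will be interpolated with defaults.", which is an interface change for existing callers that the README does not call out. Existing tfvars that set `kms_defaults` will no longer match a declared variable, and keys that relied on null attributes being filled in need explicit values after this change. Please add a migration note (README or changelog) stating what replaces the old defaults, so that an upgrade does not silently alter the settings of keys already deployed.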