gleichda
diff --git a/‎examples/cloud-operations/asset-inventory-feed-remediation/README.md
+9-14 b/‎examples/cloud-operations/asset-inventory-feed-remediation/README.md
+9-14
diff --git a/‎examples/cloud-operations/dns-fine-grained-iam/README.md
+7-10 b/‎examples/cloud-operations/dns-fine-grained-iam/README.md
+7-10
diff --git a/‎examples/cloud-operations/dns-shared-vpc/README.md
+8-11 b/‎examples/cloud-operations/dns-shared-vpc/README.md
+8-11
diff --git a/‎examples/cloud-operations/iam-delegated-role-grants/README.md
+6-10 b/‎examples/cloud-operations/iam-delegated-role-grants/README.md
+6-10
diff --git a/‎examples/cloud-operations/onprem-sa-key-management/README.md
+5-8 b/‎examples/cloud-operations/onprem-sa-key-management/README.md
+5-8
diff --git a/‎examples/cloud-operations/packer-image-builder/README.md
+14-17 b/‎examples/cloud-operations/packer-image-builder/README.md
+14-17
@@ -50,30 +50,25 @@ Run the `subscription_pull` command until it returns nothing, then run the follo
 - the `tag_add` command
 - the `cf_logs` command until the logs show that the change has been picked up, verified, and the compliant tags have been force-set on the instance
 - the `tag_show` command to verify that the function output matches the resource state
-
-
-
 <!-- BEGIN TFDOC -->
 
 ## Variables
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| project_id | Project id that references existing project. | <code>string</code> | ✓ |  |
-| bundle_path | Path used to write the intermediate Cloud Function code bundle. | <code>string</code> |  | <code>&#34;.&#47;bundle.zip&#34;</code> |
-| name | Arbitrary string used to name created resources. | <code>string</code> |  | <code>&#34;asset-feed&#34;</code> |
-| project_create | Create project instead of using an existing one. | <code>bool</code> |  | <code>false</code> |
-| region | Compute region used in the example. | <code>string</code> |  | <code>&#34;europe-west1&#34;</code> |
+| [project_id](variables.tf#L35) | Project id that references existing project. | <code>string</code> | ✓ |  |
+| [bundle_path](variables.tf#L17) | Path used to write the intermediate Cloud Function code bundle. | <code>string</code> |  | <code>&#34;.&#47;bundle.zip&#34;</code> |
+| [name](variables.tf#L23) | Arbitrary string used to name created resources. | <code>string</code> |  | <code>&#34;asset-feed&#34;</code> |
+| [project_create](variables.tf#L29) | Create project instead of using an existing one. | <code>bool</code> |  | <code>false</code> |
+| [region](variables.tf#L40) | Compute region used in the example. | <code>string</code> |  | <code>&#34;europe-west1&#34;</code> |
 
 ## Outputs
 
 | name | description | sensitive |
 |---|---|:---:|
-| cf_logs | Cloud Function logs read command. |  |
-| subscription_pull | Subscription pull command. |  |
-| tag_add | Instance add tag command. |  |
-| tag_show | Instance add tag command. |  |
+| [cf_logs](outputs.tf#L17) | Cloud Function logs read command. |  |
+| [subscription_pull](outputs.tf#L29) | Subscription pull command. |  |
+| [tag_add](outputs.tf#L39) | Instance add tag command. |  |
+| [tag_show](outputs.tf#L49) | Instance add tag command. |  |
 
 <!-- END TFDOC -->
-
-
@@ -98,26 +98,23 @@ dig app1.svc.example.org +short
 # 127.0.0.3
 # 127.0.0.7
 ```
-
-
 <!-- BEGIN TFDOC -->
 
 ## Variables
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| project_id | Existing project id. | <code>string</code> | ✓ |  |
-| name | Arbitrary string used to name created resources. | <code>string</code> |  | <code>&#34;dns-sd-test&#34;</code> |
-| project_create | Create project instead ofusing an existing one. | <code>bool</code> |  | <code>false</code> |
-| region | Compute region used in the example. | <code>string</code> |  | <code>&#34;europe-west1&#34;</code> |
-| zone_domain | Domain name used for the DNS zone. | <code>string</code> |  | <code>&#34;svc.example.org.&#34;</code> |
+| [project_id](variables.tf#L29) | Existing project id. | <code>string</code> | ✓ |  |
+| [name](variables.tf#L17) | Arbitrary string used to name created resources. | <code>string</code> |  | <code>&#34;dns-sd-test&#34;</code> |
+| [project_create](variables.tf#L23) | Create project instead ofusing an existing one. | <code>bool</code> |  | <code>false</code> |
+| [region](variables.tf#L34) | Compute region used in the example. | <code>string</code> |  | <code>&#34;europe-west1&#34;</code> |
+| [zone_domain](variables.tf#L40) | Domain name used for the DNS zone. | <code>string</code> |  | <code>&#34;svc.example.org.&#34;</code> |
 
 ## Outputs
 
 | name | description | sensitive |
 |---|---|:---:|
-| gcloud_commands | Commands used to SSH to the VMs. |  |
-| vms | VM names. |  |
+| [gcloud_commands](outputs.tf#L17) | Commands used to SSH to the VMs. |  |
+| [vms](outputs.tf#L25) | VM names. |  |
 
 <!-- END TFDOC -->
-
@@ -18,27 +18,24 @@ The resources created in this example are shown in the high level diagram below:
 <img src="diagram.png" width="640px">
 
 Note that Terraform 0.13 at least is required due to the use of `for_each` with modules.
-
-
 <!-- BEGIN TFDOC -->
 
 ## Variables
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| billing_account_id | Billing account associated with the GCP Projects that will be created for each team. | <code>string</code> | ✓ |  |
-| folder_id | Folder ID in which DNS projects will be created. | <code>string</code> | ✓ |  |
-| shared_vpc_link | Shared VPC self link, used for DNS peering. | <code>string</code> | ✓ |  |
-| dns_domain | DNS domain under which each application team DNS domain will be created. | <code>string</code> |  | <code>&#34;example.org&#34;</code> |
-| prefix | Customer name to use as prefix for resources' naming. | <code>string</code> |  | <code>&#34;test-dns&#34;</code> |
-| project_services | Service APIs enabled by default. | <code>list&#40;string&#41;</code> |  | <code title="&#91;&#10;  &#34;compute.googleapis.com&#34;,&#10;  &#34;dns.googleapis.com&#34;,&#10;&#93;">&#91;&#8230;&#93;</code> |
-| teams | List of application teams requiring their own Cloud DNS instance. | <code>list&#40;string&#41;</code> |  | <code title="&#91;&#10;  &#34;team1&#34;,&#10;  &#34;team2&#34;,&#10;&#93;">&#91;&#8230;&#93;</code> |
+| [billing_account_id](variables.tf#L17) | Billing account associated with the GCP Projects that will be created for each team. | <code>string</code> | ✓ |  |
+| [folder_id](variables.tf#L28) | Folder ID in which DNS projects will be created. | <code>string</code> | ✓ |  |
+| [shared_vpc_link](variables.tf#L48) | Shared VPC self link, used for DNS peering. | <code>string</code> | ✓ |  |
+| [dns_domain](variables.tf#L22) | DNS domain under which each application team DNS domain will be created. | <code>string</code> |  | <code>&#34;example.org&#34;</code> |
+| [prefix](variables.tf#L33) | Customer name to use as prefix for resources' naming. | <code>string</code> |  | <code>&#34;test-dns&#34;</code> |
+| [project_services](variables.tf#L39) | Service APIs enabled by default. | <code>list&#40;string&#41;</code> |  | <code title="&#91;&#10;  &#34;compute.googleapis.com&#34;,&#10;  &#34;dns.googleapis.com&#34;,&#10;&#93;">&#91;&#8230;&#93;</code> |
+| [teams](variables.tf#L53) | List of application teams requiring their own Cloud DNS instance. | <code>list&#40;string&#41;</code> |  | <code title="&#91;&#10;  &#34;team1&#34;,&#10;  &#34;team2&#34;,&#10;&#93;">&#91;&#8230;&#93;</code> |
 
 ## Outputs
 
 | name | description | sensitive |
 |---|---|:---:|
-| teams | Team resources |  |
+| [teams](outputs.tf#L17) | Team resources |  |
 
 <!-- END TFDOC -->
-
@@ -62,21 +62,17 @@ If you get any warnings, check the roles and remove any of them granting any of
 - `resourcemanager.projects.setIamPolicy`
 - `resourcemanager.folders.setIamPolicy`
 - `resourcemanager.organizations.setIamPolicy`
-
-
-
 <!-- BEGIN TFDOC -->
 
 ## Variables
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| project_administrators | List identities granted administrator permissions. | <code>list&#40;string&#41;</code> | ✓ |  |
-| project_id | GCP project id where to grant direct and delegated roles to the users listed in project_administrators. | <code>string</code> | ✓ |  |
-| delegated_role_grants | List of roles that project administrators will be allowed to grant/revoke. | <code>list&#40;string&#41;</code> |  | <code title="&#91;&#10;  &#34;roles&#47;storage.admin&#34;,&#10;  &#34;roles&#47;storage.hmacKeyAdmin&#34;,&#10;  &#34;roles&#47;storage.legacyBucketOwner&#34;,&#10;  &#34;roles&#47;storage.objectAdmin&#34;,&#10;  &#34;roles&#47;storage.objectCreator&#34;,&#10;  &#34;roles&#47;storage.objectViewer&#34;,&#10;  &#34;roles&#47;compute.admin&#34;,&#10;  &#34;roles&#47;compute.imageUser&#34;,&#10;  &#34;roles&#47;compute.instanceAdmin&#34;,&#10;  &#34;roles&#47;compute.instanceAdmin.v1&#34;,&#10;  &#34;roles&#47;compute.networkAdmin&#34;,&#10;  &#34;roles&#47;compute.networkUser&#34;,&#10;  &#34;roles&#47;compute.networkViewer&#34;,&#10;  &#34;roles&#47;compute.orgFirewallPolicyAdmin&#34;,&#10;  &#34;roles&#47;compute.orgFirewallPolicyUser&#34;,&#10;  &#34;roles&#47;compute.orgSecurityPolicyAdmin&#34;,&#10;  &#34;roles&#47;compute.orgSecurityPolicyUser&#34;,&#10;  &#34;roles&#47;compute.orgSecurityResourceAdmin&#34;,&#10;  &#34;roles&#47;compute.osAdminLogin&#34;,&#10;  &#34;roles&#47;compute.osLogin&#34;,&#10;  &#34;roles&#47;compute.osLoginExternalUser&#34;,&#10;  &#34;roles&#47;compute.packetMirroringAdmin&#34;,&#10;  &#34;roles&#47;compute.packetMirroringUser&#34;,&#10;  &#34;roles&#47;compute.publicIpAdmin&#34;,&#10;  &#34;roles&#47;compute.securityAdmin&#34;,&#10;  &#34;roles&#47;compute.serviceAgent&#34;,&#10;  &#34;roles&#47;compute.storageAdmin&#34;,&#10;  &#34;roles&#47;compute.viewer&#34;,&#10;  &#34;roles&#47;viewer&#34;&#10;&#93;">&#91;&#8230;&#93;</code> |
-| direct_role_grants | List of roles granted directly to project administrators. | <code>list&#40;string&#41;</code> |  | <code title="&#91;&#10;  &#34;roles&#47;compute.admin&#34;,&#10;  &#34;roles&#47;storage.admin&#34;,&#10;&#93;">&#91;&#8230;&#93;</code> |
-| project_create | Create project instead of using an existing one. | <code>bool</code> |  | <code>false</code> |
-| restricted_role_grant | Role grant to which the restrictions will apply. | <code>string</code> |  | <code>&#34;roles&#47;resourcemanager.projectIamAdmin&#34;</code> |
+| [project_administrators](variables.tf#L62) | List identities granted administrator permissions. | <code>list&#40;string&#41;</code> | ✓ |  |
+| [project_id](variables.tf#L73) | GCP project id where to grant direct and delegated roles to the users listed in project_administrators. | <code>string</code> | ✓ |  |
+| [delegated_role_grants](variables.tf#L17) | List of roles that project administrators will be allowed to grant/revoke. | <code>list&#40;string&#41;</code> |  | <code title="&#91;&#10;  &#34;roles&#47;storage.admin&#34;,&#10;  &#34;roles&#47;storage.hmacKeyAdmin&#34;,&#10;  &#34;roles&#47;storage.legacyBucketOwner&#34;,&#10;  &#34;roles&#47;storage.objectAdmin&#34;,&#10;  &#34;roles&#47;storage.objectCreator&#34;,&#10;  &#34;roles&#47;storage.objectViewer&#34;,&#10;  &#34;roles&#47;compute.admin&#34;,&#10;  &#34;roles&#47;compute.imageUser&#34;,&#10;  &#34;roles&#47;compute.instanceAdmin&#34;,&#10;  &#34;roles&#47;compute.instanceAdmin.v1&#34;,&#10;  &#34;roles&#47;compute.networkAdmin&#34;,&#10;  &#34;roles&#47;compute.networkUser&#34;,&#10;  &#34;roles&#47;compute.networkViewer&#34;,&#10;  &#34;roles&#47;compute.orgFirewallPolicyAdmin&#34;,&#10;  &#34;roles&#47;compute.orgFirewallPolicyUser&#34;,&#10;  &#34;roles&#47;compute.orgSecurityPolicyAdmin&#34;,&#10;  &#34;roles&#47;compute.orgSecurityPolicyUser&#34;,&#10;  &#34;roles&#47;compute.orgSecurityResourceAdmin&#34;,&#10;  &#34;roles&#47;compute.osAdminLogin&#34;,&#10;  &#34;roles&#47;compute.osLogin&#34;,&#10;  &#34;roles&#47;compute.osLoginExternalUser&#34;,&#10;  &#34;roles&#47;compute.packetMirroringAdmin&#34;,&#10;  &#34;roles&#47;compute.packetMirroringUser&#34;,&#10;  &#34;roles&#47;compute.publicIpAdmin&#34;,&#10;  &#34;roles&#47;compute.securityAdmin&#34;,&#10;  &#34;roles&#47;compute.serviceAgent&#34;,&#10;  &#34;roles&#47;compute.storageAdmin&#34;,&#10;  &#34;roles&#47;compute.viewer&#34;,&#10;  &#34;roles&#47;viewer&#34;&#10;&#93;">&#91;&#8230;&#93;</code> |
+| [direct_role_grants](variables.tf#L53) | List of roles granted directly to project administrators. | <code>list&#40;string&#41;</code> |  | <code title="&#91;&#10;  &#34;roles&#47;compute.admin&#34;,&#10;  &#34;roles&#47;storage.admin&#34;,&#10;&#93;">&#91;&#8230;&#93;</code> |
+| [project_create](variables.tf#L67) | Create project instead of using an existing one. | <code>bool</code> |  | <code>false</code> |
+| [restricted_role_grant](variables.tf#L78) | Role grant to which the restrictions will apply. | <code>string</code> |  | <code>&#34;roles&#47;resourcemanager.projectIamAdmin&#34;</code> |
 
 <!-- END TFDOC -->
-
@@ -60,24 +60,21 @@ gcloud auth activate-service-account --key-file data-uploader.json
 ```bash
 terraform destroy -var project_id=$GOOGLE_CLOUD_PROJECT
 ```
-
-
 <!-- BEGIN TFDOC -->
 
 ## Variables
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| project_id | Project id. | <code>string</code> | ✓ |  |
-| project_create | Create project instead of using an existing one. | <code>bool</code> |  | <code>false</code> |
-| service_accounts | List of service accounts. | <code title="list&#40;object&#40;&#123;&#10;  name              &#61; string&#10;  iam_project_roles &#61; list&#40;string&#41;&#10;  public_keys_path  &#61; string&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code title="&#91;&#10;  &#123;&#10;    name &#61; &#34;data-uploader&#34;&#10;    iam_project_roles &#61; &#91;&#10;      &#34;roles&#47;bigquery.dataOwner&#34;,&#10;      &#34;roles&#47;bigquery.jobUser&#34;,&#10;      &#34;roles&#47;storage.objectAdmin&#34;&#10;    &#93;&#10;    public_keys_path &#61; &#34;public-keys&#47;data-uploader&#47;&#34;&#10;  &#125;,&#10;  &#123;&#10;    name &#61; &#34;prisma-security&#34;&#10;    iam_project_roles &#61; &#91;&#10;      &#34;roles&#47;iam.securityReviewer&#34;&#10;    &#93;&#10;    public_keys_path &#61; &#34;public-keys&#47;prisma-security&#47;&#34;&#10;  &#125;,&#10;&#93;">&#91;&#8230;&#93;</code> |
-| services | Service APIs to enable. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
+| [project_id](variables.tf#L23) | Project id. | <code>string</code> | ✓ |  |
+| [project_create](variables.tf#L17) | Create project instead of using an existing one. | <code>bool</code> |  | <code>false</code> |
+| [service_accounts](variables.tf#L28) | List of service accounts. | <code title="list&#40;object&#40;&#123;&#10;  name              &#61; string&#10;  iam_project_roles &#61; list&#40;string&#41;&#10;  public_keys_path  &#61; string&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code title="&#91;&#10;  &#123;&#10;    name &#61; &#34;data-uploader&#34;&#10;    iam_project_roles &#61; &#91;&#10;      &#34;roles&#47;bigquery.dataOwner&#34;,&#10;      &#34;roles&#47;bigquery.jobUser&#34;,&#10;      &#34;roles&#47;storage.objectAdmin&#34;&#10;    &#93;&#10;    public_keys_path &#61; &#34;public-keys&#47;data-uploader&#47;&#34;&#10;  &#125;,&#10;  &#123;&#10;    name &#61; &#34;prisma-security&#34;&#10;    iam_project_roles &#61; &#91;&#10;      &#34;roles&#47;iam.securityReviewer&#34;&#10;    &#93;&#10;    public_keys_path &#61; &#34;public-keys&#47;prisma-security&#47;&#34;&#10;  &#125;,&#10;&#93;">&#91;&#8230;&#93;</code> |
+| [services](variables.tf#L56) | Service APIs to enable. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
 
 ## Outputs
 
 | name | description | sensitive |
 |---|---|:---:|
-| sa-credentials | SA json key templates. |  |
+| [sa-credentials](outputs.tf#L17) | SA json key templates. |  |
 
 <!-- END TFDOC -->
-
@@ -66,33 +66,30 @@ configurations respectively.
 The following example assumes that provisioning of a Compute Engine VM requires access to
 the resources over the Internet (i.e. to install OS packages). Since Compute VM has no public IP
 address for security reasons, Internet connectivity is done with [Cloud NAT](https://cloud.google.com/nat/docs/overview).
-
-
 <!-- BEGIN TFDOC -->
 
 ## Variables
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| project_id | Project id that references existing project. | <code>string</code> | ✓ |  |
-| billing_account | Billing account id used as default for new projects. | <code>string</code> |  | <code>null</code> |
-| cidrs | CIDR ranges for subnets | <code>map&#40;string&#41;</code> |  | <code title="&#123;&#10;  image-builder &#61; &#34;10.0.0.0&#47;24&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |
-| create_packer_vars | Create packer variables file using template file and terraform output. | <code>bool</code> |  | <code>false</code> |
-| packer_account_users | List of members that will be allowed to impersonate Packer image builder service account in IAM format, i.e. 'user:{emailid}'. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
-| packer_source_cidrs | List of CIDR ranges allowed to connect to the temporary VM for provisioning. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#34;0.0.0.0&#47;0&#34;&#93;</code> |
-| project_create | Create project instead of using an existing one. | <code>bool</code> |  | <code>true</code> |
-| region | Default region for resources | <code>string</code> |  | <code>&#34;europe-west1&#34;</code> |
-| root_node | The resource name of the parent folder or organization for project creation, in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> |  | <code>null</code> |
-| use_iap | Use IAP tunnel to connect to Compute Engine instance for provisioning. | <code>bool</code> |  | <code>true</code> |
+| [project_id](variables.tf#L55) | Project id that references existing project. | <code>string</code> | ✓ |  |
+| [billing_account](variables.tf#L17) | Billing account id used as default for new projects. | <code>string</code> |  | <code>null</code> |
+| [cidrs](variables.tf#L23) | CIDR ranges for subnets | <code>map&#40;string&#41;</code> |  | <code title="&#123;&#10;  image-builder &#61; &#34;10.0.0.0&#47;24&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [create_packer_vars](variables.tf#L31) | Create packer variables file using template file and terraform output. | <code>bool</code> |  | <code>false</code> |
+| [packer_account_users](variables.tf#L37) | List of members that will be allowed to impersonate Packer image builder service account in IAM format, i.e. 'user:{emailid}'. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
+| [packer_source_cidrs](variables.tf#L43) | List of CIDR ranges allowed to connect to the temporary VM for provisioning. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#34;0.0.0.0&#47;0&#34;&#93;</code> |
+| [project_create](variables.tf#L49) | Create project instead of using an existing one. | <code>bool</code> |  | <code>true</code> |
+| [region](variables.tf#L60) | Default region for resources | <code>string</code> |  | <code>&#34;europe-west1&#34;</code> |
+| [root_node](variables.tf#L66) | The resource name of the parent folder or organization for project creation, in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> |  | <code>null</code> |
+| [use_iap](variables.tf#L72) | Use IAP tunnel to connect to Compute Engine instance for provisioning. | <code>bool</code> |  | <code>true</code> |
 
 ## Outputs
 
 | name | description | sensitive |
 |---|---|:---:|
-| builder_sa | Packer's service account email. |  |
-| compute_sa | Packer's temporary VM service account email. |  |
-| compute_subnetwork | Name of a subnetwork for Packer's temporary VM. |  |
-| compute_zone | Name of a compute engine zone for Packer's temporary VM. |  |
+| [builder_sa](outputs.tf#L17) | Packer's service account email. |  |
+| [compute_sa](outputs.tf#L22) | Packer's temporary VM service account email. |  |
+| [compute_subnetwork](outputs.tf#L27) | Name of a subnetwork for Packer's temporary VM. |  |
+| [compute_zone](outputs.tf#L32) | Name of a compute engine zone for Packer's temporary VM. |  |
 
 <!-- END TFDOC -->
-