diff --git a/Jenkinsfile b/Jenkinsfile index 8c7edda..e5d85cd 100755 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -34,7 +34,7 @@ metadata: spec: containers: - name: ${containerName} - image: gcr.io/pso-helmsman-cicd/jenkins-k8s-node:${env.CONTAINER_VERSION} + image: gcr.io/pso-helmsman-cicd/jenkins-k8s-node:${env.JENKINS_CONTAINER_VERSION} command: ['cat'] tty: true volumeMounts: diff --git a/Makefile b/Makefile index bda4bd1..e123b3f 100644 --- a/Makefile +++ b/Makefile @@ -106,7 +106,7 @@ bootstrap: .PHONY: terraform_preapply terraform_preapply: terraform init terraform/ - terraform validate -check-variables=false terraform/ + terraform validate terraform/ terraform plan -var "project=$(PROJECT)" -out=tfplan terraform/ .PHONY: terraform diff --git a/README.md b/README.md index 3b7381f..0893ce5 100644 --- a/README.md +++ b/README.md @@ -163,7 +163,7 @@ gcloud init ### Tools -1. [Terraform >= 0.11.7](https://www.terraform.io/downloads.html) +1. [Terraform >= 0.12](https://www.terraform.io/downloads.html) 2. [Google Cloud SDK version >= 204.0.0](https://cloud.google.com/sdk/docs/downloads-versioned-archives) 3. [kubectl matching the latest GKE version](https://kubernetes.io/docs/tasks/tools/install-kubectl/) 4. bash or bash compatible shell diff --git a/terraform/main.tf b/terraform/main.tf index 337c693..4f748d0 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -17,9 +17,10 @@ limitations under the License. // Provides access to available Google Container Engine versions in a zone for a given project. // https://www.terraform.io/docs/providers/google/d/google_container_engine_versions.html data "google_container_engine_versions" "gke_version" { - zone = "${var.zone_on_prem}" + zone = var.zone_on_prem } data "external" "account" { program = ["sh", "${path.module}/../scripts/get-gcloud-account.sh"] } + diff --git a/terraform/provider.tf b/terraform/provider.tf index a85e7f1..d67a353 100644 --- a/terraform/provider.tf +++ b/terraform/provider.tf 
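Review bot: The added image line still resolves a mutable tag when the agent pod starts, and if `JENKINS_CONTAINER_VERSION` is absent from the job environment the Groovy interpolation produces `jenkins-k8s-node:null`, which only fails once the pod is scheduled. A guard ahead of the pod template, `if (!env.JENKINS_CONTAINER_VERSION) { error 'JENKINS_CONTAINER_VERSION is not set' }`, turns that into an early, readable failure. Referencing the agent image by digest (`image@sha256:<DIGEST>`) instead of a tag would additionally make CI runs reproducible, since a tag can be re-pushed under the same name. The pod template continues outside this hunk.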
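Review bot: The reworked `terraform_preapply` target still runs `terraform init terraform/` and `terraform plan ... terraform/` without `-input=false`, so in a non-interactive Jenkins run a missing variable or backend setting blocks on a prompt rather than failing. Since the target exists for CI, I would change the two adjacent lines to `terraform init -input=false terraform/` and `terraform plan -input=false -var "project=$(PROJECT)" -out=tfplan terraform/`. With `-check-variables` gone, `terraform validate` in 0.12 checks syntax and references only, so the plan step is the first place a bad `PROJECT` surfaces, which is acceptable as long as that step cannot hang.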
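Review bot: With the provider constraint moved to `~> 2.11.0` elsewhere in this commit, the `zone` argument kept on `google_container_engine_versions` is, as far as I recall, deprecated throughout the 2.x series in favour of `location`, so every plan will carry a deprecation warning and the later 3.x provider upgrade will break the data source. The one-line change is `location = var.zone_on_prem`. The same applies to `zone` on the `google_container_cluster` and `google_container_node_pool` resources in staging.tf, and to `additional_zones` on the on-prem cluster there, which 2.x supersedes with `node_locations`.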
@@ -16,6 +16,6 @@ limitations under the License. // Configures the GCP Cloud Provider with default project and region provider "google" { - version = "~> 1.16.2" - project = "${var.project}" + version = "~> 2.11.0" + project = var.project } diff --git a/terraform/staging.tf b/terraform/staging.tf index 2e0f1d0..671ae66 100644 --- a/terraform/staging.tf +++ b/terraform/staging.tf 
@@ -23,72 +23,76 @@ limitations under the License. // Reserve regional external (static) IP addresses locals { - resource_labels = "${merge(var.labels, map("owner", data.external.account.result.gcloud_account))}" + resource_labels = merge( + var.labels, + { + "owner" = data.external.account.result.gcloud_account + }, + ) } resource "google_compute_address" "staging_public_ip_1" { name = "gke-enterprise-demo-cloud-public-ip-1" - region = "${var.region_cloud}" + region = var.region_cloud } resource "google_compute_address" "staging_public_ip_2" { name = "gke-enterprise-demo-cloud-public-ip-2" - region = "${var.region_on_prem}" + region = var.region_on_prem } // STAGING: invokes a module to create a policy based VPN, custom network/subnet, firewall rules as Cloud module "staging_cloud" { - source = "modules/datacenter" - project = "${var.project}" + source = "./modules/datacenter" + project = var.project network_name = "gke-enterprise-demo-staging-cloud" - subnet_region = "${var.region_cloud}" - primary_range = "${lookup(var.cloud, "primary_range")}" - secondary_range = "${lookup(var.cloud, "secondary_range")}" - vpn_ip = "${google_compute_address.staging_public_ip_1.address}" - peer_ip = "${google_compute_address.staging_public_ip_2.address}" - destination_range = "${lookup(var.cloud, "destination_range")}" - shared_secret = "${random_string.staging_shared_secret.result}" + subnet_region = var.region_cloud + primary_range = var.cloud["primary_range"] + secondary_range = var.cloud["secondary_range"] + vpn_ip = google_compute_address.staging_public_ip_1.address + peer_ip = google_compute_address.staging_public_ip_2.address + destination_range = var.cloud["destination_range"] + shared_secret = random_string.staging_shared_secret.result } // invokes a module to create policy based VPN, custom network/subnet, firewall rules as // STAGING: on prem data center module "staging_on_prem" { - source = "modules/datacenter" - project = "${var.project}" + source = 
"./modules/datacenter" + project = var.project network_name = "gke-enterprise-demo-staging-on-prem" - subnet_region = "${var.region_on_prem}" - primary_range = "${lookup(var.on_prem, "primary_range")}" - secondary_range = "${lookup(var.on_prem, "secondary_range")}" - vpn_ip = "${google_compute_address.staging_public_ip_2.address}" - peer_ip = "${google_compute_address.staging_public_ip_1.address}" - destination_range = "${lookup(var.on_prem, "destination_range")}" - shared_secret = "${random_string.staging_shared_secret.result}" + subnet_region = var.region_on_prem + primary_range = var.on_prem["primary_range"] + secondary_range = var.on_prem["secondary_range"] + vpn_ip = google_compute_address.staging_public_ip_2.address + peer_ip = google_compute_address.staging_public_ip_1.address + destination_range = var.on_prem["destination_range"] + shared_secret = random_string.staging_shared_secret.result } // Creates a Google Kubernetes Engine (GKE) cluster for the on premise data center // https://www.terraform.io/docs/providers/google/r/container_cluster.html resource "google_container_cluster" "staging_on_prem_cluster" { name = "gke-enterprise-staging-on-prem-cluster" - project = "${var.project}" + project = var.project - zone = "${var.zone_on_prem}" - additional_zones = "${var.zone_on_prem_failover}" + zone = var.zone_on_prem + additional_zones = var.zone_on_prem_failover - network = "${module.staging_on_prem.network}" + network = module.staging_on_prem.network - subnetwork = "${module.staging_on_prem.subnetwork}" + subnetwork = module.staging_on_prem.subnetwork initial_node_count = 1 - min_master_version = "${var.gke_master_version}" + min_master_version = var.gke_master_version - resource_labels = "${local.resource_labels}" + resource_labels = local.resource_labels ip_allocation_policy { - cluster_secondary_range_name = "${module.staging_on_prem.secondary_range_name}" + cluster_secondary_range_name = module.staging_on_prem.secondary_range_name } 
remove_default_node_pool = true - initial_node_count = 1 addons_config { network_policy_config { @@ -103,7 +107,11 @@ resource "google_container_cluster" "staging_on_prem_cluster" { // Lifecycle is used for preventing destruction of the following resources when the terraform apply again lifecycle { - ignore_changes = ["network", "subnetwork", "ip_allocation_policy.0.services_secondary_range_name"] + ignore_changes = [ + network, + subnetwork, + "ip_allocation_policy[0].services_secondary_range_name", + ] } timeouts { @@ -115,14 +123,14 @@ resource "google_container_cluster" "staging_on_prem_cluster" { resource "google_container_node_pool" "staging_on_prem_cluster" { name = "gke-enterprise-staging-on-prem-node-pool" - project = "${var.project}" + project = var.project - cluster = "${google_container_cluster.staging_on_prem_cluster.name}" - zone = "${var.zone_on_prem}" + cluster = google_container_cluster.staging_on_prem_cluster.name + zone = var.zone_on_prem node_count = 1 node_config { - machine_type = "${lookup(var.on_prem, "machine_type")}" + machine_type = var.on_prem["machine_type"] // https://cloud.google.com/kubernetes-engine/docs/how-to/access-scopes // Enable private gcr.io read access for the same project @@ -134,7 +142,10 @@ resource "google_container_node_pool" "staging_on_prem_cluster" { } lifecycle { - ignore_changes = ["id", "node_config.0.metadata"] + ignore_changes = [ + id, + "node_config[0].metadata", + ] } } 
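Review bot: `shared_secret = random_string.staging_shared_secret.result` passes the VPN pre-shared key into both `datacenter` modules as an ordinary input, so it is printed in clear text in every `terraform plan` diff and stored in state; Terraform 0.12 cannot mark a variable sensitive, so the practical mitigations are restricting who can read plan output in Jenkins, keeping state in an access-controlled backend, and, if the random provider in use is recent enough, switching to `random_password`, whose result is redacted in plan output. Separately, the new `resource_labels` local takes the `owner` value straight from `data.external.account.result.gcloud_account`; GCP label values permit only lowercase letters, digits, `_` and `-`, so unless `get-gcloud-account.sh` already normalises the account string (it is not visible here), an e-mail-shaped value would make the cluster apply fail. A `lower()`/`replace()` normalisation on the value, or a comment beside the local stating the script's output contract, would close that gap. The `random_string.staging_shared_secret` definition lies outside this hunk.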
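Review bot: The rewritten `ignore_changes` list mixes bare references (`network`, `subnetwork`) with a quoted string for `"ip_allocation_policy[0].services_secondary_range_name"`; Terraform 0.12 still accepts the quoted form but, as I recall, reports it as a deprecated quoted reference on every plan. The unquoted entry `ip_allocation_policy[0].services_secondary_range_name,` is valid 0.12 syntax and matches the other two. The same mixed form appears in the cloud cluster's lifecycle block and in both node pools' lists (`id, "node_config[0].metadata"`), where `node_config[0].metadata,` is likewise the consistent spelling; ignoring `id` there is harmless but redundant, since `id` is never set from configuration.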
@@ -142,21 +153,20 @@ resource "google_container_node_pool" "staging_on_prem_cluster" { // https://www.terraform.io/docs/providers/google/r/container_cluster.html resource "google_container_cluster" "staging_cloud_cluster" { name = "gke-enterprise-staging-cloud-cluster" - zone = "${var.zone_cloud}" - network = "${module.staging_cloud.network}" - subnetwork = "${module.staging_cloud.subnetwork}" + zone = var.zone_cloud + network = module.staging_cloud.network + subnetwork = module.staging_cloud.subnetwork initial_node_count = 1 - min_master_version = "${var.gke_master_version}" + min_master_version = var.gke_master_version - resource_labels = "${local.resource_labels}" + resource_labels = local.resource_labels ip_allocation_policy { - cluster_secondary_range_name = "${module.staging_cloud.secondary_range_name}" + cluster_secondary_range_name = module.staging_cloud.secondary_range_name } remove_default_node_pool = true - initial_node_count = 1 addons_config { network_policy_config { @@ -170,7 +180,11 @@ resource "google_container_cluster" "staging_cloud_cluster" { } lifecycle { - ignore_changes = ["network", "subnetwork", "ip_allocation_policy.0.services_secondary_range_name"] + ignore_changes = [ + network, + subnetwork, + "ip_allocation_policy[0].services_secondary_range_name", + ] } timeouts { 
@@ -178,18 +192,17 @@ resource "google_container_cluster" "staging_cloud_cluster" { update = "40m" delete = "30m" } - } resource "google_container_node_pool" "staging_cloud_cluster" { name = "gke-enterprise-staging-cloud-node-pool" - project = "${var.project}" - cluster = "${google_container_cluster.staging_cloud_cluster.name}" - zone = "${var.zone_cloud}" + project = var.project + cluster = google_container_cluster.staging_cloud_cluster.name + zone = var.zone_cloud node_count = 1 node_config { - machine_type = "${lookup(var.cloud, "machine_type")}" + machine_type = var.cloud["machine_type"] // https://cloud.google.com/kubernetes-engine/docs/how-to/access-scopes // Enable private gcr.io read access for the same project @@ -205,35 +218,38 @@ resource "google_container_node_pool" "staging_cloud_cluster" { } lifecycle { - ignore_changes = ["id", "node_config.0.metadata"] + ignore_changes = [ + id, + "node_config[0].metadata", + ] } } resource "google_bigquery_dataset" "staging-log-sink-dataset" { dataset_id = "staging_gke_elasticsearch_log_dataset" - project = "${var.project}" + project = var.project location = "US" default_table_expiration_ms = "3600000" - labels { + labels = { env = "default" } } resource "google_logging_project_sink" "staging-bigquery-sink" { name = "gke-enterprise-demo-staging-gke-elasticsearch-log-sink" - project = "${var.project}" + project = var.project destination = "bigquery.googleapis.com/projects/${var.project}/datasets/${google_bigquery_dataset.staging-log-sink-dataset.dataset_id}" filter = "resource.type=container" unique_writer_identity = true } resource "google_project_iam_binding" "staging_bigquery-sink-permissions" { - project = "${var.project}" + project = var.project role = "roles/bigquery.dataEditor" members = [ - "${google_logging_project_sink.staging-bigquery-sink.writer_identity}", + google_logging_project_sink.staging-bigquery-sink.writer_identity, ] } 
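Review bot: `google_project_iam_binding` for `roles/bigquery.dataEditor` is authoritative for that role at project scope, so on apply it strips every other principal that currently holds `roles/bigquery.dataEditor` on `var.project` and leaves only the sink's writer identity. This hunk only drops the interpolation quotes around the member, so the behaviour is not new, but the migration is a good moment to replace it with the non-authoritative `google_project_iam_member` (`member = google_logging_project_sink.staging-bigquery-sink.writer_identity`), or better, to grant the role on the dataset alone through the dataset's `access` block, since the sink only writes to `staging_gke_elasticsearch_log_dataset`. Either change also removes the project-wide write grant currently handed to the sink's service account.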
diff --git a/terraform/variables.tf b/terraform/variables.tf index b9707af..df7907f 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -16,7 +16,7 @@ limitations under the License. // Required variables variable "project" { - type = "string" + type = string } // Optional variables @@ -33,7 +33,7 @@ variable "zone_on_prem" { } variable "zone_on_prem_failover" { - type = "list" + type = list(string) default = ["us-central1-b", "us-central1-c"] } @@ -43,7 +43,7 @@ variable "zone_cloud" { variable "cloud" { description = "the cloud" - type = "map" + type = map(string) default = { primary_range = "10.1.0.0/17" @@ -55,7 +55,7 @@ variable "cloud" { variable "on_prem" { description = "the on prem dc" - type = "map" + type = map(string) default = { primary_range = "10.2.0.0/17" @@ -71,6 +71,6 @@ variable "gke_master_version" { // this map should be set should more labels be required to identify the container clusters and node groups variable "labels" { - type = "map" + type = map(string) default = {} } diff --git a/terraform/versions.tf b/terraform/versions.tf new file mode 100644 index 0000000..c51f32c --- /dev/null +++ b/terraform/versions.tf @@ -0,0 +1,19 @@ +/* +Copyright 2018 Google LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +terraform { + required_version = ">= 0.12" +}
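Review bot: `variable "project"` gains `type = string` but still has no `description`, and it is the one required input of this configuration, so a plan run without `-var` prompts with nothing but the bare name. I would add `description = "GCP project ID in which the staging resources are created"` beside the type. Within these hunks only `cloud` and `on_prem` carry a description; `zone_on_prem_failover` and `labels` would benefit from a one-line description as well.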
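Review bot: `required_version = ">= 0.12"` has no upper bound, while the provider version is still pinned only through the `version` argument inside the `provider "google"` block in provider.tf; from 0.13 on, as I recall, that argument is deprecated in favour of `required_providers`, so a newer binary that satisfies `>= 0.12` would run against a provider whose pin it no longer honours. Adding `required_providers { google = "~> 2.11.0" }` inside this `terraform` block is valid 0.12 syntax and keeps both constraints in one file, with the block in provider.tf left as is for now.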