diff --git a/tf/bao.tf b/tf/bao.tf
index e32691a..7539400 100644
--- a/tf/bao.tf
+++ b/tf/bao.tf
@@ -3,8 +3,8 @@ resource "vault_auth_backend" "kubernetes" {
 }
 
 resource "vault_kubernetes_auth_backend_config" "example" {
- backend = vault_auth_backend.kubernetes.path
- kubernetes_host = "https://kubernetes.default.svc.cluster.local:443"
+ backend = vault_auth_backend.kubernetes.path
+ kubernetes_host = "https://kubernetes.default.svc.cluster.local:443"
 }
 
 resource "vault_kubernetes_auth_backend_role" "k8s-default" {
@@ -13,7 +13,7 @@ resource "vault_kubernetes_auth_backend_role" "k8s-default" {
 bound_service_account_names = ["default"]
 bound_service_account_namespaces = ["*"]
 token_ttl = 3600
- token_policies = [
+ token_policies = [
 vault_policy.k8s_default.name
 ]
 }
@@ -30,6 +30,6 @@ resource "vault_policy" "k8s_default" {
 policy = templatefile("bao-policies/k8s-default.hcl", {
 k8s_auth_backend_accessor = vault_auth_backend.kubernetes.accessor,
- k8s_secrets_path = vault_mount.static_secrets.path,
+ k8s_secrets_path = vault_mount.static_secrets.path,
 })
 }
diff --git a/tf/keycloak-clients.tf b/tf/keycloak-clients.tf
index 62d40b2..ed5d17b 100644
--- a/tf/keycloak-clients.tf
+++ b/tf/keycloak-clients.tf
@@ -2,16 +2,16 @@ module "keycloak_client_tofu" {
 source = "./keycloak-client"
- realm = keycloak_realm.dev.id
+ realm = keycloak_realm.dev.id
 vault_mount = vault_mount.static_secrets.path
- client_id = "tofu"
+ client_id = "tofu"
 service_accounts_enabled = true
 }
 
 data "keycloak_openid_client" "realm_management" {
- realm_id = keycloak_realm.dev.id
- client_id = "realm-management"
+ realm_id = keycloak_realm.dev.id
+ client_id = "realm-management"
 }
 
 resource "keycloak_openid_client_service_account_role" "client_service_account_role" {
diff --git a/tf/keycloak-normal-flow.tf b/tf/keycloak-normal-flow.tf
index aba91dc..fa83f9a 100644
--- a/tf/keycloak-normal-flow.tf
+++ b/tf/keycloak-normal-flow.tf
@@ -1,6 +1,6 @@
 resource "keycloak_authentication_flow" "webauthn_browser" {
- realm_id = keycloak_realm.dev.id
- alias = "webauthn_browser"
+ realm_id = keycloak_realm.dev.id
+ alias = "webauthn_browser"
 description = "browser based authentication"
 }
 
@@ -18,20 +18,20 @@ resource "keycloak_authentication_subflow" "webauthn_flow" {
 parent_flow_alias = keycloak_authentication_flow.webauthn_browser.alias
 provider_id = "basic-flow"
 requirement = "ALTERNATIVE"
- depends_on = [ keycloak_authentication_execution.auth_cookie ]
+ depends_on = [keycloak_authentication_execution.auth_cookie]
 }
 
 resource "keycloak_authentication_execution" "user_pass" {
- realm_id = keycloak_realm.dev.id
+ realm_id = keycloak_realm.dev.id
 parent_flow_alias = keycloak_authentication_subflow.webauthn_flow.alias
- authenticator = "auth-username-password-form"
- requirement = "REQUIRED"
+ authenticator = "auth-username-password-form"
+ requirement = "REQUIRED"
 }
 
 resource "keycloak_authentication_execution" "webauthn" {
- realm_id = keycloak_realm.dev.id
+ realm_id = keycloak_realm.dev.id
 parent_flow_alias = keycloak_authentication_subflow.webauthn_flow.alias
- authenticator = "webauthn-authenticator"
- requirement = "REQUIRED"
+ authenticator = "webauthn-authenticator"
+ requirement = "REQUIRED"
 }
diff --git a/tf/keycloak-passkey-flow.tf b/tf/keycloak-passkey-flow.tf
index 5813bf8..f7b9f3f 100644
--- a/tf/keycloak-passkey-flow.tf
+++ b/tf/keycloak-passkey-flow.tf
@@ -1,6 +1,6 @@
 resource "keycloak_authentication_flow" "passkey" {
- realm_id = keycloak_realm.dev.id
- alias = "passkey"
+ realm_id = keycloak_realm.dev.id
+ alias = "passkey"
 description = "browser based authentication"
 }
 
@@ -17,14 +17,14 @@ resource "keycloak_authentication_subflow" "passkey_forms" {
 parent_flow_alias = keycloak_authentication_flow.passkey.alias
 provider_id = "basic-flow"
 requirement = "ALTERNATIVE"
- depends_on = [ keycloak_authentication_execution.auth_cookie ]
+ depends_on = [keycloak_authentication_execution.auth_cookie]
 }
 
 resource "keycloak_authentication_execution" "passkey_username" {
- realm_id = keycloak_realm.dev.id
+ realm_id = keycloak_realm.dev.id
 parent_flow_alias = keycloak_authentication_subflow.passkey_forms.alias
- authenticator = "auth-username-form"
- requirement = "REQUIRED"
+ authenticator = "auth-username-form"
+ requirement = "REQUIRED"
 }
 
 resource "keycloak_authentication_subflow" "passkey_passwordless_or_2fa" {
@@ -33,15 +33,15 @@ resource "keycloak_authentication_subflow" "passkey_passwordless_or_2fa" {
 parent_flow_alias = keycloak_authentication_subflow.passkey_forms.alias
 provider_id = "basic-flow"
 requirement = "REQUIRED"
- depends_on = [ keycloak_authentication_execution.passkey_username ]
+ depends_on = [keycloak_authentication_execution.passkey_username]
 }
 
 resource "keycloak_authentication_execution" "passkey_webauthn_passwordless" {
- realm_id = keycloak_realm.dev.id
+ realm_id = keycloak_realm.dev.id
 parent_flow_alias = keycloak_authentication_subflow.passkey_passwordless_or_2fa.alias
- authenticator = "webauthn-authenticator-passwordless"
- requirement = "ALTERNATIVE"
- depends_on = [ keycloak_authentication_execution.passkey_username ]
+ authenticator = "webauthn-authenticator-passwordless"
+ requirement = "ALTERNATIVE"
+ depends_on = [keycloak_authentication_execution.passkey_username]
 }
 
 resource "keycloak_authentication_subflow" "passkey_password_and_second_factor" {
@@ -53,10 +53,10 @@ resource "keycloak_authentication_subflow" "passkey_password_and_second_factor"
 }
 
 resource "keycloak_authentication_execution" "passkey_password" {
- realm_id = keycloak_realm.dev.id
+ realm_id = keycloak_realm.dev.id
 parent_flow_alias = keycloak_authentication_subflow.passkey_password_and_second_factor.alias
- authenticator = "auth-password-form"
- requirement = "REQUIRED"
+ authenticator = "auth-password-form"
+ requirement = "REQUIRED"
 }
 
 resource "keycloak_authentication_subflow" "passkey_second_factor" {
@@ -68,22 +68,22 @@ resource "keycloak_authentication_subflow" "passkey_second_factor" {
 }
 
 resource "keycloak_authentication_execution" "passkey_user_configured_condition" {
- realm_id = keycloak_realm.dev.id
+ realm_id = keycloak_realm.dev.id
 parent_flow_alias = keycloak_authentication_subflow.passkey_second_factor.alias
- authenticator = "conditional-user-configured"
- requirement = "REQUIRED"
+ authenticator = "conditional-user-configured"
+ requirement = "REQUIRED"
 }
 
 resource "keycloak_authentication_execution" "passkey_webauthn" {
- realm_id = keycloak_realm.dev.id
+ realm_id = keycloak_realm.dev.id
 parent_flow_alias = keycloak_authentication_subflow.passkey_second_factor.alias
- authenticator = "webauthn-authenticator"
- requirement = "ALTERNATIVE"
+ authenticator = "webauthn-authenticator"
+ requirement = "ALTERNATIVE"
 }
 
 resource "keycloak_authentication_execution" "passkey_otp" {
- realm_id = keycloak_realm.dev.id
+ realm_id = keycloak_realm.dev.id
 parent_flow_alias = keycloak_authentication_subflow.passkey_second_factor.alias
- authenticator = "auth-otp-form"
- requirement = "ALTERNATIVE"
+ authenticator = "auth-otp-form"
+ requirement = "ALTERNATIVE"
 }
diff --git a/tf/keycloak.tf b/tf/keycloak.tf
index f777612..9370843 100644
--- a/tf/keycloak.tf
+++ b/tf/keycloak.tf
@@ -1,11 +1,11 @@
 resource "keycloak_realm" "dev" {
- realm = "dev.janky.solutions"
- enabled = true
- display_name = "Janky Solutions (dev)"
+ realm = "dev.janky.solutions"
+ enabled = true
+ display_name = "Janky Solutions (dev)"
 default_signature_algorithm = "RS256"
 }
 
 resource "keycloak_authentication_bindings" "browser_authentication_binding" {
- realm_id = keycloak_realm.dev.id
- browser_flow = keycloak_authentication_flow.passkey.alias
+ realm_id = keycloak_realm.dev.id
+ browser_flow = keycloak_authentication_flow.passkey.alias
 }
diff --git a/tf/providers.tf b/tf/providers.tf
index 1af373c..ac98a59 100644
--- a/tf/providers.tf
+++ b/tf/providers.tf
@@ -1,9 +1,9 @@
 data "terraform_remote_state" "kube" {
 backend = "kubernetes"
 config = {
- secret_suffix = "state"
- namespace = "tofu"
- config_path = "../.kubeconfig"
+ secret_suffix = "state"
+ namespace = "tofu"
+ config_path = "../.kubeconfig"
 }
 }
 
@@ -12,13 +12,13 @@ provider "vault" {}
 terraform {
 required_providers {
 keycloak = {
- source = "mrparkers/keycloak"
+ source = "mrparkers/keycloak"
 version = ">= 4.0.0"
 }
 }
 }
 
 provider "keycloak" {
- realm = "dev.janky.solutions"
- url = "https://auth.janky.solutions"
+ realm = "dev.janky.solutions"
+ url = "https://auth.janky.solutions"
 }