diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..1c8cb71
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,50 @@
+name: Check quality gates
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  tflint:
+    name: Run TFlint
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+      name: Checkout source code
+
+    - uses: actions/cache@v2
+      name: Cache plugin dir
+      with:
+        path: ~/.tflint.d/plugins
+        key: ubuntu-latest-tflint-${{ hashFiles('.tflint.hcl') }}
+
+    - uses: terraform-linters/setup-tflint@v2
+      name: Setup TFLint
+      with:
+        tflint_version: v0.42.2
+
+    - name: Show version
+      run: tflint --version
+
+    - name: Init TFLint
+      run: tflint --init
+
+    - name: Run TFLint
+      run: tflint -f compact
+  fmt:
+    name: Run Terraform format
+    runs-on: ubuntu-latest
+
+    steps: 
+    - uses: actions/checkout@v2
+      name: Checkout source code
+
+    - uses: hashicorp/setup-terraform@v2
+      with:
+        terraform_version: 1.1.7
+      name: Install Terraform
+
+    - name: Run terraform fmt
+      run: terraform fmt -check=true -write=false
diff --git a/main.tf b/main.tf
index 2b2ecd9..498c6b0 100644
--- a/main.tf
+++ b/main.tf
@@ -12,15 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-terraform {
-  required_version = ">= 0.13"
-}
-
-provider "google" {
-  project = var.project
-  region  = var.region
-}
-
 data "google_project" "project" {}
 
 data "google_client_openid_userinfo" "provider_identity" {}
@@ -44,29 +35,31 @@ locals {
   dataflow_temporary_gcs_bucket_path = "tmp/"
 
   dataflow_splunk_template_gcs_path = "gs://dataflow-templates/${var.dataflow_template_version}/Cloud_PubSub_to_Splunk"
+  # tflint-ignore: terraform_unused_declarations
   dataflow_pubsub_template_gcs_path = "gs://dataflow-templates/${var.dataflow_template_version}/Cloud_PubSub_to_Cloud_PubSub"
 
   # If provided, set Dataflow worker to new user-managed service account;
   # otherwise, use Compute Engine default service account
   dataflow_worker_service_account = ((var.dataflow_worker_service_account != "")
     ? "${var.dataflow_worker_service_account}@${var.project}.iam.gserviceaccount.com"
-    : "${data.google_project.project.number}-compute@developer.gserviceaccount.com")
+  : "${data.google_project.project.number}-compute@developer.gserviceaccount.com")
 
-  subnet_name = coalesce(var.subnet, "${var.network}-${var.region}")
+  subnet_name           = coalesce(var.subnet, "${var.network}-${var.region}")
   project_log_sink_name = "${var.dataflow_job_name}-project-log-sink"
+  # tflint-ignore: terraform_unused_declarations
   organization_log_sink_name = "${var.dataflow_job_name}-organization-log-sink"
 
-  dataflow_main_job_name = "${var.dataflow_job_name}-main-${random_id.dataflow_job_instance.hex}"
+  dataflow_main_job_name   = "${var.dataflow_job_name}-main-${random_id.dataflow_job_instance.hex}"
   dataflow_replay_job_name = "${var.dataflow_job_name}-replay-${random_id.dataflow_job_instance.hex}"
 
-  dataflow_input_topic_name = "${var.dataflow_job_name}-input-topic"
-  dataflow_input_subscription_name = "${var.dataflow_job_name}-input-subscription"
+  dataflow_input_topic_name             = "${var.dataflow_job_name}-input-topic"
+  dataflow_input_subscription_name      = "${var.dataflow_job_name}-input-subscription"
   dataflow_output_deadletter_topic_name = "${var.dataflow_job_name}-deadletter-topic"
-  dataflow_output_deadletter_sub_name = "${var.dataflow_job_name}-deadletter-subscription"
+  dataflow_output_deadletter_sub_name   = "${var.dataflow_job_name}-deadletter-subscription"
 
   # Dataflow job parameters (not externalized for this project)
-  dataflow_job_include_pubsub_message = true
-  dataflow_job_enable_batch_logs = false
+  dataflow_job_include_pubsub_message       = true
+  dataflow_job_enable_batch_logs            = false
   dataflow_job_enable_gzip_http_compression = true
 
   # Metrics scope for Monitoring dashboard defaults to project unless explicitly provided
@@ -83,7 +76,7 @@ resource "google_pubsub_subscription" "dataflow_input_pubsub_subscription" {
 
   # messages retained for 7 days (max)
   message_retention_duration = "604800s"
-  ack_deadline_seconds = 30
+  ack_deadline_seconds       = 30
 
   # subscription never expires
   expiration_policy {
@@ -92,9 +85,9 @@ resource "google_pubsub_subscription" "dataflow_input_pubsub_subscription" {
 }
 
 resource "google_logging_project_sink" "project_log_sink" {
-  name = local.project_log_sink_name
+  name        = local.project_log_sink_name
   destination = "pubsub.googleapis.com/projects/${var.project}/topics/${google_pubsub_topic.dataflow_input_pubsub_topic.name}"
-  filter = var.log_filter
+  filter      = var.log_filter
 
   unique_writer_identity = true
 }
@@ -109,17 +102,17 @@ resource "google_logging_project_sink" "project_log_sink" {
 # }
 
 output "dataflow_job_id" {
-    value = google_dataflow_job.dataflow_job.job_id
+  value = google_dataflow_job.dataflow_job.job_id
 }
 
 output "dataflow_input_topic" {
-    value = google_pubsub_topic.dataflow_input_pubsub_topic.name
+  value = google_pubsub_topic.dataflow_input_pubsub_topic.name
 }
 
 output "dataflow_output_deadletter_subscription" {
-    value = google_pubsub_subscription.dataflow_deadletter_pubsub_sub.name
+  value = google_pubsub_subscription.dataflow_deadletter_pubsub_sub.name
 }
 
 output "dataflow_log_export_dashboard" {
-    value = google_monitoring_dashboard.splunk-export-pipeline-dashboard.id
+  value = google_monitoring_dashboard.splunk-export-pipeline-dashboard.id
 }
diff --git a/monitoring.tf b/monitoring.tf
index 56dadcd..daf7b33 100644
--- a/monitoring.tf
+++ b/monitoring.tf
@@ -14,13 +14,13 @@
 
 resource "google_monitoring_group" "splunk-export-pipeline-group" {
   display_name = "Splunk Log Export Group"
-  project = local.scoping_project
+  project      = local.scoping_project
 
   filter = "resource.metadata.name=starts_with(\"${var.dataflow_job_name}\")"
 }
 
 resource "google_monitoring_dashboard" "splunk-export-pipeline-dashboard" {
-  project = local.scoping_project
+  project        = local.scoping_project
   dashboard_json = <<EOF
 {
   "displayName": "Splunk Log Export Ops",
diff --git a/network.tf b/network.tf
index 3c1d434..f880dd6 100644
--- a/network.tf
+++ b/network.tf
@@ -27,12 +27,12 @@ resource "google_compute_subnetwork" "splunk_subnet" {
 resource "google_dns_policy" "splunk_network_dns_policy" {
   count = var.create_network == true ? 1 : 0
 
-  name           = "${var.network}-dns-policy"
+  name = "${var.network}-dns-policy"
 
   enable_logging = true
 
   networks {
-    network_url =  google_compute_network.splunk_export[count.index].id
+    network_url = google_compute_network.splunk_export[count.index].id
   }
 }
 
@@ -59,7 +59,7 @@ resource "google_compute_router_nat" "dataflow_nat" {
   region                             = google_compute_router.dataflow_to_splunk_router[count.index].region
   nat_ip_allocate_option             = "MANUAL_ONLY"
   source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
-  nat_ips                            = google_compute_address.dataflow_nat_ip_address.*.self_link
+  nat_ips                            = google_compute_address.dataflow_nat_ip_address[*].self_link
   min_ports_per_vm                   = 128
   subnetwork {
     name                    = google_compute_subnetwork.splunk_subnet[count.index].id
diff --git a/permissions.tf b/permissions.tf
index 9ff943c..e557a72 100644
--- a/permissions.tf
+++ b/permissions.tf
@@ -14,26 +14,26 @@
 
 resource "google_pubsub_topic_iam_binding" "input_sub_publisher" {
   project = google_pubsub_topic.dataflow_input_pubsub_topic.project
-  topic = google_pubsub_topic.dataflow_input_pubsub_topic.name
-  role = "roles/pubsub.publisher"
+  topic   = google_pubsub_topic.dataflow_input_pubsub_topic.name
+  role    = "roles/pubsub.publisher"
   members = [
     google_logging_project_sink.project_log_sink.writer_identity
   ]
 }
 
 resource "google_pubsub_subscription_iam_binding" "input_sub_subscriber" {
-  project = google_pubsub_subscription.dataflow_input_pubsub_subscription.project
+  project      = google_pubsub_subscription.dataflow_input_pubsub_subscription.project
   subscription = google_pubsub_subscription.dataflow_input_pubsub_subscription.name
-  role = "roles/pubsub.subscriber"
+  role         = "roles/pubsub.subscriber"
   members = [
     "serviceAccount:${local.dataflow_worker_service_account}"
   ]
 }
 
 resource "google_pubsub_subscription_iam_binding" "input_sub_viewer" {
-  project = google_pubsub_subscription.dataflow_input_pubsub_subscription.project
+  project      = google_pubsub_subscription.dataflow_input_pubsub_subscription.project
   subscription = google_pubsub_subscription.dataflow_input_pubsub_subscription.name
-  role = "roles/pubsub.viewer"
+  role         = "roles/pubsub.viewer"
   members = [
     "serviceAccount:${local.dataflow_worker_service_account}"
   ]
@@ -41,8 +41,8 @@ resource "google_pubsub_subscription_iam_binding" "input_sub_viewer" {
 
 resource "google_pubsub_topic_iam_binding" "deadletter_topic_publisher" {
   project = google_pubsub_topic.dataflow_deadletter_pubsub_topic.project
-  topic = google_pubsub_topic.dataflow_deadletter_pubsub_topic.name
-  role = "roles/pubsub.publisher"
+  topic   = google_pubsub_topic.dataflow_deadletter_pubsub_topic.name
+  role    = "roles/pubsub.publisher"
   members = [
     "serviceAccount:${local.dataflow_worker_service_account}"
   ]
@@ -50,7 +50,7 @@ resource "google_pubsub_topic_iam_binding" "deadletter_topic_publisher" {
 
 resource "google_storage_bucket_iam_binding" "dataflow_worker_bucket_access" {
   bucket = google_storage_bucket.dataflow_job_temp_bucket.name
-  role = "roles/storage.objectAdmin"
+  role   = "roles/storage.objectAdmin"
   members = [
     "serviceAccount:${local.dataflow_worker_service_account}"
   ]
@@ -58,7 +58,7 @@ resource "google_storage_bucket_iam_binding" "dataflow_worker_bucket_access" {
 
 resource "google_project_iam_binding" "dataflow_worker_role" {
   project = var.project
-  role = "roles/dataflow.worker"
+  role    = "roles/dataflow.worker"
   members = [
     "serviceAccount:${local.dataflow_worker_service_account}"
   ]
@@ -73,11 +73,11 @@ resource "google_project_iam_binding" "dataflow_worker_role" {
 # deployment will return an error. For security purposes, we do not modify access to existing
 # default Compute Engine service account
 resource "google_service_account_iam_binding" "terraform_caller_impersonate_dataflow_worker" {
-  count = (var.dataflow_worker_service_account != "") ? 1 : 0
+  count              = (var.dataflow_worker_service_account != "") ? 1 : 0
   service_account_id = google_service_account.dataflow_worker_service_account[0].id
-  role = "roles/iam.serviceAccountUser"
+  role               = "roles/iam.serviceAccountUser"
 
   members = [
-      "user:${data.google_client_openid_userinfo.provider_identity.email}"
+    "user:${data.google_client_openid_userinfo.provider_identity.email}"
   ]
 }
\ No newline at end of file
diff --git a/pipeline.tf b/pipeline.tf
index b43264c..a53a4a1 100644
--- a/pipeline.tf
+++ b/pipeline.tf
@@ -31,50 +31,50 @@ resource "google_pubsub_subscription" "dataflow_deadletter_pubsub_sub" {
 }
 
 resource "google_storage_bucket" "dataflow_job_temp_bucket" {
-  name = local.dataflow_temporary_gcs_bucket_name
-  location = var.region
+  name          = local.dataflow_temporary_gcs_bucket_name
+  location      = var.region
   storage_class = "REGIONAL"
 }
 
 resource "google_storage_bucket_object" "dataflow_job_temp_object" {
-  name = local.dataflow_temporary_gcs_bucket_path
+  name    = local.dataflow_temporary_gcs_bucket_path
   content = "Placeholder for Dataflow to write temporary files"
-  bucket = google_storage_bucket.dataflow_job_temp_bucket.name
+  bucket  = google_storage_bucket.dataflow_job_temp_bucket.name
 }
 
 resource "google_service_account" "dataflow_worker_service_account" {
-  count = (var.dataflow_worker_service_account != "") ? 1 : 0
-  account_id = var.dataflow_worker_service_account
-  display_name =  "Dataflow worker service account to execute pipeline operations"
+  count        = (var.dataflow_worker_service_account != "") ? 1 : 0
+  account_id   = var.dataflow_worker_service_account
+  display_name = "Dataflow worker service account to execute pipeline operations"
 }
 
 resource "google_dataflow_job" "dataflow_job" {
-  name = local.dataflow_main_job_name
-  template_gcs_path = local.dataflow_splunk_template_gcs_path
-  temp_gcs_location = "gs://${local.dataflow_temporary_gcs_bucket_name}/${local.dataflow_temporary_gcs_bucket_path}"
+  name                  = local.dataflow_main_job_name
+  template_gcs_path     = local.dataflow_splunk_template_gcs_path
+  temp_gcs_location     = "gs://${local.dataflow_temporary_gcs_bucket_name}/${local.dataflow_temporary_gcs_bucket_path}"
   service_account_email = local.dataflow_worker_service_account
-  machine_type = var.dataflow_job_machine_type
-  max_workers = var.dataflow_job_machine_count
+  machine_type          = var.dataflow_job_machine_type
+  max_workers           = var.dataflow_job_machine_count
   parameters = merge({
-    inputSubscription = google_pubsub_subscription.dataflow_input_pubsub_subscription.id
-    outputDeadletterTopic = google_pubsub_topic.dataflow_deadletter_pubsub_topic.id
-    url       = var.splunk_hec_url
-    token     = var.splunk_hec_token
-    parallelism = var.dataflow_job_parallelism
-    batchCount = var.dataflow_job_batch_count
-    includePubsubMessage = local.dataflow_job_include_pubsub_message
+    inputSubscription            = google_pubsub_subscription.dataflow_input_pubsub_subscription.id
+    outputDeadletterTopic        = google_pubsub_topic.dataflow_deadletter_pubsub_topic.id
+    url                          = var.splunk_hec_url
+    token                        = var.splunk_hec_token
+    parallelism                  = var.dataflow_job_parallelism
+    batchCount                   = var.dataflow_job_batch_count
+    includePubsubMessage         = local.dataflow_job_include_pubsub_message
     disableCertificateValidation = var.dataflow_job_disable_certificate_validation
-    enableBatchLogs = local.dataflow_job_enable_batch_logs                          # Supported as of 2022-03-21-00_RC01
-    enableGzipHttpCompression = local.dataflow_job_enable_gzip_http_compression     # Supported as of 2022-04-25-00_RC00
-  },
+    enableBatchLogs              = local.dataflow_job_enable_batch_logs            # Supported as of 2022-03-21-00_RC01
+    enableGzipHttpCompression    = local.dataflow_job_enable_gzip_http_compression # Supported as of 2022-04-25-00_RC00
+    },
     (var.dataflow_job_udf_gcs_path != "" && var.dataflow_job_udf_function_name != "") ?
     {
-      javascriptTextTransformGcsPath = var.dataflow_job_udf_gcs_path
+      javascriptTextTransformGcsPath      = var.dataflow_job_udf_gcs_path
       javascriptTextTransformFunctionName = var.dataflow_job_udf_function_name
-    } : {})
-  region = var.region
-  network = var.network
-  subnetwork = "regions/${var.region}/subnetworks/${local.subnet_name}"
+  } : {})
+  region           = var.region
+  network          = var.network
+  subnetwork       = "regions/${var.region}/subnetworks/${local.subnet_name}"
   ip_configuration = "WORKER_IP_PRIVATE"
 
   depends_on = [
diff --git a/providers.tf b/providers.tf
new file mode 100644
index 0000000..eb71240
--- /dev/null
+++ b/providers.tf
@@ -0,0 +1,6 @@
+provider "random" {}
+
+provider "google" {
+  project = var.project
+  region  = var.region
+}
diff --git a/variables.tf b/variables.tf
index 972788b..bf681fe 100644
--- a/variables.tf
+++ b/variables.tf
@@ -13,10 +13,12 @@
 # limitations under the License.
 
 variable "project" {
+  type        = string
   description = "Project for Dataflow job deployment"
 }
 
 variable "region" {
+  type        = string
   description = "Region to deploy regional-resources into. This must match subnet's region if deploying into existing network (e.g. Shared VPC)"
 }
 
@@ -28,11 +30,13 @@ variable "create_network" {
 
 variable "network" {
   description = "Network to deploy into"
+  type        = string
 }
 
 variable "subnet" {
+  type        = string
   description = "Subnet to deploy into. This is required when deploying into existing network (e.g. Shared VPC)"
-  default = ""
+  default     = ""
 }
 
 variable "primary_subnet_cidr" {
@@ -44,30 +48,34 @@ variable "primary_subnet_cidr" {
 # Dashboard parameters
 
 variable "scoping_project" {
+  type        = string
   description = "Cloud Monitoring scoping project to create dashboard under. This assumes a pre-existing scoping project whose metrics scope contains the service project. If parameter is empty, scoping project defaults to service project where dataflow job is running."
-  default = ""
+  default     = ""
 }
 
 # Log sink details
 
 variable "log_filter" {
+  type        = string
   description = "Log filter to use when exporting logs"
 }
 
 # Dataflow job output
 
 variable "splunk_hec_url" {
+  type        = string
   description = "Splunk HEC URL to write data to. Example: https://[MY_SPLUNK_IP_OR_FQDN]:8088"
-  
+
   validation {
-    condition = can(regex("https?://.*(:[0-9]+)?", var.splunk_hec_url))
+    condition     = can(regex("https?://.*(:[0-9]+)?", var.splunk_hec_url))
     error_message = "Splunk HEC url must of the form <protocol>://<host>:<port> ."
   }
 }
 
 variable "splunk_hec_token" {
+  type        = string
   description = "Splunk HEC token"
-  sensitive = true
+  sensitive   = true
 }
 
 # Dataflow job parameters
@@ -85,50 +93,54 @@ variable "dataflow_worker_service_account" {
 
   validation {
     condition = (var.dataflow_worker_service_account == "" ||
-                can(regex("[a-z]([-a-z0-9]*[a-z0-9])", var.dataflow_worker_service_account)))
+    can(regex("[a-z]([-a-z0-9]*[a-z0-9])", var.dataflow_worker_service_account)))
     error_message = "Dataflow worker service account id must match the regular expression [a-z]([-a-z0-9]*[a-z0-9])."
   }
 }
 
 variable "dataflow_job_name" {
+  type        = string
   description = "Dataflow job name. No spaces"
 }
 
 variable "dataflow_job_machine_type" {
+  type        = string
   description = "Dataflow job worker machine type"
-  default = "n1-standard-4"
+  default     = "n1-standard-4"
 }
 
 variable "dataflow_job_machine_count" {
   description = "Dataflow job max worker count. Defaults to 2."
-  type = number
-  default = 2
+  type        = number
+  default     = 2
 }
 
 variable "dataflow_job_parallelism" {
   description = "Maximum parallel requests to Splunk. Defaults to 8."
-  type = number
-  default = 8
+  type        = number
+  default     = 8
 }
 
 variable "dataflow_job_batch_count" {
   description = "Batch count of messages in single request to Splunk. Defaults to 50."
-  type = number
-  default = 50
+  type        = number
+  default     = 50
 }
 
 variable "dataflow_job_disable_certificate_validation" {
   description = "Disable SSL certificate validation (default: false)"
-  type = bool
-  default = false
+  type        = bool
+  default     = false
 }
 
 variable "dataflow_job_udf_gcs_path" {
+  type        = string
   description = "[Optional Dataflow UDF] GCS path for JavaScript file (default: '')"
-  default = ""
+  default     = ""
 }
 
 variable "dataflow_job_udf_function_name" {
+  type        = string
   description = "[Optional Dataflow UDF] Name of JavaScript function to be called (default: '')"
-  default = ""
+  default     = ""
 }
diff --git a/versions.tf b/versions.tf
new file mode 100644
index 0000000..9c285bf
--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,13 @@
+terraform {
+  required_version = ">= 0.14.4"
+  required_providers {
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 2.1.0"
+    }
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 3.54.0"
+    }
+  }
+}