diff --git a/modules/regional-service/main.tf b/modules/regional-service/main.tf
index 189044fa..eab5165b 100644
--- a/modules/regional-service/main.tf
+++ b/modules/regional-service/main.tf
@@ -290,35 +290,35 @@ resource "google_monitoring_alert_policy" "anomalous-service-access" { logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Factivity" protoPayload.serviceName="run.googleapis.com" protoPayload.resourceName=("${join("\" OR \"", concat([ - "namespaces/${var.project_id}/services/${var.name}" - ], - [ - for region in keys(var.regions) : "projects/${var.project_id}/locations/${region}/services/${var.name}" - ]))}") + "namespaces/${var.project_id}/services/${var.name}" + ], + [ + for region in keys(var.regions) : "projects/${var.project_id}/locations/${region}/services/${var.name}" + ]))}") -- Allow CI to reconcile services and their IAM policies. -( protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}" protoPayload.methodName=("${join("\" OR \"", [ - "google.cloud.run.v2.Services.CreateService", - "google.cloud.run.v2.Services.UpdateService", - "google.cloud.run.v2.Services.SetIamPolicy", -])}") + "google.cloud.run.v2.Services.CreateService", + "google.cloud.run.v2.Services.UpdateService", + "google.cloud.run.v2.Services.SetIamPolicy", + ])}") ) EOT -label_extractors = { - "email" = "EXTRACT(protoPayload.authenticationInfo.principalEmail)" - "method_name" = "EXTRACT(protoPayload.methodName)" - "user_agent" = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")" -} -} + label_extractors = { + "email" = "EXTRACT(protoPayload.authenticationInfo.principalEmail)" + "method_name" = "EXTRACT(protoPayload.methodName)" + "user_agent" = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")" + } + } } -notification_channels = var.notification_channels + notification_channels = var.notification_channels -enabled = "true" -project = var.project_id + enabled = "true" + project = var.project_id } // When the service is behind a load balancer, then it is publicly exposed and responsible