diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 93cda0b..8f0b325 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,20 +1,27 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.48.0
+ rev: v1.83.5
hooks:
# - id: terraform_validate
- id: terraform_fmt
- - id: terraform_docs_replace
- args: ['table']
- exclude: common/*.tf
+# - id: terraform_docs_replace
+# args: ['table']
+# exclude: common/*.tf
+# exclude: version.tf
+# exclude: examples
+ - id: terraform_docs
exclude: version.tf
- exclude: examples/
- - id: terraform_tflint
- args: [ "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"]
- exclude: examples/
+ exclude: examples
+ args:
+ - --args=--config .terraform-docs.yml
+# - id: terraform_tflint
+# args: [ "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"]
+# exclude: examples
+
- repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v3.4.0
+ rev: v4.5.0
hooks:
- id: check-symlinks
- id: detect-aws-credentials
+ args: [ "--allow-missing-credentials" ]
- id: detect-private-key
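Review bot: The `terraform_docs` hook mapping now carries two `exclude` keys (the context line `exclude: version.tf` and the added `exclude: examples`); YAML loaders keep the last one, so `version.tf` is silently not excluded at all. pre-commit's `exclude` is a single Python regex, so fold them into one key: `exclude: '^(version\.tf|examples/)'`. The added `args` entry is written `--args=--config .terraform-docs.yml` with a space, which relies on the hook word-splitting the value; the form the pre-commit-terraform README uses is `--args=--config=.terraform-docs.yml`. With `terraform_validate` and `terraform_tflint` both commented out, `terraform_fmt` is the only Terraform check left on commit, and the `.tflint.hcl` referenced in the commented line is now unused.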
diff --git a/.terraform-docs.yml b/.terraform-docs.yml
new file mode 100644
index 0000000..418f24a
--- /dev/null
+++ b/.terraform-docs.yml
@@ -0,0 +1,45 @@
+formatter: markdown table
+
+header-from: main.tf
+footer-from: ""
+
+sections:
+## hide: []
+ show:
+ - data-sources
+ - header
+ - footer
+ - inputs
+ - modules
+ - outputs
+ - providers
+ - requirements
+ - resources
+
+output:
+ file: README.md
+ mode: replace
+# mode: inject
+# template: |-
+#
+# {{ .Content }}
+#
+
+## output-values:
+## enabled: false
+## from: ""
+##
+## sort:
+## enabled: true
+## by: name
+##
+## settings:
+## anchor: true
+## color: true
+## default: true
+## description: false
+## escape: true
+## indent: 2
+## required: true
+## sensitive: true
+## type: true
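Review bot: `output.mode: replace` makes terraform-docs overwrite README.md wholesale, and the README.md hunk in this commit shows the effect: the hand-written design notes (environment/account table, bucket naming scheme, GuardDuty move logic, replication role) are gone and only generated tables remain. Either switch to `mode: inject` and wrap the generated part of README.md in `<!-- BEGIN_TF_DOCS -->` / `<!-- END_TF_DOCS -->` markers so the narrative survives regeneration, or move that narrative into the `/* ... */` header in main.tf that `header-from: main.tf` picks up — the header added to main.tf in this commit contains only the title line. The commented `template` block (the lines around `{{ .Content }}`) has no markers, so uncommenting it together with `mode: inject` would not work as-is. The `##` double-hash comments are a style nit; a single `# ` per line is the yamllint convention.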
diff --git a/README.md b/README.md
index 452b42c..1d39d7f 100644
--- a/README.md
+++ b/README.md
@@ -1,105 +1,113 @@
-# DARHTS/DAPPS S3 Workflow
-
-## Environments
-
-| Environment | Account |
-|-------------|---------|
-| dev | ma41 |
-| ite | adsd-dapps-ite |
-| uat | adsd-dapps-test |
-| stage | adsd-dapps-stage |
-| prod | adsd-dapps-prod |
-| train | adsd-dapps-prod |
-
-## DARHTS buckets
-
-Three buckets per environment, for the following purposes:
-
-* in: uploaded files from DARHTS Salesforce
-* clean: after s3 scan, files which do not have threats are moved here via EventBridge and Lambda
-* quarantine: after s3 scan, files which may have threats or are unknown types (not no_threats) are moved here via EventBridge and Lambda
-
-v-s3-ditd-darhts-{env}-in-{account}-{region-short}
-v-s3-ditd-darhts-{env}-clean-{account}-{region-short}
-v-s3-ditd-darhts-{env}-quarantine-{account}-{region-short}
-
-The `clean` bucket will need versioning turned on for replication to the DAPPS bucket (below)
-All 3 buckets will use a bucket-specific KMS key.
-All 3 buckets will use bucket keys
-All 3 buckets will have finops tags for the DARHTS project accountable by DITD.
-
-The `in` bucket will have GuardDuty S3 Malware scanning enabled, which requires an IAM role and IAM Policy to allow the service
-to scan and tag. These will have the following names:
-
-p-{in-bucketname}-gd
-r-{in-bucketname}-gd
-
-where {in-bucketname} is the bucket id of the `in` bucket id, without the `v-s3-` prefix.
-These IAM objects will have finops tags for the DARHTS project accountable by DITD.
-Need to determine where the scan events go, and how OIS will be notified.
-
-An EventBridge will be setup for the GuardDuty scan with three targets. It will be named ditd-darhts-{env}-in-guardduty.
-
-1. Cloudwatch Log (format /aws/eventbridge/gd-{in-bucketname})
-1. DARHTS API
- * needs URL per environment
- * needs credentials per environment
- * credentials into AWS Secret under /apps/darhts/{env}/api-credentials
-1. Lambda (for the move, format guardduty-move-files-{in-bucketname})
- * BUCKET_IN = arn of in bucket
- * BUCKET_CLEAN = arn of clean bucket
- * BUCKET_QUARANTINE = arn of quarantine bucket
- * with a log /aws/lambda/{lambda-name}
- * Logic:
- * triggered by event bridge after scan
- * if scanned object tag is NO_THREATS_FOUND, copy to `clean` bucket, delete from `in` bucket
- * if scanned object tag is anything else, copy to `quarantine` bucket, delete from `in` bucket
-
-On creation in the `clean` bucket, S3 notification even will trigger another EventBridge named ditd-darhts-env-in-guardduty to send indication
-to DARHTS API the object has arrived in the clean bucket.
-
-### Access to Buckets
-
-An IAM service use will be created and it will be allowed to assume a role.
-
-IAM service:
-
-* Name: s-ditd-darhts-{env}-s3
-* finops tags for DARHTS project accountable by DITD
-* need to determine how to pass and rotate credentials every 90 days
-* will neeed contact (Census) name and email address (group desired)
-* permission allow it to assume the role for the file activity (below)
-
-IAM role:
-
-* Name: r-ditd-darhts-{env}-s3
-* finops tags for DARHTS project accountable by DITD
-* permissions to PUT into `in` bucket
-* permissions to GET and TAG for `clean` bucket
-
-## DAPPS buckets
-
-Same environments as above.
-
-Nne bucket per environment, for the following purposes:
-
-* clean: replicated files from DARHTS in bucket if no_threats AND sync-to-dapps tag set
-
-The format is:
-
-v-s3-adsd-dapps-{env}-clean-{account}-{region-short}
-
-Bucket replication from the v-s3-ditd-darhts-{env}-clean bucket to the v-s3-adsd-dapps-{env}-clean buckets
-will be handled by an IAM role with the name
-
-r-ditd-darhts-{env}-clean-{account}-{region-short}-replication
-
-Which has permission for GETs on the source bucket and PUTs on the target bucket.
-It has a rule which replicates all prefixes where TWO tag values match.
-
-# CHANGELOG
-
-* 1.0.0 -- 2025-07-11
- - initial
-
-
+
+# About aws-app-ditd-darhts-s3-transfer
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0.0 |
+| [aws](#requirement\_aws) | >= 5.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 5.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [base](#module\_base) | git@github.e.it.census.gov:terraform-modules/boc-nts//base-label | n/a |
+| [eventbridge\_guardduty](#module\_eventbridge\_guardduty) | terraform-aws-modules/eventbridge/aws | n/a |
+| [eventbridge\_s3](#module\_eventbridge\_s3) | terraform-aws-modules/eventbridge/aws | n/a |
+| [files\_clean](#module\_files\_clean) | git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard | tf-upgrade |
+| [files\_in](#module\_files\_in) | git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard | tf-upgrade |
+| [files\_out\_clean](#module\_files\_out\_clean) | git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard | tf-upgrade |
+| [files\_quarantine](#module\_files\_quarantine) | git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard | tf-upgrade |
+| [lambda\_layer](#module\_lambda\_layer) | terraform-aws-modules/lambda/aws | n/a |
+| [lambda\_move](#module\_lambda\_move) | terraform-aws-modules/lambda/aws | n/a |
+| [lambda\_move\_alias](#module\_lambda\_move\_alias) | terraform-aws-modules/lambda/aws//modules/alias | n/a |
+| [lambda\_move\_failure](#module\_lambda\_move\_failure) | terraform-aws-modules/sqs/aws | n/a |
+| [lambda\_notify](#module\_lambda\_notify) | terraform-aws-modules/lambda/aws | n/a |
+| [lambda\_notify\_alias](#module\_lambda\_notify\_alias) | terraform-aws-modules/lambda/aws//modules/alias | n/a |
+| [lambda\_notify\_failure](#module\_lambda\_notify\_failure) | terraform-aws-modules/sqs/aws | n/a |
+| [lambda\_s3](#module\_lambda\_s3) | terraform-aws-modules/lambda/aws | n/a |
+| [lambda\_s3\_alias](#module\_lambda\_s3\_alias) | terraform-aws-modules/lambda/aws//modules/alias | n/a |
+| [lambda\_s3\_failure](#module\_lambda\_s3\_failure) | terraform-aws-modules/sqs/aws | n/a |
+| [lambda\_s3\_tag](#module\_lambda\_s3\_tag) | terraform-aws-modules/lambda/aws | n/a |
+| [lambda\_s3\_tag\_alias](#module\_lambda\_s3\_tag\_alias) | terraform-aws-modules/lambda/aws//modules/alias | n/a |
+| [lambda\_s3\_tag\_failure](#module\_lambda\_s3\_tag\_failure) | terraform-aws-modules/sqs/aws | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.guardduty_event_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_resource_policy.guardduty_event_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_resource_policy) | resource |
+| [aws_guardduty_malware_protection_plan.s3_malware](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_malware_protection_plan) | resource |
+| [aws_iam_role.guardduty_malware_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.guardduty_malware_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_kms_alias.app_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.app_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_s3_bucket_notification.files_clean](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |
+| [aws_s3_bucket_notification.files_out_clean](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |
+| [aws_secretsmanager_secret.app_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
+| [aws_secretsmanager_secret_version.app_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_guardduty_detector.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/guardduty_detector) | data source |
+| [aws_iam_policy_document.app_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.app_secret_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.guardduty_event_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.guardduty_malware_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.guardduty_malware_access_policy_old](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.guardduty_malware_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.lambda_move](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.lambda_notify](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.lambda_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.lambda_s3_tag](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_role.inf_cloud_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source |
+| [aws_kms_key.s3_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_s3_bucket.log_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [api\_client\_id](#input\_api\_client\_id) | Salesforce API Client Id | `string` | n/a | yes |
+| [api\_client\_secret](#input\_api\_client\_secret) | Salesforce API Client Secreet | `string` | n/a | yes |
+| [dlq\_event\_age](#input\_dlq\_event\_age) | Dead Letter Queue maximum\_event\_age\_in\_seconds (default: 3600) | `number` | `3600` | no |
+| [dlq\_retry\_attempts](#input\_dlq\_retry\_attempts) | Dead Letter Queue maxium\_retry\_attempts (default: 3) | `number` | `3` | no |
+| [environment\_label](#input\_environment\_label) | Label to be used as the environment | `string` | n/a | yes |
+| [input\_resource\_label](#input\_input\_resource\_label) | Label to be used on input components (in, clean, quarantine and related resources) | `string` | n/a | yes |
+| [input\_resource\_tags](#input\_input\_resource\_tags) | AWS Tags to apply to input resources (should include finops\_ tags) | `map(string)` | `{}` | no |
+| [lambda\_environment\_variables\_override](#input\_lambda\_environment\_variables\_override) | Map of lambda environment variables and values to override from the defaults | `map(string)` | `{}` | no |
+| [lambda\_ephemeral\_storage\_size](#input\_lambda\_ephemeral\_storage\_size) | Lambda emphemral storage size (minimum 512M) | `number` | `512` | no |
+| [lambda\_memory\_size](#input\_lambda\_memory\_size) | Memory size (minimum 128M) | `number` | `128` | no |
+| [lambda\_timeout](#input\_lambda\_timeout) | Lambda Timeout in seconds | `number` | `300` | no |
+| [log\_bucket](#input\_log\_bucket) | AWS Log Bucket (default: inf-logs-ACCOUNT-REGION) | `string` | `null` | no |
+| [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | Number of days to keep cloudwatch logs (default is 30). See the documentation for available values. | `number` | `30` | no |
+| [output\_resource\_label](#input\_output\_resource\_label) | Label to be used on output components (replication clean and related resources) | `string` | n/a | yes |
+| [output\_resource\_tags](#input\_output\_resource\_tags) | AWS Tags to apply to output resources (should include finops\_ tags) | `map(string)` | `{}` | no |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [python\_runtime](#input\_python\_runtime) | Python runtime version | `string` | `"3.12"` | no |
+| [secret\_description](#input\_secret\_description) | Description to be used for the AWS Secret for the Salesforce API | `string` | `"Credentials for Salesforce API"` | no |
+| [secret\_key\_name](#input\_secret\_key\_name) | Name to be used for the AWS Secret KMS Key | `string` | n/a | yes |
+| [secret\_name](#input\_secret\_name) | Label to be used for the AWS Secret for the Salesforce API | `string` | n/a | yes |
+| [settings](#input\_settings) | Configuration settings map | `map(any)` | `{}` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [s3\_bucket\_files\_clean](#output\_s3\_bucket\_files\_clean) | files-clean bucket ARN and id |
+| [s3\_bucket\_files\_in](#output\_s3\_bucket\_files\_in) | files-in bucket ARN and id |
+| [s3\_bucket\_files\_out\_clean](#output\_s3\_bucket\_files\_out\_clean) | files-out-clean bucket ARN and id |
+| [s3\_bucket\_files\_quarantine](#output\_s3\_bucket\_files\_quarantine) | files-quarantine bucket ARN and id |
+| [settings](#output\_settings) | n/a |
+
\ No newline at end of file
diff --git a/base.tf b/base.tf
index 703bef2..cc777b6 100644
--- a/base.tf
+++ b/base.tf
@@ -1,4 +1,4 @@
module "base" {
- source = "git@github.e.it.census.gov:terraform-modules/boc-nts//base-label"
-# filename = format("%v/%v", path.module, "base.yml")
+ source = "git@github.e.it.census.gov:terraform-modules/boc-nts//base-label"
+ # filename = format("%v/%v", path.module, "base.yml")
}
diff --git a/eventbridge.guardduty.tf b/eventbridge.guardduty.tf
index a9ebaa4..8e756c7 100644
--- a/eventbridge.guardduty.tf
+++ b/eventbridge.guardduty.tf
@@ -42,7 +42,7 @@ resource "aws_cloudwatch_log_resource_policy" "guardduty_event_log" {
}
module "eventbridge_guardduty" {
- source = "terraform-aws-modules/eventbridge/aws"
+ source = "terraform-aws-modules/eventbridge/aws"
role_name = format("%v%v-%v-%v", try(module.base.prefixes.role, ""), var.input_resource_label, "in", "guardduty")
append_rule_postfix = false
diff --git a/eventbridge.s3.tf b/eventbridge.s3.tf
index 00d048c..ffdc1b0 100644
--- a/eventbridge.s3.tf
+++ b/eventbridge.s3.tf
@@ -1,5 +1,5 @@
module "eventbridge_s3" {
- source = "terraform-aws-modules/eventbridge/aws"
+ source = "terraform-aws-modules/eventbridge/aws"
role_name = format("%v%v-%v-%v", try(module.base.prefixes.role, ""), var.input_resource_label, "clean", "s3")
append_rule_postfix = false
diff --git a/lambda.layer.tf b/lambda.layer.tf
index f4014f2..623ace3 100644
--- a/lambda.layer.tf
+++ b/lambda.layer.tf
@@ -1,15 +1,15 @@
module "lambda_layer" {
source = "terraform-aws-modules/lambda/aws"
- create_layer = true
-# create_package = true
+ create_layer = true
+ # create_package = true
create_package = false
layer_name = format("%v-common", var.input_resource_label)
description = "DAHRTS DAPPS common code"
compatible_runtimes = [format("python%v", var.python_runtime)]
- local_existing_package = format("%v/%v/%v",path.module,"code","darhts-guardduty-move.package.zip")
+ local_existing_package = format("%v/%v/%v", path.module, "code", "darhts-guardduty-move.package.zip")
source_path = [
{
path = "${path.root}/code/packages",
diff --git a/lambda.move.tf b/lambda.move.tf
index 6d11285..681e22c 100644
--- a/lambda.move.tf
+++ b/lambda.move.tf
@@ -30,8 +30,8 @@ module "lambda_move" {
tracing_mode = "PassThrough"
reserved_concurrent_executions = -1
- local_existing_package = format("%v/%v/%v",path.module,"code","darhts-guardduty-move.zip")
- source_path = "${path.root}/code/darhts-guardduty-move.py"
+ local_existing_package = format("%v/%v/%v", path.module, "code", "darhts-guardduty-move.zip")
+ source_path = "${path.root}/code/darhts-guardduty-move.py"
layers = [
module.lambda_layer.lambda_layer_arn,
@@ -39,12 +39,12 @@ module "lambda_move" {
environment_variables = merge(
{
- Enabled = true
- GUARDDUTY_MOVE_VERBOSE = false
+ Enabled = local.settings["guardduty-move"].enabled
+ GUARDDUTY_MOVE_VERBOSE = local.settings["guardduty-move"].verbose
GUARDDUTY_MOVE_BUCKET_IN = module.files_in.s3_bucket_id
GUARDDUTY_MOVE_BUCKET_CLEAN = module.files_clean.s3_bucket_id
GUARDDUTY_MOVE_BUCKET_QUARANTINE = module.files_quarantine.s3_bucket_id
- POWERTOOLS_LOG_LEVEL = "INFO"
+ POWERTOOLS_LOG_LEVEL = local.settings["guardduty-move"].log_level
},
var.lambda_environment_variables_override,
)
diff --git a/lambda.notify.tf b/lambda.notify.tf
index f3b49e2..d52ee61 100644
--- a/lambda.notify.tf
+++ b/lambda.notify.tf
@@ -1,8 +1,8 @@
module "lambda_notify" {
source = "terraform-aws-modules/lambda/aws"
- create_function = true
-# create_package = true
+ create_function = true
+ # create_package = true
create_package = false
create_role = true
create_async_event_config = true
@@ -33,8 +33,8 @@ module "lambda_notify" {
dead_letter_target_arn = module.lambda_notify_failure.queue_arn
- local_existing_package = format("%v/%v/%v",path.module,"code","darhts-guardduty-notify.zip")
- source_path = "${path.root}/code/darhts-guardduty-notify.py"
+ local_existing_package = format("%v/%v/%v", path.module, "code", "darhts-guardduty-notify.zip")
+ source_path = "${path.root}/code/darhts-guardduty-notify.py"
layers = [
module.lambda_layer.lambda_layer_arn,
@@ -42,14 +42,14 @@ module "lambda_notify" {
environment_variables = merge(
{
- Enabled = true
- GUARDDUTY_NOTIFY_VERBOSE = false
+ Enabled = local.settings["guardduty-notify"].enabled
+ GUARDDUTY_NOTIFY_VERBOSE = local.settings["guardduty-notify"].verbose
GUARDDUTY_NOTIFY_SECRET_NAME = var.secret_name
- GUARDDUTY_NOTIFY_ENVIRONMENT = var.app_info.environment
- GUARDDUTY_NOTIFY_AUTH_URL = var.app_info.token_url
- GUARDDUTY_NOTIFY_SALESFORCE_API_VERSION = var.app_info.salesforce_api_version
- GUARDDUTY_NOTIFY_PLATFORM_EVENT_NAME = "GuardDutyObjectScan__e"
- POWERTOOLS_LOG_LEVEL = "INFO"
+ GUARDDUTY_NOTIFY_ENVIRONMENT = local.settings["guardduty-notify"].environment
+ GUARDDUTY_NOTIFY_AUTH_URL = local.settings["guardduty-notify"].auth_url
+ GUARDDUTY_NOTIFY_SALESFORCE_API_VERSION = local.settings["guardduty-notify"].salesforce_api_version
+ GUARDDUTY_NOTIFY_PLATFORM_EVENT_NAME = local.settings["guardduty-notify"].platform_event_name
+ POWERTOOLS_LOG_LEVEL = local.settings["guardduty-notify"].log_level
},
var.lambda_environment_variables_override,
)
diff --git a/lambda.s3-tag.tf b/lambda.s3-tag.tf
index f9638c2..ada3aa7 100644
--- a/lambda.s3-tag.tf
+++ b/lambda.s3-tag.tf
@@ -1,8 +1,8 @@
module "lambda_s3_tag" {
source = "terraform-aws-modules/lambda/aws"
- create_function = true
-# create_package = true
+ create_function = true
+ # create_package = true
create_package = false
create_role = true
create_async_event_config = true
@@ -33,8 +33,8 @@ module "lambda_s3_tag" {
dead_letter_target_arn = module.lambda_s3_tag_failure.queue_arn
- local_existing_package = format("%v/%v/%v",path.module,"code","darhts-s3-tag.zip")
- source_path = "${path.root}/code/darhts-s3-tag.py"
+ local_existing_package = format("%v/%v/%v", path.module, "code", "darhts-s3-tag.zip")
+ source_path = "${path.root}/code/darhts-s3-tag.py"
layers = [
module.lambda_layer.lambda_layer_arn,
@@ -42,17 +42,13 @@ module "lambda_s3_tag" {
environment_variables = merge(
{
- Enabled = true
- S3_TAG_VERBOSE = false
- S3_TAG_ENVIRONMENT = var.app_info.environment
+ Enabled = local.settings["s3-tag"].enabled
+ S3_TAG_VERBOSE = local.settings["s3-tag"].verbose
+ S3_TAG_ENVIRONMENT = local.settings["s3-tag"].environment
S3_TAG_BUCKET_CLEAN_IN = module.files_clean.s3_bucket_id
S3_TAG_BUCKET_CLEAN_OUT = module.files_out_clean.s3_bucket_id
- S3_TAG_TRIGGER_TAGS = jsonencode({
- GuardDutyMalwareScanStatus = "NO_THREATS_FOUND"
- darhts_certified = "true"
- })
- # use DEBUG for debbuing, along with S3_MOVE_VERBOSE
- POWERTOOLS_LOG_LEVEL = "INFO"
+ S3_TAG_TRIGGER_TAGS = jsonencode(local.settings["s3-tag"].trigger_tags)
+ POWERTOOLS_LOG_LEVEL = local.settings["s3-tag"].log_level
},
var.lambda_environment_variables_override,
)
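Review bot: `S3_TAG_TRIGGER_TAGS` is now taken from `local.settings["s3-tag"].trigger_tags` instead of the hard-coded `GuardDutyMalwareScanStatus = "NO_THREATS_FOUND"` / `darhts_certified = "true"` pair, and settings.tf merges `var.settings` last, so a caller-supplied `settings` map can loosen or empty the tag set that, judging by the removed default, gates promotion of objects from `files_clean` into `files_out_clean` (the Lambda code itself is not in this diff). Because `var.settings` is `map(any)` there is no schema check on it; a `check` block on the merged value, or at minimum a comment on this line, would make the invariant explicit, e.g. `# trigger_tags gates the copy into files_out_clean; it must retain GuardDutyMalwareScanStatus = NO_THREATS_FOUND (see settings.default.yml)`. The removed hint about setting `POWERTOOLS_LOG_LEVEL` to DEBUG for troubleshooting has no replacement in the new code; it belongs next to `log_level` in settings.default.yml. The same settings-driven pattern is used in the lambda.move.tf, lambda.notify.tf and lambda.s3.tf hunks.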
diff --git a/lambda.s3.tf b/lambda.s3.tf
index f957aab..b289b89 100644
--- a/lambda.s3.tf
+++ b/lambda.s3.tf
@@ -1,8 +1,8 @@
module "lambda_s3" {
source = "terraform-aws-modules/lambda/aws"
- create_function = true
-# create_package = true
+ create_function = true
+ # create_package = true
create_package = false
create_role = true
create_async_event_config = true
@@ -33,8 +33,8 @@ module "lambda_s3" {
dead_letter_target_arn = module.lambda_s3_failure.queue_arn
- local_existing_package = format("%v/%v/%v",path.module,"code","darhts-s3-notify.zip")
- source_path = "${path.root}/code/darhts-s3-notify.py"
+ local_existing_package = format("%v/%v/%v", path.module, "code", "darhts-s3-notify.zip")
+ source_path = "${path.root}/code/darhts-s3-notify.py"
layers = [
module.lambda_layer.lambda_layer_arn,
@@ -42,14 +42,14 @@ module "lambda_s3" {
environment_variables = merge(
{
- Enabled = true
- S3_NOTIFY_VERBOSE = false
+ Enabled = local.settings["s3"].enabled
+ S3_NOTIFY_VERBOSE = local.settings["s3"].verbose
S3_NOTIFY_SECRET_NAME = var.secret_name
- S3_NOTIFY_ENVIRONMENT = var.app_info.environment
- S3_NOTIFY_AUTH_URL = var.app_info.token_url
- S3_NOTIFY_SALESFORCE_API_VERSION = var.app_info.salesforce_api_version
- S3_NOTIFY_PLATFORM_EVENT_NAME = "DARHTSCleanCreateObjectEvent__e"
- POWERTOOLS_LOG_LEVEL = "INFO"
+ S3_NOTIFY_ENVIRONMENT = local.settings["s3"].environment
+ S3_NOTIFY_AUTH_URL = local.settings["s3"].auth_url
+ S3_NOTIFY_SALESFORCE_API_VERSION = local.settings["s3"].salesforce_api_version
+ S3_NOTIFY_PLATFORM_EVENT_NAME = local.settings["s3"].platform_event_name
+ POWERTOOLS_LOG_LEVEL = local.settings["s3"].log_level
},
var.lambda_environment_variables_override,
)
diff --git a/main.tf b/main.tf
index 81227f2..1f7c49e 100644
--- a/main.tf
+++ b/main.tf
@@ -1,13 +1,18 @@
+/*
+* # About aws-app-ditd-darhts-s3-transfer
+*
+*/
+
locals {
account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
region = data.aws_region.current.name
- region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
- iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
+ region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+ iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
base_tags = {
"boc:created_by" = "terraform"
"boc:tf_module_version" = local._module_version
- "boc:tf_module_name" = local._module_name
+ "boc:tf_module_name" = local._module_name
}
}
diff --git a/outputs.tf b/outputs.tf
index 53d50df..1b8bb18 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -10,8 +10,8 @@
output "s3_bucket_files_in" {
description = "files-in bucket ARN and id"
value = {
- id = module.files_in.s3_bucket_id
- arn = module.files_in.s3_bucket_arn
+ id = module.files_in.s3_bucket_id
+ arn = module.files_in.s3_bucket_arn
key_arn = module.files_in.kms_key_arn
}
}
@@ -19,8 +19,8 @@ output "s3_bucket_files_in" {
output "s3_bucket_files_quarantine" {
description = "files-quarantine bucket ARN and id"
value = {
- id = module.files_quarantine.s3_bucket_id
- arn = module.files_quarantine.s3_bucket_arn
+ id = module.files_quarantine.s3_bucket_id
+ arn = module.files_quarantine.s3_bucket_arn
key_arn = module.files_quarantine.kms_key_arn
}
}
@@ -28,16 +28,16 @@ output "s3_bucket_files_quarantine" {
output "s3_bucket_files_clean" {
description = "files-clean bucket ARN and id"
value = {
- id = module.files_clean.s3_bucket_id
- arn = module.files_clean.s3_bucket_arn
+ id = module.files_clean.s3_bucket_id
+ arn = module.files_clean.s3_bucket_arn
key_arn = module.files_clean.kms_key_arn
}
}
output "s3_bucket_files_out_clean" {
description = "files-out-clean bucket ARN and id"
value = {
- id = module.files_out_clean.s3_bucket_id
- arn = module.files_out_clean.s3_bucket_arn
+ id = module.files_out_clean.s3_bucket_id
+ arn = module.files_out_clean.s3_bucket_arn
key_arn = module.files_out_clean.kms_key_arn
}
}
diff --git a/secret.tf b/secret.tf
index fbe54a4..560d398 100644
--- a/secret.tf
+++ b/secret.tf
@@ -13,7 +13,7 @@ resource "aws_secretsmanager_secret" "app_secret" {
local.base_tags,
var.tags,
local.input_finops_roles["secret"],
- { Name = var.app_info.secret_name},
+ { Name = var.secret_name },
)
}
@@ -77,7 +77,7 @@ data "aws_iam_policy_document" "app_secret_key" {
}
resource "aws_kms_key" "app_secret" {
- description = format("KMS CMK %v in %v", var.app_info.key_name, local.region)
+ description = format("KMS CMK %v in %v", var.secret_key_name, local.region)
enable_key_rotation = true
policy = data.aws_iam_policy_document.app_secret_key.json
multi_region = false
@@ -86,11 +86,11 @@ resource "aws_kms_key" "app_secret" {
local.base_tags,
var.tags,
local.input_finops_roles["kms"],
- { Name = format("v-kms-%v", var.app_info.key_name) },
+ { Name = format("v-kms-%v", var.secret_key_name) },
)
}
resource "aws_kms_alias" "app_secret" {
- name = format("alias/v-kms-%v", var.app_info.key_name)
+ name = format("alias/v-kms-%v", var.secret_key_name)
target_key_id = aws_kms_key.app_secret.key_id
}
diff --git a/settings.tf b/settings.tf
index b202438..d44bfb6 100644
--- a/settings.tf
+++ b/settings.tf
@@ -1,11 +1,11 @@
locals {
- _settings = var.settings
+ _settings = var.settings
settings_default = yamldecode(file("${path.module}/settings.default.yml"))
- settings = { for k in keys(var.settings_default): k => merge(
+ settings = { for k in keys(local.settings_default) : k => merge(
local.settings_default["default"],
local.settings_default[k],
local._settings[k],
- ) if k!="default" }
+ ) if k != "default" }
}
output "settings" {
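Review bot: `local._settings[k]` on the unchanged line inside `merge(...)` raises an invalid-index error whenever `var.settings` lacks a key that settings.default.yml defines, and `var.settings` defaults to `{}` (variables.tf), so a plan that passes no overrides fails; change it to `lookup(local._settings, k, {}),` (or `try(local._settings[k], {})`). The hunk's first change (`var.settings_default` → `local.settings_default`) fixes the other reference, so this is the remaining broken one. `output "settings"` begins on the hunk's last line and continues outside it; its description shows as `n/a` in the generated README, so a `description = "Merged per-component settings (defaults overlaid with var.settings)"` would help.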
diff --git a/tags.tf b/tags.tf
index 5b5cd5f..921f61c 100644
--- a/tags.tf
+++ b/tags.tf
@@ -10,6 +10,6 @@ locals {
"sqs",
"secret",
]
- input_finops_roles = {for r in local.tag_roles: r => { "finops_project_role" = trimprefix(format("%v_%v",lookup(var.input_resource_tags,"finops_project_name",""),r),"_") } }
- output_finops_roles = {for r in local.tag_roles: r => { "finops_project_role" = trimprefix(format("%v_%v",lookup(var.output_resource_tags,"finops_project_name",""),r),"_") } }
+ input_finops_roles = { for r in local.tag_roles : r => { "finops_project_role" = trimprefix(format("%v_%v", lookup(var.input_resource_tags, "finops_project_name", ""), r), "_") } }
+ output_finops_roles = { for r in local.tag_roles : r => { "finops_project_role" = trimprefix(format("%v_%v", lookup(var.output_resource_tags, "finops_project_name", ""), r), "_") } }
}
diff --git a/variables.tf b/variables.tf
index 19324b2..9f8e2b9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -39,7 +39,12 @@ variable "secret_name" {
variable "secret_description" {
description = "Description to be used for the AWS Secret for the Salesforce API"
type = string
- default = "Credentials for Salesforce API"
+ default = "Credentials for Salesforce API"
+}
+
+variable "secret_key_name" {
+ description = "Name to be used for the AWS Secret KMS Key"
+ type = string
}
variable "dlq_retry_attempts" {
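Review bot: The new `secret_key_name` variable has no `validation` block even though secret.tf interpolates it into `format("alias/v-kms-%v", var.secret_key_name)`, and KMS alias names are limited to letters, digits, `/`, `_` and `-`, so a bad value only fails at apply time after the key itself has been created. Introducing `secret_key_name` as a required input (no `default`) and, judging by secret.tf and the lambda files, replacing the former `var.app_info` object is a breaking interface change for callers, yet version.tf still reads `0.9.9` after this commit.
```hcl
variable "secret_key_name" {
  description = "Name to be used for the AWS Secret KMS Key"
  type        = string

  validation {
    condition     = can(regex("^[A-Za-z0-9/_-]+$", var.secret_key_name))
    error_message = "secret_key_name becomes alias/v-kms-<name>; it may contain only letters, digits, '/', '_' or '-'."
  }
}
```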
@@ -68,12 +73,12 @@ variable "output_resource_tags" {
variable "log_bucket" {
description = "AWS Log Bucket (default: inf-logs-ACCOUNT-REGION)"
- type = string
- default = null
+ type = string
+ default = null
}
variable "settings" {
description = "Configuration settings map"
- type = map(any)
- default = {}
+ type = map(any)
+ default = {}
}
diff --git a/version.tf b/version.tf
index cb594b5..f37a441 100644
--- a/version.tf
+++ b/version.tf
@@ -1,4 +1,4 @@
locals {
- _module_name = "aws-app-ditd-darhts-s3-transfer"
+ _module_name = "aws-app-ditd-darhts-s3-transfer"
_module_version = "0.9.9"
}