From c05dd9bf8e02f0162234b8362d01d22fa916ec38 Mon Sep 17 00:00:00 2001
From: Adam Hall <adam.hall.1992@live.com>
Date: Sun, 7 Jun 2026 11:52:09 +0930
Subject: [PATCH 1/7] Switch to a boolean input variable for controlling
 mutability

---
 terraform/catalog/modules/ecr/main.tf      |  2 +-
 terraform/catalog/modules/ecr/variables.tf | 12 ++++--------
 2 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/terraform/catalog/modules/ecr/main.tf b/terraform/catalog/modules/ecr/main.tf
index 7e4fe6c..03697f3 100644
--- a/terraform/catalog/modules/ecr/main.tf
+++ b/terraform/catalog/modules/ecr/main.tf
@@ -4,7 +4,7 @@ locals {
 
 resource "aws_ecr_repository" "this" {
   name                 = var.name
-  image_tag_mutability = var.mutability
+  image_tag_mutability = var.mutable ? "MUTABLE" : "IMMUTABLE"
   image_scanning_configuration {
     scan_on_push = var.image_scanning_on_push
   }
diff --git a/terraform/catalog/modules/ecr/variables.tf b/terraform/catalog/modules/ecr/variables.tf
index 01fa7bb..fbfa5b3 100644
--- a/terraform/catalog/modules/ecr/variables.tf
+++ b/terraform/catalog/modules/ecr/variables.tf
@@ -9,19 +9,15 @@ variable "environment" {
 }
 
 variable "image_scanning_on_push" {
-  description = ""
+  description = "Enable / Disable image scanning on push to the repo."
   type        = bool
   default     = true
 }
 
-variable "mutability" {
+variable "mutable" {
   description = ""
-  type        = string
-  default     = "IMMUTABLE"
-  validation {
-    condition     = var.mutability == "MUTABLE" || var.mutability == "IMMUTABLE"
-    error_message = "mutability must be either MUTABLE or IMMUTABLE"
-  }
+  type        = bool
+  default     = false
 }
 
 variable "oidc_provider_arn" {

From dc765c9415a2a1ddf45e2bd37e4ca05ef2059c5c Mon Sep 17 00:00:00 2001
From: Adam Hall <adam.hall.1992@live.com>
Date: Sun, 7 Jun 2026 11:52:23 +0930
Subject: [PATCH 2/7] Add an output for the push role

---
 terraform/catalog/modules/ecr/outputs.tf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/terraform/catalog/modules/ecr/outputs.tf b/terraform/catalog/modules/ecr/outputs.tf
index 1791b1d..5c26a90 100644
--- a/terraform/catalog/modules/ecr/outputs.tf
+++ b/terraform/catalog/modules/ecr/outputs.tf
@@ -6,4 +6,9 @@ output "repository_url" {
 output "repository_arn" {
   description = "ARN of the ECR repo."
   value       = aws_ecr_repository.this.arn
+}
+
+output "push_role_arn" {
+  description = "ARN of the IAM role that can push images to this repo."
+  value       = local.create_push_role ? aws_iam_role.push[0].arn : null
 }
\ No newline at end of file

From 3648fe7e74685be611e886e5775b911ff20b644f Mon Sep 17 00:00:00 2001
From: Adam Hall <adam.hall.1992@live.com>
Date: Sun, 7 Jun 2026 11:54:02 +0930
Subject: [PATCH 3/7] Add an basic nginx app we can use for testing the github
 push role and ECR

---
 applications/hello-world/Dockerfile |  6 ++++++
 applications/hello-world/index.html | 10 ++++++++++
 applications/hello-world/nginx.conf |  8 ++++++++
 3 files changed, 24 insertions(+)
 create mode 100644 applications/hello-world/Dockerfile
 create mode 100644 applications/hello-world/index.html
 create mode 100644 applications/hello-world/nginx.conf

diff --git a/applications/hello-world/Dockerfile b/applications/hello-world/Dockerfile
new file mode 100644
index 0000000..c31931c
--- /dev/null
+++ b/applications/hello-world/Dockerfile
@@ -0,0 +1,6 @@
+FROM nginx:alpine
+
+COPY nginx.conf /etc/nginx/conf.d/default.conf
+COPY index.html /usr/share/nginx/html/index.html
+
+EXPOSE 80
diff --git a/applications/hello-world/index.html b/applications/hello-world/index.html
new file mode 100644
index 0000000..b1457b2
--- /dev/null
+++ b/applications/hello-world/index.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <title>Hello, World!</title>
+</head>
+<body>
+  <h1>Hello, World!</h1>
+</body>
+</html>
diff --git a/applications/hello-world/nginx.conf b/applications/hello-world/nginx.conf
new file mode 100644
index 0000000..d2fbd92
--- /dev/null
+++ b/applications/hello-world/nginx.conf
@@ -0,0 +1,8 @@
+server {
+  listen 80;
+
+  location / {
+    root /usr/share/nginx/html;
+    index index.html;
+  }
+}

From d43629563aa7f68a6cb1aa090697d7ea94bb58c5 Mon Sep 17 00:00:00 2001
From: Adam Hall <adam.hall.1992@live.com>
Date: Sun, 7 Jun 2026 11:56:48 +0930
Subject: [PATCH 4/7] Switch to a variable for the region

---
 .github/workflows/terragrunt-apply.yml | 2 +-
 .github/workflows/terragrunt-plan.yml  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/terragrunt-apply.yml b/.github/workflows/terragrunt-apply.yml
index 83f225e..50f2030 100644
--- a/.github/workflows/terragrunt-apply.yml
+++ b/.github/workflows/terragrunt-apply.yml
@@ -27,7 +27,7 @@ jobs:
         uses: aws-actions/configure-aws-credentials@99214aa6889fcddfa57764031d71add364327e59 # v6.1.3
         with:
           role-to-assume: ${{ vars.APPLY_ROLE_ARN }}
-          aws-region: ap-southeast-2
+          aws-region: ${{ vars.AWS_REGION }}
       - name: Terragrunt Apply
         uses: gruntwork-io/terragrunt-action@4ed5b7344c80315e5357f28f36159fc980bc2d5a # v3.4.0
         with:
diff --git a/.github/workflows/terragrunt-plan.yml b/.github/workflows/terragrunt-plan.yml
index 0db46b2..a2eee78 100644
--- a/.github/workflows/terragrunt-plan.yml
+++ b/.github/workflows/terragrunt-plan.yml
@@ -76,7 +76,7 @@ jobs:
         uses: aws-actions/configure-aws-credentials@99214aa6889fcddfa57764031d71add364327e59 # v6.1.3
         with:
           role-to-assume: ${{ vars.PLAN_ROLE_ARN }}
-          aws-region: ap-southeast-2
+          aws-region: ${{ vars.AWS_REGION }}
 
       - name: Terragrunt Plan
         id: plan

From 36c181a85cc032b914eba206add90088a10b7aa4 Mon Sep 17 00:00:00 2001
From: Adam Hall <adam.hall.1992@live.com>
Date: Sun, 7 Jun 2026 12:00:10 +0930
Subject: [PATCH 5/7] Add workflow for building and pushing the hello world
 docker image

---
 .github/workflows/docker-push.yml | 43 +++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 .github/workflows/docker-push.yml

diff --git a/.github/workflows/docker-push.yml b/.github/workflows/docker-push.yml
new file mode 100644
index 0000000..6c9a847
--- /dev/null
+++ b/.github/workflows/docker-push.yml
@@ -0,0 +1,43 @@
+name: Build and Push
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'applications/hello-world/**'
+
+concurrency:
+  group: docker-push-hello-world
+  cancel-in-progress: false
+
+jobs:
+  build-and-push:
+    name: Build and push (dev)
+    runs-on: ubuntu-latest
+    environment: dev
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@99214aa6889fcddfa57764031d71add364327e59 # v6.1.3
+        with:
+          role-to-assume: ${{ vars.HELLO_WORLD_PUSH_ROLE_ARN }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Build and push
+        working-directory: applications/hello-world
+        env:
+          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          IMAGE_TAG: ${{ github.sha }}
+        run: |
+          docker build -t $REGISTRY/hello-world:$IMAGE_TAG .
+          docker push $REGISTRY/hello-world:$IMAGE_TAG

From 78064a98c63fa75402dcb7da99f0b30c097a1e72 Mon Sep 17 00:00:00 2001
From: Adam Hall <adam.hall.1992@live.com>
Date: Sun, 7 Jun 2026 12:00:48 +0930
Subject: [PATCH 6/7] Refactor to use implicit stacks instead of explicit to
 better handle dependencies between each of the stacks

---
 .../stacks/github-oidc/terragrunt.stack.hcl   | 15 ---------
 .../stacks/network/terragrunt.stack.hcl       | 20 ------------
 .../catalog/units/github-oidc/terragrunt.hcl  | 14 --------
 terraform/catalog/units/vpc/terragrunt.hcl    | 19 -----------
 .../{terragrunt.stack.hcl => terragrunt.hcl}  | 27 ++++++++--------
 .../hello-world-ecr/terragrunt.hcl            | 23 +++++++++++++
 .../dev/ap-southeast-2/network/terragrunt.hcl | 30 +++++++++++++++++
 .../network/terragrunt.stack.hcl              | 32 -------------------
 8 files changed, 67 insertions(+), 113 deletions(-)
 delete mode 100644 terraform/catalog/stacks/github-oidc/terragrunt.stack.hcl
 delete mode 100644 terraform/catalog/stacks/network/terragrunt.stack.hcl
 delete mode 100644 terraform/catalog/units/github-oidc/terragrunt.hcl
 delete mode 100644 terraform/catalog/units/vpc/terragrunt.hcl
 rename terraform/environments/dev/ap-southeast-2/github-oidc/{terragrunt.stack.hcl => terragrunt.hcl} (50%)
 create mode 100644 terraform/environments/dev/ap-southeast-2/hello-world-ecr/terragrunt.hcl
 create mode 100644 terraform/environments/dev/ap-southeast-2/network/terragrunt.hcl
 delete mode 100644 terraform/environments/dev/ap-southeast-2/network/terragrunt.stack.hcl

diff --git a/terraform/catalog/stacks/github-oidc/terragrunt.stack.hcl b/terraform/catalog/stacks/github-oidc/terragrunt.stack.hcl
deleted file mode 100644
index 1874697..0000000
--- a/terraform/catalog/stacks/github-oidc/terragrunt.stack.hcl
+++ /dev/null
@@ -1,15 +0,0 @@
-locals {
-  units_path = "${get_repo_root()}/terraform/catalog/units"
-}
-
-unit "github-oidc" {
-  source = "${local.units_path}/github-oidc"
-  path   = "github-oidc"
-
-  values = {
-    github_org   = values.github_org
-    github_repo  = values.github_repo
-    environment  = values.environment
-    state_bucket = values.state_bucket
-  }
-}
diff --git a/terraform/catalog/stacks/network/terragrunt.stack.hcl b/terraform/catalog/stacks/network/terragrunt.stack.hcl
deleted file mode 100644
index 99d11a9..0000000
--- a/terraform/catalog/stacks/network/terragrunt.stack.hcl
+++ /dev/null
@@ -1,20 +0,0 @@
-locals {
-  units_path = "${get_repo_root()}/terraform/catalog/units"
-}
-
-unit "vpc" {
-  source = "${local.units_path}/vpc"
-  path   = "vpc"
-
-  values = {
-    name                   = values.name
-    cidr_block             = values.cidr_block
-    az_count               = values.az_count
-    subnet_cidrs           = values.subnet_cidrs
-    enable_flow_logs       = values.enable_flow_logs
-    nat_use_spot_instances = values.nat_use_spot_instances
-    nat_instance_type      = values.nat_instance_type
-    environment            = values.environment
-    subnet_tags            = values.subnet_tags
-  }
-}
diff --git a/terraform/catalog/units/github-oidc/terragrunt.hcl b/terraform/catalog/units/github-oidc/terragrunt.hcl
deleted file mode 100644
index f8714e1..0000000
--- a/terraform/catalog/units/github-oidc/terragrunt.hcl
+++ /dev/null
@@ -1,14 +0,0 @@
-include "root" {
-  path = find_in_parent_folders("root.hcl")
-}
-
-terraform {
-  source = "${get_repo_root()}//terraform/catalog/modules/github-oidc"
-}
-
-inputs = {
-  github_org   = values.github_org
-  github_repo  = values.github_repo
-  environment  = values.environment
-  state_bucket = values.state_bucket
-}
diff --git a/terraform/catalog/units/vpc/terragrunt.hcl b/terraform/catalog/units/vpc/terragrunt.hcl
deleted file mode 100644
index f0403a5..0000000
--- a/terraform/catalog/units/vpc/terragrunt.hcl
+++ /dev/null
@@ -1,19 +0,0 @@
-include "root" {
-  path = find_in_parent_folders("root.hcl")
-}
-
-terraform {
-  source = "${get_repo_root()}//terraform/catalog/modules/vpc"
-}
-
-inputs = {
-  name                   = values.name
-  cidr_block             = values.cidr_block
-  az_count               = values.az_count
-  subnet_cidrs           = values.subnet_cidrs
-  enable_flow_logs       = values.enable_flow_logs
-  nat_use_spot_instances = values.nat_use_spot_instances
-  nat_instance_type      = values.nat_instance_type
-  environment            = values.environment
-  subnet_tags            = values.subnet_tags
-}
diff --git a/terraform/environments/dev/ap-southeast-2/github-oidc/terragrunt.stack.hcl b/terraform/environments/dev/ap-southeast-2/github-oidc/terragrunt.hcl
similarity index 50%
rename from terraform/environments/dev/ap-southeast-2/github-oidc/terragrunt.stack.hcl
rename to terraform/environments/dev/ap-southeast-2/github-oidc/terragrunt.hcl
index aa9efd0..aa2dd00 100644
--- a/terraform/environments/dev/ap-southeast-2/github-oidc/terragrunt.stack.hcl
+++ b/terraform/environments/dev/ap-southeast-2/github-oidc/terragrunt.hcl
@@ -1,19 +1,20 @@
+include "root" {
+  path = find_in_parent_folders("root.hcl")
+}
+
+terraform {
+  source = "${get_repo_root()}//terraform/catalog/modules/github-oidc"
+}
+
 locals {
-  stacks_path  = "${get_repo_root()}/terraform/catalog/stacks"
-  environment  = "dev"
   account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
   region_vars  = read_terragrunt_config(find_in_parent_folders("region.hcl"))
   state_bucket = "terragrunt-tf-state-${local.account_vars.locals.account_name}-${local.region_vars.locals.aws_region}"
 }
 
-stack "dev-oidc" {
-  source = "${local.stacks_path}/github-oidc"
-  path   = "dev/oidc"
-
-  values = {
-    github_org   = "AdamJHall"
-    github_repo  = "platform-lab"
-    environment  = local.environment
-    state_bucket = local.state_bucket
-  }
-}
\ No newline at end of file
+inputs = {
+  github_org   = "AdamJHall"
+  github_repo  = "platform-lab"
+  environment  = "dev"
+  state_bucket = local.state_bucket
+}
diff --git a/terraform/environments/dev/ap-southeast-2/hello-world-ecr/terragrunt.hcl b/terraform/environments/dev/ap-southeast-2/hello-world-ecr/terragrunt.hcl
new file mode 100644
index 0000000..60825a8
--- /dev/null
+++ b/terraform/environments/dev/ap-southeast-2/hello-world-ecr/terragrunt.hcl
@@ -0,0 +1,23 @@
+include "root" {
+  path = find_in_parent_folders("root.hcl")
+}
+
+terraform {
+  source = "${get_repo_root()}//terraform/catalog/modules/ecr"
+}
+
+dependency "github_oidc" {
+  config_path = "../github-oidc"
+
+  mock_outputs = {
+    oidc_provider_arn = "arn:aws:iam::000000000000:oidc-provider/token.actions.githubusercontent.com"
+  }
+  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
+}
+
+inputs = {
+  name              = "hello-world"
+  environment       = "dev"
+  oidc_provider_arn = dependency.github_oidc.outputs.oidc_provider_arn
+  github_repository = "AdamJHall/platform-lab"
+}
diff --git a/terraform/environments/dev/ap-southeast-2/network/terragrunt.hcl b/terraform/environments/dev/ap-southeast-2/network/terragrunt.hcl
new file mode 100644
index 0000000..8b83b59
--- /dev/null
+++ b/terraform/environments/dev/ap-southeast-2/network/terragrunt.hcl
@@ -0,0 +1,30 @@
+include "root" {
+  path = find_in_parent_folders("root.hcl")
+}
+
+terraform {
+  source = "${get_repo_root()}//terraform/catalog/modules/vpc"
+}
+
+inputs = {
+  name        = "dev-network"
+  environment = "dev"
+  cidr_block  = "10.0.0.0/16"
+  az_count    = 2
+  subnet_cidrs = {
+    public              = ["10.0.0.0/20", "10.0.16.0/20"]
+    private             = ["10.0.32.0/20", "10.0.48.0/20"]
+    private_with_egress = ["10.0.64.0/20", "10.0.80.0/20"]
+  }
+  enable_flow_logs       = false
+  nat_use_spot_instances = true
+  nat_instance_type      = "t4g.nano"
+  subnet_tags = {
+    public = {
+      "kubernetes.io/role/elb" = "1"
+    }
+    private_with_egress = {
+      "kubernetes.io/role/internal-elb" = "1"
+    }
+  }
+}
diff --git a/terraform/environments/dev/ap-southeast-2/network/terragrunt.stack.hcl b/terraform/environments/dev/ap-southeast-2/network/terragrunt.stack.hcl
deleted file mode 100644
index 4b7c0b2..0000000
--- a/terraform/environments/dev/ap-southeast-2/network/terragrunt.stack.hcl
+++ /dev/null
@@ -1,32 +0,0 @@
-locals {
-  stacks_path = "${get_repo_root()}/terraform/catalog/stacks"
-  environment = "dev"
-}
-
-stack "dev-network" {
-  source = "${local.stacks_path}/network"
-  path   = "dev/network"
-
-  values = {
-    name          = "dev-network"
-    cidr_block    = "10.0.0.0/16"
-    az_count      = 2
-    subnet_cidrs  = {
-      public              = ["10.0.0.0/20", "10.0.16.0/20"]
-      private             = ["10.0.32.0/20", "10.0.48.0/20"]
-      private_with_egress = ["10.0.64.0/20", "10.0.80.0/20"]
-    }
-    enable_flow_logs       = false
-    nat_use_spot_instances = true
-    nat_instance_type      = "t4g.nano"
-    environment            = local.environment
-    subnet_tags            = {
-      public = {
-        "kubernetes.io/role/elb" = "1"
-      }
-      private_with_egress = {
-        "kubernetes.io/role/internal-elb" = "1"
-      }
-    }
-  }
-}

From 4ea8568c47b7b6b817a40558c089e65efe3ceb0f Mon Sep 17 00:00:00 2001
From: Adam Hall <adam.hall.1992@live.com>
Date: Sun, 7 Jun 2026 12:07:11 +0930
Subject: [PATCH 7/7] Move modules up one directory and remove the catalog/
 directory. Then update all references.

---
 .github/dependabot.yml                                   | 2 +-
 .github/workflows/ci-terraform.yml                       | 4 ++--
 .github/workflows/docker-push.yml                        | 2 +-
 .github/workflows/terragrunt-plan.yml                    | 4 ++--
 .pre-commit-config.yaml                                  | 2 +-
 README.md                                                | 9 +++------
 Taskfile.yml                                             | 4 ++--
 .../dev/ap-southeast-2/github-oidc/terragrunt.hcl        | 2 +-
 .../dev/ap-southeast-2/hello-world-ecr/terragrunt.hcl    | 2 +-
 .../dev/ap-southeast-2/network/terragrunt.hcl            | 2 +-
 terraform/{catalog => }/modules/ecr/main.tf              | 0
 terraform/{catalog => }/modules/ecr/outputs.tf           | 0
 terraform/{catalog => }/modules/ecr/variables.tf         | 0
 terraform/{catalog => }/modules/ecr/versions.tf          | 0
 terraform/{catalog => }/modules/github-oidc/main.tf      | 0
 terraform/{catalog => }/modules/github-oidc/outputs.tf   | 0
 terraform/{catalog => }/modules/github-oidc/variables.tf | 0
 terraform/{catalog => }/modules/github-oidc/versions.tf  | 0
 terraform/{catalog => }/modules/vpc/flow_logs.tf         | 0
 terraform/{catalog => }/modules/vpc/main.tf              | 0
 terraform/{catalog => }/modules/vpc/nat.tf               | 0
 terraform/{catalog => }/modules/vpc/outputs.tf           | 0
 terraform/{catalog => }/modules/vpc/routing.tf           | 0
 terraform/{catalog => }/modules/vpc/variables.tf         | 0
 terraform/{catalog => }/modules/vpc/versions.tf          | 0
 25 files changed, 15 insertions(+), 18 deletions(-)
 rename terraform/{catalog => }/modules/ecr/main.tf (100%)
 rename terraform/{catalog => }/modules/ecr/outputs.tf (100%)
 rename terraform/{catalog => }/modules/ecr/variables.tf (100%)
 rename terraform/{catalog => }/modules/ecr/versions.tf (100%)
 rename terraform/{catalog => }/modules/github-oidc/main.tf (100%)
 rename terraform/{catalog => }/modules/github-oidc/outputs.tf (100%)
 rename terraform/{catalog => }/modules/github-oidc/variables.tf (100%)
 rename terraform/{catalog => }/modules/github-oidc/versions.tf (100%)
 rename terraform/{catalog => }/modules/vpc/flow_logs.tf (100%)
 rename terraform/{catalog => }/modules/vpc/main.tf (100%)
 rename terraform/{catalog => }/modules/vpc/nat.tf (100%)
 rename terraform/{catalog => }/modules/vpc/outputs.tf (100%)
 rename terraform/{catalog => }/modules/vpc/routing.tf (100%)
 rename terraform/{catalog => }/modules/vpc/variables.tf (100%)
 rename terraform/{catalog => }/modules/vpc/versions.tf (100%)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 7b394f9..24f0d15 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,7 +9,7 @@ updates:
 
   - package-ecosystem: opentofu
     directories:
-      - /terraform/catalog/modules/**/*
+      - /terraform/modules/**/*
     schedule:
       interval: weekly
     cooldown:
diff --git a/.github/workflows/ci-terraform.yml b/.github/workflows/ci-terraform.yml
index 89261ae..5d35cf1 100644
--- a/.github/workflows/ci-terraform.yml
+++ b/.github/workflows/ci-terraform.yml
@@ -34,9 +34,9 @@ jobs:
 
       - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
 
-      - name: Validate all catalog modules
+      - name: Validate all modules
         run: |
-          find terraform/catalog/modules -mindepth 1 -maxdepth 1 -type d | while read -r dir; do
+          find terraform/modules -mindepth 1 -maxdepth 1 -type d | while read -r dir; do
             echo "--- Validating $dir ---"
             tofu -chdir="$dir" init -backend=false
             tofu -chdir="$dir" validate
diff --git a/.github/workflows/docker-push.yml b/.github/workflows/docker-push.yml
index 6c9a847..6970ec0 100644
--- a/.github/workflows/docker-push.yml
+++ b/.github/workflows/docker-push.yml
@@ -31,7 +31,7 @@ jobs:
 
       - name: Login to Amazon ECR
         id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v2
+        uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2.1.5
 
       - name: Build and push
         working-directory: applications/hello-world
diff --git a/.github/workflows/terragrunt-plan.yml b/.github/workflows/terragrunt-plan.yml
index a2eee78..8d735e1 100644
--- a/.github/workflows/terragrunt-plan.yml
+++ b/.github/workflows/terragrunt-plan.yml
@@ -34,9 +34,9 @@ jobs:
         run: |
           CHANGED=$(git diff --name-only "origin/$BASE_REF...HEAD")
 
-          # A catalog change (module/unit/stack) can affect every environment,
+          # A module change can affect every environment,
           # so plan them all. Otherwise, only plan environments with direct changes.
-          if echo "$CHANGED" | grep -q '^terraform/catalog/'; then
+          if echo "$CHANGED" | grep -q '^terraform/modules/'; then
             ENVS=$(find terraform/environments \
               -maxdepth 1 -mindepth 1 -type d \
               -printf '%f\n' | sort \
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 85fb73e..798db59 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -30,7 +30,7 @@ repos:
 
       - id: tofu-validate
         name: tofu validate
-        entry: bash -c 'find terraform/catalog/modules -mindepth 1 -maxdepth 1 -type d | while read -r dir; do
+        entry: bash -c 'find terraform/modules -mindepth 1 -maxdepth 1 -type d | while read -r dir; do
           echo "--- Validating $dir ---";
           tofu -chdir="$dir" init -backend=false;
           tofu -chdir="$dir" validate;
diff --git a/README.md b/README.md
index a130bd7..72e0538 100644
--- a/README.md
+++ b/README.md
@@ -6,12 +6,9 @@ A personal sandbox for learning Terraform and Kubernetes, using Terragrunt to ma
 
 ```
 terraform/
-├── catalog/
-│   ├── modules/    # Raw Terraform modules
-│   ├── units/      # Terragrunt wrappers around modules
-│   └── stacks/     # Compositions of units
+├── modules/        # Raw OpenTofu modules
 └── environments/
-    └── dev/        # Environment-specific stack instantiations
+    └── dev/        # Environment-specific Terragrunt units
 ```
 
 ## Prerequisites
@@ -44,7 +41,7 @@ task tf:destroy:dev   # destroy all units in dev
 
 ```bash
 task tf:fmt           # format all Terraform files
-task tf:validate      # validate all catalog modules
+task tf:validate      # validate all modules
 task tf:clean         # remove local Terraform and Terragrunt caches
 ```
 
diff --git a/Taskfile.yml b/Taskfile.yml
index 546e958..9bc2376 100644
--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -47,10 +47,10 @@ tasks:
       - tofu fmt -recursive terraform/
 
   tf:validate:
-    desc: Validate all catalog modules
+    desc: Validate all modules
     cmds:
       - |
-        find terraform/catalog/modules -mindepth 1 -maxdepth 1 -type d | while read -r dir; do
+        find terraform/modules -mindepth 1 -maxdepth 1 -type d | while read -r dir; do
           echo "--- Validating $dir ---"
           tofu -chdir="$dir" init -backend=false
           tofu -chdir="$dir" validate
diff --git a/terraform/environments/dev/ap-southeast-2/github-oidc/terragrunt.hcl b/terraform/environments/dev/ap-southeast-2/github-oidc/terragrunt.hcl
index aa2dd00..d501dad 100644
--- a/terraform/environments/dev/ap-southeast-2/github-oidc/terragrunt.hcl
+++ b/terraform/environments/dev/ap-southeast-2/github-oidc/terragrunt.hcl
@@ -3,7 +3,7 @@ include "root" {
 }
 
 terraform {
-  source = "${get_repo_root()}//terraform/catalog/modules/github-oidc"
+  source = "${get_repo_root()}//terraform/modules/github-oidc"
 }
 
 locals {
diff --git a/terraform/environments/dev/ap-southeast-2/hello-world-ecr/terragrunt.hcl b/terraform/environments/dev/ap-southeast-2/hello-world-ecr/terragrunt.hcl
index 60825a8..d9178e9 100644
--- a/terraform/environments/dev/ap-southeast-2/hello-world-ecr/terragrunt.hcl
+++ b/terraform/environments/dev/ap-southeast-2/hello-world-ecr/terragrunt.hcl
@@ -3,7 +3,7 @@ include "root" {
 }
 
 terraform {
-  source = "${get_repo_root()}//terraform/catalog/modules/ecr"
+  source = "${get_repo_root()}//terraform/modules/ecr"
 }
 
 dependency "github_oidc" {
diff --git a/terraform/environments/dev/ap-southeast-2/network/terragrunt.hcl b/terraform/environments/dev/ap-southeast-2/network/terragrunt.hcl
index 8b83b59..7546e63 100644
--- a/terraform/environments/dev/ap-southeast-2/network/terragrunt.hcl
+++ b/terraform/environments/dev/ap-southeast-2/network/terragrunt.hcl
@@ -3,7 +3,7 @@ include "root" {
 }
 
 terraform {
-  source = "${get_repo_root()}//terraform/catalog/modules/vpc"
+  source = "${get_repo_root()}//terraform/modules/vpc"
 }
 
 inputs = {
diff --git a/terraform/catalog/modules/ecr/main.tf b/terraform/modules/ecr/main.tf
similarity index 100%
rename from terraform/catalog/modules/ecr/main.tf
rename to terraform/modules/ecr/main.tf
diff --git a/terraform/catalog/modules/ecr/outputs.tf b/terraform/modules/ecr/outputs.tf
similarity index 100%
rename from terraform/catalog/modules/ecr/outputs.tf
rename to terraform/modules/ecr/outputs.tf
diff --git a/terraform/catalog/modules/ecr/variables.tf b/terraform/modules/ecr/variables.tf
similarity index 100%
rename from terraform/catalog/modules/ecr/variables.tf
rename to terraform/modules/ecr/variables.tf
diff --git a/terraform/catalog/modules/ecr/versions.tf b/terraform/modules/ecr/versions.tf
similarity index 100%
rename from terraform/catalog/modules/ecr/versions.tf
rename to terraform/modules/ecr/versions.tf
diff --git a/terraform/catalog/modules/github-oidc/main.tf b/terraform/modules/github-oidc/main.tf
similarity index 100%
rename from terraform/catalog/modules/github-oidc/main.tf
rename to terraform/modules/github-oidc/main.tf
diff --git a/terraform/catalog/modules/github-oidc/outputs.tf b/terraform/modules/github-oidc/outputs.tf
similarity index 100%
rename from terraform/catalog/modules/github-oidc/outputs.tf
rename to terraform/modules/github-oidc/outputs.tf
diff --git a/terraform/catalog/modules/github-oidc/variables.tf b/terraform/modules/github-oidc/variables.tf
similarity index 100%
rename from terraform/catalog/modules/github-oidc/variables.tf
rename to terraform/modules/github-oidc/variables.tf
diff --git a/terraform/catalog/modules/github-oidc/versions.tf b/terraform/modules/github-oidc/versions.tf
similarity index 100%
rename from terraform/catalog/modules/github-oidc/versions.tf
rename to terraform/modules/github-oidc/versions.tf
diff --git a/terraform/catalog/modules/vpc/flow_logs.tf b/terraform/modules/vpc/flow_logs.tf
similarity index 100%
rename from terraform/catalog/modules/vpc/flow_logs.tf
rename to terraform/modules/vpc/flow_logs.tf
diff --git a/terraform/catalog/modules/vpc/main.tf b/terraform/modules/vpc/main.tf
similarity index 100%
rename from terraform/catalog/modules/vpc/main.tf
rename to terraform/modules/vpc/main.tf
diff --git a/terraform/catalog/modules/vpc/nat.tf b/terraform/modules/vpc/nat.tf
similarity index 100%
rename from terraform/catalog/modules/vpc/nat.tf
rename to terraform/modules/vpc/nat.tf
diff --git a/terraform/catalog/modules/vpc/outputs.tf b/terraform/modules/vpc/outputs.tf
similarity index 100%
rename from terraform/catalog/modules/vpc/outputs.tf
rename to terraform/modules/vpc/outputs.tf
diff --git a/terraform/catalog/modules/vpc/routing.tf b/terraform/modules/vpc/routing.tf
similarity index 100%
rename from terraform/catalog/modules/vpc/routing.tf
rename to terraform/modules/vpc/routing.tf
diff --git a/terraform/catalog/modules/vpc/variables.tf b/terraform/modules/vpc/variables.tf
similarity index 100%
rename from terraform/catalog/modules/vpc/variables.tf
rename to terraform/modules/vpc/variables.tf
diff --git a/terraform/catalog/modules/vpc/versions.tf b/terraform/modules/vpc/versions.tf
similarity index 100%
rename from terraform/catalog/modules/vpc/versions.tf
rename to terraform/modules/vpc/versions.tf