turbot · cbruno10 · Apr 28, 2025
diff --git a/README.md b/README.md
@@ -85,48 +85,24 @@ Several benchmarks have [input variables](https://powerpipe.io/docs/build/mod-va
 It's easiest to setup your vars file, starting with the sample:
 
 ```sh
-cp powerpipe.ppvars.example powerpipe.ppvars
+cp .powerpipe/mods/github.com/turbot/steampipe-mod-aws-tags@v1.0.1/powerpipe.ppvars.example powerpipe.ppvars
 vi powerpipe.ppvars
 ```
 
 Alternatively you can pass variables on the command line:
 
 ```sh
-powerpipe benchmark run aws_tags.benchmark.mandatory --var 'mandatory_tags=["Application", "Environment", "Department", "Owner"]'
+powerpipe benchmark run aws_tags.benchmark.mandatory --var 'aws_tags.mandatory_tags=["Application", "Environment", "Department", "Owner"]'
 ```
 
-Or through environment variables:
-
-```sh
-export PP_VAR_mandatory_tags='["Application", "Environment", "Department", "Owner"]'
-powerpipe control run aws_tags.control.ec2_instance_mandatory
-```
-
-These are only some of the ways you can set variables. For a full list, please see [Passing Input Variables](https://powerpipe.io/docs/build/mod-variables#passing-input-variables).
+These are only some of the ways you can set variables. For a full list, please see [Passing Variables for Dependency Mods](https://powerpipe.io/docs/build/mod-variables##passing-variables-for-dependency-mods).
 
 ### Common and Tag Dimensions
 
-The benchmark queries use common properties (like `account_id`, `connection_name` and `region`) and tags that are defined in the form of a default list of strings in the `variables.sp` file. These properties can be overwritten in several ways:
-
-It's easiest to setup your vars file, starting with the sample:
-
-```sh
-cp powerpipe.ppvars.example powerpipe.ppvars
-vi powerpipe.ppvars
-```
-
-Alternatively you can pass variables on the command line:
-
-```sh
-powerpipe benchmark run aws_tags.benchmark.limit --var 'tag_dimensions=["Environment", "Owner"]'
-```
-
-Or through environment variables:
+The benchmark queries use common properties (like `account_id`, `connection_name` and `region`) and tags that are defined in the form of a default list of strings in the `variables.sp` file. These properties can be overwritten like other variables:
 
 ```sh
-export PP_VAR_common_dimensions='["account_id", "connection_name", "region"]'
-export PP_VAR_tag_dimensions='["Environment", "Owner"]'
-powerpipe benchmark run aws_tags.benchmark.limit
+powerpipe benchmark run aws_tags.benchmark.limit --var 'aws_tags.tag_dimensions=["Environment", "Owner"]'
 ```
 
 ### Remediation
@@ -141,7 +117,7 @@ For instance, with the results of the `ec2_instance_mandatory` control, you can
 OLDIFS=$IFS
 IFS='#'
 
-INPUT=$(powerpipe control run aws_tags.control.ec2_instance_mandatory --var 'mandatory_tags=["Application"]' --output csv --header=false --separator '#' | grep 'alarm')
+INPUT=$(powerpipe control run aws_tags.control.ec2_instance_mandatory --var 'aws_tags.mandatory_tags=["Application"]' --output csv --header=false --separator '#' | grep 'alarm')
 [ -z "$INPUT" ] && { echo "No instances in alarm, aborting"; exit 0; }
 
 while read -r group_id title description control_id control_title control_description reason resource status account_id region
@@ -160,7 +136,7 @@ To remove prohibited tags from EC2 instances:
 OLDIFS=$IFS
 IFS='#'
 
-INPUT=$(powerpipe control run aws_tags.control.ec2_instance_prohibited --var 'prohibited_tags=["Password"]' --output csv --header=false --separator '#' | grep 'alarm')
+INPUT=$(powerpipe control run aws_tags.control.ec2_instance_prohibited --var 'aws_tags.prohibited_tags=["Password"]' --output csv --header=false --separator '#' | grep 'alarm')
 [ -z "$INPUT" ] && { echo "No instances in alarm, aborting"; exit 0; }
 
 while read -r group_id title description control_id control_title control_description reason resource status account_id region

diff --git a/docs/index.md b/docs/index.md
@@ -88,7 +88,7 @@ vi powerpipe.ppvars
 Alternatively you can pass variables on the command line:
 
 ```sh
-powerpipe benchmark run aws_tags.benchmark.mandatory --var 'mandatory_tags=["Application", "Environment", "Department", "Owner"]'
+powerpipe benchmark run aws_tags.benchmark.mandatory --var 'aws_tags.mandatory_tags=["Application", "Environment", "Department", "Owner"]'
 ```
 
 Or through environment variables:
@@ -102,27 +102,10 @@ These are only some of the ways you can set variables. For a full list, please s
 
 ### Common and Tag Dimensions
 
-The benchmark queries use common properties (like `account_id`, `connection_name` and `region`) and tags that are defined in the form of a default list of strings in the `variables.sp` file. These properties can be overwritten in several ways:
-
-It's easiest to setup your vars file, starting with the sample:
-
-```sh
-cp powerpipe.ppvars.example powerpipe.ppvars
-vi powerpipe.ppvars
-```
-
-Alternatively you can pass variables on the command line:
-
-```sh
-powerpipe benchmark run aws_tags.benchmark.limit --var 'tag_dimensions=["Environment", "Owner"]'
-```
-
-Or through environment variables:
+The benchmark queries use common properties (like `account_id`, `connection_name` and `region`) and tags that are defined in the form of a default list of strings in the `variables.sp` file. These properties can be overwritten like other variables:
 
 ```sh
-export PP_VAR_common_dimensions='["account_id", "connection_name", "region"]'
-export PP_VAR_tag_dimensions='["Environment", "Owner"]'
-powerpipe benchmark run aws_tags.benchmark.limit
+powerpipe benchmark run aws_tags.benchmark.limit --var 'aws_tags.tag_dimensions=["Environment", "Owner"]'
 ```
 
 ### Remediation
@@ -137,7 +120,7 @@ For instance, with the results of the `ec2_instance_mandatory` control, you can
 OLDIFS=$IFS
 IFS='#'
 
-INPUT=$(powerpipe control run aws_tags.control.ec2_instance_mandatory --var 'mandatory_tags=["Application"]' --output csv --header=false --separator '#' | grep 'alarm')
+INPUT=$(powerpipe control run aws_tags.control.ec2_instance_mandatory --var 'aws_tags.mandatory_tags=["Application"]' --output csv --header=false --separator '#' | grep 'alarm')
 [ -z "$INPUT" ] && { echo "No instances in alarm, aborting"; exit 0; }
 
 while read -r group_id title description control_id control_title control_description reason resource status account_id region
@@ -156,7 +139,7 @@ To remove prohibited tags from EC2 instances:
 OLDIFS=$IFS
 IFS='#'
 
-INPUT=$(powerpipe control run aws_tags.control.ec2_instance_prohibited --var 'prohibited_tags=["Password"]' --output csv --header=false --separator '#' | grep 'alarm')
+INPUT=$(powerpipe control run aws_tags.control.ec2_instance_prohibited --var 'aws_tags.prohibited_tags=["Password"]' --output csv --header=false --separator '#' | grep 'alarm')
 [ -z "$INPUT" ] && { echo "No instances in alarm, aborting"; exit 0; }
 
 while read -r group_id title description control_id control_title control_description reason resource status account_id region
@@ -180,4 +163,4 @@ This repository is published under the [Apache 2.0 license](https://www.apache.o
 Want to help but don't know where to start? Pick up one of the `help wanted` issues:
 
 - [Powerpipe](https://github.com/turbot/powerpipe/labels/help%20wanted)
-- [AWS Tags Mod](https://github.com/turbot/steampipe-mod-aws-tags/labels/help%20wanted)
+- [AWS Tags Mod](https://github.com/turbot/steampipe-mod-aws-tags/labels/help%20wanted)
diff --git a/powerpipe.ppvars.example b/powerpipe.ppvars.example
@@ -1,12 +1,12 @@
 # Dimensions
-common_dimensions = ["account_id", "region"]
-tag_dimensions    = []
+aws_tags.common_dimensions = ["account_id", "region"]
+aws_tags.tag_dimensions    = []
 
 # Tags
-mandatory_tags = ["Environment", "Owner"]
-prohibited_tags = ["Password", "Key"]
-tag_limit = 45
-expected_tag_values = {
+aws_tags.mandatory_tags = ["Environment", "Owner"]
+aws_tags.prohibited_tags = ["Password", "Key"]
+aws_tags.tag_limit = 45
+aws_tags.expected_tag_values = {
   // Simple match
   "Environment": ["Dev", "Staging", "Prod"]