diff --git a/dashboard.tf b/dashboard.tf
index b639e7c637da63493c73454e6218775040cccde6..dcf1d6555da35588d3ed69b5199519ac13796af0 100644
--- a/dashboard.tf
+++ b/dashboard.tf
@@ -5,18 +5,15 @@
 # - Request latencies for 50th, 95th and 99th percentile.
 # - Container CPU and memory utilisations for 50th, 95th and 99th percentile.
 # - Container instance count and billable instance time.
-
-data "template_file" "dashboard_json" {
-  count = var.create_monitoring_dashboard ? 1 : 0
-
-  template = file("${path.module}/dashboard.json")
-  vars = {
+locals {
+  dashboard_template = templatefile("${path.module}/dashboard.json", {
     service_name = var.name
     region       = var.cloud_run_region
-  }
+  })
 }
 
 resource "google_monitoring_dashboard" "dashboard" {
-  for_each       = toset([for template in data.template_file.dashboard_json : template.rendered])
-  dashboard_json = each.key
+  count = var.create_monitoring_dashboard ? 1 : 0
+
+  dashboard_json = local.dashboard_template
 }
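Review bot: Switching `google_monitoring_dashboard.dashboard` from `for_each` over the rendered JSON to `count` changes the instance address from a string key to `[0]`, so existing deployments will plan a destroy and re-create of the dashboard on upgrade. The old key was the rendered template itself, so a generic `moved` block is not practical, and the change is worth calling out in the upgrade notes. Separately, `local.dashboard_template` is now rendered even when `create_monitoring_dashboard` is false; a comment such as `# Rendered unconditionally; only consumed when create_monitoring_dashboard is true.` would make that explicit.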
diff --git a/locals.tf b/locals.tf
index ecddd7a1a6a4e8c4bff7dee65a8ef8c19390d5d1..a98d3da264404e2feed05b1f1315f2061580cdb9 100644
--- a/locals.tf
+++ b/locals.tf
@@ -50,16 +50,18 @@ locals {
   # should be configured.
   monitor_hosts = var.disable_monitoring ? {} : merge(
     {
-      trimsuffix(trimprefix(google_cloud_run_service.webapp.status[0].url, "https://"), "/") = {
-        "enable_auth_proxy"       = !var.allow_unauthenticated_invocations || local.webapp_allowed_ingress != "all",
-        "enable_egress_connector" = local.webapp_allowed_ingress != "all"
+      webapp = {
+        host                    = trimsuffix(trimprefix(google_cloud_run_service.webapp.status[0].url, "https://"), "/"),
+        enable_auth_proxy       = !var.allow_unauthenticated_invocations || local.webapp_allowed_ingress != "all",
+        enable_egress_connector = local.webapp_allowed_ingress != "all"
       },
     },
     local.can_monitor_custom_dns ? {
       for dns_name in local.dns_names :
       (dns_name) => {
-        "enable_auth_proxy"       = local.webapp_allowed_ingress == "internal",
-        "enable_egress_connector" = local.webapp_allowed_ingress == "internal"
+        host                    = dns_name
+        enable_auth_proxy       = local.webapp_allowed_ingress == "internal",
+        enable_egress_connector = local.webapp_allowed_ingress == "internal"
       }
     } : {}
   )
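Review bot: The comment above `monitor_hosts` (it starts outside this hunk) does not describe the new shape of the map, where the key is only a `for_each` identifier and the monitored hostname is carried in `host`. A line such as `# Map keys are for_each identifiers; the hostname to monitor is the "host" attribute.` would save readers from having to infer it from the `uptime_monitoring` module call. As a style point, `host = dns_name` in the custom DNS entry has no trailing comma while its two sibling attributes do.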
diff --git a/main.tf b/main.tf
index 6a0b1c5cbd434b67d6067f9200ae3d782d2c1e57..753057d42f06bf384c051e069d49a9d7a6d1b4ad 100644
--- a/main.tf
+++ b/main.tf
@@ -7,10 +7,10 @@ resource "google_service_account" "webapp" {
   display_name = coalesce(var.service_account_display_name, "Web application Cloud Run service account")
 }
 
-# The webapp service account has the ability to connect to the SQL instance.
-# (Only if sql_instance_connection_name is non-empty.)
+# Grant the webapp service account the ability to connect to the SQL instance
+# via the grant_sql_client_role_to_webapp_sa boolean variable.
 resource "google_project_iam_member" "webapp_sql_client" {
-  count = (var.sql_instance_connection_name != "") ? 1 : 0
+  count = var.grant_sql_client_role_to_webapp_sa ? 1 : 0
 
   project = local.sql_instance_project
   role    = "roles/cloudsql.client"
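Review bot: The `roles/cloudsql.client` binding is now controlled only by `grant_sql_client_role_to_webapp_sa`, which defaults to `false` in variables.tf, so callers who set `sql_instance_connection_name` and relied on the implicit grant will see the binding removed on upgrade and the webapp will presumably lose database access. The flag is also decoupled from the connection name while `project` still comes from `local.sql_instance_project`; how that local behaves for an empty connection name is not visible here. If the two are meant to go together, `count = var.grant_sql_client_role_to_webapp_sa && var.sql_instance_connection_name != "" ? 1 : 0` keeps the old guard. The resource body continues outside the hunk.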
@@ -20,13 +20,9 @@ resource "google_project_iam_member" "webapp_sql_client" {
 # A Cloud Run service which hosts the webapp
 
 resource "google_cloud_run_service" "webapp" {
-  name     = var.name
-  location = var.cloud_run_region
-  project  = var.project
-
-  # Google Beta provider is required for mounting secrets AToW
-  provider = google-beta
-
+  name                       = var.name
+  location                   = var.cloud_run_region
+  project                    = var.project
   autogenerate_revision_name = true
 
   metadata {
@@ -198,11 +194,14 @@ resource "google_cloud_run_service" "webapp" {
   depends_on = [
     google_secret_manager_secret_iam_member.secrets_access,
   ]
+  # Google Beta provider is required for mounting secrets AToW
+  provider = google-beta
 }
 
 # Allow unauthenticated invocations for the webapp.
 resource "google_cloud_run_service_iam_member" "webapp_all_users_invoker" {
-  count    = var.allow_unauthenticated_invocations ? 1 : 0
+  count = var.allow_unauthenticated_invocations ? 1 : 0
+
   location = google_cloud_run_service.webapp.location
   project  = google_cloud_run_service.webapp.project
   service  = google_cloud_run_service.webapp.name
@@ -219,8 +218,7 @@ resource "google_cloud_run_domain_mapping" "webapp" {
   for_each = toset(var.ingress_style == "domain-mapping" ? local.dns_names : [])
 
   location = var.cloud_run_region
-
-  name = each.key
+  name     = each.key
 
   metadata {
     # For managed Cloud Run, the namespace *must* be the project name.
@@ -235,11 +233,9 @@ resource "google_cloud_run_domain_mapping" "webapp" {
 module "uptime_monitoring" {
   for_each = local.monitor_hosts
 
-  source = "git::https://gitlab.developers.cam.ac.uk/uis/devops/infra/terraform/gcp-site-monitoring.git?ref=v2"
-
-  host    = each.key
-  project = var.project
-
+  source                = "git::https://gitlab.developers.cam.ac.uk/uis/devops/infra/terraform/gcp-site-monitoring.git?ref=v2"
+  host                  = each.value.host
+  project               = var.project
   alert_email_addresses = var.alerting_email_address != "" ? [var.alerting_email_address] : []
 
   uptime_check = {
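Review bot: The `source` line still pins the monitoring module to `?ref=v2`, which looks like a moving branch or major-version tag, so the code that receives `host`, `project` and the alerting addresses can change without any change in this repository. Pinning to an immutable ref, e.g. `?ref=<commit-sha>` (placeholder), makes module upgrades explicit and reviewable. The `module` block continues outside the hunk, so whether a `providers` mapping for `google.stackdriver` is passed cannot be checked here.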
diff --git a/providers.tf b/providers.tf
deleted file mode 100644
index 49650b62c9d0b6bb14c0bc5ccd31a5c79272dcf1..0000000000000000000000000000000000000000
--- a/providers.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-provider "google" {
-  alias = "stackdriver"
-}
diff --git a/variables.tf b/variables.tf
index bf744526dee7beec4b2ffae567d7fdc600f765a8..2d24f7884cf77a74815d07907e15bb11602fa371 100644
--- a/variables.tf
+++ b/variables.tf
@@ -19,6 +19,15 @@ variable "sql_instance_connection_name" {
   default     = ""
 }
 
+variable "grant_sql_client_role_to_webapp_sa" {
+  description = <<EOI
+    When set to true the 'roles/cloudsql.client' role will be granted to the
+    webapp service account at the project level to allow it to connect to Cloud SQL.
+  EOI
+  type        = bool
+  default     = false
+}
+
 variable "cloud_run_region" {
   description = "Override region used to create Cloud Resources"
   default     = ""
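Review bot: The description of `grant_sql_client_role_to_webapp_sa` does not say how wide the grant is or how it relates to `sql_instance_connection_name`. A project-level `roles/cloudsql.client` binding lets the service account connect to every Cloud SQL instance in that project, not only the one named in the connection string. Suggest adding `The binding is project-wide and covers all Cloud SQL instances in the SQL instance's project.` plus a sentence stating that setting `sql_instance_connection_name` alone no longer grants the role.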
diff --git a/versions.tf b/versions.tf
index c3a7d201f3b9ae91d0c352dc69826e943d453b70..6540a891bd2ad7f6ee891798aeaf5dc48ae405b3 100644
--- a/versions.tf
+++ b/versions.tf
@@ -5,8 +5,10 @@ terraform {
     google = {
       source  = "hashicorp/google"
       version = ">= 3.70, < 5.0"
+      configuration_aliases = [
+        google.stackdriver
+      ]
     }
-
     google-beta = {
       source  = "hashicorp/google-beta"
       version = ">= 3.70, < 5.0"
@@ -14,4 +16,4 @@ terraform {
   }
 
   required_version = ">= 1.0, < 2.0"
-}
\ No newline at end of file
+}