diff --git a/app/db-migrate b/app/db-migrate index 4eab707e..b93465e4 100755 --- a/app/db-migrate +++ b/app/db-migrate @@ -8,7 +8,7 @@ set -euo pipefail -export PGPASSWORD=$(aws rds generate-db-auth-token --hostname=$DB_HOST --port=$DB_PORT --username=$DB_USER) +export PGPASSWORD="$(aws rds generate-db-auth-token --hostname=$DB_HOST --port=$DB_PORT --username=$DB_USER)" echo "Running migrations" echo " DB_HOST=$DB_HOST" echo " DB_PORT=$DB_PORT" diff --git a/bin/account-ids-by-name b/bin/account-ids-by-name index 0169934e..2a2923a8 100755 --- a/bin/account-ids-by-name +++ b/bin/account-ids-by-name @@ -7,13 +7,13 @@ set -euo pipefail # We use script dir to make this script agnostic to where it's called from. # This is needed since this script its called from infra//build-repository # in an external data source -script_dir=$(dirname "$0") +script_dir="$(dirname "$0")" key_value_pairs=() -backend_config_file_paths=$(ls -1 "${script_dir}"/../infra/accounts/*.*.s3.tfbackend) +backend_config_file_paths="$(ls -1 "${script_dir}"/../infra/accounts/*.*.s3.tfbackend)" for backend_config_file_path in ${backend_config_file_paths}; do - backend_config_file=$(basename "${backend_config_file_path}") + backend_config_file="$(basename "${backend_config_file_path}")" backend_config_name="${backend_config_file/.s3.tfbackend/}" IFS='.' read -r account_name account_id <<< "${backend_config_name}" key_value_pairs+=("\"${account_name}\":\"${account_id}\"") diff --git a/bin/check-database-roles b/bin/check-database-roles index 50d06963..40381cc9 100755 --- a/bin/check-database-roles +++ b/bin/check-database-roles 
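Review bot: The `export PGPASSWORD="$(...)"` line in app/db-migrate still hides a failed `aws rds generate-db-auth-token` call, because the exit status of `export` replaces that of the command substitution and `set -e` never sees it. The script would presumably carry on with an empty password. The inner `$DB_HOST`, `$DB_PORT` and `$DB_USER` are also still unquoted inside the substitution, where the new outer quotes do not protect them from word splitting. Split it into `PGPASSWORD="$(aws rds generate-db-auth-token --hostname="$DB_HOST" --port="$DB_PORT" --username="$DB_USER")"` followed by `export PGPASSWORD`.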
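Review bot: Quoting the `ls -1` assignment in bin/account-ids-by-name changes nothing for the loop that follows, since `for backend_config_file_path in ${backend_config_file_paths}` still word-splits and globs the listing. A checkout path containing whitespace therefore corrupts the account map that the external data source consumes. Iterate over the glob directly with `for backend_config_file_path in "${script_dir}"/../infra/accounts/*.*.s3.tfbackend; do`, and put `[[ -e "${backend_config_file_path}" ]] || continue` first in the body so an unmatched pattern is not treated as a file name. The entries are also joined into JSON by string concatenation without escaping; the rest of the loop and the output step lie outside this hunk.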
@@ -17,8 +17,8 @@ environment="$2" terraform -chdir="infra/${app_name}/app-config" init > /dev/null terraform -chdir="infra/${app_name}/app-config" apply -auto-approve > /dev/null ./bin/terraform-init "infra/${app_name}/database" "${environment}" -db_role_manager_function_name=$(terraform -chdir="infra/${app_name}/database" output -raw role_manager_function_name) -db_config=$(terraform -chdir="infra/${app_name}/app-config" output -json environment_configs | jq -r ".${environment}.database_config") +db_role_manager_function_name="$(terraform -chdir="infra/${app_name}/database" output -raw role_manager_function_name)" +db_config="$(terraform -chdir="infra/${app_name}/app-config" output -json environment_configs | jq -r ".${environment}.database_config")" payload="{\"action\":\"check\",\"config\":${db_config}}" echo "=======================" @@ -31,13 +31,13 @@ echo echo "Invoking Lambda function: ${db_role_manager_function_name}" echo " Payload: ${payload}" echo -cli_response=$(aws lambda invoke \ +cli_response="$(aws lambda invoke \ --function-name "${db_role_manager_function_name}" \ --no-cli-pager \ --log-type Tail \ --payload "$(echo -n "${payload}" | base64)" \ --output json \ - response.json) + response.json)" # Print logs out (they are returned base64 encoded) echo "${cli_response}" | jq -r '.LogResult' | base64 --decode @@ -47,7 +47,7 @@ cat response.json rm response.json # Exit with nonzero status if function failed -function_error=$(echo "${cli_response}" | jq -r '.FunctionError') +function_error="$(echo "${cli_response}" | jq -r '.FunctionError')" if [ "${function_error}" != "null" ]; then exit 1 fi diff --git a/bin/check-github-actions-auth b/bin/check-github-actions-auth index 202d5fbd..4ddd32c6 100755 --- a/bin/check-github-actions-auth +++ b/bin/check-github-actions-auth 
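Review bot: The `db_config` assignment splices `${environment}` (the script's second argument) into the jq program text, so a value containing jq syntax, or just a hyphen, is parsed as filter code rather than as a key. Pass it as data instead: `jq -r --arg env "${environment}" '.[$env].database_config'`. The result goes straight into the Lambda payload on the next line, so it is worth being strict here. The same interpolation appears in bin/create-or-update-database-roles, bin/configure-monitoring-secret and bin/run-database-migrations.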
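Review bot: The `aws lambda invoke` call writes the function's response to a fixed `response.json` in the current directory, and the `rm response.json` further down is skipped whenever `set -e` aborts the script in between, for example when `jq` or `base64 --decode` fails on the log output. Whatever the role manager returned is then left behind in the working tree. Write it to a `mktemp` file and remove it from an EXIT trap, e.g. `response_file="$(mktemp)"` and `trap 'rm -f -- "${response_file}"' EXIT`. bin/create-or-update-database-roles has the same pattern.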
@@ -12,9 +12,9 @@ account_name="$1" # This is used later to determine the run id of the workflow run # See comment below about "Getting workflow run id" -prev_run_create_time=$(gh run list --workflow check-ci-cd-auth.yml --limit 1 --json createdAt --jq ".[].createdAt") +prev_run_create_time="$(gh run list --workflow check-ci-cd-auth.yml --limit 1 --json createdAt --jq ".[].createdAt")" -code_repository=$(terraform -chdir="infra/project-config" output --raw code_repository) +code_repository="$(terraform -chdir="infra/project-config" output --raw code_repository)" echo "=========================" echo "Check GitHub Actions Auth" @@ -28,9 +28,9 @@ echo "::group::AWS account authentication details" terraform -chdir="infra/project-config" init > /dev/null terraform -chdir="infra/project-config" apply -auto-approve > /dev/null -aws_region=$(terraform -chdir="infra/project-config" output -raw default_region) +aws_region="$(terraform -chdir="infra/project-config" output -raw default_region)" echo "aws_region=${aws_region}" -github_actions_role_name=$(terraform -chdir="infra/project-config" output -raw github_actions_role_name) +github_actions_role_name="$(terraform -chdir="infra/project-config" output -raw github_actions_role_name)" echo "github_actions_role_name=${github_actions_role_name}" # Get the account id associated with the account name extracting the @@ -38,7 +38,7 @@ echo "github_actions_role_name=${github_actions_role_name}" # ..s3.tfbackend. # The cut command splits the string with period as the delimiter and # extracts the second field. -account_id=$(find "infra/accounts/${account_name}."*.s3.tfbackend | cut -d. -f2) +account_id="$(find "infra/accounts/${account_name}."*.s3.tfbackend | cut -d. -f2)" echo "account_id=${account_id}" aws_role_to_assume="arn:aws:iam::${account_id}:role/${github_actions_role_name}" 
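Review bot: `code_repository` is read with `terraform output` at the top of the script, while the `init` and `apply` for `infra/project-config` only appear in the next hunk. Unless an init happens in the lines not shown, a fresh checkout has no state to read the output from. Moving the `code_repository` assignment below the `terraform -chdir="infra/project-config" apply -auto-approve` line would keep it with the other two output reads.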
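Review bot: `account_id` is taken from whatever `find ... | cut -d. -f2` prints and is placed straight into the role ARN on the following line, with no check that it is a single account id. Two matching backend files give a multi-line value, and an account name that itself contains a dot shifts the field. A guard such as `[[ "${account_id}" =~ ^[0-9]{12}$ ]] || { echo "Unexpected account id: ${account_id}" >&2; exit 1; }` before `aws_role_to_assume` is built would catch both.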
@@ -76,13 +76,13 @@ echo "Previous workflow run created at ${prev_run_create_time}" echo "Check workflow run create time until we find a newer workflow run" while : ; do echo -n "." - run_create_time=$(gh run list --workflow check-ci-cd-auth.yml --limit 1 --json createdAt --jq ".[].createdAt") + run_create_time="$(gh run list --workflow check-ci-cd-auth.yml --limit 1 --json createdAt --jq ".[].createdAt")" [[ "${run_create_time}" > "${prev_run_create_time}" ]] && break done echo "Found newer workflow run created at ${run_create_time}" echo "Get id of workflow run" -workflow_run_id=$(gh run list --workflow check-ci-cd-auth.yml --limit 1 --json databaseId --jq ".[].databaseId") +workflow_run_id="$(gh run list --workflow check-ci-cd-auth.yml --limit 1 --json databaseId --jq ".[].databaseId")" echo "Workflow run id: ${workflow_run_id}" workflow_run_url="https://github.com/${code_repository}/actions/runs/${workflow_run_id}" diff --git a/bin/configure-monitoring-secret b/bin/configure-monitoring-secret index ed3720af..929e12c6 100755 --- a/bin/configure-monitoring-secret +++ b/bin/configure-monitoring-secret 
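Review bot: The `while : ; do` loop polls `gh run list` back to back with no delay and no upper bound, so it can burn through the GitHub API rate limit and will spin forever if the workflow never starts. Add a pause and an attempt limit, for example `sleep 2` after the comparison and an error exit once a counter passes a fixed number of tries. Selecting the run with `--limit 1` also assumes nobody else triggers `check-ci-cd-auth.yml` in the same window; otherwise `workflow_run_id` may belong to a different run.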
@@ -19,13 +19,13 @@ integration_endpoint_url="$3" terraform -chdir="infra/${app_name}/app-config" init > /dev/null terraform -chdir="infra/${app_name}/app-config" apply -auto-approve > /dev/null -has_incident_management_service=$(terraform -chdir="infra/${app_name}/app-config" output -raw has_incident_management_service) +has_incident_management_service="$(terraform -chdir="infra/${app_name}/app-config" output -raw has_incident_management_service)" if [ "${has_incident_management_service}" = "false" ]; then echo "Application does not have incident management service, no secret to create" exit 0 fi -secret_name=$(terraform -chdir="infra/${app_name}/app-config" output -json environment_configs | jq -r ".${environment}.incident_management_service_integration.integration_url_param_name") +secret_name="$(terraform -chdir="infra/${app_name}/app-config" output -json environment_configs | jq -r ".${environment}.incident_management_service_integration.integration_url_param_name")" echo "=====================" echo "Setting up SSM secret" diff --git a/bin/create-or-update-database-roles b/bin/create-or-update-database-roles index a0865901..2ba5b32a 100755 --- a/bin/create-or-update-database-roles +++ b/bin/create-or-update-database-roles 
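Review bot: `secret_name` comes from `jq -r`, which prints the literal string `null` and exits 0 when the environment or the `integration_url_param_name` key is missing, so the steps below would presumably operate on a parameter called `null`. Use `jq -er` so the pipeline fails under `set -euo pipefail`. The script also takes `integration_endpoint_url` as its third argument, which appears to be the secret value itself and so ends up in shell history and the process list; reading it from stdin would avoid that. The code that writes the secret is outside this hunk.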
@@ -19,8 +19,8 @@ environment="$2" terraform -chdir="infra/${app_name}/app-config" init > /dev/null terraform -chdir="infra/${app_name}/app-config" apply -auto-approve > /dev/null ./bin/terraform-init "infra/${app_name}/database" "${environment}" -db_role_manager_function_name=$(terraform -chdir="infra/${app_name}/database" output -raw role_manager_function_name) -db_config=$(terraform -chdir="infra/${app_name}/app-config" output -json environment_configs | jq -r ".${environment}.database_config") +db_role_manager_function_name="$(terraform -chdir="infra/${app_name}/database" output -raw role_manager_function_name)" +db_config="$(terraform -chdir="infra/${app_name}/app-config" output -json environment_configs | jq -r ".${environment}.database_config")" payload="{\"action\":\"manage\",\"config\":${db_config}}" echo "================================" @@ -33,13 +33,13 @@ echo echo "Invoking Lambda function: ${db_role_manager_function_name}" echo " Payload: ${payload}" echo -cli_response=$(aws lambda invoke \ +cli_response="$(aws lambda invoke \ --function-name "${db_role_manager_function_name}" \ --no-cli-pager \ --log-type Tail \ --payload "$(echo -n "${payload}" | base64)" \ --output json \ - response.json) + response.json)" # Print logs out (they are returned base64 encoded) echo "${cli_response}" | jq -r '.LogResult' | base64 --decode @@ -49,7 +49,7 @@ cat response.json rm response.json # Exit with nonzero status if function failed -function_error=$(echo "${cli_response}" | jq -r '.FunctionError') +function_error="$(echo "${cli_response}" | jq -r '.FunctionError')" if [ "${function_error}" != "null" ]; then exit 1 fi diff --git a/bin/create-tfbackend b/bin/create-tfbackend index 0c7f67cb..0fc257e4 100755 --- a/bin/create-tfbackend +++ b/bin/create-tfbackend 
@@ -26,9 +26,9 @@ backend_config_file="${module_dir}/${backend_config_name}.s3.tfbackend" # and the name of the DynamoDB table that was created for tf state locks. # This will be used to configure the S3 backends in all the application # modules -tf_state_bucket_name=$(terraform -chdir="infra/accounts" output --raw tf_state_bucket_name) -tf_locks_table_name=$(terraform -chdir="infra/accounts" output --raw tf_locks_table_name) -region=$(terraform -chdir="infra/accounts" output --raw region) +tf_state_bucket_name="$(terraform -chdir="infra/accounts" output --raw tf_state_bucket_name)" +tf_locks_table_name="$(terraform -chdir="infra/accounts" output --raw tf_locks_table_name)" +region="$(terraform -chdir="infra/accounts" output --raw region)" echo "====================================" echo "Create terraform backend config file" diff --git a/bin/current-account-config-name b/bin/current-account-config-name index 80af12e3..f5a0419e 100755 --- a/bin/current-account-config-name +++ b/bin/current-account-config-name @@ -5,8 +5,8 @@ # The config name is "."" set -euo pipefail -current_account_id=$(./bin/current-account-id) -backend_config_file_path=$(ls -1 infra/accounts/*."${current_account_id}".s3.tfbackend) -backend_config_file=$(basename "${backend_config_file_path}") +current_account_id="$(./bin/current-account-id)" +backend_config_file_path="$(ls -1 infra/accounts/*."${current_account_id}".s3.tfbackend)" +backend_config_file="$(basename "${backend_config_file_path}")" backend_config_name="${backend_config_file/.s3.tfbackend/}" echo "${backend_config_name}" diff --git a/bin/deploy-release b/bin/deploy-release index e5b56d82..5503378f 100755 --- a/bin/deploy-release +++ b/bin/deploy-release 
@@ -22,8 +22,8 @@ echo "::endgroup::" # Wait for the service to become stable -cluster_name=$(terraform -chdir="infra/${app_name}/service" output -raw service_cluster_name) -service_name=$(terraform -chdir="infra/${app_name}/service" output -raw service_name) +cluster_name="$(terraform -chdir="infra/${app_name}/service" output -raw service_cluster_name)" +service_name="$(terraform -chdir="infra/${app_name}/service" output -raw service_name)" echo "Wait for service ${service_name} to become stable" aws ecs wait services-stable --cluster "${cluster_name}" --services "${service_name}" diff --git a/bin/destroy-pr-environment b/bin/destroy-pr-environment index 92c97eb1..77760978 100755 --- a/bin/destroy-pr-environment +++ b/bin/destroy-pr-environment @@ -33,13 +33,13 @@ terraform -chdir="infra/${app_name}/service" workspace select default echo "Delete workspace: ${workspace}" terraform -chdir="infra/${app_name}/service" workspace delete "${workspace}" -pr_info=$(cat <"*""* ]]; then diff --git a/bin/infra-deploy-status-check-configs b/bin/infra-deploy-status-check-configs index 9dadc1c7..502ee141 100755 --- a/bin/infra-deploy-status-check-configs +++ b/bin/infra-deploy-status-check-configs @@ -94,13 +94,13 @@ function get_app_names() { function get_account_layer_configs() { local configs - configs=$(get_root_module_configs "accounts") + configs="$(get_root_module_configs "accounts")" echo "${configs}" | jq -c '. + {account_name: (.backend_config_name | split(".")[0])}' } function get_network_layer_configs() { local configs - configs=$(get_root_module_configs "networks") + configs="$(get_root_module_configs "networks")" echo "${configs}" | jq -c '. + {extra_params: "-var=\"network_name=\(.backend_config_name)\""}' } diff --git a/bin/is-image-published b/bin/is-image-published index deaa24e6..fb0f2023 100755 --- a/bin/is-image-published +++ b/bin/is-image-published 
@@ -8,13 +8,13 @@ app_name="$1" git_ref="$2" # Get commit hash -image_tag=$(git rev-parse "${git_ref}") +image_tag="$(git rev-parse "${git_ref}")" # Need to init module when running in CD since GitHub actions does a fresh checkout of repo terraform -chdir="infra/${app_name}/app-config" init > /dev/null terraform -chdir="infra/${app_name}/app-config" apply -auto-approve > /dev/null -image_repository_name=$(terraform -chdir="infra/${app_name}/app-config" output -raw image_repository_name) -region=$(./bin/current-region) +image_repository_name="$(terraform -chdir="infra/${app_name}/app-config" output -raw image_repository_name)" +region="$(./bin/current-region)" result="" result=$(aws ecr describe-images --repository-name "${image_repository_name}" --image-ids "imageTag=${image_tag}" --region "${region}" 2> /dev/null ) || true diff --git a/bin/lint-markdown b/bin/lint-markdown index 73733a10..176cfe66 100755 --- a/bin/lint-markdown +++ b/bin/lint-markdown @@ -4,7 +4,7 @@ # running, regardless where the user is when invoking this script. # Grab the full directory name for where this script lives. -script_dir=$(readlink -f "$0" | xargs dirname) +script_dir="$(readlink -f "$0" | xargs dirname)" # Move up to the root since we want to do everything relative to that. Note that this only impacts # this script, but will leave the user wherever they were when the script exists. diff --git a/bin/publish-release b/bin/publish-release index 2d12453b..a5144466 100755 --- a/bin/publish-release +++ b/bin/publish-release 
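Review bot: The unchanged `result=$(aws ecr describe-images ... 2> /dev/null ) || true` line in bin/is-image-published discards every failure, so expired credentials, a wrong region or a throttled call are indistinguishable from an image that has not been published. Keep stderr and treat only the not-found case as unpublished, for instance by capturing stderr and matching `ImageNotFoundException`, and let other errors abort the script. It is also the one assignment in this hunk left without the quoting applied to the others.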
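Review bot: `readlink -f "$0" | xargs dirname` in bin/lint-markdown still breaks when the repository path contains spaces or quotes, because `xargs` re-splits its input into separate arguments; the new outer quotes do not help there. `script_dir="$(dirname -- "$(readlink -f -- "$0")")"` avoids the extra parsing step.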
@@ -17,9 +17,9 @@ echo " image_tag=${image_tag}" # Need to init module when running in CD since GitHub actions does a fresh checkout of repo terraform -chdir="infra/${app_name}/app-config" init > /dev/null terraform -chdir="infra/${app_name}/app-config" apply -auto-approve > /dev/null -image_repository_name=$(terraform -chdir="infra/${app_name}/app-config" output -raw image_repository_name) +image_repository_name="$(terraform -chdir="infra/${app_name}/app-config" output -raw image_repository_name)" -region=$(./bin/current-region) +region="$(./bin/current-region)" read -r image_registry_id image_repository_url <<< "$(aws ecr describe-repositories --repository-names "${image_repository_name}" --query "repositories[0].[registryId,repositoryUri]" --output text)" image_registry="${image_registry_id}.dkr.ecr.${region}.amazonaws.com" diff --git a/bin/run-command b/bin/run-command index edde6ba6..7b706467 100755 --- a/bin/run-command +++ b/bin/run-command 
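Review bot: The `read -r image_registry_id image_repository_url <<< "$(aws ecr describe-repositories ...)"` line masks a failed AWS call, since the here-string succeeds with empty input and `set -e` never sees the substitution's status. `image_registry` is then built as `.dkr.ecr.${region}.amazonaws.com` with an empty registry id. Assign the output first with `repo_info="$(aws ecr describe-repositories ...)"`, then `read -r image_registry_id image_repository_url <<< "${repo_info}"`. The call also omits `--region "${region}"`, although the registry host is built from that value.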
@@ -59,24 +59,24 @@ echo " task_role_arn=${task_role_arn:-}" echo # Use the same cluster, task definition, and network configuration that the application service uses -cluster_name=$(terraform -chdir="infra/${app_name}/service" output -raw service_cluster_name) -service_name=$(terraform -chdir="infra/${app_name}/service" output -raw service_name) +cluster_name="$(terraform -chdir="infra/${app_name}/service" output -raw service_cluster_name)" +service_name="$(terraform -chdir="infra/${app_name}/service" output -raw service_name)" # Get the log group and log stream prefix so that we can print out the ECS task's logs after running the task -log_group=$(terraform -chdir="infra/${app_name}/service" output -raw application_log_group) -log_stream_prefix=$(terraform -chdir="infra/${app_name}/service" output -raw application_log_stream_prefix) +log_group="$(terraform -chdir="infra/${app_name}/service" output -raw application_log_group)" +log_stream_prefix="$(terraform -chdir="infra/${app_name}/service" output -raw application_log_stream_prefix)" -service_task_definition_arn=$(aws ecs describe-services --no-cli-pager --cluster "${cluster_name}" --services "${service_name}" --query "services[0].taskDefinition" --output text) +service_task_definition_arn="$(aws ecs describe-services --no-cli-pager --cluster "${cluster_name}" --services "${service_name}" --query "services[0].taskDefinition" --output text)" # For subsequent commands, use the task definition family rather than the service's task definition ARN # because in the case of migrations, we'll deploy a new task definition revision before updating the # service, so the service will be using an old revision, but we want to use the latest revision. 
-task_definition_family=$(aws ecs describe-task-definition --no-cli-pager --task-definition "${service_task_definition_arn}" --query "taskDefinition.family" --output text) +task_definition_family="$(aws ecs describe-task-definition --no-cli-pager --task-definition "${service_task_definition_arn}" --query "taskDefinition.family" --output text)" -network_config=$(aws ecs describe-services --no-cli-pager --cluster "${cluster_name}" --services "${service_name}" --query "services[0].networkConfiguration") -current_region=$(./bin/current-region) -aws_user_id=$(aws sts get-caller-identity --no-cli-pager --query UserId --output text) +network_config="$(aws ecs describe-services --no-cli-pager --cluster "${cluster_name}" --services "${service_name}" --query "services[0].networkConfiguration")" +current_region="$(./bin/current-region)" +aws_user_id="$(aws sts get-caller-identity --no-cli-pager --query UserId --output text)" -container_name=$(aws ecs describe-task-definition --task-definition "${task_definition_family}" --query "taskDefinition.containerDefinitions[0].name" --output text) +container_name="$(aws ecs describe-task-definition --task-definition "${task_definition_family}" --query "taskDefinition.containerDefinitions[0].name" --output text)" overrides=$(cat << EOF { @@ -91,15 +91,15 @@ EOF ) if [ -n "${environment_variables}" ]; then - overrides=$(echo "${overrides}" | jq ".containerOverrides[0].environment |= ${environment_variables}") + overrides="$(echo "${overrides}" | jq ".containerOverrides[0].environment |= ${environment_variables}")" fi if [ -n "${task_role_arn}" ]; then - overrides=$(echo "${overrides}" | jq ".taskRoleArn |= \"${task_role_arn}\"") + overrides="$(echo "${overrides}" | jq ".taskRoleArn |= \"${task_role_arn}\"")" fi -task_start_time=$(date +%s) -task_start_time_millis=$((task_start_time * 1000)) +task_start_time="$(date +%s)" +task_start_time_millis="$((task_start_time * 1000))" aws_args=( ecs run-task 
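Review bot: Both `jq` calls in the `@@ -91,15` hunk build their filter from caller-supplied option values: `${environment_variables}` is pasted in as jq source and `${task_role_arn}` is pasted inside a quoted string, so malformed or crafted input changes the program instead of the data. Bind them as variables: `jq --argjson env "${environment_variables}" '.containerOverrides[0].environment |= $env'` and `jq --arg arn "${task_role_arn}" '.taskRoleArn |= $arn'`. `--argjson` also rejects input that is not valid JSON before the overrides reach `aws ecs run-task`.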
@@ -114,13 +114,13 @@ aws_args=( ) echo "::group::Running AWS CLI command" printf " ... %s\n" "${aws_args[@]}" -task_arn=$(aws --no-cli-pager "${aws_args[@]}" --query "tasks[0].taskArn" --output text) +task_arn="$(aws --no-cli-pager "${aws_args[@]}" --query "tasks[0].taskArn" --output text)" echo "::endgroup::" echo # Get the task id by extracting the substring after the last '/' since the task ARN is of # the form "arn:aws:ecs:::task//" -ecs_task_id=$(basename "${task_arn}") +ecs_task_id="$(basename "${task_arn}")" # The log stream has the format "prefix-name/container-name/ecs-task-id" # See https://docs.aws.amazon.com/AmazonECS/latest/userguide/using_awslogs.html @@ -139,12 +139,12 @@ echo " log_stream=${log_stream}" num_retries_waiting_for_logs=0 while true; do - num_retries_waiting_for_logs=$((num_retries_waiting_for_logs+1)) + num_retries_waiting_for_logs="$((num_retries_waiting_for_logs+1))" if [ "${num_retries_waiting_for_logs}" -eq 20 ]; then echo "Timing out task ${ecs_task_id} waiting for logs" exit 1 fi - is_log_stream_created=$(aws logs describe-log-streams --no-cli-pager --log-group-name "${log_group}" --query "length(logStreams[?logStreamName==\`${log_stream}\`])") + is_log_stream_created="$(aws logs describe-log-streams --no-cli-pager --log-group-name "${log_group}" --query "length(logStreams[?logStreamName==\`${log_stream}\`])")" if [ "${is_log_stream_created}" == "1" ]; then break fi 
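Review bot: `task_arn` is not checked after `aws ecs run-task`, which can exit 0 with an empty `tasks` list and the reason in `failures`; with `--output text` the query then yields `None`. The script would go on to wait for a log stream of task `None` until the retry loop in the next hunk times out. Add `if [ "${task_arn}" = "None" ]; then echo "run-task did not start a task" >&2; exit 1; fi` right after the assignment. The `printf` above it echoes every argument into the CI log, presumably including the container overrides, which matters if secrets are ever passed through `--environment-variables`.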
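Review bot: The `describe-log-streams` call lists every stream in the log group and filters client-side with `--query`, which gets slower as the group accumulates streams. Passing `--log-stream-name-prefix "${log_stream}"` lets the service do the filtering. The retry limit of 20 is a bare number in the condition; a named variable next to `num_retries_waiting_for_logs=0` would document it.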
@@ -169,28 +169,28 @@ logs_start_time_millis="${task_start_time_millis}" while true; do # Print logs with human readable timestamps by fetching the log events as JSON # then transforming them afterwards using jq - log_events=$(aws logs get-log-events \ + log_events="$(aws logs get-log-events \ --no-cli-pager \ --log-group-name "${log_group}" \ --log-stream-name "${log_stream}" \ --start-time "${logs_start_time_millis}" \ --start-from-head \ --no-paginate \ - --output json) + --output json)" # Divide timestamp by 1000 since AWS timestamps are in milliseconds echo "${log_events}" | jq -r '.events[] | ((.timestamp / 1000 | strftime("%Y-%m-%d %H:%M:%S")) + "\t" + .message)' # If the task stopped, then stop tailing logs - last_task_status=$(aws ecs describe-tasks --cluster "${cluster_name}" --tasks "${task_arn}" --query "tasks[0].containers[?name=='${container_name}'].lastStatus" --output text) + last_task_status="$(aws ecs describe-tasks --cluster "${cluster_name}" --tasks "${task_arn}" --query "tasks[0].containers[?name=='${container_name}'].lastStatus" --output text)" if [ "${last_task_status}" = "STOPPED" ]; then break fi # If there were new logs printed, then update the logs start time filter # to be the last log's timestamp + 1 - last_log_timestamp=$(echo "${log_events}" | jq -r '.events[-1].timestamp' ) + last_log_timestamp="$(echo "${log_events}" | jq -r '.events[-1].timestamp' )" if [ "${last_log_timestamp}" != "null" ]; then - logs_start_time_millis=$((last_log_timestamp + 1)) + logs_start_time_millis="$((last_log_timestamp + 1))" fi # Give the application a moment to generate more logs before fetching again 
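Review bot: The tailing loop breaks as soon as `last_task_status` is `STOPPED`, but the log events were fetched before that status check, so lines the container wrote between the fetch and the stop are never printed. Those are often the lines that explain a failure. Fetch once more after the loop so the tail is complete. The loop also has no upper bound: if the container query returns an empty string, for instance because `container_name` does not match, it never ends.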
@@ -199,20 +199,20 @@ done echo "::endgroup::" echo -container_exit_code=$( +container_exit_code="$( aws ecs describe-tasks \ --cluster "${cluster_name}" \ --tasks "${task_arn}" \ --query "tasks[0].containers[?name=='${container_name}'].exitCode" \ --output text -) +)" if [[ "${container_exit_code}" == "null" || "${container_exit_code}" != "0" ]]; then echo "Task failed" >&2 # Although we could avoid extra calls to AWS CLI if we just got the full JSON response from # `aws ecs describe-tasks` and parsed it with jq, we are trying to avoid unnecessary dependencies. - container_status=$(aws ecs describe-tasks --cluster "${cluster_name}" --tasks "${task_arn}" --query "tasks[0].containers[?name=='${container_name}'].[lastStatus,exitCode,reason]" --output text) - task_status=$(aws ecs describe-tasks --cluster "${cluster_name}" --tasks "${task_arn}" --query "tasks[0].[lastStatus,stopCode,stoppedAt,stoppedReason]" --output text) + container_status="$(aws ecs describe-tasks --cluster "${cluster_name}" --tasks "${task_arn}" --query "tasks[0].containers[?name=='${container_name}'].[lastStatus,exitCode,reason]" --output text)" + task_status="$(aws ecs describe-tasks --cluster "${cluster_name}" --tasks "${task_arn}" --query "tasks[0].[lastStatus,stopCode,stoppedAt,stoppedReason]" --output text)" echo "Container status (lastStatus, exitCode, reason): ${container_status}" >&2 echo "Task status (lastStatus, stopCode, stoppedAt, stoppedReason): ${task_status}" >&2 diff --git a/bin/run-database-migrations b/bin/run-database-migrations index ba47ea15..6353219f 100755 --- a/bin/run-database-migrations +++ b/bin/run-database-migrations 
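Review bot: In `[[ "${container_exit_code}" == "null" || "${container_exit_code}" != "0" ]]` the first clause is redundant, because any value other than `0` already satisfies the second. With `--output text` a missing exit code is printed as `None`, not `null`, which makes the clause misleading as well. `if [[ "${container_exit_code}" != "0" ]]; then` says the same thing.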
@@ -31,16 +31,16 @@ echo "Step 0. Check if app has a database" terraform -chdir="infra/${app_name}/app-config" init > /dev/null terraform -chdir="infra/${app_name}/app-config" apply -auto-approve > /dev/null -has_database=$(terraform -chdir="infra/${app_name}/app-config" output -raw has_database) +has_database="$(terraform -chdir="infra/${app_name}/app-config" output -raw has_database)" if [ "${has_database}" = "false" ]; then echo "Application does not have a database, no migrations to run" exit 0 fi -db_migrator_user=$(terraform -chdir="infra/${app_name}/app-config" output -json environment_configs | jq -r ".${environment}.database_config.migrator_username") +db_migrator_user="$(terraform -chdir="infra/${app_name}/app-config" output -json environment_configs | jq -r ".${environment}.database_config.migrator_username")" ./bin/terraform-init "infra/${app_name}/service" "${environment}" -migrator_role_arn=$(terraform -chdir="infra/${app_name}/service" output -raw migrator_role_arn) +migrator_role_arn="$(terraform -chdir="infra/${app_name}/service" output -raw migrator_role_arn)" echo echo "::group::Step 1. Update task definition without updating service" @@ -57,9 +57,9 @@ echo 'Step 2. Run "db-migrate" command' command='["db-migrate"]' # Indent the later lines more to make the output of run-command prettier -environment_variables=$(cat << EOF +environment_variables="$(cat << EOF [{ "name" : "DB_USER", "value" : "${db_migrator_user}" }] EOF -) +)" ./bin/run-command --task-role-arn "${migrator_role_arn}" --environment-variables "${environment_variables}" "${app_name}" "${environment}" "${command}" diff --git a/bin/set-up-current-account b/bin/set-up-current-account index 8bfc8eea..9d5bfea1 100755 --- a/bin/set-up-current-account +++ b/bin/set-up-current-account 
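Review bot: The `environment_variables` here-document places `${db_migrator_user}` into JSON without escaping, so a username containing a quote or backslash produces invalid or altered JSON that is then handed to `./bin/run-command`. Since `jq` is already used a few lines above, build the value there: `environment_variables="$(jq -n --arg user "${db_migrator_user}" '[{name: "DB_USER", value: $user}]')"`. That also removes the need for the multi-line substitution this hunk re-quotes.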
@@ -24,12 +24,12 @@ set -euo pipefail account_name="$1" -account_id=$(./bin/current-account-id) -region=$(./bin/current-region) +account_id="$(./bin/current-account-id)" +region="$(./bin/current-region)" # Get project name terraform -chdir="infra/project-config" apply -auto-approve > /dev/null -project_name=$(terraform -chdir="infra/project-config" output --raw project_name) +project_name="$(terraform -chdir="infra/project-config" output --raw project_name)" tf_state_bucket_name="${project_name}-${account_id}-${region}-tf" tf_state_key="infra/account.tfstate" @@ -72,7 +72,7 @@ cd infra/accounts # is already an existing OpenID Connect provider for GitHub Actions. This check # is needed since there can only be one OpenID Connect provider per URL per AWS # account. -github_arn=$(aws iam list-open-id-connect-providers | jq -r ".[] | .[] | .Arn" | grep github || echo "") +github_arn="$(aws iam list-open-id-connect-providers | jq -r ".[] | .[] | .Arn" | grep github || echo "")" if [[ -z "${github_arn}" ]]; then aws iam create-open-id-connect-provider \ diff --git a/template-only-bin/destroy-account b/template-only-bin/destroy-account index e855096b..f97fbd9a 100755 --- a/template-only-bin/destroy-account +++ b/template-only-bin/destroy-account @@ -6,7 +6,7 @@ # ----------------------------------------------------------------------------- set -euxo pipefail -config_name=$(./bin/current-account-config-name) +config_name="$(./bin/current-account-config-name)" backend_config_file="${config_name}.s3.tfbackend" cd infra/accounts diff --git a/template-only-bin/install-template b/template-only-bin/install-template index d1967006..1bef0d63 100755 --- a/template-only-bin/install-template +++ b/template-only-bin/install-template @@ -4,8 +4,8 @@ # this script from your project's root directory. set -euox pipefail -cur_dir=$(pwd) -script_dir=$(dirname "$0") +cur_dir="$(pwd)" +script_dir="$(dirname "$0")" template_dir="${script_dir}/.." echo "Copy files from template-infra" 
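Review bot: The `github_arn` check in the `@@ -72,7` hunk accepts any provider ARN containing `github` as the GitHub Actions provider, and the trailing `|| echo ""` turns a failed `aws iam list-open-id-connect-providers` or `jq` call into "no provider found". In the first case an unrelated provider suppresses creation; in the second the script goes on to `create-open-id-connect-provider` on the strength of an error. Assuming the provider uses GitHub's standard issuer, match it exactly with `grep -F "oidc-provider/token.actions.githubusercontent.com"`. Run the AWS call as its own assignment, so that only `grep` is allowed to return non-zero.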
diff --git a/template-only-bin/update-template b/template-only-bin/update-template index 906531c6..9906b78d 100755 --- a/template-only-bin/update-template +++ b/template-only-bin/update-template @@ -11,7 +11,7 @@ set -euo pipefail target_version=${1:-"main"} -current_version=$(cat .template-version) +current_version="$(cat .template-version)" echo "Clone template-infra" git clone https://github.com/navapbc/template-infra.git @@ -21,7 +21,7 @@ cd template-infra git checkout "${target_version}" # Get version hash to update .template-version after patch is successful -target_version_hash=$(git rev-parse HEAD) +target_version_hash="$(git rev-parse HEAD)" # Note: Keep this list in sync with the files copied in install-template git diff "${current_version}" "${target_version}" --binary -- .github bin docs infra Makefile .dockleconfig .gitignore .grype.yml .hadolint.yaml .trivyignore .terraform-version > update.patch