terraform 中的表达式错误无效。如何摆脱发现无效的表达式令牌？

问：

│ Error: Invalid expression │ │ On modules/alerts/module/main.tf line 52: Expected the start of an │ expression, but found an invalid expression token.

variable "template" {
  type = object({
    queryFrequency   = string
    severity         = string
    queryPeriod      = string
    triggerThreshold = string
    triggerOperator  = string
    displayName      = string
    query            = string
    tactics          = list(string) 
    description      = string
    entity_mapping =  object({
        entity_type    = string
        field_mappings = list(object({
          identifier  = string
          column_name = string
    }))
  })
  
  })
  default = {
    queryFrequency   = "P1D"
    severity         = "Informational"
    queryPeriod      = "P1D"
    triggerThreshold = "0"
    triggerOperator  = "GreaterThan"
    displayName      = "EXAMPLE Rule - Attempts to sign in to disabled accounts 3"
    query            = <<EOF
let threshold = 3;
let aadFunc = (tableName:string){
table(tableName)
| where ResultType == "50057"
| where ResultDescription =~ "User account is disabled. The account has been disabled by an administrator."
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), 
applicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type
| where applicationCount >= threshold
| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
};
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union isfuzzy=true aadSignin, aadNonInt
EOF
    tactics          = []
    description      = <<EOF
This is an example rule to identify parameters needed.
Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.
Default threshold for Azure Applications attempted to sign in to is 3.
References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
50057 - User account is disabled. The account has been disabled by an administrator.
EOF
    entity_mapping =
    {
    entity_type = "Host"
    field_mapping = [{
      identifier  = "HostName"
      column_name = "Computer"
    }
    ]
    }
}
}

我试图更改等号、括号，但我仍然被这个错误阻止。我认为对于专家来说，这可能很容易看到，但我不知道发生了什么。我以为它可以是带有 EOF 块和白色标志的东西，比如 EOF 之前的空格，但事实并非如此。我正在尝试使用此变量模板来制定 azure sentinel 规则。