diff --git a/patch-aws-auth/README.md b/patch-aws-auth/README.md index 469d317..3b790e9 100644 --- a/patch-aws-auth/README.md +++ b/patch-aws-auth/README.md @@ -1,7 +1,29 @@ # About patch-aws-auth + This allows to add IAM roles and IAM users to the `aws-auth ConfigMap`, to tie IAM resources into Kubernetes (k8s) users and group permissions. +You pass an array of ConfigMap objects for IAM users and IAM roles. + +# Configuration +## User ConfigMap Entry + +| Name | Description | +|------|-------------| +| userarn | ARN of IAM user. This is calculated from the `aws_username` if empty | +| aws\_username | If present, lookup the ARN for this user and populate the `userarn` variable above | +| username | The Kubernetes user to map this IAM user into | +| groups | A list of Kubernetes groups (defined through RoleBinding) to assign to the IAM user | + +## Role ConfigMap Entry + +| Name | Description | +|------|-------------| +| rolearn | ARN of IAM role. This is calculated from the `aws_rolename` if empty | +| aws\_rolename | If present, lookup the ARN for this role and populate the `rolearn` variable above | +| username | The Kubernetes user to map this IAM user into | +| groups | A list of Kubernetes groups (defined through RoleBinding) to assign to the IAM user | + # Example variable usage ```hcl 
@@ -82,12 +104,7 @@ No modules. | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | `null` | no | | [cluster\_version](#input\_cluster\_version) | The EKS Kubernetes version number, see https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html | `string` | `"1.21"` | no | | [domain](#input\_domain) | The DNS domain name of the cluster. Defaults to empty which causes the sample application to use the domain assigned to the load balancer of the istio ingress gateway. | `string` | `""` | no | -| [instance\_type](#input\_instance\_type) | EKS worker node instance type (default: t3.xlarge) | `string` | `"t3.xlarge"` | no | | [keep\_temporary\_files](#input\_keep\_temporary\_files) | This module creates temporary files in setup/patch-aws-auth.TIMESTAMP.*. This flag determines whether to keep or remove them (default: false) | `bool` | `false` | no | -| [nodegroup\_desired\_size](#input\_nodegroup\_desired\_size) | EKS Nodegroup desire size (default: 1) | `number` | `1` | no | -| [nodegroup\_instance\_disk\_size](#input\_nodegroup\_instance\_disk\_size) | The size of EKS nodegroup EBS disk in gigabytes (default: 40) | `number` | `40` | no | -| [nodegroup\_maximum\_size](#input\_nodegroup\_maximum\_size) | EKs Nodegroup maximum size (default: 16) | `number` | `16` | no | -| [nodegroup\_minumum\_size](#input\_nodegroup\_minumum\_size) | EKS Nodegroup minimum size (default: 1) | `number` | `1` | no | | [profile](#input\_profile) | AWS config profile. This is needed because we call the AWSCLI. | `string` | n/a | yes | | [region](#input\_region) | AWS region (default: pull from current running provider) | `string` | `""` | no | diff --git a/patch-aws-auth/main.tf b/patch-aws-auth/main.tf index cc31aab..d4232e7 100644 --- a/patch-aws-auth/main.tf +++ b/patch-aws-auth/main.tf 
@@ -1,8 +1,30 @@ /* * # About patch-aws-auth +* * This allows to add IAM roles and IAM users to the `aws-auth ConfigMap`, to tie IAM resources into * Kubernetes (k8s) users and group permissions. * +* You pass an array of ConfigMap objects for IAM users and IAM roles. +* +* # Configuration +* ## User ConfigMap Entry +* +* | Name | Description | +* |------|-------------| +* | userarn | ARN of IAM user. This is calculated from the `aws_username` if empty | +* | aws_username | If present, lookup the ARN for this user and populate the `userarn` variable above | +* | username | The Kubernetes user to map this IAM user into | +* | groups | A list of Kubernetes groups (defined through RoleBinding) to assign to the IAM user | +* +* ## Role ConfigMap Entry +* +* | Name | Description | +* |------|-------------| +* | rolearn | ARN of IAM role. This is calculated from the `aws_rolename` if empty | +* | aws_rolename | If present, lookup the ARN for this role and populate the `rolearn` variable above | +* | username | The Kubernetes user to map this IAM user into | +* | groups | A list of Kubernetes groups (defined through RoleBinding) to assign to the IAM user | +* * # Example variable usage * * ```hcl
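Review bot: In the README hunk (`@@ -1,7 +1,29 @@`), the "Role ConfigMap Entry" table was copy-pasted from the user table and still says "The Kubernetes user to map this IAM user into" and "to assign to the IAM user" for the `username` and `groups` rows; both should read "IAM role", since a wrong subject type in the docs is exactly how someone ends up with the wrong principal in `aws-auth`. The two lookup rows also leave precedence undefined: `userarn` says it is "calculated from the `aws_username` if empty" while `aws_username` says "If present, lookup the ARN ... and populate the `userarn`", so it is unclear which wins when a caller sets both (and likewise `rolearn` vs `aws_rolename`); state the rule explicitly, e.g. "`aws_username` is only consulted when `userarn` is empty; setting both is an error". Finally, "groups (defined through RoleBinding)" is misleading: groups are not defined anywhere, they are free-form names matched against the `subjects` of RoleBindings/ClusterRoleBindings, so a mapping grants whatever those bindings (or built-in groups such as `system:masters`) grant; say so, since that is the part the reader must audit. Minor grammar: "This allows to add" should be "This allows adding", and the backticks should cover `aws-auth` only, not "ConfigMap".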
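Review bot: In the README inputs hunk (`@@ -82,12 +104,7 @@`), the `instance_type` and four `nodegroup_*` rows are deleted but this patch touches only README.md and main.tf, so please confirm that the corresponding declarations are removed from variables.tf in the same change; otherwise the next terraform-docs run reinstates the rows and the table is wrong again. The unchanged context lines deserve a touch-up while you are here: `cluster_name` reads "EKS cluster name name component used through out" ("name name", "throughout"), and `profile` says "This is needed because we call the AWSCLI", which should say what is called and with which credentials, because that is the principal that performs the IAM user/role ARN lookup described at the top of the file. The `keep_temporary_files` row should also say what `setup/patch-aws-auth.TIMESTAMP.*` contains (the rendered `aws-auth` mapping of IAM principals to Kubernetes users and groups) so readers understand why the default is `false` and why the files should not be committed.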
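Review bot: In the main.tf hunk (`@@ -1,8 +1,30 @@`), the header comment repeats the README text verbatim, including the same copy-paste error in the "Role ConfigMap Entry" table ("The Kubernetes user to map this IAM user into" and "to assign to the IAM user" should both say "IAM role") and the same undefined precedence between `rolearn` and `aws_rolename`; fix both places or, if the README "About" section is generated from this comment by terraform-docs, fix only the comment here and regenerate the README so the two cannot drift apart. The `groups` row should also say that the names are matched against RoleBinding/ClusterRoleBinding subjects rather than "defined through RoleBinding", since that is what determines the permissions a mapped IAM principal actually receives.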