diff --git a/patch-aws-auth/README.md b/patch-aws-auth/README.md
index 2f992e0..8ce2fae 100644
--- a/patch-aws-auth/README.md
+++ b/patch-aws-auth/README.md
@@ -67,6 +67,7 @@ module "awsauth_base_users" {
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 0.12.31 |
+| [terraform](#requirement\_terraform) | >= 1.0 |
| [null](#requirement\_null) | >= 3.1 |
## Providers
@@ -101,8 +102,8 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [aws\_auth\_roles](#input\_aws\_auth\_roles) | A list of objects where each object has rolearn, aws\_rolename, (k8s) username, and (k8s) groups, where groups is a list of groups to associate with the role. Leaving rolearn as an empty string will pull the role ARN from AWS. |
list(object({
rolearn = string
aws_rolename = string
username = string
groups = list(string)
})) | `[]` | no |
-| [aws\_auth\_users](#input\_aws\_auth\_users) | A list of objects where each object has userarn, aws\_username, (k8s) username, and (k8s) groups, where groups is a list of groups to associate with the user. Leaving userarn as an empty string will pull the user ARN from AWS. | list(object({
userarn = string
aws_username = string
username = string
groups = list(string)
})) | `[]` | no |
+| [aws\_auth\_roles](#input\_aws\_auth\_roles) | A list of objects where each object has rolearn, aws\_rolename, (k8s) username, and (k8s) groups, where groups is a list of groups to associate with the role. Leaving rolearn as an empty string will pull the role ARN from AWS. | list(object({
rolearn = optional(string, null)
aws_rolename = optional(string, null)
username = string
groups = optional(list(string), [])
})) | `[]` | no |
+| [aws\_auth\_users](#input\_aws\_auth\_users) | A list of objects where each object has userarn, aws\_username, (k8s) username, and (k8s) groups, where groups is a list of groups to associate with the user. Leaving userarn as an empty string will pull the user ARN from AWS. | list(object({
userarn = optional(string, null)
aws_username = optional(string, null)
username = string
groups = optional(list(string), [])
})) | `[]` | no |
| [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | `null` | no |
| [cluster\_version](#input\_cluster\_version) | The EKS Kubernetes version number, see https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html | `string` | `"1.21"` | no |
| [domain](#input\_domain) | The DNS domain name of the cluster. Defaults to empty which causes the sample application to use the domain assigned to the load balancer of the istio ingress gateway. | `string` | `""` | no |
diff --git a/patch-aws-auth/variables.aws-auth.tf b/patch-aws-auth/variables.aws-auth.tf
index d43c508..19b562d 100644
--- a/patch-aws-auth/variables.aws-auth.tf
+++ b/patch-aws-auth/variables.aws-auth.tf
@@ -3,21 +3,32 @@
variable "aws_auth_users" {
description = "A list of objects where each object has userarn, aws_username, (k8s) username, and (k8s) groups, where groups is a list of groups to associate with the user. Leaving userarn as an empty string will pull the user ARN from AWS."
type = list(object({
- userarn = string
- aws_username = string
+ userarn = optional(string, null)
+ aws_username = optional(string, null)
username = string
- groups = list(string)
+ groups = optional(list(string), [])
}))
default = []
+
+ validation {
+ condition = all([for v in var.aws_auth_users : v.userarn != null && v.aws_username != null])
+ error_message = "Both userarn and aws_userarn may not be null."
+ }
}
variable "aws_auth_roles" {
description = "A list of objects where each object has rolearn, aws_rolename, (k8s) username, and (k8s) groups, where groups is a list of groups to associate with the role. Leaving rolearn as an empty string will pull the role ARN from AWS."
type = list(object({
- rolearn = string
- aws_rolename = string
+ rolearn = optional(string, null)
+ aws_rolename = optional(string, null)
username = string
- groups = list(string)
+ groups = optional(list(string), [])
}))
default = []
+
+ validation {
+ condition = all([for v in var.aws_auth_roles : v.rolearn != null && v.aws_rolename != null])
+ error_message = "Both rolearn and aws_rolename may not be null."
+ }
}
+
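Review bot: Both new `validation` blocks call `all(...)`, which is not a Terraform built-in; the function for a list of booleans is `alltrue`, so as written these conditions should fail to evaluate. The `&&` also requires both fields to be set, which contradicts the new `optional(..., null)` types and the error text; if the intent is that at least one identifier is present, the users condition would be `condition = alltrue([for v in var.aws_auth_users : v.userarn != null || v.aws_username != null])`, with the same shape for `aws_auth_roles`. The users message names `aws_userarn` where the attribute is `aws_username`, and both descriptions still tell callers to leave the ARN as an empty string, so a check such as `v.userarn != ""` may be needed too (the code that consumes these lists is outside the hunk). These entries appear to feed the cluster's aws-auth identity mapping, so rejecting an entry with no resolvable principal at plan time is worth getting right.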
diff --git a/patch-aws-auth/versions.tf b/patch-aws-auth/versions.tf
index 9896697..9765c48 100644
--- a/patch-aws-auth/versions.tf
+++ b/patch-aws-auth/versions.tf
@@ -1,9 +1,9 @@
terraform {
+ required_version = ">= 1.0"
required_providers {
null = {
source = "hashicorp/null"
version = ">= 3.1"
}
}
- # required_version = ">= 0.13"
}
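Review bot: `required_version = ">= 1.0"` is lower than what the rest of this commit needs: the two-argument form `optional(string, null)` used in variables.aws-auth.tf became generally available in Terraform 1.3, so 1.0–1.2 would satisfy this constraint and then fail on the type expression. Consider `required_version = ">= 1.3"`. The README requirements table would then need regenerating so it shows a single terraform row with the same bound; the README hunk currently adds `>= 1.0` next to the existing `>= 0.12.31` row.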