diff --git a/README.md b/README.md index 75bc53c..32aac9c 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,24 @@ Because of this quirk, this is a two-step apply. The first step creates the IAM % terraform apply -target=module.myrole ``` +# Notes +## Policies + +When using `attached_policies`, it is important those policy ARNs exist before attempting to use the module +with `plan` or `apply`. The module is called with an unknown value and it fails if not. You'll need to target your +first apply with that of the policy like: + +```shell +tf-apply -target=aws_iam_policy.mypolicy +``` + +and then you can continue with the rest of the operation. In Terraform 0.12, modules do not support `depends_on`. + +## LDAP Settings +You will get a very weird error about the LDAP provider having an invalid DN format if you pass anything to `ldap_user` +variable that does not look like a DN (cn=something,...). Be sure you've got a valid username and password for +LDAP. It's less importatn if you do not have `enable_ldap_creation` set to true (not sure if it will fail though). + # Usage Creating a SAML role with two attached policies diff --git a/main.tf b/main.tf index bea0a8e..93d461a 100644 --- a/main.tf +++ b/main.tf 
@@ -21,6 +21,24 @@ * % terraform apply -target=module.myrole * ``` * +* # Notes +* ## Policies +* +* When using `attached_policies`, it is important those policy ARNs exist before attempting to use the module +* with `plan` or `apply`. The module is called with an unknown value and it fails if not. You'll need to target your +* first apply with that of the policy like: +* +* ```shell +* tf-apply -target=aws_iam_policy.mypolicy +* ``` +* +* and then you can continue with the rest of the operation. In Terraform 0.12, modules do not support `depends_on`. +* +* ## LDAP Settings +* You will get a very weird error about the LDAP provider having an invalid DN format if you pass anything to `ldap_user` +* variable that does not look like a DN (cn=something,...). Be sure you've got a valid username and password for +* LDAP. It's less importatn if you do not have `enable_ldap_creation` set to true (not sure if it will fail though). +* * # Usage * * Creating a SAML role with two attached policies
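Review bot: The README hunk has a typo in the new LDAP Settings paragraph, "It's less importatn if you do not have `enable_ldap_creation` set to true", which should read "important"; while editing that line, the trailing "(not sure if it will fail though)" is a guess rather than documentation, so either verify the behaviour with `enable_ldap_creation = false` and state it, or drop the parenthetical. In the Policies section the command `tf-apply -target=aws_iam_policy.mypolicy` uses a `tf-apply` alias that is not defined anywhere in this file, whereas the surrounding text uses `terraform apply -target=module.myrole`; spelling it out as `terraform apply -target=aws_iam_policy.mypolicy` keeps the two-step apply instructions consistent and copy-pasteable.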
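Review bot: The main.tf hunk duplicates the README text verbatim inside the header comment, including the "importatn" typo and the undefined `tf-apply` alias, so both copies now need the same corrections and will drift apart on the next edit; consider keeping the notes in README.md only and pointing to it from the comment, or at minimum fixing the typo and the command in both places in this change.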