diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9af80b1..52c10ca 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,7 @@
# Versions
+## version 1.x
+
* v1.0.0 -- 20210301
- initial creation
@@ -22,3 +24,30 @@
* v1.3.0 -- 20211018
- add new bocApplicationData CPASS_ApprovalGroup attribute
+
+* 2.0.1 -- 20211216
+ - add max_session_duration variable
+ - split ldap variables into variables.ldap.tf
+ - add defaults.tf
+
+* v1.3.0 -- 20211018
+ - add new bocApplicationData CPASS_ApprovalGroup attribute
+
+* 1.3.1 -- 20211216
+ - add max_session_duration variable
+ - split ldap variables into variables.ldap.tf
+ - add defaults.tf
+
+## version 2.x
+
+branch: compat-tf-0.13
+tag: 2.0.1
+
+* v1.3.0-compat-tf-0.13 -- 20211122
+ - tag compat-tf-0.13
+ - add provider support for tf 0.13+
+
+* 2.0.1 -- 20211216
+ - add max_session_duration variable
+ - split ldap variables into variables.ldap.tf
+ - add defaults.tf
diff --git a/README.md b/README.md
index f92f23d..05ca258 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,7 @@ module "myrole1" {
ldap_password = "password1234$$"
# optional
+ max_session_duration = 14400 # 4h
ldap_host = "ldap.e.tco.census.gov"
ldap_port = 389
}
@@ -148,6 +149,7 @@ No modules.
| [ldap\_password](#input\_ldap\_password) | LDAP password for ldap\_user for writing data into eDirectory or Active Directory | `string` | `""` | no |
| [ldap\_port](#input\_ldap\_port) | LDAP port (default is 389 but also using STARTTLS) | `number` | `389` | no |
| [ldap\_user](#input\_ldap\_user) | LDAP user for writing data into eDirectory or Active Directory | `string` | `""` | no |
+| [max\_session\_duration](#input\_max\_session\_duration) | n/a | `number` | `3600` | no |
| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (role, policy). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| [role\_description](#input\_role\_description) | Role/application description | `string` | `""` | no |
| [role\_name](#input\_role\_name) | Role/application name without prefix | `string` | n/a | yes |
diff --git a/defaults.tf b/defaults.tf
new file mode 100644
index 0000000..71d8828
--- /dev/null
+++ b/defaults.tf
@@ -0,0 +1,6 @@
+locals {
+ _defaults = {
+ "force_detach_policies" = false
+ "max_session_duration" = 3600
+ }
+}
diff --git a/main.tf b/main.tf
index eaa4ffe..4097ccc 100644
--- a/main.tf
+++ b/main.tf
@@ -57,6 +57,7 @@
* ldap_password = "password1234$$"
*
* # optional
+* max_session_duration = 14400 # 4h
* ldap_host = "ldap.e.tco.census.gov"
* ldap_port = 389
* }
@@ -135,8 +136,8 @@ locals {
resource "aws_iam_role" "role" {
name = local.role_name
description = local.role_description
- force_detach_policies = false
- max_session_duration = 3600
+ force_detach_policies = lookup(local._defaults["force_detatch_policies"], false)
+ max_session_duration = var.max_session_duration
# assume_role_policy = data.terraform_remote_state.common.outputs.inf_saml_assume_policy_document
assume_role_policy = var.assume_policy_document
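Review bot: The new `force_detach_policies = lookup(local._defaults["force_detatch_policies"], false)` line will fail at plan time: the key is misspelled (defaults.tf defines `force_detach_policies`), so the index raises on a missing key, and `lookup()` expects the map as its first argument followed by key and default rather than an already-indexed value. Write it as `force_detach_policies = lookup(local._defaults, "force_detach_policies", false)`. `max_session_duration = var.max_session_duration` is also passed through unbounded here; since a longer value extends the lifetime of every credential assumed via this role, the range should be constrained on the variable rather than left to the AWS API to reject. The `aws_iam_role.role` resource continues outside the hunk.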
@@ -153,7 +154,7 @@ resource "aws_iam_role" "role" {
var.tags,
local.base_tags,
lookup(var.component_tags, "role", {}),
- map("Name", local.role_name)
+ tomap({ Name = local.role_name })
)
}
@@ -196,7 +197,8 @@ resource "null_resource" "role_ldif" {
}
resource "ldap_object" "role" {
- count = local.ldap_exists && local.enable_ldap ? 1 : 0
+ count = local.ldap_exists && local.enable_ldap ? 1 : 0
+ # count = local.enable_ldap ? 1 : 0
provider = ldap
dn = local.ldap_dn
object_classes = [
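Review bot: The commented-out `# count = local.enable_ldap ? 1 : 0` added under the live `count` line reads as an abandoned alternative rather than documentation, and a reader cannot tell from it whether the `local.ldap_exists` guard is intentional. Either delete the line or replace it with a comment stating why both conditions are needed, e.g. `# NOTE(review): ldap_exists gates this on an existing DN as well as enable_ldap -- confirm and document why`. The `ldap_object.role` resource continues outside the hunk.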
diff --git a/variables.ldap.tf b/variables.ldap.tf
new file mode 100644
index 0000000..5b7f231
--- /dev/null
+++ b/variables.ldap.tf
@@ -0,0 +1,27 @@
+#---
+# ldap
+#---
+variable "ldap_user" {
+ description = "LDAP user for writing data into eDirectory or Active Directory"
+ type = string
+ default = ""
+}
+
+variable "ldap_password" {
+ description = "LDAP password for ldap_user for writing data into eDirectory or Active Directory"
+ type = string
+ default = ""
+}
+
+variable "ldap_host" {
+ description = "LDAP Hostname (default is for eBOCAS)"
+ type = string
+ default = "ldap.e.tco.census.gov"
+}
+
+variable "ldap_port" {
+ description = "LDAP port (default is 389 but also using STARTTLS)"
+ type = number
+ default = 389
+}
+
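Review bot: `ldap_password` in the `variable "ldap_password"` block carries a bind credential but is not marked sensitive, so nothing prevents its value from being echoed in plan output, module outputs or state if it is ever passed through to an attribute. If the module's minimum Terraform version permits it (input-variable `sensitive` requires 0.14+, and the changelog mentions a tf-0.13 compatibility branch, so this may need to be gated per branch), add `sensitive = true` to that block. Separately, the `ldap_port` description "default is 389 but also using STARTTLS" should say where STARTTLS is actually enabled, since 389 on its own is plaintext LDAP and nothing in this file turns on TLS; e.g. `description = "LDAP port (default 389; STARTTLS is enabled in the ldap provider configuration, not here)"`, adjusted to wherever that setting really lives.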
diff --git a/variables.tf b/variables.tf
index 8cfe127..fcc3376 100644
--- a/variables.tf
+++ b/variables.tf
@@ -51,31 +51,10 @@ variable "instance_profile_path" {
default = "/"
}
-#---
-# ldap
-#---
-variable "ldap_user" {
- description = "LDAP user for writing data into eDirectory or Active Directory"
- type = string
- default = ""
-}
-
-variable "ldap_password" {
- description = "LDAP password for ldap_user for writing data into eDirectory or Active Directory"
- type = string
- default = ""
-}
-
-variable "ldap_host" {
- description = "LDAP Hostname (default is for eBOCAS)"
- type = string
- default = "ldap.e.tco.census.gov"
-}
-
-variable "ldap_port" {
- description = "LDAP port (default is 389 but also using STARTTLS)"
- type = number
- default = 389
+variable "max_session_duration" {
+ descriptio = "Override the maximum session duration from the default (3600)"
+ type = number
+ default = 3600
}
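Review bot: The new `variable "max_session_duration"` block spells the argument `descriptio`, which Terraform rejects as an unsupported argument, so this file will not load. While fixing that, the variable should also be bounded, because it controls how long STS credentials assumed through this role stay valid: AWS accepts 3600 to 43200 seconds, and a `validation` block (supported from Terraform 0.13) fails fast with a clear message instead of surfacing an API error at apply time and makes the security trade-off visible to callers.

```hcl
variable "max_session_duration" {
  description = "Maximum session duration in seconds for the role (default 3600). Raising it extends the lifetime of assumed-role credentials; AWS accepts 3600-43200."
  type        = number
  default     = 3600

  validation {
    condition     = var.max_session_duration >= 3600 && var.max_session_duration <= 43200
    error_message = "max_session_duration must be between 3600 and 43200 seconds."
  }
}
```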
variable "component_tags" {
@@ -83,32 +62,3 @@ variable "component_tags" {
type = map(map(string))
default = { "role" = {}, "policy" = {} }
}
-
-
-## #---
-## # instance role
-## #---
-## variable "ec2_role_name" {
-## description = "EC2 instace Role/application name without prefix"
-## type = string
-## default = ""
-## }
-##
-## variable "enable_instance_role" {
-## description = "Flag to enable the creation of a partner EC2 instance role with specific policies and optionally a different name"
-## type = bool
-## default = false
-## }
-##
-## variable "ec2_assume_policy_document" {
-## description = "JSON policy document for EC2 instance role (default is sts:AssumeRole for ec2 service)"
-## type = string
-## default = ""
-## }
-##
-## variable "ec2_attached_policies" {
-## description = "List of IAM Policy ARNs to attach to this EC2 instance role"
-## type = list(string)
-## default = []
-## }
-##
diff --git a/version.tf b/version.tf
index 08f3f68..e4a1130 100644
--- a/version.tf
+++ b/version.tf
@@ -1,3 +1,3 @@
locals {
- _module_version = "1.3.0"
+ _module_version = "1.3.1"
}