diff --git a/README.md b/README.md index d27262c..2df36f7 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,10 @@ # About aws-iam-role -This module will create an IAM role. Its primary purpose is for a SAML-enbled role, and to create the -necessary LDAP object in eBOCAS, provided credentials and the provider exists (it checks for this). +This module will create an IAM role. Its primary purpose is for a SAML-enbled role, and to create the +necessary LDAP object in eBOCAS, provided credentials and the provider exists (it checks for this). The [ldap-provider](https://github.e.it.census.gov/terraform/support/tree/master/providers/terraform-provider-ldap) binary is expected to be in your `$PATH`. -There are some quirks to the `ldap-provider` (we use [this](https://github.com/Pryz/terraform-provider-ldap) one), where if any +There are some quirks to the `ldap-provider` (we use [this](https://github.com/Pryz/terraform-provider-ldap) one), where if any details change in the DN or the DN cannot be constructed due to missing data, a *tcp connection closed* message occurs. Because of this quirk, this is a two-step apply. The first step creates the IAM role and creates an LDIF file in @@ -40,7 +40,7 @@ module "myrole1" { ldap_host = "ldap.e.tco.census.gov" ldap_port = 389 } -``` +``` Creating a non-SAML role ```hcl module "myrole2" { @@ -48,6 +48,7 @@ module "myrole2" { role_name = "my-role2" attached_policies = [ data.aws_iam_policy.aws-managed-readonlyaccess.arn ] +} ``` ## Requirements 
@@ -58,53 +59,53 @@ No requirements. | Name | Version | |------|---------| -| aws | n/a | -| external | n/a | -| ldap | n/a | -| null | n/a | -| template | n/a | +| [aws](#provider\_aws) | n/a | +| [external](#provider\_external) | n/a | +| [ldap](#provider\_ldap) | n/a | +| [null](#provider\_null) | n/a | +| [template](#provider\_template) | n/a | ## Modules -No Modules. +No modules. ## Resources -| Name | -|------| -| [aws_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | -| [aws_caller_identity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | -| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | -| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | -| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | -| [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | -| [external_external](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | -| [ldap_object](https://registry.terraform.io/providers/hashicorp/ldap/latest/docs/resources/object) | -| [null_resource](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | -| [template_file](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | +| Name | Type | +|------|------| +| [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [ldap_object.role](https://registry.terraform.io/providers/hashicorp/ldap/latest/docs/resources/object) | 
resource | +| [null_resource.role_ldif](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.ec2_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [external_external.ldap_provider_bin](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source | +| [template_file.role](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| account\_alias | AWS Account Alias | `string` | `""` | no | -| account\_id | AWS Account ID (default will pull from current user) | `string` | `""` | no | -| assume\_policy\_document | JSON policy document for role to assume (i.e., the SAML assume document) | `string` | `""` | no | -| attached\_policies | List of IAM Policy ARNs to attach to this role | `list(string)` | `[]` | no | -| component\_tags | Additional tags for Components (role, policy) | `map(map(string))` |
{
"policy": {},
"role": {}
}
| no | -| enable\_ldap\_creation | Flag to enable/disable LDAP object creation for role group (for SAML only). Also requires LDAP credentials. | `bool` | `false` | no | -| ldap\_host | LDAP Hostname (default is for eBOCAS) | `string` | `"ldap.e.tco.census.gov"` | no | -| ldap\_password | LDAP password for ldap\_user for writing data into eDirectory or Active Directory | `string` | `""` | no | -| ldap\_port | LDAP port (default is 389 but also using STARTTLS) | `number` | `389` | no | -| ldap\_user | LDAP user for writing data into eDirectory or Active Directory | `string` | `""` | no | -| override\_prefixes | Override built-in prefixes by component (role, policy). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | -| role\_name | Role/application name without prefix | `string` | n/a | yes | -| saml\_provider\_arn | ARN of SAML Provider | `string` | `""` | no | -| tags | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | +| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [assume\_policy\_document](#input\_assume\_policy\_document) | JSON policy document for role to assume (i.e., the SAML assume document) | `string` | `""` | no | +| [attached\_policies](#input\_attached\_policies) | List of IAM Policy ARNs to attach to this role | `list(string)` | `[]` | no | +| [component\_tags](#input\_component\_tags) | Additional tags for Components (role, policy) | `map(map(string))` |
{
"policy": {},
"role": {}
}
| no | +| [enable\_ldap\_creation](#input\_enable\_ldap\_creation) | Flag to enable/disable LDAP object creation for role group (for SAML only). Also requires LDAP credentials. | `bool` | `false` | no | +| [ldap\_host](#input\_ldap\_host) | LDAP Hostname (default is for eBOCAS) | `string` | `"ldap.e.tco.census.gov"` | no | +| [ldap\_password](#input\_ldap\_password) | LDAP password for ldap\_user for writing data into eDirectory or Active Directory | `string` | `""` | no | +| [ldap\_port](#input\_ldap\_port) | LDAP port (default is 389 but also using STARTTLS) | `number` | `389` | no | +| [ldap\_user](#input\_ldap\_user) | LDAP user for writing data into eDirectory or Active Directory | `string` | `""` | no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (role, policy). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [role\_name](#input\_role\_name) | Role/application name without prefix | `string` | n/a | yes | +| [saml\_provider\_arn](#input\_saml\_provider\_arn) | ARN of SAML Provider | `string` | `""` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | ## Outputs | Name | Description | |------|-------------| -| role\_arn | Created role ARN | -| role\_name | Created role name | +| [role\_arn](#output\_role\_arn) | Created role ARN | +| [role\_name](#output\_role\_name) | Created role name | diff --git a/main.tf b/main.tf index 2881546..2249513 100644 --- a/main.tf +++ b/main.tf @@ -49,6 +49,7 @@ * * role_name = "my-role2" * attached_policies = [ data.aws_iam_policy.aws-managed-readonlyaccess.arn ] +* } * ``` */
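Review bot: the typo `SAML-enbled` survives on the rewritten first line of the README hunk at `@@ -1,10 +1,10 @@`; the line is already being touched (only trailing whitespace is stripped), so change it to `SAML-enabled` in the same commit. On the following line, `provided credentials and the provider exists (it checks for this)` leaves unclear what is checked; `provided LDAP credentials are supplied and the ldap provider binary exists in $PATH (the module checks for this)` states the precondition that the rest of the paragraph describes.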
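Review bot: the missing closing brace for `module "myrole2"` is fixed in two copies, README.md at `@@ -48,6 +48,7 @@` and the header comment of main.tf at `@@ -49,6 +49,7 @@`, which means the usage example is maintained by hand in two places and drifted once already. Since the tables in this README are clearly regenerated by terraform-docs, consider generating the usage section from the main.tf header comment as well, so the two copies cannot diverge again.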
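Review bot: `ldap_password` in the regenerated Inputs table (hunk `@@ -58,53 +59,53 @@`) is documented as a plain `string` defaulting to `""` with no guidance on how to supply it; the description should say it must be passed out of band (for example `TF_VAR_ldap_password` or a secrets data source) rather than in committed `.tfvars`, and the variable itself should carry `sensitive = true` so the value is redacted from plan and apply output. Related points in the same tables: the `tags` description mentions `(S3, KMS)` and a `data_safeguard` field, neither of which exists in this IAM role module, so it reads as copy-paste from another module and should describe the role/policy tags actually applied; `ldap_port` saying `default is 389 but also using STARTTLS` is ambiguous, state plainly that the connection upgrades to TLS via STARTTLS on 389 rather than using LDAPS on 636, and whether the server certificate is validated; the Resources table now exposes `aws_iam_policy_document.ec2_assume`, so the README should spell out which trust policy the role receives when `assume_policy_document` is left at its default `""`, because an EC2 trust on a module described as SAML-focused is not something a caller would expect; the Providers table still shows `n/a` for every version and the page says `No requirements.`, and given the dependency on a third-party `ldap` provider binary found via `$PATH`, pinning `required_providers` with `source` and `version` constraints would make the module's supply chain reproducible; finally, the `component_tags` default cell spills across several lines in this diff, so check that it is wrapped in `<pre>` tags (as terraform-docs emits) or collapsed to one line, otherwise the markdown table breaks when rendered.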