diff --git a/modules/dns/README.md b/modules/dns/README.md
index 2c00ebb1..780e9f0b 100644
--- a/modules/dns/README.md
+++ b/modules/dns/README.md
@@ -37,7 +37,7 @@ module "private-dns" {
 | *peer_network* | Peering network self link, only valid for 'peering' zone types. | <code title="">string</code> |  | <code title="">null</code> |
 | *recordsets* | List of DNS record objects to manage. | <code title="list&#40;object&#40;&#123;&#10;name    &#61; string&#10;type &#61; string&#10;ttl     &#61; number&#10;records &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">list(object({...}))</code> |  | <code title="">[]</code> |
 | *service_directory_namespace* | Service directory namespace id (URL), only valid for 'service-directory' zone types. | <code title="">string</code> |  | <code title="">null</code> |
-| *type* | Type of zone to create, valid values are 'public', 'private', 'forwarding', 'peering', 'service-directory'. | <code title="">string</code> |  | <code title="">private</code> |
+| *type* | Type of zone to create, valid values are 'public', 'private', 'forwarding', 'peering', 'service-directory'. | <code title="">string</code> |  | <code title="private&#10;validation &#123;&#10;condition     &#61; contains&#40;&#91;&#34;public&#34;, &#34;private&#34;, &#34;forwarding&#34;, &#34;peering&#34;, &#34;service-directory&#34;&#93;, var.type&#41;&#10;error_message &#61; &#34;Zone must be one of &#39;public&#39;, &#39;private&#39;, &#39;forwarding&#39;, &#39;peering&#39;, &#39;service-directory&#39;.&#34;&#10;&#125;">...</code> |
 | *zone_create* | Create zone. When set to false, uses a data source to reference existing zone. | <code title="">bool</code> |  | <code title="">true</code> |
 
 ## Outputs
diff --git a/modules/folder/README.md b/modules/folder/README.md
index 5b15204c..5e85b49a 100644
--- a/modules/folder/README.md
+++ b/modules/folder/README.md
@@ -46,7 +46,7 @@ module "folder" {
 |---|---|:---: |:---:|:---:|
 | name | Folder name. | <code title="">string</code> | ✓ |  |
 | parent | Parent in folders/folder_id or organizations/org_id format. | <code title="string&#10;validation &#123;&#10;condition     &#61; can&#40;regex&#40;&#34;&#40;organizations&#124;folders&#41;&#47;&#91;0-9&#93;&#43;&#34;, var.parent&#41;&#41;&#10;error_message &#61; &#34;Parent must be of the form folders&#47;folder_id or organizations&#47;organization_id.&#34;&#10;&#125;">string</code> | ✓ |  |
-| *iam* | IAM bindings in {ROLE => [MEMBERS]} format. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> |  | <code title="">null</code> |
+| *iam* | IAM bindings in {ROLE => [MEMBERS]} format. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> |  | <code title="">{}</code> |
 | *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map&#40;bool&#41;">map(bool)</code> |  | <code title="">{}</code> |
 | *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map&#40;object&#40;&#123;&#10;inherit_from_parent &#61; bool&#10;suggested_value     &#61; string&#10;status              &#61; bool&#10;values              &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |
 
diff --git a/modules/folders-unit/README.md b/modules/folders-unit/README.md
index 43c84ec0..9ebad644 100644
--- a/modules/folders-unit/README.md
+++ b/modules/folders-unit/README.md
@@ -36,10 +36,9 @@ module "folders-unit" {
 | short_name | Short name used as GCS bucket and service account prefixes, do not use capital letters or spaces. | <code title="">string</code> | ✓ |  |
 | *environments* | Unit environments short names. | <code title="map&#40;string&#41;">map(string)</code> |  | <code title="&#123;&#10;non-prod &#61; &#34;Non production&#34;&#10;prod     &#61; &#34;Production&#34;&#10;&#125;">...</code> |
 | *gcs_defaults* | Defaults use for the state GCS buckets. | <code title="map&#40;string&#41;">map(string)</code> |  | <code title="&#123;&#10;location      &#61; &#34;EU&#34;&#10;storage_class &#61; &#34;MULTI_REGIONAL&#34;&#10;&#125;">...</code> |
+| *iam* | IAM bindings for the top-level folder in {ROLE => [MEMBERS]} format. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
 | *iam_billing_config* | Grant billing user role to service accounts, defaults to granting on the billing account. | <code title="object&#40;&#123;&#10;grant      &#61; bool&#10;target_org &#61; bool&#10;&#125;&#41;">object({...})</code> |  | <code title="&#123;&#10;grant      &#61; true&#10;target_org &#61; false&#10;&#125;">...</code> |
 | *iam_enviroment_roles* | IAM roles granted to the environment service account on the environment sub-folder. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="&#91;&#10;&#34;roles&#47;compute.networkAdmin&#34;,&#10;&#34;roles&#47;owner&#34;,&#10;&#34;roles&#47;resourcemanager.folderAdmin&#34;,&#10;&#34;roles&#47;resourcemanager.projectCreator&#34;,&#10;&#93;">...</code> |
-| *iam_members* | IAM members for roles applied on the unit folder. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">null</code> |
-| *iam_roles* | IAM roles applied on the unit folder. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">null</code> |
 | *iam_xpn_config* | Grant Shared VPC creation roles to service accounts, defaults to granting at folder level. | <code title="object&#40;&#123;&#10;grant      &#61; bool&#10;target_org &#61; bool&#10;&#125;&#41;">object({...})</code> |  | <code title="&#123;&#10;grant      &#61; true&#10;target_org &#61; false&#10;&#125;">...</code> |
 | *prefix* | Optional prefix used for GCS bucket names to ensure uniqueness. | <code title="">string</code> |  | <code title="">null</code> |
 | *service_account_keys* | Generate and store service account keys in the state file. | <code title="">bool</code> |  | <code title="">false</code> |
diff --git a/modules/gcs/README.md b/modules/gcs/README.md
index 3c69da48..33afea1f 100644
--- a/modules/gcs/README.md
+++ b/modules/gcs/README.md
@@ -66,7 +66,7 @@ module "bucket" {
 | project_id | Bucket project id. | <code title="">string</code> | ✓ |  |
 | *encryption_key* | KMS key that will be used for encryption. | <code title="">string</code> |  | <code title="">null</code> |
 | *force_destroy* | Optional map to set force destroy keyed by name, defaults to false. | <code title="">bool</code> |  | <code title="">false</code> |
-| *iam_members* | IAM members keyed by bucket name and role. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> |  | <code title="">{}</code> |
+| *iam* | IAM bindings in {ROLE => [MEMBERS]} format. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
 | *labels* | Labels to be attached to all buckets. | <code title="map&#40;string&#41;">map(string)</code> |  | <code title="">{}</code> |
 | *location* | Bucket location. | <code title="">string</code> |  | <code title="">EU</code> |
 | *logging_config* | Bucket logging configuration. | <code title="object&#40;&#123;&#10;log_bucket        &#61; string&#10;log_object_prefix &#61; string&#10;&#125;&#41;">object({...})</code> |  | <code title="">null</code> |
diff --git a/modules/project/README.md b/modules/project/README.md
index 61b62286..fcd8ca05 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -15,7 +15,7 @@ module "project" {
     "container.googleapis.com",
     "stackdriver.googleapis.com"
   ]
-  iam_members = {
+  iam = {
     "roles/container.hostServiceAgentUser" = [
       "serviceAccount:${var.gke_service_account}"
     ]
@@ -31,7 +31,7 @@ module "project" {
   name            = "project-example"
   project_create  = false
 
-  iam_additive_bindings = {
+  iam_additive = {
     "group:usergroup_watermlon_experimentation@lemonadeinc.io" = [
 	    "roles/viewer",
 	    "roles/storage.objectAdmin"
diff --git a/modules/secret-manager/README.md b/modules/secret-manager/README.md
index b1617e62..7f237482 100644
--- a/modules/secret-manager/README.md
+++ b/modules/secret-manager/README.md
@@ -25,7 +25,7 @@ module "secret-manager" {
 
 ### Secret IAM bindings
 
-IAM bindings can be set per secret in the same way as for most other modules supporting IAM, using the `iam_members` variable.
+IAM bindings can be set per secret in the same way as for most other modules supporting IAM, using the `iam` variable.
 
 ```hcl
 module "secret-manager" {