diff --git a/examples/main.tf b/examples/main.tf
new file mode 100644
index 0000000..40a0ce7
--- /dev/null
+++ b/examples/main.tf
@@ -0,0 +1,33 @@
+module "keyvault" {
+  source        = "../terraform-keyvault"
+  location      = "westeurope"
+  resource_name = [
+    "service-mgmt-kv",
+  ]
+  keyvault = {
+    resource_group_name = "service-mgmt-rg"
+    tenant_id           = data.azurerm_subscription.current.tenant_id
+  }
+  keyvault_config = {
+    mgmt = {
+      access_policies = {
+        frontdoor = {
+          object_id               = data.azuread_service_principal.frontdoor.object_id
+          key_permissions         = []
+          certificate_permissions = ["get", ]
+          secret_permissions      = ["get", ]
+        }
+      }
+    }
+    env = {
+      access_policies = {
+        admin = {
+          object_id = data.azuread_group.grp-admin.object_id
+        }
+      }
+    }
+  }
+  tags = {
+    service = "service_name"
+  }
+}
diff --git a/variables.tf b/variables.tf
index 14a9d4f..44e0b72 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,6 +1,6 @@
 variable "resource_name" {
-  type = set(string)
-  default = {}
+  type        = set(string)
+  default     = []
   description = "Azure Keyvault"
 }
 variable "location" {
@@ -48,12 +48,10 @@ locals {
   # deep merge over merged config and use defaults if no variable is set
   keyvault_config = {
-    # get all config
-    for config in keys(var.keyvault_config) :
-    instance => {
-      for config in keys(local.default.keyvault_config) :
-      config =>
-      merge(local.default.keyvault_config, local.merged.keyvault_config[instance][config])
+    for config in keys(local.default.keyvault_config) :
+    config => {
+      for instance in keys(var.keyvault_config[config]) :
+      instance => merge(local.default.keyvault_config[config], var.keyvault_config[config][instance])
     }
   }
 }
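Review bot: The example references `data.azurerm_subscription.current`, `data.azuread_service_principal.frontdoor` and `data.azuread_group.grp-admin`, but this new file declares none of them, so it cannot be validated or applied on its own unless the data blocks live in a sibling file not shown here. Declaring them in the example makes the required lookups explicit for anyone copying it. The `admin` policy under `env` sets only `object_id`, so its key, secret and certificate permissions come entirely from the module's defaults, which are not visible in this diff; a comment such as `# permissions omitted on purpose: the module's default policy applies` next to that entry would make the choice visible and prompt readers to check what that default grants.
```hcl
data "azurerm_subscription" "current" {}

data "azuread_service_principal" "frontdoor" {
  display_name = "<frontdoor-app-display-name>" # placeholder, set to the real application
}

data "azuread_group" "grp-admin" {
  display_name = "<admin-group-display-name>" # placeholder, set to the real group
}

// … unchanged: module "keyvault" block …
```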
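Review bot: `default = []` fixes the invalid object default for a `set(string)`, but the description `"Azure Keyvault"` still does not say what the set contains, and an empty default means a caller that forgets the variable gets a module that creates nothing without any error. If these are the vault names, as the example's `service-mgmt-kv` suggests, a description like `description = "Names of the Key Vaults to create; an empty set creates none"` plus a `validation` block enforcing Azure's vault naming rules (3 to 24 characters, letters, digits and single hyphens, starting with a letter) would reject bad input at plan time rather than at the API. `validation` blocks need Terraform 0.13 or later and `alltrue` needs 0.14, so this depends on the module's minimum version, which this diff does not show.
```hcl
variable "resource_name" {
  type        = set(string)
  default     = []
  description = "Names of the Key Vaults to create; an empty set creates none"

  validation {
    condition = alltrue([
      for n in var.resource_name :
      length(n) >= 3 && length(n) <= 24 && can(regex("^[a-zA-Z](-?[a-zA-Z0-9])*$", n))
    ])
    error_message = "Key Vault names must be 3-24 characters, start with a letter, and contain only letters, digits and single hyphens."
  }
}
```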
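Review bot: `var.keyvault_config[config]` in the inner `for` is indexed with keys taken from `local.default.keyvault_config`, so any default config name the caller does not supply in `var.keyvault_config` produces an invalid-index error instead of falling back to the defaults; `for instance in keys(lookup(var.keyvault_config, config, {})) :` keeps the iteration safe. The preceding comment still calls this a deep merge, but `merge()` is shallow: a caller who sets a nested map such as `access_policies` replaces the default map wholesale rather than combining with it, so either the comment should read `# shallow merge: caller-supplied nested maps replace the defaults` or the merge needs to descend one level. The removed lines referenced `local.merged`, which the new expression no longer uses; if nothing else reads it, it can be dropped. The enclosing `locals` block starts before this hunk.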