diff --git a/.vscode/settings.json b/.vscode/settings.json
index edc6e565..a8b8d514 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -19,5 +19,8 @@
   "python.testing.pytestEnabled": true,
   "[terraform]": {
     "editor.defaultFormatter": "hashicorp.terraform"
+  },
+  "[terraform-vars]": {
+    "editor.defaultFormatter": "hashicorp.terraform"
   }
 }
diff --git a/terraform/README.md b/terraform/README.md
index 4ad27690..cf1c045b 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -95,12 +95,7 @@ Terraform is [`plan`](https://www.terraform.io/cli/commands/plan)'d when code is
    ```
 
 1. Outside the [dev container](https://docs.calitp.org/eligibility-server/getting-started/), navigate to the `terraform/` directory.
-1. Create a `terraform.tfvars` file and specify the [variables](variables.tf):
-
-   ```hcl
-   VELOCITY_ETL_SERVICE_PRINCIPAL_ID = "..."
-   ```
-
+1. Create a [`terraform.tfvars` file](https://developer.hashicorp.com/terraform/language/values/variables#variable-definitions-tfvars-files) and specify the [variables](variables.tf).
 1. [Initialize Terraform.](https://www.terraform.io/cli/commands/init) You can also use this script later to switch between [environments](#environments).
 
    ```sh
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 5a4e3109..0a776c30 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -1,9 +1,13 @@
 # needs to be uppercase "because Azure DevOps will always transform pipeline variables to uppercase environment variables"
 # https://gaunacode.com/terraform-input-variables-using-azure-devops
+
 variable "VELOCITY_ETL_SERVICE_PRINCIPAL_ID" {
   description = "Object ID from the registered application for the Velocity server ETL uploading: https://cloudsight.zendesk.com/hc/en-us/articles/360016785598-Azure-finding-your-service-principal-object-ID"
+  type        = string
 }
+
 variable "IP_ADDRESS_WHITELIST" {
-  description = "List of IP addresses allowed to connect to the app service."
+  description = "List of IP addresses allowed to connect to the app service, in CIDR notation: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_web_app#ip_address. By default, all IP addresses are allowed."
   type        = list(string)
+  default     = []
 }