diff --git a/terraform/ces-module/variables.tf b/terraform/ces-module/variables.tf
index 99bdf41..0eabb68 100644
--- a/terraform/ces-module/variables.tf
+++ b/terraform/ces-module/variables.tf
@@ -187,8 +187,8 @@ variable "cas_oidc_config" {
     scopes                  = string
     attribute_mapping       = string
     principal_attribute     = string
-    allowed_groups          = list(string)
-    initial_admin_usernames = list(string)
+    allowed_groups          = string
+    initial_admin_usernames = string
   })
   default = {
     enabled                 = false
@@ -199,8 +199,8 @@ variable "cas_oidc_config" {
     scopes                  = "openid email profile groups"
     attribute_mapping       = "email:mail,family_name:surname,given_name:givenName,preferred_username:username,name:displayName,groups:externalGroups"
     principal_attribute     = "preferred_username"
-    allowed_groups          = []
-    initial_admin_usernames = []
+    allowed_groups          = ""
+    initial_admin_usernames = ""
   }
 }
 
diff --git a/terraform/examples/ces_keycloak_gke/main.tf b/terraform/examples/ces_keycloak_gke/main.tf
index 5ea727e..cce6f5e 100644
--- a/terraform/examples/ces_keycloak_gke/main.tf
+++ b/terraform/examples/ces_keycloak_gke/main.tf
@@ -149,8 +149,8 @@ module "ces" {
     display_name            = "CAS oidc provider"
     optional                = var.cas_oidc_optional
     scopes = join(" ", concat(["openid"], var.keycloak_client_scopes))
-    allowed_groups          = var.cas_oidc_allowed_groups
-    initial_admin_usernames = var.cas_oidc_initial_admin_usernames
+    allowed_groups          = join(", ", var.cas_oidc_allowed_groups)
+    initial_admin_usernames = join(", ", var.cas_oidc_initial_admin_usernames)
   }
   cas_oidc_client_secret = module.keycloak.client_secret
 }
\ No newline at end of file