From 23336e26f9fd3bd21121f41288bfa12d3c2aad4c Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 17 Dec 2020 11:28:16 -0500 Subject: [PATCH] update descriptions, add metadata tags --- standard/README.md | 15 ++++++++------- title26/README.md | 15 ++++++++------- 2 files changed, 16 insertions(+), 14 deletions(-) diff --git a/standard/README.md b/standard/README.md index bc81091..4e6e1af 100644 --- a/standard/README.md +++ b/standard/README.md 
@@ -36,15 +36,16 @@ No requirements. |------|-------------|------|---------|:--------:| | access\_log\_bucket | Server Access Logging Bucket ID | `string` | n/a | yes | | access\_log\_bucket\_prefix | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no | -| allowed\_cidr | List of allowed source IPs (NOT from within the VPC) | `list(string)` | `[]` | no | -| allowed\_endpoints | List of allowed VPC endpoint IDs | `list(string)` | `[]` | no | -| bucket\_folders | List of folders (keys) to create after creation of bucket | `list(string)` | `[]` | no | -| bucket\_name | AWS Bucket Name | `string` | n/a | yes | +| allowed\_cidr | List of allowed source IPs (NOT from within the VPC). If empty, there will be no restrictions on source IP. If provided, you must also use allowed\_endpoints for access within a VPC. | `list(string)` | `[]` | no | +| allowed\_endpoints | List of allowed VPC endpoint IDs. If used, it will enable access to the bucket from the specific VPC endpoints. | `list(string)` | `[]` | no | +| bucket\_folders | List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata\_tags and data\_safeguard labels. | `list(string)` | `[]` | no | +| bucket\_name | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes | | data\_safeguards | Selected available safeguards which apply to the data in the bucket | `list(string)` | `[]` | no | | enable\_title26 | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no | -| force\_destroy | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time | `bool` | `false` | no | -| kms\_key\_id | AWS KMS Key ID (one per bucket) | `string` | `""` | no | -| tags | AWS Tags | `map(string)` | `{}` | no | +| force\_destroy | Sets force\_destroy to allow the bucket and contents to be deleted. 
The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no | +| kms\_key\_id | AWS KMS Key ID (one per bucket). This is currently ignored. | `string` | `""` | no | +| metadata\_tags | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no | +| tags | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | ## Outputs diff --git a/title26/README.md b/title26/README.md index 3c42447..208a498 100644 --- a/title26/README.md +++ b/title26/README.md 
@@ -41,15 +41,16 @@ No requirements. |------|-------------|------|---------|:--------:| | access\_log\_bucket | Server Access Logging Bucket ID | `string` | n/a | yes | | access\_log\_bucket\_prefix | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no | -| allowed\_cidr | List of allowed source IPs (NOT from within the VPC) | `list(string)` | `[]` | no | -| allowed\_endpoints | List of allowed VPC endpoint IDs | `list(string)` | `[]` | no | -| bucket\_folders | List of folders (keys) to create after creation of bucket | `list(string)` | `[]` | no | -| bucket\_name | AWS Bucket Name | `string` | n/a | yes | +| allowed\_cidr | List of allowed source IPs (NOT from within the VPC). If empty, there will be no restrictions on source IP. If provided, you must also use allowed\_endpoints for access within a VPC. | `list(string)` | `[]` | no | +| allowed\_endpoints | List of allowed VPC endpoint IDs. If used, it will enable access to the bucket from the specific VPC endpoints. | `list(string)` | `[]` | no | +| bucket\_folders | List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata\_tags and data\_safeguard labels. | `list(string)` | `[]` | no | +| bucket\_name | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes | | data\_safeguards | Selected available safeguards which apply to the data in the bucket | `list(string)` |
[
"title26"
]
| no | | enable\_title26 | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `true` | no | -| force\_destroy | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time | `bool` | `false` | no | -| kms\_key\_id | AWS KMS Key ID (one per bucket) | `string` | `""` | no | -| tags | AWS Tags | `map(string)` | `{}` | no | +| force\_destroy | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no | +| kms\_key\_id | AWS KMS Key ID (one per bucket). This is currently ignored. | `string` | `""` | no | +| metadata\_tags | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no | +| tags | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | ## Outputs
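Review bot: In the standard/README.md hunk, the new metadata_tags row gives the metadata prefix as x-amzn-meta-, but S3 user-defined metadata headers use x-amz-meta-; correct the spelling (the same row is repeated in title26/README.md). The new bucket_folders, metadata_tags and tags rows refer to "data_safeguard labels" and "the data_safeguard field", while the input in this table is named data_safeguards; use the exact variable name so readers can find it. The bucket_name text "Standard prefix will be applied here, do not include here" should state what the prefix is. The force_destroy sentence "You normally want to update this to true" reads as general advice; say that it applies only when the bucket is about to be removed.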
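Review bot: In the title26/README.md hunk, the kms_key_id row now says "This is currently ignored", which for a module whose enable_title26 flag defaults to true (Title 26 / FTI settings) leaves the reader not knowing how the bucket is encrypted; state what encryption the module applies instead, or remove the input until it is honoured. The allowed_cidr row documents that an empty list means "no restrictions on source IP", and both allowed_cidr and allowed_endpoints default to []; the README should say what limits access when both are left at their defaults, or the row should recommend setting them for this module.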