diff --git a/.gitignore b/.gitignore
index 1fef4ab..4df0dc1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,6 @@
 
 # .tfvars files
 *.tfvars
+
+.terraform/*
+logs
diff --git a/main.tf b/main.tf
index 6cb18d3..431f310 100644
--- a/main.tf
+++ b/main.tf
@@ -1,3 +1,9 @@
+locals {
+ enforced_tags = {
+ "boc:safeguard" = "title26"
+ }
+}
+
 #---
 # s3 bucket
 #---
@@ -22,7 +28,14 @@ resource "aws_s3_bucket" "this" {
 prevent_destroy = true
 }
 
-data "aws_iam_policy_document" "t26_s3" {
+ tags = merge(
+ var.tags,
+ local.enforced_tags,
+ map("Name", var.bucket_name)
+ )
+}
+
+data "aws_iam_policy_document" "this" {
 statement {
 sid = "DenyIncorrectEncryptionHeader"
 effect = "Deny"
@@ -31,7 +44,7 @@ data "aws_iam_policy_document" "t26_s3" {
 type = "AWS"
 identifiers = ["*"]
 }
- resources = ["${aws_s3_bucket.t26.arn}/*"]
+ resources = ["${aws_s3_bucket.this.arn}/*"]
 condition {
 test = "StringNotEquals"
 variable = "s3:x-amz-server-side-encryption"
@@ -46,22 +59,21 @@ data "aws_iam_policy_document" "t26_s3" {
 type = "AWS"
 identifiers = ["*"]
 }
- resources = ["${aws_s3_bucket.t26.arn}/*"]
+ resources = ["${aws_s3_bucket.this.arn}/*"]
 condition {
 test = "Null"
 variable = "s3:x-amz-server-side-encryption"
- values = ["true"]
+ values = ["true"]
 }
 }
+}
 
- tags = merge(
- var.tags,
- local.enforced_tags,
- map( "Name", var.bucket_name)
- )
-
+resource "null_resource" "s3_create_wait" {
+ triggers = {
+ bucket = aws_s3_bucket.this.id
+ }
 provisioner "local-exec" {
- when = create
+ when = create
 command = "sleep 120"
 }
 }
@@ -69,8 +81,8 @@ data "aws_iam_policy_document" "t26_s3" {
 
 resource "aws_s3_bucket_object" "this_objects" {
 bucket = aws_s3_bucket.this.id
 count = length(var.bucket_folders)
- key = format("%s/",element(var.bucket_folders,count.index))
+ key = format("%s/", element(var.bucket_folders, count.index))
 source = "/dev/null"
- depends_on [aws_s3_bucket.this]
+ depends_on = [null_resource.s3_create_wait]
 }
diff --git a/variables.tf b/variables.tf
index 429b59f..771bef0 100644
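Review bot: The new `locals` block leaves `enforced_tags` undocumented, and nothing states that these keys are meant to win over caller-supplied `var.tags` (the bucket's `merge()` later in this diff places them after `var.tags`, so they do). A one-line comment above the block would make that intent explicit, e.g. `# Tags every bucket from this module must carry; merged after var.tags so callers cannot override them`. What the `boc:safeguard` / `title26` pair classifies is not visible here, so the comment should also name where that value is defined.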
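Review bot: `map("Name", var.bucket_name)` in the new `tags` argument uses the `map()` function, which was deprecated in Terraform 0.12 and removed in 0.13, so this block stops validating on any current Terraform; the same call appears in the block this diff removes further down. Replace it with an object literal inside the same `merge()`, `{ Name = var.bucket_name }`. Because `merge()` gives later arguments precedence, `Name` also silently overrides any `Name` key a caller passes in `var.tags`; that is presumably intended but deserves a short comment. The `aws_s3_bucket.this` resource begins outside this hunk.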
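Review bot: `null_resource.s3_create_wait` implements the wait with a `local-exec` provisioner running `sleep 120`, which requires a POSIX shell on whatever machine runs `terraform apply`, blocks for a fixed two minutes on every create, and keeps a shell-executing provisioner inside a reusable module where a declarative dependency is expected. If a delay is genuinely needed, a `time_sleep` resource from the `hashicorp/time` provider (`create_duration = "120s"`) expresses the same wait without executing a command, and `aws_s3_bucket_object.this_objects` can `depends_on` it exactly as it does now. Whichever form is kept, a comment saying why the bucket needs time after creation would help the next maintainer, since the diff gives no reason. Keying `triggers` on `aws_s3_bucket.this.id` so the delay re-runs when the bucket is replaced looks correct.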
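Review bot: The rewritten `aws_s3_bucket_object.this_objects` still issues PutObject requests without an encryption header: it sets only `bucket`, `key` and `source`, while the `aws_iam_policy_document.this` statements earlier in this diff deny requests whose `s3:x-amz-server-side-encryption` header is absent or does not match the expected value. If that document is attached to the bucket as its policy (not visible here), creating these folder markers will fail with AccessDenied, so adding `server_side_encryption = "aws:kms"` and `kms_key_id = var.kms_key_id` (when a key is supplied) makes the markers comply with the policy the module itself enforces. Separately, `count = length(var.bucket_folders)` ties each object to its list index, so removing one folder from the middle of the list destroys and recreates every later marker. `for_each = toset(var.bucket_folders)` with `key = "${each.value}/"` keeps each marker addressed by its name instead.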
--- a/variables.tf
+++ b/variables.tf
@@ -1,16 +1,22 @@
 variable "bucket_name" {
 description = "AWS Bucket Name"
- type = string
+ type = string
 }
 
 variable "bucket_folders" {
 description = "List of folders (keys) to create after creation of bucket"
- type = list(string)
- default = [ ]
+ type = list(string)
+ default = []
 }
 
 variable "kms_key_id" {
 description = "AWS KMS Key ID (one per bucket)"
- type = string
- default = ""
+ type = string
+ default = ""
+}
+
+variable "tags" {
+ description = "AWS Tags"
+ type = map(string)
+ default = { }
 }
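Review bot: `default = { }` on the new `tags` variable is inconsistent with the `default = []` normalization this same hunk applies to `bucket_folders`; `terraform fmt` writes it as `{}`. The description `"AWS Tags"` should also say how the map interacts with the module's own tagging, since main.tf in this diff merges it beneath the enforced tags, e.g. `description = "Additional tags for the bucket; keys that collide with the module's enforced tags or Name are overridden"`.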