diff --git a/main.tf b/main.tf
index 4c3cbda..d4a8b60 100644
--- a/main.tf
+++ b/main.tf
@@ -1 +1,107 @@
-# temporary main.tf to test tf-destroy
+/* = About =
+ * = Usage =
+ * module "mybucket" {
+ * source = "git@github.e.it.census.gov:terraform-modules/aws-t26-s3.git"
+ *
+ * bucket_name = "myt26bucket"
+ * }
+ *
+ */
+
+locals {
+ enforced_tags = {
+ "boc:safeguard" = "title26"
+ "test:tag" = "code"
+ }
+}
+
+#---
+# s3 bucket
+#---
+resource "aws_s3_bucket" "this" {
+ bucket = var.bucket_name
+ acl = "private"
+
+ force_destroy = true
+
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ kms_master_key_id = var.kms_key_id
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }
+
+ versioning {
+ enabled = true
+ #enabled = false
+ }
+
+ logging {
+ target_bucket = var.access_log_bucket
+ target_prefix = format("%s/%s/", var.access_log_bucket_prefix, var.access_log_bucket)
+ }
+
+ lifecycle {
+ #prevent_destroy = true
+ }
+
+ tags = merge(
+ var.tags,
+ local.enforced_tags,
+ map("Name", var.bucket_name)
+ )
+}
+
+data "aws_iam_policy_document" "this" {
+ statement {
+ sid = "DenyIncorrectEncryptionHeader"
+ effect = "Deny"
+ actions = ["s3:PutObject"]
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ resources = ["${aws_s3_bucket.this.arn}/*"]
+ condition {
+ test = "StringNotEquals"
+ variable = "s3:x-amz-server-side-encryption"
+ values = ["aws:kms"]
+ }
+ }
+ statement {
+ sid = "DenyUnEncryptedObjectUploads"
+ effect = "Deny"
+ actions = ["s3:PutObject"]
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ resources = ["${aws_s3_bucket.this.arn}/*"]
+ condition {
+ test = "Null"
+ variable = "s3:x-amz-server-side-encryption"
+ values = ["true"]
+ }
+ }
+}
+
+resource "null_resource" "s3_create_wait" {
+ triggers = {
+ bucket = aws_s3_bucket.this.id
+ }
+ provisioner "local-exec" {
+ when = create
+ command = "sleep 120"
+ }
+}
+
+resource "aws_s3_bucket_object" "this_objects" {
+ bucket = aws_s3_bucket.this.id
+ count = length(var.bucket_folders)
+ key = format("%s/", element(var.bucket_folders, count.index))
+ source = "/dev/null"
+
+ depends_on = [null_resource.s3_create_wait]
+}
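Review bot: `force_destroy = true` on `aws_s3_bucket.this`, together with the commented-out `#prevent_destroy = true` in its `lifecycle` block, means a `terraform destroy` removes the bucket with every object and version in it, which for a bucket whose enforced tags mark it `title26` reads like a leftover of the tf-destroy test the replaced one-line file mentions rather than the intended default. I would gate it on an input, e.g. `force_destroy = var.force_destroy` with a default of `false`, and restore `prevent_destroy = true` unless destroying the data is deliberate. The deny statements in `aws_iam_policy_document.this` only take effect once attached through an `aws_s3_bucket_policy`, which does not appear in this hunk; if that attachment lives in another file a comment saying so would help, and note that the `StringNotEquals` / `aws:kms` condition enforces SSE-KMS but not `var.kms_key_id`, so uploads encrypted under a different key are still accepted unless a `s3:x-amz-server-side-encryption-aws-kms-key-id` condition is added. As a point of style, `map("Name", var.bucket_name)` in the tags merge uses the deprecated `map()` function; `{ Name = var.bucket_name }` is the 0.12+ form.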