diff --git a/main.tf b/main.tf
index 6cb18d3..18b081d 100644
--- a/main.tf
+++ b/main.tf
@@ -1,3 +1,9 @@
+locals {
+ enforced_tags = {
+ "boc:safeguard" = "title26"
+ }
+}
+
 #---
 # s3 bucket
 #---
@@ -22,7 +28,14 @@ resource "aws_s3_bucket" "this" {
 prevent_destroy = true
 }
-data "aws_iam_policy_document" "t26_s3" {
+ tags = merge(
+ var.tags,
+ local.enforced_tags,
+ map("Name", var.bucket_name)
+ )
+}
+
+data "aws_iam_policy_document" "this" {
 statement {
 sid = "DenyIncorrectEncryptionHeader"
 effect = "Deny"
@@ -31,7 +44,7 @@ data "aws_iam_policy_document" "t26_s3" {
 type = "AWS"
 identifiers = ["*"]
 }
- resources = ["${aws_s3_bucket.t26.arn}/*"]
+ resources = ["${aws_s3_bucket.this.arn}/*"]
 condition {
 test = "StringNotEquals"
 variable = "s3:x-amz-server-side-encryption"
@@ -46,22 +59,21 @@ data "aws_iam_policy_document" "t26_s3" {
 type = "AWS"
 identifiers = ["*"]
 }
- resources = ["${aws_s3_bucket.t26.arn}/*"]
+ resources = ["${aws_s3_bucket.this.arn}/*"]
 condition {
 test = "Null"
 variable = "s3:x-amz-server-side-encryption"
- values = ["true"]
+ values = ["true"]
 }
 }
+}
- tags = merge(
- var.tags,
- local.enforced_tags,
- map( "Name", var.bucket_name)
- )
-
+resource "null_resource" "s3_create_wait" {
+ triggers = {
+ bucket = aws_s3_bucket.this.id
+ }
 provisioner "local-exec" {
- when = create
+ when = create
 command = "sleep 120"
 }
 }
@@ -69,8 +81,8 @@ data "aws_iam_policy_document" "t26_s3" {
 resource "aws_s3_bucket_object" "this_objects" {
 bucket = aws_s3_bucket.this.id
 count = length(var.bucket_folders)
- key = format("%s/",element(var.bucket_folders,count.index))
+ key = format("%s/", element(var.bucket_folders, count.index))
 source = "/dev/null"
- depends_on [aws_s3_bucket.this]
+ depends_on = [aws_s3_bucket.this]
 }
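Review bot: Renaming the data source from `t26_s3` to `this` in the second hunk breaks any `data.aws_iam_policy_document.t26_s3.json` reference outside this diff, and the attachment that makes these Deny statements effective (an `aws_s3_bucket_policy`) is not visible here, so it presumably needs the same rename or the bucket ends up with no policy at all. In the same hunk `map("Name", var.bucket_name)` uses the `map` function that Terraform 0.12 deprecated, while the rest of the file already uses 0.12 syntax; `{ "Name" = var.bucket_name }` is the equivalent literal. The `merge` order is security-relevant and deserves a comment, since later arguments win: `# later maps win: local.enforced_tags cannot be overridden by var.tags`. The `aws_s3_bucket.this` resource starts before this hunk.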
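Review bot: Nothing depends on `null_resource.s3_create_wait` in the fourth hunk, so its 120-second `local-exec` sleep gates no other resource; the `depends_on = [aws_s3_bucket.this]` in the last hunk only restates the dependency that `bucket = aws_s3_bucket.this.id` already implies. If the sleep exists to let the new bucket settle before the folder-marker objects are written, the last hunk should read `depends_on = [null_resource.s3_create_wait]` instead. `when = create` is the provisioner default and can be dropped; a `sleep` via `local-exec` also makes the module depend on a POSIX shell on the machine running apply, which is worth a comment on the resource.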
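Review bot: The `aws_s3_bucket_object.this_objects` resource in the last hunk sends no `s3:x-amz-server-side-encryption` header, yet the policy document in the earlier hunks denies requests where that header is `Null` or has an unexpected value. If that document is attached as this bucket's policy (the attachment and the statements' `actions` are outside the diff), creating the folder markers is presumably rejected with AccessDenied on apply; adding `server_side_encryption = "AES256"` (or the KMS value the `StringNotEquals` statement's `values` list expects, which is also outside the hunk) keeps the markers consistent with the policy the module enforces. A short comment on the resource stating that objects must carry the SSE header the bucket policy requires would make the coupling visible to the next maintainer.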