diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..79ccd7d
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,19 @@
+## Release Version: 0.0.1
+
+BACKWARDS INCOMPATIBILITIES / NOTES:
+
+* Tested with terraform v0.11.7
+
+INITIAL RELEASE:
+
+* S3 Bucket: supports object versioning, lifecycle policy (on whole bucket) to remove object versions older than X days
+* IAM Management Users: Admin, Sync
+* Standard Users: User keys (directories) with KMS encryption for uploads
+
+IMPROVEMENTS:
+
+* N/A
+
+BUG FIXES:
+
+* N/A
\ No newline at end of file
diff --git a/README.md b/README.md
index 8694e9e..82ce740 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,159 @@
-# terraform-aws-s3-with-iam-access
\ No newline at end of file
+# AWS S3 Bucket with IAM Access Module
+Terraform module which creates an S3 bucket with varying levels of access for IAM users.
+
+The following resources can be created:
+* An S3 bucket
+* IAM User(s)
+* IAM Policies
+* KMS Keys
+
+## Usage
+### Specify this Module as Source
+```hcl
+module "s3" {
+  source = "git::https://github.com/zoitech/terraform-aws-s3-with-iam-access.git"
+
+  # Or to specifiy a particular module version:
+  source = "git::https://github.com/zoitech/terraform-aws-s3-with-iam-access.git?ref=v0.0.1"
+```
+### General Arguments
+#### Resource Creation Location
+The argument for the region is required to specify where the resources should be created:
+```hcl
+region = "eu-west-1" #default = "eu-central-1"
+```
+#### PGP Key 
+A public PGP key (in binary format) is required for encrypting the IAM secret keys and KMS keys, as these are given in output (Please see outputs below):
+```hcl
+pgp_keyname = "C123654C.pgp"
+```
+### S3 Bucket Arguments
+#### Bucket Name 
+Set the bucket name:
+```hcl
+s3_bucket_name = "my-s3-bucket"
+```
+#### Object Versioning 
+Enable S3 object versioning:
+```hcl
+s3_versioning_enabled = true #default = false
+```
+#### Object Lifecycle 
+Enable S3 object lifecycle for the whole bucket and specify a rule name.
+
+Object expiration and/or previous version deletion is specified in days:
+```hcl
+lifecycle_rule_enabled = true #default = false
+lifecycle_rule_id = "expire_objects_older_than_180_days_delete_previous_versions_older_than_90_days" #default = ""
+lifecycle_rule_expiration = 180 #default = 0
+lifecycle_rule_noncurrent_version_expiration = 90 #default = 90 
+```
+
+N.b. Object versioning must be enabled to expire current versions and delete previous versions of an object. 
+
+#### Bucket Lifecycle Prevent Destroy
+By default the prevent_destroy lifecycle is to "true" to prevent accidental bucket deletion via terraform.
+
+### IAM Bucket Management Users 
+#### IAM User(s): S3 Bucket Full Permissions 
+Create IAM user(s) with full S3 bucket permissions (These users receive both management console and programmatic access):
+```hcl
+iam_user_s3_full_names = ["superadmin1", "superadmin2"]
+```
+#### IAM User(s): S3 Bucket List/Delete Permissions 
+Create IAM user(s) with limited administrative (list and delete) S3 bucket permissions (These users receive both management console and programmatic access):
+```hcl
+iam_user_s3_list_delete_names = ["admin1", "admin2"]
+```
+#### IAM User(s): S3 Bucket Get/Delete Permissions 
+Create IAM user(s) with limited administrative (get and delete) S3 bucket permissions (These users receive only programmatic access)
+
+Recommended as a synchronisation user:
+```hcl
+iam_user_s3_get_delete_names = ["sync_user", "sync_user2"]
+```
+### IAM Bucket Standard Users
+Create IAM user(s) with their own bucket key (directory) in the S3 bucket. These users are assigned their own KMS keys which enable them to upload files in encrypted format as well as to download them and decrypt. (These users receive only programmatic access, therefore FTP client software such as CloudBerry or Cyberduck should be used):
+```hcl
+iam_user_s3_standard_names = ["Huey", "Dewey", "Louie"]
+```
+
+### Outputs 
+The following outputs are possible:
+* bucket_name (The name of the S3 bucket)
+* bucket_arn (The ARN of the S3 bucket)
+* s3_full_user_info  (The users with full S3 bucket permissions)
+* s3_list_delete_user_info (The users with list/delete S3 bucket permissions)
+* s3_get_delete_user_info (The users with get/delete S3 bucket permissions)
+* standard_user_info (The users with access to their own S3 bucket keys)
+
+
+Example usage:
+```hcl
+#The name of the S3 bucket
+output "Bucket-Name" {
+  value = "${module.s3.bucket_name}"
+}
+#The ARN of the S3 bucket
+output "Bucket-ARN" {
+  value = "${module.s3.bucket_arn}"
+}
+#The users with full S3 bucket permissions
+output "Superadmins" {
+  value = "${module.s3.s3_full_user_info}"
+}
+#The users with list/delete S3 bucket permissions
+output "Admins" {
+  value = "${module.s3.s3_list_delete_user_info}"
+}
+#The users with get/delete S3 bucket permissions
+output "Sync-Users" {
+  value = "${module.s3.s3_get_delete_user_info}"
+}
+#The users with access to their own S3 bucket keys
+output "User-Info" {
+  value = "${module.s3.standard_user_info}"
+}
+```
+
+Example output:
+```hcl
+Admins = [
+"user_name:   Admin",
+"access_key:  <omitted>",
+"secret_key:  <omitted>",
+"password":   <omitted>"
+]
+Bucket-ARN = arn:aws:s3:::my-s3-bucket
+Bucket-Name = my-s3-bucket
+Superadmins = [
+"user_name:   superadmin",
+"access_key:  <omitted>",
+"secret_key:  <omitted>",
+"password":   <omitted>"
+]
+Sync-Users = [
+"user_name:   sync-user",
+"access_key:  <omitted>",
+"secret_key:  <omitted>"
+]
+User-Info = [
+"user_name:   Huey",
+"access_key:  <omitted>",
+"secret_key:  <omitted>",
+"kms_key:     <omitted>",
+"bucket_key: my-s3-bucket/Huey"
+
+"user_name:   Dewey",
+"access_key:  <omitted>",
+"secret_key:  <omitted>",
+"kms_key:     <omitted>",
+"bucket_key: my-s3-bucket/Dewey"
+
+"user_name:   Louie",
+"access_key:  <omitted>",
+"secret_key:  <omitted>",
+"kms_key:     <omitted>",
+"bucket_key: my-s3-bucket/Louie"
+]
+```
diff --git a/data_template_bucket_policy.tf b/data_template_bucket_policy.tf
new file mode 100644
index 0000000..bf31c53
--- /dev/null
+++ b/data_template_bucket_policy.tf
@@ -0,0 +1,38 @@
+# template file for policy section: denying the unencrypted uploads
+data "template_file" "bucket_policy_for_deny_unencrypted" {
+  template = "${file("${path.module}/templates/bucket_policies/bucket_policy_deny_unencrypted.json.tpl")}"
+
+  vars {
+    bucket-arn = "${aws_s3_bucket.s3_bucket.arn}"
+  }
+}
+
+# template file for policy section: standard users
+data "template_file" "bucket_policy_for_a_standard_user" {
+  count    = "${length(var.iam_user_s3_standard_names)}"
+  template = "${file("${path.module}/templates/bucket_policies/bucket_policy_user_template.json.tpl")}"
+
+  vars {
+    bucket-arn = "${aws_s3_bucket.s3_bucket.arn}"
+    user-name  = "${element(aws_iam_user.standard_user.*.name, count.index)}"
+    kms-key    = "${element(aws_kms_key.kmskey.*.key_id, count.index)}"
+  }
+}
+
+# combine policy sections into one 
+data "template_file" "bucket_policy" {
+  template = <<JSON
+$${policy_start}
+$${deny_unencrypted_object_uploads}
+$${user_policies}
+$${policy_end}
+
+JSON
+
+  vars {
+    policy_start                    = "${file("${path.module}/templates/bucket_policies/bucket_policy_start.json.tpl")}"
+    deny_unencrypted_object_uploads = "${data.template_file.bucket_policy_for_deny_unencrypted.rendered}"
+    user_policies                   = "${join(",\n", data.template_file.bucket_policy_for_a_standard_user.*.rendered)}"
+    policy_end                      = "${file("${path.module}/templates/bucket_policies/bucket_policy_end.json.tpl")}"
+  }
+}
\ No newline at end of file
diff --git a/data_template_outputs.tf b/data_template_outputs.tf
new file mode 100644
index 0000000..e9dbfbe
--- /dev/null
+++ b/data_template_outputs.tf
@@ -0,0 +1,87 @@
+# template file for the S3 full permission user output
+data "template_file" "s3_full_user_output" {
+  count    = "${local.count_iam_user_s3_full_names}"
+  template = "${file("${path.module}/templates/outputs/s3_full_users.tpl")}"
+
+  vars {
+    user-name  = "${element(aws_iam_user.iam_user_s3_full_access.*.name, count.index)}"
+    access-key = "${element(aws_iam_access_key.iam_user_s3_full_access.*.id, count.index)}"
+    secret-key = "${element(aws_iam_access_key.iam_user_s3_full_access.*.encrypted_secret, count.index)}"
+    password   = "${element(aws_iam_user_login_profile.s3_full_login.*.encrypted_password, count.index)}"
+  }
+}
+
+# combine the S3 full permission user outputs together
+data "template_file" "s3_full_user_outputs" {
+  template = "$${outputs}"
+
+  vars {
+    outputs = "${join("\n\n", data.template_file.s3_full_user_output.*.rendered)}"
+  }
+}
+
+# template file for the S3 list/delete permission user output
+data "template_file" "s3_list_delete_user_output" {
+  count    = "${local.count_iam_user_s3_list_delete_names}"
+  template = "${file("${path.module}/templates/outputs/s3_list_delete_users.tpl")}"
+
+  vars {
+    user-name  = "${element(aws_iam_user.iam_user_s3_list_delete_access.*.name, count.index)}"
+    access-key = "${element(aws_iam_access_key.iam_user_s3_list_delete_access.*.id, count.index)}"
+    secret-key = "${element(aws_iam_access_key.iam_user_s3_list_delete_access.*.encrypted_secret, count.index)}"
+    password   = "${element(aws_iam_user_login_profile.s3_list_delete_login.*.encrypted_password, count.index)}"
+  }
+}
+
+# combine the S3 list/delete permission user outputs together
+data "template_file" "s3_list_delete_user_outputs" {
+  template = "$${outputs}"
+
+  vars {
+    outputs = "${join("\n\n", data.template_file.s3_list_delete_user_output.*.rendered)}"
+  }
+}
+
+# template file for the S3 get/delete permission user output
+data "template_file" "s3_get_delete_user_output" {
+  count    = "${local.count_iam_user_s3_get_delete_names}"
+  template = "${file("${path.module}/templates/outputs/s3_get_delete_users.tpl")}"
+
+  vars {
+    user-name  = "${element(aws_iam_user.iam_user_s3_get_delete_access.*.name, count.index)}"
+    access-key = "${element(aws_iam_access_key.iam_user_s3_get_delete_access.*.id, count.index)}"
+    secret-key = "${element(aws_iam_access_key.iam_user_s3_get_delete_access.*.encrypted_secret, count.index)}"
+  }
+}
+
+# combine the S3 list/delete permission user outputs together
+data "template_file" "s3_get_delete_user_outputs" {
+  template = "$${outputs}"
+
+  vars {
+    outputs = "${join("\n\n", data.template_file.s3_get_delete_user_output.*.rendered)}"
+  }
+}
+
+# template file for the standard user output
+data "template_file" "standard_user_output" {
+  count    = "${local.count_standard_user}"
+  template = "${file("${path.module}/templates/outputs/standard_users.tpl")}"
+
+  vars {
+    user-name   = "${element(aws_iam_user.standard_user.*.name, count.index)}"
+    access-key  = "${element(aws_iam_access_key.iam_user_standard_access.*.id, count.index)}"
+    secret-key  = "${element(aws_iam_access_key.iam_user_standard_access.*.encrypted_secret, count.index)}"
+    kms-key     = "${element(aws_kms_key.kmskey.*.key_id, count.index)}"
+    bucket-name = "${aws_s3_bucket.s3_bucket.id}"
+  }
+}
+
+# combine the standard user outputs together
+data "template_file" "standard_user_outputs" {
+  template = "$${outputs}"
+
+  vars {
+    outputs = "${join("\n\n", data.template_file.standard_user_output.*.rendered)}"
+  }
+}
\ No newline at end of file
diff --git a/iam_access_keys.tf b/iam_access_keys.tf
new file mode 100644
index 0000000..99faf48
--- /dev/null
+++ b/iam_access_keys.tf
@@ -0,0 +1,6 @@
+#access keys for the standard users 
+resource "aws_iam_access_key" "iam_user_standard_access" {
+  count   = "${local.count_standard_user}"
+  user    = "${element(aws_iam_user.standard_user.*.name, count.index)}"
+  pgp_key = "${base64encode(file("${var.pgp_keyname}"))}"
+}
\ No newline at end of file
diff --git a/iam_policy.tf b/iam_policy.tf
new file mode 100644
index 0000000..90b3823
--- /dev/null
+++ b/iam_policy.tf
@@ -0,0 +1,42 @@
+# iam policy for the standard users
+resource "aws_iam_policy" "iam_policy_standard_user" {
+  count       = "${local.count_standard_user}"
+  name        = "${aws_s3_bucket.s3_bucket.bucket}-${element(aws_iam_user.standard_user.*.name, count.index)}-policy"
+  path        = "/"
+  description = "Grants ${element(aws_iam_user.standard_user.*.name, count.index)} download and upload access to the respective S3 folder for ${aws_s3_bucket.s3_bucket.bucket}"
+
+  policy = <<EOF
+{
+ "Version":"2012-10-17",
+ "Statement": [
+   {
+     "Sid": "AllowUserToSeeBucketListInTheConsole",
+     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
+     "Effect": "Allow",
+     "Resource": ["${aws_s3_bucket.s3_bucket.arn}:*"]
+   },
+  {
+     "Sid": "AllowRootListingOfBucket",
+     "Action": ["s3:ListBucket"],
+     "Effect": "Allow",
+     "Resource": ["${aws_s3_bucket.s3_bucket.arn}"],
+     "Condition":{"StringEquals":{"s3:prefix":["${element(aws_iam_user.standard_user.*.name, count.index)}/"],"s3:delimiter":["/"]}}
+    },
+   {
+     "Sid": "AllowListingOfUserFolder",
+     "Action": ["s3:ListBucket"],
+     "Effect": "Allow",
+     "Resource": ["${aws_s3_bucket.s3_bucket.arn}"],
+     "Condition":{"StringLike":{"s3:prefix":["${element(aws_iam_user.standard_user.*.name, count.index)}/*"]}}
+   },
+   {
+     "Sid": "AllowAllS3ActionsInUserFolder",
+     "Effect": "Allow",
+     "Action": ["s3:PutObject", "s3:GetObject"],
+     "Resource": ["${aws_s3_bucket.s3_bucket.arn}/${element(aws_iam_user.standard_user.*.name, count.index)}/*"]
+   }
+ ]
+}
+
+EOF
+}
\ No newline at end of file
diff --git a/iam_static_user_access_keys.tf b/iam_static_user_access_keys.tf
new file mode 100644
index 0000000..6da3a3d
--- /dev/null
+++ b/iam_static_user_access_keys.tf
@@ -0,0 +1,20 @@
+# iam access keys for full permission users 
+resource "aws_iam_access_key" "iam_user_s3_full_access" {
+  count   = "${local.count_iam_user_s3_full_names}"
+  user    = "${element(aws_iam_user.iam_user_s3_full_access.*.name, count.index)}"
+  pgp_key = "${base64encode(file("${var.pgp_keyname}"))}"
+}
+
+# iam access keys for list delete permission users 
+resource "aws_iam_access_key" "iam_user_s3_list_delete_access" {
+  count   = "${local.count_iam_user_s3_list_delete_names}"
+  user    = "${element(aws_iam_user.iam_user_s3_list_delete_access.*.name, count.index)}"
+  pgp_key = "${base64encode(file("${var.pgp_keyname}"))}"
+}
+
+# iam access keys for get delete permission users 
+resource "aws_iam_access_key" "iam_user_s3_get_delete_access" {
+  count   = "${local.count_iam_user_s3_get_delete_names}"
+  user    = "${element(aws_iam_user.iam_user_s3_get_delete_access.*.name, count.index)}"
+  pgp_key = "${base64encode(file("${var.pgp_keyname}"))}"
+}
\ No newline at end of file
diff --git a/iam_static_user_policies.tf b/iam_static_user_policies.tf
new file mode 100644
index 0000000..42bb733
--- /dev/null
+++ b/iam_static_user_policies.tf
@@ -0,0 +1,104 @@
+# iam policy for full permission users 
+resource "aws_iam_policy" "iam_policy_s3_all" {
+  count         = "${local.count_iam_user_s3_full_names}"
+  name        = "${aws_s3_bucket.s3_bucket.bucket}-${element(aws_iam_user.iam_user_s3_full_access.*.name, count.index)}-s3-full-policy"
+  path        = "/"
+  description = "Grants ${element(aws_iam_user.iam_user_s3_full_access.*.name, count.index)} full permissions for S3 bucket ${aws_s3_bucket.s3_bucket.bucket}"
+
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:ListAllMyBuckets"
+            ],
+            "Resource": "arn:aws:s3:::*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:ListBucket",
+                "s3:GetBucketLocation"
+            ],
+            "Resource": "${aws_s3_bucket.s3_bucket.arn}"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:*"
+            ],
+            "Resource": [
+                "${aws_s3_bucket.s3_bucket.arn}",
+                "${aws_s3_bucket.s3_bucket.arn}/*"
+            ]
+        }
+    ]
+}
+EOF
+}
+
+# iam policy for list delete permission users
+resource "aws_iam_policy" "iam_policy_s3_list_delete" {
+  count       = "${local.count_iam_user_s3_list_delete_names}"
+  name        = "${aws_s3_bucket.s3_bucket.bucket}-${element(aws_iam_user.iam_user_s3_list_delete_access.*.name, count.index)}-s3-list-delete-policy"
+  path        = "/"
+  description = "Grants ${element(aws_iam_user.iam_user_s3_list_delete_access.*.name, count.index)} list/delete permissions for S3 bucket ${aws_s3_bucket.s3_bucket.bucket}"
+
+  policy = <<EOF
+{
+  "Version":"2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "s3:ListObjects",
+        "s3:DeleteObject",
+        "s3:ListAllMyBuckets"
+      ],
+      "Effect": "Allow",
+      "Resource": "${aws_s3_bucket.s3_bucket.arn}/*"
+    },
+    {
+      "Action": [
+        "s3:ListBucket"
+      ],
+      "Effect": "Allow",
+      "Resource": "${aws_s3_bucket.s3_bucket.arn}"
+    }
+  ]
+}
+EOF
+}
+
+# iam policy for get delete permission users
+resource "aws_iam_policy" "iam_policy_s3_get_delete" {
+  count       = "${local.count_iam_user_s3_get_delete_names}"
+  name        = "${aws_s3_bucket.s3_bucket.bucket}-${element(aws_iam_user.iam_user_s3_get_delete_access.*.name, count.index)}-s3-list-delete-policy"
+  path        = "/"
+  description = "Grants ${element(aws_iam_user.iam_user_s3_get_delete_access.*.name, count.index)} get/delete permissions for S3 bucket ${aws_s3_bucket.s3_bucket.bucket}"
+
+  policy = <<EOF
+{
+  "Version":"2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "s3:GetObject",
+        "s3:DeleteObject"
+      ],
+      "Effect": "Allow",
+      "Resource": "${aws_s3_bucket.s3_bucket.arn}/*"
+    },
+    {
+      "Action": [
+        "s3:ListBucket"
+      ],
+      "Effect": "Allow",
+      "Resource": "${aws_s3_bucket.s3_bucket.arn}"
+    }
+  ]
+}
+EOF
+}
\ No newline at end of file
diff --git a/iam_static_users.tf b/iam_static_users.tf
new file mode 100644
index 0000000..f8b4777
--- /dev/null
+++ b/iam_static_users.tf
@@ -0,0 +1,55 @@
+# create iam user(s) with full s3 permissions
+resource "aws_iam_user" "iam_user_s3_full_access" {
+  count         = "${local.count_iam_user_s3_full_names}"
+  name          = "${element(var.iam_user_s3_full_names, count.index)}"
+  force_destroy = true
+}
+
+# attach s3 full access policy to user(s): iam_user_s3_full_access
+resource "aws_iam_user_policy_attachment" "attach_s3_full_access" {
+  count      = "${local.count_iam_user_s3_full_names}"
+  user       = "${element(aws_iam_user.iam_user_s3_full_access.*.name, count.index)}"
+  policy_arn = "${aws_iam_policy.iam_policy_s3_all.arn}"
+}
+
+# create login profile for users with s3 full permissions 
+resource "aws_iam_user_login_profile" "s3_full_login" {
+  count   = "${local.count_iam_user_s3_full_names}"
+  user    = "${element(aws_iam_user.iam_user_s3_full_access.*.name, count.index)}"
+  pgp_key = "${base64encode(file("${var.pgp_keyname}"))}"
+}
+
+# create iam user(s) with s3 list, delete permissions
+resource "aws_iam_user" "iam_user_s3_list_delete_access" {
+  count         = "${local.count_iam_user_s3_list_delete_names}"
+  name          = "${element(var.iam_user_s3_list_delete_names, count.index)}"
+  force_destroy = true
+}
+
+# attach s3 list delete access policy to user(s): iam_user_s3_list_delete
+resource "aws_iam_user_policy_attachment" "attach_s3_list_delete_access" {
+  count      = "${local.count_iam_user_s3_list_delete_names}"
+  user       = "${element(aws_iam_user.iam_user_s3_list_delete_access.*.name, count.index)}"
+  policy_arn = "${aws_iam_policy.iam_policy_s3_list_delete.arn}"
+}
+
+# create login profile for users with s3 list, delete permissions
+resource "aws_iam_user_login_profile" "s3_list_delete_login" {
+  count   = "${local.count_iam_user_s3_list_delete_names}"
+  user    = "${element(aws_iam_user.iam_user_s3_list_delete_access.*.name, count.index)}"
+  pgp_key = "${base64encode(file("${var.pgp_keyname}"))}"
+}
+
+# create iam user(s) with s3 get, delete permissions
+resource "aws_iam_user" "iam_user_s3_get_delete_access" {
+  count         = "${local.count_iam_user_s3_get_delete_names}"
+  name          = "${element(var.iam_user_s3_get_delete_names, count.index)}"
+  force_destroy = true
+}
+
+# attach s3 get delete access policy to user(s): iam_user_s3_get_delete
+resource "aws_iam_user_policy_attachment" "attach_s3_get_delete" {
+  count      = "${local.count_iam_user_s3_get_delete_names}"
+  user       = "${element(aws_iam_user.iam_user_s3_get_delete_access.*.name, count.index)}"
+  policy_arn = "${aws_iam_policy.iam_policy_s3_get_delete.arn}"
+}
\ No newline at end of file
diff --git a/iam_users.tf b/iam_users.tf
new file mode 100644
index 0000000..157815e
--- /dev/null
+++ b/iam_users.tf
@@ -0,0 +1,12 @@
+# create standard iam user(s) based on number of names in variable "iam_user_names_s3_standard"
+resource "aws_iam_user" "standard_user" {
+  count = "${local.count_standard_user}"
+  name  = "${element(var.iam_user_s3_standard_names, count.index)}"
+}
+
+# attach standard user policies to standard users 
+resource "aws_iam_user_policy_attachment" "user-attachment" {
+  count      = "${local.count_standard_user}"
+  user       = "${element(aws_iam_user.standard_user.*.name, count.index)}"
+  policy_arn = "${element(aws_iam_policy.iam_policy_standard_user.*.arn, count.index)}"
+}
\ No newline at end of file
diff --git a/kms_keys.tf b/kms_keys.tf
new file mode 100644
index 0000000..a9e0b02
--- /dev/null
+++ b/kms_keys.tf
@@ -0,0 +1,55 @@
+# create KMS keys for standard users to enable encrypted uploads 
+# permission is also given to the get, delete permissioned user(s)
+resource "aws_kms_key" "kmskey" {
+  count       = "${local.count_standard_user}"
+  description = "${element(var.iam_user_s3_standard_names, count.index)}"
+
+  policy = <<POLICY
+{
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Sid": "Enable IAM User Permissions",
+        "Effect": "Allow",
+        "Principal": {
+          "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+        },
+        "Action": "kms:*",
+        "Resource": "*"
+      },
+      {
+        "Sid": "Allow use of the key",
+        "Effect": "Allow",
+        "Principal": {
+          "AWS": [
+            "${element(aws_iam_user.standard_user.*.arn, count.index)}",
+            "${element(aws_iam_user.iam_user_s3_get_delete_access.*.arn, count.index)}"
+          ]
+        },
+        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt", "kms:GenerateDataKey", "kms:DescribeKey"],
+        "Resource": "*"
+      },
+      {
+        "Sid": "Allow attachment of persistent resources",
+        "Effect": "Allow",
+        "Principal": {
+          "AWS": "${element(aws_iam_user.standard_user.*.arn, count.index)}"
+        },
+        "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
+        "Resource": "*",
+        "Condition": {
+          "Bool": {
+            "kms:GrantIsForAWSResource": "true"
+          }
+        }
+      }
+    ]
+}
+POLICY
+}
+
+# create alias(') for the KMS key(s)
+resource "aws_kms_alias" "kmskeyaliases" {
+  name          = "alias/${element(var.iam_user_s3_standard_names, count.index)}"
+  target_key_id = "${element(aws_kms_key.kmskey.*.key_id, count.index)}"
+}
\ No newline at end of file
diff --git a/locals.tf b/locals.tf
new file mode 100644
index 0000000..e80ab65
--- /dev/null
+++ b/locals.tf
@@ -0,0 +1,9 @@
+locals {
+  #IAM static users 
+  count_iam_user_s3_full_names        = "${length(var.iam_user_s3_full_names)}" 
+  count_iam_user_s3_list_delete_names = "${length(var.iam_user_s3_list_delete_names)}"
+  count_iam_user_s3_get_delete_names  = "${length(var.iam_user_s3_get_delete_names)}"
+
+  #IAM standard users
+  count_standard_user = "${length(var.iam_user_s3_standard_names)}"
+}
\ No newline at end of file
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..040e6dc
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,23 @@
+output "s3_full_user_info" {
+  value = "${list("${data.template_file.s3_full_user_outputs.rendered}")}"
+}
+
+output "s3_list_delete_user_info" {
+  value = "${list("${data.template_file.s3_list_delete_user_outputs.rendered}")}"
+}
+
+output "s3_get_delete_user_info" {
+  value = "${list("${data.template_file.s3_get_delete_user_outputs.rendered}")}"
+}
+
+output "standard_user_info" {
+  value = "${list("${data.template_file.standard_user_outputs.rendered}")}"
+}
+
+output "bucket_name" {
+  value = "${aws_s3_bucket.s3_bucket.id}"
+}
+
+output "bucket_arn" {
+  value = "${aws_s3_bucket.s3_bucket.arn}"
+}
\ No newline at end of file
diff --git a/s3_bucket.tf b/s3_bucket.tf
new file mode 100644
index 0000000..c32a03f
--- /dev/null
+++ b/s3_bucket.tf
@@ -0,0 +1,31 @@
+# The S3 bucket 
+resource "aws_s3_bucket" "s3_bucket" {
+  bucket = "${var.s3_bucket_name}"
+  acl    = "private"
+  region = "${var.region}"
+
+  versioning {
+    enabled = "${var.s3_versioning_enabled}" #default = false
+  }
+
+  lifecycle_rule {
+    enabled = "${var.lifecycle_rule_enabled}" #default = false
+    id      = "${var.lifecycle_rule_id}"      #required #default = ""
+    prefix  = "${var.lifecycle_rule_prefix}"  #default = whole bucket
+
+    expiration {
+      days = "${var.lifecycle_rule_expiration}" #default = 0
+    }
+
+    noncurrent_version_expiration {
+      days = "${var.lifecycle_rule_noncurrent_version_expiration}" #default = 90
+    }
+  }
+
+  #Make prevent_destroy setable with variable when terraform code has been changed to make this possible 
+  #hashicorp/terraform#3116
+
+  #lifecycle {
+  #  prevent_destroy = true
+  #}
+}
\ No newline at end of file
diff --git a/s3_bucket_policy.tf b/s3_bucket_policy.tf
new file mode 100644
index 0000000..58f0a6a
--- /dev/null
+++ b/s3_bucket_policy.tf
@@ -0,0 +1,5 @@
+# S3 bucket policy
+resource "aws_s3_bucket_policy" "s3_bucket_policy" {
+  bucket = "${aws_s3_bucket.s3_bucket.id}"
+  policy = "${data.template_file.bucket_policy.rendered}"
+}
\ No newline at end of file
diff --git a/s3_objects.tf b/s3_objects.tf
new file mode 100644
index 0000000..86da1f5
--- /dev/null
+++ b/s3_objects.tf
@@ -0,0 +1,7 @@
+resource "aws_s3_bucket_object" "bucket_objects" {
+  count      = "${local.count_standard_user}"
+  bucket     = "${var.s3_bucket_name}"
+  key        = "${element(var.iam_user_s3_standard_names, count.index)}"
+  content    = "."
+  kms_key_id = "${element(aws_kms_key.kmskey.*.arn, count.index)}"
+}
\ No newline at end of file
diff --git a/templates/bucket_policies/bucket_policy_deny_unencrypted.json.tpl b/templates/bucket_policies/bucket_policy_deny_unencrypted.json.tpl
new file mode 100644
index 0000000..f70304d
--- /dev/null
+++ b/templates/bucket_policies/bucket_policy_deny_unencrypted.json.tpl
@@ -0,0 +1,12 @@
+{
+"Sid":"DenyUnEncryptedObjectUploads",
+"Effect":"Deny",
+"Principal":"*",
+"Action":"s3:PutObject",
+"Resource":"${bucket-arn}/*",
+"Condition":{
+"StringNotEquals":{
+"s3:x-amz-server-side-encryption":"aws:kms"
+}
+}
+},
\ No newline at end of file
diff --git a/templates/bucket_policies/bucket_policy_end.json.tpl b/templates/bucket_policies/bucket_policy_end.json.tpl
new file mode 100644
index 0000000..858797f
--- /dev/null
+++ b/templates/bucket_policies/bucket_policy_end.json.tpl
@@ -0,0 +1,2 @@
+  ]
+}
\ No newline at end of file
diff --git a/templates/bucket_policies/bucket_policy_start.json.tpl b/templates/bucket_policies/bucket_policy_start.json.tpl
new file mode 100644
index 0000000..8535ca2
--- /dev/null
+++ b/templates/bucket_policies/bucket_policy_start.json.tpl
@@ -0,0 +1,3 @@
+{
+   "Version":"2012-10-17",
+   "Statement":[
\ No newline at end of file
diff --git a/templates/bucket_policies/bucket_policy_user_template.json.tpl b/templates/bucket_policies/bucket_policy_user_template.json.tpl
new file mode 100644
index 0000000..056d72c
--- /dev/null
+++ b/templates/bucket_policies/bucket_policy_user_template.json.tpl
@@ -0,0 +1,12 @@
+     {
+      "Sid":"AllowEncryptedObjectUploads-${user-name}",
+     "Effect":"Allow",
+     "Principal":"*",
+     "Action":"s3:PutObject",
+     "Resource":"${bucket-arn}/${user-name}/*",
+     "Condition":{
+       "StringEquals":{
+         "s3:x-amz-server-side-encryption-aws-kms-key-id":"${kms-key}"
+         }
+       }
+     }
\ No newline at end of file
diff --git a/templates/outputs/s3_full_users.tpl b/templates/outputs/s3_full_users.tpl
new file mode 100644
index 0000000..05eb366
--- /dev/null
+++ b/templates/outputs/s3_full_users.tpl
@@ -0,0 +1,4 @@
+"user_name:   ${user-name}",
+"access_key:  ${access-key}",
+"secret_key:  ${secret-key}",
+"password":   ${password}"
\ No newline at end of file
diff --git a/templates/outputs/s3_get_delete_users.tpl b/templates/outputs/s3_get_delete_users.tpl
new file mode 100644
index 0000000..0cde73c
--- /dev/null
+++ b/templates/outputs/s3_get_delete_users.tpl
@@ -0,0 +1,3 @@
+"user_name:   ${user-name}",
+"access_key:  ${access-key}",
+"secret_key:  ${secret-key}"
\ No newline at end of file
diff --git a/templates/outputs/s3_list_delete_users.tpl b/templates/outputs/s3_list_delete_users.tpl
new file mode 100644
index 0000000..05eb366
--- /dev/null
+++ b/templates/outputs/s3_list_delete_users.tpl
@@ -0,0 +1,4 @@
+"user_name:   ${user-name}",
+"access_key:  ${access-key}",
+"secret_key:  ${secret-key}",
+"password":   ${password}"
\ No newline at end of file
diff --git a/templates/outputs/standard_users.tpl b/templates/outputs/standard_users.tpl
new file mode 100644
index 0000000..77da2aa
--- /dev/null
+++ b/templates/outputs/standard_users.tpl
@@ -0,0 +1,5 @@
+"user_name:   ${user-name}",
+"access_key:  ${access-key}",
+"secret_key:  ${secret-key}",
+"kms_key:     ${kms-key}",
+"bucket_key: ${bucket-name}/${user-name}"
\ No newline at end of file
diff --git a/variables_general.tf b/variables_general.tf
new file mode 100644
index 0000000..b1dfb83
--- /dev/null
+++ b/variables_general.tf
@@ -0,0 +1,24 @@
+data "aws_caller_identity" "current" {}
+
+# Account
+provider "aws" {
+  region = "${var.region}"
+}
+
+# Region
+variable "region" {
+  description = "The AWS region to run in."
+  default     = "eu-central-1"
+}
+
+# Prefix
+variable "prefix" {
+  description = "A prefix which is added to each resource name."
+  default     = ""
+}
+
+# Suffix
+variable "suffix" {
+  description = "A suffix which is added to each resource name."
+  default     = ""
+}
\ No newline at end of file
diff --git a/variables_iam_static_users.tf b/variables_iam_static_users.tf
new file mode 100644
index 0000000..ebc295c
--- /dev/null
+++ b/variables_iam_static_users.tf
@@ -0,0 +1,18 @@
+
+variable "iam_user_s3_full_names" {
+  type        = "list"
+  description = "Names of the IAM users with S3 bucket full access"
+  default     = []
+}
+
+variable "iam_user_s3_list_delete_names" {
+  type        = "list"
+  description = "Names of the IAM users with S3 bucket list/delete permissions"
+  default     = []
+}
+
+variable "iam_user_s3_get_delete_names" {
+  type        = "list"
+  description = "Names of the IAM users with S3 bucket get/delete permissions"
+  default     = []
+}
\ No newline at end of file
diff --git a/variables_iam_users.tf b/variables_iam_users.tf
new file mode 100644
index 0000000..c3228d2
--- /dev/null
+++ b/variables_iam_users.tf
@@ -0,0 +1,5 @@
+variable "iam_user_s3_standard_names" {
+  type        = "list"
+  description = "Names of the IAM users with standard access"
+  default     = []
+}
\ No newline at end of file
diff --git a/variables_keys.tf b/variables_keys.tf
new file mode 100644
index 0000000..f10cb6a
--- /dev/null
+++ b/variables_keys.tf
@@ -0,0 +1,4 @@
+variable "pgp_keyname" {
+  description = "Public PGP key in binary format"
+  default     = ""
+}
\ No newline at end of file
diff --git a/variables_s3.tf b/variables_s3.tf
new file mode 100644
index 0000000..4d26526
--- /dev/null
+++ b/variables_s3.tf
@@ -0,0 +1,39 @@
+variable "s3_bucket_name" {
+  description = "Name of the S3 bucket"
+  default     = ""
+}
+
+variable "s3_versioning_enabled" {
+  description = "To enable file versioning"
+  default     = false
+}
+
+variable "lifecycle_rule_enabled" {
+  description = "To enable the lifecycle rule"
+  default     = false
+}
+
+variable "lifecycle_rule_id" {
+  description = "Name of the lifecyle rule id."
+  default     = ""
+}
+
+variable "lifecycle_rule_prefix" {
+  description = "Lifecycle rule prefix."
+  default     = ""
+}
+
+variable "lifecycle_rule_expiration" {
+  description = "Delete current object version X days after creation"
+  default     = 0
+}
+
+variable "lifecycle_rule_noncurrent_version_expiration" {
+  description = "Delete noncurrent object versions X days after creation"
+  default     = 90
+}
+
+variable "s3_lifecycle_prevent_destroy" {
+  description = "Prevent/allow terraform to destroy the bucket"
+  default     = false
+}
\ No newline at end of file