From d94bdccf9f16cb8407fa29c431f10d494d43f32d Mon Sep 17 00:00:00 2001
From: "ZOI\\graham.geary" <gg@zoi.de>
Date: Wed, 2 May 2018 18:07:05 +0200
Subject: [PATCH 1/9] initial commit

---
 CHANGELOG.md                                  |  19 ++
 README.md                                     | 166 +++++++++++++++++-
 data_template_bucket_policy.tf                |  38 ++++
 data_template_outputs.tf                      |  87 +++++++++
 iam_access_keys.tf                            |   6 +
 iam_policy.tf                                 |  42 +++++
 iam_static_user_access_keys.tf                |  20 +++
 iam_static_user_policies.tf                   | 104 +++++++++++
 iam_static_users.tf                           |  55 ++++++
 iam_users.tf                                  |  12 ++
 kms_keys.tf                                   |  55 ++++++
 locals.tf                                     |   9 +
 outputs.tf                                    |  23 +++
 s3_bucket.tf                                  |  31 ++++
 s3_bucket_policy.tf                           |   5 +
 s3_objects.tf                                 |   7 +
 .../bucket_policy_deny_unencrypted.json.tpl   |  12 ++
 .../bucket_policy_end.json.tpl                |   2 +
 .../bucket_policy_start.json.tpl              |   3 +
 .../bucket_policy_user_template.json.tpl      |  12 ++
 templates/outputs/s3_full_users.tpl           |   4 +
 templates/outputs/s3_get_delete_users.tpl     |   3 +
 templates/outputs/s3_list_delete_users.tpl    |   4 +
 templates/outputs/standard_users.tpl          |   5 +
 variables_general.tf                          |  34 ++++
 variables_iam_static_users.tf                 |  32 ++++
 variables_iam_users.tf                        |  10 ++
 variables_keys.tf                             |   4 +
 variables_s3.tf                               |  39 ++++
 29 files changed, 842 insertions(+), 1 deletion(-)
 create mode 100644 CHANGELOG.md
 create mode 100644 data_template_bucket_policy.tf
 create mode 100644 data_template_outputs.tf
 create mode 100644 iam_access_keys.tf
 create mode 100644 iam_policy.tf
 create mode 100644 iam_static_user_access_keys.tf
 create mode 100644 iam_static_user_policies.tf
 create mode 100644 iam_static_users.tf
 create mode 100644 iam_users.tf
 create mode 100644 kms_keys.tf
 create mode 100644 locals.tf
 create mode 100644 outputs.tf
 create mode 100644 s3_bucket.tf
 create mode 100644 s3_bucket_policy.tf
 create mode 100644 s3_objects.tf
 create mode 100644 templates/bucket_policies/bucket_policy_deny_unencrypted.json.tpl
 create mode 100644 templates/bucket_policies/bucket_policy_end.json.tpl
 create mode 100644 templates/bucket_policies/bucket_policy_start.json.tpl
 create mode 100644 templates/bucket_policies/bucket_policy_user_template.json.tpl
 create mode 100644 templates/outputs/s3_full_users.tpl
 create mode 100644 templates/outputs/s3_get_delete_users.tpl
 create mode 100644 templates/outputs/s3_list_delete_users.tpl
 create mode 100644 templates/outputs/standard_users.tpl
 create mode 100644 variables_general.tf
 create mode 100644 variables_iam_static_users.tf
 create mode 100644 variables_iam_users.tf
 create mode 100644 variables_keys.tf
 create mode 100644 variables_s3.tf

diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..79ccd7d
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,19 @@
+## Release Version: 0.0.1
+
+BACKWARDS INCOMPATIBILITIES / NOTES:
+
+* Tested with terraform v0.11.7
+
+INITIAL RELEASE:
+
+* S3 Bucket: supports object versioning, lifecycle policy (on whole bucket) to remove object versions older than X days
+* IAM Management Users: Admin, Sync
+* Standard Users: User keys (directories) with KMS encryption for uploads
+
+IMPROVEMENTS:
+
+* N/A
+
+BUG FIXES:
+
+* N/A
\ No newline at end of file
diff --git a/README.md b/README.md
index 8694e9e..2beef8a 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,165 @@
-# terraform-aws-s3-with-iam-access
\ No newline at end of file
+# AWS S3 Bucket with IAM Access Module
+Terraform module which creates an S3 bucket with varying levels of access for IAM users.
+
+The following resources can be created:
+* An S3 bucket
+* IAM User(s)
+* IAM Policies
+* KMS Keys
+
+## Usage
+### Specify this Module as Source
+```hcl
+module "alb" {
+  source = "git::https://github.com/zoitech/terraform-aws-s3-with-iam-access.git"
+
+  # Or to specifiy a particular module version:
+  source = "git::https://github.com/zoitech/terraform-aws-s3-with-iam-access.git?ref=v0.0.1"
+```
+### General Arguments
+#### Resource Creation Location
+The arguments for the account ID, VPC ID and region are required to specify where the resources should be created:
+```hcl
+account_id = "123456789123"
+vpc_id = "vpc-ab123456"
+region = "eu-west-1" #default = "eu-central-1"
+```
+#### PGP Key 
+A public PGP key (in binary format) is required for encrypting the IAM secret keys and KMS keys, as these are given in output (Please see outputs below):
+```hcl
+pgp_keyname = "C123654C.pgp"
+```
+### S3 Bucket Arguments
+#### Bucket Name 
+Set the bucket name:
+```hcl
+s3_bucket_name = "my-s3-bucket"
+```
+#### Object Versioning 
+Enable S3 object versioning:
+```hcl
+s3_versioning_enabled = true #default = false
+```
+#### Object Lifecycle 
+Enable S3 object lifecycle for the whole bucket and specify a rule name.
+
+Object expiration and/or previous version deletion is specified in days:
+```hcl
+lifecycle_rule_enabled = true #default = false
+lifecycle_rule_id = "expire_objects_older_than_180_days_delete_previous_versions_older_than_90_days" #default = ""
+lifecycle_rule_expiration = 180 #default = 0
+lifecycle_rule_noncurrent_version_expiration = 90 #default = 90 
+```
+
+N.b. Object versioning must be enabled to expire current versions and delete previous versions of an object. 
+
+#### Bucket Lifecycle Prevent Destroy
+By default the prevent_destroy lifecycle is to "true" to prevent accidental bucket deletion via terraform.
+
+### IAM Bucket Management Users 
+#### IAM User(s): S3 Bucket Full Permissions 
+Create IAM user(s) with full S3 bucket permissions (These users receive both management console and programmatic access):
+```hcl
+iam_user_s3_full = true #default = false
+iam_user_s3_full_names = ["superadmin1", "superadmin2"]
+```
+#### IAM User(s): S3 Bucket List/Delete Permissions 
+Create IAM user(s) with limited administrative (list and delete) S3 bucket permissions (These users receive both management console and programmatic access):
+```hcl
+iam_user_s3_list_delete = true #default = false
+iam_user_s3_list_delete_names = ["admin1", "admin2"]
+```
+#### IAM User(s): S3 Bucket Get/Delete Permissions 
+Create IAM user(s) with limited administrative (get and delete) S3 bucket permissions (These users receive only programmatic access)
+
+Recommended as a synchronisation user:
+```hcl
+iam_user_s3_get_delete = true #default = false
+iam_user_s3_get_delete_names = ["sync_user", "sync_user2"]
+```
+### IAM Bucket Standard Users
+Create IAM user(s) with their own bucket key (directory) in the S3 bucket. These users are assigned their own KMS keys which enable them to upload files in encrypted format as well as to download them and decrypt. (These users receive only programmatic access, therefore FTP client software such as CloudBerry or Cyberduck should be used):
+```hcl
+iam_user_s3_standard = true #default = false
+iam_user_s3_standard_names = ["Huey", "Dewey", "Louie"]
+```
+
+### Outputs 
+The following outputs are possible:
+* bucket_name (The name of the S3 bucket)
+* bucket_arn (The ARN of the S3 bucket)
+* s3_full_user_info  (The users with full S3 bucket permissions)
+* s3_list_delete_user_info (The users with list/delete S3 bucket permissions)
+* s3_get_delete_user_info (The users with get/delete S3 bucket permissions)
+* standard_user_info (The users with access to their own S3 bucket keys)
+
+
+Example usage:
+```hcl
+#The name of the S3 bucket
+output "Bucket-Name" {
+  value = "${module.s3.bucket_name}"
+}
+#The ARN of the S3 bucket
+output "Bucket-ARN" {
+  value = "${module.s3.bucket_arn}"
+}
+#The users with full S3 bucket permissions
+output "Superadmins" {
+  value = "${module.s3.s3_full_user_info}"
+}
+#The users with list/delete S3 bucket permissions
+output "Admins" {
+  value = "${module.s3.s3_list_delete_user_info}"
+}
+#The users with get/delete S3 bucket permissions
+output "Sync-Users" {
+  value = "${module.s3.s3_get_delete_user_info}"
+}
+#The users with access to their own S3 bucket keys
+output "User-Info" {
+  value = "${module.s3.standard_user_info}"
+}
+```
+
+Example output:
+```hcl
+Admins = [
+"user_name:   Admin",
+"access_key:  <omitted>",
+"secret_key:  <omitted>",
+"password":   <omitted>"
+]
+Bucket-ARN = arn:aws:s3:::my-s3-bucket
+Bucket-Name = my-s3-bucket
+Superadmins = [
+"user_name:   superadmin",
+"access_key:  <omitted>",
+"secret_key:  <omitted>",
+"password":   <omitted>"
+]
+Sync-Users = [
+"user_name:   sync-user",
+"access_key:  <omitted>",
+"secret_key:  <omitted>"
+]
+User-Info = [
+"user_name:   Huey",
+"access_key:  <omitted>",
+"secret_key:  <omitted>",
+"kms_key:     <omitted>",
+"bucket_key: my-s3-bucket/Huey"
+
+"user_name:   Dewey",
+"access_key:  <omitted>",
+"secret_key:  <omitted>",
+"kms_key:     <omitted>",
+"bucket_key: my-s3-bucket/Dewey"
+
+"user_name:   Louie",
+"access_key:  <omitted>",
+"secret_key:  <omitted>",
+"kms_key:     <omitted>",
+"bucket_key: my-s3-bucket/Louie"
+]
+```
\ No newline at end of file
diff --git a/data_template_bucket_policy.tf b/data_template_bucket_policy.tf
new file mode 100644
index 0000000..bf31c53
--- /dev/null
+++ b/data_template_bucket_policy.tf
@@ -0,0 +1,38 @@
+# template file for policy section: denying the unencrypted uploads
+data "template_file" "bucket_policy_for_deny_unencrypted" {
+  template = "${file("${path.module}/templates/bucket_policies/bucket_policy_deny_unencrypted.json.tpl")}"
+
+  vars {
+    bucket-arn = "${aws_s3_bucket.s3_bucket.arn}"
+  }
+}
+
+# template file for policy section: standard users
+data "template_file" "bucket_policy_for_a_standard_user" {
+  count    = "${length(var.iam_user_s3_standard_names)}"
+  template = "${file("${path.module}/templates/bucket_policies/bucket_policy_user_template.json.tpl")}"
+
+  vars {
+    bucket-arn = "${aws_s3_bucket.s3_bucket.arn}"
+    user-name  = "${element(aws_iam_user.standard_user.*.name, count.index)}"
+    kms-key    = "${element(aws_kms_key.kmskey.*.key_id, count.index)}"
+  }
+}
+
+# combine policy sections into one 
+data "template_file" "bucket_policy" {
+  template = <<JSON
+$${policy_start}
+$${deny_unencrypted_object_uploads}
+$${user_policies}
+$${policy_end}
+
+JSON
+
+  vars {
+    policy_start                    = "${file("${path.module}/templates/bucket_policies/bucket_policy_start.json.tpl")}"
+    deny_unencrypted_object_uploads = "${data.template_file.bucket_policy_for_deny_unencrypted.rendered}"
+    user_policies                   = "${join(",\n", data.template_file.bucket_policy_for_a_standard_user.*.rendered)}"
+    policy_end                      = "${file("${path.module}/templates/bucket_policies/bucket_policy_end.json.tpl")}"
+  }
+}
\ No newline at end of file
diff --git a/data_template_outputs.tf b/data_template_outputs.tf
new file mode 100644
index 0000000..e9dbfbe
--- /dev/null
+++ b/data_template_outputs.tf
@@ -0,0 +1,87 @@
+# template file for the S3 full permission user output
+data "template_file" "s3_full_user_output" {
+  count    = "${local.count_iam_user_s3_full_names}"
+  template = "${file("${path.module}/templates/outputs/s3_full_users.tpl")}"
+
+  vars {
+    user-name  = "${element(aws_iam_user.iam_user_s3_full_access.*.name, count.index)}"
+    access-key = "${element(aws_iam_access_key.iam_user_s3_full_access.*.id, count.index)}"
+    secret-key = "${element(aws_iam_access_key.iam_user_s3_full_access.*.encrypted_secret, count.index)}"
+    password   = "${element(aws_iam_user_login_profile.s3_full_login.*.encrypted_password, count.index)}"
+  }
+}
+
+# combine the S3 full permission user outputs together
+data "template_file" "s3_full_user_outputs" {
+  template = "$${outputs}"
+
+  vars {
+    outputs = "${join("\n\n", data.template_file.s3_full_user_output.*.rendered)}"
+  }
+}
+
+# template file for the S3 list/delete permission user output
+data "template_file" "s3_list_delete_user_output" {
+  count    = "${local.count_iam_user_s3_list_delete_names}"
+  template = "${file("${path.module}/templates/outputs/s3_list_delete_users.tpl")}"
+
+  vars {
+    user-name  = "${element(aws_iam_user.iam_user_s3_list_delete_access.*.name, count.index)}"
+    access-key = "${element(aws_iam_access_key.iam_user_s3_list_delete_access.*.id, count.index)}"
+    secret-key = "${element(aws_iam_access_key.iam_user_s3_list_delete_access.*.encrypted_secret, count.index)}"
+    password   = "${element(aws_iam_user_login_profile.s3_list_delete_login.*.encrypted_password, count.index)}"
+  }
+}
+
+# combine the S3 list/delete permission user outputs together
+data "template_file" "s3_list_delete_user_outputs" {
+  template = "$${outputs}"
+
+  vars {
+    outputs = "${join("\n\n", data.template_file.s3_list_delete_user_output.*.rendered)}"
+  }
+}
+
+# template file for the S3 get/delete permission user output
+data "template_file" "s3_get_delete_user_output" {
+  count    = "${local.count_iam_user_s3_get_delete_names}"
+  template = "${file("${path.module}/templates/outputs/s3_get_delete_users.tpl")}"
+
+  vars {
+    user-name  = "${element(aws_iam_user.iam_user_s3_get_delete_access.*.name, count.index)}"
+    access-key = "${element(aws_iam_access_key.iam_user_s3_get_delete_access.*.id, count.index)}"
+    secret-key = "${element(aws_iam_access_key.iam_user_s3_get_delete_access.*.encrypted_secret, count.index)}"
+  }
+}
+
+# combine the S3 list/delete permission user outputs together
+data "template_file" "s3_get_delete_user_outputs" {
+  template = "$${outputs}"
+
+  vars {
+    outputs = "${join("\n\n", data.template_file.s3_get_delete_user_output.*.rendered)}"
+  }
+}
+
+# template file for the standard user output
+data "template_file" "standard_user_output" {
+  count    = "${local.count_standard_user}"
+  template = "${file("${path.module}/templates/outputs/standard_users.tpl")}"
+
+  vars {
+    user-name   = "${element(aws_iam_user.standard_user.*.name, count.index)}"
+    access-key  = "${element(aws_iam_access_key.iam_user_standard_access.*.id, count.index)}"
+    secret-key  = "${element(aws_iam_access_key.iam_user_standard_access.*.encrypted_secret, count.index)}"
+    kms-key     = "${element(aws_kms_key.kmskey.*.key_id, count.index)}"
+    bucket-name = "${aws_s3_bucket.s3_bucket.id}"
+  }
+}
+
+# combine the standard user outputs together
+data "template_file" "standard_user_outputs" {
+  template = "$${outputs}"
+
+  vars {
+    outputs = "${join("\n\n", data.template_file.standard_user_output.*.rendered)}"
+  }
+}
\ No newline at end of file
diff --git a/iam_access_keys.tf b/iam_access_keys.tf
new file mode 100644
index 0000000..99faf48
--- /dev/null
+++ b/iam_access_keys.tf
@@ -0,0 +1,6 @@
+#access keys for the standard users 
+resource "aws_iam_access_key" "iam_user_standard_access" {
+  count   = "${local.count_standard_user}"
+  user    = "${element(aws_iam_user.standard_user.*.name, count.index)}"
+  pgp_key = "${base64encode(file("${var.pgp_keyname}"))}"
+}
\ No newline at end of file
diff --git a/iam_policy.tf b/iam_policy.tf
new file mode 100644
index 0000000..90b3823
--- /dev/null
+++ b/iam_policy.tf
@@ -0,0 +1,42 @@
+# iam policy for the standard users
+resource "aws_iam_policy" "iam_policy_standard_user" {
+  count       = "${local.count_standard_user}"
+  name        = "${aws_s3_bucket.s3_bucket.bucket}-${element(aws_iam_user.standard_user.*.name, count.index)}-policy"
+  path        = "/"
+  description = "Grants ${element(aws_iam_user.standard_user.*.name, count.index)} download and upload access to the respective S3 folder for ${aws_s3_bucket.s3_bucket.bucket}"
+
+  policy = <<EOF
+{
+ "Version":"2012-10-17",
+ "Statement": [
+   {
+     "Sid": "AllowUserToSeeBucketListInTheConsole",
+     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
+     "Effect": "Allow",
+     "Resource": ["${aws_s3_bucket.s3_bucket.arn}:*"]
+   },
+  {
+     "Sid": "AllowRootListingOfBucket",
+     "Action": ["s3:ListBucket"],
+     "Effect": "Allow",
+     "Resource": ["${aws_s3_bucket.s3_bucket.arn}"],
+     "Condition":{"StringEquals":{"s3:prefix":["${element(aws_iam_user.standard_user.*.name, count.index)}/"],"s3:delimiter":["/"]}}
+    },
+   {
+     "Sid": "AllowListingOfUserFolder",
+     "Action": ["s3:ListBucket"],
+     "Effect": "Allow",
+     "Resource": ["${aws_s3_bucket.s3_bucket.arn}"],
+     "Condition":{"StringLike":{"s3:prefix":["${element(aws_iam_user.standard_user.*.name, count.index)}/*"]}}
+   },
+   {
+     "Sid": "AllowAllS3ActionsInUserFolder",
+     "Effect": "Allow",
+     "Action": ["s3:PutObject", "s3:GetObject"],
+     "Resource": ["${aws_s3_bucket.s3_bucket.arn}/${element(aws_iam_user.standard_user.*.name, count.index)}/*"]
+   }
+ ]
+}
+
+EOF
+}
\ No newline at end of file
diff --git a/iam_static_user_access_keys.tf b/iam_static_user_access_keys.tf
new file mode 100644
index 0000000..6da3a3d
--- /dev/null
+++ b/iam_static_user_access_keys.tf
@@ -0,0 +1,20 @@
+# iam access keys for full permission users 
+resource "aws_iam_access_key" "iam_user_s3_full_access" {
+  count   = "${local.count_iam_user_s3_full_names}"
+  user    = "${element(aws_iam_user.iam_user_s3_full_access.*.name, count.index)}"
+  pgp_key = "${base64encode(file("${var.pgp_keyname}"))}"
+}
+
+# iam access keys for list delete permission users 
+resource "aws_iam_access_key" "iam_user_s3_list_delete_access" {
+  count   = "${local.count_iam_user_s3_list_delete_names}"
+  user    = "${element(aws_iam_user.iam_user_s3_list_delete_access.*.name, count.index)}"
+  pgp_key = "${base64encode(file("${var.pgp_keyname}"))}"
+}
+
+# iam access keys for get delete permission users 
+resource "aws_iam_access_key" "iam_user_s3_get_delete_access" {
+  count   = "${local.count_iam_user_s3_get_delete_names}"
+  user    = "${element(aws_iam_user.iam_user_s3_get_delete_access.*.name, count.index)}"
+  pgp_key = "${base64encode(file("${var.pgp_keyname}"))}"
+}
\ No newline at end of file
diff --git a/iam_static_user_policies.tf b/iam_static_user_policies.tf
new file mode 100644
index 0000000..42bb733
--- /dev/null
+++ b/iam_static_user_policies.tf
@@ -0,0 +1,104 @@
+# iam policy for full permission users 
+resource "aws_iam_policy" "iam_policy_s3_all" {
+  count         = "${local.count_iam_user_s3_full_names}"
+  name        = "${aws_s3_bucket.s3_bucket.bucket}-${element(aws_iam_user.iam_user_s3_full_access.*.name, count.index)}-s3-full-policy"
+  path        = "/"
+  description = "Grants ${element(aws_iam_user.iam_user_s3_full_access.*.name, count.index)} full permissions for S3 bucket ${aws_s3_bucket.s3_bucket.bucket}"
+
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:ListAllMyBuckets"
+            ],
+            "Resource": "arn:aws:s3:::*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:ListBucket",
+                "s3:GetBucketLocation"
+            ],
+            "Resource": "${aws_s3_bucket.s3_bucket.arn}"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:*"
+            ],
+            "Resource": [
+                "${aws_s3_bucket.s3_bucket.arn}",
+                "${aws_s3_bucket.s3_bucket.arn}/*"
+            ]
+        }
+    ]
+}
+EOF
+}
+
+# iam policy for list delete permission users
+resource "aws_iam_policy" "iam_policy_s3_list_delete" {
+  count       = "${local.count_iam_user_s3_list_delete_names}"
+  name        = "${aws_s3_bucket.s3_bucket.bucket}-${element(aws_iam_user.iam_user_s3_list_delete_access.*.name, count.index)}-s3-list-delete-policy"
+  path        = "/"
+  description = "Grants ${element(aws_iam_user.iam_user_s3_list_delete_access.*.name, count.index)} list/delete permissions for S3 bucket ${aws_s3_bucket.s3_bucket.bucket}"
+
+  policy = <<EOF
+{
+  "Version":"2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "s3:ListObjects",
+        "s3:DeleteObject",
+        "s3:ListAllMyBuckets"
+      ],
+      "Effect": "Allow",
+      "Resource": "${aws_s3_bucket.s3_bucket.arn}/*"
+    },
+    {
+      "Action": [
+        "s3:ListBucket"
+      ],
+      "Effect": "Allow",
+      "Resource": "${aws_s3_bucket.s3_bucket.arn}"
+    }
+  ]
+}
+EOF
+}
+
+# iam policy for get delete permission users
+resource "aws_iam_policy" "iam_policy_s3_get_delete" {
+  count       = "${local.count_iam_user_s3_get_delete_names}"
+  name        = "${aws_s3_bucket.s3_bucket.bucket}-${element(aws_iam_user.iam_user_s3_get_delete_access.*.name, count.index)}-s3-list-delete-policy"
+  path        = "/"
+  description = "Grants ${element(aws_iam_user.iam_user_s3_get_delete_access.*.name, count.index)} get/delete permissions for S3 bucket ${aws_s3_bucket.s3_bucket.bucket}"
+
+  policy = <<EOF
+{
+  "Version":"2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "s3:GetObject",
+        "s3:DeleteObject"
+      ],
+      "Effect": "Allow",
+      "Resource": "${aws_s3_bucket.s3_bucket.arn}/*"
+    },
+    {
+      "Action": [
+        "s3:ListBucket"
+      ],
+      "Effect": "Allow",
+      "Resource": "${aws_s3_bucket.s3_bucket.arn}"
+    }
+  ]
+}
+EOF
+}
\ No newline at end of file
diff --git a/iam_static_users.tf b/iam_static_users.tf
new file mode 100644
index 0000000..f8b4777
--- /dev/null
+++ b/iam_static_users.tf
@@ -0,0 +1,55 @@
+# create iam user(s) with full s3 permissions
+resource "aws_iam_user" "iam_user_s3_full_access" {
+  count         = "${local.count_iam_user_s3_full_names}"
+  name          = "${element(var.iam_user_s3_full_names, count.index)}"
+  force_destroy = true
+}
+
+# attach s3 full access policy to user(s): iam_user_s3_full_access
+resource "aws_iam_user_policy_attachment" "attach_s3_full_access" {
+  count      = "${local.count_iam_user_s3_full_names}"
+  user       = "${element(aws_iam_user.iam_user_s3_full_access.*.name, count.index)}"
+  policy_arn = "${aws_iam_policy.iam_policy_s3_all.arn}"
+}
+
+# create login profile for users with s3 full permissions 
+resource "aws_iam_user_login_profile" "s3_full_login" {
+  count   = "${local.count_iam_user_s3_full_names}"
+  user    = "${element(aws_iam_user.iam_user_s3_full_access.*.name, count.index)}"
+  pgp_key = "${base64encode(file("${var.pgp_keyname}"))}"
+}
+
+# create iam user(s) with s3 list, delete permissions
+resource "aws_iam_user" "iam_user_s3_list_delete_access" {
+  count         = "${local.count_iam_user_s3_list_delete_names}"
+  name          = "${element(var.iam_user_s3_list_delete_names, count.index)}"
+  force_destroy = true
+}
+
+# attach s3 list delete access policy to user(s): iam_user_s3_list_delete
+resource "aws_iam_user_policy_attachment" "attach_s3_list_delete_access" {
+  count      = "${local.count_iam_user_s3_list_delete_names}"
+  user       = "${element(aws_iam_user.iam_user_s3_list_delete_access.*.name, count.index)}"
+  policy_arn = "${aws_iam_policy.iam_policy_s3_list_delete.arn}"
+}
+
+# create login profile for users with s3 list, delete permissions
+resource "aws_iam_user_login_profile" "s3_list_delete_login" {
+  count   = "${local.count_iam_user_s3_list_delete_names}"
+  user    = "${element(aws_iam_user.iam_user_s3_list_delete_access.*.name, count.index)}"
+  pgp_key = "${base64encode(file("${var.pgp_keyname}"))}"
+}
+
+# create iam user(s) with s3 get, delete permissions
+resource "aws_iam_user" "iam_user_s3_get_delete_access" {
+  count         = "${local.count_iam_user_s3_get_delete_names}"
+  name          = "${element(var.iam_user_s3_get_delete_names, count.index)}"
+  force_destroy = true
+}
+
+# attach s3 get delete access policy to user(s): iam_user_s3_get_delete
+resource "aws_iam_user_policy_attachment" "attach_s3_get_delete" {
+  count      = "${local.count_iam_user_s3_get_delete_names}"
+  user       = "${element(aws_iam_user.iam_user_s3_get_delete_access.*.name, count.index)}"
+  policy_arn = "${aws_iam_policy.iam_policy_s3_get_delete.arn}"
+}
\ No newline at end of file
diff --git a/iam_users.tf b/iam_users.tf
new file mode 100644
index 0000000..157815e
--- /dev/null
+++ b/iam_users.tf
@@ -0,0 +1,12 @@
+# create standard iam user(s) based on number of names in variable "iam_user_names_s3_standard"
+resource "aws_iam_user" "standard_user" {
+  count = "${local.count_standard_user}"
+  name  = "${element(var.iam_user_s3_standard_names, count.index)}"
+}
+
+# attach standard user policies to standard users 
+resource "aws_iam_user_policy_attachment" "user-attachment" {
+  count      = "${local.count_standard_user}"
+  user       = "${element(aws_iam_user.standard_user.*.name, count.index)}"
+  policy_arn = "${element(aws_iam_policy.iam_policy_standard_user.*.arn, count.index)}"
+}
\ No newline at end of file
diff --git a/kms_keys.tf b/kms_keys.tf
new file mode 100644
index 0000000..987c852
--- /dev/null
+++ b/kms_keys.tf
@@ -0,0 +1,55 @@
+# create KMS keys for standard users to enable encrypted uploads 
+# permission is also given to the get, delete permissioned user(s)
+resource "aws_kms_key" "kmskey" {
+  count       = "${local.count_standard_user}"
+  description = "${element(var.iam_user_s3_standard_names, count.index)}"
+
+  policy = <<POLICY
+{
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Sid": "Enable IAM User Permissions",
+        "Effect": "Allow",
+        "Principal": {
+          "AWS": "arn:aws:iam::${var.account_id}:root"
+        },
+        "Action": "kms:*",
+        "Resource": "*"
+      },
+      {
+        "Sid": "Allow use of the key",
+        "Effect": "Allow",
+        "Principal": {
+          "AWS": [
+            "${element(aws_iam_user.standard_user.*.arn, count.index)}",
+            "${element(aws_iam_user.iam_user_s3_get_delete_access.*.arn, count.index)}"
+          ]
+        },
+        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt", "kms:GenerateDataKey", "kms:DescribeKey"],
+        "Resource": "*"
+      },
+      {
+        "Sid": "Allow attachment of persistent resources",
+        "Effect": "Allow",
+        "Principal": {
+          "AWS": "${element(aws_iam_user.standard_user.*.arn, count.index)}"
+        },
+        "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
+        "Resource": "*",
+        "Condition": {
+          "Bool": {
+            "kms:GrantIsForAWSResource": "true"
+          }
+        }
+      }
+    ]
+}
+POLICY
+}
+
+# create alias(') for the KMS key(s)
+resource "aws_kms_alias" "kmskeyaliases" {
+  name          = "alias/${element(var.iam_user_s3_standard_names, count.index)}"
+  target_key_id = "${element(aws_kms_key.kmskey.*.key_id, count.index)}"
+}
\ No newline at end of file
diff --git a/locals.tf b/locals.tf
new file mode 100644
index 0000000..5181301
--- /dev/null
+++ b/locals.tf
@@ -0,0 +1,9 @@
+locals {
+  #IAM static users 
+  count_iam_user_s3_full_names        = "${var.iam_user_s3_full ? "${length(var.iam_user_s3_full_names)}" :0 }"
+  count_iam_user_s3_list_delete_names = "${var.iam_user_s3_list_delete ? "${length(var.iam_user_s3_list_delete_names)}" :0 }"
+  count_iam_user_s3_get_delete_names  = "${var.iam_user_s3_get_delete ? "${length(var.iam_user_s3_get_delete_names)}" :0 }"
+
+  #IAM standard users
+  count_standard_user = "${length(var.iam_user_s3_standard_names)}"
+}
\ No newline at end of file
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..040e6dc
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,23 @@
+output "s3_full_user_info" {
+  value = "${list("${data.template_file.s3_full_user_outputs.rendered}")}"
+}
+
+output "s3_list_delete_user_info" {
+  value = "${list("${data.template_file.s3_list_delete_user_outputs.rendered}")}"
+}
+
+output "s3_get_delete_user_info" {
+  value = "${list("${data.template_file.s3_get_delete_user_outputs.rendered}")}"
+}
+
+output "standard_user_info" {
+  value = "${list("${data.template_file.standard_user_outputs.rendered}")}"
+}
+
+output "bucket_name" {
+  value = "${aws_s3_bucket.s3_bucket.id}"
+}
+
+output "bucket_arn" {
+  value = "${aws_s3_bucket.s3_bucket.arn}"
+}
\ No newline at end of file
diff --git a/s3_bucket.tf b/s3_bucket.tf
new file mode 100644
index 0000000..c32a03f
--- /dev/null
+++ b/s3_bucket.tf
@@ -0,0 +1,31 @@
+# The S3 bucket 
+resource "aws_s3_bucket" "s3_bucket" {
+  bucket = "${var.s3_bucket_name}"
+  acl    = "private"
+  region = "${var.region}"
+
+  versioning {
+    enabled = "${var.s3_versioning_enabled}" #default = false
+  }
+
+  lifecycle_rule {
+    enabled = "${var.lifecycle_rule_enabled}" #default = false
+    id      = "${var.lifecycle_rule_id}"      #required #default = ""
+    prefix  = "${var.lifecycle_rule_prefix}"  #default = whole bucket
+
+    expiration {
+      days = "${var.lifecycle_rule_expiration}" #default = 0
+    }
+
+    noncurrent_version_expiration {
+      days = "${var.lifecycle_rule_noncurrent_version_expiration}" #default = 90
+    }
+  }
+
+  #Make prevent_destroy setable with variable when terraform code has been changed to make this possible 
+  #hashicorp/terraform#3116
+
+  #lifecycle {
+  #  prevent_destroy = true
+  #}
+}
\ No newline at end of file
diff --git a/s3_bucket_policy.tf b/s3_bucket_policy.tf
new file mode 100644
index 0000000..58f0a6a
--- /dev/null
+++ b/s3_bucket_policy.tf
@@ -0,0 +1,5 @@
+# S3 bucket policy
+resource "aws_s3_bucket_policy" "s3_bucket_policy" {
+  bucket = "${aws_s3_bucket.s3_bucket.id}"
+  policy = "${data.template_file.bucket_policy.rendered}"
+}
\ No newline at end of file
diff --git a/s3_objects.tf b/s3_objects.tf
new file mode 100644
index 0000000..86da1f5
--- /dev/null
+++ b/s3_objects.tf
@@ -0,0 +1,7 @@
+resource "aws_s3_bucket_object" "bucket_objects" {
+  count      = "${local.count_standard_user}"
+  bucket     = "${var.s3_bucket_name}"
+  key        = "${element(var.iam_user_s3_standard_names, count.index)}"
+  content    = "."
+  kms_key_id = "${element(aws_kms_key.kmskey.*.arn, count.index)}"
+}
\ No newline at end of file
diff --git a/templates/bucket_policies/bucket_policy_deny_unencrypted.json.tpl b/templates/bucket_policies/bucket_policy_deny_unencrypted.json.tpl
new file mode 100644
index 0000000..f70304d
--- /dev/null
+++ b/templates/bucket_policies/bucket_policy_deny_unencrypted.json.tpl
@@ -0,0 +1,12 @@
+{
+"Sid":"DenyUnEncryptedObjectUploads",
+"Effect":"Deny",
+"Principal":"*",
+"Action":"s3:PutObject",
+"Resource":"${bucket-arn}/*",
+"Condition":{
+"StringNotEquals":{
+"s3:x-amz-server-side-encryption":"aws:kms"
+}
+}
+},
\ No newline at end of file
diff --git a/templates/bucket_policies/bucket_policy_end.json.tpl b/templates/bucket_policies/bucket_policy_end.json.tpl
new file mode 100644
index 0000000..858797f
--- /dev/null
+++ b/templates/bucket_policies/bucket_policy_end.json.tpl
@@ -0,0 +1,2 @@
+  ]
+}
\ No newline at end of file
diff --git a/templates/bucket_policies/bucket_policy_start.json.tpl b/templates/bucket_policies/bucket_policy_start.json.tpl
new file mode 100644
index 0000000..8535ca2
--- /dev/null
+++ b/templates/bucket_policies/bucket_policy_start.json.tpl
@@ -0,0 +1,3 @@
+{
+   "Version":"2012-10-17",
+   "Statement":[
\ No newline at end of file
diff --git a/templates/bucket_policies/bucket_policy_user_template.json.tpl b/templates/bucket_policies/bucket_policy_user_template.json.tpl
new file mode 100644
index 0000000..056d72c
--- /dev/null
+++ b/templates/bucket_policies/bucket_policy_user_template.json.tpl
@@ -0,0 +1,12 @@
+     {
+      "Sid":"AllowEncryptedObjectUploads-${user-name}",
+     "Effect":"Allow",
+     "Principal":"*",
+     "Action":"s3:PutObject",
+     "Resource":"${bucket-arn}/${user-name}/*",
+     "Condition":{
+       "StringEquals":{
+         "s3:x-amz-server-side-encryption-aws-kms-key-id":"${kms-key}"
+         }
+       }
+     }
\ No newline at end of file
diff --git a/templates/outputs/s3_full_users.tpl b/templates/outputs/s3_full_users.tpl
new file mode 100644
index 0000000..05eb366
--- /dev/null
+++ b/templates/outputs/s3_full_users.tpl
@@ -0,0 +1,4 @@
+"user_name:   ${user-name}",
+"access_key:  ${access-key}",
+"secret_key:  ${secret-key}",
+"password":   ${password}"
\ No newline at end of file
diff --git a/templates/outputs/s3_get_delete_users.tpl b/templates/outputs/s3_get_delete_users.tpl
new file mode 100644
index 0000000..0cde73c
--- /dev/null
+++ b/templates/outputs/s3_get_delete_users.tpl
@@ -0,0 +1,3 @@
+"user_name:   ${user-name}",
+"access_key:  ${access-key}",
+"secret_key:  ${secret-key}"
\ No newline at end of file
diff --git a/templates/outputs/s3_list_delete_users.tpl b/templates/outputs/s3_list_delete_users.tpl
new file mode 100644
index 0000000..05eb366
--- /dev/null
+++ b/templates/outputs/s3_list_delete_users.tpl
@@ -0,0 +1,4 @@
+"user_name:   ${user-name}",
+"access_key:  ${access-key}",
+"secret_key:  ${secret-key}",
+"password":   ${password}"
\ No newline at end of file
diff --git a/templates/outputs/standard_users.tpl b/templates/outputs/standard_users.tpl
new file mode 100644
index 0000000..77da2aa
--- /dev/null
+++ b/templates/outputs/standard_users.tpl
@@ -0,0 +1,5 @@
+"user_name:   ${user-name}",
+"access_key:  ${access-key}",
+"secret_key:  ${secret-key}",
+"kms_key:     ${kms-key}",
+"bucket_key: ${bucket-name}/${user-name}"
\ No newline at end of file
diff --git a/variables_general.tf b/variables_general.tf
new file mode 100644
index 0000000..3afbfb4
--- /dev/null
+++ b/variables_general.tf
@@ -0,0 +1,34 @@
+data "aws_caller_identity" "current" {}
+
+# Account
+provider "aws" {
+  region = "${var.region}"
+}
+
+# Account ID
+variable "account_id" {
+  description = "The AWS account ID."
+}
+
+# Region
+variable "region" {
+  description = "The AWS region to run in."
+  default     = "eu-central-1"
+}
+
+# VPC ID
+variable "vpc_id" {
+  description = "The VPC ID in which the resources should be created."
+}
+
+# Prefix
+variable "prefix" {
+  description = "A prefix which is added to each resource name."
+  default     = ""
+}
+
+# Suffix
+variable "suffix" {
+  description = "A suffix which is added to each resource name."
+  default     = ""
+}
\ No newline at end of file
diff --git a/variables_iam_static_users.tf b/variables_iam_static_users.tf
new file mode 100644
index 0000000..f872c2d
--- /dev/null
+++ b/variables_iam_static_users.tf
@@ -0,0 +1,32 @@
+variable "iam_user_s3_full" {
+  description = "Enable IAM user(s) with S3 bucket full access"
+  default     = false
+}
+
+variable "iam_user_s3_full_names" {
+  type        = "list"
+  description = "Names of the IAM users with S3 bucket full access"
+  default     = []
+}
+
+variable "iam_user_s3_list_delete" {
+  description = "Enable IAM user(s) with S3 bucket list/delete permissions"
+  default     = false
+}
+
+variable "iam_user_s3_list_delete_names" {
+  type        = "list"
+  description = "Names of the IAM users with S3 bucket list/delete permissions"
+  default     = []
+}
+
+variable "iam_user_s3_get_delete" {
+  description = "Enable IAM user(s) with S3 bucket get/delete permissions"
+  default     = false
+}
+
+variable "iam_user_s3_get_delete_names" {
+  type        = "list"
+  description = "Names of the IAM users with S3 bucket get/delete permissions"
+  default     = []
+}
\ No newline at end of file
diff --git a/variables_iam_users.tf b/variables_iam_users.tf
new file mode 100644
index 0000000..62b6143
--- /dev/null
+++ b/variables_iam_users.tf
@@ -0,0 +1,10 @@
+variable "iam_user_s3_standard" {
+  description = "Enable IAM user(s) with S3 bucket full access"
+  default     = false
+}
+
+variable "iam_user_s3_standard_names" {
+  type        = "list"
+  description = "Names of the IAM users with standard access"
+  default     = []
+}
\ No newline at end of file
diff --git a/variables_keys.tf b/variables_keys.tf
new file mode 100644
index 0000000..f10cb6a
--- /dev/null
+++ b/variables_keys.tf
@@ -0,0 +1,4 @@
+variable "pgp_keyname" {
+  description = "Public PGP key in binary format"
+  default     = ""
+}
\ No newline at end of file
diff --git a/variables_s3.tf b/variables_s3.tf
new file mode 100644
index 0000000..4d26526
--- /dev/null
+++ b/variables_s3.tf
@@ -0,0 +1,39 @@
+variable "s3_bucket_name" {
+  description = "Name of the S3 bucket"
+  default     = ""
+}
+
+variable "s3_versioning_enabled" {
+  description = "To enable file versioning"
+  default     = false
+}
+
+variable "lifecycle_rule_enabled" {
+  description = "To enable the lifecycle rule"
+  default     = false
+}
+
+variable "lifecycle_rule_id" {
+  description = "Name of the lifecyle rule id."
+  default     = ""
+}
+
+variable "lifecycle_rule_prefix" {
+  description = "Lifecycle rule prefix."
+  default     = ""
+}
+
+variable "lifecycle_rule_expiration" {
+  description = "Delete current object version X days after creation"
+  default     = 0
+}
+
+variable "lifecycle_rule_noncurrent_version_expiration" {
+  description = "Delete noncurrent object versions X days after creation"
+  default     = 90
+}
+
+variable "s3_lifecycle_prevent_destroy" {
+  description = "Prevent/allow terraform to destroy the bucket"
+  default     = false
+}
\ No newline at end of file

From bdf5aa397ad8c162d831cf675cd385fed3c25166 Mon Sep 17 00:00:00 2001
From: Geary <29755594+Geartrixy@users.noreply.github.com>
Date: Wed, 2 May 2018 18:35:25 +0200
Subject: [PATCH 2/9] Update README.md

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 2beef8a..c47010f 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ The following resources can be created:
 ## Usage
 ### Specify this Module as Source
 ```hcl
-module "alb" {
+module "s3" {
   source = "git::https://github.com/zoitech/terraform-aws-s3-with-iam-access.git"
 
   # Or to specifiy a particular module version:
@@ -162,4 +162,4 @@ User-Info = [
 "kms_key:     <omitted>",
 "bucket_key: my-s3-bucket/Louie"
 ]
-```
\ No newline at end of file
+```

From 7320be03b90381141b8f0859992ab306687e737e Mon Sep 17 00:00:00 2001
From: "ZOI\\graham.geary" <gg@zoi.de>
Date: Wed, 2 May 2018 18:36:11 +0200
Subject: [PATCH 3/9] README.md -> ammended typo

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 2beef8a..7624473 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ The following resources can be created:
 ## Usage
 ### Specify this Module as Source
 ```hcl
-module "alb" {
+module "s3" {
   source = "git::https://github.com/zoitech/terraform-aws-s3-with-iam-access.git"
 
   # Or to specifiy a particular module version:

From a1d5b10da37ced735ca71ff40d4b1f30812887df Mon Sep 17 00:00:00 2001
From: "ZOI\\graham.geary" <gg@zoi.de>
Date: Mon, 2 Jul 2018 10:38:54 +0200
Subject: [PATCH 4/9] "account_id" variable replaced with
 "data.aws_caller_identity.current.account_id"

---
 kms_keys.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kms_keys.tf b/kms_keys.tf
index 987c852..a9e0b02 100644
--- a/kms_keys.tf
+++ b/kms_keys.tf
@@ -12,7 +12,7 @@ resource "aws_kms_key" "kmskey" {
         "Sid": "Enable IAM User Permissions",
         "Effect": "Allow",
         "Principal": {
-          "AWS": "arn:aws:iam::${var.account_id}:root"
+          "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
         },
         "Action": "kms:*",
         "Resource": "*"

From 7e68293d057de3f32bcf8e65e10be20f01d9578a Mon Sep 17 00:00:00 2001
From: "ZOI\\graham.geary" <gg@zoi.de>
Date: Mon, 2 Jul 2018 10:39:41 +0200
Subject: [PATCH 5/9] Removed "account_id" and "vpc_id" variables as not
 required

---
 variables_general.tf | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/variables_general.tf b/variables_general.tf
index 3afbfb4..b1dfb83 100644
--- a/variables_general.tf
+++ b/variables_general.tf
@@ -5,22 +5,12 @@ provider "aws" {
   region = "${var.region}"
 }
 
-# Account ID
-variable "account_id" {
-  description = "The AWS account ID."
-}
-
 # Region
 variable "region" {
   description = "The AWS region to run in."
   default     = "eu-central-1"
 }
 
-# VPC ID
-variable "vpc_id" {
-  description = "The VPC ID in which the resources should be created."
-}
-
 # Prefix
 variable "prefix" {
   description = "A prefix which is added to each resource name."

From b768591308ff3bca441169ab4a4325b8fb3ce9f1 Mon Sep 17 00:00:00 2001
From: "ZOI\\graham.geary" <gg@zoi.de>
Date: Mon, 2 Jul 2018 10:40:48 +0200
Subject: [PATCH 6/9] Changed IAM user creation to be based on when the lists
 have values, as opposed to an "enable" variable

---
 locals.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/locals.tf b/locals.tf
index 5181301..e80ab65 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,8 +1,8 @@
 locals {
   #IAM static users 
-  count_iam_user_s3_full_names        = "${var.iam_user_s3_full ? "${length(var.iam_user_s3_full_names)}" :0 }"
-  count_iam_user_s3_list_delete_names = "${var.iam_user_s3_list_delete ? "${length(var.iam_user_s3_list_delete_names)}" :0 }"
-  count_iam_user_s3_get_delete_names  = "${var.iam_user_s3_get_delete ? "${length(var.iam_user_s3_get_delete_names)}" :0 }"
+  count_iam_user_s3_full_names        = "${length(var.iam_user_s3_full_names)}" 
+  count_iam_user_s3_list_delete_names = "${length(var.iam_user_s3_list_delete_names)}"
+  count_iam_user_s3_get_delete_names  = "${length(var.iam_user_s3_get_delete_names)}"
 
   #IAM standard users
   count_standard_user = "${length(var.iam_user_s3_standard_names)}"

From c2cb0d31c5765dc1c47a0e6e41aec02ac090f2a0 Mon Sep 17 00:00:00 2001
From: "ZOI\\graham.geary" <gg@zoi.de>
Date: Mon, 2 Jul 2018 10:41:15 +0200
Subject: [PATCH 7/9] Removed "enable" variables for IAM user creation

---
 variables_iam_static_users.tf | 14 --------------
 1 file changed, 14 deletions(-)

diff --git a/variables_iam_static_users.tf b/variables_iam_static_users.tf
index f872c2d..ebc295c 100644
--- a/variables_iam_static_users.tf
+++ b/variables_iam_static_users.tf
@@ -1,7 +1,3 @@
-variable "iam_user_s3_full" {
-  description = "Enable IAM user(s) with S3 bucket full access"
-  default     = false
-}
 
 variable "iam_user_s3_full_names" {
   type        = "list"
@@ -9,22 +5,12 @@ variable "iam_user_s3_full_names" {
   default     = []
 }
 
-variable "iam_user_s3_list_delete" {
-  description = "Enable IAM user(s) with S3 bucket list/delete permissions"
-  default     = false
-}
-
 variable "iam_user_s3_list_delete_names" {
   type        = "list"
   description = "Names of the IAM users with S3 bucket list/delete permissions"
   default     = []
 }
 
-variable "iam_user_s3_get_delete" {
-  description = "Enable IAM user(s) with S3 bucket get/delete permissions"
-  default     = false
-}
-
 variable "iam_user_s3_get_delete_names" {
   type        = "list"
   description = "Names of the IAM users with S3 bucket get/delete permissions"

From 95239e272f7e0dd6e4cf0b19caf1033901595b1b Mon Sep 17 00:00:00 2001
From: "ZOI\\graham.geary" <gg@zoi.de>
Date: Mon, 2 Jul 2018 10:41:45 +0200
Subject: [PATCH 8/9] Removed "enable" variable for user creation

---
 variables_iam_users.tf | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/variables_iam_users.tf b/variables_iam_users.tf
index 62b6143..c3228d2 100644
--- a/variables_iam_users.tf
+++ b/variables_iam_users.tf
@@ -1,8 +1,3 @@
-variable "iam_user_s3_standard" {
-  description = "Enable IAM user(s) with S3 bucket full access"
-  default     = false
-}
-
 variable "iam_user_s3_standard_names" {
   type        = "list"
   description = "Names of the IAM users with standard access"

From ad3a2e0989d9d9843f5820f128abbffcb3680c13 Mon Sep 17 00:00:00 2001
From: "ZOI\\graham.geary" <gg@zoi.de>
Date: Mon, 2 Jul 2018 10:42:12 +0200
Subject: [PATCH 9/9] Updated README.md to reflect changes

---
 README.md | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/README.md b/README.md
index c47010f..82ce740 100644
--- a/README.md
+++ b/README.md
@@ -18,10 +18,8 @@ module "s3" {
 ```
 ### General Arguments
 #### Resource Creation Location
-The arguments for the account ID, VPC ID and region are required to specify where the resources should be created:
+The argument for the region is required to specify where the resources should be created:
 ```hcl
-account_id = "123456789123"
-vpc_id = "vpc-ab123456"
 region = "eu-west-1" #default = "eu-central-1"
 ```
 #### PGP Key 
@@ -60,13 +58,11 @@ By default the prevent_destroy lifecycle is to "true" to prevent accidental buck
 #### IAM User(s): S3 Bucket Full Permissions 
 Create IAM user(s) with full S3 bucket permissions (These users receive both management console and programmatic access):
 ```hcl
-iam_user_s3_full = true #default = false
 iam_user_s3_full_names = ["superadmin1", "superadmin2"]
 ```
 #### IAM User(s): S3 Bucket List/Delete Permissions 
 Create IAM user(s) with limited administrative (list and delete) S3 bucket permissions (These users receive both management console and programmatic access):
 ```hcl
-iam_user_s3_list_delete = true #default = false
 iam_user_s3_list_delete_names = ["admin1", "admin2"]
 ```
 #### IAM User(s): S3 Bucket Get/Delete Permissions 
@@ -74,13 +70,11 @@ Create IAM user(s) with limited administrative (get and delete) S3 bucket permis
 
 Recommended as a synchronisation user:
 ```hcl
-iam_user_s3_get_delete = true #default = false
 iam_user_s3_get_delete_names = ["sync_user", "sync_user2"]
 ```
 ### IAM Bucket Standard Users
 Create IAM user(s) with their own bucket key (directory) in the S3 bucket. These users are assigned their own KMS keys which enable them to upload files in encrypted format as well as to download them and decrypt. (These users receive only programmatic access, therefore FTP client software such as CloudBerry or Cyberduck should be used):
 ```hcl
-iam_user_s3_standard = true #default = false
 iam_user_s3_standard_names = ["Huey", "Dewey", "Louie"]
 ```