feat: S3 table and table bucket CMK encryption support (#327)

Author: magreenbaum

examples/table-bucket/README.md

@@ -20,20 +20,21 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.83 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.98 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.83 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.98 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_kms"></a> [kms](#module\_kms) | terraform-aws-modules/kms/aws | ~> 2.0 |
 | <a name="module_table_bucket"></a> [table\_bucket](#module\_table\_bucket) | ../../modules/table-bucket | n/a |
 
 ## Resources
@@ -43,6 +44,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | [aws_s3tables_namespace.namespace](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3tables_namespace) | resource |
 | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
 | [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 

examples/table-bucket/main.tf

@@ -13,11 +13,18 @@ locals {
 
 data "aws_caller_identity" "this" {}
 
+data "aws_region" "this" {}
+
 module "table_bucket" {
   source = "../../modules/table-bucket"
 
   table_bucket_name = local.bucket_name
 
+  encryption_configuration = {
+    kms_key_arn   = module.kms.key_arn
+    sse_algorithm = "aws:kms"
+  }
+
   maintenance_configuration = {
     iceberg_unreferenced_file_removal = {
       status = "enabled"
@@ -49,6 +56,11 @@ module "table_bucket" {
       format    = "ICEBERG"
       namespace = aws_s3tables_namespace.namespace.namespace
 
+      encryption_configuration = {
+        kms_key_arn   = module.kms.key_arn
+        sse_algorithm = "aws:kms"
+      }
+
       maintenance_configuration = {
         iceberg_compaction = {
           status = "enabled"
@@ -103,3 +115,47 @@ resource "aws_s3tables_namespace" "namespace" {
   namespace        = "example_namespace"
   table_bucket_arn = module.table_bucket.s3_table_bucket_arn
 }
+
+module "kms" {
+  source  = "terraform-aws-modules/kms/aws"
+  version = "~> 2.0"
+
+  description             = "Key example for s3 table buckets"
+  deletion_window_in_days = 7
+
+  # https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-kms-permissions.html
+  key_statements = [
+    {
+      sid = "s3TablesMaintenancePolicy"
+      actions = [
+        "kms:GenerateDataKey",
+        "kms:Decrypt"
+      ]
+      resources = ["*"]
+
+      principals = [
+        {
+          type        = "Service"
+          identifiers = ["maintenance.s3tables.amazonaws.com"]
+        }
+      ]
+
+      conditions = [
+        {
+          test     = "StringEquals"
+          variable = "aws:SourceAccount"
+          values = [
+            data.aws_caller_identity.this.id,
+          ]
+        },
+        {
+          test     = "StringLike"
+          variable = "kms:EncryptionContext:aws:s3:arn"
+          values = [
+            "arn:aws:s3tables:${data.aws_region.this.name}:${data.aws_caller_identity.this.account_id}:bucket/${local.bucket_name}/table/*"
+          ]
+        }
+      ]
+    }
+  ]
+}

examples/table-bucket/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.83"
+      version = ">= 5.98"
     }
     random = {
       source  = "hashicorp/random"

modules/table-bucket/README.md

@@ -8,13 +8,13 @@ Creates S3 Table Bucket and Tables with various configurations.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.83 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.98 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.83 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.98 |
 
 ## Modules
 
@@ -37,7 +37,8 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_create"></a> [create](#input\_create) | Whether to create s3 table resources | `bool` | `true` | no |
 | <a name="input_create_table_bucket_policy"></a> [create\_table\_bucket\_policy](#input\_create\_table\_bucket\_policy) | Whether to create s3 table bucket policy | `bool` | `false` | no |
-| <a name="input_maintenance_configuration"></a> [maintenance\_configuration](#input\_maintenance\_configuration) | Map of table bucket maintenance configurations | `any` | `{}` | no |
+| <a name="input_encryption_configuration"></a> [encryption\_configuration](#input\_encryption\_configuration) | Map of encryption configurations | `any` | `null` | no |
+| <a name="input_maintenance_configuration"></a> [maintenance\_configuration](#input\_maintenance\_configuration) | Map of table bucket maintenance configurations | `any` | `null` | no |
 | <a name="input_table_bucket_name"></a> [table\_bucket\_name](#input\_table\_bucket\_name) | Name of the table bucket. Must be between 3 and 63 characters in length. Can consist of lowercase letters, numbers, and hyphens, and must begin and end with a lowercase letter or number | `string` | `null` | no |
 | <a name="input_table_bucket_override_policy_documents"></a> [table\_bucket\_override\_policy\_documents](#input\_table\_bucket\_override\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` | `list(string)` | `[]` | no |
 | <a name="input_table_bucket_policy"></a> [table\_bucket\_policy](#input\_table\_bucket\_policy) | Amazon Web Services resource-based policy document in JSON format | `string` | `null` | no |

modules/table-bucket/main.tf

@@ -2,6 +2,7 @@ resource "aws_s3tables_table_bucket" "this" {
   count = var.create ? 1 : 0
 
   name                      = var.table_bucket_name
+  encryption_configuration  = var.encryption_configuration
   maintenance_configuration = var.maintenance_configuration
 }
 
@@ -67,6 +68,7 @@ resource "aws_s3tables_table" "this" {
   name                      = try(each.value.table_name, each.key)
   namespace                 = each.value.namespace
   table_bucket_arn          = aws_s3tables_table_bucket.this[0].arn
+  encryption_configuration  = try(each.value.encryption_configuration, null)
   maintenance_configuration = try(each.value.maintenance_configuration, null)
 }
 

modules/table-bucket/variables.tf

@@ -10,10 +10,16 @@ variable "table_bucket_name" {
   default     = null
 }
 
+variable "encryption_configuration" {
+  description = "Map of encryption configurations"
+  type        = any
+  default     = null
+}
+
 variable "maintenance_configuration" {
   description = "Map of table bucket maintenance configurations"
   type        = any
-  default     = {}
+  default     = null
 }
 
 variable "create_table_bucket_policy" {

modules/table-bucket/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.83"
+      version = ">= 5.98"
     }
   }
 }

wrappers/table-bucket/main.tf

@@ -5,7 +5,8 @@ module "wrapper" {
 
   create                                 = try(each.value.create, var.defaults.create, true)
   create_table_bucket_policy             = try(each.value.create_table_bucket_policy, var.defaults.create_table_bucket_policy, false)
-  maintenance_configuration              = try(each.value.maintenance_configuration, var.defaults.maintenance_configuration, {})
+  encryption_configuration               = try(each.value.encryption_configuration, var.defaults.encryption_configuration, null)
+  maintenance_configuration              = try(each.value.maintenance_configuration, var.defaults.maintenance_configuration, null)
   table_bucket_name                      = try(each.value.table_bucket_name, var.defaults.table_bucket_name, null)
   table_bucket_override_policy_documents = try(each.value.table_bucket_override_policy_documents, var.defaults.table_bucket_override_policy_documents, [])
   table_bucket_policy                    = try(each.value.table_bucket_policy, var.defaults.table_bucket_policy, null)

wrappers/table-bucket/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.83"
+      version = ">= 5.98"
     }
   }
 }