feat: S3 Table Bucket Support (#323)

Author: magreenbaum

README.md

@@ -18,6 +18,7 @@ These features of S3 bucket configurations are supported:
 - ALB/NLB log delivery bucket policy
 - Account-level Public Access Block
 - S3 Directory Bucket
+- S3 Table Bucket
 
 ## Usage
 
@@ -124,6 +125,7 @@ Users of Terragrunt can achieve similar results by using modules provided in the
 - [S3 Inventory](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/tree/master/examples/s3-inventory) - S3 bucket Inventory configuration.
 - [S3 Account-level Public Access Block](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/tree/master/examples/account-public-access) - Manage S3 account-level Public Access Block.
 - [S3 Directory Bucket](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/tree/master/examples/directory-bucket) - S3 Directory Bucket configuration.
+- [S3 Table Bucket](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/tree/master/examples/table-bucket) - S3 Table Bucket configuration.
 
 <!-- BEGIN_TF_DOCS -->
 ## Requirements

examples/table-bucket/README.md

@@ -0,0 +1,68 @@
+# S3 Table Bucket
+
+Configuration in this directory creates S3 table bucket with bucket policy and S3 Tables with table policies.
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.83 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.83 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_table_bucket"></a> [table\_bucket](#module\_table\_bucket) | ../../modules/table-bucket | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_s3tables_namespace.namespace](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3tables_namespace) | resource |
+| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_owner_account_id"></a> [owner\_account\_id](#output\_owner\_account\_id) | Account ID of the account that owns the table bucket. |
+| <a name="output_s3_table_arns"></a> [s3\_table\_arns](#output\_s3\_table\_arns) | The table ARNs. |
+| <a name="output_s3_table_bucket_arn"></a> [s3\_table\_bucket\_arn](#output\_s3\_table\_bucket\_arn) | ARN of the table bucket. |
+| <a name="output_s3_table_bucket_created_at"></a> [s3\_table\_bucket\_created\_at](#output\_s3\_table\_bucket\_created\_at) | Date and time when the bucket was created. |
+| <a name="output_s3_table_created_at"></a> [s3\_table\_created\_at](#output\_s3\_table\_created\_at) | Dates and times when the tables were created. |
+| <a name="output_s3_table_created_by"></a> [s3\_table\_created\_by](#output\_s3\_table\_created\_by) | Account IDs of the accounts that created the tables |
+| <a name="output_s3_table_metadata_locations"></a> [s3\_table\_metadata\_locations](#output\_s3\_table\_metadata\_locations) | Locations of table metadata. |
+| <a name="output_s3_table_modified_at"></a> [s3\_table\_modified\_at](#output\_s3\_table\_modified\_at) | Dates and times when the tables was last modified. |
+| <a name="output_s3_table_modified_by"></a> [s3\_table\_modified\_by](#output\_s3\_table\_modified\_by) | Account IDs of the accounts that last modified the tables. |
+| <a name="output_s3_table_owner_account_ids"></a> [s3\_table\_owner\_account\_ids](#output\_s3\_table\_owner\_account\_ids) | Account IDs of the accounts that owns the tables. |
+| <a name="output_s3_table_types"></a> [s3\_table\_types](#output\_s3\_table\_types) | Types of the tables. One of customer or aws. |
+| <a name="output_s3_table_version_tokens"></a> [s3\_table\_version\_tokens](#output\_s3\_table\_version\_tokens) | Identifiers for the current version of table data. |
+| <a name="output_s3_table_warehouse_locations"></a> [s3\_table\_warehouse\_locations](#output\_s3\_table\_warehouse\_locations) | S3 URIs pointing to the S3 Bucket that contains the table data. |
+<!-- END_TF_DOCS -->

examples/table-bucket/main.tf

@@ -0,0 +1,105 @@
+provider "aws" {
+  region = "eu-west-1"
+
+  # Make it faster by skipping something
+  skip_metadata_api_check     = true
+  skip_region_validation      = true
+  skip_credentials_validation = true
+}
+
+locals {
+  bucket_name = "s3-table-bucket-${random_pet.this.id}"
+}
+
+data "aws_caller_identity" "this" {}
+
+module "table_bucket" {
+  source = "../../modules/table-bucket"
+
+  table_bucket_name = local.bucket_name
+
+  maintenance_configuration = {
+    iceberg_unreferenced_file_removal = {
+      status = "enabled"
+
+      settings = {
+        non_current_days  = 7
+        unreferenced_days = 3
+      }
+    }
+  }
+
+  create_table_bucket_policy = true
+  table_bucket_policy_statements = [
+    {
+      effect = "Allow"
+      principals = [{
+        type        = "AWS"
+        identifiers = [data.aws_caller_identity.this.account_id]
+      }]
+      actions = [
+        "s3tables:GetTableData",
+        "s3tables:GetTableMetadataLocation"
+      ]
+    }
+  ]
+
+  tables = {
+    table1 = {
+      format    = "ICEBERG"
+      namespace = aws_s3tables_namespace.namespace.namespace
+
+      maintenance_configuration = {
+        iceberg_compaction = {
+          status = "enabled"
+          settings = {
+            target_file_size_mb = 64
+          }
+        }
+        iceberg_snapshot_management = {
+          status = "enabled"
+          settings = {
+            max_snapshot_age_hours = 40
+            min_snapshots_to_keep  = 3
+          }
+        }
+      }
+
+      create_table_policy = true
+      policy_statements = [
+        {
+          sid    = "DeleteTable"
+          effect = "Allow"
+          principals = [{
+            type        = "AWS"
+            identifiers = [data.aws_caller_identity.this.account_id]
+          }]
+          actions = [
+            "s3tables:DeleteTable",
+            "s3tables:UpdateTableMetadataLocation",
+            "s3tables:PutTableData",
+            "s3tables:GetTableMetadataLocation"
+          ]
+        }
+      ]
+    }
+    table2 = {
+      format    = "ICEBERG"
+      name      = "table2"
+      namespace = aws_s3tables_namespace.namespace.namespace
+    }
+    table3 = {
+      format    = "ICEBERG"
+      namespace = aws_s3tables_namespace.namespace.namespace
+    }
+  }
+}
+
+resource "random_pet" "this" {
+  length = 2
+}
+
+resource "aws_s3tables_namespace" "namespace" {
+  namespace        = "example_namespace"
+  table_bucket_arn = module.table_bucket.s3_table_bucket_arn
+}

examples/table-bucket/outputs.tf

@@ -0,0 +1,64 @@
+output "s3_table_bucket_arn" {
+  description = "ARN of the table bucket."
+  value       = module.table_bucket.s3_table_bucket_arn
+}
+
+output "s3_table_bucket_created_at" {
+  description = "Date and time when the bucket was created."
+  value       = module.table_bucket.s3_table_bucket_created_at
+}
+
+output "owner_account_id" {
+  description = "Account ID of the account that owns the table bucket."
+  value       = module.table_bucket.s3_table_bucket_owner_account_id
+}
+
+output "s3_table_arns" {
+  description = "The table ARNs."
+  value       = module.table_bucket.s3_table_arns
+}
+
+output "s3_table_created_at" {
+  description = "Dates and times when the tables were created."
+  value       = module.table_bucket.s3_table_created_at
+}
+
+output "s3_table_created_by" {
+  description = "Account IDs of the accounts that created the tables"
+  value       = module.table_bucket.s3_table_created_by
+}
+
+output "s3_table_metadata_locations" {
+  description = "Locations of table metadata."
+  value       = module.table_bucket.s3_table_metadata_locations
+}
+
+output "s3_table_modified_at" {
+  description = "Dates and times when the tables was last modified."
+  value       = module.table_bucket.s3_table_modified_at
+}
+
+output "s3_table_modified_by" {
+  description = "Account IDs of the accounts that last modified the tables."
+  value       = module.table_bucket.s3_table_modified_by
+}
+
+output "s3_table_owner_account_ids" {
+  description = "Account IDs of the accounts that owns the tables."
+  value       = module.table_bucket.s3_table_owner_account_ids
+}
+
+output "s3_table_types" {
+  description = "Types of the tables. One of customer or aws."
+  value       = module.table_bucket.s3_table_types
+}
+
+output "s3_table_version_tokens" {
+  description = "Identifiers for the current version of table data."
+  value       = module.table_bucket.s3_table_version_tokens
+}
+
+output "s3_table_warehouse_locations" {
+  description = "S3 URIs pointing to the S3 Bucket that contains the table data."
+  value       = module.table_bucket.s3_table_warehouse_locations
+}

examples/table-bucket/variables.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.83"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 2.0"
+    }
+  }
+}

examples/table-bucket/versions.tf

@@ -0,0 +1,65 @@
+# S3 Table Bucket
+
+Creates S3 Table Bucket and Tables with various configurations.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.83 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.83 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_s3tables_table.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3tables_table) | resource |
+| [aws_s3tables_table_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3tables_table_bucket) | resource |
+| [aws_s3tables_table_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3tables_table_bucket_policy) | resource |
+| [aws_s3tables_table_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3tables_table_policy) | resource |
+| [aws_iam_policy_document.table_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.table_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_create"></a> [create](#input\_create) | Whether to create s3 table resources | `bool` | `true` | no |
+| <a name="input_create_table_bucket_policy"></a> [create\_table\_bucket\_policy](#input\_create\_table\_bucket\_policy) | Whether to create s3 table bucket policy | `bool` | `false` | no |
+| <a name="input_maintenance_configuration"></a> [maintenance\_configuration](#input\_maintenance\_configuration) | Map of table bucket maintenance configurations | `any` | `{}` | no |
+| <a name="input_table_bucket_name"></a> [table\_bucket\_name](#input\_table\_bucket\_name) | Name of the table bucket. Must be between 3 and 63 characters in length. Can consist of lowercase letters, numbers, and hyphens, and must begin and end with a lowercase letter or number | `string` | `null` | no |
+| <a name="input_table_bucket_override_policy_documents"></a> [table\_bucket\_override\_policy\_documents](#input\_table\_bucket\_override\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` | `list(string)` | `[]` | no |
+| <a name="input_table_bucket_policy"></a> [table\_bucket\_policy](#input\_table\_bucket\_policy) | Amazon Web Services resource-based policy document in JSON format | `string` | `null` | no |
+| <a name="input_table_bucket_policy_statements"></a> [table\_bucket\_policy\_statements](#input\_table\_bucket\_policy\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | `any` | `{}` | no |
+| <a name="input_table_bucket_source_policy_documents"></a> [table\_bucket\_source\_policy\_documents](#input\_table\_bucket\_source\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s | `list(string)` | `[]` | no |
+| <a name="input_tables"></a> [tables](#input\_tables) | Map of table configurations | `any` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_s3_table_arns"></a> [s3\_table\_arns](#output\_s3\_table\_arns) | The table ARNs. |
+| <a name="output_s3_table_bucket_arn"></a> [s3\_table\_bucket\_arn](#output\_s3\_table\_bucket\_arn) | ARN of the table bucket. |
+| <a name="output_s3_table_bucket_created_at"></a> [s3\_table\_bucket\_created\_at](#output\_s3\_table\_bucket\_created\_at) | Date and time when the bucket was created. |
+| <a name="output_s3_table_bucket_owner_account_id"></a> [s3\_table\_bucket\_owner\_account\_id](#output\_s3\_table\_bucket\_owner\_account\_id) | Account ID of the account that owns the table bucket. |
+| <a name="output_s3_table_created_at"></a> [s3\_table\_created\_at](#output\_s3\_table\_created\_at) | Dates and times when the tables were created. |
+| <a name="output_s3_table_created_by"></a> [s3\_table\_created\_by](#output\_s3\_table\_created\_by) | Account IDs of the accounts that created the tables |
+| <a name="output_s3_table_metadata_locations"></a> [s3\_table\_metadata\_locations](#output\_s3\_table\_metadata\_locations) | Locations of table metadata. |
+| <a name="output_s3_table_modified_at"></a> [s3\_table\_modified\_at](#output\_s3\_table\_modified\_at) | Dates and times when the tables was last modified. |
+| <a name="output_s3_table_modified_by"></a> [s3\_table\_modified\_by](#output\_s3\_table\_modified\_by) | Account IDs of the accounts that last modified the tables. |
+| <a name="output_s3_table_owner_account_ids"></a> [s3\_table\_owner\_account\_ids](#output\_s3\_table\_owner\_account\_ids) | Account IDs of the accounts that owns the tables. |
+| <a name="output_s3_table_types"></a> [s3\_table\_types](#output\_s3\_table\_types) | Types of the tables. One of customer or aws. |
+| <a name="output_s3_table_version_tokens"></a> [s3\_table\_version\_tokens](#output\_s3\_table\_version\_tokens) | Identifiers for the current version of table data. |
+| <a name="output_s3_table_warehouse_locations"></a> [s3\_table\_warehouse\_locations](#output\_s3\_table\_warehouse\_locations) | S3 URIs pointing to the S3 Bucket that contains the table data. |
+<!-- END_TF_DOCS -->