The table-bucket submodule creates and manages S3 Tables resources — purpose-built storage for analytics data using the Apache Iceberg table format. It supports creating a table bucket, configuring encryption and maintenance, attaching bucket-level policies, and creating individual Iceberg tables within the bucket.
S3 Tables are only available in select AWS regions. See the AWS documentation for supported regions.

Module Reference

module "table_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws//modules/table-bucket"

  table_bucket_name = "my-table-bucket"

  # ... see variables below
}

Input Variables

Bucket Configuration

create
bool
default:"true"
Whether to create S3 table resources. Set to false to conditionally skip resource creation.
region
string
default:"null"
Region where the resource(s) will be managed. Defaults to the region set in the provider configuration.
table_bucket_name
string
default:"null"
Name of the table bucket. Must be between 3 and 63 characters in length. Can consist of lowercase letters, numbers, and hyphens, and must begin and end with a lowercase letter or number.
tags
map(string)
default:"{}"
Key-value map of resource tags.

Encryption

encryption_configuration
any
default:"null"
Map of encryption configurations for the table bucket.

Maintenance

maintenance_configuration
any
default:"null"
Map of table bucket maintenance configurations, such as compaction settings.

Bucket Policy

create_table_bucket_policy
bool
default:"false"
Whether to create an S3 table bucket policy.
table_bucket_policy
string
default:"null"
An AWS resource-based policy document in JSON format to attach to the table bucket.
table_bucket_source_policy_documents
list(string)
default:"[]"
List of IAM policy documents that are merged together into the exported document. Statements must have unique sids.
table_bucket_override_policy_documents
list(string)
default:"[]"
List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid.
table_bucket_policy_statements
any
default:"{}"
A map of IAM policy statements for custom permission usage.
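The difference between source and override documents matters when a shared baseline policy must be tightened for one bucket. The following is an added example, not taken from the module's own documentation. The bucket name, region, account ID and role are constructed placeholders, and the table ARN pattern is assumed to follow the standard S3 Tables ARN layout. It scopes `resources` to the bucket's tables rather than `*`.

```hcl
# Added example; bucket name, region, account ID and role are constructed placeholders.
locals {
  bucket_name = "my-analytics-table-bucket"
  # All tables in the bucket, built from literals so the policy does not depend on the module's own output.
  table_arns     = "arn:aws:s3tables:us-east-1:123456789012:bucket/${local.bucket_name}/table/*"
  analytics_role = "arn:aws:iam::123456789012:role/AnalyticsRole"
}

# Source document: sids must be unique across all source documents.
data "aws_iam_policy_document" "baseline" {
  statement {
    sid       = "AllowAnalyticsAccess"
    effect    = "Allow"
    actions   = ["s3tables:GetTableData", "s3tables:PutTableData"]
    resources = [local.table_arns]

    principals {
      type        = "AWS"
      identifiers = [local.analytics_role]
    }
  }
}

# Override document: same sid, so this statement replaces the baseline one
# and the merged policy grants read access only.
data "aws_iam_policy_document" "read_only" {
  statement {
    sid       = "AllowAnalyticsAccess"
    effect    = "Allow"
    actions   = ["s3tables:GetTableData"]
    resources = [local.table_arns]

    principals {
      type        = "AWS"
      identifiers = [local.analytics_role]
    }
  }
}

module "table_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws//modules/table-bucket"

  table_bucket_name = local.bucket_name

  create_table_bucket_policy             = true
  table_bucket_source_policy_documents   = [data.aws_iam_policy_document.baseline.json]
  table_bucket_override_policy_documents = [data.aws_iam_policy_document.read_only.json]
}
```

Check the merged policy in the `terraform plan` output before applying, because an override with a matching sid replaces the baseline statement without any warning.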

Tables

tables
any
default:"{}"
Map of table configurations. Each key is a logical name for the table; each value configures the Apache Iceberg table within the bucket.

Outputs

Table Bucket

s3_table_bucket_arn
string
ARN of the table bucket. Returns null if the bucket was not created.
s3_table_bucket_created_at
string
Date and time when the table bucket was created.
s3_table_bucket_owner_account_id
string
Account ID of the account that owns the table bucket.

Tables

s3_table_arns
map(string)
Map of table names to their ARNs.
s3_table_created_at
map(string)
Map of table names to the dates and times when each table was created.
s3_table_created_by
map(string)
Map of table names to the account IDs of the accounts that created each table.
s3_table_metadata_locations
map(string)
Map of table names to the locations of their table metadata.
s3_table_modified_at
map(string)
Map of table names to the dates and times when each table was last modified.
s3_table_modified_by
map(string)
Map of table names to the account IDs of the accounts that last modified each table.
s3_table_owner_account_ids
map(string)
Map of table names to the account IDs of the accounts that own each table.
s3_table_types
map(string)
Map of table names to their types. One of customer or aws.
s3_table_version_tokens
map(string)
Map of table names to identifiers for the current version of each table’s data.
s3_table_warehouse_locations
map(string)
Map of table names to S3 URIs pointing to the S3 Bucket that contains each table’s data.

Complete Example

This example creates a table bucket with KMS encryption, maintenance configuration, and two Iceberg tables.
resource "aws_kms_key" "tables" {
  description             = "KMS key for S3 table bucket encryption"
  deletion_window_in_days = 7
}

module "table_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws//modules/table-bucket"

  table_bucket_name = "my-analytics-table-bucket"

  # Attribute names follow the aws_s3tables_table_bucket resource.
  encryption_configuration = {
    sse_algorithm = "aws:kms"
    kms_key_arn   = aws_kms_key.tables.arn
  }

  maintenance_configuration = {
    iceberg_unreferenced_file_removal = {
      status = "enabled"
      settings = {
        non_current_days  = 90
        unreferenced_days = 3
      }
    }
  }

  create_table_bucket_policy = true
  table_bucket_policy_statements = {
    allow_analytics = {
      sid    = "AllowAnalyticsAccess"
      effect = "Allow"
      principals = [
        {
          type        = "AWS"
          identifiers = ["arn:aws:iam::123456789012:role/AnalyticsRole"]
        }
      ]
      actions = [
        "s3tables:GetTableData",
        "s3tables:PutTableData",
      ]
      resources = ["*"]
    }
  }

  tables = {
    orders = {
      table_name = "orders"
      namespace  = "analytics"
      format     = "ICEBERG"
    }
    events = {
      table_name = "events"
      namespace  = "analytics"
      format     = "ICEBERG"
    }
  }

  tags = {
    Environment = "production"
    Team        = "data-engineering"
  }
}

output "table_bucket_arn" {
  value = module.table_bucket.s3_table_bucket_arn
}

output "table_arns" {
  value = module.table_bucket.s3_table_arns
}