kinesis streams and firehose VPC endpoints

README.md

@@ -294,6 +294,8 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | enable\_ecs\_telemetry\_endpoint | Should be true if you want to provision a ECS Telemetry endpoint to the VPC | bool | `"false"` | no |
 | enable\_elasticloadbalancing\_endpoint | Should be true if you want to provision a Elastic Load Balancing endpoint to the VPC | bool | `"false"` | no |
 | enable\_events\_endpoint | Should be true if you want to provision a CloudWatch Events endpoint to the VPC | bool | `"false"` | no |
+| enable\_kinesis\_firehose\_endpoint | Should be true if you want to provision a Kinesis Firehose endpoint to the VPC | bool | `"false"` | no |
+| enable\_kinesis\_streams\_endpoint | Should be true if you want to provision a Kinesis Streams endpoint to the VPC | bool | `"false"` | no |
 | enable\_kms\_endpoint | Should be true if you want to provision a KMS endpoint to the VPC | bool | `"false"` | no |
 | enable\_logs\_endpoint | Should be true if you want to provision a CloudWatch Logs endpoint to the VPC | bool | `"false"` | no |
 | enable\_monitoring\_endpoint | Should be true if you want to provision a CloudWatch Monitoring endpoint to the VPC | bool | `"false"` | no |
@@ -319,6 +321,12 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | intra\_subnet\_suffix | Suffix to append to intra subnets name | string | `"intra"` | no |
 | intra\_subnet\_tags | Additional tags for the intra subnets | map(string) | `{}` | no |
 | intra\_subnets | A list of intra subnets | list(string) | `[]` | no |
+| kinesis\_firehose\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Kinesis Firehose endpoint | bool | `"false"` | no |
+| kinesis\_firehose\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Kinesis Firehose endpoint | list(string) | `[]` | no |
+| kinesis\_firehose\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Kinesis Firehose endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
+| kinesis\_streams\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Kinesis Streams endpoint | bool | `"false"` | no |
+| kinesis\_streams\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Kinesis Streams endpoint | list(string) | `[]` | no |
+| kinesis\_streams\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Kinesis Streams endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
 | kms\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint | bool | `"false"` | no |
 | kms\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for KMS endpoint | list(string) | `[]` | no |
 | kms\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |

main.tf

@@ -1286,6 +1286,50 @@ resource "aws_vpc_endpoint" "cloudtrail" {
 }
 
 
+#######################
+# VPC Endpoint for Kinesis Streams
+#######################
+data "aws_vpc_endpoint_service" "kinesis_streams" {
+  count = var.create_vpc && var.enable_kinesis_streams_endpoint ? 1 : 0
+
+  service = "kinesis-streams"
+}
+
+resource "aws_vpc_endpoint" "kinesis_streams" {
+  count = var.create_vpc && var.enable_kinesis_streams_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.kinesis_streams[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.kinesis_streams_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.kinesis_streams_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.kinesis_streams_endpoint_private_dns_enabled
+}
+
+
+#######################
+# VPC Endpoint for Kinesis Firehose
+#######################
+data "aws_vpc_endpoint_service" "kinesis_firehose" {
+  count = var.create_vpc && var.enable_kinesis_firehose_endpoint ? 1 : 0
+
+  service = "kinesis-firehose"
+}
+
+resource "aws_vpc_endpoint" "kinesis_firehose" {
+  count = var.create_vpc && var.enable_kinesis_firehose_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.kinesis_firehose[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.kinesis_firehose_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.kinesis_firehose_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.kinesis_firehose_endpoint_private_dns_enabled
+}
+
+
 ##########################
 # Route table association
 ##########################

variables.tf

@@ -646,6 +646,54 @@ variable "cloudtrail_endpoint_private_dns_enabled" {
   default     = false
 }
 
+variable "enable_kinesis_streams_endpoint" {
+  description = "Should be true if you want to provision a Kinesis Streams endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "kinesis_streams_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Kinesis Streams endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "kinesis_streams_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Kinesis Streams endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "kinesis_streams_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Kinesis Streams endpoint"
+  type        = bool
+  default     = false
+}
+
+variable "enable_kinesis_firehose_endpoint" {
+  description = "Should be true if you want to provision a Kinesis Firehose endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "kinesis_firehose_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Kinesis Firehose endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "kinesis_firehose_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Kinesis Firehose endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "kinesis_firehose_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Kinesis Firehose endpoint"
+  type        = bool
+  default     = false
+}
+
 variable "map_public_ip_on_launch" {
   description = "Should be false if you do not want to auto-assign public IP on launch"
   type        = bool