diff --git a/README.md b/README.md
index beee4bb..9fdc10b 100644
--- a/README.md
+++ b/README.md
@@ -181,6 +181,8 @@ Here is an example of using this module:
| [preserve\_security\_group\_id](#input\_preserve\_security\_group\_id) | When `false` and `security_group_create_before_destroy` is `true`, changes to security group rules
cause a new security group to be created with the new rules, and the existing security group is then
replaced with the new one, eliminating any service interruption.
When `true` or when changing the value (from `false` to `true` or from `true` to `false`),
existing security group rules will be deleted before new ones are created, resulting in a service interruption,
but preserving the security group itself.
**NOTE:** Setting this to `true` does not guarantee the security group will never be replaced,
it only keeps changes to the security group rules from triggering a replacement.
See the [terraform-aws-security-group README](https://github.com/cloudposse/terraform-aws-security-group) for further discussion. | `bool` | `false` | no |
| [properties](#input\_properties) | Contents of the server.properties file. Supported properties are documented in the [MSK Developer Guide](https://docs.aws.amazon.com/msk/latest/developerguide/msk-configuration-properties.html) | `map(string)` | `{}` | no |
| [public\_access\_enabled](#input\_public\_access\_enabled) | Enable public access to MSK cluster (given that all of the requirements are met) | `bool` | `false` | no |
+| [vpc\_connectivity\_client\_authentication\_sasl\_iam\_enabled](#input\_vpc\_connectivity\_client\_authentication\_sasl\_iam\_enabled) |(Optional) Enables SASL/IAM authentication for VPC connectivity | `bool` | `false` | no |
+| [vpc\_connectivity\_client\_authentication\_sasl\_scram_\_enabled](#input\_vpc\_connectivity\_client\_authentication\_sasl\_scram_\_enabled) |(Optional) Enables SASL/SCRAM authentication for VPC connectivity | `bool` | `false` | no |
| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
| [s3\_logs\_bucket](#input\_s3\_logs\_bucket) | Name of the S3 bucket to deliver logs to | `string` | `""` | no |
| [s3\_logs\_enabled](#input\_s3\_logs\_enabled) | Indicates whether you want to enable or disable streaming broker logs to S3 | `bool` | `false` | no |
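Review bot: the row name and anchor on the SASL/SCRAM line contain an extra underscore, `vpc\_connectivity\_client\_authentication\_sasl\_scram_\_enabled`, which does not match the variable actually declared in variables.tf, `vpc_connectivity_client_authentication_sasl_scram_enabled`; fix the label and the `#input_...` anchor so the link resolves. Both new rows are also inserted between `public_access_enabled` and `regex_replace_chars`, breaking the alphabetical order the rest of this table follows, and they prefix the description with "(Optional)" while the variable descriptions do not; since this table is normally regenerated from variables.tf by terraform-docs, regenerate it rather than hand-editing so the names, order and descriptions stay in sync.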
diff --git a/main.tf b/main.tf
index 617eddd..31a1274 100644
--- a/main.tf
+++ b/main.tf
@@ -152,6 +152,14 @@ resource "aws_msk_cluster" "default" {
public_access {
type = var.public_access_enabled ? "SERVICE_PROVIDED_EIPS" : "DISABLED"
}
+ vpc_connectivity {
+ client_authentication {
+ sasl {
+ iam = var.vpc_connectivity_client_authentication_sasl_iam_enabled
+ scram = var.vpc_connectivity_client_authentication_sasl_scram_enabled
+ }
+ }
+ }
}
}
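Review bot: the new `vpc_connectivity` block is emitted unconditionally, with `iam = false` and `scram = false` for every existing user of the module whose inputs are unchanged; consider wrapping it in a `dynamic "vpc_connectivity"` block that is only produced when at least one of the two flags is true, so that upgrading the module yields no plan diff for clusters that never opted into multi-VPC connectivity. The block also exposes only the SASL `iam` and `scram` mechanisms and no TLS option, so a user whose clients authenticate with client certificates cannot enable VPC connectivity through this module; either add the TLS toggle alongside these two or document the limitation in the variable descriptions.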
diff --git a/variables.tf b/variables.tf
index 60cc51f..ee8ab9d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -247,3 +247,17 @@ variable "public_access_enabled" {
description = "Enable public access to MSK cluster (given that all of the requirements are met)"
nullable = false
}
+
+variable "vpc_connectivity_client_authentication_sasl_iam_enabled" {
+ type = bool
+ default = false
+ description = "Enables SASL/IAM authentication for VPC connectivity"
+ nullable = false
+}
+
+variable "vpc_connectivity_client_authentication_sasl_scram_enabled" {
+ type = bool
+ default = false
+ description = "Enables SASL/SCRAM authentication for VPC connectivity."
+ nullable = false
+}
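Review bot: the two new descriptions are inconsistent: `"Enables SASL/SCRAM authentication for VPC connectivity."` ends with a period while `"Enables SASL/IAM authentication for VPC connectivity"` does not, and neither matches the "(Optional) ..." wording used for the same inputs in the README hunk; pick one form for both so the generated docs are uniform. It would also help users to state in these descriptions what the flag does not do on its own, that is, that the variable only toggles the mechanism for the VPC connectivity path and does not itself enable cluster-level client authentication.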