Kinesis Data Stream (on-demand)

aws-kinesis

Amazon Kinesis Data Stream with encryption at rest on by default and a plug-and-play capacity mode. Works with Terraform and OpenTofu (>= 1.6), AWS provider >= 6.0, < 7.0. ON_DEMAND by default means there is no shard math to do — the stream scales itself; flip to PROVISIONED when you want a fixed, cheaper-per-hour shard count you control. Optional enhanced fan-out consumers are registered for you. No VPC, no public endpoint — access is purely IAM-governed against the stream ARN.

Secure defaults:

• Encryption at rest always on (encryption_type = "KMS") using the AWS-managed Kinesis key (alias/aws/kinesis): encrypted records, no key to manage, no monthly key charge. Bring a customer-managed key via kms_key_id for full control and rotation policy.
• ON_DEMAND capacity by default — no over/under-provisioning, no shard resharding to operate.
• Enhanced monitoring off by default (shard_level_metrics = []) — each shard-level metric is billed per shard-hour, so it is opt-in.
• No network exposure: Kinesis has no VPC/public surface; reads and writes are authorized through IAM only.

Requirements

• Terraform or OpenTofu >= 1.6
• hashicorp/aws >= 6.0, < 7.0

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).