diff --git a/examples/test_fixture_endpoint/README.md b/examples/test_fixture_endpoint/README.md
new file mode 100644
index 000000000..db7173a41
--- /dev/null
+++ b/examples/test_fixture_endpoint/README.md
@@ -0,0 +1,36 @@
+# Test fixture of simple VPC
+
+Configuration in this directory creates a set of VPC resources to be tested by test kitchen.
+
+There is a public and private subnet created per availability zone in addition to single NAT Gateway shared between 2 availability zones.
+
+## Usage
+
+To run the tests, from the repo root execute:
+
+```bash
+$ kitchen test
+...
+Finished in 4.25 seconds (files took 2.75 seconds to load)
+20 examples, 0 failures
+
+ Finished verifying (0m9.03s).
+-----> Kitchen is finished. (0m9.40s)
+```
+
+This will destroy any existing test resources, create the resources afresh, run the tests, report back, and destroy the resources.
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| region | - | string | `eu-west-1` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| region | Region we created the resources in. |
+
+
diff --git a/examples/test_fixture_endpoint/main.tf b/examples/test_fixture_endpoint/main.tf
new file mode 100644
index 000000000..24774754f
--- /dev/null
+++ b/examples/test_fixture_endpoint/main.tf
@@ -0,0 +1,43 @@
+provider "aws" {
+ region = "${var.region}"
+}
+
+data "aws_availability_zones" "available" {}
+
+module "vpc" {
+ source = "../.."
+ name = "test-example"
+ cidr = "10.0.0.0/16"
+ azs = ["${data.aws_availability_zones.available.names[0]}", "${data.aws_availability_zones.available.names[1]}"]
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
+ public_subnets = ["10.0.101.0/24", "10.0.102.0/24"]
+ enable_nat_gateway = true
+ single_nat_gateway = true
+
+ enable_dns_hostnames = true
+ enable_dns_support = true
+
+ enable_s3_endpoint = true
+ enable_ssm_endpoint = true
+
+ ssm_endpoint_security_group_ids = ["${aws_security_group.input_interface_endpoint.id}"]
+
+ tags = {
+ Owner = "user"
+ Environment = "dev"
+ }
+}
+
+resource "aws_security_group" "input_interface_endpoint" {
+ name = "input_interface_endpoint"
+ description = "Allow https inbound traffic"
+
+ vpc_id = "${module.vpc.vpc_id}"
+
+ ingress {
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_blocks = ["10.0.0.0/8"]
+ }
+}
diff --git a/examples/test_fixture_endpoint/outputs.tf b/examples/test_fixture_endpoint/outputs.tf
new file mode 100644
index 000000000..4c89ae958
--- /dev/null
+++ b/examples/test_fixture_endpoint/outputs.tf
@@ -0,0 +1,4 @@
+output "region" {
+ description = "Region we created the resources in."
+ value = "${var.region}"
+}
diff --git a/examples/test_fixture_endpoint/variables.tf b/examples/test_fixture_endpoint/variables.tf
new file mode 100644
index 000000000..a3986dc92
--- /dev/null
+++ b/examples/test_fixture_endpoint/variables.tf
@@ -0,0 +1,3 @@
+variable "region" {
+ default = "eu-west-1"
+}
diff --git a/main.tf b/main.tf
index 091c36585..1a93822ca 100644
--- a/main.tf
+++ b/main.tf
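Review bot: The security group `input_interface_endpoint` admits TCP 443 from `10.0.0.0/8`, which is far wider than the `10.0.0.0/16` the fixture assigns to the VPC a few lines above; interface endpoint network interfaces are only reachable from inside the VPC and networks attached to it, so the rule should match the VPC range, `cidr_blocks = ["10.0.0.0/16"]`, or better, reference the module's CIDR so the two cannot drift apart. Since this fixture is the example other configurations are likely to copy, the over-broad range would be replicated with it. The resource block is complete within the hunk.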
@@ -393,6 +393,29 @@ resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" {
 route_table_id = "${aws_route_table.public.id}"
 }
+#######################
+# VPC Endpoint for SSM
+#######################
+data "aws_vpc_endpoint_service" "ssm" {
+ count = "${var.create_vpc && var.enable_ssm_endpoint && var.enable_dns_hostnames && var.enable_dns_support ? 1 : 0}"
+
+ service = "ssm"
+}
+
+resource "aws_vpc_endpoint" "ssm" {
+ count = "${var.create_vpc && var.enable_ssm_endpoint ? 1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.ssm.service_name}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = [ "${var.ssm_endpoint_security_group_ids}" ]
+
+ # Only a single subnet within an AZ is supported.
+ subnet_ids = [ "${concat(aws_subnet.private.*.id)}" ]
+ private_dns_enabled = true
+}
+
 ##########################
 # Route table association
 ##########################
diff --git a/outputs.tf b/outputs.tf
index c19aba155..6350dc46f 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -208,6 +208,11 @@ output "vpc_endpoint_dynamodb_id" {
 value = "${element(concat(aws_vpc_endpoint.dynamodb.*.id, list("")), 0)}"
 }
+output "vpc_endpoint_ssm_id" {
+ description = "The ID of VPC endpoint for SSM"
+ value = "${element(concat(aws_vpc_endpoint.ssm.*.id, list("")), 0)}"
+}
+
 output "vgw_id" {
 description = "The ID of the VPN Gateway"
 value = "${element(concat(aws_vpn_gateway.this.*.id, aws_vpn_gateway_attachment.this.*.vpn_gateway_id, list("")), 0)}"
diff --git a/variables.tf b/variables.tf
index 8694fbfa4..2ecb5031b 100644
--- a/variables.tf
+++ b/variables.tf
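Review bot: The `count` on `resource "aws_vpc_endpoint" "ssm"` omits the two DNS conditions that gate `data "aws_vpc_endpoint_service" "ssm"`, so with `enable_ssm_endpoint = true` but either DNS flag false the resource is still planned while the data source it reads `service_name` from has a count of 0, which in this Terraform syntax generation fails at plan time; and AWS in any case refuses an endpoint with `private_dns_enabled = true` on a VPC that does not have both DNS attributes enabled. Aligning the two, `count = "${var.create_vpc && var.enable_ssm_endpoint && var.enable_dns_hostnames && var.enable_dns_support ? 1 : 0}"`, keeps the resource and its data source in step. Separately, the comment `# Only a single subnet within an AZ is supported.` sits above a line that passes every private subnet id; if the module can place more than one private subnet in the same availability zone (likely when `private_subnets` is longer than `azs`, though that logic is outside this hunk) the endpoint creation will fail, so either the comment should spell out the constraint callers must respect or the list should be reduced to one subnet per zone. Both new blocks are complete within the hunk.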
@@ -163,6 +163,17 @@ variable "enable_s3_endpoint" {
 default = false
 }
+variable "enable_ssm_endpoint" {
+ description = "Should be true if you want to provision an SSM interface endpoint to the VPC"
+ default = false
+}
+
+variable "ssm_endpoint_security_group_ids" {
+ description = "List of security group IDs applied to the SSM interface endpoint."
+ type = "list"
+ default = []
+}
+
 variable "map_public_ip_on_launch" {
 description = "Should be false if you do not want to auto-assign public IP on launch"
 default = true
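Review bot: The description of `ssm_endpoint_security_group_ids` does not say what the empty default means in practice; when no group is supplied, AWS attaches the VPC's default security group to the endpoint network interfaces, so the endpoint's effective ingress policy becomes whatever that default group allows. I would extend it to `description = "List of security group IDs applied to the SSM interface endpoint. If empty, the VPC's default security group is attached, so supply a group that limits TCP 443 ingress to the intended sources."`. The description of `enable_ssm_endpoint` should likewise state that the endpoint is created with private DNS enabled and therefore requires `enable_dns_hostnames` and `enable_dns_support` to be true, since the main.tf hunk only documents that through its count expressions. Both variable blocks are complete within the hunk.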