diff --git a/modules/compute-vm/README.md b/modules/compute-vm/README.md
index 7678f1a45..962ddabb0 100644
--- a/modules/compute-vm/README.md
+++ b/modules/compute-vm/README.md
@@ -942,9 +942,9 @@ module "sole-tenancy" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [name](variables.tf#L273) | Instance name. | string | ✓ | |
-| [network_interfaces](variables.tf#L285) | Network interfaces configuration. Use self links for Shared VPC, set addresses to null if not needed. | list(object({…})) | ✓ | |
-| [project_id](variables.tf#L365) | Project id. | string | ✓ | |
-| [zone](variables.tf#L478) | Compute zone. | string | ✓ | |
+| [network_interfaces](variables.tf#L285) | Network interfaces configuration. Use self links for Shared VPC, set addresses to null if not needed. | list(object({…})) | ✓ | |
+| [project_id](variables.tf#L370) | Project id. | string | ✓ | |
+| [zone](variables.tf#L483) | Compute zone. | string | ✓ | |
| [attached_disk_defaults](variables.tf#L17) | Defaults for attached disks options. | object({…}) | | {…} |
| [attached_disks](variables.tf#L37) | Additional disks, if options is null defaults will be used in its place. Source type is one of 'image' (zonal disks in vms and template), 'snapshot' (vm), 'existing', and null. | list(object({…})) | | [] |
| [boot_disk](variables.tf#L82) | Boot disk properties. | object({…}) | | {…} |
@@ -964,16 +964,16 @@ module "sole-tenancy" {
| [metadata](variables.tf#L261) | Instance metadata. | map(string) | | {} |
| [min_cpu_platform](variables.tf#L267) | Minimum CPU platform. | string | | null |
| [network_attached_interfaces](variables.tf#L278) | Network interfaces using network attachments. | list(string) | | [] |
-| [network_tag_bindings](variables.tf#L301) | Resource manager tag bindings in arbitrary key => tag key or value id format. Set on both the instance only for networking purposes, and modifiable without impacting the main resource lifecycle. | map(string) | | {} |
-| [options](variables.tf#L308) | Instance options. | object({…}) | | {…} |
-| [project_number](variables.tf#L370) | Project number. Used in tag bindings to avoid a permadiff. | string | | null |
-| [scratch_disks](variables.tf#L376) | Scratch disks configuration. | object({…}) | | {…} |
-| [service_account](variables.tf#L388) | Service account email and scopes. If email is null, the default Compute service account will be used unless auto_create is true, in which case a service account will be created. Set the variable to null to avoid attaching a service account. | object({…}) | | {} |
-| [shielded_config](variables.tf#L398) | Shielded VM configuration of the instances. | object({…}) | | null |
-| [snapshot_schedules](variables.tf#L408) | Snapshot schedule resource policies that can be attached to disks. | map(object({…})) | | {} |
-| [tag_bindings](variables.tf#L451) | Resource manager tag bindings in arbitrary key => tag key or value id format. Set on both the instance and zonal disks, and modifiable without impacting the main resource lifecycle. | map(string) | | {} |
-| [tag_bindings_immutable](variables.tf#L458) | Immutable resource manager tag bindings, in tagKeys/id => tagValues/id format. These are set on the instance or instance template at creation time, and trigger recreation if changed. | map(string) | | null |
-| [tags](variables.tf#L472) | Instance network tags for firewall rule targets. | list(string) | | [] |
+| [network_tag_bindings](variables.tf#L306) | Resource manager tag bindings in arbitrary key => tag key or value id format. Set on both the instance only for networking purposes, and modifiable without impacting the main resource lifecycle. | map(string) | | {} |
+| [options](variables.tf#L313) | Instance options. | object({…}) | | {…} |
+| [project_number](variables.tf#L375) | Project number. Used in tag bindings to avoid a permadiff. | string | | null |
+| [scratch_disks](variables.tf#L381) | Scratch disks configuration. | object({…}) | | {…} |
+| [service_account](variables.tf#L393) | Service account email and scopes. If email is null, the default Compute service account will be used unless auto_create is true, in which case a service account will be created. Set the variable to null to avoid attaching a service account. | object({…}) | | {} |
+| [shielded_config](variables.tf#L403) | Shielded VM configuration of the instances. | object({…}) | | null |
+| [snapshot_schedules](variables.tf#L413) | Snapshot schedule resource policies that can be attached to disks. | map(object({…})) | | {} |
+| [tag_bindings](variables.tf#L456) | Resource manager tag bindings in arbitrary key => tag key or value id format. Set on both the instance and zonal disks, and modifiable without impacting the main resource lifecycle. | map(string) | | {} |
+| [tag_bindings_immutable](variables.tf#L463) | Immutable resource manager tag bindings, in tagKeys/id => tagValues/id format. These are set on the instance or instance template at creation time, and trigger recreation if changed. | map(string) | | null |
+| [tags](variables.tf#L477) | Instance network tags for firewall rule targets. | list(string) | | [] |
## Outputs
diff --git a/modules/compute-vm/main.tf b/modules/compute-vm/main.tf
index e05d7e49e..38c75f0a9 100644
--- a/modules/compute-vm/main.tf
+++ b/modules/compute-vm/main.tf
@@ -259,9 +259,10 @@ resource "google_compute_instance" "default" {
nic_type = config.value.nic_type
stack_type = config.value.stack_type
dynamic "access_config" {
- for_each = config.value.nat ? [""] : []
+ for_each = config.value.nat || config.value.network_tier != null ? [""] : []
content {
- nat_ip = try(config.value.addresses.external, null)
+ nat_ip = try(config.value.addresses.external, null)
+ network_tier = try(config.value.network_tier, null)
}
}
dynamic "alias_ip_range" {
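Review bot: The new `for_each` condition creates an `access_config` block whenever `network_tier` is set, even when `nat` is false, and an access config without a `nat_ip` gives the interface an ephemeral external IP. A caller who only meant to pick a tier would end up with a publicly addressable instance they did not ask for. Consider keeping the gate as `for_each = config.value.nat ? [""] : []` and applying `network_tier` only inside the block, or state in the variable description that setting a tier implies an external address. The `try()` around `config.value.network_tier` looks unnecessary, since the attribute is declared `optional(string)` and is therefore always present. The enclosing `google_compute_instance` resource starts and ends outside this hunk.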
diff --git a/modules/compute-vm/variables.tf b/modules/compute-vm/variables.tf
index 4446e0b31..7ac8ef67b 100644
--- a/modules/compute-vm/variables.tf
+++ b/modules/compute-vm/variables.tf
@@ -295,7 +295,12 @@ variable "network_interfaces" {
internal = optional(string)
external = optional(string)
}), null)
+ network_tier = optional(string)
}))
+ validation {
+ condition = alltrue([for v in var.network_interfaces : contains(["STANDARD", "PREMIUM"], coalesce(v.network_tier, "PREMIUM"))])
+ error_message = "Allowed values for network tier are: 'STANDARD' or 'PREMIUM'"
+ }
}
variable "network_tag_bindings" {
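Review bot: The validation lets a null tier through by coalescing it to "PREMIUM", which reads as if PREMIUM were the module default, while main.tf passes the null on unchanged. A comment above the `validation` block would make that clear, for example `# null is accepted and leaves the tier to the provider default; coalesce only lets it pass this check`. The `error_message` also has no closing period, which older Terraform releases appear to reject, so `"Allowed values for network tier are: 'STANDARD' or 'PREMIUM'."` is the safer form. The `network_interfaces` description gives no hint of the new attribute or of its effect on the access config, and the variable block starts outside this hunk.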