diff --git a/modules/apigee/README.md b/modules/apigee/README.md
index a4be05599..d209a6a81 100644
--- a/modules/apigee/README.md
+++ b/modules/apigee/README.md
@@ -359,13 +359,13 @@ module "apigee" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [project_id](variables.tf#L131) | Project ID. | string | ✓ | |
+| [project_id](variables.tf#L132) | Project ID. | string | ✓ | |
| [addons_config](variables.tf#L17) | Addons configuration. | object({…}) | | null |
| [endpoint_attachments](variables.tf#L29) | Endpoint attachments. | map(object({…})) | | {} |
| [envgroups](variables.tf#L39) | Environment groups (NAME => [HOSTNAMES]). | map(list(string)) | | {} |
| [environments](variables.tf#L46) | Environments. | map(object({…})) | | {} |
-| [instances](variables.tf#L74) | Instances ([REGION] => [INSTANCE]). | map(object({…})) | | {} |
-| [organization](variables.tf#L99) | Apigee organization. If set to null the organization must already exist. | object({…}) | | null |
+| [instances](variables.tf#L74) | Instances ([REGION] => [INSTANCE]). | map(object({…})) | | {} |
+| [organization](variables.tf#L100) | Apigee organization. If set to null the organization must already exist. | object({…}) | | null |
## Outputs
diff --git a/modules/apigee/main.tf b/modules/apigee/main.tf
index 480d19feb..0c8f6bcfa 100644
--- a/modules/apigee/main.tf
+++ b/modules/apigee/main.tf
@@ -113,6 +113,7 @@ resource "google_apigee_nat_address" "apigee_nat" {
}
name = each.key
instance_id = each.value
+ activate = var.instances[each.key].activate_nat
}
resource "google_apigee_instance_attachment" "instance_attachments" {
diff --git a/modules/apigee/variables.tf b/modules/apigee/variables.tf
index e8d1ffb66..b7f9aa6d8 100644
--- a/modules/apigee/variables.tf
+++ b/modules/apigee/variables.tf
@@ -79,6 +79,7 @@ variable "instances" {
disk_encryption_key = optional(string)
display_name = optional(string)
enable_nat = optional(bool, false)
+ activate_nat = optional(bool, false)
environments = optional(list(string), [])
name = optional(string)
runtime_ip_cidr_range = optional(string)
diff --git a/tests/modules/apigee/test_apigee_nat_activate.tfvars b/tests/modules/apigee/test_apigee_nat_activate.tfvars
new file mode 100644
index 000000000..d313605c3
--- /dev/null
+++ b/tests/modules/apigee/test_apigee_nat_activate.tfvars
@@ -0,0 +1,24 @@
+project_id = "my-project"
+organization = {
+ display_name = "My Organization"
+ description = "My Organization"
+ runtime_type = "CLOUD"
+ billing_type = "Pay-as-you-go"
+ database_encryption_key = "123456789"
+ analytics_region = "europe-west1"
+ disable_vpc_peering = true
+}
+environments = {
+ apis-test = {
+ display_name = "APIs test"
+ description = "APIs Test"
+ envgroups = ["test"]
+ }
+}
+instances = {
+ europe-west1 = {
+ environments = ["europe-west1"]
+ enable_nat = true
+ activate_nat = true
+ }
+}
\ No newline at end of file
diff --git a/tests/modules/apigee/test_apigee_nat_activate.yaml b/tests/modules/apigee/test_apigee_nat_activate.yaml
new file mode 100644
index 000000000..3bf65d5b7
--- /dev/null
+++ b/tests/modules/apigee/test_apigee_nat_activate.yaml
@@ -0,0 +1,45 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ google_apigee_environment.environments["apis-test"]:
+ description: APIs Test
+ display_name: APIs test
+ name: apis-test
+ google_apigee_instance.instances["europe-west1"]:
+ description: Terraform-managed
+ disk_encryption_key_name: null
+ display_name: null
+ location: europe-west1
+ name: instance-europe-west1
+ google_apigee_organization.organization[0]:
+ analytics_region: europe-west1
+ authorized_network: null
+ billing_type: Pay-as-you-go
+ description: null
+ display_name: null
+ project_id: my-project
+ retention: DELETION_RETENTION_UNSPECIFIED
+ runtime_database_encryption_key_name: '123456789'
+ runtime_type: CLOUD
+ disable_vpc_peering: true
+ google_apigee_nat_address.apigee_nat["europe-west1"]:
+ activate: true
+
+counts:
+ google_apigee_environment: 1
+ google_apigee_instance: 1
+ google_apigee_instance_attachment: 1
+ google_apigee_organization: 1
+ google_apigee_nat_address: 1
\ No newline at end of file
diff --git a/tests/modules/apigee/tftest.yaml b/tests/modules/apigee/tftest.yaml
index 6449de757..8452a0b89 100644
--- a/tests/modules/apigee/tftest.yaml
+++ b/tests/modules/apigee/tftest.yaml
@@ -28,3 +28,4 @@ tests:
organization_only_psc_mode:
organization_only_vpc_mode:
organization_retention:
+ test_apigee_nat_activate: