diff --git a/modules/net-swp/README.md b/modules/net-swp/README.md
index 66a64f71ba..53758eb819 100644
--- a/modules/net-swp/README.md
+++ b/modules/net-swp/README.md
@@ -340,26 +340,25 @@ matcher_args: - service_account:foo # tftest-file id=2 path=data/policy-rules/service-account-0.yaml schema=policy-rule.schema.json ``` - ## Variables | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [gateway_config](variables.tf#L40) | Optional Secure Web Gateway configuration. | object({…}) | ✓ | | -| [name](variables.tf#L52) | Name of the Secure Web Proxy resource. | string | ✓ | | -| [network](variables.tf#L57) | Name of the network the Secure Web Proxy is deployed into. | string | ✓ | | -| [project_id](variables.tf#L107) | Project id of the project that holds the network. | string | ✓ | | -| [region](variables.tf#L112) | Region where resources will be created. | string | ✓ | | -| [subnetwork](variables.tf#L132) | Name of the subnetwork the Secure Web Proxy is deployed into. | string | ✓ | | +| [gateway_config](variables.tf#L40) | Optional Secure Web Gateway configuration. | object({…}) | ✓ | | +| [name](variables.tf#L53) | Name of the Secure Web Proxy resource. | string | ✓ | | +| [network](variables.tf#L58) | Name of the network the Secure Web Proxy is deployed into. | string | ✓ | | +| [project_id](variables.tf#L108) | Project id of the project that holds the network. | string | ✓ | | +| [region](variables.tf#L113) | Region where resources will be created. | string | ✓ | | +| [subnetwork](variables.tf#L133) | Name of the subnetwork the Secure Web Proxy is deployed into. | string | ✓ | | | [certificates](variables.tf#L17) | List of certificates to be used for Secure Web Proxy. | list(string) | | [] | | [description](variables.tf#L24) | Optional description for the created resources. | string | | "Managed by Terraform." | | [factories_config](variables.tf#L30) | Path to folder with YAML resource description data files. | object({…}) | | {} | -| [policy_rules](variables.tf#L62) | Policy rules definitions. Merged with policy rules defined via the factory. 
| map(object({…})) | | {} | -| [policy_rules_contexts](variables.tf#L96) | Replacement contexts for policy rules matcher arguments. | object({…}) | | {} | -| [service_attachment](variables.tf#L117) | PSC service attachment configuration. | object({…}) | | null | -| [tls_inspection_config](variables.tf#L137) | TLS inspection configuration. | object({…}) | | {} | -| [url_lists](variables.tf#L158) | URL lists. | map(object({…})) | | {} | +| [policy_rules](variables.tf#L63) | Policy rules definitions. Merged with policy rules defined via the factory. | map(object({…})) | | {} | +| [policy_rules_contexts](variables.tf#L97) | Replacement contexts for policy rules matcher arguments. | object({…}) | | {} | +| [service_attachment](variables.tf#L118) | PSC service attachment configuration. | object({…}) | | null | +| [tls_inspection_config](variables.tf#L138) | TLS inspection configuration. | object({…}) | | {} | +| [url_lists](variables.tf#L159) | URL lists. | map(object({…})) | | {} | ## Outputs
diff --git a/modules/net-swp/main.tf b/modules/net-swp/main.tf
index 7ed3dcf05e..471cf5f353 100644
--- a/modules/net-swp/main.tf
+++ b/modules/net-swp/main.tf
@@ -97,6 +97,11 @@ resource "google_network_services_gateway" "default" {
 )
 network = var.network
 subnetwork = var.subnetwork
+ routing_mode = (
+ var.gateway_config.next_hop_routing_mode
+ ? "NEXT_HOP_ROUTING_MODE"
+ : null
+ )
 delete_swg_autogen_router_on_destroy = (
 var.gateway_config.delete_router_on_destroy
 )
diff --git a/modules/net-swp/variables.tf b/modules/net-swp/variables.tf
index 00bc8f5999..cff9e3f49b 100644
--- a/modules/net-swp/variables.tf
+++ b/modules/net-swp/variables.tf
@@ -43,6 +43,7 @@ variable "gateway_config" {
 addresses = optional(list(string), [])
 delete_router_on_destroy = optional(bool, true)
 labels = optional(map(string), {})
+ next_hop_routing_mode = optional(bool, false)
 ports = optional(list(string), [443])
 scope = optional(string)
 })
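Review bot: In modules/net-swp/main.tf the new `routing_mode` argument has no comment explaining the `null` branch, so a reader cannot tell from the hunk which mode the gateway runs in when `next_hop_routing_mode` is false. I would add `# null leaves routing_mode unset (provider default); true makes the proxy a route next hop` above the argument, after confirming the default against the provider documentation. Because this setting changes how client traffic reaches the egress proxy, it is also worth checking whether the provider replaces the gateway when `routing_mode` changes; if it does, flipping the flag on a deployed proxy would recreate it and interrupt filtered egress. The resource block starts and ends outside the hunk.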
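Review bot: In modules/net-swp/variables.tf the new `next_hop_routing_mode` attribute is undocumented: the `gateway_config` description shown in the README table still reads "Optional Secure Web Gateway configuration." and the commit adds no usage example. A comment on the attribute line, for example `# deploy the proxy as a next hop for routes instead of an explicitly configured proxy`, would tell operators what enabling it changes in the traffic path. A boolean can also only express one mode, so if the API is expected to gain further routing modes, a `routing_mode = optional(string)` attribute with a validation block may age better. The variable block starts and ends outside the hunk.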