diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4ae3a00919..9da01495ec 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ All notable changes to this project will be documented in this file.
 - add `id` output to service account module
 - add support for secrets to cloud function module
 - new binary authorization module
+- add `consumer_accept_list` option to `apigee-x-instance` module.
 
 **FAST**
 
diff --git a/modules/apigee-x-instance/README.md b/modules/apigee-x-instance/README.md
index 7ad1f98b38..492b1234e1 100644
--- a/modules/apigee-x-instance/README.md
+++ b/modules/apigee-x-instance/README.md
@@ -49,12 +49,13 @@ module "apigee-x-instance" {
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
 | [apigee_org_id](variables.tf#L32) | Apigee Organization ID. | <code>string</code> | ✓ |  |
-| [name](variables.tf#L49) | Apigee instance name. | <code>string</code> | ✓ |  |
-| [region](variables.tf#L54) | Compute region. | <code>string</code> | ✓ |  |
+| [name](variables.tf#L55) | Apigee instance name. | <code>string</code> | ✓ |  |
+| [region](variables.tf#L60) | Compute region. | <code>string</code> | ✓ |  |
 | [apigee_envgroups](variables.tf#L17) | Apigee Environment Groups. | <code title="map&#40;object&#40;&#123;&#10;  environments &#61; list&#40;string&#41;&#10;  hostnames    &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [apigee_environments](variables.tf#L26) | Apigee Environment Names. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
-| [disk_encryption_key](variables.tf#L43) | Customer Managed Encryption Key (CMEK) self link (e.g. `projects/foo/locations/us/keyRings/bar/cryptoKeys/baz`) used for disk and volume encryption (required for PAID Apigee Orgs only). | <code>string</code> |  | <code>null</code> |
-| [ip_range](variables.tf#L37) | Customer-provided CIDR blocks of length 22 and 28 for the Apigee instance (e.g. `10.0.0.0/22,10.1.0.0/28`). | <code>string</code> |  | <code>null</code> |
+| [consumer_accept_list](variables.tf#L37) | List of projects (id/number) that can privately connect to the service attachment. | <code>list&#40;string&#41;</code> |  | <code>null</code> |
+| [disk_encryption_key](variables.tf#L49) | Customer Managed Encryption Key (CMEK) self link (e.g. `projects/foo/locations/us/keyRings/bar/cryptoKeys/baz`) used for disk and volume encryption (required for PAID Apigee Orgs only). | <code>string</code> |  | <code>null</code> |
+| [ip_range](variables.tf#L43) | Customer-provided CIDR blocks of length 22 and 28 for the Apigee instance (e.g. `10.0.0.0/22,10.1.0.0/28`). | <code>string</code> |  | <code>null</code> |
 
 ## Outputs
 
diff --git a/modules/apigee-x-instance/main.tf b/modules/apigee-x-instance/main.tf
index 1ef2c66b1f..83e53b5fdf 100644
--- a/modules/apigee-x-instance/main.tf
+++ b/modules/apigee-x-instance/main.tf
@@ -20,6 +20,7 @@ resource "google_apigee_instance" "apigee_instance" {
   location                 = var.region
   ip_range                 = var.ip_range
   disk_encryption_key_name = var.disk_encryption_key
+  consumer_accept_list     = var.consumer_accept_list
 }
 
 resource "google_apigee_instance_attachment" "apigee_instance_attchment" {
diff --git a/modules/apigee-x-instance/variables.tf b/modules/apigee-x-instance/variables.tf
index 681dd1dc29..117e15fdc9 100644
--- a/modules/apigee-x-instance/variables.tf
+++ b/modules/apigee-x-instance/variables.tf
@@ -34,6 +34,12 @@ variable "apigee_org_id" {
   type        = string
 }
 
+variable "consumer_accept_list" {
+  description = "List of projects (id/number) that can privately connect to the service attachment."
+  type        = list(string)
+  default     = null
+}
+
 variable "ip_range" {
   description = "Customer-provided CIDR blocks of length 22 and 28 for the Apigee instance (e.g. `10.0.0.0/22,10.1.0.0/28`)."
   type        = string
diff --git a/tests/modules/apigee_x_instance/fixture/main.tf b/tests/modules/apigee_x_instance/fixture/main.tf
index 19373a3b1a..95d792a427 100644
--- a/tests/modules/apigee_x_instance/fixture/main.tf
+++ b/tests/modules/apigee_x_instance/fixture/main.tf
@@ -25,4 +25,8 @@ module "apigee-x-instance" {
     "eval1",
     "eval2"
   ]
+  consumer_accept_list = [
+    "project1",
+    "project2"
+  ]
 }
diff --git a/tests/modules/apigee_x_instance/test_plan.py b/tests/modules/apigee_x_instance/test_plan.py
index c99f17d70c..71bdf0b63b 100644
--- a/tests/modules/apigee_x_instance/test_plan.py
+++ b/tests/modules/apigee_x_instance/test_plan.py
@@ -28,17 +28,28 @@ def test_resource_count(resources):
 
 def test_instance_attachment(resources):
   "Test Apigee Instance Attachments."
-  attachments = [r['values'] for r in resources if r['type']
-                 == 'google_apigee_instance_attachment']
+  attachments = [
+      r['values']
+      for r in resources
+      if r['type'] == 'google_apigee_instance_attachment'
+  ]
   assert len(attachments) == 2
   assert set(a['environment'] for a in attachments) == set(['eval1', 'eval2'])
 
 
 def test_instance(resources):
   "Test Instance."
-  instances = [r['values'] for r in resources if r['type']
-               == 'google_apigee_instance']
+  instances = [
+      r['values'] for r in resources if r['type'] == 'google_apigee_instance'
+  ]
   assert len(instances) == 1
   assert instances[0]['ip_range'] == '10.0.0.0/22,10.1.0.0/28'
   assert instances[0]['name'] == 'my-test-instance'
   assert instances[0]['location'] == 'europe-west1'
+
+
+def test_instance_consumer_accept_list(resources):
+  instances = [
+      r['values'] for r in resources if r['type'] == 'google_apigee_instance'
+  ]
+  assert instances[0]['consumer_accept_list'] == ['project1', 'project2']