diff --git a/README.md b/README.md index 1122903c41..9a500c2470 100644 --- a/README.md +++ b/README.md @@ -135,6 +135,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | name | The name of the cluster (required) | string | n/a | yes | | network | The VPC network to host the cluster in (required) | string | n/a | yes | | network\_policy | Enable network policy addon | string | `"false"` | no | +| network\_policy\_provider | The network policy provider. | string | `"PROVIDER_UNSPECIFIED"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | | node\_pools | List of maps containing node pools | list | `` | no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `` | no | diff --git a/autogen/cluster_regional.tf b/autogen/cluster_regional.tf index bb521ed4c3..46e5e7710e 100644 --- a/autogen/cluster_regional.tf +++ b/autogen/cluster_regional.tf @@ -29,7 +29,13 @@ resource "google_container_cluster" "primary" { region = "${var.region}" node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + + network_policy { + enabled = "${var.network_policy}" + provider = "${var.network_policy_provider}" + } + subnetwork = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}" min_master_version = "${local.kubernetes_version_regional}" diff --git a/autogen/cluster_zonal.tf b/autogen/cluster_zonal.tf index 557d5b4f90..261fcc04c2 100644 --- a/autogen/cluster_zonal.tf +++ b/autogen/cluster_zonal.tf 
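Review bot: The `network_policy` block added to `google_container_cluster.primary` in autogen/cluster_regional.tf takes `enabled` from `var.network_policy`, which defaults to `false` in variables.tf, so a cluster built with the module defaults still has no NetworkPolicy enforcement and pod-to-pod traffic is unrestricted. Nothing at the block says this, and the README row for `network_policy` still reads "Enable network policy addon" although the variable now also switches enforcement on the cluster itself. I would add a comment above the block, `# Enforcement is off unless var.network_policy is true; NetworkPolicy objects have no effect until then.`, and update the README wording to match. The same block is added in autogen/cluster_zonal.tf, cluster_regional.tf, cluster_zonal.tf and both cluster files under modules/private-cluster, so the comment belongs there as well. The resource body continues outside the hunk.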
@@ -29,7 +29,13 @@ resource "google_container_cluster" "zonal_primary" { zone = "${var.zones[0]}" node_locations = ["${slice(var.zones,1,length(var.zones))}"] - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + + network_policy { + enabled = "${var.network_policy}" + provider = "${var.network_policy_provider}" + } + subnetwork = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}" min_master_version = "${local.kubernetes_version_zonal}" diff --git a/autogen/variables.tf b/autogen/variables.tf index 407c68fc0b..67ced3b03b 100644 --- a/autogen/variables.tf +++ b/autogen/variables.tf @@ -106,6 +106,11 @@ variable "network_policy" { default = false } +variable "network_policy_provider" { + description = "The network policy provider." + default = "PROVIDER_UNSPECIFIED" +} + variable "maintenance_start_time" { description = "Time window specified for daily maintenance operations in RFC3339 format" default = "05:00" diff --git a/cluster_regional.tf b/cluster_regional.tf index ce081d9081..518ef23a9c 100644 --- a/cluster_regional.tf +++ b/cluster_regional.tf 
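Review bot: `network_policy_provider` in autogen/variables.tf defaults to `"PROVIDER_UNSPECIFIED"` and its description names neither the accepted values nor its dependency on `network_policy`, so a caller who only sets `network_policy = true` sends `enabled = true` with no concrete provider. This diff does not show how the API treats that pair; it is likely either rejected at apply time or leaves the enforcement backend undefined, and neither is what someone turning the feature on expects. I would document both points, e.g. `description = "The network policy provider (PROVIDER_UNSPECIFIED or CALICO). Only meaningful when network_policy is true."`, and check whether the default should be `CALICO` whenever enforcement is enabled. The same variable is added in variables.tf and modules/private-cluster/variables.tf.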
@@ -29,7 +29,13 @@ resource "google_container_cluster" "primary" { region = "${var.region}" node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + + network_policy { + enabled = "${var.network_policy}" + provider = "${var.network_policy_provider}" + } + subnetwork = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}" min_master_version = "${local.kubernetes_version_regional}" diff --git a/cluster_zonal.tf b/cluster_zonal.tf index 8dc2d0c353..9b214db43b 100644 --- a/cluster_zonal.tf +++ b/cluster_zonal.tf @@ -29,7 +29,13 @@ resource "google_container_cluster" "zonal_primary" { zone = "${var.zones[0]}" node_locations = ["${slice(var.zones,1,length(var.zones))}"] - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + + network_policy { + enabled = "${var.network_policy}" + provider = "${var.network_policy_provider}" + } + subnetwork = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}" min_master_version = "${local.kubernetes_version_zonal}" diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index e1978dd332..e7b6cc12a2 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -144,6 +144,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | name | The name of the cluster (required) | string | n/a | yes | | network | The VPC network to host the cluster in (required) | string | n/a | yes | | network\_policy | Enable network policy addon | string | `"false"` | no | +| network\_policy\_provider | The network policy provider. | string | `"PROVIDER_UNSPECIFIED"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | | node\_pools | List of maps containing node pools | list | `` | no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `` | no | diff --git a/modules/private-cluster/cluster_regional.tf b/modules/private-cluster/cluster_regional.tf index 34625f72fb..34f21fd9d1 100644 --- a/modules/private-cluster/cluster_regional.tf +++ b/modules/private-cluster/cluster_regional.tf @@ -29,7 +29,13 @@ resource "google_container_cluster" "primary" { region = "${var.region}" node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + + network_policy { + enabled = "${var.network_policy}" + provider = "${var.network_policy_provider}" + } + subnetwork = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}" min_master_version = "${local.kubernetes_version_regional}" diff --git a/modules/private-cluster/cluster_zonal.tf b/modules/private-cluster/cluster_zonal.tf index 9ffdac36a9..692cc1a6a6 100644 --- a/modules/private-cluster/cluster_zonal.tf +++ b/modules/private-cluster/cluster_zonal.tf 
@@ -29,7 +29,13 @@ resource "google_container_cluster" "zonal_primary" { zone = "${var.zones[0]}" node_locations = ["${slice(var.zones,1,length(var.zones))}"] - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + + network_policy { + enabled = "${var.network_policy}" + provider = "${var.network_policy_provider}" + } + subnetwork = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}" min_master_version = "${local.kubernetes_version_zonal}" diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 4e376876cb..841501ed69 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -106,6 +106,11 @@ variable "network_policy" { default = false } +variable "network_policy_provider" { + description = "The network policy provider." + default = "PROVIDER_UNSPECIFIED" +} + variable "maintenance_start_time" { description = "Time window specified for daily maintenance operations in RFC3339 format" default = "05:00" diff --git a/variables.tf b/variables.tf index 8a95caab5e..5c22867df7 100644 --- a/variables.tf +++ b/variables.tf @@ -106,6 +106,11 @@ variable "network_policy" { default = false } +variable "network_policy_provider" { + description = "The network policy provider." + default = "PROVIDER_UNSPECIFIED" +} + variable "maintenance_start_time" { description = "Time window specified for daily maintenance operations in RFC3339 format" default = "05:00"