diff --git a/vpc/README.md b/vpc/README.md
index 0d6f0e3..8bc7ab7 100644
--- a/vpc/README.md
+++ b/vpc/README.md
@@ -76,6 +76,7 @@ No modules.
| [enable\_aws\_dns](#input\_enable\_aws\_dns) | Enable use of AWS DNS server. This overrides the settings of vpc\_dns\_servers and enables dns\_support and dns\_hostnames | `bool` | `false` | no |
| [enable\_dns\_hostnames](#input\_enable\_dns\_hostnames) | Enable DNS hostnames within the VPC | `bool` | `true` | no |
| [enable\_dns\_support](#input\_enable\_dns\_support) | Enable DNS support within the VPC | `bool` | `true` | no |
+| [enable\_nau\_metrics](#input\_enable\_nau\_metrics) | Enable use of Network Address Usage (nau) metrics for cloudwatch | `bool` | `false` | no |
| [network\_census](#input\_network\_census) | Census Subnets | `list` | [
"148.129.0.0/16",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no |
| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
diff --git a/vpc/main.tf b/vpc/main.tf
index 76682ed..d8fb34a 100644
--- a/vpc/main.tf
+++ b/vpc/main.tf
@@ -73,7 +73,7 @@ resource "aws_vpc" "vpc" {
cidr_block = var.vpc_cidr_block
enable_dns_support = local.enable_dns_support
enable_dns_hostnames = local.enable_dns_hostnames
- enable_network_address_usage_metrics = true
+ enable_network_address_usage_metrics = var.enable_nau_metrics
tags = merge(
local.base_tags,
diff --git a/vpc/variables.tf b/vpc/variables.tf
index ea54290..cc1e4b7 100644
--- a/vpc/variables.tf
+++ b/vpc/variables.tf
@@ -21,6 +21,12 @@ variable "enable_aws_dns" {
default = false
}
+variable "enable_nau_metrics" {
+ description = "Enable use of Network Address Usage (nau) metrics for cloudwatch"
+ type = bool
+ default = false
+}
+
###
##
## variable "vpc_domain_name" {