diff --git a/CHANGELOG.md b/CHANGELOG.md
index ae6ecac..cc3a338 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -54,3 +54,7 @@
* v1.1.6 -- 20210714
- flowlogs
- add tags to resources
+
+* v1.2.0 -- 20211019
+ - vpn
+ - add create variable to create/not-create the resources
diff --git a/common/variables.create.tf b/common/variables.create.tf
new file mode 100644
index 0000000..7613cac
--- /dev/null
+++ b/common/variables.create.tf
@@ -0,0 +1,5 @@
+variable "create" {
+ description = "Flag to indicate whether to create the resources or not (default: true)"
+ type = bool
+ default = true
+}
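Review bot: The description of the new `create` variable repeats the default in prose ("(default: true)"), while the `default = true` attribute is what Terraform enforces and what terraform-docs already renders in its own column (both appear side by side in the README table added in this commit), so the two can drift if the default is ever changed. A description that states only the contract avoids that: `description = "Whether to create this module's resources; set to false to declare the module without provisioning anything."`.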
diff --git a/common/version.tf b/common/version.tf
index 6dda06d..1ee6619 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
locals {
- _module_version = "1.1.6"
+ _module_version = "1.2.0"
}
diff --git a/vpn/README.md b/vpn/README.md
index eaed00c..778f4ac 100644
--- a/vpn/README.md
+++ b/vpn/README.md
@@ -24,6 +24,7 @@ To download the configuration, follow these directions [page 24 from AWS docs](h
```hcl
module "vpn" {
source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpn"
+ create = true
vpc_id = "vpc-1234568"
vpc_full_name = "vpc2-dice-dev"
vpc_environment = "dev"
@@ -71,6 +72,7 @@ No modules.
|------|-------------|------|---------|:--------:|
| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
| [custom\_preshared\_keys](#input\_custom\_preshared\_keys) | List of one or two pre-shared keys to use for the two tunnels. If only one provided, it will use it for both tunnels. If missing, pre-shared keys will be generated. | `list(string)` | `[]` | no |
| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| [route\_table\_ids](#input\_route\_table\_ids) | List of created route table IDs for privating routing to be used for VPN route propagation | `list(string)` | `[]` | no |
diff --git a/vpn/main.tf b/vpn/main.tf
index fc651b8..0fca4bf 100644
--- a/vpn/main.tf
+++ b/vpn/main.tf
@@ -25,6 +25,7 @@
* ```hcl
* module "vpn" {
* source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpn"
+* create = true
* vpc_id = "vpc-1234568"
* vpc_full_name = "vpc2-dice-dev"
* vpc_environment = "dev"
@@ -48,11 +49,14 @@ locals {
bgp_asn_id = v.bgp_asn_id
ip_address = v.ip_address
} }
+ _vpn_settings = var.create ? local.vpn_settings : {}
base_tags = {
"boc:tf_module_version" = local._module_version
"boc:created_by" = "terraform"
}
+
+ vpn_gateway = element(concat(aws_vpn_gateway.vpn[*].id, list("")), 0)
}
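Review bot: The new `vpn_gateway` local uses `list("")`, the legacy `list()` function that was deprecated in Terraform 0.12 and removed in 0.15, so this line fails to evaluate on current Terraform; a tuple literal is equivalent: `vpn_gateway = element(concat(aws_vpn_gateway.vpn[*].id, [""]), 0)`. If the module's `required_version` (not in this diff) permits 0.15 or later, `one(aws_vpn_gateway.vpn[*].id)` expresses the count-0/1 case directly. The `_vpn_settings` local introduced here is then re-spelled inline as `var.create ? local.vpn_settings : {}` in the `for_each` of `aws_customer_gateway.vpn`, `random_string.tunnel_preshared_key` and `aws_vpn_connection.vpn` later in this file; writing `for_each = local._vpn_settings` there keeps the outputs in outputs.tf and the resources they index gated by a single expression. The enclosing `locals` block opens before this hunk.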
@@ -60,6 +64,7 @@ locals {
# vpn gateway (one per vpc)
#---
resource "aws_vpn_gateway" "vpn" {
+ count = var.create ? 1 : 0
vpc_id = var.vpc_id
tags = merge(
@@ -70,15 +75,16 @@ resource "aws_vpn_gateway" "vpn" {
}
resource "aws_vpn_gateway_attachment" "vpn" {
+ count = var.create ? 1 : 0
vpc_id = var.vpc_id
- vpn_gateway_id = aws_vpn_gateway.vpn.id
+ vpn_gateway_id = local.vpn_gateway
}
#---
# customer gateway, one per vpc per site
#---
resource "aws_customer_gateway" "vpn" {
- for_each = local.vpn_settings
+ for_each = var.create ? local.vpn_settings : {}
bgp_asn = each.value.bgp_asn_id
ip_address = each.value.ip_address
type = "ipsec.1"
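Review bot: Inside resources that are themselves gated by `count = var.create ? 1 : 0`, the indirection `vpn_gateway_id = local.vpn_gateway` hides what is being referenced; `vpn_gateway_id = aws_vpn_gateway.vpn[0].id` is the direct form, is never evaluated when `var.create` is false, and errors loudly if the gating of the two resources ever diverges instead of silently passing an empty string. The same applies to `aws_vpn_connection.vpn` and `aws_vpn_gateway_route_propagation.vpn` in the later hunks; the `concat`/`element` form is only needed where an un-gated expression, such as an output, must tolerate the count-0 case. This hunk starts with the closing brace of `aws_vpn_gateway.vpn`, whose body is outside it.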
@@ -94,7 +100,7 @@ resource "aws_customer_gateway" "vpn" {
# vpn pre-shared key (same for each tunnel per site, one per site)
#---
resource "random_string" "tunnel_preshared_key" {
- for_each = local.vpn_settings
+ for_each = var.create ? local.vpn_settings : {}
length = 32
special = true
override_special = "._"
@@ -105,9 +111,10 @@ resource "random_string" "tunnel_preshared_key" {
# at this time, static routing is not an option. We can re-code this later if needed
#---
resource "aws_vpn_connection" "vpn" {
- for_each = local.vpn_settings
- type = "ipsec.1"
- vpn_gateway_id = aws_vpn_gateway.vpn.id
+ for_each = var.create ? local.vpn_settings : {}
+ type = "ipsec.1"
+ # vpn_gateway_id = aws_vpn_gateway.vpn.id
+ vpn_gateway_id = local.vpn_gateway
customer_gateway_id = aws_customer_gateway.vpn[each.key].id
tunnel1_preshared_key = length(var.custom_preshared_keys) == 0 ? random_string.tunnel_preshared_key[each.key].result : element(var.custom_preshared_keys, 0)
tunnel2_preshared_key = length(var.custom_preshared_keys) == 0 ? random_string.tunnel_preshared_key[each.key].result : element(var.custom_preshared_keys, 1)
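Review bot: The commented-out `# vpn_gateway_id = aws_vpn_gateway.vpn.id` added to `aws_vpn_connection.vpn` (and again in `aws_vpn_gateway_route_propagation.vpn` in the next hunk) is dead code that records a reference which is no longer valid once the gateway has `count`; the repository history already keeps the old line, so the comment should be dropped rather than left beside the new assignment. While this resource is being touched: the tunnel keys are still sourced from `random_string`, whose `result` is not marked sensitive and therefore appears in plain text in plan output and state listings; if the random provider version in use offers it, `random_password` has the same arguments and marks the value sensitive. The `aws_vpn_connection.vpn` block continues past this hunk.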
@@ -144,9 +151,10 @@ locals {
# use this resource, do not use propagating_vgws on the route tables. Need this for one per route table ID
resource "aws_vpn_gateway_route_propagation" "vpn" {
- for_each = { for v in local.vpn_route_table_ids : "${v.site}.${v.route_table_id}" => v }
+ for_each = var.create ? { for v in local.vpn_route_table_ids : "${v.site}.${v.route_table_id}" => v } : {}
- vpn_gateway_id = aws_vpn_gateway.vpn.id
+ # vpn_gateway_id = aws_vpn_gateway.vpn.id
+ vpn_gateway_id = local.vpn_gateway
route_table_id = each.value.route_table_id
}
diff --git a/vpn/outputs.tf b/vpn/outputs.tf
index 690591c..3fb3a1b 100644
--- a/vpn/outputs.tf
+++ b/vpn/outputs.tf
@@ -1,6 +1,6 @@
output "vpn_tunnel_endpoints" {
description = "VPN Tunnel Endpoint IP Addresses"
- value = { for k in keys(local.vpn_settings) : k => {
+ value = { for k in keys(local._vpn_settings) : k => {
site = k
customer_address = aws_customer_gateway.vpn[k].ip_address
bgp_asn = aws_customer_gateway.vpn[k].bgp_asn
@@ -14,7 +14,7 @@ output "vpn_tunnel_endpoints" {
output "vpn_labels" {
description = "VPN Labels for Description field of Endpoint device (Cisco ASR)"
- value = { for k in keys(local.vpn_settings) : k => {
+ value = { for k in keys(local._vpn_settings) : k => {
site = k
label = format("aws:%v:%v:%v:%v", local.region, local.account_id, aws_vpn_connection.vpn[k].id, var.vpc_full_name)
}
diff --git a/vpn/variables.create.tf b/vpn/variables.create.tf
new file mode 120000
index 0000000..de1275b
--- /dev/null
+++ b/vpn/variables.create.tf
@@ -0,0 +1 @@
+../common/variables.create.tf
\ No newline at end of file
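Review bot: `vpn/variables.create.tf` is added as a symbolic link (mode 120000) to `../common/variables.create.tf`, and the module is documented as being consumed through a git source, so the link is only resolved where the checkout preserves symlinks. On a Windows checkout without symlink support, git writes a regular file containing the text `../common/variables.create.tf`, which Terraform would then try to parse as HCL and reject; a copied file, or generating the shared variable during a release step, avoids that. This appears to be an established pattern in the repository rather than something new to this commit, so it may be an accepted trade-off.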