diff --git a/locals.tf b/locals.tf
index b2d36c9..e2a0a32 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,5 +1,10 @@
 locals {
   name_prefix = var.bastion_launch_template_name
   security_group = join("", flatten([aws_security_group.bastion_host_security_group[*].id, var.bastion_security_group_id]))
+
+  // the compact() function checks for null values and gets rid of them
+  // the length is a check to ensure we dont have an empty array, as an empty array would throw an error for the cidr_block argument
+  ipv4_cidr_block = length(compact(data.aws_subnet.subnets[*].cidr_block)) == 0 ? null : concat(data.aws_subnet.subnets[*].cidr_block, var.cidrs)
+  ipv6_cidr_block = length(compact(data.aws_subnet.subnets[*].ipv6_cidr_block)) == 0 ? null : concat(data.aws_subnet.subnets[*].ipv6_cidr_block, var.ipv6_cidrs)
 }
diff --git a/main.tf b/main.tf
index 1770487..1c79135 100644
--- a/main.tf
+++ b/main.tf
@@ -35,8 +35,8 @@ resource "aws_security_group_rule" "ingress_bastion" {
   from_port = var.public_ssh_port
   to_port = var.public_ssh_port
   protocol = "TCP"
-  cidr_blocks = compact(concat(data.aws_subnet.subnets.*.cidr_block, var.cidrs))
-  ipv6_cidr_blocks = compact(concat(data.aws_subnet.subnets.*.ipv6_cidr_block, var.ipv6_cidrs))
+  cidr_blocks = local.ipv4_cidr_block
+  ipv6_cidr_blocks = local.ipv6_cidr_block
   security_group_id = local.security_group
 }
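Review bot: The two new `ipv4_cidr_block` / `ipv6_cidr_block` locals apply `compact()` only inside the length test and hand the raw, uncompacted `concat(...)` to the consumer, whereas the removed main.tf expression compacted the concatenated list; a subnet whose `ipv6_cidr_block` is empty (the mixed IPv4/IPv6 case) or a blank entry in `var.cidrs` / `var.ipv6_cidrs` now reaches the ingress rule unfiltered. The emptiness test also inspects only the subnet list and ignores the variable lists, so when no subnet contributes a block but `var.cidrs` is non-empty the local becomes `null` and those operator-supplied ranges are silently dropped from the SSH rule rather than surfaced as an error. Compacting the full concatenated list once, then testing that result, preserves the previous filtering and makes the null fallback depend on everything the rule actually consumes; the consuming main.tf hunk needs no change beyond this. The comment style could also be `#` to match the rest of the repository if that is its convention, and `dont` reads better as `don't`.
```hcl
  # … unchanged: name_prefix, security_group …

  # compact() drops null/empty entries from the combined subnet + variable lists;
  # an empty list becomes null because, per the author's note, an empty array is
  # rejected for the cidr_blocks / ipv6_cidr_blocks arguments
  ipv4_cidrs_all  = compact(concat(data.aws_subnet.subnets[*].cidr_block, var.cidrs))
  ipv6_cidrs_all  = compact(concat(data.aws_subnet.subnets[*].ipv6_cidr_block, var.ipv6_cidrs))
  ipv4_cidr_block = length(local.ipv4_cidrs_all) == 0 ? null : local.ipv4_cidrs_all
  ipv6_cidr_block = length(local.ipv6_cidrs_all) == 0 ? null : local.ipv6_cidrs_all
```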