diff --git a/rs-green-side.tf b/rs-green-side.tf
index b938b0f..5dcbdfd 100644
--- a/rs-green-side.tf
+++ b/rs-green-side.tf
@@ -69,7 +69,8 @@ resource "aws_instance" "green_vpn_inst" {
 ami = data.aws_ami.green_vpn_inst_ubuntu.id
 instance_type = var.green_vpn_endpoint_instancetype
- vpc_security_group_ids = length(var.allowed_networks_ssh) > 0 ? [aws_security_group.green_vpn_inst_ipsec.id, aws_security_group.green_vpn_inst_green_traffic.id, aws_security_group.green_vpn_inst_ssh.id] : [aws_security_group.green_vpn_inst_ipsec.id, aws_security_group.green_vpn_inst_green_traffic.id]
+
+ vpc_security_group_ids = concat([aws_security_group.green_vpn_inst_ipsec.id, aws_security_group.green_vpn_inst_green_traffic.id], try(aws_security_group.green_vpn_inst_ssh[0].id,[]))
 subnet_id = module.green_vpc.public_subnets[0]
 key_name = var.green_vpn_inst_keyname == "" ? aws_key_pair.green_vpn_inst[0].key_name : var.green_vpn_inst_keyname
 source_dest_check = "false"
@@ -145,6 +146,9 @@ resource "aws_security_group" "green_vpn_inst_ipsec" {
 resource "aws_security_group" "green_vpn_inst_ssh" {
+
+ count = length(var.green_vpn_inst_allowed_networks_ssh) > 0 ? 1 : 0
+
 name = "vpn_inst_ssh"
 description = "Allow SSH from specified networks for management"
 vpc_id = module.green_vpc.vpc_id
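Review bot: The new `vpc_security_group_ids` expression passes a string into `concat()` whenever the SSH security group exists: `try(aws_security_group.green_vpn_inst_ssh[0].id, [])` yields the bare `.id` string when `count` is 1 and the empty list only when it is 0, and `concat` requires every argument to be a list, so the apply that actually attaches the SSH group is the one most likely to fail type-checking. The splat form already returns an empty list for a zero-count resource and avoids `try()` masking other errors on that line: `vpc_security_group_ids = concat([aws_security_group.green_vpn_inst_ipsec.id, aws_security_group.green_vpn_inst_green_traffic.id], aws_security_group.green_vpn_inst_ssh[*].id)`. The stray blank `+` line inserted above the assignment can be dropped as well. The `aws_instance` block this sits in starts before the hunk and continues past `source_dest_check`, so other references to the SSH group in that block are not visible here.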
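Review bot: Adding `count` to `aws_security_group.green_vpn_inst_ssh` changes its resource address from `aws_security_group.green_vpn_inst_ssh` to `aws_security_group.green_vpn_inst_ssh[0]`, so on any environment where this file has already been applied the next plan will destroy the management SSH group and create a new one (detaching it from the running instance in between) unless the state is migrated; a `moved` block alongside the resource keeps the existing group in place. Every other reference to this group in the rest of the file must also switch to the indexed or splat form, since the resource's `ingress` block and any such references are outside this hunk. The condition reads `var.green_vpn_inst_allowed_networks_ssh` while the line it replaces in the first hunk read `var.allowed_networks_ssh`; presumably the former is the input the ingress rules already use, but it is worth confirming the two names are not both declared.
```hcl
// … unchanged: resource "aws_security_group" "green_vpn_inst_ssh" { … } …

moved {
  from = aws_security_group.green_vpn_inst_ssh
  to   = aws_security_group.green_vpn_inst_ssh[0]
}
```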