diff --git a/main.tf b/main.tf
index 7b66568c..c5b8cf80 100644
--- a/main.tf
+++ b/main.tf
@@ -1,8 +1,9 @@
 locals {
   # VPC - existing or new?
-  vpc_id = var.vpc_id == "" ? module.vpc.vpc_id : var.vpc_id
-  private_subnet_ids = coalescelist(module.vpc.private_subnets, var.private_subnet_ids, [""])
-  public_subnet_ids = coalescelist(module.vpc.public_subnets, var.public_subnet_ids, [""])
+  vpc_id = var.vpc_id == "" ? module.vpc.vpc_id : var.vpc_id
+  efs_sg_ingress_cidr = [ var.cidr == "" ? data.aws_vpc.this.cidr : var.cidr ]
+  private_subnet_ids = coalescelist(module.vpc.private_subnets, var.private_subnet_ids, [""])
+  public_subnet_ids = coalescelist(module.vpc.public_subnets, var.public_subnet_ids, [""])
 
   # Atlantis
   atlantis_image = var.atlantis_image == "" ? "ghcr.io/runatlantis/atlantis:${var.atlantis_version}" : var.atlantis_image
@@ -137,6 +138,10 @@ data "aws_route53_zone" "this" {
   private_zone = var.route53_private_zone
 }
 
+data "aws_vpc" "this" {
+  id = local.vpc_id
+}
+
 ################################################################################
 # Secret for webhook
 ################################################################################
@@ -383,7 +388,8 @@ module "efs_sg" {
   vpc_id = local.vpc_id
   description = "Security group allowing access to the EFS storage"
 
-  ingress_cidr_blocks = [var.cidr]
+  ingress_cidr_blocks = local.efs_sg_ingress_cidr
+
   ingress_with_source_security_group_id = [{
     rule = "nfs-tcp",
     source_security_group_id = module.atlantis_sg.security_group_id
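Review bot: `data.aws_vpc.this.cidr` on the new `efs_sg_ingress_cidr` line reads the data source's optional `cidr` filter argument, which the new data block never sets, rather than the VPC's address range; the exported attribute is `cidr_block`, so the fallback should read `data.aws_vpc.this.cidr_block`. As written the list element is likely to evaluate to null whenever `var.cidr` is empty, and the EFS security group module would then receive an unusable CIDR instead of the intended default. The brackets also carry inner spaces that `terraform fmt` would strip: `efs_sg_ingress_cidr = [var.cidr == "" ? data.aws_vpc.this.cidr_block : var.cidr]`.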
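Review bot: The new `data "aws_vpc" "this"` block has no comment saying why the VPC is looked up, and since `local.vpc_id` may come from `module.vpc` in the same configuration the read is deferred until that VPC exists, which a reader may not expect from a data source. A one-line comment above it would save the next maintainer a search: `# Looks up the VPC (existing or created by module.vpc) so its CIDR can serve as the default EFS ingress range.` The lookup also runs unconditionally, even when `var.cidr` is set and the result is unused, which is harmless but worth stating in the same comment.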
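Review bot: Falling back to the whole VPC CIDR for `ingress_cidr_blocks` means that, whenever `var.cidr` is left empty, every address in the VPC can reach the EFS mount targets on whatever `ingress_rules` this module call defines (those rules are outside the hunk), while the `ingress_with_source_security_group_id` entry below already grants NFS to the Atlantis task security group. If the source-security-group rule is the intended access path, the CIDR rule could be made opt-in rather than defaulting to the VPC range; at minimum the `cidr` variable's description should state that an empty value widens access to the entire VPC. The `module "efs_sg"` block continues outside the hunk.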