diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl
index 2e98b9c358..170e80a045 100644
--- a/autogen/main/main.tf.tmpl
+++ b/autogen/main/main.tf.tmpl
@@ -77,8 +77,8 @@ locals {
 // auto upgrade by defaults only for regional cluster as long it has multiple masters versus zonal clusters have only have a single master so upgrades are more dangerous.
 default_auto_upgrade = var.regional ? true : false
- cluster_subnet_cidr = data.google_compute_subnetwork.gke_subnetwork.*.ip_cidr_range
- cluster_alias_ranges_cidr = { for range in toset(data.google_compute_subnetwork.gke_subnetwork.*.secondary_ip_range) : range.range_name => range.ip_cidr_range }
+ cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null
+ cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
 cluster_network_policy = var.network_policy ? [{
 enabled = true
diff --git a/main.tf b/main.tf
index d7f8ebf422..c35934b2db 100644
--- a/main.tf
+++ b/main.tf
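Review bot: The new `cluster_subnet_cidr` is a single string or `null` where the old splat expression produced a list, and no consumer of these locals is touched in the part of the diff shown here, so whatever reads them outside this hunk (presumably the firewall rules gated by `add_cluster_firewall_rules`) should be checked to expect a scalar and to never be evaluated when the flag is false. The `[0]` index also assumes the `gke_subnetwork` data source is declared with a count tied to the same flag, which is not visible in this hunk. A comment above the two locals would record that contract, e.g. `// set only when add_cluster_firewall_rules is true; otherwise null / {} and must not be referenced`. The same two lines are repeated in the other six files of this diff, and the `locals` block continues outside the hunk.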
@@ -59,8 +59,8 @@ locals {
 // auto upgrade by defaults only for regional cluster as long it has multiple masters versus zonal clusters have only have a single master so upgrades are more dangerous.
 default_auto_upgrade = var.regional ? true : false
- cluster_subnet_cidr = data.google_compute_subnetwork.gke_subnetwork.*.ip_cidr_range
- cluster_alias_ranges_cidr = { for range in toset(data.google_compute_subnetwork.gke_subnetwork.*.secondary_ip_range) : range.range_name => range.ip_cidr_range }
+ cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null
+ cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
 cluster_network_policy = var.network_policy ? [{
 enabled = true
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf
index c1286437d6..a57957bbdb 100644
--- a/modules/beta-private-cluster-update-variant/main.tf
+++ b/modules/beta-private-cluster-update-variant/main.tf
@@ -71,8 +71,8 @@ locals {
 // auto upgrade by defaults only for regional cluster as long it has multiple masters versus zonal clusters have only have a single master so upgrades are more dangerous.
 default_auto_upgrade = var.regional ? true : false
- cluster_subnet_cidr = data.google_compute_subnetwork.gke_subnetwork.*.ip_cidr_range
- cluster_alias_ranges_cidr = { for range in toset(data.google_compute_subnetwork.gke_subnetwork.*.secondary_ip_range) : range.range_name => range.ip_cidr_range }
+ cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null
+ cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
 cluster_network_policy = var.network_policy ? [{
 enabled = true
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
index c1286437d6..a57957bbdb 100644
--- a/modules/beta-private-cluster/main.tf
+++ b/modules/beta-private-cluster/main.tf
@@ -71,8 +71,8 @@ locals {
 // auto upgrade by defaults only for regional cluster as long it has multiple masters versus zonal clusters have only have a single master so upgrades are more dangerous.
 default_auto_upgrade = var.regional ? true : false
- cluster_subnet_cidr = data.google_compute_subnetwork.gke_subnetwork.*.ip_cidr_range
- cluster_alias_ranges_cidr = { for range in toset(data.google_compute_subnetwork.gke_subnetwork.*.secondary_ip_range) : range.range_name => range.ip_cidr_range }
+ cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null
+ cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
 cluster_network_policy = var.network_policy ? [{
 enabled = true
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
index db9162ef56..055aad1729 100644
--- a/modules/beta-public-cluster/main.tf
+++ b/modules/beta-public-cluster/main.tf
@@ -71,8 +71,8 @@ locals {
 // auto upgrade by defaults only for regional cluster as long it has multiple masters versus zonal clusters have only have a single master so upgrades are more dangerous.
 default_auto_upgrade = var.regional ? true : false
- cluster_subnet_cidr = data.google_compute_subnetwork.gke_subnetwork.*.ip_cidr_range
- cluster_alias_ranges_cidr = { for range in toset(data.google_compute_subnetwork.gke_subnetwork.*.secondary_ip_range) : range.range_name => range.ip_cidr_range }
+ cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null
+ cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
 cluster_network_policy = var.network_policy ? [{
 enabled = true
diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf
index decd3f51a1..0ca46454da 100644
--- a/modules/private-cluster-update-variant/main.tf
+++ b/modules/private-cluster-update-variant/main.tf
@@ -59,8 +59,8 @@ locals {
 // auto upgrade by defaults only for regional cluster as long it has multiple masters versus zonal clusters have only have a single master so upgrades are more dangerous.
 default_auto_upgrade = var.regional ? true : false
- cluster_subnet_cidr = data.google_compute_subnetwork.gke_subnetwork.*.ip_cidr_range
- cluster_alias_ranges_cidr = { for range in toset(data.google_compute_subnetwork.gke_subnetwork.*.secondary_ip_range) : range.range_name => range.ip_cidr_range }
+ cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null
+ cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
 cluster_network_policy = var.network_policy ? [{
 enabled = true
diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf
index decd3f51a1..0ca46454da 100644
--- a/modules/private-cluster/main.tf
+++ b/modules/private-cluster/main.tf
@@ -59,8 +59,8 @@ locals {
 // auto upgrade by defaults only for regional cluster as long it has multiple masters versus zonal clusters have only have a single master so upgrades are more dangerous.
 default_auto_upgrade = var.regional ? true : false
- cluster_subnet_cidr = data.google_compute_subnetwork.gke_subnetwork.*.ip_cidr_range
- cluster_alias_ranges_cidr = { for range in toset(data.google_compute_subnetwork.gke_subnetwork.*.secondary_ip_range) : range.range_name => range.ip_cidr_range }
+ cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null
+ cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
 cluster_network_policy = var.network_policy ? [{
 enabled = true