diff --git a/aws/rds/main.tf b/aws/rds/main.tf
index 51c2aa5..4c815aa 100644
--- a/aws/rds/main.tf
+++ b/aws/rds/main.tf
@@ -75,7 +75,7 @@ resource "aws_security_group" "sg_on_rds_instance" {
 vpc_id = var.vpc_id
 ingress {
- cidr_blocks = concat([local.table_xi_office_cidr_block], var.sg_cidr_blocks)
+ cidr_blocks = var.expose_to_txi_office ? concat([local.table_xi_office_cidr_block], var.sg_cidr_blocks) : var.sg_cidr_blocks
 from_port = local.port
 protocol = "tcp"
 security_groups = var.security_groups_for_ingress
diff --git a/aws/rds/variables.tf b/aws/rds/variables.tf
index 71a3c18..8509e50 100644
--- a/aws/rds/variables.tf
+++ b/aws/rds/variables.tf
@@ -141,3 +141,9 @@ variable "vpc_security_group_ids" {
 default = []
 }
+
+variable "expose_to_txi_office" {
+ description = "include TXI Office IP in security group"
+ type = bool
+ default = true
+}
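Review bot: With `expose_to_txi_office = false`, the `cidr_blocks` of this ingress rule is whatever `var.sg_cidr_blocks` holds. If that list and `var.security_groups_for_ingress` are both empty, the block describes a rule with no source at all. The defaults of those two variables are outside the hunk, so it is worth confirming that a plan with the flag off and nothing else set still applies cleanly and does not leave a perpetual diff. The conditional also repeats `var.sg_cidr_blocks`; `cidr_blocks = concat(var.expose_to_txi_office ? [local.table_xi_office_cidr_block] : [], var.sg_cidr_blocks)` expresses the same result with the list named once. The resource body starts and ends outside the hunk.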
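Review bot: `default = true` leaves the new flag fail-open: any caller that does not set `expose_to_txi_office` still gets the office CIDR added to the database security group. Access is narrowed only for callers that are updated to pass `false`. That keeps existing stacks unchanged, but the description should state the effect and the opt-out, for example `description = "Allow ingress from the TXI office CIDR in addition to sg_cidr_blocks; set to false to remove it"`. If a breaking change is acceptable for this module, `default = false` would make the narrower rule the one callers get without asking.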