diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index ba45548..a0925b0 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos: - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.64.1
+ rev: v1.68.1
 hooks: - id: terraform_fmt - id: terraform_validate
diff --git a/README.md b/README.md
index c013ef2..db840bf 100644
--- a/README.md
+++ b/README.md
@@ -296,6 +296,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | [create](#input\_create) | Controls if EKS resources should be created (affects nearly all resources) | `bool` | `true` | no |
 | [create\_aws\_auth\_configmap](#input\_create\_aws\_auth\_configmap) | Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use `manage_aws_auth_configmap` | `bool` | `false` | no |
 | [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled | `bool` | `true` | no |
+| [create\_cluster\_primary\_security\_group\_tags](#input\_create\_cluster\_primary\_security\_group\_tags) | Indicates whether or not to tag the cluster's primary security group. This security group is created by the EKS service, not the module, and therefore tagging is handled after cluster creation | `bool` | `true` | no |
 | [create\_cluster\_security\_group](#input\_create\_cluster\_security\_group) | Determines if a security group is created for the cluster or use the existing `cluster_security_group_id` | `bool` | `true` | no |
 | [create\_cni\_ipv6\_iam\_policy](#input\_create\_cni\_ipv6\_iam\_policy) | Determines whether to create an [`AmazonEKS_CNI_IPv6_Policy`](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-ipv6-policy) | `bool` | `false` | no |
 | [create\_iam\_role](#input\_create\_iam\_role) | Determines whether a an IAM role is created or to use an existing IAM role | `bool` | `true` | no |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index a3589cb..3702dd1 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -125,7 +125,6 @@ module "eks" {
 # EKS Managed Node Group(s)
 eks_managed_node_group_defaults = {
 ami_type = "AL2_x86_64"
- disk_size = 50
 instance_types = ["m6i.large", "m5.large", "m5n.large", "m5zn.large"]
 attach_cluster_primary_security_group = true
diff --git a/examples/eks_managed_node_group/main.tf b/examples/eks_managed_node_group/main.tf
index 308f05a..941509a 100644
--- a/examples/eks_managed_node_group/main.tf
+++ b/examples/eks_managed_node_group/main.tf
@@ -114,7 +114,6 @@ module "eks" {
 eks_managed_node_group_defaults = {
 ami_type = "AL2_x86_64"
- disk_size = 50
 instance_types = ["m6i.large", "m5.large", "m5n.large", "m5zn.large"]
 # We are using the IRSA created below for permissions
@@ -133,6 +132,8 @@ module "eks" {
 create_launch_template = false
 launch_template_name = ""
+ disk_size = 50
+
 # Remote access cannot be specified with a launch template
 remote_access = {
 ec2_ssh_key = aws_key_pair.this.key_name
@@ -254,7 +255,6 @@ module "eks" {
 EOT
 capacity_type = "SPOT"
- disk_size = 256
 force_update_version = true
 instance_types = ["m6i.large", "m5.large", "m5n.large", "m5zn.large"]
 labels = {
diff --git a/examples/self_managed_node_group/main.tf b/examples/self_managed_node_group/main.tf
index e1f7caf..eb25655 100644
--- a/examples/self_managed_node_group/main.tf
+++ b/examples/self_managed_node_group/main.tf
@@ -96,7 +96,7 @@ module "eks" {
 }
 self_managed_node_group_defaults = {
- disk_size = 50
+ create_security_group = false
 }
 self_managed_node_groups = {
@@ -216,7 +216,6 @@ module "eks" {
 echo "you are free little kubelet!"
 EOT
- disk_size = 256
 instance_type = "m6i.large"
 launch_template_name = "self-managed-ex"
diff --git a/main.tf b/main.tf
index 61ae843..da4edb6 100644
--- a/main.tf
+++ b/main.tf
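Review bot: In the examples/eks_managed_node_group hunk at @@ -133, the added `disk_size = 50` sits directly under `create_launch_template = false` / `launch_template_name = ""` with no comment, while the neighbouring hunks remove `disk_size` from the node-group defaults; the placement suggests the value is only honoured for groups that do not use a launch template, but a reader copying the example cannot tell that from the lines themselves. A one-line comment would make the move self-explanatory, e.g. `# disk_size only takes effect when create_launch_template = false; groups with a launch template set the volume size there` — confirm the exact rule against the node-group submodule before wording it that way. The node-group object this belongs to starts before and ends after the hunk.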
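Review bot: In the examples/self_managed_node_group hunk at @@ -96, `create_security_group = false` in `self_managed_node_group_defaults` turns off the per-node-group security group for every group in the example without saying which security group the nodes are expected to use instead; neither `attach_cluster_primary_security_group` nor `vpc_security_group_ids` is visible in this hunk, so the dependency is invisible to someone copying the example. Add a comment on the new line stating the intent, e.g. `# No per-group security group: nodes rely on the cluster primary security group (attach_cluster_primary_security_group)` — verify that this is actually set in this module block, which starts before and ends after the hunk. Examples are copied as-is, so the security-group wiring they demonstrate should be explicit rather than implied by a default elsewhere.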
@@ -63,7 +63,7 @@ resource "aws_ec2_tag" "cluster_primary_security_group" {
 # This should not affect the name of the cluster primary security group
 # Ref: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/2006
 # Ref: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/2008
- for_each = { for k, v in merge(var.tags, var.cluster_tags) : k => v if local.create && k != "Name" }
+ for_each = { for k, v in merge(var.tags, var.cluster_tags) : k => v if local.create && k != "Name" && var.create_cluster_primary_security_group_tags }
 resource_id = aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id
 key = each.key
diff --git a/variables.tf b/variables.tf
index d78fb25..2890834 100644
--- a/variables.tf
+++ b/variables.tf
@@ -101,6 +101,12 @@ variable "cluster_tags" {
 default = {}
 }
+variable "create_cluster_primary_security_group_tags" {
+ description = "Indicates whether or not to tag the cluster's primary security group. This security group is created by the EKS service, not the module, and therefore tagging is handled after cluster creation"
+ type = bool
+ default = true
+}
+
 variable "cluster_timeouts" {
 description = "Create, update, and delete timeout configurations for the cluster"
 type = map(string)
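Review bot: In the main.tf hunk, the new `&& var.create_cluster_primary_security_group_tags` is appended to the per-tag filter of the `for` expression even though it is a module-level switch, invariant across the loop, like `local.create`; reading order would be clearer as `for_each = { for k, v in merge(var.tags, var.cluster_tags) : k => v if local.create && var.create_cluster_primary_security_group_tags && k != "Name" }`, or by folding it into a local next to `local.create`. Flipping the variable to `false` on an existing cluster also empties `for_each`, so Terraform will plan to destroy the existing `aws_ec2_tag` resources, which I believe removes those tags from the primary security group rather than merely ceasing to manage them; that is worth stating in the variable description (variables.tf hunk) or in the comment block above `for_each`, so operators who depend on those tags for cost allocation or tag-based access policies are not surprised. The `aws_ec2_tag` resource block begins at the hunk header and continues past the hunk.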