Using nslookup to dynamically resolve IPs and inject them into Terraform-managed security groups is not recommended.
- Pod or workload IPs are ephemeral: in Kubernetes or cloud environments, IPs often change due to scaling, rescheduling, or restarts. Any DNS-based IP resolution will likely become outdated quickly.
- Terraform is declarative, not dynamic: it is designed for infrastructure as code, not for reacting to real-time data like changing DNS records. This approach introduces state drift and breaks the idempotency of Terraform.
You should look at the following solutions:
1. Reference the security group of your EKS node group: instead of allowing individual IPs, allow the security group attached to your EKS nodes to access the RDS database. This way, any pod running on those nodes will automatically be allowed, and the rule remains stable.
2. Use the CIDR blocks of your EKS subnets: if you're running workloads in specific private subnets, authorize the CIDRs of those subnets in your RDS security group. This is a static and reliable way to allow access from your cluster.
3. Use PrivateLink or VPC Peering: if your workloads and RDS are in different VPCs, use VPC Peering or AWS PrivateLink to securely connect them, then authorize the appropriate subnets or security groups.
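The first two options above in Terraform, as an added example that is not part of the original answer. It assumes the EKS node security group ID, the private subnet CIDRs and the VPC ID are passed in as variables, and that the AWS provider is 5.x (for `aws_vpc_security_group_ingress_rule`); use either the security-group rule or the CIDR rules, not both, depending on which option you pick.

```hcl
# Assumed inputs: taken from your EKS module or a data source in real use.
variable "vpc_id" { type = string }
variable "eks_node_security_group_id" { type = string }
variable "eks_private_subnet_cidrs" { type = list(string) }
variable "db_subnet_group_name" { type = string }

# Dedicated security group for the database. Security groups deny all
# ingress by default, so only the rules below grant access; no IP
# lookups at plan time, so repeated applies produce no drift.
resource "aws_security_group" "rds" {
  name        = "rds-postgres"
  description = "Postgres access from the EKS cluster only"
  vpc_id      = var.vpc_id
}

# Option 1: reference the node security group. Any pod scheduled on a
# node that carries this group is allowed, whatever IP it gets.
resource "aws_vpc_security_group_ingress_rule" "from_eks_nodes" {
  security_group_id            = aws_security_group.rds.id
  referenced_security_group_id = var.eks_node_security_group_id
  ip_protocol                  = "tcp"
  from_port                    = 5432
  to_port                      = 5432
  description                  = "Postgres from EKS worker nodes"
}

# Option 2: authorize the private subnet CIDRs the workloads run in.
# One rule per CIDR keeps each rule independently addressable in state.
resource "aws_vpc_security_group_ingress_rule" "from_eks_subnets" {
  for_each          = toset(var.eks_private_subnet_cidrs)
  security_group_id = aws_security_group.rds.id
  cidr_ipv4         = each.value
  ip_protocol       = "tcp"
  from_port         = 5432
  to_port           = 5432
  description       = "Postgres from EKS subnet ${each.value}"
}

# Attach the group to the instance; keep the database off the internet.
resource "aws_db_instance" "postgres" {
  identifier                  = "app-postgres"
  engine                      = "postgres"
  instance_class              = "db.t3.micro"
  allocated_storage           = 20
  username                    = "app"
  manage_master_user_password = true
  db_subnet_group_name        = var.db_subnet_group_name
  vpc_security_group_ids      = [aws_security_group.rds.id]
  publicly_accessible         = false
  skip_final_snapshot         = true
}
```

`terraform plan` run twice against this shows no changes on the second run, which is the idempotency the nslookup approach loses.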