fix: restrict runner security group to only ingress (#3564)

Runner security group is currently open.

This patch removes the default ingress rule security group to deny
everything.

More info on [this
documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group#removing-all-ingress-and-egress-rules).

modules/runners/main.tf

@@ -197,6 +197,8 @@ resource "aws_security_group" "runner_sg" {
 
   vpc_id = var.vpc_id
 
+  ingress = []
+
   dynamic "egress" {
     for_each = var.egress_rules
     iterator = each