diff --git a/common/ports.tf b/common/ports.tf
index a603624..0896524 100644
--- a/common/ports.tf
+++ b/common/ports.tf
@@ -1,5 +1,5 @@
 locals {
- ports = var.ingress_port_list
+ ports = []
 ingress_networks = var.ingress_networks
 egress_networks = var.egress_networks
@@ -7,14 +7,30 @@ locals {
 ingress_sg = var.ingress_security_groups
 egress_sg = var.egress_security_groups
+ # ports
 p_fields = ["from", "to", "proto", "description", "cidr"]
- # p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map
- p_map = length(var.ingress_port_list) > 0 ? [for p in compact(concat(local.ports, var.ingress_port_list)) : zipmap(local.p_fields, p)] : [for p in local.ports : zipmap(local.p_fields, p)]
- port_map = { "external" = compact(concat(local.p_map, var.ingress_port_map)) }
+ p_list1 = length(local.ports) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : []
+ p_list2 = length(var.ingress_port_list) > 0 ? [for p in var.ingress_port_list : zipmap(local.p_fields, p)] : []
+ p_list3 = length(var.ingress_port_map) > 0 ? var.ingress_port_map : []
- p_self_fields = ["from", "to", "proto", "description"]
- self_port_list = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"]
- self_port_map = compact(concat(local.self_port_list, var.ingress_self_port_map))
+ port_map = {
+ "external" = []
+ "module_ports" = p_list1
+ "ingress_ports" = p_list2
+ "ingress_map" = p_list3
+ }
+
+ # self ports
+ p_self_fields = ["from", "to", "proto", "description"]
+ sp_list1 = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : []
+ sp_list2 = length(var.ingress_self_port_map) > 0 ? var.ingress_self_port_map : []
+ sp_list3 = local._defaults["self_port_list"]
+
+ self_port_map = {
+ "ingress_ports" = sp_list1
+ "ingress_map" = sp_list2
+ "default" = sp_list3
+ }
 }
 # locals {
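Review bot: `sp_list3 = local._defaults["self_port_list"]` in the second hunk is unconditional, so the default self rule is now always emitted next to whatever the caller passes in `ingress_self_port_list` / `ingress_self_port_map`, whereas the removed `self_port_list` only fell back to the default when the caller's list was empty. If `_defaults["self_port_list"]` is an all-ports/all-protocols entry like the README's default for `ingress_self_port_list` (`[0, 0, -1, "all"]`), a caller who supplies a narrower self list no longer narrows anything — the wide rule is still created. To keep the old semantics: `sp_list3 = length(var.ingress_self_port_list) == 0 && length(var.ingress_self_port_map) == 0 ? local._defaults["self_port_list"] : []`. The same line appears in custom/ports.tf (`@@ -7,13 +7,28 @@`) and sas/ports.tf (`@@ -33,19 +33,34 @@`). The `length(...) > 0 ? [for ...] : []` guards on the p_list/sp_list lines are no-ops, since a `for` over an empty list already yields `[]`.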
@@ -46,3 +62,5 @@ locals {
 # }
 #
 #
+
+
diff --git a/common/resources.tf b/common/resources.tf
index 560ad3a..d6ac551 100644
--- a/common/resources.tf
+++ b/common/resources.tf
@@ -11,6 +11,9 @@ resource "aws_security_group" "this_security_group" {
 description = var.description
 vpc_id = var.vpc_id
+ #---
+ # ingress
+ #---
 # ingresss external port list (list + vpc if enabaled)
 dynamic "ingress" {
 for_each = local.port_map["external"]
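Review bot: The block headed "ingresss external port list" that this hunk's new section banner sits above can no longer produce a rule, because every ports.tf in this commit now sets `port_map["external"] = []`. Either drop the block or mark it so the next reader does not look for where "external" ports are fed in, e.g. `# "external" is currently always empty; rules come from the module/ingress lists below`. The `aws_security_group` resource starts before and continues past the hunk.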
@@ -24,6 +27,45 @@ resource "aws_security_group" "this_security_group" {
 }
 }
+ # ingress module-defined ports
+ dynamic "ingress" {
+ for_each = local.port_map["module_ports"]
+ iterator = p
+ content {
+ description = "${local.short_description}: ${p.value["description"]}"
+ from_port = p.value["from"]
+ to_port = p.value["to"]
+ protocol = p.value["proto"]
+ cidr_blocks = length(p.value["cidr"]) == 0 ? distinct(flatten(compact(concat(local.external_ingress_networks, var.ingress_networks)))) : distinct(flatten(compact(concat(p.value["cidr"], var.ingress_networks))))
+ }
+ }
+
+ # ingress_ports
+ dynamic "ingress" {
+ for_each = local.port_map["ingress_ports"]
+ iterator = p
+ content {
+ description = "${local.short_description}: ${p.value["description"]}"
+ from_port = p.value["from"]
+ to_port = p.value["to"]
+ protocol = p.value["proto"]
+ cidr_blocks = length(p.value["cidr"]) == 0 ? distinct(flatten(compact(concat(local.external_ingress_networks, var.ingress_networks)))) : distinct(flatten(compact(concat(p.value["cidr"], var.ingress_networks))))
+ }
+ }
+
+ # ingress map
+ dynamic "ingress" {
+ for_each = local.port_map["ingress_ports"]
+ iterator = p
+ content {
+ description = "${local.short_description}: ${p.value["description"]}"
+ from_port = p.value["from"]
+ to_port = p.value["to"]
+ protocol = p.value["proto"]
+ cidr_blocks = length(p.value["cidr"]) == 0 ? distinct(flatten(compact(concat(local.external_ingress_networks, var.ingress_networks)))) : distinct(flatten(compact(concat(p.value["cidr"], var.ingress_networks))))
+ }
+ }
+
 # ingress security group ids (all)
 dynamic "ingress" {
 for_each = local.ingress_sg
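Review bot: The third block (`# ingress map`) iterates `local.port_map["ingress_ports"]` a second time instead of `local.port_map["ingress_map"]`, so entries from `var.ingress_port_map` never become rules while the `ingress_ports` entries are emitted twice; the fix is `for_each = local.port_map["ingress_map"]`. Since all three bodies are identical, one `dynamic "ingress"` over `concat(local.port_map["module_ports"], local.port_map["ingress_ports"], local.port_map["ingress_map"])` would remove the copy-paste that produced this slip (the old code already concatenated these lists, so the element types should unify). Note also that an entry whose `cidr` is `[]` is not skipped but opened to `local.external_ingress_networks` plus `var.ingress_networks`; if that widening is intended, say so above the block, e.g. `# empty cidr => fall back to the module's external ingress networks`, so callers do not treat an empty list as "no source". The enclosing resource starts before and continues past the hunk.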
@@ -37,9 +79,38 @@ resource "aws_security_group" "this_security_group" {
 }
 }
- # ingress self (list with one or zero items)
+ #---
+ # ingress self
+ #---
+ # ingress self port list
+ dynamic "ingress" {
+ for_each = var.enable_self ? local.self_port_map["ingress_ports"] : []
+ iterator = sg
+ content {
+ description = "${local.short_description}: self ${sg.value["description"]}"
+ from_port = sg.value["from"]
+ to_port = sg.value["to"]
+ protocol = sg.value["proto"]
+ self = true
+ }
+ }
+
+ # ingress self port map
+ dynamic "ingress" {
+ for_each = var.enable_self ? local.self_port_map["ingress_map"] : []
+ iterator = sg
+ content {
+ description = "${local.short_description}: self ${sg.value["description"]}"
+ from_port = sg.value["from"]
+ to_port = sg.value["to"]
+ protocol = sg.value["proto"]
+ self = true
+ }
+ }
+
+ # ingress self port default
 dynamic "ingress" {
- for_each = var.enable_self ? local.self_port_map : []
+ for_each = var.enable_self ? local.self_port_map["default"] : []
 iterator = sg
 content {
 description = "${local.short_description}: self ${sg.value["description"]}"
@@ -50,6 +121,9 @@ resource "aws_security_group" "this_security_group" {
 }
 }
+ #---
+ # egress
+ #---
 # egress all
 egress {
 description = "${local.short_description}: All"
diff --git a/custom/ports.tf b/custom/ports.tf
index 7b5c97e..ece32b8 100644
--- a/custom/ports.tf
+++ b/custom/ports.tf
@@ -1,5 +1,5 @@
 locals {
- ports = [[]]
+ ports = []
 ingress_networks = var.ingress_networks
 egress_networks = var.egress_networks
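Review bot: The three self blocks in the first hunk differ only in the `self_port_map` key they iterate, so a single `dynamic "ingress"` with `for_each = var.enable_self ? concat(local.self_port_map["ingress_ports"], local.self_port_map["ingress_map"], local.self_port_map["default"]) : []` would replace them and keep the rule body in one place. Because `default` is now rendered alongside the caller's lists, a caller-supplied 4-tuple equal to the default yields the same rule from two blocks; the AWS provider appears to model inline ingress as a set, so this likely collapses rather than fails, but the plan output will be confusing and worth a comment. The `aws_security_group` resource begins before and ends after the hunk.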
@@ -7,13 +7,28 @@ locals {
 ingress_sg = var.ingress_security_groups
 egress_sg = var.egress_security_groups
+ # ports
 p_fields = ["from", "to", "proto", "description", "cidr"]
- # p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map
- port_source = length(var.ingress_port_list) > 0 ? tolist(var.ingress_port_list) : tolist(local.ports)
- p_map = [for p in local.port_source : zipmap(local.p_fields, p)]
- port_map = { "external" = compact(concat(local.p_map, tolist(var.ingress_port_map))) }
+ p_list1 = length(local.ports) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : []
+ p_list2 = length(var.ingress_port_list) > 0 ? [for p in var.ingress_port_list : zipmap(local.p_fields, p)] : []
+ p_list3 = length(var.ingress_port_map) > 0 ? var.ingress_port_map : []
- p_self_fields = ["from", "to", "proto", "description"]
- self_port_list = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"]
- self_port_map = compact(concat(local.self_port_list, tolist(var.ingress_self_port_map)))
+ port_map = {
+ "external" = []
+ "module_ports" = p_list1
+ "ingress_ports" = p_list2
+ "ingress_map" = p_list3
+ }
+
+ # self ports
+ p_self_fields = ["from", "to", "proto", "description"]
+ sp_list1 = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : []
+ sp_list2 = length(var.ingress_self_port_map) > 0 ? var.ingress_self_port_map : []
+ sp_list3 = local._defaults["self_port_list"]
+
+ self_port_map = {
+ "ingress_ports" = sp_list1
+ "ingress_map" = sp_list2
+ "default" = sp_list3
+ }
 }
diff --git a/sas/README.md b/sas/README.md
index 8d294d4..5f237db 100644
--- a/sas/README.md
+++ b/sas/README.md
@@ -104,10 +104,10 @@ No modules. | [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | | [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no | -| [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` | `[]` | no | +| [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` |
[| no | | [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) |
[]
]
list(object({
from = number
to = number
proto = any
description = string
cidr = list(string)
})) | `[]` | no |
| [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no |
-| [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` | [| no | +| [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` |
[
0,
0,
-1,
"all"
]
]
[| no | | [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description |
[]
]
list(object({
from = number
to = number
proto = any
description = string
})) | `[]` | no |
| [name](#input\_name) | Security Group Name | `string` | `""` | no |
| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `""` | no |
diff --git a/sas/ports.tf b/sas/ports.tf
index b9bfc01..57526a9 100644
--- a/sas/ports.tf
+++ b/sas/ports.tf
@@ -33,19 +33,34 @@ locals {
[9831, 9841, "tcp", "Data Remediation", local.networks["all"], ["external"]],
]
-
ingress_networks = var.ingress_networks
egress_networks = var.egress_networks
ingress_sg = var.ingress_security_groups
egress_sg = var.egress_security_groups
+ # ports
p_fields = ["from", "to", "proto", "description", "cidr"]
- # p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map
- p_map = length(var.ingress_port_list) > 0 ? [for p in concat(local.ports, var.ingress_port_list) : zipmap(local.p_fields, p)] : [for p in local.ports : zipmap(local.p_fields, p)]
- port_map = { "external" = compact(concat(local.p_map, var.ingress_port_map)) }
+ p_list1 = length(local.ports) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : []
+ p_list2 = length(var.ingress_port_list) > 0 ? [for p in var.ingress_port_list : zipmap(local.p_fields, p)] : []
+ p_list3 = length(var.ingress_port_map) > 0 ? var.ingress_port_map : []
+
+ port_map = {
+ "external" = []
+ "module_ports" = p_list1
+ "ingress_ports" = p_list2
+ "ingress_map" = p_list3
+ }
- p_self_fields = ["from", "to", "proto", "description"]
- self_port_list = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"]
- self_port_map = compact(concat(local.self_port_list, var.ingress_self_port_map))
+ # self ports
+ p_self_fields = ["from", "to", "proto", "description"]
+ sp_list1 = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : []
+ sp_list2 = length(var.ingress_self_port_map) > 0 ? var.ingress_self_port_map : []
+ sp_list3 = local._defaults["self_port_list"]
+
+ self_port_map = {
+ "ingress_ports" = sp_list1
+ "ingress_map" = sp_list2
+ "default" = sp_list3
+ }
}
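Review bot: `p_list1` zips `local.ports` against the five names in `p_fields`, but the one entry of `local.ports` visible at the top of the hunk (`[9831, 9841, "tcp", "Data Remediation", local.networks["all"], ["external"]]`) has six elements, and `zipmap` requires both lists to be the same length — unless the other entries differ or I am misreading the list, this fails at plan time. The shape predates the commit, but the new `p_list1` keeps the mismatch; either add the sixth field name to `p_fields` or zip only the named prefix, `[for p in local.ports : zipmap(local.p_fields, slice(p, 0, length(local.p_fields)))]`. Separately, `p_list3 = length(var.ingress_port_map) > 0 ? var.ingress_port_map : []` guards nothing, since the variable is already a list; `p_list3 = var.ingress_port_map` reads the same and the same applies to `sp_list2`.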