diff --git a/common/ports.tf b/common/ports.tf
index ebb8931..c1a1164 100644
--- a/common/ports.tf
+++ b/common/ports.tf
@@ -1,37 +1,48 @@
-# ports = list of list of
-# from_port
-# to_port
-# proto
-# description
-# cidr_block
-# list of: all, external (more added as needed)
-
-# example only. Use your own values as appropraite
-
 locals {
- n_all = ["0.0.0.0/0"]
- n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
- source_groups = ["all", "external"]
-
- ports = [
- [80, 80, "tcp", "http", local.n_census, ["external"]],
- [443, 443, "tcp", "https", local.n_census, ["external"]],
- [8080, 8080, "tcp", "Tomcat-http", local.n_census, ["external"]],
- [8443, 8443, "tcp", "Tomcat-https", local.n_census, ["external"]],
- ]
+ ports = var.ingress_port_list
 
- # ingress_networks = var.ingress_networks
- ingress_networks = []
- # egress_networks = var.egress_networks
- egress_networks = local.n_all
+ ingress_networks = var.ingress_networks
+ egress_networks = var.egress_networks
 
- # these are ignored
 ingress_sg = var.ingress_security_groups
 egress_sg = var.egress_security_groups
 
- p_fields = ["from", "to", "proto", "description", "cidr", "source_group"]
- p_map = [for p in local.ports : zipmap(local.p_fields, p)]
- port_map = { for s in local.source_groups :
- s => [for p in local.p_map : p if contains(p["source_group"], s)]
- }
+ p_fields = ["from", "to", "proto", "description", "cidr"]
+ # p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map
+ p_map = length(var.ingress_port_list) > 0 ? [for p in compress(concat(local.ports, var.ingress_port_list)) : zipmap(local.p_fields, p)] : [for p in local.ports : zipmap(local.p_fields, p)]
+ port_map = { "external" = compress(concat(local.p_map, var.ingress_port_map)) }
+
+ p_self_fields = ["from", "to", "proto", "description"]
+ self_port_list = length(var.ingress_self_port_list) > 0 ? 
[for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"]
+ self_port_map = compress(concat(local.self_port_list, var.ingress_self_port_map))
 }
+
+# locals {
+# n_all = ["0.0.0.0/0"]
+# n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+# source_groups = ["all", "external"]
+#
+# ports = [
+# [80, 80, "tcp", "http", local.n_census, ["external"]],
+# [443, 443, "tcp", "https", local.n_census, ["external"]],
+# [8080, 8080, "tcp", "Tomcat-http", local.n_census, ["external"]],
+# [8443, 8443, "tcp", "Tomcat-https", local.n_census, ["external"]],
+# ]
+#
+# # ingress_networks = var.ingress_networks
+# ingress_networks = []
+# # egress_networks = var.egress_networks
+# egress_networks = local.n_all
+#
+# # these are ignored
+# ingress_sg = var.ingress_security_groups
+# egress_sg = var.egress_security_groups
+#
+# p_fields = ["from", "to", "proto", "description", "cidr", "source_group"]
+# p_map = [for p in local.ports : zipmap(local.p_fields, p)]
+# port_map = { for s in local.source_groups :
+# s => [for p in local.p_map : p if contains(p["source_group"], s)]
+# }
+# }
+#
+#
diff --git a/common/resources.tf b/common/resources.tf
index 44311a3..6f64276 100644
--- a/common/resources.tf
+++ b/common/resources.tf
@@ -39,7 +39,7 @@ resource "aws_security_group" "this_security_group" {
 # ingress self (list with one or zero items)
 dynamic "ingress" {
- for_each = local.self
+ for_each = local.self_port_map
 iterator = sg
 content {
 description = "${local.short_description}: self ${sg.value["description"]}"
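Review bot: Replacing the hard-coded `ingress_networks = []` with `ingress_networks = var.ingress_networks` moves the module from deny-all ingress by default to whatever the caller supplies, and the variable's default and validation are not in this hunk, so please confirm `ingress_networks` defaults to `[]` and carries a `validation` block that rejects `0.0.0.0/0`, so that an omitted input stays fail-closed. `compress(...)` is not a function I recognise among Terraform's builtins (`compact` drops empty entries, `distinct` drops duplicates), so the `p_map`, `port_map` and `self_port_map` lines will presumably fail at plan time unless it is a provider-defined function. The `p_map` conditional is also redundant as written: `local.ports` is already `var.ingress_port_list`, so `concat(local.ports, var.ingress_port_list)` appends the list to itself and both branches reduce to `p_map = [for p in local.ports : zipmap(local.p_fields, p)]`. `local._defaults["self_port_list"]` is referenced by `self_port_list` but no `_defaults` local is defined in this hunk, and the commented-out copy of the old locals block appended after the `locals` block duplicates what git history already keeps and should be dropped along with the commented `# p_map = ...` line.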