diff --git a/emr/README.md b/emr/README.md
index 1f4ea94..490056a 100644
--- a/emr/README.md
+++ b/emr/README.md
@@ -57,6 +57,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_security_group.sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_vpc_security_group_ingress_rule.security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [aws_vpc_security_group_ingress_rule.self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
diff --git a/emr/main.tf b/emr/main.tf
index 3d76e4f..7421006 100644
--- a/emr/main.tf
+++ b/emr/main.tf
@@ -74,7 +74,11 @@ locals {
 label = format("%v:%v:%v", k, i.from, i.proto)
 cidr_blocks = try(i.cidr_blocks, null) == "incoming" ? local.ingress_networks : []
 }) }]
- # sg3 = [ for x in local.sg2: k => merge(v,
+ sg3 = [for k, v in local.sg : { for i in try(v.ingress_security_groups, []) : format("%v:%v", k, i) => merge(v, {
+ key = k,
+ label = format("%v:%v", k, i)
+ security_group_name = i
+ }) }]
 }
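Review bot: `local.sg3` as written is a list whose elements are maps (the inner `{ for i in … : format("%v:%v", k, i) => merge(v, {…}) }`), so the consumer added in the next main.tf hunk, `for x in local.sg3 : x.label => x`, would look up a map key named `label` instead of the merged object's attribute and fail at plan time unless the shape is flattened somewhere out of view. Building a flat list here keeps that consumer as written: `sg3 = flatten([for k, v in local.sg : [for i in try(v.ingress_security_groups, []) : merge(v, { key = k, label = format("%v:%v", k, i), security_group_name = i })]])`. The removed comment referred to `local.sg2`, which appears to use the same nested shape, so its consumer is worth checking as well. The `locals` block starts before this hunk.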
@@ -117,16 +121,26 @@ resource "aws_security_group" "sg" {
 # self
 resource "aws_vpc_security_group_ingress_rule" "self" {
- for_each = { for k, v in local.sg : k => v.id if try(local.sg[k].self, false) }
-
- security_group_id = aws_security_group.example.id
- description = "self"
- from_port = 0
- to_port = 0
- protocol = -1
- self = true
+ for_each = { for k, v in local.sg : k => aws_security_group.sg[k].id if try(v.self, false) }
+
+ security_group_id = each.value
+ description = "self"
+ from_port = 0
+ to_port = 0
+ ip_protocol = -1
+ referenced_security_group_id = each.value
 }
+resource "aws_vpc_security_group_ingress_rule" "security_group" {
+ for_each = { for x in local.sg3 : x.label => x }
+
+ security_group_id = aws_security_group.sg[each.value.key].id
+ description = "self"
+ from_port = 0
+ to_port = 0
+ ip_protocol = -1
+ referenced_security_group_id = aws_security_group.sg[each.value.security_group_name].id
+}
 ##
 # ingress with prefix lists
 ##
 dynamic "ingress" {
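Review bot: `description = "self"` on the new `security_group` rule is copied from the self rule above and mislabels a cross-group grant, which matters because the description is what an auditor sees when reviewing the group's rules; `description = format("from %v", each.value.security_group_name)` would record the actual source group. Both rules also pass `from_port = 0` / `to_port = 0` together with `ip_protocol = -1`; that was the idiom for the old inline `ingress` block, but on `aws_vpc_security_group_ingress_rule` the port attributes are optional and the all-traffic form is normally written with them omitted, so confirm the provider version in use accepts the combination. Since each rule admits every port and protocol from the referenced group, a comment on the resource (and the module's input docs) should state that `ingress_security_groups` grants full access rather than a port-scoped one. The `dynamic "ingress"` block at the end continues outside the hunk.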