From 0ac74a399a654c5d3ac4bd73f2d1df5f4dc06d99 Mon Sep 17 00:00:00 2001 From: badra001 Date: Mon, 25 Oct 2021 10:38:32 -0400 Subject: [PATCH 01/16] add ingress self port list --- CHANGELOG.md | 4 ++++ common/README.md | 6 +++++- common/resources.tf | 14 +++++++------- common/variables.common.tf | 4 ++-- common/variables.port_list.tf | 35 +++++++++++++++++++++++++++++++++++ common/version.tf | 2 +- custom/README.md | 4 +++- custom/ports.tf | 6 ++++++ custom/variables.port_list.tf | 1 + custom/variables.tf | 20 -------------------- sas/README.md | 6 +++++- sas/ports.tf | 3 +++ sas/variables.port_list.tf | 1 + 13 files changed, 73 insertions(+), 33 deletions(-) create mode 100644 common/variables.port_list.tf create mode 120000 custom/variables.port_list.tf create mode 120000 sas/variables.port_list.tf diff --git a/CHANGELOG.md b/CHANGELOG.md index b4a9417..0c47590 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,10 @@ - custom - create custom submodule, requires port list passed +* v2.2.1 -- 20211022 + - custom + - add ingress_self_* option + # OLDER ## web diff --git a/common/README.md b/common/README.md index 6c851f6..f9076de 100644 --- a/common/README.md +++ b/common/README.md @@ -30,11 +30,15 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) | `list(string)` | `[]` | no | +| [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) (default: any) | `list(string)` |
[
"0.0.0.0/0"
]
| no | | [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | | [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no | +| [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` | `[]` | no | +| [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) |
list(object({
from = number
to = number
proto = any
description = string
cidr = list(string)
}))
| `[]` | no | | [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | +| [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` |
[
[
0,
0,
-1,
"all"
]
]
| no | +| [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description |
list(object({
from = number
to = number
proto = any
description = string
}))
| `[]` | no | | [tags](#input\_tags) | Extra security group tags | `map` | `{}` | no | | [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | | [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no | diff --git a/common/resources.tf b/common/resources.tf index 41d3adb..44311a3 100644 --- a/common/resources.tf +++ b/common/resources.tf @@ -3,7 +3,7 @@ locals { external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks)) ingress_sg_names = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name) egress_sg_names = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name) - self = var.enable_self ? [1] : [] + self = var.enable_self ? local.self_ports : [] } resource "aws_security_group" "this_security_group" { @@ -20,7 +20,7 @@ resource "aws_security_group" "this_security_group" { from_port = p.value["from"] to_port = p.value["to"] protocol = p.value["proto"] - cidr_blocks = length(p.value["cidr"]) == 0 ? flatten(compact(concat(local.external_ingress_networks, var.ingress_networks))) : flatten(compact(concat(p.value["cidr"], var.ingress_networks))) + cidr_blocks = length(p.value["cidr"]) == 0 ? distinct(flatten(compact(concat(local.external_ingress_networks, var.ingress_networks)))) : distinct(flatten(compact(concat(p.value["cidr"], var.ingress_networks)))) } } @@ -42,10 +42,10 @@ resource "aws_security_group" "this_security_group" { for_each = local.self iterator = sg content { - description = "${local.short_description}: from self" - from_port = 0 - to_port = 0 - protocol = -1 + description = "${local.short_description}: self ${sg.value["description"]}" + from_port = sg.value["from"] + to_port = sg.value["to"] + protocol = sg.value["proto"] self = true } } 
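Review bot: The self ingress block in the -42,10 hunk now emits one rule per entry of `local.self_ports`, so `enable_self` no longer means "full access" as its description still says ("Enable\|Disable self full access" in the README context above); the two only coincide at the default `[[0, 0, -1, "all"]]`. I would update variables.common.tf to `description = "Enable|Disable self access for the ingress_self_port_list / ingress_self_port_map entries (default: all ports, all protocols)"` and regenerate the README tables. In the -3,7 hunk `local.self_ports` is only defined by custom/ports.tf and sas/ports.tf in this commit, so if common/ is ever validated on its own the new `self` local has no definition; if common/ports.tf is an example only, a comment saying so next to `self` would help. The aws_security_group resource continues outside the hunk.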
@@ -56,7 +56,7 @@ resource "aws_security_group" "this_security_group" { from_port = 0 to_port = 0 protocol = -1 - cidr_blocks = flatten(compact(concat(local.egress_networks, var.egress_networks))) + cidr_blocks = distinct(flatten(compact(concat(local.egress_networks, var.egress_networks)))) } # egress security group ids (all) diff --git a/common/variables.common.tf b/common/variables.common.tf index d001a04..f77bdcd 100644 --- a/common/variables.common.tf +++ b/common/variables.common.tf @@ -17,9 +17,9 @@ variable "ingress_networks" { } variable "egress_networks" { - description = "List of egress networks (with all pre-defined egress ports)" + description = "List of egress networks (with all pre-defined egress ports) (default: any)" type = list(string) - default = [] + default = ["0.0.0.0/0"] } variable "ingress_security_groups" { diff --git a/common/variables.port_list.tf b/common/variables.port_list.tf new file mode 100644 index 0000000..b8ae4d8 --- /dev/null +++ b/common/variables.port_list.tf @@ -0,0 +1,35 @@ +variable "ingress_port_list" { + description = "Ingress port list of 5-tuple: from, to, proto, description, and cidr(list)" + # type = list(tuple([number, number, any, string, list])) + default = [] +} + +variable "ingress_port_map" { + description = "Ingress port list of objects: from, to, proto, description and cidr(list)" + type = list(object({ + from = number + to = number + proto = any + description = string + cidr = list(string) + })) + default = [] +} + +variable "ingress_self_port_list" { + description = "Ingress port list of 4-tuple: from, to, proto, description" + # type = list(tuple([number, number, any, string])) + default = [[0, 0, -1, "all"]] +} + +variable "ingress_self_port_map" { + description = "Ingress self access port list of objects: from, to, proto, description" + type = list(object({ + from = number + to = number + proto = any + description = string + })) + default = [] +} + 
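Review bot: Changing the `egress_networks` default from `[]` to `["0.0.0.0/0"]` in the variables.common.tf hunk widens the default outbound posture for every consumer of custom/ and sas/ (their ports.tf pass `var.egress_networks` straight through), and the egress rule in the -56,7 hunk is from_port 0, to_port 0, protocol -1, so a user who never set the variable now gets unrestricted egress. That is a behaviour change rather than a documentation tweak, yet the CHANGELOG entry in this commit mentions only the `ingress_self_*` option (it also records v2.2.1 while version.tf is bumped to 2.2.2). I would record it in the changelog and make the description explicit, e.g. `description = "List of egress networks for the all-ports egress rule; defaults to 0.0.0.0/0 (any) - set explicitly to restrict outbound"`, and state whether an empty list is still a supported way to emit a rule with no egress CIDRs.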
diff --git a/common/version.tf b/common/version.tf index d3e2658..548c682 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "2.2.0" + _module_version = "2.2.2" } diff --git a/custom/README.md b/custom/README.md index 5fb675f..78c68c5 100644 --- a/custom/README.md +++ b/custom/README.md @@ -94,13 +94,15 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [description](#input\_description) | Security Group Description | `string` | `""` | no | -| [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) | `list(string)` | `[]` | no | +| [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) (default: any) | `list(string)` |
[
"0.0.0.0/0"
]
| no | | [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | | [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no | | [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` | `[]` | no | | [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) |
list(object({
from = number
to = number
proto = any
description = string
cidr = list(string)
}))
| `[]` | no | | [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | +| [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` |
[
[
0,
0,
-1,
"all"
]
]
| no | +| [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description |
list(object({
from = number
to = number
proto = any
description = string
}))
| `[]` | no | | [name](#input\_name) | Security Group Name (required) | `string` | n/a | yes | | [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `""` | no | | [tags](#input\_tags) | Extra security group tags | `map` | `{}` | no | diff --git a/custom/ports.tf b/custom/ports.tf index 554dbd1..75e7619 100644 --- a/custom/ports.tf +++ b/custom/ports.tf @@ -11,4 +11,10 @@ locals { p_fields = ["from", "to", "proto", "description", "cidr"] p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map port_map = { "external" = local.p_map } + + # ingres + #variables.port_list.tf:variable "ingress_self_port_list" { + #variables.port_list.tf:variable "ingress_self_port_map" { + self_port_list = [{ from = 0, to = 0, proto = -1, description = "all" }] + self_ports = local.self_port_list } diff --git a/custom/variables.port_list.tf b/custom/variables.port_list.tf new file mode 120000 index 0000000..d95b5f4 --- /dev/null +++ b/custom/variables.port_list.tf @@ -0,0 +1 @@ +../common/variables.port_list.tf \ No newline at end of file diff --git a/custom/variables.tf b/custom/variables.tf index 4297e14..408b982 100644 --- a/custom/variables.tf +++ b/custom/variables.tf @@ -14,23 +14,3 @@ variable "short_description" { type = string default = "" } - - -variable "ingress_port_list" { - description = "Ingress port list of 5-tuple: from, to, proto, description, and cidr(list)" - # type = list(tuple([number, number, any, string, list])) - default = [] -} - -variable "ingress_port_map" { - description = "Ingress port list of objects: from, to, proto, description and cidr(list)" - type = list(object({ - from = number - to = number - proto = any - description = string - cidr = list(string) - })) - default = [] -} - diff --git a/sas/README.md b/sas/README.md index 6881ff9..8d294d4 100644 --- a/sas/README.md +++ b/sas/README.md 
@@ -100,11 +100,15 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [description](#input\_description) | Security Group Description | `string` | `""` | no | -| [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) | `list(string)` | `[]` | no | +| [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) (default: any) | `list(string)` |
[
"0.0.0.0/0"
]
| no | | [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | | [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no | +| [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` | `[]` | no | +| [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) |
list(object({
from = number
to = number
proto = any
description = string
cidr = list(string)
}))
| `[]` | no | | [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | +| [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` |
[
[
0,
0,
-1,
"all"
]
]
| no | +| [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description |
list(object({
from = number
to = number
proto = any
description = string
}))
| `[]` | no | | [name](#input\_name) | Security Group Name | `string` | `""` | no | | [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `""` | no | | [tags](#input\_tags) | Extra security group tags | `map` | `{}` | no | diff --git a/sas/ports.tf b/sas/ports.tf index 9dd888d..3cc43f1 100644 --- a/sas/ports.tf +++ b/sas/ports.tf @@ -45,4 +45,7 @@ locals { port_map = { for s in local.source_groups : s => [for p in local.p_map : p if contains(p["source_group"], s)] } + + self_port_list = [{ from = 0, to = 0, proto = -1, description = "all" }] + self_ports = local.self_port_list } diff --git a/sas/variables.port_list.tf b/sas/variables.port_list.tf new file mode 120000 index 0000000..d95b5f4 --- /dev/null +++ b/sas/variables.port_list.tf @@ -0,0 +1 @@ +../common/variables.port_list.tf \ No newline at end of file From 29e7608cc5c1cf490ce8febe815d22b88f9a9801 Mon Sep 17 00:00:00 2001 From: badra001 Date: Mon, 25 Oct 2021 11:01:36 -0400 Subject: [PATCH 02/16] refine the self stuff --- common/ports.tf | 71 ++++++++++++++++++++++++++------------------- common/resources.tf | 2 +- 2 files changed, 42 insertions(+), 31 deletions(-) diff --git a/common/ports.tf b/common/ports.tf index ebb8931..c1a1164 100644 --- a/common/ports.tf +++ b/common/ports.tf 
@@ -1,37 +1,48 @@ -# ports = list of list of -# from_port -# to_port -# proto -# description -# cidr_block -# list of: all, external (more added as needed) - -# example only. Use your own values as appropraite - locals { - n_all = ["0.0.0.0/0"] - n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"] - source_groups = ["all", "external"] - - ports = [ - [80, 80, "tcp", "http", local.n_census, ["external"]], - [443, 443, "tcp", "https", local.n_census, ["external"]], - [8080, 8080, "tcp", "Tomcat-http", local.n_census, ["external"]], - [8443, 8443, "tcp", "Tomcat-https", local.n_census, ["external"]], - ] + ports = var.ingress_port_list - # ingress_networks = var.ingress_networks - ingress_networks = [] - # egress_networks = var.egress_networks - egress_networks = local.n_all + ingress_networks = var.ingress_networks + egress_networks = var.egress_networks - # these are ignored ingress_sg = var.ingress_security_groups egress_sg = var.egress_security_groups - p_fields = ["from", "to", "proto", "description", "cidr", "source_group"] - p_map = [for p in local.ports : zipmap(local.p_fields, p)] - port_map = { for s in local.source_groups : - s => [for p in local.p_map : p if contains(p["source_group"], s)] - } + p_fields = ["from", "to", "proto", "description", "cidr"] + # p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map + p_map = length(var.ingress_port_list) > 0 ? [for p in compress(concat(local.ports, var.ingress_port_list)) : zipmap(local.p_fields, p)] : [for p in local.ports : zipmap(local.p_fields, p)] + port_map = { "external" = compress(concat(local.p_map, var.ingress_port_map)) } + + p_self_fields = ["from", "to", "proto", "description"] + self_port_list = length(var.ingress_self_port_list) > 0 ? 
[for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"] + self_port_map = compress(concat(local.self_port_list, var.ingress_self_port_map)) } + +# locals { +# n_all = ["0.0.0.0/0"] +# n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"] +# source_groups = ["all", "external"] +# +# ports = [ +# [80, 80, "tcp", "http", local.n_census, ["external"]], +# [443, 443, "tcp", "https", local.n_census, ["external"]], +# [8080, 8080, "tcp", "Tomcat-http", local.n_census, ["external"]], +# [8443, 8443, "tcp", "Tomcat-https", local.n_census, ["external"]], +# ] +# +# # ingress_networks = var.ingress_networks +# ingress_networks = [] +# # egress_networks = var.egress_networks +# egress_networks = local.n_all +# +# # these are ignored +# ingress_sg = var.ingress_security_groups +# egress_sg = var.egress_security_groups +# +# p_fields = ["from", "to", "proto", "description", "cidr", "source_group"] +# p_map = [for p in local.ports : zipmap(local.p_fields, p)] +# port_map = { for s in local.source_groups : +# s => [for p in local.p_map : p if contains(p["source_group"], s)] +# } +# } +# +# diff --git a/common/resources.tf b/common/resources.tf index 44311a3..6f64276 100644 --- a/common/resources.tf +++ b/common/resources.tf @@ -39,7 +39,7 @@ resource "aws_security_group" "this_security_group" { # ingress self (list with one or zero items) dynamic "ingress" { - for_each = local.self + for_each = local.self_port_map iterator = sg content { description = "${local.short_description}: self ${sg.value["description"]}" From 1639f69a415f96fc6c169e75c746b5ad1540bf53 Mon Sep 17 00:00:00 2001 From: badra001 Date: Mon, 25 Oct 2021 11:10:41 -0400 Subject: [PATCH 03/16] update self port list --- custom/README.md | 5 ++++- custom/defaults.tf | 1 + custom/main.tf | 5 ++++- custom/ports.tf | 11 ++++------- 4 files changed, 13 insertions(+), 9 deletions(-) 
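Review bot: `p_map` concatenates `local.ports` with `var.ingress_port_list`, but `ports = var.ingress_port_list` a few lines up in the same hunk, so every supplied tuple is zipmapped twice and each port produces a duplicate ingress rule when the list is non-empty. The `compress()` wrapped around it and around `port_map`/`self_port_map` is not a Terraform built-in, so these lines do not plan at all as written. I would drop the self-concat: `p_map = [for p in local.ports : zipmap(local.p_fields, p)]` makes both branches of the ternary identical and the ternary can go. `local._defaults["self_port_list"]` is referenced here but no common/defaults.tf is touched in this commit; presumably it is expected from the submodules' defaults.tf, which is worth a comment on that line.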
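Review bot: The context comment `# ingress self (list with one or zero items)` above the changed `for_each` is now wrong: `local.self_port_map` carries one entry per self port and the dynamic block emits one ingress rule per entry, so several rules are produced as soon as a user supplies a list. I would change it to `# ingress self: one rule per entry of local.self_port_map`. The same stale comment is carried as context in the PATCH 05 and PATCH 07 hunks of this file and is not corrected there either. The dynamic "ingress" block continues outside the hunk.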
diff --git a/custom/README.md b/custom/README.md index 78c68c5..88c7003 100644 --- a/custom/README.md +++ b/custom/README.md @@ -4,7 +4,10 @@ This describes how to use the aws-common-security-groups submodule for custom. for the common security groups to a set of ports of your own doing. You will need to provide a `ingress_port_list` list of the details, or a `ingress_port_map` which allows for a cleaner structure. -This creates an egress rule permitting all outbound access. +This creates an egress rule permitting all outbound access. If you provide both, it will combine the lists. + +You may also provide `ingress_self_port_list` and/or `ingress_self_port_map`, which contains the same fields +as the `ingress_port_list` excluding the final `cidr` field. Again, if both are provided, they will be combined. # Usage ## Port list diff --git a/custom/defaults.tf b/custom/defaults.tf index d314d14..3488bba 100644 --- a/custom/defaults.tf +++ b/custom/defaults.tf @@ -3,5 +3,6 @@ locals { name = "{{ name }}" description = "Security group for application" short_description = "SG" + self_port_list = [{ from = 0, to = 0, proto = -1, description = "all" }] } } diff --git a/custom/main.tf b/custom/main.tf index 751a270..e682c31 100644 --- a/custom/main.tf +++ b/custom/main.tf @@ -5,7 +5,10 @@ * for the common security groups to a set of ports of your own doing. * * You will need to provide a `ingress_port_list` list of the details, or a `ingress_port_map` which allows for a cleaner structure. -* This creates an egress rule permitting all outbound access. +* This creates an egress rule permitting all outbound access. If you provide both, it will combine the lists. +* +* You may also provide `ingress_self_port_list` and/or `ingress_self_port_map`, which contains the same fields +* as the `ingress_port_list` excluding the final `cidr` field. Again, if both are provided, they will be combined. * * # Usage * ## Port list 
diff --git a/custom/ports.tf b/custom/ports.tf index 75e7619..42b13f0 100644 --- a/custom/ports.tf +++ b/custom/ports.tf @@ -4,17 +4,14 @@ locals { ingress_networks = var.ingress_networks egress_networks = var.egress_networks - # these are ignored ingress_sg = var.ingress_security_groups egress_sg = var.egress_security_groups p_fields = ["from", "to", "proto", "description", "cidr"] p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map - port_map = { "external" = local.p_map } + port_map = { "external" = compress(concat(local.p_map, var.ingress_port_map)) } - # ingres - #variables.port_list.tf:variable "ingress_self_port_list" { - #variables.port_list.tf:variable "ingress_self_port_map" { - self_port_list = [{ from = 0, to = 0, proto = -1, description = "all" }] - self_ports = local.self_port_list + p_self_fields = ["from", "to", "proto", "description"] + self_port_list = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"] + self_port_map = compress(concat(local.self_port_list, var.ingress_self_port_map)) } From 0a6294a7785e61722f11b5b32082dfc2a4edcbe0 Mon Sep 17 00:00:00 2001 From: badra001 Date: Mon, 25 Oct 2021 11:12:08 -0400 Subject: [PATCH 04/16] fix --- common/ports.tf | 6 +++--- custom/ports.tf | 4 ++-- sas/ports.tf | 16 ++++++++-------- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/common/ports.tf b/common/ports.tf index c1a1164..27f8207 100644 --- a/common/ports.tf +++ b/common/ports.tf 
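Review bot: In the custom/ports.tf hunk, when `ingress_port_list` is empty `p_map` already evaluates to `var.ingress_port_map`, and the new `port_map` line concatenates it with `var.ingress_port_map` again, so every object-form port appears twice and yields a duplicate ingress rule. Either keep the ternary and drop the concat, or map only the tuple list and merge once: `p_map = [for p in var.ingress_port_list : zipmap(local.p_fields, p)]` followed by `port_map = { "external" = concat(local.p_map, var.ingress_port_map) }`. `compress()` is also not a Terraform function, so both lines using it fail at plan time regardless of the duplication. The `locals` block starts before the hunk.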
@@ -9,12 +9,12 @@ locals { p_fields = ["from", "to", "proto", "description", "cidr"] # p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map - p_map = length(var.ingress_port_list) > 0 ? [for p in compress(concat(local.ports, var.ingress_port_list)) : zipmap(local.p_fields, p)] : [for p in local.ports : zipmap(local.p_fields, p)] - port_map = { "external" = compress(concat(local.p_map, var.ingress_port_map)) } + p_map = length(var.ingress_port_list) > 0 ? [for p in collapse(concat(local.ports, var.ingress_port_list)) : zipmap(local.p_fields, p)] : [for p in local.ports : zipmap(local.p_fields, p)] + port_map = { "external" = collapse(concat(local.p_map, var.ingress_port_map)) } p_self_fields = ["from", "to", "proto", "description"] self_port_list = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"] - self_port_map = compress(concat(local.self_port_list, var.ingress_self_port_map)) + self_port_map = collapse(concat(local.self_port_list, var.ingress_self_port_map)) } # locals { diff --git a/custom/ports.tf b/custom/ports.tf index 42b13f0..8b8a90f 100644 --- a/custom/ports.tf +++ b/custom/ports.tf 
@@ -9,9 +9,9 @@ locals { p_fields = ["from", "to", "proto", "description", "cidr"] p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map - port_map = { "external" = compress(concat(local.p_map, var.ingress_port_map)) } + port_map = { "external" = collapse(concat(local.p_map, var.ingress_port_map)) } p_self_fields = ["from", "to", "proto", "description"] self_port_list = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"] - self_port_map = compress(concat(local.self_port_list, var.ingress_self_port_map)) + self_port_map = collapse(concat(local.self_port_list, var.ingress_self_port_map)) } diff --git a/sas/ports.tf b/sas/ports.tf index 3cc43f1..7a2630a 100644 --- a/sas/ports.tf +++ b/sas/ports.tf 
@@ -33,19 +33,19 @@ locals { [9831, 9841, "tcp", "Data Remediation", local.networks["all"], ["external"]], ] + ingress_networks = var.ingress_networks egress_networks = var.egress_networks - # these are ignored ingress_sg = var.ingress_security_groups egress_sg = var.egress_security_groups - p_fields = ["from", "to", "proto", "description", "cidr", "source_group"] - p_map = [for p in local.ports : zipmap(local.p_fields, p)] - port_map = { for s in local.source_groups : - s => [for p in local.p_map : p if contains(p["source_group"], s)] - } + p_fields = ["from", "to", "proto", "description", "cidr"] + # p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map + p_map = length(var.ingress_port_list) > 0 ? [for p in concat(local.ports, var.ingress_port_list) : zipmap(local.p_fields, p)] : [for p in local.ports : zipmap(local.p_fields, p)] + port_map = { "external" = collapse(concat(local.p_map, var.ingress_port_map)) } - self_port_list = [{ from = 0, to = 0, proto = -1, description = "all" }] - self_ports = local.self_port_list + p_self_fields = ["from", "to", "proto", "description"] + self_port_list = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"] + self_port_map = collapse(concat(local.self_port_list, var.ingress_self_port_map)) } From cab52bc9af7a937fb448ec250544fbbb6e66d03c Mon Sep 17 00:00:00 2001 From: badra001 Date: Mon, 25 Oct 2021 11:15:22 -0400 Subject: [PATCH 05/16] fix --- common/resources.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/common/resources.tf b/common/resources.tf index 6f64276..26f5c4d 100644 --- a/common/resources.tf +++ b/common/resources.tf 
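Review bot: `p_fields` is cut down to five names, but the `ports` tuples above it still carry six elements (the context line `[9831, 9841, "tcp", "Data Remediation", local.networks["all"], ["external"]]` shows the trailing source_group), so `zipmap(local.p_fields, p)` fails on the key/value count mismatch. Dropping the `source_groups` loop also files every predefined port under `"external"` irrespective of its source group, which silently changes which rules are created. If the source_group column is meant to go, strip it from the tuples as well, e.g. `p_map = [for p in local.ports : zipmap(local.p_fields, slice(p, 0, 5))]`; otherwise keep the six-field mapping and the per-group filter. The `ports` list and the `locals` block begin before the hunk.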
@@ -3,7 +3,7 @@ locals { external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks)) ingress_sg_names = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name) egress_sg_names = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name) - self = var.enable_self ? local.self_ports : [] + # self = var.enable_self ? local.self_ports : [] } resource "aws_security_group" "this_security_group" { @@ -39,7 +39,7 @@ resource "aws_security_group" "this_security_group" { # ingress self (list with one or zero items) dynamic "ingress" { - for_each = local.self_port_map + for_each = var.enable_self ? local.self_port_map : {} iterator = sg content { description = "${local.short_description}: self ${sg.value["description"]}" From ef70ec9b9b022c44e464a43a6717845c90fa4b1b Mon Sep 17 00:00:00 2001 From: badra001 Date: Mon, 25 Oct 2021 11:17:04 -0400 Subject: [PATCH 06/16] fix --- common/ports.tf | 6 +++--- custom/ports.tf | 4 ++-- sas/ports.tf | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/common/ports.tf b/common/ports.tf index 27f8207..a603624 100644 --- a/common/ports.tf +++ b/common/ports.tf 
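Review bot: `self` is commented out rather than deleted in the -3,7 hunk, leaving a dead `# self = ...` line among live locals; the series also keeps a thirty-line commented-out `locals` block at the bottom of common/ports.tf from PATCH 02. Git history preserves both, so I would remove the commented-out code instead of carrying it. In the -39,7 hunk the conditional mixes a list (`local.self_port_map`) with a map literal (`{}`), which Terraform rejects as inconsistent result types; PATCH 07 in this series changes it to `[]`.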
@@ -9,12 +9,12 @@ locals { p_fields = ["from", "to", "proto", "description", "cidr"] # p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map - p_map = length(var.ingress_port_list) > 0 ? [for p in collapse(concat(local.ports, var.ingress_port_list)) : zipmap(local.p_fields, p)] : [for p in local.ports : zipmap(local.p_fields, p)] - port_map = { "external" = collapse(concat(local.p_map, var.ingress_port_map)) } + p_map = length(var.ingress_port_list) > 0 ? [for p in compact(concat(local.ports, var.ingress_port_list)) : zipmap(local.p_fields, p)] : [for p in local.ports : zipmap(local.p_fields, p)] + port_map = { "external" = compact(concat(local.p_map, var.ingress_port_map)) } p_self_fields = ["from", "to", "proto", "description"] self_port_list = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"] - self_port_map = collapse(concat(local.self_port_list, var.ingress_self_port_map)) + self_port_map = compact(concat(local.self_port_list, var.ingress_self_port_map)) } # locals { diff --git a/custom/ports.tf b/custom/ports.tf index 8b8a90f..64ff02b 100644 --- a/custom/ports.tf +++ b/custom/ports.tf 
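Review bot: `compact()` accepts only a list of strings, so `compact(concat(local.ports, var.ingress_port_list))`, `compact(concat(local.p_map, var.ingress_port_map))` and the `self_port_map` line fail type-checking on lists of tuples and objects; the matching lines in the custom/ports.tf and sas/ports.tf hunks of this commit have the same problem, so renaming `collapse` to `compact` does not make the expressions valid. If the intent is to drop empty placeholder entries, use a filtered for expression: `p_map = [for p in concat(local.ports, var.ingress_port_list) : zipmap(local.p_fields, p) if length(p) > 0]`, `port_map = { "external" = [for p in concat(local.p_map, var.ingress_port_map) : p if length(p) > 0] }`, and the same shape for `self_port_map`. Note that `concat(local.ports, var.ingress_port_list)` still duplicates every entry here because `ports = var.ingress_port_list` earlier in this file. The `locals` block starts before the hunk.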
@@ -9,9 +9,9 @@ locals { p_fields = ["from", "to", "proto", "description", "cidr"] p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map - port_map = { "external" = collapse(concat(local.p_map, var.ingress_port_map)) } + port_map = { "external" = compact(concat(local.p_map, var.ingress_port_map)) } p_self_fields = ["from", "to", "proto", "description"] self_port_list = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"] - self_port_map = collapse(concat(local.self_port_list, var.ingress_self_port_map)) + self_port_map = compact(concat(local.self_port_list, var.ingress_self_port_map)) } diff --git a/sas/ports.tf b/sas/ports.tf index 7a2630a..b9bfc01 100644 --- a/sas/ports.tf +++ b/sas/ports.tf @@ -43,9 +43,9 @@ locals { p_fields = ["from", "to", "proto", "description", "cidr"] # p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map p_map = length(var.ingress_port_list) > 0 ? [for p in concat(local.ports, var.ingress_port_list) : zipmap(local.p_fields, p)] : [for p in local.ports : zipmap(local.p_fields, p)] - port_map = { "external" = collapse(concat(local.p_map, var.ingress_port_map)) } + port_map = { "external" = compact(concat(local.p_map, var.ingress_port_map)) } p_self_fields = ["from", "to", "proto", "description"] self_port_list = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"] - self_port_map = collapse(concat(local.self_port_list, var.ingress_self_port_map)) + self_port_map = compact(concat(local.self_port_list, var.ingress_self_port_map)) } From 7f467688f1fde26aee2bde87bcb43fe2f2e36e41 Mon Sep 17 00:00:00 2001 
From: badra001 Date: Mon, 25 Oct 2021 11:18:38 -0400 Subject: [PATCH 07/16] fix --- common/resources.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/resources.tf b/common/resources.tf index 26f5c4d..560ad3a 100644 --- a/common/resources.tf +++ b/common/resources.tf @@ -39,7 +39,7 @@ resource "aws_security_group" "this_security_group" { # ingress self (list with one or zero items) dynamic "ingress" { - for_each = var.enable_self ? local.self_port_map : {} + for_each = var.enable_self ? local.self_port_map : [] iterator = sg content { description = "${local.short_description}: self ${sg.value["description"]}" From 9d7fc62cb50886184d4177d7d7d965023605dff5 Mon Sep 17 00:00:00 2001 From: badra001 Date: Mon, 25 Oct 2021 11:29:19 -0400 Subject: [PATCH 08/16] fix --- common/README.md | 6 +++--- common/variables.port_list.tf | 6 +++--- custom/README.md | 6 +++--- custom/ports.tf | 5 +++-- 4 files changed, 12 insertions(+), 11 deletions(-) diff --git a/common/README.md b/common/README.md index f9076de..7eecd34 100644 --- a/common/README.md +++ b/common/README.md @@ -34,11 +34,11 @@ No modules. | [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | | [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no | -| [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` | `[]` | no | -| [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) |
list(object({
from = number
to = number
proto = any
description = string
cidr = list(string)
}))
| `[]` | no | +| [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` |
[
[]
]
| no | +| [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) |
list(object({
from = number
to = number
proto = any
description = string
cidr = list(string)
}))
|
[
{}
]
| no | | [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | | [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` |
[
[
0,
0,
-1,
"all"
]
]
| no | -| [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description |
list(object({
from = number
to = number
proto = any
description = string
}))
| `[]` | no | +| [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description |
list(object({
from = number
to = number
proto = any
description = string
}))
|
[
{}
]
| no | | [tags](#input\_tags) | Extra security group tags | `map` | `{}` | no | | [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | | [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no | diff --git a/common/variables.port_list.tf b/common/variables.port_list.tf index b8ae4d8..93d0041 100644 --- a/common/variables.port_list.tf +++ b/common/variables.port_list.tf @@ -1,7 +1,7 @@ variable "ingress_port_list" { description = "Ingress port list of 5-tuple: from, to, proto, description, and cidr(list)" # type = list(tuple([number, number, any, string, list])) - default = [] + default = [[]] } variable "ingress_port_map" { @@ -13,7 +13,7 @@ variable "ingress_port_map" { description = string cidr = list(string) })) - default = [] + default = [{}] } variable "ingress_self_port_list" { @@ -30,6 +30,6 @@ variable "ingress_self_port_map" { proto = any description = string })) - default = [] + default = [{}] } diff --git a/custom/README.md b/custom/README.md index 88c7003..609dea7 100644 --- a/custom/README.md +++ b/custom/README.md @@ -101,11 +101,11 @@ No modules. | [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | | [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no | -| [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` | `[]` | no | -| [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) |
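Review bot: `default = [[]]` for `ingress_port_list` in the first hunk is not an empty port list but a one-element list holding an empty tuple, so `length(var.ingress_port_list) > 0` is true for a caller that passes nothing, and the final `p_list2` in ports.tf then evaluates `zipmap(local.p_fields, [])`, which zipmap rejects because the key and value counts must match (5 vs 0); `default = []` is the value that means "no ports". `[{}]` in the second and third hunks is the same shape problem for the `list(object({...}))` variables, and an empty object cannot satisfy the declared attributes either. [PATCH 09] reverts the two `[{}]` defaults but leaves `[[]]` on `ingress_port_list` and introduces it on `ingress_self_port_list`, where it also makes the later `length(var.ingress_self_port_list) == 0` fallback to the default self rule unreachable. The sas/README.md hunk in [PATCH 12] documents the `[ [] ]` default, so the READMEs would need regenerating along with the fix.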
list(object({
from = number
to = number
proto = any
description = string
cidr = list(string)
}))
| `[]` | no | +| [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` |
[
[]
]
| no | +| [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) |
list(object({
from = number
to = number
proto = any
description = string
cidr = list(string)
}))
|
[
{}
]
| no | | [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | | [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` |
[
[
0,
0,
-1,
"all"
]
]
| no | -| [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description |
list(object({
from = number
to = number
proto = any
description = string
}))
| `[]` | no | +| [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description |
list(object({
from = number
to = number
proto = any
description = string
}))
|
[
{}
]
| no | | [name](#input\_name) | Security Group Name (required) | `string` | n/a | yes | | [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `""` | no | | [tags](#input\_tags) | Extra security group tags | `map` | `{}` | no | diff --git a/custom/ports.tf b/custom/ports.tf index 64ff02b..7a72c3f 100644 --- a/custom/ports.tf +++ b/custom/ports.tf @@ -1,5 +1,5 @@ locals { - ports = var.ingress_port_list + ports = [[]] ingress_networks = var.ingress_networks egress_networks = var.egress_networks @@ -8,7 +8,8 @@ locals { egress_sg = var.egress_security_groups p_fields = ["from", "to", "proto", "description", "cidr"] - p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map + # p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map + p_map = length(var.ingress_port_list) > 0 ? [for p in flatten(compact(concat(local.ports, var.ingress_port_list))) : zipmap(local.p_fields, p)] : [for p in local.ports : zipmap(local.p_fields, p)] port_map = { "external" = compact(concat(local.p_map, var.ingress_port_map)) } p_self_fields = ["from", "to", "proto", "description"] From e7f27b0b4febf514a35f5453078ecf2e51955229 Mon Sep 17 00:00:00 2001 From: badra001 Date: Mon, 25 Oct 2021 11:31:42 -0400 Subject: [PATCH 09/16] update --- common/README.md | 6 +++--- common/variables.port_list.tf | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/common/README.md b/common/README.md index 7eecd34..5520593 100644 --- a/common/README.md +++ b/common/README.md 
@@ -35,10 +35,10 @@ No modules. | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | | [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no | | [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` |
[
[]
]
| no | -| [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) |
list(object({
from = number
to = number
proto = any
description = string
cidr = list(string)
}))
|
[
{}
]
| no | +| [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) |
list(object({
from = number
to = number
proto = any
description = string
cidr = list(string)
}))
| `[]` | no | | [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | -| [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` |
[
[
0,
0,
-1,
"all"
]
]
| no | -| [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description |
list(object({
from = number
to = number
proto = any
description = string
}))
|
[
{}
]
| no | +| [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` |
[
[]
]
| no | +| [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description |
list(object({
from = number
to = number
proto = any
description = string
}))
| `[]` | no | | [tags](#input\_tags) | Extra security group tags | `map` | `{}` | no | | [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | | [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no | diff --git a/common/variables.port_list.tf b/common/variables.port_list.tf index 93d0041..25b9d58 100644 --- a/common/variables.port_list.tf +++ b/common/variables.port_list.tf @@ -13,13 +13,13 @@ variable "ingress_port_map" { description = string cidr = list(string) })) - default = [{}] + default = [] } variable "ingress_self_port_list" { description = "Ingress port list of 4-tuple: from, to, proto, description" # type = list(tuple([number, number, any, string])) - default = [[0, 0, -1, "all"]] + default = [[]] } variable "ingress_self_port_map" { @@ -30,6 +30,6 @@ variable "ingress_self_port_map" { proto = any description = string })) - default = [{}] + default = [] } From 71839f8e2b6b3b83dcd510efb221ecd4baaa567e Mon Sep 17 00:00:00 2001 From: badra001 Date: Mon, 25 Oct 2021 11:34:51 -0400 Subject: [PATCH 10/16] fix --- custom/README.md | 6 +++--- custom/ports.tf | 5 +++-- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/custom/README.md b/custom/README.md index 609dea7..14241a5 100644 --- a/custom/README.md +++ b/custom/README.md @@ -102,10 +102,10 @@ No modules. | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | | [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no | | [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` |
[
[]
]
| no | -| [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) |
list(object({
from = number
to = number
proto = any
description = string
cidr = list(string)
}))
|
[
{}
]
| no | +| [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) |
list(object({
from = number
to = number
proto = any
description = string
cidr = list(string)
}))
| `[]` | no | | [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | -| [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` |
[
[
0,
0,
-1,
"all"
]
]
| no | -| [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description |
list(object({
from = number
to = number
proto = any
description = string
}))
|
[
{}
]
| no | +| [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` |
[
[]
]
| no | +| [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description |
list(object({
from = number
to = number
proto = any
description = string
}))
| `[]` | no | | [name](#input\_name) | Security Group Name (required) | `string` | n/a | yes | | [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `""` | no | | [tags](#input\_tags) | Extra security group tags | `map` | `{}` | no | diff --git a/custom/ports.tf b/custom/ports.tf index 7a72c3f..7c53124 100644 --- a/custom/ports.tf +++ b/custom/ports.tf @@ -9,8 +9,9 @@ locals { p_fields = ["from", "to", "proto", "description", "cidr"] # p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map - p_map = length(var.ingress_port_list) > 0 ? [for p in flatten(compact(concat(local.ports, var.ingress_port_list))) : zipmap(local.p_fields, p)] : [for p in local.ports : zipmap(local.p_fields, p)] - port_map = { "external" = compact(concat(local.p_map, var.ingress_port_map)) } + port_source = length(var.ingress_port_list) > 0 ? var.ingress_port_list : local.ports + p_map = [for p in local.port_source : zipmap(local.p_fields, p)] + port_map = { "external" = compact(concat(local.p_map, var.ingress_port_map)) } p_self_fields = ["from", "to", "proto", "description"] self_port_list = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"] From 8341361dff14bce2fe99af56f60a55ac32fb9aa5 Mon Sep 17 00:00:00 2001 From: badra001 Date: Mon, 25 Oct 2021 11:39:16 -0400 Subject: [PATCH 11/16] fix --- custom/ports.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/custom/ports.tf b/custom/ports.tf index 7c53124..7b5c97e 100644 --- a/custom/ports.tf +++ b/custom/ports.tf 
@@ -9,11 +9,11 @@ locals { p_fields = ["from", "to", "proto", "description", "cidr"] # p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map - port_source = length(var.ingress_port_list) > 0 ? var.ingress_port_list : local.ports + port_source = length(var.ingress_port_list) > 0 ? tolist(var.ingress_port_list) : tolist(local.ports) p_map = [for p in local.port_source : zipmap(local.p_fields, p)] - port_map = { "external" = compact(concat(local.p_map, var.ingress_port_map)) } + port_map = { "external" = compact(concat(local.p_map, tolist(var.ingress_port_map))) } p_self_fields = ["from", "to", "proto", "description"] self_port_list = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"] - self_port_map = compact(concat(local.self_port_list, var.ingress_self_port_map)) + self_port_map = compact(concat(local.self_port_list, tolist(var.ingress_self_port_map))) } From 04edd3c70eb0e7467a78a280ff4c48bcaa720e5d Mon Sep 17 00:00:00 2001 From: badra001 Date: Mon, 25 Oct 2021 12:04:51 -0400 Subject: [PATCH 12/16] try to fix --- common/ports.tf | 32 +++++++++++++++---- common/resources.tf | 78 +++++++++++++++++++++++++++++++++++++++++++-- custom/ports.tf | 31 +++++++++++++----- sas/README.md | 4 +-- sas/ports.tf | 29 +++++++++++++---- 5 files changed, 148 insertions(+), 26 deletions(-) diff --git a/common/ports.tf b/common/ports.tf index a603624..0896524 100644 --- a/common/ports.tf +++ b/common/ports.tf @@ -1,5 +1,5 @@ locals { - ports = var.ingress_port_list + ports = [] ingress_networks = var.ingress_networks egress_networks = var.egress_networks 
@@ -7,14 +7,30 @@ locals { ingress_sg = var.ingress_security_groups egress_sg = var.egress_security_groups + # ports p_fields = ["from", "to", "proto", "description", "cidr"] - # p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map - p_map = length(var.ingress_port_list) > 0 ? [for p in compact(concat(local.ports, var.ingress_port_list)) : zipmap(local.p_fields, p)] : [for p in local.ports : zipmap(local.p_fields, p)] - port_map = { "external" = compact(concat(local.p_map, var.ingress_port_map)) } + p_list1 = length(local.ports) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : [] + p_list2 = length(var.ingress_port_list) > 0 ? [for p in var.ingress_port_list : zipmap(local.p_fields, p)] : [] + p_list3 = length(var.ingress_port_map) > 0 ? var.ingress_port_map : [] - p_self_fields = ["from", "to", "proto", "description"] - self_port_list = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"] - self_port_map = compact(concat(local.self_port_list, var.ingress_self_port_map)) + port_map = { + "external" = [] + "module_ports" = p_list1 + "ingress_ports" = p_list2 + "ingress_map" = p_list3 + } + + # self ports + p_self_fields = ["from", "to", "proto", "description"] + sp_list1 = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : [] + sp_list2 = length(var.ingress_self_port_map) > 0 ? var.ingress_self_port_map : [] + sp_list3 = local._defaults["self_port_list"] + + self_port_map = { + "ingress_ports" = sp_list1 + "ingress_map" = sp_list2 + "default" = sp_list3 + } } # locals { @@ -46,3 +62,5 @@ locals { # } # # + + diff --git a/common/resources.tf b/common/resources.tf index 560ad3a..d6ac551 100644 --- a/common/resources.tf +++ b/common/resources.tf 
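Review bot: `p_list3 = length(var.ingress_port_map) > 0 ? var.ingress_port_map : []` and the matching `sp_list2` line are identities — when the list is empty the variable already is `[]` — so `p_list3 = var.ingress_port_map` and `sp_list2 = var.ingress_self_port_map` say the same thing without the conditional, and the `length(...) > 0` guards on `p_list1`, `p_list2` and `sp_list1` are likewise redundant because a for-expression over an empty list yields `[]`. `"external" = []` keeps a key that this patch hard-codes empty in common, custom and sas while resources.tf still iterates it, so either drop the key and its dynamic block or add a comment saying why it is kept. This locals block is copied verbatim into the custom/ports.tf and sas/ports.tf hunks of the same patch, and [PATCH 14] and [PATCH 15] then have to apply the identical one-line fix to each copy, so a `# keep in sync with custom/ports.tf and sas/ports.tf` comment at the top of the shared part would make the next divergence visible until it is factored out. The locals block starts outside the hunk.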
@@ -11,6 +11,9 @@ resource "aws_security_group" "this_security_group" { description = var.description vpc_id = var.vpc_id + #--- + # ingress + #--- # ingresss external port list (list + vpc if enabaled) dynamic "ingress" { for_each = local.port_map["external"] @@ -24,6 +27,45 @@ resource "aws_security_group" "this_security_group" { } } + # ingress module-defined ports + dynamic "ingress" { + for_each = local.port_map["module_ports"] + iterator = p + content { + description = "${local.short_description}: ${p.value["description"]}" + from_port = p.value["from"] + to_port = p.value["to"] + protocol = p.value["proto"] + cidr_blocks = length(p.value["cidr"]) == 0 ? distinct(flatten(compact(concat(local.external_ingress_networks, var.ingress_networks)))) : distinct(flatten(compact(concat(p.value["cidr"], var.ingress_networks)))) + } + } + + # ingress_ports + dynamic "ingress" { + for_each = local.port_map["ingress_ports"] + iterator = p + content { + description = "${local.short_description}: ${p.value["description"]}" + from_port = p.value["from"] + to_port = p.value["to"] + protocol = p.value["proto"] + cidr_blocks = length(p.value["cidr"]) == 0 ? distinct(flatten(compact(concat(local.external_ingress_networks, var.ingress_networks)))) : distinct(flatten(compact(concat(p.value["cidr"], var.ingress_networks)))) + } + } + + # ingress map + dynamic "ingress" { + for_each = local.port_map["ingress_ports"] + iterator = p + content { + description = "${local.short_description}: ${p.value["description"]}" + from_port = p.value["from"] + to_port = p.value["to"] + protocol = p.value["proto"] + cidr_blocks = length(p.value["cidr"]) == 0 ? distinct(flatten(compact(concat(local.external_ingress_networks, var.ingress_networks)))) : distinct(flatten(compact(concat(p.value["cidr"], var.ingress_networks)))) + } + } + # ingress security group ids (all) dynamic "ingress" { for_each = local.ingress_sg 
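Review bot: The `# ingress map` dynamic block iterates `local.port_map["ingress_ports"]` a second time instead of `local.port_map["ingress_map"]`, so rules supplied through `ingress_port_map` are never created (silently dropped) while the `ingress_ports` rules are emitted twice; the fix is `for_each = local.port_map["ingress_map"]`. The three new blocks are otherwise byte-identical, as are the three self blocks in the next hunk, so one `dynamic "ingress"` over `concat(local.port_map["module_ports"], local.port_map["ingress_ports"], local.port_map["ingress_map"])` (and one over the three `self_port_map` lists) would remove the copy-paste that let this slip. The `external` block kept above now iterates a key that ports.tf sets to `[]` in every module, so it produces no rules. `local.external_ingress_networks` in `cidr_blocks` is not defined in any ports.tf hunk of this series; presumably it lives in another file — worth confirming. The resource block starts and ends outside the hunk.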
@@ -37,9 +79,38 @@ resource "aws_security_group" "this_security_group" { } } - # ingress self (list with one or zero items) + #--- + # ingress self + #--- + # ingress self port list + dynamic "ingress" { + for_each = var.enable_self ? local.self_port_map["ingress_ports"] : [] + iterator = sg + content { + description = "${local.short_description}: self ${sg.value["description"]}" + from_port = sg.value["from"] + to_port = sg.value["to"] + protocol = sg.value["proto"] + self = true + } + } + + # ingress self port map + dynamic "ingress" { + for_each = var.enable_self ? local.self_port_map["ingress_map"] : [] + iterator = sg + content { + description = "${local.short_description}: self ${sg.value["description"]}" + from_port = sg.value["from"] + to_port = sg.value["to"] + protocol = sg.value["proto"] + self = true + } + } + + # ingress self port default dynamic "ingress" { - for_each = var.enable_self ? local.self_port_map : [] + for_each = var.enable_self ? local.self_port_map["default"] : [] iterator = sg content { description = "${local.short_description}: self ${sg.value["description"]}" @@ -50,6 +121,9 @@ resource "aws_security_group" "this_security_group" { } } + #--- + # egress + #--- # egress all egress { description = "${local.short_description}: All" diff --git a/custom/ports.tf b/custom/ports.tf index 7b5c97e..ece32b8 100644 --- a/custom/ports.tf +++ b/custom/ports.tf @@ -1,5 +1,5 @@ locals { - ports = [[]] + ports = [] ingress_networks = var.ingress_networks egress_networks = var.egress_networks 
@@ -7,13 +7,28 @@ locals { ingress_sg = var.ingress_security_groups egress_sg = var.egress_security_groups + # ports p_fields = ["from", "to", "proto", "description", "cidr"] - # p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map - port_source = length(var.ingress_port_list) > 0 ? tolist(var.ingress_port_list) : tolist(local.ports) - p_map = [for p in local.port_source : zipmap(local.p_fields, p)] - port_map = { "external" = compact(concat(local.p_map, tolist(var.ingress_port_map))) } + p_list1 = length(local.ports) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : [] + p_list2 = length(var.ingress_port_list) > 0 ? [for p in var.ingress_port_list : zipmap(local.p_fields, p)] : [] + p_list3 = length(var.ingress_port_map) > 0 ? var.ingress_port_map : [] - p_self_fields = ["from", "to", "proto", "description"] - self_port_list = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"] - self_port_map = compact(concat(local.self_port_list, tolist(var.ingress_self_port_map))) + port_map = { + "external" = [] + "module_ports" = p_list1 + "ingress_ports" = p_list2 + "ingress_map" = p_list3 + } + + # self ports + p_self_fields = ["from", "to", "proto", "description"] + sp_list1 = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : [] + sp_list2 = length(var.ingress_self_port_map) > 0 ? var.ingress_self_port_map : [] + sp_list3 = local._defaults["self_port_list"] + + self_port_map = { + "ingress_ports" = sp_list1 + "ingress_map" = sp_list2 + "default" = sp_list3 + } } diff --git a/sas/README.md b/sas/README.md index 8d294d4..5f237db 100644 --- a/sas/README.md +++ b/sas/README.md 
@@ -104,10 +104,10 @@ No modules. | [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | | [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no | -| [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` | `[]` | no | +| [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` |
[
[]
]
| no | | [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) |
list(object({
from = number
to = number
proto = any
description = string
cidr = list(string)
}))
| `[]` | no | | [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | -| [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` |
[
[
0,
0,
-1,
"all"
]
]
| no | +| [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` |
[
[]
]
| no | | [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description |
list(object({
from = number
to = number
proto = any
description = string
}))
| `[]` | no | | [name](#input\_name) | Security Group Name | `string` | `""` | no | | [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `""` | no | diff --git a/sas/ports.tf b/sas/ports.tf index b9bfc01..57526a9 100644 --- a/sas/ports.tf +++ b/sas/ports.tf 
@@ -33,19 +33,34 @@ locals { [9831, 9841, "tcp", "Data Remediation", local.networks["all"], ["external"]], ] - ingress_networks = var.ingress_networks egress_networks = var.egress_networks ingress_sg = var.ingress_security_groups egress_sg = var.egress_security_groups + # ports p_fields = ["from", "to", "proto", "description", "cidr"] - # p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map - p_map = length(var.ingress_port_list) > 0 ? [for p in concat(local.ports, var.ingress_port_list) : zipmap(local.p_fields, p)] : [for p in local.ports : zipmap(local.p_fields, p)] - port_map = { "external" = compact(concat(local.p_map, var.ingress_port_map)) } + p_list1 = length(local.ports) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : [] + p_list2 = length(var.ingress_port_list) > 0 ? [for p in var.ingress_port_list : zipmap(local.p_fields, p)] : [] + p_list3 = length(var.ingress_port_map) > 0 ? var.ingress_port_map : [] + + port_map = { + "external" = [] + "module_ports" = p_list1 + "ingress_ports" = p_list2 + "ingress_map" = p_list3 + } - p_self_fields = ["from", "to", "proto", "description"] - self_port_list = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"] - self_port_map = compact(concat(local.self_port_list, var.ingress_self_port_map)) + # self ports + p_self_fields = ["from", "to", "proto", "description"] + sp_list1 = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : [] + sp_list2 = length(var.ingress_self_port_map) > 0 ? var.ingress_self_port_map : [] + sp_list3 = local._defaults["self_port_list"] + + self_port_map = { + "ingress_ports" = sp_list1 + "ingress_map" = sp_list2 + "default" = sp_list3 + } } From 453f54a709b438aa58c7bf39efca86b943750c28 Mon Sep 17 00:00:00 2001 
From: badra001 Date: Mon, 25 Oct 2021 13:10:59 -0400 Subject: [PATCH 13/16] fix --- common/ports.tf | 14 ++++++-------- custom/ports.tf | 12 ++++++------ sas/ports.tf | 12 ++++++------ 3 files changed, 18 insertions(+), 20 deletions(-) diff --git a/common/ports.tf b/common/ports.tf index 0896524..8c84a43 100644 --- a/common/ports.tf +++ b/common/ports.tf @@ -15,9 +15,9 @@ locals { port_map = { "external" = [] - "module_ports" = p_list1 - "ingress_ports" = p_list2 - "ingress_map" = p_list3 + "module_ports" = local.p_list1 + "ingress_ports" = local.p_list2 + "ingress_map" = local.p_list3 } # self ports @@ -27,9 +27,9 @@ locals { sp_list3 = local._defaults["self_port_list"] self_port_map = { - "ingress_ports" = sp_list1 - "ingress_map" = sp_list2 - "default" = sp_list3 + "ingress_ports" = local.sp_list1 + "ingress_map" = local.sp_list2 + "default" = local.sp_list3 } } @@ -62,5 +62,3 @@ locals { # } # # - - diff --git a/custom/ports.tf b/custom/ports.tf index ece32b8..1131fe3 100644 --- a/custom/ports.tf +++ b/custom/ports.tf @@ -15,9 +15,9 @@ locals { port_map = { "external" = [] - "module_ports" = p_list1 - "ingress_ports" = p_list2 - "ingress_map" = p_list3 + "module_ports" = local.p_list1 + "ingress_ports" = local.p_list2 + "ingress_map" = local.p_list3 } # self ports @@ -27,8 +27,8 @@ locals { sp_list3 = local._defaults["self_port_list"] self_port_map = { - "ingress_ports" = sp_list1 - "ingress_map" = sp_list2 - "default" = sp_list3 + "ingress_ports" = local.sp_list1 + "ingress_map" = local.sp_list2 + "default" = local.sp_list3 } } diff --git a/sas/ports.tf b/sas/ports.tf index 57526a9..6c27e46 100644 --- a/sas/ports.tf +++ b/sas/ports.tf @@ -47,9 +47,9 @@ locals { port_map = { "external" = [] - "module_ports" = p_list1 - "ingress_ports" = p_list2 - "ingress_map" = p_list3 + "module_ports" = local.p_list1 + "ingress_ports" = local.p_list2 + "ingress_map" = local.p_list3 } # self ports 
@@ -59,8 +59,8 @@ locals { sp_list3 = local._defaults["self_port_list"] self_port_map = { - "ingress_ports" = sp_list1 - "ingress_map" = sp_list2 - "default" = sp_list3 + "ingress_ports" = local.sp_list1 + "ingress_map" = local.sp_list2 + "default" = local.sp_list3 } } From 5a122b01953af3d9f0e09ec77e92b9c86f9885fb Mon Sep 17 00:00:00 2001 From: badra001 Date: Mon, 25 Oct 2021 13:16:37 -0400 Subject: [PATCH 14/16] fix self --- custom/ports.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/custom/ports.tf b/custom/ports.tf index 1131fe3..06a2067 100644 --- a/custom/ports.tf +++ b/custom/ports.tf @@ -24,7 +24,7 @@ locals { p_self_fields = ["from", "to", "proto", "description"] sp_list1 = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : [] sp_list2 = length(var.ingress_self_port_map) > 0 ? var.ingress_self_port_map : [] - sp_list3 = local._defaults["self_port_list"] + sp_list3 = length(var.ingress_self_port_list) == 0 && length(var.ingress_self_port_map) == 0 ? local._defaults["self_port_list"] : [] self_port_map = { "ingress_ports" = local.sp_list1 From cc0f09235d77e6eceebfcbada4c8b142735ac9b8 Mon Sep 17 00:00:00 2001 From: badra001 Date: Mon, 25 Oct 2021 13:16:45 -0400 Subject: [PATCH 15/16] fix self --- common/ports.tf | 2 +- sas/ports.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/common/ports.tf b/common/ports.tf index 8c84a43..18d9795 100644 --- a/common/ports.tf +++ b/common/ports.tf 
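Review bot: The new guard tests the raw variables, `length(var.ingress_self_port_list) == 0 && length(var.ingress_self_port_map) == 0`, but the fallback decision belongs on the derived lists: `sp_list3 = length(local.sp_list1) == 0 && length(local.sp_list2) == 0 ? local._defaults["self_port_list"] : []`, which does not depend on the exact shape of the variables' defaults. As written, the `[[]]` default that [PATCH 09] leaves on `ingress_self_port_list` has length 1, so with module defaults the guard is false and the default self rule is never emitted, while `sp_list1` one line above feeds the empty inner tuple to `zipmap`; the default itself needs to become `[]`. The same one-liner is applied separately to common/ports.tf and sas/ports.tf in [PATCH 15], so a `# keep in sync with common/ports.tf and sas/ports.tf` comment on this line in each copy would help. The locals block starts and ends outside the hunk.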
@@ -24,7 +24,7 @@ locals { p_self_fields = ["from", "to", "proto", "description"] sp_list1 = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : [] sp_list2 = length(var.ingress_self_port_map) > 0 ? var.ingress_self_port_map : [] - sp_list3 = local._defaults["self_port_list"] + sp_list3 = length(var.ingress_self_port_list) == 0 && length(var.ingress_self_port_map) == 0 ? local._defaults["self_port_list"] : [] self_port_map = { "ingress_ports" = local.sp_list1 diff --git a/sas/ports.tf b/sas/ports.tf index 6c27e46..a554cbf 100644 --- a/sas/ports.tf +++ b/sas/ports.tf @@ -56,7 +56,7 @@ locals { p_self_fields = ["from", "to", "proto", "description"] sp_list1 = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : [] sp_list2 = length(var.ingress_self_port_map) > 0 ? var.ingress_self_port_map : [] - sp_list3 = local._defaults["self_port_list"] + sp_list3 = length(var.ingress_self_port_list) == 0 && length(var.ingress_self_port_map) == 0 ? local._defaults["self_port_list"] : [] self_port_map = { "ingress_ports" = local.sp_list1 From 65d81adcc7452a5f56d286ee5cd4759cf4d85d91 Mon Sep 17 00:00:00 2001 From: badra001 Date: Mon, 25 Oct 2021 13:19:11 -0400 Subject: [PATCH 16/16] v2.2.2: make ingress_self* work --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0c47590..f3bafbe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,11 @@ - custom - add ingress_self_* option +* v2.2.2 -- 20211025 + - custom + - make ingress_self stuff work + - fix missing default egress + # OLDER ## web