diff --git a/emr/README.md b/emr/README.md
index 490056a..aea2ed1 100644
--- a/emr/README.md
+++ b/emr/README.md
@@ -57,6 +57,8 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_security_group.sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_vpc_security_group_egress_rule.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
+| [aws_vpc_security_group_ingress_rule.cidr_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [aws_vpc_security_group_ingress_rule.security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [aws_vpc_security_group_ingress_rule.self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
diff --git a/emr/main.tf b/emr/main.tf
index 7421006..b3e5068 100644
--- a/emr/main.tf
+++ b/emr/main.tf
@@ -69,16 +69,23 @@ locals {
 locals {
   _sg = yamldecode(file("${path.module}/settings.yml"))
   sg = { for sg in local._sg["security-groups"] : sg.name => merge(sg, { ingress_networks = flatten(distinct(compact(concat(local.ingress_networks, sg.vpc_cidr ? [data.aws_vpc.this_vpc.cidr_block] : [])))) }) }
-  sg2 = [for k, v in local.sg : { for i in v.ingress : format("%v:%v:%v", k, i.from, i.proto) => merge(i, {
+  sg_c1 = flatten([for k, v in local.sg : [for i in v.ingress : merge(i, {
     key = k, label = format("%v:%v:%v", k, i.from, i.proto)
     cidr_blocks = try(i.cidr_blocks, null) == "incoming" ? local.ingress_networks : []
-  }) }]
-  sg3 = [for k, v in local.sg : { for i in try(v.ingress_security_groups, []) : format("%v:%v", k, i) => merge(v, {
+  }
+  )]])
+  sg_cidr = flatten([for sg in local.sg_c1 : [for c in sg.cidr_blocks : merge(sg, {
+    cidr_label = format("%v:%v", sg.label, c)
+    cidr_block = c
+  }
+  )]])
+  sg_sg = flatten([for k, v in local.sg : [for i in try(v.ingress_security_groups, []) : merge(v, {
     key = k, label = format("%v:%v", k, i)
     security_group_name = i
-  }) }]
+  }
+  )]])
 }
@@ -89,14 +96,6 @@ resource "aws_security_group" "sg" {
   description = trimspace(format("%v %v", var.description_prefix, each.value.description))
   vpc_id = var.vpc_id
-  egress {
-    description = "ALL"
-    from_port = 0
-    to_port = 0
-    protocol = -1
-    cidr_blocks = local.egress_networks
-  }
-
   ## dynamic "ingress" {
   ##   for_each = { for i in each.value.ingress : format("%v:%v", i.from, i.proto) => merge({ label = format("%v:%v", i.from, i.proto) }, i) }
   ##   iterator = p
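Review bot: The local defined here is `sg_cidr`, but the new `aws_vpc_security_group_ingress_rule.cidr_block` resource at the end of this diff iterates `local.sg_cb`; unless `sg_cb` is declared elsewhere in main.tf, `terraform validate` will reject the reference to an undeclared local, so one side should be renamed, e.g. `for_each = { for x in local.sg_cidr : x.cidr_label => x }`. Separately, `try(i.cidr_blocks, null) == "incoming" ? local.ingress_networks : []` maps anything other than the literal string `"incoming"` to an empty list, so an ingress entry carrying an explicit list of CIDRs silently yields no rule; if that form is meant to work, the fallback should be `try(tolist(i.cidr_blocks), [])` instead of `[]`, and if it is not, a comment such as `# only the sentinel "incoming" is supported; literal CIDR lists are ignored` would save the next reader a trip to settings.yml. Note also that `sg_c1` merges the ingress item `i`, whose protocol key is `proto` (see the `label` format), so consumers of `sg_cidr` should read `proto`, not `protocol`.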
@@ -119,7 +118,21 @@ resource "aws_security_group" "sg" {
   )
 }
-# self
+# egress: all
+resource "aws_vpc_security_group_egress_rule" "all" {
+  for_each = { for k, v in local.sg : k => aws_security_group.sg[k].id }
+
+  security_group_id = each.value
+  description = "ALL"
+  from_port = 0
+  to_port = 0
+  ip_protocol = -1
+  # cidr_block = local.egress_networks
+  cidr_block = local.n_all
+}
+
+
+# ingress: self
 resource "aws_vpc_security_group_ingress_rule" "self" {
   for_each = { for k, v in local.sg : k => aws_security_group.sg[k].id if try(v.self, false) }
@@ -131,8 +144,9 @@ resource "aws_vpc_security_group_ingress_rule" "self" {
   referenced_security_group_id = each.value
 }
+# ingress: by security_group
 resource "aws_vpc_security_group_ingress_rule" "security_group" {
-  for_each = { for x in local.sg3 : x.label => x }
+  for_each = { for x in local.sg_sg : x.label => x }
   security_group_id = aws_security_group.sg[each.value.key].id
   description = "self"
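Review bot: `cidr_block` is not an argument of `aws_vpc_security_group_egress_rule`; the provider's arguments are `cidr_ipv4` and `cidr_ipv6` (the commented-out example this same diff removes uses `cidr_ipv4 = "10.0.0.0/8"`), so this resource — and `aws_vpc_security_group_ingress_rule.cidr_block` in the last hunk — will fail validation until the line reads `cidr_ipv4 = local.n_all`. With `ip_protocol = -1` the provider's all-traffic example omits `from_port`/`to_port`, and in my experience setting them on a `-1` rule is rejected or shows a perpetual diff, so dropping those two lines is the safer shape (worth confirming with a plan). The commented-out `# cidr_block = local.egress_networks` line suggests the old inline `egress` block limited destinations to `local.egress_networks`, whereas the new rule targets `local.n_all`; if that is 0.0.0.0/0 as the name implies, this commit widens egress for every group in `local.sg`, which deserves an explicit comment stating the intended egress policy, and if the restriction is still wanted the per-rule resource needs one instance per CIDR, e.g. `for_each` over `setproduct(keys(local.sg), local.egress_networks)` with `cidr_ipv4 = each.value[1]`.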
@@ -142,100 +156,15 @@ resource "aws_vpc_security_group_ingress_rule" "security_group" {
   referenced_security_group_id = aws_security_group.sg[each.value.security_group_name].id
 }
-## # ingress with prefix lists
-## dynamic "ingress" {
-##   for_each = length(var.ingress_prefix_list_names) > 0 ? local.port_map["external"] : toset([])
-##   iterator = p
-##   content {
-##     description = "${local.short_description}: ${p.value["description"]}"
-##     from_port = p.value["from"]
-##     to_port = p.value["to"]
-##     protocol = p.value["proto"]
-##     prefix_list_ids = [for pl in data.aws_ec2_managed_prefix_list.ingress : pl.id]
-##   }
-## }
-##
-##
-## # ingress security group ids (all)
-## dynamic "ingress" {
-##   for_each = local.ingress_sg
-##   iterator = sg
-##   content {
-##     description = "${local.short_description}: ${local.ingress_sg_names[sg.value]}"
-##     from_port = 0
-##     to_port = 0
-##     protocol = -1
-##     security_groups = [sg.value]
-##   }
-## }
-##
-##
-## # ingress self (list with one or zero items)
-## dynamic "ingress" {
-##   for_each = local.self
-##   iterator = sg
-##   content {
-##     description = "${local.short_description}: from self"
-##     from_port = 0
-##     to_port = 0
-##     protocol = -1
-##     self = true
-##   }
-## }
-##
-##
-##
-## # egress security group ids (all)
-## dynamic "egress" {
-##   for_each = local.egress_sg
-##   iterator = sg
-##   content {
-##     description = "${local.short_description}: ${local.egress_sg_names[sg]}"
-##     from_port = 0
-##     to_port = 0
-##     protocol = -1
-##     security_groups = [sg]
-##   }
-## }
-##
-## # egress with prefix lists
-## dynamic "egress" {
-##   for_each = length(var.egress_prefix_list_names) > 0 ? local.port_map["external"] : toset([])
-##   iterator = p
-##   content {
-##     description = "${local.short_description}: ${local.egress_sg_names[sg]}"
-##     from_port = 0
-##     to_port = 0
-##     protocol = -1
-##     prefix_list_ids = [for pl in data.aws_ec2_managed_prefix_list.egress : pl.id]
-##   }
-## }
-
- ## resource "aws_vpc_security_group_ingress_rule" "example" {
-##   security_group_id = aws_security_group.example.id
-##
-##   cidr_ipv4 = "10.0.0.0/8"
-##   from_port = 80
-##   ip_protocol = "tcp"
-##   to_port = 80
-## }
-##
-## @@@
-##
-## {
-##   "description" = "EMR Service Access"
-##   "ingress" = [
-##     {
-##       "from" = 9443
-##       "proto" = "tcp"
-##       "security_groups" = "emr-master-node"
-##       "short" = "Master Node"
-##       "to" = 9443
-##     },
-##   ]
-##   "name" = "emr-service-access"
-##   "self" = false
-##   "vpc_cidr" = false
-## },
-##
+# ingress: by cidr_block
+resource "aws_vpc_security_group_ingress_rule" "cidr_block" {
+  for_each = { for x in local.sg_cb : x.cidr_label => x }
+
+  security_group_id = aws_security_group.sg[each.value.key].id
+  description = x.description
+  from_port = x.from
+  to_port = x.to
+  ip_protocol = x.protocol
+  cidr_block = x.cidr_block
+}
+
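Review bot: The attribute lines of the new `cidr_block` resource read `x.description`, `x.from`, `x.to`, `x.protocol` and `x.cidr_block`, but `x` is only the temporary variable of the `for_each` expression and is not in scope in the resource body; they must be `each.value.*`, as the `security_group_id` line of the same resource already does. Two further mismatches against the locals hunk: the `for_each` iterates `local.sg_cb` while the local defined there is `sg_cidr`, and the ingress items carry `proto` (the `label` format uses `i.proto`), not `protocol`; the removed example entry also shows ingress items with `short` but no `description`, so `each.value.description` may be an unsupported attribute on a `merge(i, …)` object — hence the `try()` below, to be confirmed against settings.yml. `cidr_block` is also not an argument of `aws_vpc_security_group_ingress_rule`; the provider calls it `cidr_ipv4`. Rewritten body:
```hcl
resource "aws_vpc_security_group_ingress_rule" "cidr_block" {
  for_each = { for x in local.sg_cidr : x.cidr_label => x }

  security_group_id = aws_security_group.sg[each.value.key].id
  description       = try(each.value.description, each.value.label)
  from_port         = each.value.from
  to_port           = each.value.to
  ip_protocol       = each.value.proto
  cidr_ipv4         = each.value.cidr_block
}
```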