diff --git a/nacls/README.md b/nacls/README.md
index e3697f5..abf8000 100644
--- a/nacls/README.md
+++ b/nacls/README.md
@@ -9,11 +9,13 @@ each specific nacl. This creates both a public and a private NACL.
 module "nacls" {
   source               = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacls"
   vpc_id               = var.vpc_id
-  public_subnets_ids   = [ for s in module.subnets.public_subnets_ids : s.id ]
-  private_subnets_ids   = [ for s in module.subnets.private_subnets_ids : s.id ]
   vpc_full_name        = var.vpc_full_name
+  public_subnets_ids   = module.subnets.public_subnets_ids
+  private_subnets_ids  = module.subnets.private_subnets_ids
 
   # optional
+  public_subnet_ids    = [ for s in module.subnets.public_subnets_ids : s.id ]
+  private_subnet_ids   = [ for s in module.subnets.private_subnets_ids : s.id ]
   vpc_name             = var.vpc_name
   vpc_short_name       = var.vpc_short_name
 
@@ -52,7 +54,9 @@ No modules.
 | <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_private_subnet_ids"></a> [private\_subnet\_ids](#input\_private\_subnet\_ids) | List of private subnet IDs (not objects) | `list(string)` | `[]` | no |
 | <a name="input_private_subnets_ids"></a> [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of private subnet objects including: subnet, label, availability\_zone, id | <pre>list(object({<br>    subnet            = string<br>    label             = string<br>    availability_zone = string<br>    id                = string<br>  }))</pre> | `[]` | no |
+| <a name="input_public_subnet_ids"></a> [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet IDs (not objects) | `list(string)` | `[]` | no |
 | <a name="input_public_subnets_ids"></a> [public\_subnets\_ids](#input\_public\_subnets\_ids) | List of public subnet objects including: subnet, label, availability\_zone, id | <pre>list(object({<br>    subnet            = string<br>    label             = string<br>    availability_zone = string<br>    id                = string<br>  }))</pre> | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 | <a name="input_vpc_environment"></a> [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
diff --git a/nacls/main.tf b/nacls/main.tf
index e65d535..5726414 100644
--- a/nacls/main.tf
+++ b/nacls/main.tf
@@ -10,11 +10,13 @@
 * module "nacls" {
 *   source               = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacls"
 *   vpc_id               = var.vpc_id
-*   public_subnets_ids   = [ for s in module.subnets.public_subnets_ids : s.id ]
-*   private_subnets_ids   = [ for s in module.subnets.private_subnets_ids : s.id ]
 *   vpc_full_name        = var.vpc_full_name
+*   public_subnets_ids   = module.subnets.public_subnets_ids
+*   private_subnets_ids  = module.subnets.private_subnets_ids
 *
 *   # optional
+*   public_subnet_ids    = [ for s in module.subnets.public_subnets_ids : s.id ]
+*   private_subnet_ids   = [ for s in module.subnets.private_subnets_ids : s.id ]
 *   vpc_name             = var.vpc_name
 *   vpc_short_name       = var.vpc_short_name
 * 
@@ -30,6 +32,9 @@ locals {
     "boc:tf_module_version" = local._module_version
     "boc:created_by"        = "terraform"
   }
+
+  public_ids  = length(var.public_subnet_ids) > 0 ? var.public_subnet_ids : [for subnet in var.private_subnets_ids : subnet.id]
+  private_ids = length(var.private_subnet_ids) > 0 ? var.private_subnet_ids : [for subnet in var.private_subnets_ids : subnet.id]
 }
 
 #---
@@ -37,7 +42,7 @@ locals {
 #---
 resource "aws_network_acl" "private" {
   vpc_id     = var.vpc_id
-  subnet_ids = [for subnet in var.private_subnets_ids : subnet.id]
+  subnet_ids = local.private_ids
 
   tags = merge(
     local.base_tags,
@@ -51,7 +56,7 @@ resource "aws_network_acl" "private" {
 #---
 resource "aws_network_acl" "public" {
   vpc_id     = var.vpc_id
-  subnet_ids = [for subnet in var.public_subnets_ids : subnet.id]
+  subnet_ids = local.public_ids
 
   tags = merge(
     local.base_tags,
diff --git a/nacls/variables.tf b/nacls/variables.tf
new file mode 100644
index 0000000..15ab89b
--- /dev/null
+++ b/nacls/variables.tf
@@ -0,0 +1,11 @@
+variable "public_subnet_ids" {
+  description = "List of public subnet IDs (not objects)"
+  type        = list(string)
+  default     = []
+}
+
+variable "private_subnet_ids" {
+  description = "List of private subnet IDs (not objects)"
+  type        = list(string)
+  default     = []
+}