diff --git a/modules/single-port-sg-src/README.md b/modules/single-port-sg-src/README.md
new file mode 100644
index 00000000..5700b438
--- /dev/null
+++ b/modules/single-port-sg-src/README.md
@@ -0,0 +1,5 @@
+## Single Port Security Group Rule
+
+Create an `aws_security_group_rule` to allow ingress on some port.
+
+TODO: support both TCP and UDP, use count to enable/disable.
diff --git a/modules/single-port-sg-src/main.tf b/modules/single-port-sg-src/main.tf
new file mode 100644
index 00000000..f75e698e
--- /dev/null
+++ b/modules/single-port-sg-src/main.tf
@@ -0,0 +1,67 @@
+/**
+ * ## Single Port Security Group Rule
+ *
+ * Create an `aws_security_group_rule` to allow ingress on some port.
+ *
+ */
+
+variable "security_group_id" {
+ description = "security group to attach the ingress rules to"
+ type = string
+}
+
+variable "source_security_group" {
+ description = "The SG that this SG allows ingress from"
+ type = string
+}
+
+variable "description" {
+ description = "Use this string to add a description for the SG rule"
+ type = string
+}
+
+variable "port" {
+ description = "The port to open"
+ type = string
+}
+
+variable "tcp" {
+ description = "true/false to enables the tcp ingress"
+ default = "true"
+ type = string
+}
+
+variable "udp" {
+ description = "true/false to enables the udp ingress"
+ default = "false"
+ type = string
+}
+
+locals {
+ tcp = "${var.tcp ? 1 : 0}"
+ udp = "${var.udp ? 1 : 0}"
+}
+
+# ingress rule for tcp, if enabled
+resource "aws_security_group_rule" "tcp_ingress" {
+ count = local.tcp
+ type = "ingress"
+ description = "${var.description} (tcp)"
+ from_port = var.port
+ to_port = var.port
+ protocol = "tcp"
+ security_group_id = var.security_group_id
+ source_security_group = var.source_security_group
+}
+
+# ingress rule for udp, if enabled
+resource "aws_security_group_rule" "udp_ingress" {
+ count = local.udp
+ type = "ingress"
+ description = "${var.description} (udp)"
+ from_port = var.port
+ to_port = var.port
+ protocol = "udp"
+ security_group_id = var.security_group_id
+ source_security_group = var.source_security_group
+}
diff --git a/modules/single-port-sg-src/versions.tf b/modules/single-port-sg-src/versions.tf
new file mode 100644
index 00000000..ac97c6ac
--- /dev/null
+++ b/modules/single-port-sg-src/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}
diff --git a/modules/single-port-sg/main.tf b/modules/single-port-sg/main.tf
index 705e3f5f..84bec946 100644
--- a/modules/single-port-sg/main.tf
+++ b/modules/single-port-sg/main.tf
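Review bot: Both `aws_security_group_rule` resources in the new main.tf set `source_security_group = var.source_security_group`, but the provider argument for a security-group source is `source_security_group_id`, so the module will fail `terraform validate` and no ingress rule is created; change both lines to `source_security_group_id = var.source_security_group`. The `port` variable is declared `type = string` and `tcp`/`udp` are strings fed through `"${var.tcp ? 1 : 0}"` in `locals`; declaring `port` as `number` and `tcp`/`udp` as `bool` with `count = var.tcp ? 1 : 0` drops the implicit string conversions and lets Terraform reject a non-numeric port at plan time instead of at apply. Scoping the source to a security group rather than a CIDR is the right default for this module and worth stating in the header comment, e.g. `* Ingress is restricted to traffic from a single source security group.`. The README added in the same commit still carries the TODO about TCP/UDP and count, which this file already implements.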
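Review bot: versions.tf pins only `required_version = ">= 0.12"` and declares no `required_providers` block, although main.tf depends on the `aws` provider's `aws_security_group_rule` schema; without a provider constraint a caller may resolve a provider version whose argument set differs from what this module expects. Adding `required_providers { aws = "<MIN_AWS_PROVIDER_VERSION>" }` (0.12 syntax, constraint to be chosen by the author) next to the core constraint makes the dependency explicit and reproducible.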
@@ -3,8 +3,6 @@
  *
  * Create an `aws_security_group_rule` to allow ingress on some port.
  *
- * TODO: support both TCP and UDP, use count to enable/disable.
- *
  */
 
 variable "security_group_id" {