diff --git a/fargate-v2.cfndsl.rb b/fargate-v2.cfndsl.rb
index 768ed40..63ddb2f 100644
--- a/fargate-v2.cfndsl.rb
+++ b/fargate-v2.cfndsl.rb
@@ -28,7 +28,7 @@
     EC2_SecurityGroupIngress("IngressRule#{i+1}") do
       Description ingress_rule['desc'] if ingress_rule.has_key?('desc')
       if ingress_rule.has_key?('cidr')
-        CidrIp FnSub(ingress_rule['cidr'])
+        CidrIp ingress_rule['cidr']
       else
         SourceSecurityGroupId ingress_rule.has_key?('source_sg') ? ingress_rule['source_sg'] :  Ref(:SecurityGroup)
       end
diff --git a/spec/security_groups_spec.rb b/spec/security_groups_spec.rb
index 3a72aca..f9ecc7d 100644
--- a/spec/security_groups_spec.rb
+++ b/spec/security_groups_spec.rb
@@ -69,7 +69,8 @@
       expect(ingress).to eq({
         "Description"=>"allow inbound 22 access from cidr",
         "FromPort"=>22, 
-        "CidrIp"=>{"Fn::Sub"=>"10.0.0.1/32"}, 
+        "CidrIp"=>"10.0.0.1/32", 
+        "GroupId" => {"Ref"=>"SecurityGroup"},
         "IpProtocol"=>"tcp", 
         "ToPort"=>22
       })