ministryofjustice / modernisation-platform-terraform-member-vpc

Module for member VPC accounts in the Modernisation Platform • This repository is defined and managed in Terraform


Revisit how network acl is populated for protected subnets

dms1981 opened this issue · comments

At present the aws_network_acl.local_nacl_rules_for_protected_ingress only supports rules for traffic on tcp/443.
I have temporarily added a second resource to create a second rule for this ACL, but we should look at what changes are required to supply multiple values for the from_port and to_port fields, allowing us to use one resource for all network ACL entries into the protected subnets.

Resolved by removing NACL code from this module and rewriting it in the modernisation-platform repo.
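
One way to drive every protected-subnet ingress entry from a single resource, as the issue asks, is `for_each` over a map of port ranges. This is an added example, not code from this module or from the modernisation-platform repo; the variable names, local name, resource label and the second rule's port range are assumptions made for illustration.

```hcl
# Added example: all names below are hypothetical, not the module's own.
variable "protected_nacl_id" {
  description = "ID of the network ACL attached to the protected subnets"
  type        = string
}

variable "protected_ingress_cidr" {
  description = "Source CIDR allowed into the protected subnets"
  type        = string
}

locals {
  # One map entry per allowed port range. Rule numbers are set explicitly so
  # that adding or removing an entry never renumbers the others; NACL rules are
  # evaluated in ascending rule_number order and the first match wins.
  protected_ingress_rules = {
    https = { rule_number = 100, protocol = "tcp", from_port = 443, to_port = 443 }
    # Constructed entry standing in for the second rule mentioned in the issue.
    example_range = { rule_number = 110, protocol = "tcp", from_port = 1024, to_port = 65535 }
  }
}

# A single resource block produces one NACL entry per map key.
resource "aws_network_acl_rule" "protected_ingress" {
  for_each = local.protected_ingress_rules

  network_acl_id = var.protected_nacl_id
  egress         = false
  rule_action    = "allow"
  rule_number    = each.value.rule_number
  protocol       = each.value.protocol
  from_port      = each.value.from_port
  to_port        = each.value.to_port
  cidr_block     = var.protected_ingress_cidr
}
```

Because the instances are keyed by map key rather than list index, removing one entry destroys only that rule instead of shifting and recreating the rest.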