Terraformcloud~5 mins

Dynamic blocks in ingress rules in Terraform - Commands & Configuration

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

Introduction

When you want to create multiple similar ingress rules in a security group, writing each rule manually can be repetitive and error-prone. Dynamic blocks in Terraform let you generate these rules automatically from a list, making your configuration cleaner and easier to manage.

When you have many ingress rules with similar structure but different ports or CIDRs.

When you want to update or add ingress rules by just changing a list instead of editing multiple blocks.

When you want to avoid repeating the same code for each ingress rule in your security group.

When you want to keep your Terraform code DRY (Don't Repeat Yourself) and easy to read.

When you need to manage ingress rules dynamically based on variable input or environment.

Config File - main.tf

main.tf

provider "aws" {
  region = "us-east-1"
}

variable "ingress_rules" {
  type = list(object({
    from_port   = number
    to_port     = number
    protocol    = string
    cidr_blocks = list(string)
  }))
  default = [
    {
      from_port   = 80
      to_port     = 80
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    },
    {
      from_port   = 443
      to_port     = 443
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
  ]
}

resource "aws_security_group" "example" {
  name        = "example-sg"
  description = "Security group with dynamic ingress rules"
  vpc_id      = "vpc-12345678"

  dynamic "ingress" {
    for_each = var.ingress_rules
    content {
      from_port   = ingress.value.from_port
      to_port     = ingress.value.to_port
      protocol    = ingress.value.protocol
      cidr_blocks = ingress.value.cidr_blocks
    }
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

This Terraform file creates an AWS security group with multiple ingress rules generated dynamically.

variable "ingress_rules" defines a list of ingress rule objects with ports, protocol, and CIDR blocks.
dynamic "ingress" block loops over each rule in the list and creates an ingress rule for it.
The content inside the dynamic block sets the properties for each ingress rule.
There is a default egress rule allowing all outbound traffic.
Replace vpc-12345678 with your actual VPC ID.

Commands

This command initializes the Terraform working directory. It downloads the AWS provider plugin and prepares Terraform to run.

Terminal

terraform init

Expected OutputExpected

Initializing the backend... Initializing provider plugins... - Finding latest version of hashicorp/aws... - Installing hashicorp/aws v4.0.0... - Installed hashicorp/aws v4.0.0 (signed by HashiCorp) Terraform has been successfully initialized! You may now begin working with Terraform. Try running "terraform plan" to see any changes that are required for your infrastructure. All Terraform commands should now work.

This command shows what Terraform will do before applying changes. It previews the creation of the security group with dynamic ingress rules.

Terminal

terraform plan

Expected OutputExpected

An execution plan has been generated and is shown below. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # aws_security_group.example will be created + resource "aws_security_group" "example" { + description = "Security group with dynamic ingress rules" + id = (known after apply) + name = "example-sg" + vpc_id = "vpc-12345678" + ingress { + cidr_blocks = ["0.0.0.0/0"] + from_port = 80 + protocol = "tcp" + to_port = 80 } + ingress { + cidr_blocks = ["0.0.0.0/0"] + from_port = 443 + protocol = "tcp" + to_port = 443 } + egress { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + to_port = 0 } } Plan: 1 to add, 0 to change, 0 to destroy.

This command applies the planned changes and creates the security group with the dynamic ingress rules automatically without asking for confirmation.

Terminal

terraform apply -auto-approve

Expected OutputExpected

aws_security_group.example: Creating... aws_security_group.example: Creation complete after 3s [id=sg-0a1b2c3d4e5f6g7h8] Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

→

-auto-approve - Skips interactive approval prompt to apply changes immediately

This command displays the current state of the created resources, showing the security group and its dynamically created ingress rules.

Terminal

terraform show

Expected OutputExpected

aws_security_group.example: id = sg-0a1b2c3d4e5f6g7h8 name = example-sg description = Security group with dynamic ingress rules vpc_id = vpc-12345678 ingress { from_port = 80 to_port = 80 protocol = tcp cidr_blocks = ["0.0.0.0/0"] } ingress { from_port = 443 to_port = 443 protocol = tcp cidr_blocks = ["0.0.0.0/0"] } egress { from_port = 0 to_port = 0 protocol = -1 cidr_blocks = ["0.0.0.0/0"] }

Key Concept

If you remember nothing else from this pattern, remember: dynamic blocks let you create multiple similar resource blocks from a list, keeping your Terraform code clean and easy to update.

Common Mistakes

Writing multiple ingress blocks manually instead of using a dynamic block.

This causes repetitive code that is hard to maintain and update.

Use a dynamic block with a list variable to generate ingress rules automatically.

Forgetting to use ingress.value inside the dynamic block content.

Terraform will not know which values to use for each ingress rule, causing errors.

Always reference the current item with ingress.value inside the dynamic block.

Not defining the variable type correctly for the list of ingress rules.

Terraform will fail to validate the input and may produce confusing errors.

Define the variable as a list of objects with the correct attributes and types.

Summary

Define a variable list with ingress rule details like ports, protocol, and CIDR blocks.

Use a dynamic block in the security group resource to loop over the list and create ingress rules.

Run terraform init, plan, and apply to create the security group with all rules automatically.