I'm trying to set up a DigitalOcean Database Firewall, which uses the below syntax:

```hcl
resource "digitalocean_database_firewall" "example-fw" {
  cluster_id = digitalocean_database_cluster.app.id

  rule {
    type  = "ip_addr"
    value = "192.168.1.1"
  }

  rule {
    type  = "ip_addr"
    value = "192.0.2.0"
  }
}
```
I have a variable which is a list of whitelisted IPs that should be added to the firewall, along with the VPC IP block. I first tried to add these using `for_each`:

```hcl
# Postgres firewall (only allow connection inside VPC)
resource "digitalocean_database_firewall" "vpc-fw" {
  cluster_id = digitalocean_database_cluster.app.id

  rule {
    type  = "ip_addr"
    value = digitalocean_vpc.app_vpc.ip_range
  }
}

# Postgres firewall (allow connections from whitelisted IPs)
resource "digitalocean_database_firewall" "whitelisted-fw" {
  for_each   = toset(var.db_allowed_ips)
  cluster_id = digitalocean_database_cluster.app.id

  rule {
    type  = "ip_addr"
    value = each.key
  }
}
```
However, it seems you can only have one firewall resource per cluster, as only the last IP is saved and shows on the dashboard.

I also tried using `for_each` in the `rule` block, but this throws an error that it can only appear in module or resource blocks.

I've also tried passing the list to `value` directly, but it only supports strings and not lists.

How can I add a `rule { }` block for each IP in `var.db_allowed_ips` and `digitalocean_vpc.app_vpc.ip_range`?
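Added example (not code from the question): Terraform's `dynamic` block generates one nested `rule` block per element of a collection, so all trusted sources can live in a single firewall resource instead of several that overwrite each other. It reuses the resource and variable names from the question and assumes `var.db_allowed_ips` is a `list(string)`.

```hcl
# Every trusted source is declared in this one resource: a second
# digitalocean_database_firewall for the same cluster would replace it.
locals {
  # Assumed: var.db_allowed_ips is a list(string) of individual IPs.
  db_trusted_sources = concat(
    [digitalocean_vpc.app_vpc.ip_range],
    var.db_allowed_ips,
  )
}

resource "digitalocean_database_firewall" "app-fw" {
  cluster_id = digitalocean_database_cluster.app.id

  # One rule block per entry; toset() removes duplicates so a repeated
  # IP in the variable does not produce a duplicate rule.
  dynamic "rule" {
    for_each = toset(local.db_trusted_sources)
    content {
      type  = "ip_addr"
      value = rule.value
    }
  }
}
```

Inside the `content` block the iterator is named after the block label (`rule.value`), not `each.value`; `terraform plan` should show one `rule` entry per element, which is the quickest way to confirm nothing was silently dropped.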