The older aws_security_group ingress and egress blocks used to allow us to specify both ipv4 and ipv6 cidr_blocks in the one config, and they accepted arrays with multiple values.
In our case, we have our site behind Cloudflare, so we use data.cloudflare_ip_ranges.cloudflare.ipv4_cidr_blocks and data.cloudflare_ip_ranges.cloudflare.ipv6_cidr_blocks and used to pass them into the cidr_blocks and ipv6_cidr_blocks values, which worked great.
With aws_vpc_security_group_(ingress|egress)_rule (which is the recommended option), they only accept one CIDR at a time, so we now need to use for_each, convert the data into a set using toset and use for_each. While this works fine, the arrays of ipv4 and ipv6 addresses can't be specified in the same config, and the use of for_each creates many resources.
The result: where previously we had one aws_security_group resource, we now have that plus 50 new ingress rule resources PER security group. So it has ballooned our resource count considerably, which when using services that price per resource, like Terraform Cloud, is a horrible change.
Requested Resource(s) and/or Data Source(s)
Allow aws_vpc_security_group_ingress_rule and aws_vpc_security_group_egress_rule to accept both IPv4 and IPv6 at the same time, AND allow arrays of them
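An added example (not the issue author's configuration) showing the two patterns the issue contrasts: the legacy inline ingress block that takes both CIDR lists, and the per-rule resource driven by one for_each map that carries both address families so the IPv4 and IPv6 ranges share a single block. It assumes configured aws and cloudflare providers, a var.vpc_id variable, and the data source attributes named in the issue; the resource count (one rule per CIDR) is unchanged by this approach.

```hcl
data "cloudflare_ip_ranges" "cloudflare" {}

locals {
  # One map for both address families so a single resource block can drive all rules.
  # Keys are the CIDRs themselves, so adding or removing one Cloudflare range only
  # touches that one rule resource on the next plan.
  cloudflare_cidrs = merge(
    { for c in data.cloudflare_ip_ranges.cloudflare.ipv4_cidr_blocks : c => { ipv4 = c, ipv6 = null } },
    { for c in data.cloudflare_ip_ranges.cloudflare.ipv6_cidr_blocks : c => { ipv4 = null, ipv6 = c } },
  )
}

# Old style: one resource carries every CIDR of both families in one ingress block.
resource "aws_security_group" "web_legacy" {
  name   = "web-legacy"
  vpc_id = var.vpc_id # assumed: a variable holding the VPC id

  ingress {
    description      = "HTTPS from Cloudflare"
    from_port        = 443
    to_port          = 443
    protocol         = "tcp"
    cidr_blocks      = data.cloudflare_ip_ranges.cloudflare.ipv4_cidr_blocks
    ipv6_cidr_blocks = data.cloudflare_ip_ranges.cloudflare.ipv6_cidr_blocks
  }
}

# New style: the group holds no inline rules; each CIDR becomes its own rule resource.
resource "aws_security_group" "web" {
  name   = "web"
  vpc_id = var.vpc_id
}

# Exactly one CIDR per resource, so for_each fans out one resource per Cloudflare
# range. Setting only the matching family attribute (the other stays null and is
# omitted) lets IPv4 and IPv6 share one block instead of two for_each resources.
resource "aws_vpc_security_group_ingress_rule" "cloudflare_https" {
  for_each = local.cloudflare_cidrs

  security_group_id = aws_security_group.web.id
  description       = "HTTPS from Cloudflare ${each.key}"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_ipv4         = each.value.ipv4
  cidr_ipv6         = each.value.ipv6
}
```

`terraform plan` on the new style still lists one aws_vpc_security_group_ingress_rule per Cloudflare CIDR, which is the resource-count growth the issue describes; only the split into two separate for_each resources is avoided.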
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
Volunteering to Work on This Issue
If you are interested in working on this issue, please leave a comment.
If this would be your first contribution, please review the contribution guide.
Potential Terraform Configuration