There are easier ways to do this but in one case I had only a string with a comma delimited list of values to use as an input to terraform. I was pretty sure jsonencode and/or jsondecode could handle it but it did not. This is what I ended up doing.

bash script variable used for some other function but also needed in my code. I was after the allowed_cidrs list and has to be formatted like this:

sites1=192.168.1.10/32,sites2=192.168.1.11/32,sites3=192.168.1.13/32,sites4=192.168.1.14/32

in bash I packed the variable like this:

variables="{\"region\":\"${region}\",\"tenancy_id\":\"${tenancy_id}\",\"ip_1\": \"${ip_1}\",\"ip_2\": \"${ip_2}\",\"allowed_cidrs\": \"sites1=192.168.1.10/32,sites2=192.168.1.11/32,sites3=${ip_3},sites4=${ip_4}\"}"

terraform variables

variable "allowed_cidrs" {}
locals {
  pairs = split(",", var.allowed_cidrs)
  allowed_cidrs = {
    for pair in local.pairs :
    split("=", pair)[0] => split("=", pair)[1]
  }
  transformed_list = [
    for key, value in local.allowed_cidrs : {
      description = key
      cidr_block = value
    }
  ]
}
output "allowed_cidrs" {  
  #value = local.allowed_cidrs  
  #value = [for key, value in local.allowed_cidrs : "${key}: ${value}"]
  value = local.transformed_list
}

terraform dynamic block

  dynamic "ingress_security_rules" {
    for_each = local.transformed_list
    content {
        description = format("%s to mysql via NLB", ingress_security_rules.value.description)
        source   = ingress_security_rules.value.cidr_block
        protocol    = local.tcp_protocol_number
        tcp_options {
            max =  local.mysql_port_number_3306
            min =  local.mysql_port_number_3306
        }
    }
  }