diff --git a/example/main.tf b/example/main.tf
index 1a1d1dc..f30582e 100644
--- a/example/main.tf
+++ b/example/main.tf
@@ -13,8 +13,8 @@ module "vpc" {
   enable_nat_gateway = true
   enable_per_az_nat_gateway = true
-  nacl_public_custom = [
-    {
+  nacl_public_custom = {
+    allow_https = {
       rule_number = 1000
       egress = false
       protocol = 6
@@ -23,7 +23,25 @@ module "vpc" {
       from_port = 443
       to_port = 443
     }
-  ]
+    allow_http = {
+      rule_number = 1001
+      egress = false
+      protocol = 6
+      rule_action = "allow"
+      cidr_block = "0.0.0.0/0"
+      from_port = 80
+      to_port = 80
+    }
+    allow_ssh = {
+      rule_number = 1002
+      egress = false
+      protocol = 6
+      rule_action = "allow"
+      cidr_block = "0.0.0.0/0"
+      from_port = 22
+      to_port = 22
+    }
+  }
   tags = {
     Owner = "Foo"
diff --git a/nacls-private.tf b/nacls-private.tf
index 48a4bfd..f63e8d4 100644
--- a/nacls-private.tf
+++ b/nacls-private.tf
@@ -89,20 +89,6 @@ resource "aws_network_acl_rule" "private_all_ephemeral_udp_egress" {
   to_port = 65535
 }
-resource "aws_network_acl_rule" "private_custom" {
-  count = var.nacl_private_custom != null ? length(var.nacl_private_custom) : 0
-
-  network_acl_id = aws_network_acl.private.id
-
-  rule_number = var.nacl_private_custom[count.index].rule_number
-  egress = var.nacl_private_custom[count.index].egress
-  protocol = var.nacl_private_custom[count.index].protocol
-  rule_action = var.nacl_private_custom[count.index].rule_action
-  cidr_block = var.nacl_private_custom[count.index].cidr_block
-  from_port = var.nacl_private_custom[count.index].from_port
-  to_port = var.nacl_private_custom[count.index].to_port
-}
-
 resource "aws_network_acl_rule" "private_allow_http_egress" {
   count = var.nacl_allow_all_http ? 1 : 0
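Review bot: The new `allow_ssh` entry in the second example/main.tf hunk admits TCP/22 from `0.0.0.0/0` on the public-tier NACL, and an example block like this tends to be copied into real configurations unchanged. Since the point of the hunk is to show the new map syntax rather than to recommend an exposure, it would be safer to demonstrate a restricted source, e.g. `cidr_block = "<ADMIN_CIDR>"  # replace with your management range; never 0.0.0.0/0 for SSH`. A one-line comment above `nacl_public_custom = {` saying that the map key becomes the rule's resource name and that NACLs are stateless (so each inbound allow relies on the module's ephemeral egress rules) would also help readers understand what they are enabling.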
@@ -130,3 +116,17 @@ resource "aws_network_acl_rule" "private_allow_https_egress" {
   from_port = 443
   to_port = 443
 }
+
+resource "aws_network_acl_rule" "private_custom" {
+  for_each = var.nacl_private_custom
+
+  network_acl_id = aws_network_acl.private.id
+
+  rule_number = each.value.rule_number
+  egress = each.value.egress
+  protocol = each.value.protocol
+  rule_action = each.value.rule_action
+  cidr_block = each.value.cidr_block
+  from_port = each.value.from_port
+  to_port = each.value.to_port
+}
diff --git a/nacls-public.tf b/nacls-public.tf
index 408fc3e..c9dab23 100644
--- a/nacls-public.tf
+++ b/nacls-public.tf
@@ -89,20 +89,6 @@ resource "aws_network_acl_rule" "public_all_ephemeral_udp_egress" {
   to_port = 65535
 }
-resource "aws_network_acl_rule" "public_custom" {
-  count = var.nacl_public_custom != null ? length(var.nacl_public_custom) : 0
-
-  network_acl_id = aws_network_acl.public.id
-
-  rule_number = var.nacl_public_custom[count.index].rule_number
-  egress = var.nacl_public_custom[count.index].egress
-  protocol = var.nacl_public_custom[count.index].protocol
-  rule_action = var.nacl_public_custom[count.index].rule_action
-  cidr_block = var.nacl_public_custom[count.index].cidr_block
-  from_port = var.nacl_public_custom[count.index].from_port
-  to_port = var.nacl_public_custom[count.index].to_port
-}
-
 resource "aws_network_acl_rule" "public_allow_http_egress" {
   count = var.nacl_allow_all_http ? 1 : 0
@@ -130,3 +116,17 @@ resource "aws_network_acl_rule" "public_allow_https_egress" {
   from_port = 443
   to_port = 443
 }
+
+resource "aws_network_acl_rule" "public_custom" {
+  for_each = var.nacl_public_custom
+
+  network_acl_id = aws_network_acl.public.id
+
+  rule_number = each.value.rule_number
+  egress = each.value.egress
+  protocol = each.value.protocol
+  rule_action = each.value.rule_action
+  cidr_block = each.value.cidr_block
+  from_port = each.value.from_port
+  to_port = each.value.to_port
+}
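Review bot: Moving `private_custom` from `count` to `for_each` changes the state address of every existing custom rule from `aws_network_acl_rule.private_custom[0]` to `aws_network_acl_rule.private_custom["<key>"]`, so an in-place upgrade of a deployment that already uses custom rules will plan a destroy of the old instances and a create of the new ones; the same applies to `public_custom` in the next hunk and `secure_custom` in nacls-secure.tf. Because both instances carry the same `rule_number`, the apply may either fail on the duplicate entry or leave a window in which a custom deny rule is absent, depending on the order Terraform picks for the unrelated create and destroy. This deserves an explicit upgrade note (README/CHANGELOG) telling users to run `terraform state mv` from the indexed address to the keyed address for each rule before applying. A short comment on `for_each = var.nacl_private_custom` would also help: `# map key is the rule's identity: renaming a key recreates the rule even if rule_number is unchanged`.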
diff --git a/nacls-secure.tf b/nacls-secure.tf
index 1263924..4b5d45e 100644
--- a/nacls-secure.tf
+++ b/nacls-secure.tf
@@ -113,20 +113,6 @@ resource "aws_network_acl_rule" "secure_block_public_egress" {
   cidr_block = local.public_tier_subnet
 }
-resource "aws_network_acl_rule" "secure_custom" {
-  count = var.nacl_secure_custom != null ? length(var.nacl_secure_custom) : 0
-
-  network_acl_id = aws_network_acl.secure.id
-
-  rule_number = var.nacl_secure_custom[count.index].rule_number
-  egress = var.nacl_secure_custom[count.index].egress
-  protocol = var.nacl_secure_custom[count.index].protocol
-  rule_action = var.nacl_secure_custom[count.index].rule_action
-  cidr_block = var.nacl_secure_custom[count.index].cidr_block
-  from_port = var.nacl_secure_custom[count.index].from_port
-  to_port = var.nacl_secure_custom[count.index].to_port
-}
-
 resource "aws_network_acl_rule" "secure_allow_http_egress" {
   count = var.nacl_allow_all_http ? 1 : 0
@@ -154,3 +140,17 @@ resource "aws_network_acl_rule" "secure_allow_https_egress" {
   from_port = 443
   to_port = 443
 }
+
+resource "aws_network_acl_rule" "secure_custom" {
+  for_each = var.nacl_secure_custom
+
+  network_acl_id = aws_network_acl.secure.id
+
+  rule_number = each.value.rule_number
+  egress = each.value.egress
+  protocol = each.value.protocol
+  rule_action = each.value.rule_action
+  cidr_block = each.value.cidr_block
+  from_port = each.value.from_port
+  to_port = each.value.to_port
+}
diff --git a/variables.tf b/variables.tf
index ce13b6f..f9928b9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -146,48 +146,23 @@ variable "nacl_block_public_to_secure" {
 }
 variable "nacl_public_custom" {
-  type = list(object({
-    rule_number = number,
-    egress = bool,
-    protocol = number,
-    rule_action = string,
-    cidr_block = string,
-    from_port = string,
-    to_port = string
-  }))
+  type = map
   description = "List of custom nacls to apply to the public tier"
-  default = null
+  default = {}
 }
 variable "nacl_private_custom" {
-  type = list(object({
-    rule_number = number,
-    egress = bool,
-    protocol = number,
-    rule_action = string,
-    cidr_block = string,
-    from_port = string,
-    to_port = string
-  }))
+  type = map
   description = "List of custom nacls to apply to the private tier"
-  default = null
+  default = {}
 }
 variable "nacl_secure_custom" {
-  type = list(object({
-    rule_number = number,
-    egress = bool,
-    protocol = number,
-    rule_action = string,
-    cidr_block = string,
-    from_port = string,
-    to_port = string
-  }))
+  type = map
   description = "List of custom nacls to apply to the secure tier"
-  default = null
+  default = {}
 }
-
 variable "tags" {
   type = map(string)
   description = "Tags applied to all resources"
diff --git a/versions.tf b/versions.tf
index 35a5879..4b1ac87 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.12.0"
+  required_version = ">= 0.12.6"
   required_providers {
     aws = ">= 2.7.0"
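Review bot: Replacing `list(object({...}))` with a bare `type = map` on `nacl_public_custom`, `nacl_private_custom` and `nacl_secure_custom` throws away the attribute schema, so a rule with a misspelled `rule_action`, a missing `cidr_block` or a string where a number is expected is no longer rejected at variable validation and only surfaces later as an `each.value.*` error during plan (bare `map` is the legacy spelling of `map(any)`). The same validation can be kept with the new shape: `type = map(object({ rule_number = number, egress = bool, protocol = number, rule_action = string, cidr_block = string, from_port = string, to_port = string }))` together with the new `default = {}`. The three `description` strings still say "List of custom nacls" although the values are now maps whose key becomes the resource address; something like `description = "Map of custom NACL rules for the public tier; the key names the rule and is its Terraform identity"` would match the new semantics.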