diff --git a/examples/complete/README.md b/examples/complete/README.md
index be8c6cdc..d655529e 100644
--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -39,12 +39,15 @@ Note that this example may create resources which cost money. Run `terraform des
 | <a name="module_ipv4_ipv6_example"></a> [ipv4\_ipv6\_example](#module\_ipv4\_ipv6\_example) | ../../ | n/a |
 | <a name="module_main_sg"></a> [main\_sg](#module\_main\_sg) | ../../ | n/a |
 | <a name="module_only_rules"></a> [only\_rules](#module\_only\_rules) | ../../ | n/a |
+| <a name="module_prefix_list"></a> [prefix\_list](#module\_prefix\_list) | ../../ | n/a |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | n/a |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [aws_prefix_list.dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/prefix_list) | data source |
+| [aws_prefix_list.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/prefix_list) | data source |
 | [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
 | [aws_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index cd824efb..2f00a1c2 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -66,7 +66,8 @@ module "complete_sg" {
   ingress_ipv6_cidr_blocks = ["2001:db8::/64"]
 
   # Prefix list ids to use in all ingress rules in this module.
-  # ingress_prefix_list_ids = ["pl-123456"]
+  # ingress_prefix_list_ids = [data.aws_prefix_list.s3.id, data.aws_prefix_list.dynamodb.id]
+
   # Open for all CIDRs defined in ingress_cidr_blocks
   ingress_rules = ["https-443-tcp"]
 
@@ -399,3 +400,40 @@ module "only_rules" {
     },
   ]
 }
+
+###################################
+# Security group with prefix lists
+###################################
+
+data "aws_prefix_list" "s3" {
+  filter {
+    name   = "prefix-list-name"
+    values = ["com.amazonaws.eu-west-1.s3"]
+  }
+}
+
+data "aws_prefix_list" "dynamodb" {
+  filter {
+    name   = "prefix-list-name"
+    values = ["com.amazonaws.eu-west-1.dynamodb"]
+  }
+}
+
+module "prefix_list" {
+  source = "../../"
+
+  name        = "pl-sg"
+  description = "Security group with prefix list"
+  vpc_id      = data.aws_vpc.default.id
+
+  ingress_prefix_list_ids = [data.aws_prefix_list.s3.id, data.aws_prefix_list.dynamodb.id]
+  ingress_with_cidr_blocks = [
+    {
+      from_port       = 9100
+      to_port         = 9100
+      protocol        = 6 # "tcp"
+      description     = "Arbitrary TCP port"
+      prefix_list_ids = join(",", [data.aws_prefix_list.s3.id, data.aws_prefix_list.dynamodb.id])
+    },
+  ]
+}
diff --git a/main.tf b/main.tf
index 6ca0aaf9..85374990 100644
--- a/main.tf
+++ b/main.tf
@@ -194,14 +194,14 @@ resource "aws_security_group_rule" "ingress_with_cidr_blocks" {
   security_group_id = local.this_sg_id
   type              = "ingress"
 
-  cidr_blocks = split(
+  cidr_blocks = compact(split(
     ",",
     lookup(
       var.ingress_with_cidr_blocks[count.index],
       "cidr_blocks",
       join(",", var.ingress_cidr_blocks),
     ),
-  )
+  ))
   prefix_list_ids = var.ingress_prefix_list_ids
   description = lookup(
     var.ingress_with_cidr_blocks[count.index],
@@ -233,14 +233,14 @@ resource "aws_security_group_rule" "computed_ingress_with_cidr_blocks" {
   security_group_id = local.this_sg_id
   type              = "ingress"
 
-  cidr_blocks = split(
+  cidr_blocks = compact(split(
     ",",
     lookup(
       var.computed_ingress_with_cidr_blocks[count.index],
       "cidr_blocks",
       join(",", var.ingress_cidr_blocks),
     ),
-  )
+  ))
   prefix_list_ids = var.ingress_prefix_list_ids
   description = lookup(
     var.computed_ingress_with_cidr_blocks[count.index],
@@ -284,14 +284,14 @@ resource "aws_security_group_rule" "ingress_with_ipv6_cidr_blocks" {
   security_group_id = local.this_sg_id
   type              = "ingress"
 
-  ipv6_cidr_blocks = split(
+  ipv6_cidr_blocks = compact(split(
     ",",
     lookup(
       var.ingress_with_ipv6_cidr_blocks[count.index],
       "ipv6_cidr_blocks",
       join(",", var.ingress_ipv6_cidr_blocks),
     ),
-  )
+  ))
   prefix_list_ids = var.ingress_prefix_list_ids
   description = lookup(
     var.ingress_with_ipv6_cidr_blocks[count.index],
@@ -323,14 +323,14 @@ resource "aws_security_group_rule" "computed_ingress_with_ipv6_cidr_blocks" {
   security_group_id = local.this_sg_id
   type              = "ingress"
 
-  ipv6_cidr_blocks = split(
+  ipv6_cidr_blocks = compact(split(
     ",",
     lookup(
       var.computed_ingress_with_ipv6_cidr_blocks[count.index],
       "ipv6_cidr_blocks",
       join(",", var.ingress_ipv6_cidr_blocks),
     ),
-  )
+  ))
   prefix_list_ids = var.ingress_prefix_list_ids
   description = lookup(
     var.computed_ingress_with_ipv6_cidr_blocks[count.index],
@@ -570,14 +570,14 @@ resource "aws_security_group_rule" "egress_with_cidr_blocks" {
   security_group_id = local.this_sg_id
   type              = "egress"
 
-  cidr_blocks = split(
+  cidr_blocks = compact(split(
     ",",
     lookup(
       var.egress_with_cidr_blocks[count.index],
       "cidr_blocks",
       join(",", var.egress_cidr_blocks),
     ),
-  )
+  ))
   prefix_list_ids = var.egress_prefix_list_ids
   description = lookup(
     var.egress_with_cidr_blocks[count.index],
@@ -609,14 +609,14 @@ resource "aws_security_group_rule" "computed_egress_with_cidr_blocks" {
   security_group_id = local.this_sg_id
   type              = "egress"
 
-  cidr_blocks = split(
+  cidr_blocks = compact(split(
     ",",
     lookup(
       var.computed_egress_with_cidr_blocks[count.index],
       "cidr_blocks",
       join(",", var.egress_cidr_blocks),
     ),
-  )
+  ))
   prefix_list_ids = var.egress_prefix_list_ids
   description = lookup(
     var.computed_egress_with_cidr_blocks[count.index],
@@ -660,14 +660,14 @@ resource "aws_security_group_rule" "egress_with_ipv6_cidr_blocks" {
   security_group_id = local.this_sg_id
   type              = "egress"
 
-  ipv6_cidr_blocks = split(
+  ipv6_cidr_blocks = compact(split(
     ",",
     lookup(
       var.egress_with_ipv6_cidr_blocks[count.index],
       "ipv6_cidr_blocks",
       join(",", var.egress_ipv6_cidr_blocks),
     ),
-  )
+  ))
   prefix_list_ids = var.egress_prefix_list_ids
   description = lookup(
     var.egress_with_ipv6_cidr_blocks[count.index],
@@ -699,14 +699,14 @@ resource "aws_security_group_rule" "computed_egress_with_ipv6_cidr_blocks" {
   security_group_id = local.this_sg_id
   type              = "egress"
 
-  ipv6_cidr_blocks = split(
+  ipv6_cidr_blocks = compact(split(
     ",",
     lookup(
       var.computed_egress_with_ipv6_cidr_blocks[count.index],
       "ipv6_cidr_blocks",
       join(",", var.egress_ipv6_cidr_blocks),
     ),
-  )
+  ))
   prefix_list_ids = var.egress_prefix_list_ids
   description = lookup(
     var.computed_egress_with_ipv6_cidr_blocks[count.index],