@hazcod
Last active October 15, 2019 05:51
locals {
  # Ports every Swarm node accepts: SSH, HTTP/HTTPS and the 7946 gossip port.
  # 443 replaces the original 433, which did not match the "HTTP(S)" description.
  # var.ssh_port is referenced directly: the "${...}"-only form is deprecated in
  # Terraform 0.12, which is the version that introduced the dynamic blocks below.
  instanceTcpPorts = [var.ssh_port, 80, 443, 7946]
  # Gossip (7946) and the VXLAN overlay network (4789) run over UDP.
  instanceUdpPorts = [7946, 4789]
  # Managers additionally expose 2377, the cluster-management (node join) port.
  managerTcpPorts = [var.ssh_port, 80, 443, 2377, 7946]
  managerUdpPorts = [7946, 4789]
}

# None of the rules below set a source range, so every listed port is reachable
# from any address. The Swarm-internal ports (2377, 7946, 4789) only need to be
# reachable from the other nodes; restricting them to the nodes' own address
# range (e.g. with the rule's ip_range argument) is the usual hardening step.
resource "scaleway_security_group" "swarm_instance" {
  name                    = "swarm_instances"
  description             = "Allow SSH, HTTP(S) and internal Swarm traffic"
  inbound_default_policy  = "drop"
  outbound_default_policy = "accept"
  stateful                = true

  dynamic "inbound_rule" {
    # Was local.tcpPorts, which is not defined in locals; the instance list is meant here.
    for_each = local.instanceTcpPorts
    content {
      action   = "accept"
      port     = inbound_rule.value
      protocol = "TCP"
    }
  }

  dynamic "inbound_rule" {
    # Was local.udpPorts, likewise undefined.
    for_each = local.instanceUdpPorts
    content {
      action   = "accept"
      port     = inbound_rule.value
      protocol = "UDP"
    }
  }
}

resource "scaleway_security_group" "swarm_manager" {
  name                    = "swarm_managers"
  description             = "Allow SSH, HTTP(S), the 2377 management port and internal Swarm traffic"
  inbound_default_policy  = "drop"
  outbound_default_policy = "accept"
  stateful                = true

  dynamic "inbound_rule" {
    for_each = local.managerTcpPorts
    content {
      action   = "accept"
      port     = inbound_rule.value
      protocol = "TCP"
    }
  }

  dynamic "inbound_rule" {
    for_each = local.managerUdpPorts
    content {
      action   = "accept"
      port     = inbound_rule.value
      protocol = "UDP"
    }
  }
}
hazcod commented Oct 15, 2019

That's indeed a really clean way to do that @kindermoumoute! Thanks!
I will adapt this gist and my code at https://github.com/ironPeakServices/infrastructure/blob/feat/dockersecurity/modules/node/security-groups.tf
I might split it up so the swarm manager ports are not being exposed on regular swarm instances.
