From a5b786c2e06405442d7e777e038438c1d25ea663 Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Sat, 31 May 2025 18:11:07 +0200
Subject: [PATCH] Interpolate egress_to resources in enforced perimeter config (#3127)
---
 modules/vpc-sc/perimeters.tf | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/modules/vpc-sc/perimeters.tf b/modules/vpc-sc/perimeters.tf
index 32faad850..ecf92fc33 100644
--- a/modules/vpc-sc/perimeters.tf
+++ b/modules/vpc-sc/perimeters.tf
@@ -289,8 +289,13 @@ resource "google_access_context_manager_service_perimeter" "regular" {
 for_each = policy.value.to == null ? [] : [""]
 content {
 external_resources = policy.value.to.external_resources
- resources = policy.value.to.resources
- roles = policy.value.to.roles
+ resources = flatten([
+ for r in policy.value.to.resources : try(
+ var.factories_config.context.resource_sets[r],
+ [local.project_number[r]], [r]
+ )
+ ])
+ roles = policy.value.to.roles
 dynamic "operations" {
 for_each = toset(policy.value.to.operations)
 iterator = o
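Review bot: The `try(...)` chain in the new `resources` expression falls through silently to the literal `[r]`, so a misspelled resource-set name or project alias in an egress rule is passed to the perimeter as a raw string and only surfaces at apply time, if at all. Since this list defines which destinations enforced egress may reach, the resolution order deserves a comment above the expression, for example `# each entry resolves as: resource set name -> its members; project alias -> project number; otherwise used verbatim`, and ideally a variable validation that rejects entries matching none of the three forms. Separately, if `to.resources` is allowed to be null (its type is not visible here), the `for` expression would fail where the old plain assignment passed null through; `for r in coalesce(policy.value.to.resources, []) : try(` would guard that. The enclosing resource block starts and ends outside the hunk.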