VPC Service Controls lets you isolate resources of a supported multi-tenant Google Cloud service to mitigate data exfiltration risks. You can use Terraform to add a project in a folder to a service perimeter.
To automatically add a folder to a service perimeter, you can use Cloud Run functions. When the function detects a new project being added to the folder, it executes the Terraform script to add the new project to the perimeter. Similarly, the function automatically removes projects from the perimeter if they are moved out of the folder.
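The Terraform side of this setup, as an added example that is not code from the page or from Google's own Automatically secured folder solution: it enumerates the active projects directly under a folder and declares one perimeter membership per project, so that a re-run (for example, triggered by the Cloud Run function described above) adds projects that entered the folder and removes those that left. The variables `folder_id`, `access_policy_id` and `perimeter_name` are assumed placeholders; the perimeter and access policy are assumed to already exist.

```hcl
# Added example (not from the page): reconcile the projects under a folder
# with the membership of an existing VPC Service Controls perimeter.
# Placeholders (assumed): var.folder_id, var.access_policy_id, var.perimeter_name.

terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
  }
}

variable "folder_id" {
  description = "Numeric ID of the folder whose projects must stay inside the perimeter (placeholder)"
  type        = string
}

variable "access_policy_id" {
  description = "Numeric ID of the Access Context Manager access policy (placeholder)"
  type        = string
}

variable "perimeter_name" {
  description = "Short name of the existing service perimeter (placeholder)"
  type        = string
}

# List active projects whose direct parent is the folder. Projects that were
# moved out of the folder (or deleted) no longer appear here, so the next
# apply drops their perimeter entries; new projects get an entry added.
data "google_projects" "in_folder" {
  filter = "parent.type:folder parent.id:${var.folder_id} lifecycleState:ACTIVE"
}

# One resource instance per project, keyed by project ID so that a plan shows
# exactly which project is being added to or removed from the perimeter.
# Perimeter membership is by project number, not project ID.
resource "google_access_context_manager_service_perimeter_resource" "folder_projects" {
  for_each = { for p in data.google_projects.in_folder.projects : p.project_id => p.number }

  perimeter_name = "accessPolicies/${var.access_policy_id}/servicePerimeters/${var.perimeter_name}"
  resource       = "projects/${each.value}"
}

# Sorted list of "projects/NUMBER" entries currently managed in the perimeter,
# useful as an audit record after each reconciliation run.
output "perimeter_projects" {
  value = sort([for r in google_access_context_manager_service_perimeter_resource.folder_projects : r.resource])
}
```

Two practical points when running this from an automated function: the identity executing `terraform apply` needs Access Context Manager editor rights on the access policy plus permission to list projects under the folder, and nothing more; and if the perimeter itself is also managed in Terraform, set `lifecycle { ignore_changes = [status[0].resources] }` on the `google_access_context_manager_service_perimeter` resource, otherwise the perimeter resource and the per-project membership resources will fight over the same `resources` list on every apply.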
For more information, see Automatically secured folder.