diff --git a/examples/data-solutions/data-platform-foundations/main.tf b/examples/data-solutions/data-platform-foundations/main.tf
index dcf0bf8a..59a2f33b 100644
--- a/examples/data-solutions/data-platform-foundations/main.tf
+++ b/examples/data-solutions/data-platform-foundations/main.tf
@@ -15,6 +15,20 @@
 # tfdoc:file:description Core locals.
 
 locals {
+  # we cannot reference service accounts directly as they are dynamic
+  _shared_vpc_bindings = {
+    "roles/compute.networkUser" = [
+      "load-robot-df", "load-sa-df-worker",
+      "orch-cloudservices", "orch-robot-df", "orch-robot-gke",
+      "transf-robot-df", "transf-sa-df-worker",
+    ]
+    "roles/composer.sharedVpcAgent" = [
+      "orch-robot-cs"
+    ]
+    "roles/container.hostServiceAgentUser" = [
+      "orch-robot-df"
+    ]
+  }
   groups = {
     for k, v in var.groups : k => "${v}@${var.organization_domain}"
   }
@@ -23,33 +37,31 @@ locals {
   }
   service_encryption_keys = var.service_encryption_keys
   shared_vpc_project      = try(var.network_config.host_project, null)
-  shared_vpc_roles = {
-    "roles/compute.networkUser" = [
-      # load Dataflow service agent and worker service account
-      module.load-project.service_accounts.robots.dataflow,
-      module.load-sa-df-0.iam_email,
-      module.transf-project.service_accounts.robots.dataflow,
-      module.transf-sa-df-0.iam_email,
-      # orchestration Composer service agents
-      module.orch-project.service_accounts.cloud_services,
-      module.orch-project.service_accounts.robots.container-engine,
-      module.orch-project.service_accounts.robots.dataflow,
-    ],
-    "roles/composer.sharedVpcAgent" = [
-      # orchestration Composer service agent
-      module.orch-project.service_accounts.robots.composer
-    ],
-    "roles/container.hostServiceAgentUser" = [
-      # orchestration Composer service agents
-      module.orch-project.service_accounts.robots.dataflow,
-    ]
+  # this is needed so that for_each only uses static values
+  shared_vpc_role_members = {
+    load-robot-df       = module.load-project.service_accounts.robots.dataflow
+    load-sa-df-worker   = module.load-sa-df-0.iam_email
+    orch-cloudservices  = module.orch-project.service_accounts.cloud_services
+    orch-robot-cs       = module.orch-project.service_accounts.robots.composer
+    orch-robot-df       = module.orch-project.service_accounts.robots.dataflow
+    orch-robot-gke      = module.orch-project.service_accounts.robots.container-engine
+    transf-robot-df     = module.transf-project.service_accounts.robots.dataflow
+    transf-sa-df-worker = module.transf-sa-df-0.iam_email
+  }
+  # reassemble in a format suitable for for_each
+  shared_vpc_bindings_map = {
+    for binding in flatten([
+      for role, members in local._shared_vpc_bindings : [
+        for member in members : { role = role, member = member }
+      ]
+    ]) : "${binding.role}-${binding.member}" => binding
   }
   use_shared_vpc = var.network_config != null
 }
 
-resource "google_project_iam_binding" "shared_vpc_roles" {
-  for_each = local.use_shared_vpc ? null : local.shared_vpc_roles
-  project  = try(var.network_config.host_project, null)
-  role     = each.key
-  members  = each.value
+resource "google_project_iam_member" "shared_vpc" {
+  for_each = local.use_shared_vpc ? local.shared_vpc_bindings_map : {}
+  project  = var.network_config.host_project
+  role     = each.value.role
+  member   = lookup(local.shared_vpc_role_members, each.value.member)
 }