Allow granting network user role on host project from project module and factory

[simonebruzzechesse]

This PR updates Shared VPC config for project factory and project module for fine grained Shared VPC configuration. It adds the following attributes to shared_vpc_service_config variable:

• subnets_iam: for subnet level IAM binding for non API services identities
• host_project_iam: for granting network user role to identities other than API services

It update project module documentation adding reference for Shared VPC configuration (IAM permissions assigned at subnet level + org policy for restricting subnets available on the newly created project). It provides example usage of the new attributes in 2 examples (with new test cases).

Fixes #1929

This PR

I applicable, I acknowledge that I have:

• Read the contributing guide
• Ran terraform fmt on all modified files
• Regenerated the relevant README.md files using tools/tfdoc.py
• Made sure all relevant tests pass

[ludoo]

wow you're fast :)

[simonebruzzechesse]

wow you're fast :)

Not that fast.. I started workingon this yesterday! :)

[ludoo]

Great work Simo, thanks for this. Dropped a few comments mainly on variable naming and the README wording, once those are addressed this is good to go from my PoV.

[simonebruzzechesse]

Great work Simo, thanks for this. Dropped a few comments mainly on variable naming and the README wording, once those are addressed this is good to go from my PoV.

Thanks for the feedback and comments, I updated the PR with your improvements! WRT what you suggested I just kept the reference example for the Shared VPC being, IMHO, the best configuration which suits most of the use cases. WDYT?

[ludoo]

I don't think it's a reference as I wrote twice :) I would just move the org policy to the project-level IAM example, and scrap the last example.

[ludoo]

Thanks Simo!!!