Make service agents work in different universes (GoogleCloudPlatform#2894)

* Make service agents work in different universes

* Use templatestring and two passes for service agent emails

* Fix tests

Author: juliocc

blueprints/data-solutions/bq-ml/README.md

@@ -97,5 +97,5 @@ module "test" {
   prefix     = "prefix"
 }
 
-# tftest modules=9 resources=69
+# tftest modules=9 resources=70
 ```

blueprints/data-solutions/data-playground/README.md

@@ -84,5 +84,5 @@ module "test" {
     parent             = "folders/467898377"
   }
 }
-# tftest modules=8 resources=68
+# tftest modules=8 resources=69
 ```

blueprints/data-solutions/vertex-mlops/README.md

@@ -72,7 +72,7 @@ module "test" {
     project_id         = "test-dev"
   }
 }
-# tftest modules=11 resources=90
+# tftest modules=11 resources=91
 ```
 <!-- BEGIN TFDOC -->
 ## Variables
@@ -128,5 +128,5 @@ module "test" {
     project_id         = "test-dev"
   }
 }
-# tftest modules=13 resources=95 e2e
+# tftest modules=13 resources=96 e2e
 ```

modules/project/README.md

@@ -269,7 +269,7 @@ service_agents = {
     "email" = "[email protected]"
     "iam_email" = "serviceAccount:[email protected]"
     "is_primary" = false
-    "role" = "roles/container.nodeServiceAgent"
+    "role" = "roles/container.defaultNodeServiceAgent"
   }
 }
 ```

modules/project/service-agents.tf

@@ -26,17 +26,31 @@ locals {
     for agent in local._service_agents_data :
     coalesce(agent.api, "cloudservices") => agent... # cloudservices api is null
   }
+  _universe_domain = (
+    var.universe == null
+    ? ""
+    : "${var.universe.prefix}-system."
+  )
   # map of service agent name => agent details for this project
-  _project_service_agents = merge([
+  _project_service_agents_0 = merge([
     for api in concat(local.services, ["cloudservices"]) : {
       for agent in lookup(local._service_agents_by_api, api, []) :
       (agent.name) => merge(agent, {
-        email      = format(agent.identity, local.project.number)
-        iam_email  = "serviceAccount:${format(agent.identity, local.project.number)}"
-        create_jit = api == "cloudservices" || contains(local.available_services, api)
+        email = (
+          var.universe == null || api != "cloudservices"
+          ? templatestring(agent.identity, { project_number = local.project.number, universe_domain = local._universe_domain })
+          : format("%s@cloudservices.%siam.gserviceaccount.com", local.project.number, local._universe_domain)
+        )
       })
     }
   ]...)
+  _project_service_agents = {
+    for k, v in local._project_service_agents_0 :
+    k => merge(v, {
+      iam_email  = "serviceAccount:${v.email}"
+      create_jit = v.api == null ? false : contains(local.available_services, v.api)
+    })
+  }
   # list of APIs with primary agents that should be created for the
   # current project, if the user requested it
   primary_service_agents = [