Context improvements: "all service accounts" principal in folder, org, project modules; custom roles in factory condition vars for FAST stage 0 (#3548)

* iam principalsets

* fix folder

* add custom roles to factory condition vars in stage 0

* project shared vpc IAM

tests/modules/organization/context.tfvars

@@ -49,7 +49,8 @@ iam = {
     "$iam_principals:myuser"
   ]
   "roles/viewer" = [
-    "$iam_principals:mysa"
+    "$iam_principals:mysa",
+    "$iam_principalsets:service_accounts/all"
   ]
 }
 iam_by_principals = {

tests/modules/organization/context.yaml

@@ -104,6 +104,7 @@ values:
   google_organization_iam_binding.authoritative["roles/viewer"]:
     condition: []
     members:
+    - principalSet://cloudresourcemanager.googleapis.com/organizations/1234567890/type/ServiceAccount
     - serviceAccount:test@test-project.iam.gserviceaccount.com
     org_id: '1234567890'
     role: roles/viewer