Add conditional grants on security to pf service account in FAST stage 0 (#3338)

fast/stages/0-org-setup/data/folders/security/.config.yaml

@@ -26,3 +26,19 @@ iam_by_principals:
     - roles/viewer
     - roles/resourcemanager.folderViewer
     - roles/resourcemanager.tagViewer
+  $iam_principals:service_accounts/iac-0/iac-pf-rw:
+    - roles/cloudkms.cryptoKeyEncrypterDecrypter
+  $iam_principals:service_accounts/iac-0/iac-pf-ro:
+    - roles/cloudkms.viewer
+    - $custom_roles:project_iam_viewer
+iam_bindings:
+  project_factory:
+    role: roles/resourcemanager.projectIamAdmin
+    members:
+      - $iam_principals:service_accounts/iac-0/iac-pf-rw
+    condition:
+      title: Project factory delegated IAM grant.
+      expression: |
+        api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([
+          'roles/cloudkms.cryptoKeyEncrypterDecrypter'
+        ])

tests/fast/stages/s0_org_setup/not-simple.yaml

@@ -2619,7 +2619,7 @@ counts:
   google_bigquery_default_service_account: 1
   google_billing_account_iam_member: 5
   google_folder: 8
-  google_folder_iam_binding: 40
+  google_folder_iam_binding: 44
   google_iam_workload_identity_pool: 1
   google_iam_workload_identity_pool_provider: 1
   google_logging_organization_settings: 1
@@ -2648,5 +2648,5 @@ counts:
   google_tags_tag_value_iam_binding: 4
   local_file: 9
   modules: 43
-  resources: 288
+  resources: 292
   terraform_data: 2