fix(project-factory): Correctly interpolate IAM principals in tags (#3704)

* fix(project-factory): Correctly interpolate IAM principals in tags

Moves the processing of `tags` and `tag_bindings` from the `projects` module instance to the `projects-iam` instance.

This fixes a bug where IAM principals for automation service accounts, referenced via `$iam_principals:service_accounts/...`, were not being interpolated within `tags` IAM definitions. The `projects` module was called before the automation service account context was available, leading to the literal string being used instead of the service account email. Processing tags in the `projects-iam` module ensures the full context is available for interpolation.

Adds new tests for both the `project` and `project-factory` modules to validate the fix.

* fix(project-factory): Tag creation is now done in 2 steps.

1st step(projects): Creation of the tags without IAM bindings
2nd step(projects-iam): IAM bindings without creating the tags again
That way we are more backwards compatible as tags and tags values are back to be under  module.project-factory.module.projects["*"].google_tags_tag_*

* fix(modules/project-factory): introduce fix suggested by @ludoo, fix logs

* fix(modules/project-factory): fix linting

---------

Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>

modules/project-factory/README.md

@@ -47,6 +47,7 @@ The code is meant to be executed by a high level service account with powerful p
 - [Variables](#variables)
 - [Outputs](#outputs)
 - [Tests](#tests)
+  - [Tags with $iam_principals interpolation](#tags-with-iam_principals-interpolation)
 <!-- END TOC -->
 
 ## Folder hierarchy
@@ -927,3 +928,50 @@ services:
   - storage.googleapis.com
 # tftest-file id=test-2 path=data/projects/test-2.yaml
 ```
+
+### Tags with $iam_principals interpolation
+
+This test validates that `$iam_principals:service_accounts/...` interpolation works correctly
+within tags IAM definitions when referencing automation service accounts created by the same
+project-factory.
+
+```hcl
+module "project-factory" {
+  source = "./fabric/modules/project-factory"
+  data_defaults = {
+    billing_account = "012345-67890A-ABCDEF"
+    locations = {
+      storage = "eu"
+    }
+  }
+  data_overrides = {
+    prefix = "test-pf"
+  }
+  factories_config = {
+    projects = "data/projects"
+  }
+}
+# tftest modules=5 resources=9 files=tags-iam-test inventory=tags_iam_principals_bug.yaml
+```
+
+```yaml
+parent: folders/1234567890
+services:
+  - resourcemanager.googleapis.com
+automation:
+  project: test-pf-teams-iac-0
+  service_accounts:
+    rw:
+      description: Read/write automation service account.
+tags:
+  allow-key-creation:
+    description: Allow key creation for automation service account
+    values:
+      allow:
+        description: Allow key creation
+        iam:
+          roles/resourcemanager.tagUser:
+            - $iam_principals:service_accounts/tags-iam-test/automation/rw
+# tftest-file id=tags-iam-test path=data/projects/tags-iam-test.yaml
+```
+

modules/project-factory/projects.tf

@@ -133,7 +133,10 @@ module "projects" {
   tag_bindings = merge(
     each.value.tag_bindings, var.data_merges.tag_bindings
   )
-  tags                    = each.value.tags
+  tags = each.value.tags
+  tags_config = {
+    ignore_iam = true
+  }
   universe                = each.value.universe
   vpc_sc                  = each.value.vpc_sc
   workload_identity_pools = each.value.workload_identity_pools
@@ -186,5 +189,9 @@ module "projects-iam" {
   )
   shared_vpc_host_config    = each.value.shared_vpc_host_config
   shared_vpc_service_config = each.value.shared_vpc_service_config
-  universe                  = each.value.universe
+  tags                      = each.value.tags
+  tags_config = {
+    force_context_ids = true
+  }
+  universe = each.value.universe
 }