Make service agents work in different universes (#2894)

* Make service agents work in different universes

* Use templatestring and two passes for service agent emails

* Fix tests

tests/modules/gke_hub/examples/full.yaml

@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -235,7 +235,7 @@ values:
   module.project.google_project_iam_member.service_agents["gkenode"]:
     condition: []
     project: gkehub-test
-    role: roles/container.nodeServiceAgent
+    role: roles/container.defaultNodeServiceAgent
   module.project.google_project_iam_member.service_agents["mcsd"]:
     condition: []
     project: gkehub-test

tests/modules/project/examples/basic.yaml

@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -30,7 +30,7 @@ values:
   module.project.google_project_iam_member.service_agents["gkenode"]:
     condition: []
     project: test-project
-    role: roles/container.nodeServiceAgent
+    role: roles/container.defaultNodeServiceAgent
   module.project.google_project_service.project_services["container.googleapis.com"]:
     disable_dependent_services: false
     disable_on_destroy: false

tests/modules/project/examples/data.yaml

@@ -360,7 +360,7 @@ values:
   module.project.google_project_iam_member.service_agents["gkenode"]:
     condition: []
     project: test-project
-    role: roles/container.nodeServiceAgent
+    role: roles/container.defaultNodeServiceAgent
   module.project.google_project_iam_member.service_agents["serverless-robot-prod"]:
     condition: []
     project: test-project

tests/modules/project/examples/iam-authoritative.yaml

@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -36,7 +36,7 @@ values:
   module.project.google_project_iam_member.service_agents["gkenode"]:
     condition: []
     project: test-project
-    role: roles/container.nodeServiceAgent
+    role: roles/container.defaultNodeServiceAgent
   module.project.google_project_service.project_services["container.googleapis.com"]:
     disable_dependent_services: false
     disable_on_destroy: false

tests/modules/project/examples/shared-vpc-auto-grants.yaml

@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -48,7 +48,7 @@ values:
   module.service-project.google_project_iam_member.service_agents["gkenode"]:
     condition: []
     project: test-service
-    role: roles/container.nodeServiceAgent
+    role: roles/container.defaultNodeServiceAgent
   module.service-project.google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:cloudservices"]:
     condition: []
     project: test-host

tests/modules/project/examples/shared-vpc-host-project-iam.yaml

@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -65,7 +65,7 @@ values:
   module.service-project.google_project_iam_member.service_agents["gkenode"]:
     condition: []
     project: test-service
-    role: roles/container.nodeServiceAgent
+    role: roles/container.defaultNodeServiceAgent
   module.service-project.google_project_iam_member.shared_vpc_host_iam["group:organization-admins@example.org"]:
     condition: []
     member: group:organization-admins@example.org

tests/modules/project/examples/shared-vpc.yaml

@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -48,7 +48,7 @@ values:
   module.service-project.google_project_iam_member.service_agents["gkenode"]:
     condition: []
     project: test-service
-    role: roles/container.nodeServiceAgent
+    role: roles/container.defaultNodeServiceAgent
   module.service-project.google_project_iam_member.service_agents["serverless-robot-prod"]:
     condition: []
     project: test-service

tests/modules/project_factory/examples/example.yaml

@@ -173,7 +173,7 @@ values:
   module.project-factory.module.projects["dev-ta-app0-be"].google_project_iam_member.service_agents["gkenode"]:
     condition: []
     project: test-pf-dev-ta-app0-be
-    role: roles/container.nodeServiceAgent
+    role: roles/container.defaultNodeServiceAgent
   ? module.project-factory.module.projects["dev-ta-app0-be"].google_project_iam_member.shared_vpc_host_iam["group:gcp-devops@example.org"]
   : condition: []
     member: group:gcp-devops@example.org
@@ -305,7 +305,7 @@ values:
   module.project-factory.module.projects["teams-iac-0"].google_project_iam_member.service_agents["gkenode"]:
     condition: []
     project: test-pf-teams-iac-0
-    role: roles/container.nodeServiceAgent
+    role: roles/container.defaultNodeServiceAgent
   module.project-factory.module.projects["teams-iac-0"].google_project_service.project_services["container.googleapis.com"]:
     disable_dependent_services: false
     disable_on_destroy: false