Add support for service account IAM variables to pf

[ludoo]

This PR extends the project factory so that its fundamental design principle -- that the pf mostly wraps modules and exposes their full interface -- is also true for service accounts.

The practical use cases for this change are several, for example:

• assigning compute/networkUser role on shared VPC hosts to GCE service accounts
• assigning arbitrary additive project/storage/folder/org/billing roles to application-level service accounts

The project factory interface for service accounts still supports as its default use case assigning roles to the project defined in YAML where the service accounts is created, with a slight change in names: where before we used iam_project_roles to specify the list of roles for the current project, we now use iam_self_roles as the previous name clashes with the underlying service account module's interface.

The new interface looks like this:

```yaml
service_accounts:
  be-0: {}
  fe-1:
    display_name: GCE frontend service account.
    iam_self_roles:
      - roles/storage.objectViewer
    iam_project_roles:
      my-host-project:
        - roles/compute.networkUser