Add domain:gitlab.com IAP-secured Web App User for all GCP projects managed by terraform

Problem

In production#5740 (comment 707235844) we faced an issue where no one could access the Prometheus server behind IAP. This resulted in us having to manually add users in pre-prometheus, which worked. We also tried adding gitlab.com to that specific resource; however, we still get access denied, so we can only add specific users and not domains.

Looking at gitlab-staging, gitlab-production and gitlab-org-ci, they seem to have added this IAM policy at the project level rather than at the resource level.


Proposal

Edited by Steve Xuereb
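
An added Terraform sketch, not taken from the issue or from GitLab's own configuration, showing the project-level grant described above beside the per-resource form. The variable name, resource names, project ID list and backend service name are assumptions for illustration.

```hcl
# Added example. The project names come from the issue text and are assumed
# here to be usable as project IDs; replace them with the real IDs.
variable "iap_projects" {
  description = "GCP projects that should allow the whole domain through IAP (hypothetical variable)"
  type        = set(string)
  default     = ["gitlab-staging", "gitlab-production", "gitlab-org-ci"]
}

# Project-level grant: every IAP-protected web resource in the project
# inherits it. google_project_iam_member is non-authoritative, so existing
# members of the role (such as manually added users) are left in place.
resource "google_project_iam_member" "iap_domain_access" {
  for_each = var.iap_projects

  project = each.value
  role    = "roles/iap.httpsResourceAccessor" # "IAP-secured Web App User"
  member  = "domain:gitlab.com"
}

# Resource-level form, for comparison: scoped to one backend service only.
# "PLACEHOLDER-prometheus-backend" is a made-up backend service name.
resource "google_iap_web_backend_service_iam_member" "prometheus_domain_access" {
  project             = "gitlab-staging"
  web_backend_service = "PLACEHOLDER-prometheus-backend"
  role                = "roles/iap.httpsResourceAccessor"
  member              = "domain:gitlab.com"
}
```

The project-level binding is broader than the per-resource one: it admits the whole domain to every IAP-secured application in that project, so review which services sit behind IAP in each project before applying it.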