Fix/dlpagent (#1868)

Create DLP Service Account on service activation.

blueprints/data-solutions/data-platform-foundations/README.md

@@ -228,7 +228,7 @@ module "data-platform" {
   }
   prefix = "myprefix"
 }
-# tftest modules=43 resources=290
+# tftest modules=43 resources=293
 ```
 
 ## Customizations

blueprints/data-solutions/data-platform-minimal/README.md

@@ -229,7 +229,7 @@ module "data-platform" {
   prefix = "myprefix"
 }
 
-# tftest modules=23 resources=137
+# tftest modules=23 resources=138
 ```
 
 ## Customizations

modules/project/README.md

@@ -219,6 +219,7 @@ This table lists all affected services and roles that you need to grant to servi
 | cloudasset.googleapis.com | cloudasset | roles/cloudasset.serviceAgent |
 | cloudbuild.googleapis.com | cloudbuild | roles/cloudbuild.builds.builder |
 | dataplex.googleapis.com | dataplex | roles/dataplex.serviceAgent |
+| dlp.googleapis.com | dlp | roles/dlp.serviceAgent |
 | gkehub.googleapis.com | fleet | roles/gkehub.serviceAgent |
 | meshconfig.googleapis.com | servicemesh | roles/anthosservicemesh.serviceAgent |
 | multiclusteringress.googleapis.com | multicluster-ingress | roles/multiclusteringress.serviceAgent |

modules/project/service-agents.yaml

@@ -169,6 +169,7 @@
   # dlp                          ="organizations-ORGANIZATION_NUMBER@gcp-sa-riskmanager"
 - name: "dlp"
   service_agent: "service-%s@dlp-api.iam.gserviceaccount.com"
+  jit: true
 - name: "documentai"
   service_agent: "service-%s@gcp-sa-prod-dai-core.iam.gserviceaccount.com"
 - name: "edgecontainer"