
GCP terraform-google-project-factory multiple projects update the service account with new bindings?

I am using the terraform-google-project-factory module to create multiple GCP projects at once. The projects create just fine, and I am using the included option to disable the default GCP compute service account and stand up a new Service Account in each project. The module has an "sa_role" input where I assign "roles/compute.admin" to the new S.A. However, I would also like to assign some additional IAM roles to that Service Account in the same deployment. The sa_role input seems to only take one string value:

module "project-factory" {
  source                  = "terraform-google-modules/project-factory/google"
  version                 = "12.0.0"
  for_each                = toset(local.project_names)
  random_project_id       = true
  name                    = each.key
  org_id                  = local.organization_id
  billing_account         = local.billing_account
  folder_id               = google_folder.DQS.id
  default_service_account = "disable"
  default_network_tier    = "PREMIUM"
  create_project_sa       = true
  auto_create_network     = false
  project_sa_name         = local.service_account
  sa_role                 = ["roles/compute.admin"]
  activate_apis           = ["compute.googleapis.com","storage.googleapis.com","oslogin.googleapis.com",]
}

The output for the Service Account email looks like this:

output "service_account_email" {
  value       = values(module.project-factory)[*].service_account_email
  description = "The email of the default service account"
}

How can I add additional IAM roles to this Service Account in the same main.tf? This Stack article comes close to what I wish to achieve: Want to assign multiple Google cloud IAM roles against a service account via terraform

However, I do not know how to reference my Service Account email addresses from the outputs.tf to make them available to the `members =` part of the `data "google_iam_policy"`. My question is: how do I get this to work with `data "google_iam_policy"`, or is there another, better way to do this?

Tags: google-cloud-platform, terraform, project, service-accounts, google-iam
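The following is an added example, not code from the question or from the terraform-google-project-factory module itself, showing one way to grant extra project-level roles to the per-project service account the module creates. It assumes the `module "project-factory"` block from the question (keyed by `for_each` over `local.project_names`) and relies on the module's `service_account_email` and `project_id` outputs; the roles in `extra_sa_roles` are placeholders chosen for illustration.

```hcl
# Added example: extra IAM roles for each project's service account.
# Assumes module "project-factory" from the question, with for_each over
# local.project_names, and its service_account_email / project_id outputs.

locals {
  # Placeholder roles to add on top of sa_role; substitute your own.
  extra_sa_roles = [
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
  ]

  # Build one (project, role) pair per binding so for_each gets stable keys.
  # keys(module.project-factory) are the same keys used by the module's for_each.
  sa_role_bindings = {
    for pair in setproduct(keys(module.project-factory), local.extra_sa_roles) :
    "${pair[0]}/${pair[1]}" => {
      project_key = pair[0]
      role        = pair[1]
    }
  }
}

# Additive binding: Terraform manages only this member/role pair in each
# project and leaves every other binding alone. This is the least-privilege
# friendly choice compared with an authoritative google_project_iam_policy,
# which would replace the project's entire IAM policy.
resource "google_project_iam_member" "project_sa_extra" {
  for_each = local.sa_role_bindings

  project = module.project-factory[each.value.project_key].project_id
  role    = each.value.role
  member  = "serviceAccount:${module.project-factory[each.value.project_key].service_account_email}"
}
```

Two points on the design. First, you do not need to go through outputs.tf at all: within the same root module the service account email is reachable directly as `module.project-factory[<key>].service_account_email`, and `output` blocks only expose it to callers of this configuration. Second, the `data "google_iam_policy"` approach from the linked question is authoritative: wherever it is applied it overwrites the existing policy, so a binding someone added outside Terraform (or one the project-factory module itself set) would be silently removed on the next apply. `google_project_iam_member` avoids that by managing only the pairs listed in `extra_sa_roles`, which is also easier to audit in plan output.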

0 Answers
