refactor(compute-engine): support multiple VMs via instances map#4

Merged: Lexxick merged 6 commits into main from fix/compute-engine-multi-vm on Jun 16, 2026

@Lexxick Lexxick commented Jun 16, 2026

Summary

Reworks compute-engine to manage many VMs via an instances map (for_each), and stops the module from hard-coding environment identity. Mirrors the github component's repositories pattern.

Changes

  • Multi-VM: single hard-coded instance → instances map fanned out with for_each. VM name = <env>-<key> (e.g. postizdev-postiz). Per-VM spec (machine_type, boot_image, boot_disk_size_gb, zone, assign_public_ip, startup_script, network_tags) moved into each map entry, all optional() with cost-safe defaults.
  • IAM: OS Login + IAP grants fan out member × VM via setproduct on stable keys — adding a VM or member never reindexes existing grants.
  • Env identity out of the module: project_id is now required (no dev-project default → forgotten value fails loudly); access_members defaults to [] (no SSH) instead of named engineers.
  • Outputs: collapse to a single instances map keyed by VM key (name, instance_id, internal_ip, zone, ssh_command).
  • Docs: compute-engine/README.md + CHANGELOG [Unreleased] updated; fixed a stale VM-name string in the instances var description.

Type

  • [ ] feat
  • [ ] fix
  • [x] refactor
  • [ ] docs
  • [ ] ci
  • [ ] chore

⚠️ Breaking: state re-keys google_compute_instance.this → this["<key>"] (IAM members too) — consumers must terragrunt state mv or recreate, and must now set project_id + access_members explicitly.

How to Verify

  1. cd compute-engine/terraform && terraform fmt -check && terraform validate → clean.
  2. In infra-environments-dev, set instances = { ... } + project_id, run terragrunt plan — one VM per map key, no external IP, OS Login + IAP grants per member × VM.
  3. gcloud compute ssh <env>-<key> --tunnel-through-iap (from instances[<key>].ssh_command).

Lexxick and others added 4 commits June 15, 2026 19:14
The original component hardcoded a single google_compute_instance, so the
module could only ever manage one VM. Rework it to fan out over an
instances map (for_each), matching the github component's pattern: per-VM
spec fields carry module defaults and are overridden per entry, IAM grants
fan out over member x instance, and outputs become a per-instance map.
project_id and access_members gain defaults (dev project + the two
engineers) since they are stable across VMs
…empty

A reusable module should know how to build a VM, not where or who. Drop the
dev-project default on project_id (now required — a forgotten value fails loudly
instead of silently provisioning into the wrong project) and default
access_members to [] (no SSH) instead of two named engineers. Cost-safe "how"
defaults (e2-micro, debian-12, 20 GB) unchanged. Refresh README + CHANGELOG for
this and the prior multi-VM instances-map rework.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Drop the dropped `compute-engine` infix; name is `<env>-<key>` (matches main.tf and README).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@Lexxick Lexxick requested a review from opariffazman as a code owner June 16, 2026 03:00
@opariffazman

@Lexxick — review follow-ups to fix (rest LGTM, fmt/validate pass):

Docs (2 nits, output keying):

  • CHANGELOG.md [Unreleased] says outputs are "keyed by VM name" — actually keyed by the map key (short name), not the full <env>-<key> VM name. Change to "keyed by VM key" to match outputs.tf (for k, vm ... : k =>).
  • compute-engine/README.md "What it creates" header reads as if the output key is the VM name. Same fix — it's the short key, not <env>-<key>.

Optional — input validation (parity with github.repositories, which has a validation block):
VM name <env>-<key> must be RFC1035 (lowercase, digits, hyphens, ≤63, start w/ letter). A bad key (uppercase, _, too long) fails at apply, not plan. Cheap guard on the instances var:

validation {
  condition     = alltrue([for k in keys(var.instances) : can(regex("^[a-z][a-z0-9-]*$", k))])
  error_message = "Each instances key must be lowercase alphanumeric/hyphen and start with a letter (RFC1035)."
}

Non-blocking. Docs worth fixing before merge; validation is your call.
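
The member × VM fan-out from the PR description and the naming guard suggested in this review, combined in one added example (not the module's own code). The `environment` variable, the zone default, the `default` network, the choice of `google_compute_instance_iam_member`, and the `lifecycle` precondition on the composed name are assumptions made for illustration.

```hcl
# Added example; names not on the page (environment, zone default) are assumptions.
variable "project_id" { type = string } # required: no default
variable "environment" { type = string }
variable "access_members" {
  type    = list(string)
  default = [] # no SSH access unless the consumer grants it
}
variable "instances" {
  type = map(object({ zone = optional(string, "us-central1-a") }))
}
locals {
  # Key each grant by its own (member, VM key) pair, never by list position.
  grants = {
    for pair in setproduct(var.access_members, keys(var.instances)) :
    "${pair[0]}|${pair[1]}" => { member = pair[0], vm = pair[1] }
  }
}
resource "google_compute_instance" "this" {
  for_each     = var.instances
  project      = var.project_id
  name         = "${var.environment}-${each.key}"
  machine_type = "e2-micro"
  zone         = each.value.zone
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
      size  = 20
    }
  }
  network_interface {
    network = "default" # no access_config block, so no external IP
  }
  lifecycle {
    # Checks the composed <env>-<key> name: 1-63 chars, no trailing hyphen.
    precondition {
      condition     = can(regex("^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$", "${var.environment}-${each.key}"))
      error_message = "VM name <env>-<key> must be a valid RFC1035 label of at most 63 characters."
    }
  }
}
resource "google_compute_instance_iam_member" "os_login" {
  for_each      = local.grants
  project       = var.project_id
  zone          = google_compute_instance.this[each.value.vm].zone
  instance_name = google_compute_instance.this[each.value.vm].name
  role          = "roles/compute.osLogin"
  member        = each.value.member
}
```

Because each grant's address is `os_login["<member>|<key>"]`, adding a member or a VM only creates new addresses in the plan. The precondition also covers the length and trailing-hyphen cases that a pattern on the key alone does not.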

Lexxick added 2 commits June 16, 2026 12:10
…s keys

Review follow-ups from #4:
- CHANGELOG/README: outputs are keyed by the map key (short name), not the
  full <env>-<key> VM name.
- Add RFC1035 validation on instances keys so a bad key fails at plan, not
  apply (parity with github.repositories).

Outputs are keyed by the map key (short name), not the <env>-<key> VM name —
consistency with compute-engine README + CHANGELOG.
@Lexxick Lexxick merged commit 31fb330 into main Jun 16, 2026
3 checks passed
@Lexxick Lexxick deleted the fix/compute-engine-multi-vm branch June 16, 2026 04:20