So this makes a Google SA. Attaches some Roles to it (optional) and then the most important bit, it adds the `roles/iam.workloadIdentityUser` role. Notice the kubernetes service account and namespace are in the `member` line.

workload-identity.tf

resource "google_service_account" "gsa" {
  account_id   = local.gsa_name
  display_name = "${var.name} K8s Service Account"
  project      = var.project_id
}

resource "google_project_iam_member" "gsa-roles" {
  count   = length(var.gsa_roles)
  project = var.project_id
  role    = var.gsa_roles[count.index]
  member  = "serviceAccount:${google_service_account.gsa.email}"
}

resource "google_service_account_iam_member" "gsa-kda-policy-binding" {
  service_account_id = google_service_account.gsa.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${kubernetes_service_account.ksa.metadata.0.name}]"
}

kubernetes_service_account.ksa.metadata.0.name is because we actually used terraform to make that kubernetes service account :)