feat: allow passing roles to created Workload Identity service account (

#708)

modules/workload-identity/README.md

@@ -20,6 +20,7 @@ module "my-app-workload-identity" {
   name       = "my-application-name"
   namespace  = "default"
   project_id = "my-gcp-project-name"
+  roles = ["roles/storage.Admin", "roles/compute.Admin"]
 }
 ```
 
@@ -75,6 +76,7 @@ module "my-app-workload-identity" {
 | name | Name for both service accounts. The GCP SA will be truncated to the first 30 chars if necessary. | string | n/a | yes |
 | namespace | Namespace for k8s service account | string | `"default"` | no |
 | project\_id | GCP project ID | string | n/a | yes |
+| roles | (optional) A list of roles to be added to the created Service account | list(string) | `<list>` | no |
 | use\_existing\_k8s\_sa | Use an existing kubernetes service account instead of creating one | bool | `"false"` | no |
 
 ## Outputs

modules/workload-identity/main.tf

@@ -64,3 +64,12 @@ resource "google_service_account_iam_member" "main" {
   role               = "roles/iam.workloadIdentityUser"
   member             = local.k8s_sa_gcp_derived_name
 }
+
+
+resource "google_project_iam_member" "workload_identity_sa_bindings" {
+  for_each = toset(var.roles)
+
+  project = var.project_id
+  role    = each.value
+  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+}

modules/workload-identity/variables.tf

@@ -59,3 +59,9 @@ variable "automount_service_account_token" {
   default     = false
   type        = bool
 }
+
+variable "roles" {
+  type        = list(string)
+  default     = []
+  description = "(optional) A list of roles to be added to the created Service account"
+}