feat: allow passing roles to created Workload Identity service account (terraform-google-modules#708)

Author: MeNsaaH

modules/workload-identity/README.md

@@ -20,6 +20,7 @@ module "my-app-workload-identity" {
  name = "my-application-name"
  namespace = "default"
  project_id = "my-gcp-project-name"
+ roles = ["roles/storage.Admin", "roles/compute.Admin"]
 }
 ```
 
@@ -75,6 +76,7 @@ module "my-app-workload-identity" {
 | name | Name for both service accounts. The GCP SA will be truncated to the first 30 chars if necessary. | string | n/a | yes |
 | namespace | Namespace for k8s service account | string | `"default"` | no |
 | project\_id | GCP project ID | string | n/a | yes |
+| roles | (optional) A list of roles to be added to the created Service account | list(string) | `<list>` | no |
 | use\_existing\_k8s\_sa | Use an existing kubernetes service account instead of creating one | bool | `"false"` | no |
 
 ## Outputs

modules/workload-identity/main.tf

@@ -64,3 +64,12 @@ resource "google_service_account_iam_member" "main" {
  role = "roles/iam.workloadIdentityUser"
  member = local.k8s_sa_gcp_derived_name
 }
+
+
+resource "google_project_iam_member" "workload_identity_sa_bindings" {
+ for_each = toset(var.roles)
+
+ project = var.project_id
+ role = each.value
+ member = "serviceAccount:${google_service_account.cluster_service_account.email}"
+}

modules/workload-identity/variables.tf

@@ -59,3 +59,9 @@ variable "automount_service_account_token" {
  default = false
  type = bool
 }
+
+variable "roles" {
+ type = list(string)
+ default = []
+ description = "(optional) A list of roles to be added to the created Service account"
+}