How do I create the workload identity IAM bindings in Terraform?

Hey folks.

The workload identity docs have:

gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:project-id.svc.id.goog[k8s-namespace/ksa-name]" \
  gsa-name@project-id.iam.gserviceaccount.com

Notice the trailing bit there. I cannot for the life of me figure out how to combine something like iam member with something else to come up with the equivalent command in TF.

Ideas?
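
An added example, not part of the original post: a Terraform equivalent of the gcloud command above, using the Google provider's `google_service_account_iam_member` resource. The trailing positional argument is the service account the policy is attached to, so it maps to `service_account_id`; the variable names and resource labels are assumptions.

```hcl
# Placeholders matching the gcloud command: project-id, k8s-namespace,
# ksa-name and gsa-name. Variable names are made up for this example.
variable "project_id" {
  type = string
}

variable "k8s_namespace" {
  type = string
}

variable "ksa_name" {
  type = string
}

variable "gsa_name" {
  type = string
}

# The Google service account (GSA) that the Kubernetes service account
# (KSA) is allowed to impersonate.
resource "google_service_account" "gsa" {
  project    = var.project_id
  account_id = var.gsa_name
}

# IAM binding set ON the service account itself, not on the project.
# service_account_id is the "trailing bit" of the gcloud command.
# If the GSA is managed elsewhere, pass its full resource name instead:
#   "projects/${var.project_id}/serviceAccounts/${var.gsa_name}@${var.project_id}.iam.gserviceaccount.com"
resource "google_service_account_iam_member" "workload_identity" {
  service_account_id = google_service_account.gsa.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[${var.k8s_namespace}/${var.ksa_name}]"
}

# Not equivalent: putting the same role and member on
# google_project_iam_member grants it at project scope, which lets that
# KSA impersonate every service account in the project.
```

Like `add-iam-policy-binding`, the `_iam_member` resource is additive: it adds this one member to the role and leaves other bindings on the service account untouched.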