Notice the trailing bit there. I cannot for the life of me figure out how to combine something like iam member with something else to come up with the equivalent command in TF.
Something like this should work @tibers. This is what I did. Keep in mind that this will wipe out anything else that you might have configured for it currently. Best to test it out on a test account to see how it works.
resource "google_service_account_iam_binding" "workload_identity_binding" {
  service_account_id = google_service_account.service_account.name
  role               = "roles/iam.workloadIdentityUser"
  members = [
    "serviceAccount:${var.project}.svc.id.goog[<namespace>/<ksa>]" # <namespace>/<ksa>: Kubernetes namespace and service account
  ]
}