
Add option to attach roles just on the created SA instead of at the project level in workload-identity module

Open rrajvans opened this issue 1 year ago • 0 comments

TL;DR

Add an option to attach roles/iam.serviceAccountOpenIdTokenCreator & roles/iam.serviceAccountTokenCreator just on the SA itself instead of at the project level

Terraform Resources

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam

Detailed design

Change field roles to roles_project_level to clarify these roles are granted at project level

Create optional list field roles_sa_level to clarify these roles are granted on the GCP Service account

roles_sa_level will allow only roles/iam.serviceAccountTokenCreator & roles/iam.serviceAccountOpenIdTokenCreator, taken from https://cloud.google.com/iam/docs/service-account-permissions. roles/iam.serviceAccountUser is not needed as the SA already has that role on itself. We'll use `validate` to check that the user-provided list is not longer than 2 and that each value is one of the above 2 roles.

We'll add a https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member in https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/blob/master/modules/workload-identity/main.tf and use for_each to attach these roles at the SA level.

Additional information

Our team faced the issue where we wanted to attach roles/iam.serviceAccountTokenCreator on the GCP SA itself but the roles field in workload-identity module gives roles to the SA at the project level which can be a security risk. We had to use this module to attach the role on the SA itself. It would be nice to have the option to specify roles on the SA itself within the workload-identity module. Please let me know if this sounds good. If yes, I can start working on it. Thanks!

rrajvans, Mar 20 '24 05:03
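A sketch of the proposed variables and resources, written as an added example rather than code from the issue or from the workload-identity module. It assumes the module's existing `google_service_account.cluster_service_account` resource and `var.project_id`, and contrasts the project-level grant (`google_project_iam_member`) with the SA-scoped grant (`google_service_account_iam_member`) that limits the blast radius of the token-creator roles to the one service account.

```hcl
# Project-level roles (the renamed existing `roles` field). These grant the SA
# the role on EVERY service account in the project, which is the broad scope
# the issue wants to avoid for the token-creator roles.
variable "roles_project_level" {
  description = "Roles granted to the service account at the project level."
  type        = list(string)
  default     = []
}

# SA-level roles: only the two token-creator roles are accepted, at most one each.
variable "roles_sa_level" {
  description = "Roles granted to the service account on itself only (not project-wide)."
  type        = list(string)
  default     = []

  validation {
    condition = length(var.roles_sa_level) <= 2 && alltrue([
      for r in var.roles_sa_level : contains([
        "roles/iam.serviceAccountTokenCreator",
        "roles/iam.serviceAccountOpenIdTokenCreator",
      ], r)
    ])
    error_message = "roles_sa_level accepts at most two entries, each either roles/iam.serviceAccountTokenCreator or roles/iam.serviceAccountOpenIdTokenCreator."
  }
}

# Assumed to exist in the module: the GCP SA created for workload identity,
# referenced here only by its attributes (name, email).
resource "google_project_iam_member" "project_level_roles" {
  for_each = toset(var.roles_project_level)

  project = var.project_id # assumed module input
  role    = each.value
  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
}

# Scoped grant: the SA gets the role on its own IAM policy only, so it can mint
# tokens for itself but not for any other service account in the project.
resource "google_service_account_iam_member" "sa_level_roles" {
  for_each = toset(var.roles_sa_level)

  service_account_id = google_service_account.cluster_service_account.name
  role               = each.value
  member             = "serviceAccount:${google_service_account.cluster_service_account.email}"
}
```

`validation` runs at plan time, so a caller passing any other role (or duplicates beyond two entries) fails before any IAM binding is created.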