Add a catalog-syncer service account. (#26)

Signed-off-by: Matt Moore <mattmoor@chainguard.dev>

Author: mattmoor

README.md

@@ -59,9 +59,12 @@ No modules.
 |------|------|
 | [google-beta_google_iam_workload_identity_pool.chainguard_pool](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_iam_workload_identity_pool) | resource |
 | [google-beta_google_iam_workload_identity_pool_provider.chainguard_provider](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_iam_workload_identity_pool_provider) | resource |
+| [google_project_iam_member.catalog-syncer-push](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_service.iamcredentials-api](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |
+| [google_service_account.catalog-syncer](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
 | [google_service_account.chainguard_canary](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
 | [google_service_account_iam_binding.allow_canary_impersonation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource |
+| [google_service_account_iam_binding.catalog-syncer-impersonation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource |
 
 ## Inputs
 

catalog-syncer.tf

@@ -0,0 +1,22 @@
+// The service account to impersonate
+resource "google_service_account" "catalog-syncer" {
+  project    = var.project_id
+  account_id = "chainguard-catalog-syncer"
+  depends_on = [google_project_service.iamcredentials-api]
+}
+
+// Allow the provider (mapped token) to impersonate this service account if
+// the subject matches what we expect.
+resource "google_service_account_iam_binding" "catalog-syncer-impersonation" {
+  service_account_id = google_service_account.catalog-syncer.name
+  role               = "roles/iam.workloadIdentityUser"
+  members            = [for id in var.group_ids : "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.chainguard_pool.name}/attribute.sub/catalog-syncer:${id}"]
+}
+
+// Grant the service account permissions to access the resources it
+// needs to fulfill its purpose.
+resource "google_project_iam_member" "catalog-syncer-push" {
+  project = var.project_id
+  role    = "roles/artifactregistry.writer"
+  member  = "serviceAccount:${google_service_account.catalog-syncer.email}"
+}