This example requires additional permissions beyond the base Terraform service account setup.
First, follow the main Terraform Service Account Permissions documentation to create the base service account with core permissions.
The runner-with-networking example creates additional infrastructure that requires these extra permissions:
roles/dns.admin- Creates DNS managed zones, DNS records, and certificate validation recordsroles/compute.networkAdmin- Creates VPCs, subnets, Cloud Router, Cloud NAT, and firewall rules (already included above)roles/certificatemanager.editor- Creates DNS authorizations for certificate validation (covered by certificatemanager.owner above)
# Set your project and service account details
export PROJECT_ID="your-project-id"
export SA_NAME="gitpod-terraform"
# Add DNS admin role
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role="roles/dns.admin"
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role="roles/compute.networkAdmin"
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role="roles/certificatemanager.editor"Networking Module:
- VPC networks and subnets with private Google access
- Cloud Router and Cloud NAT for outbound internet access
- Firewall rules for traffic control
DNS Module:
- DNS managed zones for domain management
- Certificate Manager DNS authorizations for SSL certificates
- DNS records for certificate validation
Main Example:
- DNS A records for wildcard (
*.domain.com) and root domain routing
Most networking permissions are already covered by the existing roles/compute.admin role from the base setup. Only DNS management requires the additional specific permission.