fix: replace authoritative project metadata with non-authoritative items

google_compute_project_metadata is authoritative — on first apply it
deletes all other project-level metadata (OS Login config, SSH keys,
etc.) managed outside this module.

Switch to google_compute_project_metadata_item which only manages the
individual keys this module needs, leaving other metadata untouched.

Co-authored-by: Ona <no-reply@ona.com>

Author: nandajavarma

runner-vm.tf

@@ -354,11 +354,17 @@ resource "google_compute_health_check" "runner" {
 
 
 # Resource tagging for lifecycle management
-resource "google_compute_project_metadata" "runner_metadata" {
+# Use google_compute_project_metadata_item (non-authoritative) instead of
+# google_compute_project_metadata to avoid clobbering other project metadata
+# (OS Login config, SSH keys, etc.) managed outside this module.
+resource "google_compute_project_metadata_item" "enable_oslogin" {
   project = var.project_id
+  key     = "enable-oslogin"
+  value   = "TRUE"
+}
 
-  metadata = {
-    "enable-oslogin"   = "TRUE"
-    "gitpod-runner-id" = var.runner_id
-  }
+resource "google_compute_project_metadata_item" "runner_id" {
+  project = var.project_id
+  key     = "gitpod-runner-id"
+  value   = var.runner_id
 }