
Scope iam.serviceAccounts.setIamPolicy to runner SAs via a separate role #42

Open

carolinetaymor-qz wants to merge 467 commits into gitpod-io:main from carolinetaymor-qz:caroline/n1-scope-sa-set-iam-policy

Conversation

@carolinetaymor-qz
Contributor

Hi! Continuing the run of mostly security-focused patches from our vendored copy of this module — same context as #37 and #38.

The runner's project-level custom role currently includes iam.serviceAccounts.getIamPolicy and iam.serviceAccounts.setIamPolicy, which lets the runner manage IAM on every service account in the project. The module already uses per-SA bindings for roles/iam.serviceAccountUser (only on the runner, environment_vm, and proxy_vm SAs); this PR extends the same scoping to the getIamPolicy/setIamPolicy permissions.

What changes:

  • Drop iam.serviceAccounts.getIamPolicy and iam.serviceAccounts.setIamPolicy from the runner's project-level custom role.
  • Add a new small custom role runner_sa_iam_manager holding only those two permissions.
  • Bind the new role at the SA level (via google_service_account_iam_member) on the runner, environment_vm, and proxy_vm SAs — not at the project level.

Effect: the runner can still manage IAM policies on the three SAs it actually attaches to instances and instance templates, but can no longer touch IAM on unrelated service accounts in the project.

Migration note

Existing deployments will see a one-time delta on next apply: the two permissions drop from the existing runner custom role, the new *_sa_iam_mgr custom role is created, and three google_service_account_iam_member resources are created. No state moves needed; the resource graph just expands.

Testing

  • terraform fmt clean
  • terraform validate clean
  • No variable or output changes, so terraform-docs regen isn't needed
  • We've been running this in our fork for a while with no problems

Audit reference

This came out of the same security audit on our vendored copy — audit item N1.
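
The change described above, written out as Terraform. This is an added illustration, not the PR's diff or the module's code: `var.project_id`, the `google_service_account.runner` / `environment_vm` / `proxy_vm` resources, the runner custom role being named `runner`, and the two compute permissions left in it are assumptions for the example.

```hcl
# Added example (not the module's code). Assumed names: var.project_id,
# google_service_account.{runner,environment_vm,proxy_vm}, and a
# project-level custom role for the runner with role_id "runner".

# BEFORE: the project-level custom role carried both permissions, so
# they applied to every service account in the project:
#
#   permissions = [
#     "iam.serviceAccounts.getIamPolicy",   # dropped by this PR
#     "iam.serviceAccounts.setIamPolicy",   # dropped by this PR
#     ...
#   ]

# AFTER: the project-level role no longer mentions either permission.
resource "google_project_iam_custom_role" "runner" {
  project = var.project_id
  role_id = "runner"
  title   = "Gitpod runner"
  permissions = [
    # Illustrative remaining permissions; the real list is longer.
    "compute.instances.create",
    "compute.instanceTemplates.create",
  ]
}

# The two permissions now live in a dedicated, minimal custom role.
resource "google_project_iam_custom_role" "runner_sa_iam_manager" {
  project = var.project_id
  role_id = "runner_sa_iam_manager"
  title   = "Runner service-account IAM manager"
  permissions = [
    "iam.serviceAccounts.getIamPolicy",
    "iam.serviceAccounts.setIamPolicy",
  ]
}

# The only service accounts the runner needs to manage IAM on.
locals {
  runner_managed_service_accounts = {
    runner         = google_service_account.runner.name
    environment_vm = google_service_account.environment_vm.name
    proxy_vm       = google_service_account.proxy_vm.name
  }
}

# Bind the role on those three SAs, not on the project.
# google_service_account_iam_member is non-authoritative: it adds one
# (role, member) pair to each SA's policy and leaves other bindings
# on the SA (e.g. roles/iam.serviceAccountUser) untouched.
resource "google_service_account_iam_member" "runner_sa_iam_manager" {
  for_each = local.runner_managed_service_accounts

  # projects/{project}/serviceAccounts/{email}
  service_account_id = each.value

  # Custom roles are referenced as projects/{project}/roles/{role_id};
  # the custom role resource exports exactly that string as `name`.
  role   = google_project_iam_custom_role.runner_sa_iam_manager.name
  member = "serviceAccount:${google_service_account.runner.email}"
}
```

On an existing deployment the plan for this should be exactly what the migration note says: one in-place update of the runner role (two permissions removed), one new custom role, and three new `google_service_account_iam_member` resources; anything else in the plan deserves a look. After apply, `gcloud iam roles describe runner --project PROJECT_ID` should no longer list the two permissions, and `gcloud iam service-accounts get-iam-policy SA_EMAIL --project PROJECT_ID` on a service account outside the three should not show the runner as a member. What the runner keeps is still significant: `iam.serviceAccounts.setIamPolicy` on a service account is the ability to grant any principal impersonation of it (for example via roles/iam.serviceAccountTokenCreator), so the list in `local.runner_managed_service_accounts` is the thing to review whenever it changes.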

gitpod-next-automation added 30 commits April 23, 2026 11:56
…sion 20260423.709

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.709
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.709
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24833398304
…sion 20260423.730

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.730
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.730
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24834288194
…sion 20260423.749

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.749
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.749
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24835122060
…sion 20260423.772

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.772
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.772
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24836131839
…sion 20260423.828

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.828
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.828
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24838856689
…sion 20260423.924

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.924
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.924
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24843487777
…sion 20260423.929

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.929
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.929
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24843571511
…sion 20260423.930

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.930
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.930
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24843748708
…sion 20260423.932

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.932
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.932
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24843881075
…sion 20260423.938

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.938
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.938
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24844158391
…sion 20260423.962

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.962
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.962
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24845325517
…sion 20260423.1005

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.1005
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.1005
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24847216815
…sion 20260423.1127

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.1127
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.1127
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24852658827
…sion 20260423.1279

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.1279
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.1279
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24859264177
…sion 20260424.485

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.485
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.485
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24878995283
…sion 20260424.494

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.494
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.494
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24879337014
…sion 20260424.495

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.495
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.495
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24879379090
…sion 20260424.506

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.506
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.506
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24879848745
…sion 20260424.570

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.570
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.570
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24882408876
…sion 20260424.582

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.582
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.582
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24882918747
…sion 20260424.671

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.671
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.671
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24885962016
…sion 20260424.670

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.670
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.670
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24886366850
…sion 20260424.732

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.732
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.732
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24888745667
…sion 20260424.757

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.757
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.757
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24889761511
…sion 20260424.761

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.761
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.761
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24889903677
…sion 20260424.762

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.762
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.762
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24889961860
…sion 20260424.828

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.828
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.828
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24892823610
…sion 20260424.868

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.868
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.868
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24894676503
…sion 20260424.1022

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.1022
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.1022
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24901675353
…sion 20260424.1056

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.1056
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.1056
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24903101319
gitpod-next-automation and others added 27 commits May 11, 2026 14:31
…sion 20260511.863

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260511.863
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260511.863
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25675855898
…sion 20260511.1034

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260511.1034
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260511.1034
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25685295370
…sion 20260511.1168

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260511.1168
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260511.1168
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25692239776
…sion 20260511.1259

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260511.1259
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260511.1259
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25696832910
The proxy load-balancer health checks currently work because GCP's
health-check ranges hit the proxy regardless of firewall tagging in the
default project state. The 'allow-health-check' tag pairs with the
existing health-check firewall rule (allow_health_checks) so the
intent is explicit and the rule isn't a no-op if firewall posture
tightens.

Surfaced by a security audit on the vendored copy of this module.
… output

The cloud-init template includes the auth-proxy TLS private key.
data.cloudinit_config.X.rendered drops the sensitive marker from its
inputs, so the private key appears in cleartext in Terraform plan
output whenever the instance template is replaced.

Wrapping the user-data metadata assignment with sensitive() preserves
the redaction. Does not affect the runtime exposure of the values via
VM metadata — that is a separate concern.

Surfaced by a security audit on the vendored copy of this module.
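
The two commits above, the `allow-health-check` tag and the `sensitive()` wrapper, as one added Terraform example. This is not the module's code: the firewall rule details, `var.network`, the health-check port, the cloud-init content and the `tls_private_key.auth_proxy` resource feeding it are assumptions; the two source ranges are Google's documented load-balancer health-check probe ranges.

```hcl
# Added example (not the module's code). Assumed: var.project_id,
# var.network, google_service_account.proxy_vm, and a hypothetical
# tls_private_key.auth_proxy resource holding the auth-proxy TLS key.

# Google load-balancer health checks originate from these two ranges.
locals {
  gcp_health_check_ranges = ["35.191.0.0/16", "130.211.0.0/22"]
}

# A rule with target_tags only applies to instances carrying the tag.
# Without the tag on the proxy template this rule matches nothing and
# the probes only get through while some broader rule admits them.
resource "google_compute_firewall" "allow_health_checks" {
  name          = "allow-health-checks"
  project       = var.project_id
  network       = var.network
  direction     = "INGRESS"
  source_ranges = local.gcp_health_check_ranges
  target_tags   = ["allow-health-check"]

  allow {
    protocol = "tcp"
    ports    = ["443"] # assumed proxy health-check port
  }
}

# cloud-init carrying the auth-proxy TLS key. The provider does not
# carry the sensitive marker from `content` through to `rendered`.
data "cloudinit_config" "proxy" {
  gzip          = false
  base64_encode = false

  part {
    content_type = "text/cloud-config"
    content = yamlencode({
      write_files = [{
        path        = "/etc/auth-proxy/tls.key"
        permissions = "0600"
        content     = tls_private_key.auth_proxy.private_key_pem
      }]
    })
  }
}

resource "google_compute_instance_template" "proxy" {
  name_prefix  = "proxy-"
  project      = var.project_id
  machine_type = "e2-medium"

  # Pairs with google_compute_firewall.allow_health_checks.target_tags.
  tags = ["allow-health-check"]

  metadata = {
    # sensitive() restores the redaction, so a template replacement
    # shows "(sensitive value)" in the plan instead of the private key.
    # It changes nothing about what is stored in state or served by
    # the metadata server to the VM.
    user-data = sensitive(data.cloudinit_config.proxy.rendered)
  }

  disk {
    source_image = "debian-cloud/debian-12"
    boot         = true
  }

  network_interface {
    network = var.network
  }

  service_account {
    email  = google_service_account.proxy_vm.email
    scopes = ["cloud-platform"]
  }

  lifecycle {
    create_before_destroy = true
  }
}
```

To confirm the redaction, force a template replacement (for example by changing the cloud-init content) and check that `terraform plan` prints `(sensitive value)` for `metadata` rather than the PEM block. Anyone with `terraform state pull` access, and any process on the VM that can reach the metadata server, still sees the key in cleartext, as the commit message notes.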
…sion 20260512.33

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260512.33
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260512.33
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25705606721
…sion 20260512.576

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260512.576
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260512.576
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25726035966
…sion 20260512.618

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260512.618
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260512.618
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25728033505
…roxy-health-check-tag

Add `allow-health-check` tag to proxy instance template
…nsitive-user-data

Wrap `user-data` with `sensitive()` to redact rendered cloud-init in plan output
Add use_authoritative_project_metadata variable (default: true) to let
users switch from google_compute_project_metadata (authoritative) to
per-key google_compute_project_metadata_item resources.

Existing deployments see no change on upgrade. Users who share the GCP
project with other metadata sources can opt in by setting the variable
to false and running the documented state migration.

Co-authored-by: Ona <no-reply@ona.com>
Move migration docs to public Ona documentation instead of the
module README. Shorten the variable description to one sentence.

Co-authored-by: Ona <no-reply@ona.com>
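
The two resource forms behind the `use_authoritative_project_metadata` toggle, as an added example rather than the module's code: the metadata keys and values are constructed placeholders and `var.project_id` is assumed.

```hcl
# Added example (not the module's code). The keys below are constructed
# placeholders; var.project_id is assumed.

variable "use_authoritative_project_metadata" {
  description = "Manage project metadata as one authoritative map (true) or per key (false)."
  type        = bool
  default     = true
}

locals {
  managed_project_metadata = {
    enable-oslogin = "TRUE"          # placeholder key
    runner-config  = "example-value" # placeholder key
  }
}

# Authoritative form: Terraform owns the entire project-metadata map.
# On apply it removes any key it is not managing, including keys set
# by other tooling or other Terraform roots in the same project.
resource "google_compute_project_metadata" "this" {
  count = var.use_authoritative_project_metadata ? 1 : 0

  project  = var.project_id
  metadata = local.managed_project_metadata
}

# Per-key form: one resource per key. Keys the module does not declare
# are left alone, which is the safe choice when the project is shared.
resource "google_compute_project_metadata_item" "this" {
  for_each = var.use_authoritative_project_metadata ? {} : local.managed_project_metadata

  project = var.project_id
  key     = each.key
  value   = each.value
}
```

Flipping the variable on an existing deployment changes resource addresses (from `google_compute_project_metadata.this[0]` to one `google_compute_project_metadata_item.this["<key>"]` per key), so without the state migration the commit refers to, the plan is a destroy of the authoritative resource followed by a create of the items rather than an in-place move, and destroying the authoritative resource removes the keys it managed.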
…sion 20260512.780

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260512.780
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260512.780
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25735864156
feat: opt-in non-authoritative project metadata
…sion 20260512.805

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260512.805
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260512.805
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25737271252
Co-authored-by: Ona <no-reply@ona.com>
…comment

docs: explain why agent_storage needs objectAdmin
…sion 20260512.904

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260512.904
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260512.904
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25742856453
…sion 20260512.1178

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260512.1178
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260512.1178
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25757626164
…sion 20260513.172

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260513.172
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260513.172
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25775221161
…sion 20260513.460

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260513.460
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260513.460
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25785292595
…sion 20260513.550

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260513.550
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260513.550
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25789519871
…sion 20260513.822

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260513.822
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260513.822
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25802810146
…sion 20260513.1137

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260513.1137
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260513.1137
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25803531708
…sion 20260513.1150

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260513.1150
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260513.1150
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25820484676
Move getIamPolicy/setIamPolicy on service accounts out of the runner's
project-level custom role and into a new runner_sa_iam_manager custom
role bound at the SA level on the three SAs the runner already manages
(runner, environment_vm, proxy_vm). This is the same per-SA scoping
pattern already used for roles/iam.serviceAccountUser.