
RFC: scope secretmanager.secrets.setIamPolicy with IAM condition on secret name prefix #43

Open

carolinetaymor-qz wants to merge 467 commits into gitpod-io:main from carolinetaymor-qz:caroline/n2-scope-secret-set-iam-policy

Conversation


@carolinetaymor-qz carolinetaymor-qz commented May 13, 2026

Hi! Sister PR to #42 (N1), same source — another security-audit item from our vendored copy. Opening this one as an RFC because it's a behavior change with downstream-breakage risk, and I wanted to see how y'all felt about it, rather than assuming. We added the change as an opt-in option, so that the default (opt-out) does not change anything.

Context

The runner's project-level custom role currently includes secretmanager.secrets.getIamPolicy and secretmanager.secrets.setIamPolicy, which lets it manage IAM on every secret in the project. The conceptual fix parallels #42: drop the broad permissions, add a smaller role bound with an IAM condition that restricts setIamPolicy to runner-owned secrets only.

Unlike the SA case in #42, secrets don't all belong to the runner in an obvious naming sense. Tightening the default would likely break users whose runner SAs manage IAM on secrets that don't follow a ${runner_name}-* convention. So this PR ships the change as opt-in.

What

This PR adds a new variable, scope_secret_iam_to_runner_prefix (default false, preserving today's behavior). When set to true:

  • secretmanager.secrets.getIamPolicy and .setIamPolicy are dropped from the runner's project-level custom role.
  • A new custom role runner_secret_iam_manager is created holding only those two permissions.
  • The runner SA is granted that role via google_project_iam_member with an IAM condition: resource.name.startsWith("projects/<project_id>/secrets/<runner_name>").

Users who follow the runner-name-prefix convention for their secrets can opt in; users with arbitrary secret names keep current behavior.

Why

Reduces the runner SA's IAM-management blast radius on Secret Manager from project-level to runner-prefixed secrets only. Same risk-reduction rationale as #42.

Open question

This is the part I'd most like your read on:

  • Is the opt-in variable shape the right one? I considered just making it the default (parallel to #42, "Scope iam.serviceAccounts.setIamPolicy to runner SAs via a separate role"), but unlike service accounts, secret naming isn't owned by the module — it depends on what the runner creates at runtime. Flipping the default could break deployments with non-prefixed secrets in a way users wouldn't see until the next IAM operation failed at runtime.
  • The opt-in variable echoes how use_authoritative_project_metadata is shaped, which seemed like the closest precedent in-tree.
  • I'm also happy to drop this entirely if the answer is "the project-level permission is intentional and we don't want a knob."

Happy to iterate on the variable name, the condition expression (e.g., supporting a configurable prefix instead of hardcoding runner_name), or the shape generally.

Testing

  • terraform fmt clean
  • terraform validate clean
  • New bool variable with default false, so terraform-docs will pick it up; no behavior change for existing users on apply

Audit reference

Same audit as #37, #38, #42 — audit item N2.
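As an added illustration (not the PR's diff and not the module's own code), this is what the opt-in shape described in the comment above can look like in Terraform. The names var.project_id, var.runner_name, google_service_account.runner and the permission list in runner_permissions_all are assumptions. It deliberately differs from the PR text in two places: the prefix ends with the "-" separator, so a secret named "<runner_name>2-foo" does not match, and the condition is built with the project number rather than the project ID, which is an assumption to confirm against Google's IAM conditions attribute reference for Secret Manager; startsWith is a literal string comparison on whatever resource name form the service reports.

```hcl
# Added example, not code from the PR or the module. var.project_id,
# var.runner_name, google_service_account.runner and the permission list
# below are assumptions for illustration.

variable "scope_secret_iam_to_runner_prefix" {
  description = "If true, the runner SA may manage IAM only on secrets named <runner_name>-*."
  type        = bool
  default     = false
}

data "google_project" "this" {
  project_id = var.project_id
}

locals {
  secret_iam_permissions = [
    "secretmanager.secrets.getIamPolicy",
    "secretmanager.secrets.setIamPolicy",
  ]

  # Constructed stand-in for the module's broad runner role permission list.
  runner_permissions_all = concat([
    "compute.instances.create",
    "secretmanager.versions.access",
  ], local.secret_iam_permissions)

  # With the knob on, the two secret IAM permissions leave the broad role.
  runner_permissions = var.scope_secret_iam_to_runner_prefix ? [
    for p in local.runner_permissions_all : p
    if !contains(local.secret_iam_permissions, p)
  ] : local.runner_permissions_all

  # Assumption: Secret Manager reports resource.name with the project number.
  # The trailing "-" keeps "<runner_name>2-foo" from matching "<runner_name>".
  secret_prefix = "projects/${data.google_project.this.number}/secrets/${var.runner_name}-"
}

resource "google_project_iam_custom_role" "runner" {
  project     = var.project_id
  role_id     = "${replace(var.runner_name, "-", "_")}_runner"
  title       = "Gitpod runner"
  permissions = local.runner_permissions
}

resource "google_project_iam_member" "runner" {
  project = var.project_id
  role    = google_project_iam_custom_role.runner.name
  member  = "serviceAccount:${google_service_account.runner.email}"
}

resource "google_project_iam_custom_role" "runner_secret_iam_manager" {
  count       = var.scope_secret_iam_to_runner_prefix ? 1 : 0
  project     = var.project_id
  role_id     = "${replace(var.runner_name, "-", "_")}_secret_iam_manager"
  title       = "Gitpod runner secret IAM manager"
  permissions = local.secret_iam_permissions
}

# Conditional binding: the role applies only to secrets under the prefix.
resource "google_project_iam_member" "runner_secret_iam" {
  count   = var.scope_secret_iam_to_runner_prefix ? 1 : 0
  project = var.project_id
  role    = google_project_iam_custom_role.runner_secret_iam_manager[0].name
  member  = "serviceAccount:${google_service_account.runner.email}"

  condition {
    title       = "runner-owned-secrets-only"
    description = "Limit secret IAM management to ${var.runner_name}-* secrets"
    expression  = "resource.name.startsWith(\"${local.secret_prefix}\")"
  }
}
```

Two checks are worth running after apply. First, impersonate the runner SA (gcloud supports --impersonate-service-account) and call `gcloud secrets get-iam-policy` on one secret under the prefix and on one outside it: the first should succeed and the second should fail with PERMISSION_DENIED. If the prefixed one also fails, the project-number assumption in secret_prefix is wrong for your project and the ID form is needed. Second, remember that IAM is additive: if the same SA also holds roles/secretmanager.admin, roles/owner, or any other unconditional binding carrying these permissions at project or folder level, the condition restricts nothing, so confirm the effective policy with `gcloud projects get-iam-policy` before treating the blast radius as reduced.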

gitpod-next-automation added 30 commits April 23, 2026 11:56
…sion 20260423.709

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.709
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.709
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24833398304
…sion 20260423.730

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.730
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.730
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24834288194
…sion 20260423.749

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.749
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.749
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24835122060
…sion 20260423.772

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.772
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.772
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24836131839
…sion 20260423.828

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.828
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.828
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24838856689
…sion 20260423.924

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.924
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.924
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24843487777
…sion 20260423.929

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.929
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.929
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24843571511
…sion 20260423.930

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.930
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.930
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24843748708
…sion 20260423.932

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.932
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.932
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24843881075
…sion 20260423.938

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.938
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.938
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24844158391
…sion 20260423.962

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.962
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.962
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24845325517
…sion 20260423.1005

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.1005
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.1005
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24847216815
…sion 20260423.1127

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.1127
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.1127
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24852658827
…sion 20260423.1279

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260423.1279
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260423.1279
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24859264177
…sion 20260424.485

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.485
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.485
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24878995283
…sion 20260424.494

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.494
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.494
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24879337014
…sion 20260424.495

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.495
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.495
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24879379090
…sion 20260424.506

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.506
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.506
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24879848745
…sion 20260424.570

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.570
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.570
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24882408876
…sion 20260424.582

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.582
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.582
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24882918747
…sion 20260424.671

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.671
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.671
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24885962016
…sion 20260424.670

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.670
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.670
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24886366850
…sion 20260424.732

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.732
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.732
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24888745667
…sion 20260424.757

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.757
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.757
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24889761511
…sion 20260424.761

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.761
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.761
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24889903677
…sion 20260424.762

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.762
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.762
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24889961860
…sion 20260424.828

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.828
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.828
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24892823610
…sion 20260424.868

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.868
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.868
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24894676503
…sion 20260424.1022

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.1022
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.1022
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24901675353
…sion 20260424.1056

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.1056
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.1056
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/24903101319
gitpod-next-automation and others added 28 commits May 11, 2026 14:26
…sion 20260511.860

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260511.860
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260511.860
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25675759226
…sion 20260511.863

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260511.863
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260511.863
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25675855898
…sion 20260511.1034

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260511.1034
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260511.1034
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25685295370
…sion 20260511.1168

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260511.1168
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260511.1168
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25692239776
…sion 20260511.1259

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260511.1259
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260511.1259
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25696832910
The proxy load-balancer health checks currently work because GCP's
health-check ranges hit the proxy regardless of firewall tagging in the
default project state. The 'allow-health-check' tag pairs with the
existing health-check firewall rule (allow_health_checks) so the
intent is explicit and the rule isn't a no-op if firewall posture
tightens.

Surfaced by a security audit on the vendored copy of this module.
… output

The cloud-init template includes the auth-proxy TLS private key.
data.cloudinit_config.X.rendered drops the sensitive marker from its
inputs, so the private key appears in cleartext in Terraform plan
output whenever the instance template is replaced.

Wrapping the user-data metadata assignment with sensitive() preserves
the redaction. Does not affect the runtime exposure of the values via
VM metadata — that is a separate concern.

Surfaced by a security audit on the vendored copy of this module.
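An added example, not the module's own code, of the before/after this commit describes. The template path, the auth_proxy_tls_private_key variable and the resource names are assumed; only the sensitive() wrapper on the user-data key is the point.

```hcl
# Added example, not the module's own code. Template path, the
# auth_proxy_tls_private_key variable and resource names are assumed.

variable "auth_proxy_tls_private_key" {
  type      = string
  sensitive = true
}

data "cloudinit_config" "proxy" {
  gzip          = false
  base64_encode = false

  part {
    content_type = "text/cloud-config"
    content = templatefile("${path.module}/templates/proxy-cloud-init.yaml.tftpl", {
      tls_private_key = var.auth_proxy_tls_private_key
    })
  }
}

resource "google_compute_instance_template" "proxy" {
  name_prefix  = "proxy-"
  machine_type = "e2-small"

  disk {
    source_image = "debian-cloud/debian-12"
    boot         = true
  }

  network_interface {
    network = "default"
  }

  # Before: `rendered` has lost the sensitive mark, so every template
  # replacement prints the key in `terraform plan`:
  #   "user-data" = data.cloudinit_config.proxy.rendered
  # After: re-mark the value; plan shows (sensitive value) instead.
  metadata = {
    "user-data" = sensitive(data.cloudinit_config.proxy.rendered)
  }

  lifecycle {
    create_before_destroy = true
  }
}
```

sensitive() only changes what Terraform prints. The rendered cloud-init is still stored in cleartext in the state file, and on the instance anything that can reach the metadata server can read it; the commit calls the latter out as a separate concern, and the former means state storage needs the same access control as the key itself.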
…sion 20260512.33

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260512.33
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260512.33
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25705606721
…sion 20260512.576

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260512.576
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260512.576
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25726035966
…sion 20260512.618

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260512.618
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260512.618
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25728033505
…roxy-health-check-tag

Add `allow-health-check` tag to proxy instance template
…nsitive-user-data

Wrap `user-data` with `sensitive()` to redact rendered cloud-init in plan output
Add use_authoritative_project_metadata variable (default: true) to let
users switch from google_compute_project_metadata (authoritative) to
per-key google_compute_project_metadata_item resources.

Existing deployments see no change on upgrade. Users who share the GCP
project with other metadata sources can opt in by setting the variable
to false and running the documented state migration.

Co-authored-by: Ona <no-reply@ona.com>
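As an added example (not the module's own code), the two resource shapes this commit toggles between. The metadata map is a constructed illustration and var.project_id is assumed; the variable name matches the commit.

```hcl
# Added example, not the module's own code. The metadata keys are a
# constructed illustration; var.project_id is assumed.

variable "use_authoritative_project_metadata" {
  description = "true: one authoritative project metadata resource; false: one resource per key this module manages."
  type        = bool
  default     = true
}

locals {
  project_metadata = {
    enable-oslogin = "TRUE"
    runner-name    = var.runner_name
  }
}

# Authoritative: the whole project metadata map is replaced on every apply,
# so keys set by anyone else in the project (ssh-keys, other modules) are
# removed. Fine for a dedicated project, destructive in a shared one.
resource "google_compute_project_metadata" "this" {
  count    = var.use_authoritative_project_metadata ? 1 : 0
  project  = var.project_id
  metadata = local.project_metadata
}

# Non-authoritative: one resource per key; keys absent from the map are
# left untouched, so other metadata sources keep working.
resource "google_compute_project_metadata_item" "this" {
  for_each = var.use_authoritative_project_metadata ? {} : local.project_metadata
  project  = var.project_id
  key      = each.key
  value    = each.value
}
```

Flipping the variable on an existing deployment swaps resource types, which Terraform cannot express with a moved block; the aggregate resource has to leave state and each key be imported into the per-key resource, which is the state migration the commit refers to.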
Move migration docs to public Ona documentation instead of the
module README. Shorten the variable description to one sentence.

Co-authored-by: Ona <no-reply@ona.com>
…sion 20260512.780

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260512.780
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260512.780
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25735864156
feat: opt-in non-authoritative project metadata
…sion 20260512.805

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260512.805
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260512.805
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25737271252
Co-authored-by: Ona <no-reply@ona.com>
…comment

docs: explain why agent_storage needs objectAdmin
…sion 20260512.904

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260512.904
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260512.904
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25742856453
…sion 20260512.1178

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260512.1178
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260512.1178
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25757626164
…sion 20260513.172

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260513.172
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260513.172
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25775221161
…sion 20260513.460

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260513.460
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260513.460
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25785292595
…sion 20260513.550

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260513.550
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260513.550
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25789519871
…sion 20260513.822

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260513.822
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260513.822
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25802810146
…sion 20260513.1137

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260513.1137
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260513.1137
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25803531708
…sion 20260513.1150

This PR updates the runner, proxy, prometheus, and node-exporter image references in locals.tf to use the latest images:
- Runner: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260513.1150
- Proxy: us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260513.1150
- Prometheus: us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3
- Node-exporter: us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1

Auto-generated by: https://github.com/gitpod-io/gitpod-next/actions/runs/25820484676
Add an opt-in variable scope_secret_iam_to_runner_prefix (default false,
preserving today's behavior). When set to true:

- Drop secretmanager.secrets.getIamPolicy/setIamPolicy from the runner's
  project-level custom role.
- Create a small custom role runner_secret_iam_manager holding only
  those two permissions, and grant it to the runner SA with an IAM
  condition restricting the binding to secrets whose resource name
  starts with var.runner_name.

Opt-in because the change narrows the default IAM scope, which could
break downstream deployments whose runner SAs manage IAM on
non-runner-prefixed secrets.