Skip to main content
Deploy your GCP Runner using the Terraform module. This guide walks through prerequisites, Terraform configuration, deployment, and verification.

Prerequisites

Before starting, ensure you have:
  1. GCP Project with billing enabled, sufficient quotas, and required GCP APIs enabled
  2. VPC and subnet: a custom VPC with a runner subnet. The runner subnet hosts both the runner service and environment VMs. Internal load balancers require additional subnets.
    Optional: Private Google Access. If your runner subnet does not have external internet access, enable Private Google Access on the subnet so VMs can reach GCP services through Google’s internal network. See GCP services and APIs required for the full list of services that need to be reachable.
  3. Domain name that you control with DNS modification capabilities
  4. SSL/TLS certificate with Subject Alternative Names (SANs) for both the root domain and wildcard: yourdomain.com and *.yourdomain.com. Storage location depends on your load balancer mode.
  5. Terraform >= 1.3 and gcloud CLI installed and authenticated
Haven’t decided on a load balancer mode yet? Compare external vs internal options before proceeding.

Create runner in Ona

  1. In the Ona dashboard, go to Settings → Runners and click Set up a new runner
  2. Select Google Cloud Platform as the provider
  3. Enter a name and click Create
The dashboard generates a Terraform configuration example with your Runner ID, Runner Token, and API endpoint pre-filled. Copy these values. You’ll use them in the Terraform setup below.
Store the Runner Token securely. You cannot retrieve it again from the dashboard.

Terraform module setup

Create a directory for your runner configuration and set up the following files. main.tf references the Ona Terraform module with a GCS backend for state storage:
Using a GCS backend stores your Terraform state remotely, enabling team collaboration and protecting against local state loss. Create the bucket beforehand with versioning enabled.
variables.tf declares input variables. Add optional variables from the advanced configuration section as needed:
terraform.tfvars contains the values from the Ona dashboard and your GCP project. See the sections below for the full variable reference.

Required configuration variables

These variables are required for every GCP Runner deployment. Most of them are pre-filled in the Terraform configuration example shown in the Ona dashboard after you create the runner.

Core Authentication Variables

These values are provided by the Ona dashboard when you create the runner.
The api_endpoint value is provided in the Ona dashboard when you create the runner. If your organization uses a custom domain, the endpoint will reflect that domain instead.

GCP Project and Location

Specify the GCP project and region where the runner infrastructure will be created.

Network and Ingress Configuration

Configure how inbound and outbound traffic reaches your runner by specifying your VPC, subnet, and load balancer settings. The runner subnet hosts both the runner service and environment VMs. Recommended CIDR: /16 for non-routable ranges (large deployments) or /24 minimum for routable ranges.

External Load Balancer (Default)

Internal Load Balancer

Creating the certificate secret The certificate_secret_id must point to a Google Secret Manager secret containing both the certificate and private key as a JSON object:
Create the secret using gcloud, replacing the paths with your certificate and key files:
The internal load balancer also requires a proxy-only subnet in your VPC with purpose set to REGIONAL_MANAGED_PROXY. This subnet is not a Terraform module variable. It must exist in your VPC before deployment. GCP uses it internally to allocate proxy instances for the load balancer.Learn more about internal load balancer requirements →

Advanced configuration

The settings below are for organizations with additional network or security requirements, such as corporate proxies, private CAs, encryption key management, or restricted IAM policies. Most deployments do not need these.

HTTP Proxy Configuration

For environments behind corporate firewalls:

Custom CA Certificate

If your network uses a corporate proxy or internal services with certificates signed by a private Certificate Authority, configure the runner to trust your CA certificate: Provide either file_path or content, not both.
This is commonly needed alongside HTTP Proxy Configuration when the proxy performs TLS inspection with a corporate CA.

Customer-Managed Encryption Keys (CMEK)

For compliance with organizational encryption policies:
For additional configurations when using pre-existing CMEK keys, refer to the IAM configuration guide in the Terraform module.

Cross-Zone Restart

Enable cross-zone restart if stopped dual-disk environments should be able to restart in another zone when the original zone has no VM capacity.
This option requires Terraform module v2.0.3 or later. Existing deployments keep their current behavior unless you enable it.

Pre-Created Service Accounts

By default, the Terraform module creates and manages three service accounts for the runner components: If your organization requires service accounts to be created externally (e.g., by a central IAM team), you can provide pre-created service accounts instead. When provided, the module skips creating that service account and uses the one you supply. Each pre-created service account must have the correct IAM roles assigned before deployment. See the IAM configuration guide for the exact roles and permissions required per service account.
You can provide a subset. Any service account left empty will be created and managed by the module automatically. The Terraform deployer account will also need fewer IAM permissions when using pre-created service accounts, since it no longer needs iam.serviceAccounts.create or resourcemanager.projects.setIamPolicy for those accounts.

Custom Images

Some enterprise networks do not allow pulling container images from external registries. In these cases, you can point the runner at images hosted in your own internal registry.
Discouraged unless your network policy strictly requires it. Ona maintains all runner images in a public registry with regular CVE scanning and patching. Custom images break automatic updates and delay security patches. You must sync every release manually. If possible, allowlist Ona’s registry instead.
If you must use custom images, set up an automated pipeline to sync images from Ona’s stable channel to your internal registry (e.g., Artifactory). Contact Ona support for guidance on image synchronization and release notifications.

Shared VPC

If your organization uses a GCP Shared VPC where the VPC is hosted in a separate host project, set vpc_project_id to the project that owns the VPC. When omitted, the module assumes the VPC is in the same project as the runner (project_id).
When using Shared VPC, the runner’s service project must be attached as a service project to the host project, and the subnets used by the runner must be shared with the service project. The service account running Terraform needs compute.networkUser on the shared subnets in the host project.

Project Metadata Mode

By default the module uses google_compute_project_metadata, which is authoritative and removes any project metadata keys not declared in the module. Set use_authoritative_project_metadata = false to use per-key google_compute_project_metadata_item resources instead, which only manage enable-oslogin and gitpod-runner-id.
Before applying with use_authoritative_project_metadata = false on an existing deployment, migrate the Terraform state:
Replace <PROJECT_ID> with your GCP project ID. Adjust the module path if yours differs from ona_runner.

Labels

Apply GCP labels to all resources created by the module. Labels are useful for cost attribution, filtering in billing reports, and organizational policies.
For details on using labels for cost tracking and budgeting, see Costs & Budgeting: Adding labels to Compute Engine instances.

Deploy

Initialize Terraform to download the module, then validate, plan, and apply:
Deployment typically takes 15–20 minutes. The Redis instance creation is usually the longest step.

Post-deployment

After terraform apply completes, retrieve the load balancer IP and configure DNS:
Create A records for both the root domain and wildcard pointing to this IP:
For internal load balancers, ensure your corporate DNS servers can resolve these records and your network can route to the internal IP. Once DNS propagates, verify the runner is healthy:
Then confirm the runner shows as Online in the Ona dashboard under Settings → Runners. Runner details showing Online status with green indicator after successful deployment

Next steps

With your GCP Runner successfully deployed and verified: