fix: Cloud Ops permission errors (#931)

terraform/03_gke_cluster.tf

@@ -142,6 +142,43 @@ data "google_compute_default_service_account" "default" {
   ]
 }
 
+# Give service account Observability permissions
+resource "google_project_iam_member" "trace_role" {
+  project = data.google_project.project.project_id
+  role    = "roles/cloudtrace.agent"
+  member  = "serviceAccount:${data.google_compute_default_service_account.default.email}"
+  depends_on = [data.google_compute_default_service_account.default]
+}
+
+resource "google_project_iam_member" "monitoring_role" {
+  project = data.google_project.project.project_id
+  role    = "roles/monitoring.metricWriter"
+  member  = "serviceAccount:${data.google_compute_default_service_account.default.email}"
+  depends_on = [data.google_compute_default_service_account.default]
+}
+
+
+resource "google_project_iam_member" "profiler_role" {
+  project = data.google_project.project.project_id
+  role    = "roles/cloudprofiler.agent"
+  member  = "serviceAccount:${data.google_compute_default_service_account.default.email}"
+  depends_on = [data.google_compute_default_service_account.default]
+}
+
+resource "google_project_iam_member" "debugger_role" {
+  project = data.google_project.project.project_id
+  role    = "roles/clouddebugger.agent"
+  member  = "serviceAccount:${data.google_compute_default_service_account.default.email}"
+  depends_on = [data.google_compute_default_service_account.default]
+}
+
+resource "google_project_iam_member" "logging_role" {
+  project = data.google_project.project.project_id
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${data.google_compute_default_service_account.default.email}"
+  depends_on = [data.google_compute_default_service_account.default]
+}
+
 # Create GSA/KSA binding: let IAM auth KSAs as a svc.id.goog member name
 resource "google_service_account_iam_binding" "set_gsa_binding" {
   service_account_id = data.google_compute_default_service_account.default.name // google_service_account.set_gsa.name