
Activepieces on Google Cloud Run

This document provides a comprehensive reference for the modules/Activepieces_CloudRun Terraform module. It covers architecture, IAM, configuration variables, Activepieces-specific behaviours, and operational patterns for deploying Activepieces on Google Cloud Run (v2).


1. Module Overview

Activepieces is an open-source, Apache 2.0-licensed no-code workflow automation platform for connecting apps, APIs, and data sources. Activepieces CloudRun is a wrapper module built on top of App CloudRun. It uses App CloudRun for all GCP infrastructure provisioning and injects Activepieces-specific application configuration, secrets, database initialisation, and queue configuration via Activepieces Common.

Key Capabilities:

  • Compute: Cloud Run v2 (Gen2), Node.js container, scale-to-zero supported (min_instance_count = 0 by default). Custom image build via Cloud Build wraps the upstream activepieces/activepieces image.
  • Data Persistence: Cloud SQL PostgreSQL 15 with Cloud SQL Auth Proxy sidecar (enable_cloudsql_volume = true by default). The db-init.sh script handles socket detection and the pgvector extension for AI features. GCS data bucket provisioned automatically by Activepieces Common.
  • Security: AP_ENCRYPTION_KEY and AP_JWT_SECRET auto-generated and stored in Secret Manager. Inherits Cloud Armor WAF, IAP, Binary Authorization, and VPC Service Controls from App CloudRun.
  • Queue Mode: Memory-based queue by default (AP_QUEUE_MODE = MEMORY). Set enable_redis = true to switch to Redis queue mode (AP_QUEUE_MODE = REDIS), required for horizontal scaling.
  • Webhooks: ingress_settings = 'all' is the default so external systems can POST to Activepieces webhook endpoints. Enabling IAP will block public webhooks.
  • CI/CD: Cloud Build custom image pipeline by default; Cloud Deploy progressive delivery optional.

Project & Application Identity

| Variable | Group | Type | Default | Description |
|---|---|---|---|---|
| project_id | 1 | string | (none) | GCP project ID. Required. |
| tenant_deployment_id | 1 | string | 'demo' | Short suffix appended to all resource names. |
| support_users | 1 | list(string) | [] | Email recipients for monitoring alerts. |
| resource_labels | 1 | map(string) | {} | Labels applied to all provisioned resources. |
| application_name | 2 | string | 'activepieces' | Base resource name. Do not change after initial deployment. |
| display_name | 2 | string | 'Activepieces Workflow Automation' | Human-readable name shown in the GCP Console. Note: uses the display_name alias, not application_display_name. |
| description | 2 | string | 'Activepieces - Open source workflow automation platform' | Cloud Run service description. Note: uses the description alias, not application_description. |
| application_version | 2 | string | 'latest' | Container image version tag. Set it to a specific release to deploy a new version; a pinned tag is also what makes rebuilds reproducible. |

Wrapper architecture: Activepieces CloudRun calls Activepieces Common to build an application_config object containing Activepieces environment variables, the AP_ENCRYPTION_KEY and AP_JWT_SECRET secrets, database initialisation job configuration, probe settings, and the data GCS bucket definition. module_env_vars is empty (all env vars are set inside Activepieces Common). module_secret_env_vars carries Activepieces Common-generated secret IDs. module_storage_buckets carries the data bucket provisioned by Activepieces Common. scripts_dir is resolved to ${module.activepieces_app.path}/scripts.

Naming note: Unlike Django, which uses application_display_name and application_description, Activepieces CloudRun uses display_name and description aliases. These are mapped to the App CloudRun display name and description fields inside Activepieces Common's config output.


2. IAM & Access Control

Activepieces_CloudRun delegates all IAM provisioning to App_CloudRun. The Cloud Run SA, Cloud Build SA, IAP service agent, and password rotation role sets are identical to those in App_CloudRun §2.

Activepieces auto-generated secrets and IAM: Activepieces Common creates two Secret Manager secrets during provisioning: AP_ENCRYPTION_KEY and AP_JWT_SECRET. These are injected into the Cloud Run revision via module_secret_env_vars. The Cloud Run SA requires roles/secretmanager.secretAccessor, which is already granted by App CloudRun. The DB_PASSWORD and ROOT_PASSWORD secrets are provisioned automatically by App CloudRun.

Database initialisation identity: The db-init Cloud Run Job runs under the Cloud Run SA. It connects to Cloud SQL via the Auth Proxy sidecar (since enable_cloudsql_volume = true by default). The db-init.sh script auto-detects the socket path at runtime.

GCS data bucket IAM: Activepieces Common provisions a GCS data bucket and the application SA is granted storage access by App CloudRun.

120-second IAM propagation delay: Inherited from App CloudRun — the Activepieces service is not deployed until the delay completes, preventing secret-read failures on the first revision start.

Webhook access: Public access is required for Activepieces webhook endpoints. ingress_settings = 'all' is the default. Enabling IAP (enable_iap = true) will require Google identity authentication and will block unauthenticated webhook calls from external systems.


3. Core Service Configuration

A. Compute (Cloud Run)

Activepieces is a Node.js application with significant memory requirements. The defaults (cpu_limit = "2000m", memory_limit = "2Gi") are the recommended production sizing; the hard minimums are 1 vCPU and 512Mi. Unlike Django (which uses a container_resources object), Activepieces CloudRun exposes cpu_limit and memory_limit as individual top-level variables.

Scale-to-zero is enabled by default (min_instance_count = 0). In memory queue mode the queue lives inside the instance, so when Cloud Run shuts the instance down any queued or in-flight workflow jobs are lost, and the next webhook pays a cold start. Set min_instance_count = 1 for production deployments, and always when running memory queue mode with long-running workflows.

Container image: container_image_source is hardcoded to 'custom' inside Activepieces Common. Cloud Build wraps the official activepieces/activepieces image with the entrypoint.sh script. The application_version tag controls which upstream image version is pulled; pin it to a specific release rather than the mutable 'latest' tag so that each Cloud Build run produces the same image and Binary Authorization attestations refer to a known digest.

Cloud SQL Auth Proxy: enable_cloudsql_volume defaults to true. The Cloud SQL Auth Proxy sidecar is injected. db-init.sh detects the socket automatically.

| Variable | Group | Default | Description |
|---|---|---|---|
| deploy_application | 3 | true | Set false for infrastructure-only deployment (SQL, storage, secrets). |
| cpu_limit | 3 | '2000m' | CPU limit per instance (2 vCPUs). Minimum 1 vCPU required; 2 vCPUs recommended for production. |
| memory_limit | 3 | '2Gi' | Memory limit per instance. Minimum 512Mi; 2Gi recommended for production. |
| min_instance_count | 3 | 0 | 0 enables scale-to-zero. Set ≥1 to eliminate cold starts and maintain webhook availability. |
| max_instance_count | 3 | 1 | Increase for high-traffic deployments. Requires Redis queue mode for safe horizontal scaling. |
| container_port | 3 | 8080 | Activepieces default port. |
| execution_environment | 3 | 'gen2' | Gen2 required for NFS mounts and GCS Fuse. |
| timeout_seconds | 3 | 300 | Max request duration. |
| enable_cloudsql_volume | 3 | true | Injects Cloud SQL Auth Proxy sidecar. db-init.sh auto-detects the socket path. |
| cloudsql_volume_mount_path | 3 | '/cloudsql' | Base path for the Auth Proxy Unix socket mount. |
| enable_image_mirroring | 3 | true | Mirrors the container image into Artifact Registry. |
| max_revisions_to_retain | 3 | 7 | Maximum number of Cloud Run revisions to keep. Set to 0 to disable pruning. |
| traffic_split | 3 | [] | Percentage-based canary/blue-green traffic allocation. |
| container_protocol | 3 | 'http1' | 'http1' or 'h2c'. |
| service_annotations | 3 | {} | Advanced Cloud Run annotations. |
| service_labels | 3 | {} | Labels applied to the Cloud Run service. |

Differences from App CloudRun defaults:

| Variable | App CloudRun | Activepieces CloudRun | Reason |
|---|---|---|---|
| cpu_limit (via container_resources) | "1000m" | "2000m" | Activepieces requires more CPU for workflow execution |
| memory_limit (via container_resources) | "512Mi" | "2Gi" | Activepieces Node.js runtime requires significant memory |
| enable_cloudsql_volume | true | true | Same default |

B. Database (Cloud SQL — PostgreSQL)

Activepieces Common hardcodes database_type = "POSTGRES_15", so the module only provisions PostgreSQL 15. The db-init.sh script installs the pgvector extension (required for AI-powered workflow features). Note that PostgreSQL 15 removed the default CREATE privilege on the public schema, so the privileges granted during db-init must include schema-level rights for db_user, not only database-level ones, or the application's own migrations fail on first start.

Activepieces CloudRun uses db_name and db_user — aliases that differ from App CloudRun's application_database_name / application_database_user. These are wired into Activepieces Common's config output and forwarded correctly.

pgvector extension: The db-init.sh script runs CREATE EXTENSION IF NOT EXISTS vector during the db-init job, connected as the postgres superuser (the cloudsqlsuperuser role on Cloud SQL), because creating the extension needs those rights. The extension is required for Activepieces AI piece integrations that use vector similarity search.

| Variable | Group | Default | Description |
|---|---|---|---|
| db_name | 11 | 'activepieces_db' | PostgreSQL database name. Do not change after initial deployment. |
| db_user | 11 | 'ap_user' | PostgreSQL application user. Password auto-generated and stored in Secret Manager. |
| database_password_length | 11 | 32 | Auto-generated password length. Range: 16–64. |
| enable_auto_password_rotation | 11 | false | Automated zero-downtime password rotation. |
| rotation_propagation_delay_sec | 11 | 90 | Seconds to wait after rotation before restarting the service. |

C. Storage (NFS & GCS)

NFS is disabled by default (enable_nfs = false). Unlike Django, Activepieces does not require shared NFS storage by default — workflow execution state is stored in PostgreSQL. Enable NFS if co-locating Redis with an NFS server VM, or if the deployment requires shared file access.

GCS data bucket: Activepieces Common automatically provisions a dedicated data bucket (suffix ap-data). Additional GCS buckets can be defined via storage_buckets.

| Variable | Group | Default | Description |
|---|---|---|---|
| enable_nfs | 10 | false | Provisions an NFS volume. Required only if co-locating Redis with the NFS server. |
| nfs_mount_path | 10 | '/mnt/nfs' | Container path where the NFS share is mounted. |
| nfs_instance_name | 8 | "" | Name of an existing NFS GCE VM to use. |
| nfs_instance_base_name | 8 | 'app-nfs' | Base name for the inline NFS GCE VM. |
| create_cloud_storage | 10 | true | Set false to skip additional bucket creation. The ap-data bucket from Activepieces Common is always provisioned. |
| storage_buckets | 10 | [{ name_suffix = "data" }] | Additional GCS buckets beyond the auto-provisioned data bucket. |
| gcs_volumes | 10 | [] | GCS buckets to mount via GCS Fuse (requires gen2). |
| manage_storage_kms_iam | 10 | false | Creates CMEK KMS keyring and enables CMEK encryption on storage buckets. |
| enable_artifact_registry_cmek | 10 | false | Enables CMEK encryption for container images in Artifact Registry. |

D. Networking

Public ingress is required for Activepieces webhook endpoints. The default ingress_settings = 'all' allows external systems to POST to webhook URLs.

| Variable | Group | Default | Description |
|---|---|---|---|
| ingress_settings | 4 | 'all' | 'all' — required for webhook endpoints; 'internal' — VPC only (disables webhooks); 'internal-and-cloud-load-balancing' — forces traffic through the HTTPS LB. |
| vpc_egress_setting | 4 | 'PRIVATE_RANGES_ONLY' | 'PRIVATE_RANGES_ONLY' routes only RFC 1918 traffic via VPC. 'ALL_TRAFFIC' routes all egress via VPC. |

E. Initialization & Bootstrap

When initialization_jobs = [] (the default), Activepieces Common substitutes a single default db-init job (execute_on_apply = true). This creates the PostgreSQL database and user, grants privileges, and installs the pgvector extension.

Unlike Django, there is no separate db-migrate job — Activepieces runs its own database migrations automatically on application startup.

The db-init job uses postgres:15-alpine and executes Activepieces_Common/scripts/db-init.sh.
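The following is an added example of what the db-init job described above has to do; it is not the module's own db-init.sh. It locates the Cloud SQL Auth Proxy socket under the volume mount, then applies an idempotent bootstrap (database, role, grants, pgvector) through psql variables so that names and the password are quoted by psql rather than spliced into SQL text. The DB_NAME, DB_USER, DB_PASSWORD and ROOT_PASSWORD variable names follow the page; the superuser name "postgres", the CLOUDSQL_VOLUME_MOUNT_PATH variable, the RUN_DB_INIT switch and the DB_HOST fallback are assumptions.

```shell
#!/bin/sh
# Added example, not the module's db-init.sh: idempotent bootstrap for the db-init job.
# Assumes DB_NAME, DB_USER, DB_PASSWORD, ROOT_PASSWORD in the environment; the superuser
# name defaults to "postgres"; CLOUDSQL_VOLUME_MOUNT_PATH mirrors cloudsql_volume_mount_path.
set -eu

# The Auth Proxy exposes <mount>/<project:region:instance>/.s.PGSQL.5432.
# Prints the socket directory (usable as psql -h) or returns 1 when none is mounted.
detect_cloudsql_socket() {
  base="${1:-/cloudsql}"
  for d in "$base"/*/; do
    # -e instead of -S keeps the check testable without a running proxy;
    # in the container the file is a Unix domain socket.
    if [ -e "${d}.s.PGSQL.5432" ]; then
      printf '%s\n' "${d%/}"
      return 0
    fi
  done
  return 1
}

# SQL for the job. :"var" quotes an identifier, :'var' quotes a literal, so nothing
# taken from the environment is interpolated as raw SQL. Every statement is re-runnable.
db_init_sql() {
  cat <<'SQL'
SELECT format('CREATE DATABASE %I', :'db_name')
  WHERE NOT EXISTS (SELECT 1 FROM pg_database WHERE datname = :'db_name') \gexec
SELECT format('CREATE ROLE %I LOGIN', :'db_user')
  WHERE NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = :'db_user') \gexec
ALTER ROLE :"db_user" WITH PASSWORD :'db_pw';
GRANT ALL PRIVILEGES ON DATABASE :"db_name" TO :"db_user";
\connect :db_name
-- PostgreSQL 15 no longer grants CREATE on schema public to every role; without
-- this grant the application's own migrations fail at first start.
GRANT ALL ON SCHEMA public TO :"db_user";
-- CREATE EXTENSION for pgvector needs superuser rights; IF NOT EXISTS makes re-runs no-ops.
CREATE EXTENSION IF NOT EXISTS vector;
SQL
}

run_db_init() {
  if sock="$(detect_cloudsql_socket "${CLOUDSQL_VOLUME_MOUNT_PATH:-/cloudsql}")"; then
    host="$sock"                                   # Unix socket via the Auth Proxy sidecar
  else
    host="${DB_HOST:?no Cloud SQL socket mounted and DB_HOST is unset}"   # TCP fallback
  fi
  db_init_sql | PGPASSWORD="$ROOT_PASSWORD" psql -X -q -v ON_ERROR_STOP=1 \
    -h "$host" -U "${ROOT_USER:-postgres}" -d postgres \
    -v db_name="$DB_NAME" -v db_user="$DB_USER" -v db_pw="$DB_PASSWORD"
}

# Run only when invoked as the job command, so the functions can also be sourced and tested.
if [ "${RUN_DB_INIT:-0}" = 1 ]; then
  run_db_init
fi
```

Because the password is passed with -v rather than inside the SQL string, it never appears in the SQL that psql echoes on error, and the script can be re-run after a password rotation: CREATE ROLE is skipped, ALTER ROLE applies the new password.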

| Variable | Group | Default | Description |
|---|---|---|---|
| initialization_jobs | 12 | [] | One-shot Cloud Run Jobs. Empty list triggers the default db-init job with execute_on_apply = true. Custom jobs can be provided to override. |
| cron_jobs | 12 | [] | Not referenced — this variable is defined for UI consistency but is not forwarded to App CloudRun in the current module version. Setting it has no effect on the deployed Cloud Run service. Use initialization_jobs for one-off tasks. |

4. Advanced Security

A. Cloud Armor WAF

When enable_cloud_armor = true, a Global HTTPS Load Balancer with a Cloud Armor WAF policy is provisioned in front of Cloud Run.

Activepieces consideration: Webhook endpoints receive unauthenticated POST requests from external services, so Cloud Armor rules must not block legitimate webhook traffic. If a provider's calls are being rejected, add its published egress ranges to admin_ip_ranges. Keep that list narrow: admin_ip_ranges exempts the listed CIDRs from every WAF rule, not just the one that fired.

| Variable | Group | Default | Description |
|---|---|---|---|
| enable_cloud_armor | 9 | false | Provisions Global HTTPS LB + Cloud Armor WAF. Required for custom domains, CDN, and DDoS protection. |
| admin_ip_ranges | 9 | [] | CIDR ranges exempted from WAF rules. |

B. Identity-Aware Proxy (IAP)

Warning: Enabling IAP (enable_iap = true) will require Google identity authentication for all requests, including webhook endpoints. This will block external webhook triggers from third-party services. Only enable IAP if Activepieces is used in an internal-only context where webhook endpoints are not needed.

| Variable | Group | Default | Description |
|---|---|---|---|
| enable_iap | 4 | false | Enables IAP natively on the Cloud Run service. Will block public webhook endpoints. |
| iap_authorized_users | 4 | [] | Users/service accounts granted access. Format: 'user:email' or 'serviceAccount:sa@...'. |
| iap_authorized_groups | 4 | [] | Google Groups granted access. Format: 'group:name@example.com'. |

C. Binary Authorization

| Variable | Group | Default | Description |
|---|---|---|---|
| enable_binary_authorization | 7 | false | Enforces image attestation. Requires a Binary Authorization policy and attestor pre-configured in the project. |

D. VPC Service Controls

| Variable | Group | Default | Description |
|---|---|---|---|
| enable_vpc_sc | 21 | false | Registers module API calls within the project's VPC-SC perimeter. A perimeter must already exist before enabling. |
| vpc_cidr_ranges | 21 | [] | VPC subnet CIDR ranges for the VPC-SC network access level. |
| vpc_sc_dry_run | 21 | true | When true, VPC-SC violations are logged but not blocked. |
| organization_id | 21 | "" | GCP Organization ID for the VPC-SC Access Context Manager policy. |
| enable_audit_logging | 21 | false | Enables detailed Cloud Audit Logs for all supported services. |

E. Secret Manager Integration

Activepieces Common auto-generates two secrets: AP_ENCRYPTION_KEY (32-character hex string for credential encryption) and AP_JWT_SECRET (32-character random string for JWT signing). These are injected via module_secret_env_vars.
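An added pre-deploy check, not part of the module, that encodes the rules on this page for the two auto-generated secrets and for the environment_variables map (see also the Variable Reference and Configuration Pitfalls sections): AP_ENCRYPTION_KEY must be exactly 32 hex characters (16 random bytes), AP_JWT_SECRET a 32-character random string with no whitespace, and neither of them, nor AP_POSTGRES_*, may be set through environment_variables. The openssl invocations used to generate values, the dotenv-style NAME=VALUE input for the override check, and treating AP_QUEUE_MODE as platform-managed are assumptions.

```shell
#!/bin/sh
# Added example, not part of the module: preflight checks for AP_ENCRYPTION_KEY,
# AP_JWT_SECRET and the environment_variables map. Generator commands and the
# NAME=VALUE file format are assumptions.

gen_encryption_key() { openssl rand -hex 16; }                  # 16 bytes -> 32 hex chars
gen_jwt_secret()     { openssl rand -base64 24 | tr -d '\n'; }  # 24 bytes -> 32 chars

# AP_ENCRYPTION_KEY: exactly 32 hex characters and nothing else.
check_encryption_key() {
  case "$1" in
    ''|*[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -eq 32 ]
}

# AP_JWT_SECRET: at least 32 characters, no whitespace (which would break env injection).
check_jwt_secret() {
  case "$1" in
    ''|*[[:space:]]*) return 1 ;;
  esac
  [ "${#1}" -ge 32 ]
}

# Reject overrides of platform-managed variables in a NAME=VALUE file rendered from
# the environment_variables map. AP_QUEUE_MODE is listed because Activepieces Common
# derives it from enable_redis (assumption: treat it as managed too).
check_env_overrides() {
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    name="${line%%=*}"
    case "$name" in
      AP_ENCRYPTION_KEY|AP_JWT_SECRET|AP_POSTGRES_*|AP_QUEUE_MODE)
        echo "environment_variables must not set platform-managed $name" >&2
        bad=1 ;;
    esac
  done < "$1"
  return "$bad"
}

# preflight KEY JWT_SECRET ENV_FILE: non-zero exit stops the pipeline before apply.
preflight() {
  check_encryption_key "$1" || { echo "AP_ENCRYPTION_KEY must be 32 hex chars" >&2; return 1; }
  check_jwt_secret "$2"     || { echo "AP_JWT_SECRET must be >=32 non-blank chars" >&2; return 1; }
  check_env_overrides "$3"
}
```

Run the key check against the value actually stored in Secret Manager (for example the output of `gcloud secrets versions access latest --secret=<name>`) rather than against a local copy: the pitfall on this page is a key that does not match what the running service was first started with, and the stored version is the one that matters.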

| Variable | Group | Default | Description |
|---|---|---|---|
| secret_environment_variables | 5 | {} | Map of env var name → Secret Manager secret ID. Resolved at runtime by Cloud Run. |
| secret_rotation_period | 5 | '2592000s' | Frequency at which Secret Manager emits rotation notifications. Default: 30 days. |
| secret_propagation_delay | 5 | 30 | Seconds to wait after secret creation before dependent resources proceed. |

5. Traffic & Ingress

A. HTTPS Load Balancer

When enable_cloud_armor = true, a Global HTTPS Load Balancer backed by a Serverless NEG is provisioned. Traffic flows: Internet → Cloud Armor → Global HTTPS LB → Serverless NEG → Cloud Run.

Setting ingress_settings = 'internal-and-cloud-load-balancing' forces all Activepieces traffic through the LB, preventing direct *.run.app URL access.

B. Cloud CDN

When enable_cdn = true (requires enable_cloud_armor = true), Cloud CDN is attached to the HTTPS Load Balancer backend.

Activepieces consideration: Cloud CDN is useful for the Activepieces frontend (static assets) only. API responses and webhook endpoints must never be cached: a cached authenticated API response would be served to whoever requests the same URL next. Confirm that Activepieces API responses carry Cache-Control: no-store (or private) before enabling CDN, and check the LB logs for cache hits on /api/ paths afterwards.

| Variable | Group | Default | Description |
|---|---|---|---|
| enable_cdn | 9 | false | Enables Cloud CDN on the HTTPS LB backend. Only effective when enable_cloud_armor = true. |

C. Custom Domains

| Variable | Group | Default | Description |
|---|---|---|---|
| application_domains | 9 | [] | Custom domain names for the HTTPS LB. Google-managed SSL certificates provisioned per domain. DNS must point to the LB IP. |

After the first apply, retrieve the LB IP from the Terraform output load_balancer_ip and create an A record. Then update AP_FRONTEND_URL and AP_WEBHOOK_URL_PREFIX environment variables to use the custom domain for correct OAuth redirect and webhook URL generation.


6. CI/CD & Delivery

A. Cloud Build Triggers

When enable_cicd_trigger = true, a Cloud Build GitHub connection and push trigger are provisioned.

| Variable | Group | Default | Description |
|---|---|---|---|
| enable_cicd_trigger | 7 | false | Provisions a Cloud Build GitHub trigger. |
| github_repository_url | 7 | "" | Full HTTPS URL of the GitHub repository. |
| github_token | 7 | "" | GitHub PAT (repo, admin:repo_hook scopes). Sensitive. |
| github_app_installation_id | 7 | "" | GitHub App installation ID. |
| cicd_trigger_config | 7 | { branch_pattern = "^main$" } | Advanced trigger config. |

B. Cloud Deploy Pipeline

| Variable | Group | Default | Description |
|---|---|---|---|
| enable_cloud_deploy | 7 | false | Provisions a Cloud Deploy progressive delivery pipeline. Requires enable_cicd_trigger = true. |
| cloud_deploy_stages | 7 | [dev, staging, prod(approval)] | Ordered promotion stages. |

7. Reliability & Scheduling

A. Scaling & Concurrency

Important: In the default memory queue mode (AP_QUEUE_MODE = MEMORY), workflow execution state is held in memory. Scaling to max_instance_count > 1 in memory mode will cause workflows to be split across instances and may produce inconsistent execution. Enable Redis queue mode before scaling horizontally.

| Variable | Group | Default | Description |
|---|---|---|---|
| min_instance_count | 3 | 0 | 0 enables scale-to-zero. Set ≥1 to prevent cold starts on webhook triggers. |
| max_instance_count | 3 | 1 | Increase only when enable_redis = true for consistent queue management. |

B. Health Probes

Activepieces CloudRun exposes a dual probe system, consistent with other application modules.

startup_probe / liveness_probe — passed to Activepieces Common to configure how the application container assesses readiness. These target /api/v1/flags — the Activepieces flags API endpoint that responds when the server is ready.

startup_probe_config / health_check_config — passed directly to App CloudRun and configure the Cloud Run infrastructure-level probes.

Activepieces connects to PostgreSQL and applies its database migrations on first boot, so allow at least 7 minutes for the initial deployment. The default startup_probe settings (initial_delay_seconds = 120, failure_threshold = 10, period_seconds = 30) give a probing window of 10 × 30 = 300 seconds (5 minutes) after the 120-second initial delay, i.e. 420 seconds (7 minutes) from container start before the startup probe is considered failed.

| Variable | Group | Default | Description |
|---|---|---|---|
| startup_probe | 13 | { enabled=true, type="HTTP", path="/api/v1/flags", initial_delay_seconds=120, timeout_seconds=10, period_seconds=30, failure_threshold=10 } | Startup probe used by Activepieces Common. Targets /api/v1/flags. Allow 7+ minutes on first boot. |
| liveness_probe | 13 | { enabled=true, type="HTTP", path="/api/v1/flags", initial_delay_seconds=30, timeout_seconds=10, period_seconds=30, failure_threshold=3 } | Liveness probe used by Activepieces Common. |
| startup_probe_config | 13 | { enabled=false } | Cloud Run infrastructure startup probe. Disabled by default — startup_probe above takes effect instead. |
| health_check_config | 13 | { enabled=true } | Cloud Run infrastructure liveness probe. |
| uptime_check_config | 13 | { enabled=true, path="/" } | Cloud Monitoring uptime check. |
| alert_policies | 13 | [] | Cloud Monitoring metric alert policies. |

C. Auto Password Rotation

| Variable | Group | Default | Description |
|---|---|---|---|
| enable_auto_password_rotation | 11 | false | Enables automated password rotation. |
| rotation_propagation_delay_sec | 11 | 90 | Seconds to wait after writing the new secret before restarting the service. |
| secret_rotation_period | 5 | '2592000s' | Rotation frequency. Default: 30 days. |

8. Integrations

A. Redis Queue Mode

Redis is disabled by default (enable_redis = false). In the default configuration, AP_QUEUE_MODE = "MEMORY" — workflow jobs are executed in-process. This is suitable for single-instance, low-traffic deployments.

When enable_redis = true:

  • AP_QUEUE_MODE is set to "REDIS"
  • QUEUE_BULL_REDIS_HOST, QUEUE_BULL_REDIS_PORT, and optionally QUEUE_BULL_REDIS_PASSWORD are injected
  • entrypoint.sh constructs and exports AP_REDIS_URL at runtime

If redis_host is left empty and enable_nfs = true, the NFS server VM's IP is used as the Redis host (via the $(NFS_SERVER_IP) platform placeholder). This enables a simple single-VM deployment where Redis is co-located on the NFS server. For production, provision a dedicated Cloud Memorystore instance and set redis_host explicitly.

| Variable | Group | Default | Description |
|---|---|---|---|
| enable_redis | 20 | false | Switches to Redis queue mode. Requires redis_host or enable_nfs = true. |
| redis_host | 20 | "" | Redis hostname or IP. Empty defaults to NFS server IP when enable_nfs = true. |
| redis_port | 20 | '6379' | Redis TCP port. Note: type is string, not number. |
| redis_auth | 20 | "" | Redis AUTH password. Marked sensitive, so it is redacted from plan output; Terraform still writes sensitive values to state in plaintext, so protect the state backend accordingly. |

Validation: A precondition in Activepieces GKE's validation.tf enforces that, when enable_redis = true, either redis_host is set or enable_nfs is true. Treat the same constraint as mandatory for the CloudRun variant, where it is not enforced at plan time: with both empty, the Redis connection string is blank and the service fails at startup (see Configuration Pitfalls).
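To make that failure mode visible at container start rather than deep in the application's logs, here is an added example of the AP_REDIS_URL construction described above; it is an illustration, not the module's entrypoint.sh. The QUEUE_BULL_REDIS_* and AP_QUEUE_MODE names follow the page; the redis:// URL shape, the handling of an unresolved $(NFS_SERVER_IP) placeholder and the RUN_ENTRYPOINT_DEMO switch are assumptions.

```shell
#!/bin/sh
# Added example, not the module's entrypoint.sh: derive AP_REDIS_URL from the queue
# settings and refuse to start with a blank or unresolved Redis host.
# Assumed: redis:// URL shape, literal "$(NFS_SERVER_IP)" when the placeholder is unresolved.

# Prints the URL on stdout; prints nothing in MEMORY mode; non-zero on a bad setup.
build_redis_url() {
  mode="${AP_QUEUE_MODE:-MEMORY}"
  host="${QUEUE_BULL_REDIS_HOST:-}"
  port="${QUEUE_BULL_REDIS_PORT:-6379}"
  pass="${QUEUE_BULL_REDIS_PASSWORD:-}"

  case "$mode" in
    MEMORY) return 0 ;;                       # in-process queue: nothing to build
    REDIS)  ;;
    *) echo "unsupported AP_QUEUE_MODE: $mode" >&2; return 2 ;;
  esac

  # enable_redis = true with neither redis_host nor enable_nfs leaves the host empty;
  # an unresolved platform placeholder is the same problem in another form.
  if [ -z "$host" ] || [ "$host" = '$(NFS_SERVER_IP)' ]; then
    echo "AP_QUEUE_MODE=REDIS but QUEUE_BULL_REDIS_HOST is empty or unresolved" >&2
    return 1
  fi
  case "$port" in
    ''|*[!0-9]*) echo "invalid QUEUE_BULL_REDIS_PORT: $port" >&2; return 1 ;;
  esac

  # Password goes in the userinfo part; assumed to contain no URL-reserved characters.
  if [ -n "$pass" ]; then
    printf 'redis://:%s@%s:%s\n' "$pass" "$host" "$port"
  else
    printf 'redis://%s:%s\n' "$host" "$port"
  fi
}

# Entry-point usage: fail the container start instead of booting with a broken queue.
if [ "${RUN_ENTRYPOINT_DEMO:-0}" = 1 ]; then
  AP_REDIS_URL="$(build_redis_url)" || exit 1
  if [ -n "$AP_REDIS_URL" ]; then export AP_REDIS_URL; fi
  echo "queue mode ${AP_QUEUE_MODE:-MEMORY} configured" >&2
fi
```

Failing fast here turns the pitfall into a revision that never becomes ready (and is therefore never routed traffic by Cloud Run), which is far easier to diagnose than a service that accepts webhooks and silently drops the jobs.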

B. Backup Import & Recovery

Activepieces CloudRun uses backup_uri (not backup_file as in Django). backup_uri is mapped to App CloudRun's backup_file parameter internally.

| Variable | Group | Default | Description |
|---|---|---|---|
| backup_schedule | 6 | '0 2 * * *' | Cron expression (UTC) for automated daily backups. |
| backup_retention_days | 6 | 7 | Days to retain backup files in GCS. |
| enable_backup_import | 6 | false | Triggers a one-time restore on apply. |
| backup_source | 6 | 'gcs' | 'gcs' (full GCS URI) or 'gdrive' (Google Drive file ID). |
| backup_uri | 6 | "" | Full GCS URI (e.g., gs://my-bucket/backup.sql) or Google Drive file ID. Maps to backup_file in App CloudRun. |
| backup_format | 6 | 'sql' | Backup file format. Options: sql, tar, gz, tgz, tar.gz, zip. |

C. Custom SQL Scripts

| Variable | Group | Default | Description |
|---|---|---|---|
| enable_custom_sql_scripts | 8 | false | Runs custom SQL scripts from GCS after provisioning. |
| custom_sql_scripts_bucket | 8 | "" | GCS bucket containing SQL scripts. |
| custom_sql_scripts_path | 8 | "" | Path prefix within the bucket. |
| custom_sql_scripts_use_root | 8 | false | Run scripts as the root DB user. |

D. Observability & Alerting

| Variable | Group | Default | Description |
|---|---|---|---|
| uptime_check_config | 13 | { enabled=true, path="/" } | Cloud Monitoring uptime check. |
| alert_policies | 13 | [] | Metric alert policies. |
| support_users | 1 | [] | Email addresses notified by uptime and alert policy triggers. |

9. Platform-Managed Behaviours

| Behaviour | Implementation | Detail |
|---|---|---|
| PostgreSQL 15 required | database_type = "POSTGRES_15" hardcoded by Activepieces Common | Only PostgreSQL 15 is supported. database_type is not exposed as a variable. |
| pgvector extension | Installed by db-init job via Activepieces_Common/scripts/db-init.sh | CREATE EXTENSION IF NOT EXISTS vector is run as the postgres superuser. Required for AI-powered workflow pieces. The script is idempotent. |
| AP_ENCRYPTION_KEY | Auto-generated 32-char hex string stored in Secret Manager by Activepieces Common | Injected via module_secret_env_vars. Do not set in environment_variables. |
| AP_JWT_SECRET | Auto-generated 32-char random string stored in Secret Manager by Activepieces Common | Injected via module_secret_env_vars. Do not set in environment_variables. |
| AP_POSTGRES_* mapping | entrypoint.sh in Activepieces Common | Platform-standard DB_HOST, DB_NAME, DB_USER, DB_PASSWORD are mapped to Activepieces-specific AP_POSTGRES_HOST, AP_POSTGRES_DATABASE, AP_POSTGRES_USERNAME, AP_POSTGRES_PASSWORD at runtime. |
| AP_FRONTEND_URL / AP_WEBHOOK_URL_PREFIX | Set to predicted service URL at plan time; corrected at runtime by entrypoint.sh from CLOUDRUN_SERVICE_URL | Ensures webhook URLs and OAuth redirects always use the actual service URL, not a stale predicted URL. |
| Memory queue mode by default | AP_QUEUE_MODE = "MEMORY" unless enable_redis = true | Single-instance operation. Do not scale max_instance_count > 1 in memory mode. |
| GCS data bucket | Provisioned by Activepieces Common, injected via module_storage_buckets | A dedicated GCS bucket (suffix ap-data) is provisioned for Activepieces data. |
| NFS disabled by default | enable_nfs = false | Unlike Django, NFS is opt-in. Enable only if co-locating Redis or requiring shared filesystem access. |
| module_env_vars is empty | module_env_vars = {} | All Activepieces environment variables are set inside Activepieces Common's config.environment_variables. No additional env vars are injected via module_env_vars. |
| scripts_dir resolution | abspath("${module.activepieces_app.path}/scripts") | Points to Activepieces_Common/scripts/. Initialization scripts are sourced from there. |

10. Variable Reference

All user-configurable variables exposed by Activepieces CloudRun, sorted by UI group then order. Group 0 variables are reserved for platform metadata.

| Variable | Group | Default | Description |
|---|---|---|---|
| module_description | 0 | (Activepieces Cloud Run platform text) | Platform metadata: module description. |
| module_documentation | 0 | https://docs.radmodules.dev/docs/modules/Activepieces_CloudRun | Platform metadata: documentation URL. |
| module_dependency | 0 | ['Services GCP'] | Platform metadata: required modules. |
| module_services | 0 | (GCP service list) | Platform metadata: GCP services consumed. |
| credit_cost | 0 | 50 | Platform metadata: deployment credit cost. |
| require_credit_purchases | 0 | false | Platform metadata: enforces credit balance check. |
| enable_purge | 0 | true | Permits full deletion of module resources on destroy. |
| public_access | 0 | true | Platform catalogue visibility. |
| deployment_id | 0 | "" | Deployment ID suffix. Auto-generated if empty. |
| resource_creator_identity | 0 | (platform SA) | Service account used by Terraform to manage resources. |
| project_id | 1 | (none) | GCP project ID. Required. |
| tenant_deployment_id | 1 | 'demo' | Short suffix appended to all resource names. |
| support_users | 1 | [] | Email addresses for monitoring alerts. |
| resource_labels | 1 | {} | Labels applied to all provisioned resources. |
| application_name | 2 | 'activepieces' | Base resource name. Do not change after initial deployment. |
| display_name | 2 | 'Activepieces Workflow Automation' | Human-readable name. Alias for application_display_name. |
| description | 2 | 'Activepieces - Open source workflow automation platform' | Service description. Alias for application_description. |
| application_version | 2 | 'latest' | Container image version tag. |
| deploy_application | 3 | true | Set false for infrastructure-only deployment. |
| cpu_limit | 3 | '2000m' | CPU limit per instance. |
| memory_limit | 3 | '2Gi' | Memory limit per instance. |
| min_instance_count | 3 | 0 | 0 = scale-to-zero. Set ≥1 to eliminate cold starts. |
| max_instance_count | 3 | 1 | Set >1 only when enable_redis = true. |
| container_port | 3 | 8080 | TCP port Activepieces listens on. |
| execution_environment | 3 | 'gen2' | Gen2 required for NFS and GCS Fuse. |
| timeout_seconds | 3 | 300 | Max request duration (0–3600). |
| enable_cloudsql_volume | 3 | true | Injects Cloud SQL Auth Proxy sidecar. |
| cloudsql_volume_mount_path | 3 | '/cloudsql' | Base path for Auth Proxy Unix socket. |
| enable_image_mirroring | 3 | true | Mirrors container image into Artifact Registry. |
| max_revisions_to_retain | 3 | 7 | Maximum Cloud Run revisions to retain. |
| traffic_split | 3 | [] | Canary/blue-green traffic allocation. |
| container_protocol | 3 | 'http1' | 'http1' or 'h2c'. |
| service_annotations | 3 | {} | Advanced Cloud Run annotations. |
| service_labels | 3 | {} | Labels applied to the Cloud Run service. |
| ingress_settings | 4 | 'all' | 'all' required for webhooks; 'internal' disables public access. |
| vpc_egress_setting | 4 | 'PRIVATE_RANGES_ONLY' | 'PRIVATE_RANGES_ONLY' or 'ALL_TRAFFIC'. |
| enable_iap | 4 | false | Enables IAP. Will block webhook endpoints. |
| iap_authorized_users | 4 | [] | Users/SAs granted IAP access. |
| iap_authorized_groups | 4 | [] | Google Groups granted IAP access. |
| environment_variables | 5 | {} | Additional plain-text env vars. Do not set AP_ENCRYPTION_KEY, AP_JWT_SECRET, or AP_POSTGRES_* here. |
| secret_environment_variables | 5 | {} | Secret Manager references injected as env vars. |
| secret_propagation_delay | 5 | 30 | Seconds to wait after secret creation. |
| secret_rotation_period | 5 | '2592000s' | Secret Manager rotation notification frequency. |
| backup_schedule | 6 | '0 2 * * *' | Cron expression (UTC) for automated backups. |
| backup_retention_days | 6 | 7 | Days to retain backup files in GCS. |
| enable_backup_import | 6 | false | Triggers a one-time restore on apply. |
| backup_source | 6 | 'gcs' | 'gcs' (full GCS URI) or 'gdrive' (file ID). |
| backup_uri | 6 | "" | GCS URI or Google Drive file ID. Maps to backup_file in App CloudRun. |
| backup_format | 6 | 'sql' | Backup format: sql, tar, gz, tgz, tar.gz, zip. |
| enable_cicd_trigger | 7 | false | Provisions a Cloud Build GitHub trigger. |
| github_repository_url | 7 | "" | Full HTTPS URL of the GitHub repository. |
| github_token | 7 | "" | GitHub PAT. Sensitive. |
| github_app_installation_id | 7 | "" | GitHub App installation ID. |
| cicd_trigger_config | 7 | { branch_pattern = "^main$" } | Advanced Cloud Build trigger config. |
| enable_cloud_deploy | 7 | false | Provisions a Cloud Deploy progressive delivery pipeline. |
| cloud_deploy_stages | 7 | [dev, staging, prod(approval)] | Ordered Cloud Deploy promotion stages. |
| enable_binary_authorization | 7 | false | Enforces image attestation on deployment. |
| enable_custom_sql_scripts | 8 | false | Runs SQL scripts from GCS after provisioning. |
| custom_sql_scripts_bucket | 8 | "" | GCS bucket containing SQL scripts. |
| custom_sql_scripts_path | 8 | "" | Path prefix within the bucket. |
| custom_sql_scripts_use_root | 8 | false | Run scripts as the root DB user. |
| nfs_instance_name | 8 | "" | Name of an existing NFS GCE VM to use. |
| nfs_instance_base_name | 8 | 'app-nfs' | Base name for the inline NFS GCE VM. |
| enable_cloud_armor | 9 | false | Provisions Global HTTPS LB + Cloud Armor WAF. |
| admin_ip_ranges | 9 | [] | CIDR ranges exempted from WAF rules. |
| application_domains | 9 | [] | Custom domains with Google-managed SSL certificates. |
| enable_cdn | 9 | false | Enables Cloud CDN on the HTTPS LB backend. |
| max_images_to_retain | 9 | 7 | Maximum container images to keep in Artifact Registry. |
| delete_untagged_images | 9 | true | Automatically deletes untagged container images. |
| image_retention_days | 9 | 30 | Days after which images are eligible for deletion. |
| create_cloud_storage | 10 | true | Set false to skip GCS bucket creation. |
| storage_buckets | 10 | [{ name_suffix = "data" }] | Additional GCS buckets to provision. |
| enable_nfs | 10 | false | Provisions NFS shared storage. Off by default (unlike Django). |
| nfs_mount_path | 10 | '/mnt/nfs' | Container path where NFS is mounted. |
| gcs_volumes | 10 | [] | GCS buckets to mount via GCS Fuse. |
| manage_storage_kms_iam | 10 | false | Creates CMEK KMS keyring and enables CMEK encryption. |
| enable_artifact_registry_cmek | 10 | false | Enables CMEK encryption for container images. |
| db_name | 11 | 'activepieces_db' | PostgreSQL database name. Do not change after initial deployment. |
| db_user | 11 | 'ap_user' | PostgreSQL application user. |
| database_password_length | 11 | 32 | Auto-generated password length (16–64). |
| enable_auto_password_rotation | 11 | false | Automated zero-downtime password rotation. |
| rotation_propagation_delay_sec | 11 | 90 | Seconds to wait after rotation before restarting the service. |
| initialization_jobs | 12 | [] | One-shot Cloud Run Jobs. Empty list triggers the default db-init job (execute_on_apply=true). |
| cron_jobs | 12 | [] | Not referenced — not forwarded to App CloudRun. Has no effect in this module version. |
| startup_probe | 13 | { path="/api/v1/flags", initial_delay_seconds=120, failure_threshold=10, ... } | Activepieces Common startup probe. Allow 7+ minutes on first boot. |
| liveness_probe | 13 | { path="/api/v1/flags", initial_delay_seconds=30, failure_threshold=3, ... } | Activepieces Common liveness probe. |
| startup_probe_config | 13 | { enabled=false } | Cloud Run infrastructure startup probe. Disabled — startup_probe takes effect. |
| health_check_config | 13 | { enabled=true } | Cloud Run infrastructure liveness probe. |
| uptime_check_config | 13 | { enabled=true, path="/" } | Cloud Monitoring uptime check. |
| alert_policies | 13 | [] | Cloud Monitoring metric alert policies. |
| enable_redis | 20 | false | Switches to Redis queue mode. Required for max_instance_count > 1. |
| redis_host | 20 | "" | Redis hostname/IP. Empty defaults to NFS server IP when enable_nfs = true. |
| redis_port | 20 | '6379' | Redis TCP port (string type). |
| redis_auth | 20 | "" | Redis AUTH password. Sensitive. |
| enable_vpc_sc | 21 | false | Registers API calls within the project's VPC-SC perimeter. |
| vpc_cidr_ranges | 21 | [] | VPC subnet CIDR ranges for the VPC-SC network access level. |
| vpc_sc_dry_run | 21 | true | When true, VPC-SC violations are logged but not blocked. |
| organization_id | 21 | "" | GCP Organization ID for the VPC-SC policy. |
| enable_audit_logging | 21 | false | Enables detailed Cloud Audit Logs for all supported services. |

Configuration Pitfalls & Sensible Defaults

Risk levels: Critical (data loss, full outage, security breach) — High (service unavailable or significant degradation) — Medium (degraded function or increased cost) — Low (minor impact).

| Variable | Sensible Default | Risk | Consequence of Incorrect Value |
|---|---|---|---|
| AP_ENCRYPTION_KEY (auto-generated 32-char hex secret) | Auto-generated and stored in Secret Manager | Critical | The encryption key is used to encrypt all connection credentials and flow step secrets. Changing it after first run permanently corrupts all stored credentials — they cannot be decrypted and must be re-entered. The key must be exactly 32 hex characters (16 random bytes). |
| AP_JWT_SECRET (auto-generated secret) | Auto-generated and stored in Secret Manager | Critical | Used to sign all user session tokens. Rotating it immediately invalidates all active user sessions, forcing all users to log out and re-authenticate. Do not rotate without a maintenance window. |
| application_name | "activepieces" | Critical | Immutable after first deploy. Changing it renames all GCP resources, triggering full recreation and data loss. |
| db_name | "activepieces" | Critical | Immutable after first deploy. Changing it causes Activepieces to connect to a new empty database, losing all flows, connections, and execution history. |
| AP_FRONTEND_URL / AP_WEBHOOK_URL_PREFIX (injected from service_url) | Predicted Cloud Run service URL | Critical | Both must match the actual public service URL. Incorrect values break webhook triggers from external systems and OAuth callbacks. After deployment, verify the predicted URL matches the Cloud Run service URL. |
| enable_redis | true | High | Activepieces defaults to REDIS queue mode when Redis is enabled (AP_QUEUE_MODE = "REDIS"). Without Redis and with max_instance_count > 1, the queue mode falls back to MEMORY, meaning each instance maintains its own in-memory queue — causing duplicate flow executions and lost runs. |
| redis_host | "" (uses NFS server IP when enable_nfs = true) | High | When enable_redis = true, redis_host is empty and enable_nfs = false, the Redis connection string is blank and Activepieces fails to connect to Redis at startup. |
| AP_EXECUTION_MODE (injected as "UNSANDBOXED") | "UNSANDBOXED" | Medium | Activepieces is deployed in unsandboxed mode by default because Cloud Run does not support sandboxed execution (which requires privileged containers). Changing to "SANDBOXED" via environment_variables will cause container startup failures. |
| memory_limit | "2Gi" | High | Activepieces runs flow steps in-process. Values below 1Gi cause OOM kills during concurrent flow executions with multiple active steps. |
| cpu_limit | "1000m" | Medium | Low CPU limits cause execution throttling, especially for flows that process large payloads or run JavaScript/TypeScript code steps. Increase to 2000m for production workloads. |
| min_instance_count | 0 | Medium | Scale-to-zero causes cold-start delays of 5–15 seconds for incoming webhook triggers after idle. Set to 1 for time-sensitive webhook flows in production. |
| max_instance_count | 1 | High | Increasing above 1 without Redis changes the queue mode to MEMORY per instance, causing duplicate executions. Only increase with enable_redis = true. |
| enable_nfs | true | High | Activepieces stores flow artifacts and binary data at the NFS mount path. Without NFS, any file-handling steps lose their data on container restart. |
| AP_SIGN_UP_ENABLED (injected as "true") | "true" | High | Leaving sign-up enabled in production allows anyone with the service URL to create an account. Override via environment_variables = { AP_SIGN_UP_ENABLED = "false" } after creating the initial admin user. |
| enable_iap | false | High | Enabling IAP without valid iap_authorized_users or iap_authorized_groups causes all requests to return 403. |
| ingress_settings | "all" | Medium | Setting to "internal" blocks all webhook callbacks from external services. Use "internal-and-cloud-load-balancing" with Cloud Armor for production. |
| vpc_egress_setting | "PRIVATE_RANGES_ONLY" | Medium | Setting to "all-traffic" routes all outbound calls through the VPC connector. If VPC firewall rules block egress to external APIs, all flow steps that call external services will fail. |
| backup_schedule | "0 2 * * *" (daily at 02:00) | Medium | Ensure the backup schedule is aligned with your RPO. Activepieces execution history and connections are stored in PostgreSQL and are only recoverable from backups. |
| enable_binary_authorization | false | Medium | Enabling with "REQUIRE_ATTESTATION" blocks all deployments unless the Activepieces image has a valid attestation. Use "ALWAYS_ALLOW" initially. |
| enable_cloud_armor | false | Medium | Activepieces webhooks are publicly accessible by default. Enable Cloud Armor to enforce IP allowlists for the admin UI and restrict webhook ingress in production. |
| enable_vpc_sc | false | Medium | Requires organization_id to be set. If it is empty, VPC-SC is silently skipped regardless of enable_vpc_sc. |
| secret_propagation_delay | 30 seconds | Low | Too short a delay may cause the application to start before Secret Manager has propagated new secret versions, resulting in startup failures on first deploy. |
| enable_auto_password_rotation | false | Medium | Enabling without tuning rotation_propagation_delay_sec can cause brief authentication failures during the propagation window between database password rotation and application restart. |
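Several of the pitfalls above are cross-variable conditions (Redis versus instance count, IAP versus its allowlists, VPC-SC versus organization_id, an empty redis_host without NFS) that Terraform itself will not flag before apply. The following pre-apply check is an added example, not code from the module or from Activepieces: it reads a terraform.tfvars.json-style object, applies the table's conditions and risk levels, and exits non-zero on Critical or High findings so it can gate a CI pipeline. The variable names are the module's; the defaults assumed for omitted keys (ASSUMED_DEFAULTS) are taken from this page where it states them and are otherwise an assumption.

```python
"""Pre-apply check for Activepieces_CloudRun inputs (added example, not module code).

Reads a tfvars-style JSON object and reports the cross-variable pitfalls
from the configuration table. Thresholds and risk levels follow the table;
ASSUMED_DEFAULTS is an assumption for keys the caller omits.
"""
from __future__ import annotations

import json
import re
import sys
from dataclasses import dataclass

# Assumed defaults for omitted keys (taken from the page where it states them).
ASSUMED_DEFAULTS: dict = {
    "enable_redis": False, "redis_host": "", "enable_nfs": True,
    "enable_iap": False, "iap_authorized_users": [], "iap_authorized_groups": [],
    "enable_vpc_sc": False, "organization_id": "",
    "ingress_settings": "all", "enable_cloud_armor": False,
    "min_instance_count": 0, "max_instance_count": 1,
    "cpu_limit": "1000m", "memory_limit": "2Gi",
    "environment_variables": {},
}


@dataclass(frozen=True)
class Finding:
    variable: str
    risk: str  # Critical / High / Medium / Low, as in the table
    message: str


def mem_to_mib(value: str) -> float:
    """Convert a Cloud Run memory string ("512Mi", "2Gi", "1G", "1024M") to MiB."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(Mi|Gi|M|G)\s*", value)
    if not m:
        raise ValueError(f"unrecognised memory limit: {value!r}")
    n, unit = float(m.group(1)), m.group(2)
    return n * {"Mi": 1, "Gi": 1024, "M": 10**6 / 2**20, "G": 10**9 / 2**20}[unit]


def cpu_to_millicores(value: str) -> float:
    """Convert "1000m" or "2" to millicores."""
    v = value.strip()
    return float(v[:-1]) if v.endswith("m") else float(v) * 1000


def check_config(user_cfg: dict) -> list[Finding]:
    """Return the pitfalls present in the given module inputs (empty list means clean)."""
    cfg = {**ASSUMED_DEFAULTS, **user_cfg}
    env = cfg["environment_variables"] or {}
    out: list[Finding] = []
    if int(cfg["max_instance_count"]) > 1 and not cfg["enable_redis"]:
        out.append(Finding("max_instance_count", "High",
            "more than one instance without enable_redis=true: each instance keeps its "
            "own MEMORY queue, causing duplicate and lost flow runs"))
    if cfg["enable_redis"] and not cfg["redis_host"] and not cfg["enable_nfs"]:
        out.append(Finding("redis_host", "High",
            "enable_redis=true with empty redis_host and enable_nfs=false: the Redis "
            "connection string is blank and startup fails"))
    if cfg["enable_iap"]:
        if not (cfg["iap_authorized_users"] or cfg["iap_authorized_groups"]):
            out.append(Finding("enable_iap", "High",
                "IAP enabled with no iap_authorized_users/iap_authorized_groups: "
                "every request returns 403"))
        out.append(Finding("enable_iap", "Medium",
            "IAP blocks public webhooks; external systems cannot POST to webhook endpoints"))
    if cfg["enable_vpc_sc"] and not cfg["organization_id"]:
        out.append(Finding("enable_vpc_sc", "Medium",
            "enable_vpc_sc=true but organization_id is empty: VPC-SC is silently skipped"))
    if cfg["ingress_settings"] == "internal":
        out.append(Finding("ingress_settings", "Medium",
            "'internal' blocks all webhook callbacks from external services"))
    if not cfg["enable_cloud_armor"]:
        out.append(Finding("enable_cloud_armor", "Medium",
            "webhooks and admin UI are publicly reachable without Cloud Armor IP allowlists"))
    if str(env.get("AP_SIGN_UP_ENABLED", "true")).lower() != "false":
        out.append(Finding("AP_SIGN_UP_ENABLED", "High",
            "public sign-up is enabled: anyone with the service URL can create an account; "
            "set environment_variables = { AP_SIGN_UP_ENABLED = \"false\" } once the admin exists"))
    if env.get("AP_EXECUTION_MODE", "UNSANDBOXED") == "SANDBOXED":
        out.append(Finding("AP_EXECUTION_MODE", "Medium",
            "SANDBOXED needs privileged containers, which Cloud Run lacks: startup will fail"))
    if mem_to_mib(cfg["memory_limit"]) < 1024:
        out.append(Finding("memory_limit", "High",
            "below 1Gi: OOM kills during concurrent flow executions"))
    if cpu_to_millicores(cfg["cpu_limit"]) < 2000:
        out.append(Finding("cpu_limit", "Medium",
            "below the 2000m recommended for production: code steps get throttled"))
    if int(cfg["min_instance_count"]) == 0:
        out.append(Finding("min_instance_count", "Medium",
            "scale-to-zero adds 5-15 s cold-start latency to webhook triggers after idle"))
    return out


def worst_risk(findings: list[Finding]) -> str | None:
    """Highest risk level present, using the table's ordering (None when clean)."""
    present = [r for r in ("Critical", "High", "Medium", "Low") if any(f.risk == r for f in findings)]
    return present[0] if present else None


def main(argv: list[str]) -> int:
    """Usage: python check_activepieces_tfvars.py terraform.tfvars.json"""
    with open(argv[1], encoding="utf-8") as fh:
        findings = check_config(json.load(fh))
    for f in findings:
        print(f"[{f.risk}] {f.variable}: {f.message}")
    return 1 if worst_risk(findings) in ("Critical", "High") else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the tfvars file you are about to apply; a clean production configuration (Redis enabled with a host, sign-up disabled, Cloud Armor on, at least one warm instance, 2Gi/2000m) produces no findings, while the module defaults alone produce several Medium findings and one High (public sign-up), which matches the table's intent that the defaults are for first boot, not production.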

Destroying Resources

Known Deletion Issue: Serverless IPv4 Address Release

When destroying a Cloud Run deployment, you may encounter an error similar to:

Error: Error waiting for Subnetwork to be deleted: The following serverless IPv4 address(es) on subnet ... are still in use.

Cause: GCP holds serverless IPv4 addresses on the VPC subnet asynchronously after a Cloud Run service is deleted. These addresses are released by GCP approximately 20–30 minutes after the Cloud Run service is removed. Terraform/OpenTofu cannot complete the subnet or VPC deletion until they are fully released.

Resolution: Wait 20–30 minutes after the initial destroy attempt, then re-run the destroy command:

tofu destroy

The second run will succeed once GCP has released the reserved addresses.
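The wait-then-retry procedure above is easy to automate in a teardown job. The wrapper below is an added example, not part of the module or of OpenTofu: it runs the destroy, recognises the serverless IPv4 release error quoted above, waits for GCP to release the addresses (the page gives 20–30 minutes; 25 minutes is assumed here) and retries, while surfacing any unrelated error immediately. The command and the sleep are injectable so the decision logic can be exercised without a cloud project.

```python
"""Retry wrapper for `tofu destroy` (added example, not part of the module).

Recognises the asynchronous serverless IPv4 release error, waits for the
release window and re-runs the destroy. Any other failure is returned at once.
"""
from __future__ import annotations

import subprocess
import sys
import time
from typing import Callable

RELEASE_MARKER = "serverless IPv4 address"  # text of the error quoted in this section
WAIT_SECONDS = 25 * 60                      # assumed: inside the 20-30 minute release window


def is_serverless_ip_release_error(output: str) -> bool:
    """True when the destroy failed only because GCP still holds serverless IPs."""
    return RELEASE_MARKER in output and "still in use" in output


def run_tofu_destroy(workdir: str = ".") -> tuple[int, str]:
    """Run a non-interactive destroy and return (exit code, combined output)."""
    proc = subprocess.run(["tofu", "destroy", "-auto-approve"], cwd=workdir,
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def destroy_with_retry(run: Callable[[], tuple[int, str]] = run_tofu_destroy,
                       sleep: Callable[[float], None] = time.sleep,
                       max_attempts: int = 3) -> int:
    """Destroy, and on the IP-release error wait and retry up to max_attempts times."""
    rc = 1
    for attempt in range(1, max_attempts + 1):
        rc, output = run()
        if rc == 0:
            return 0
        if not is_serverless_ip_release_error(output) or attempt == max_attempts:
            return rc  # unrelated failure, or out of attempts: surface it
        print(f"attempt {attempt}: serverless IPs still held; waiting {WAIT_SECONDS}s",
              file=sys.stderr)
        sleep(WAIT_SECONDS)
    return rc


if __name__ == "__main__":
    sys.exit(destroy_with_retry())
```

Keep max_attempts small: if the error persists after two release windows, something other than the asynchronous release is holding the subnet, and the output should be inspected rather than retried further.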