Flowise CloudRun Module — Configuration Guide
Flowise is an open-source visual AI workflow builder that lets non-developers construct
LangChain and LlamaIndex pipelines through a drag-and-drop interface. This module deploys
Flowise on Google Cloud Run with a managed Cloud SQL PostgreSQL database and GCS-backed
file storage.
Flowise CloudRun is a wrapper module built on top of App CloudRun. It delegates all
GCP infrastructure provisioning to App CloudRun (Cloud Run service, Cloud SQL, networking,
Secret Manager, GCS, CI/CD) and uses a Flowise Common sub-module to supply
Flowise-specific application configuration, secret generation, and storage bucket
definitions. The Flowise Common outputs feed into App CloudRun's application_config,
module_secret_env_vars, module_storage_buckets, and scripts_dir inputs.
This guide documents variables that are unique to Flowise CloudRun or that have
Flowise-specific defaults differing from the App CloudRun base module. For full
documentation of variables with identical semantics, refer to the
App_CloudRun Configuration Guide.
§1 · Module Overview
What Flowise CloudRun provides
- A Flowise container built from the flowiseai/flowise base image via a custom Dockerfile, deployed on Cloud Run listening on port 3000.
- A Cloud SQL PostgreSQL 15 instance as the Flowise database backend. All DATABASE_* connection variables are injected automatically via flowise-entrypoint.sh.
- Cloud SQL Auth Proxy via Unix socket — enable_cloudsql_volume = true by default. This is a user-configurable variable (not hardcoded).
- A GCS bucket (suffixed -flowise-uploads) provisioned by Flowise Common for Flowise file storage. Its name is injected automatically as GOOGLE_CLOUD_STORAGE_BUCKET_NAME.
- FLOWISE_PASSWORD auto-generated by Flowise Common and stored in Secret Manager via module_secret_env_vars. This is the Flowise admin password.
- Health probes target /api/v1/ping, which is Flowise's dedicated health endpoint.
Key differences from App CloudRun defaults
| Feature | App CloudRun default | Flowise CloudRun default |
|---|---|---|
| container_port | 8080 | 3000 |
| cpu_limit | "1000m" | "1000m" |
| memory_limit | "512Mi" | "1Gi" |
| min_instance_count | 0 | 1 |
| max_instance_count | 1 | 1 |
| enable_nfs | false | false |
| enable_cloudsql_volume | false | true (user-configurable) |
| enable_redis | false | false |
| enable_image_mirroring | true | true |
| container_image_source | "prebuilt" | "custom" |
| Health probe path | /healthz | /api/v1/ping |
| Application database name | — | "flowisedb" |
| Application database user | — | "flowiseuser" |
§2 · IAM & Project Identity
These variables configure the GCP project target, deployment identity, and platform
metadata. Their semantics are identical to the App CloudRun equivalents.
| Variable | Default | Description |
|---|---|---|
| project_id | (required) | GCP project into which all resources are deployed. |
| tenant_deployment_id | "demo" | Short suffix appended to resource names to allow multiple deployments in the same project. |
| resource_creator_identity | "rad-module-creator@tec-rad-ui-2b65.iam.gserviceaccount.com" | Service account used by Terraform. Override with a project-specific account for production. |
| support_users | [] | Email addresses granted IAM access and added to monitoring alert channels. |
| resource_labels | {} | Labels applied to all module-managed resources. |
| module_description | (Flowise description string) | Platform UI description. Do not modify unless customising the module. |
| module_documentation | "https://docs.radmodules.dev/docs/modules/Flowise_CloudRun" | External documentation URL displayed in the platform UI. |
| module_dependency | ["Services GCP"] | Platform modules that must be deployed before this one. |
| deployment_id | "" | Optional fixed deployment ID. Auto-generated when blank. |
§3 · Core Service Configuration
§3.A · Application Identity
| Variable | Default | Description |
|---|---|---|
| application_name | "flowise" | Base name for the Cloud Run service, Artifact Registry repo, and Secret Manager secrets. Do not change after initial deployment — changing it forces resource recreation. |
| application_display_name | "Flowise" | Human-readable name in the platform UI and Cloud Run console. |
| application_description | "Flowise Visual AI Workflow Builder on Cloud Run" | Brief description of the deployment. |
| application_version | "latest" | Container image version tag. |
| flowise_username | "admin" | Flowise admin username. Injected as FLOWISE_USERNAME. Belongs to UIMeta group 2. |
§3.B · Resource Sizing
| Variable | Default | Description |
|---|---|---|
| cpu_limit | "1000m" | CPU limit per Cloud Run container instance. |
| memory_limit | "1Gi" | Memory limit per Cloud Run container instance. |
| min_instance_count | 1 | Minimum live instances. Default 1 avoids cold starts for AI workflow requests. Valid range: 0–1000. |
| max_instance_count | 1 | Maximum concurrent instances. Valid range: 1–1000. |
| container_port | 3000 | Port Flowise binds to inside the container. |
| timeout_seconds | 300 | Maximum request duration in seconds. Increase for long-running AI workflow executions (maximum 3600). |
| execution_environment | "gen2" | Cloud Run execution environment. "gen2" is recommended and required for NFS volume mounts. |
| deploy_application | true | Set false to provision supporting infrastructure without deploying the container. |
| enable_cloudsql_volume | true | Injects the Cloud SQL Auth Proxy sidecar for Unix socket connections. |
| cloudsql_volume_mount_path | "/cloudsql" | Filesystem path for the Cloud SQL Auth Proxy Unix socket. |
| enable_image_mirroring | true | Mirrors the image into Artifact Registry before deployment. |
| container_image_source | "custom" | "custom" builds via Cloud Build from the bundled Dockerfile; "prebuilt" deploys container_image directly. |
| container_image | "" | Override image URI. Only used when container_image_source = "prebuilt". |
| container_protocol | "http1" | HTTP protocol version. |
| max_revisions_to_retain | 7 | Maximum Cloud Run revisions to keep. Set to 0 to disable pruning. |
§3.C · Environment Variables & Secrets
The following platform-managed variables are automatically injected and must not be
set in environment_variables — they will conflict or be overridden.
Do not set in environment_variables:
DATABASE_TYPE, DATABASE_PORT, FLOWISE_USERNAME, APIKEY_STORAGE_TYPE,
STORAGE_TYPE, GCLOUD_PROJECT, GOOGLE_CLOUD_STORAGE_BUCKET_NAME,
FLOWISE_PASSWORD.
The DATABASE_HOST, DATABASE_USER, DATABASE_NAME, and DATABASE_PASSWORD variables
are injected at runtime by flowise-entrypoint.sh (mapping platform DB_* variables to
Flowise DATABASE_* names) — do not set them directly.
| Variable | Default | Description |
|---|---|---|
| environment_variables | {} | Plain-text key/value pairs injected into the Cloud Run revision. Use for non-sensitive Flowise configuration. |
| secret_environment_variables | {} | Map of env var name → Secret Manager secret name. Resolved at runtime. |
| secret_propagation_delay | 30 | Seconds to wait after secret creation before dependent operations proceed. Valid range: 0–300. |
| secret_rotation_period | "2592000s" | Pub/Sub rotation notification period (30 days). Must be in seconds with s suffix. |
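The reserved-key rule above is documented but not enforced for the caller, so a root module that wraps Flowise CloudRun can add its own plan-time guards. The following is an added example, not code from the Flowise CloudRun or App CloudRun modules: it rejects any platform-managed key in environment_variables and refuses max_instance_count > 1 without Redis (the multi-instance constraint described in the pitfalls table). The variable names match the module inputs; the cross-variable validation assumes Terraform 1.9 or later.

```hcl
# Root-module guards (example, not part of Flowise CloudRun). These variables
# are declared here and then passed through to the module call unchanged.

variable "environment_variables" {
  type        = map(string)
  default     = {}
  description = "Plain-text env vars forwarded to module.flowise.environment_variables"

  validation {
    # Keys from §3.C that Flowise Common or flowise-entrypoint.sh injects;
    # setting them here would conflict with or be overridden by the module.
    condition = length(setintersection(keys(var.environment_variables), [
      "DATABASE_TYPE", "DATABASE_PORT", "DATABASE_HOST", "DATABASE_USER",
      "DATABASE_NAME", "DATABASE_PASSWORD", "FLOWISE_USERNAME", "FLOWISE_PASSWORD",
      "APIKEY_STORAGE_TYPE", "STORAGE_TYPE", "GCLOUD_PROJECT",
      "GOOGLE_CLOUD_STORAGE_BUCKET_NAME"
    ])) == 0
    error_message = "environment_variables contains a platform-managed key (DATABASE_*, FLOWISE_USERNAME, FLOWISE_PASSWORD, APIKEY_STORAGE_TYPE, STORAGE_TYPE, GCLOUD_PROJECT or GOOGLE_CLOUD_STORAGE_BUCKET_NAME). These are injected by the module and must not be overridden."
  }
}

variable "enable_redis" {
  type    = bool
  default = false
}

variable "max_instance_count" {
  type    = number
  default = 1

  # Referencing another variable inside a validation block requires
  # Terraform >= 1.9 (assumption stated in the lead-in).
  validation {
    condition     = var.max_instance_count == 1 || var.enable_redis
    error_message = "max_instance_count > 1 requires enable_redis = true: Flowise keeps flow execution state in memory, so load-balancing across instances needs a shared Redis store."
  }
}
```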
§3.D · Networking
| Variable | Default | Description |
|---|---|---|
| ingress_settings | "all" | "all" permits public access. Use "internal" to restrict to VPC only. Options: all, internal, internal-and-cloud-load-balancing. |
| vpc_egress_setting | "PRIVATE_RANGES_ONLY" | Routes only RFC 1918 traffic via VPC. Set "ALL_TRAFFIC" for strict egress control. |
| container_protocol | "http1" | HTTP protocol version. Use "h2c" only if the application supports HTTP/2 cleartext. |
| service_annotations | {} | Cloud Run service-level annotations. |
| service_labels | {} | Additional labels applied to the Cloud Run service resource. |
| traffic_split | [] | Traffic allocation across Cloud Run revisions. Entries must sum to 100. Empty sends all traffic to the latest revision. |
§3.E · Initialization & Bootstrap
By default, Flowise Common injects a db-init Cloud Run job using the
postgres:15-alpine image that creates the Flowise database and user role before the
service starts.
| Variable | Default | Description |
|---|---|---|
| initialization_jobs | [{ name = "db-init", … }] | Cloud Run jobs executed once during deployment. Default provisions the PostgreSQL database and user. Override to supply custom init logic. |
| cron_jobs | [] | Recurring Cloud Run jobs triggered by Cloud Scheduler. |
| additional_services | [] | Additional Cloud Run services deployed alongside the main Flowise service. |
§4 · Advanced Security
§4.A · Secret Management
One secret is auto-generated by Flowise Common on every deployment and injected via
module_secret_env_vars:
| Secret | Purpose |
|---|---|
| FLOWISE_PASSWORD | 32-character random Flowise admin password. Stored in Secret Manager with the ID <resource_prefix>-password. |

| Variable | Default | Description |
|---|---|---|
| secret_rotation_period | "2592000s" | Duration between rotation Pub/Sub notifications (30 days). |
| secret_propagation_delay | 30 | Seconds to wait after secret creation before dependent operations proceed. |
| enable_auto_password_rotation | false | Automates database password rotation via Cloud Run + Eventarc. |
| rotation_propagation_delay_sec | 90 | Seconds to wait after rotation before Cloud Run restarts to pick up the new value. |
| database_password_length | 32 | Length of the auto-generated database user password. Valid range: 16–64. |
§4.B · Identity-Aware Proxy (IAP)
| Variable | Default | Description |
|---|---|---|
| enable_iap | false | Enables Cloud Run native IAP. Recommended for production Flowise deployments. |
| iap_authorized_users | [] | Individual users. Format: "user:email@example.com". |
| iap_authorized_groups | [] | Google Groups. Format: "group:name@example.com". |
§4.C · Cloud Armor & CDN
| Variable | Default | Description |
|---|---|---|
| enable_cloud_armor | false | Enables Cloud Armor WAF + Global HTTPS Load Balancer. |
| application_domains | [] | Custom domain names. Google-managed SSL certificates are provisioned automatically. |
| enable_cdn | false | Enables Cloud CDN. Only active when enable_cloud_armor = true. |
| admin_ip_ranges | [] | CIDR ranges for administrative access bypass. |
§4.D · VPC Service Controls
| Variable | Default | Description |
|---|---|---|
| enable_vpc_sc | false | Restricts GCP API access to a VPC-SC perimeter. |
| vpc_cidr_ranges | [] | VPC subnet CIDR ranges for the VPC-SC network access level. |
| vpc_sc_dry_run | true | When true, violations are logged but not blocked. |
| organization_id | "" | GCP Organization ID for VPC-SC Access Context Manager. Auto-discovered when empty. |
| enable_audit_logging | false | Enables detailed Cloud Audit Logs. |
§4.E · Binary Authorization
| Variable | Default | Description |
|---|---|---|
| enable_binary_authorization | false | Enforces Binary Authorization attestation policy on the Cloud Run service. |
§5 · CI/CD Integration
§5.A · GitHub & Cloud Build
Flowise uses the custom Dockerfile build path by default (container_image_source = "custom"). Cloud Build compiles the image from Flowise_Common/scripts/Dockerfile.
| Variable | Default | Description |
|---|---|---|
| enable_cicd_trigger | false | Creates a Cloud Build trigger that builds and deploys on push to the configured branch. |
| github_repository_url | "" | Full HTTPS URL of the GitHub repository. Required when enable_cicd_trigger = true. |
| github_token | "" | GitHub PAT for repository authentication. Required scopes: repo, admin:repo_hook, workflow. |
| github_app_installation_id | "" | Cloud Build GitHub App installation ID. Alternative to PAT. |
| cicd_trigger_config | { branch_pattern = "^main$" } | Controls branch filter, included/ignored paths, trigger name, and build substitutions. |
§5.B · Cloud Deploy Pipelines
| Variable | Default | Description |
|---|---|---|
| enable_cloud_deploy | false | Switches to a Cloud Deploy pipeline with defined promotion stages. Requires enable_cicd_trigger = true. |
| cloud_deploy_stages | [dev, staging, prod(approval)] | Ordered promotion stages with optional manual approval gates. |
| container_build_config | { enabled = true } | Advanced Cloud Build configuration. Supports dockerfile_path, context_path, build_args, and artifact_repo_name. |
§6 · Reliability & Data
§6.A · Health Probes
Flowise exposes a dedicated health endpoint at /api/v1/ping. Both the startup and
liveness probes target this path.
| Variable | Default | Description |
|---|---|---|
| startup_probe | { enabled=true, type="HTTP", path="/api/v1/ping", initial_delay_seconds=60, timeout_seconds=5, period_seconds=10, failure_threshold=3 } | Flat startup probe passed to Flowise Common. |
| liveness_probe | { enabled=true, type="HTTP", path="/api/v1/ping", initial_delay_seconds=30, timeout_seconds=5, period_seconds=30, failure_threshold=3 } | Flat liveness probe passed to Flowise Common. |
| startup_probe_config | { enabled=true, path="/api/v1/ping", initial_delay_seconds=30, period_seconds=10, failure_threshold=30 } | Structured startup probe passed directly to App CloudRun. |
| health_check_config | { enabled=true, path="/api/v1/ping" } | Structured liveness probe passed directly to App CloudRun. |
| uptime_check_config | { enabled=true, path="/" } | Cloud Monitoring uptime check from multiple global locations. |
§6.B · Storage
| Variable | Default | Description |
|---|---|---|
| enable_nfs | false | Provisions a Cloud Filestore NFS instance mounted into the container. Useful for Flowise workflow and API key file storage. Requires execution_environment = "gen2". |
| nfs_mount_path | "/mnt/nfs" | Container path for the NFS volume. |
| nfs_instance_name | "" | Name of an existing NFS GCE VM. Leave empty to auto-discover. |
| nfs_instance_base_name | "app-nfs" | Base name for the inline NFS GCE VM. |
| create_cloud_storage | true | Set false to skip GCS bucket provisioning. |
| storage_buckets | [{ name_suffix = "data" }] | GCS buckets to provision. Flowise Common always provisions an additional -flowise-uploads bucket. |
| gcs_volumes | [] | GCS buckets mounted as GCS Fuse volumes into the container. |
| manage_storage_kms_iam | false | Creates CMEK KMS keys and enables CMEK encryption on storage buckets. |
| enable_artifact_registry_cmek | false | Enables CMEK encryption on container images in Artifact Registry. |
§6.C · Database
Flowise requires PostgreSQL. All DATABASE_* connection variables are injected at
container startup by flowise-entrypoint.sh.
| Variable | Default | Description |
|---|---|---|
| application_database_name | "flowisedb" | PostgreSQL database name. Do not change after initial deployment. |
| application_database_user | "flowiseuser" | PostgreSQL user. Password auto-generated and stored in Secret Manager. |
| database_password_length | 32 | Auto-generated password length. Valid range: 16–64. |
| enable_auto_password_rotation | false | Automates password rotation. |
| rotation_propagation_delay_sec | 90 | Seconds to wait after rotation before Cloud Run restarts. |
§6.D · Backup & Recovery
| Variable | Default | Description |
|---|---|---|
| backup_schedule | "0 2 * * *" | Cron expression (UTC) for the automated backup job. |
| backup_retention_days | 7 | Days to retain backup files in GCS. |
| enable_backup_import | false | Triggers a one-time import job to restore a backup at deployment time. |
| backup_source | "gcs" | Source: "gcs" or "gdrive". |
| backup_file | "backup.sql" | Filename of the backup to import. |
| backup_format | "sql" | Format of the backup file. Options: sql, tar, gz, tgz, tar.gz, zip, auto. |
§7 · Integrations
§7.A · Redis (optional)
Redis is not required for Flowise core functionality but may improve performance for large
workflow executions.
| Variable | Default | Description |
|---|---|---|
| enable_redis | false | Injects Redis connection variables into the Cloud Run service. |
| redis_host | null | Redis hostname or IP. Required when enable_redis = true. |
| redis_port | "6379" | Redis TCP port. |
| redis_auth | "" | Redis AUTH password. Sensitive — leave empty if authentication is not enabled. |
§7.B · Custom SQL
| Variable | Default | Description |
|---|---|---|
| enable_custom_sql_scripts | false | Runs custom SQL scripts from a GCS bucket against the application database. |
| custom_sql_scripts_bucket | "" | GCS bucket name containing the SQL scripts. |
| custom_sql_scripts_path | "" | Path prefix within the GCS bucket. |
| custom_sql_scripts_use_root | false | Execute scripts as the root database user. |
§7.C · Observability
| Variable | Default | Description |
|---|---|---|
| uptime_check_config | { enabled = true, path = "/" } | Cloud Monitoring uptime check. |
| alert_policies | [] | List of metric-threshold alert policies. Each requires name, metric_type, comparison, threshold_value, duration_seconds. |
| service_annotations | {} | Annotations applied to the Cloud Run service resource. |
| service_labels | {} | Labels applied to the Cloud Run service. |
§7.D · Artifact Registry Cleanup
| Variable | Default | Description |
|---|---|---|
| max_images_to_retain | 7 | Maximum number of container images to keep in Artifact Registry. Set to 0 to disable. |
| delete_untagged_images | true | Automatically deletes untagged container images. |
| image_retention_days | 30 | Days after which images are eligible for deletion. Set to 0 to disable. |
The following are set automatically by the module and cannot be overridden via input
variables.
Environment Variables (always injected)
| Variable | Value / Source | Notes |
|---|---|---|
| DATABASE_TYPE | "postgres" | Forces PostgreSQL backend. |
| DATABASE_PORT | "5432" | PostgreSQL port. |
| FLOWISE_USERNAME | var.flowise_username (default "admin") | Flowise admin username. |
| APIKEY_STORAGE_TYPE | "db" | Stores API keys in the database. |
| STORAGE_TYPE | "gcs" | Flowise file storage backend. |
| GCLOUD_PROJECT | var.project_id | GCP project for GCS access. |
| GOOGLE_CLOUD_STORAGE_BUCKET_NAME | Name of the first provisioned storage bucket | The -flowise-uploads bucket created by Flowise Common. Injected via module_env_vars. |
| DATABASE_HOST | Cloud SQL Auth Proxy socket/IP | Resolved at runtime by flowise-entrypoint.sh from the platform DB_HOST variable. |
| DATABASE_USER | var.application_database_user | Mapped from DB_USER by flowise-entrypoint.sh. |
| DATABASE_NAME | var.application_database_name | Mapped from DB_NAME by flowise-entrypoint.sh. |
| DATABASE_PASSWORD | Secret Manager ref | Mapped from DB_PASSWORD by flowise-entrypoint.sh. |
| FLOWISE_PASSWORD | Secret Manager ref | Auto-generated admin password from Flowise Common. |
Structural Wiring
| Behaviour | Detail |
|---|---|
| scripts_dir | Resolved as abspath("${module.flowise_app.path}/scripts") — points to Flowise Common's bundled scripts/ directory containing the Dockerfile and flowise-entrypoint.sh. |
| module_secret_env_vars | Receives module.flowise_app.secret_ids — maps FLOWISE_PASSWORD to its Secret Manager secret ID. |
| module_env_vars | Contains GOOGLE_CLOUD_STORAGE_BUCKET_NAME mapped to the first bucket from Flowise Common.storage_buckets. |
| DB variable remapping | flowise-entrypoint.sh maps platform DB_* variables to Flowise DATABASE_* naming convention unconditionally, handling both Cloud Run and GKE env var ordering constraints. |
| container_build_config | Merges Flowise Common's defaults with dockerfile_path = "Dockerfile" and context_path = ".". |
§9 · Variable Reference
Complete list of all input variables, grouped by UI section.
| Group | Variable | Type | Default | Updatable |
|---|---|---|---|---|
| 0 | module_description | string | (long description) | — |
| 0 | module_documentation | string | "https://docs.radmodules.dev/docs/modules/Flowise_CloudRun" | — |
| 0 | module_dependency | list(string) | ["Services GCP"] | — |
| 0 | module_services | list(string) | (service list) | — |
| 0 | credit_cost | number | 50 | — |
| 0 | require_credit_purchases | bool | false | — |
| 0 | enable_purge | bool | true | — |
| 0 | public_access | bool | true | — |
| 0 | deployment_id | string | "" | yes |
| 0 | resource_creator_identity | string | "rad-module-creator@…" | yes |
| 1 | project_id | string | — | yes |
| 1 | tenant_deployment_id | string | "demo" | yes |
| 1 | support_users | list(string) | [] | yes |
| 1 | resource_labels | map(string) | {} | yes |
| 2 | application_name | string | "flowise" | — |
| 2 | application_display_name | string | "Flowise" | yes |
| 2 | application_description | string | "Flowise Visual AI Workflow Builder on Cloud Run" | yes |
| 2 | application_version | string | "latest" | yes |
| 2 | flowise_username | string | "admin" | yes |
| 3 | deploy_application | bool | true | yes |
| 3 | container_image_source | string | "custom" | yes |
| 3 | container_image | string | "" | yes |
| 3 | container_build_config | object | { enabled = true } | yes |
| 3 | enable_image_mirroring | bool | true | yes |
| 3 | cpu_limit | string | "1000m" | yes |
| 3 | memory_limit | string | "1Gi" | yes |
| 3 | min_instance_count | number | 1 | yes |
| 3 | max_instance_count | number | 1 | yes |
| 3 | container_port | number | 3000 | yes |
| 3 | container_protocol | string | "http1" | yes |
| 3 | execution_environment | string | "gen2" | yes |
| 3 | timeout_seconds | number | 300 | yes |
| 3 | enable_cloudsql_volume | bool | true | yes |
| 3 | cloudsql_volume_mount_path | string | "/cloudsql" | yes |
| 3 | traffic_split | list(object) | [] | yes |
| 3 | service_annotations | map(string) | {} | yes |
| 3 | service_labels | map(string) | {} | yes |
| 3 | max_revisions_to_retain | number | 7 | yes |
| 4 | ingress_settings | string | "all" | yes |
| 4 | vpc_egress_setting | string | "PRIVATE_RANGES_ONLY" | yes |
| 4 | enable_iap | bool | false | yes |
| 4 | iap_authorized_users | list(string) | [] | yes |
| 4 | iap_authorized_groups | list(string) | [] | yes |
| 5 | environment_variables | map(string) | {} | yes |
| 5 | secret_environment_variables | map(string) | {} | yes |
| 5 | secret_rotation_period | string | "2592000s" | yes |
| 5 | secret_propagation_delay | number | 30 | yes |
| 6 | backup_schedule | string | "0 2 * * *" | yes |
| 6 | backup_retention_days | number | 7 | yes |
| 6 | enable_backup_import | bool | false | yes |
| 6 | backup_source | string | "gcs" | yes |
| 6 | backup_file | string | "backup.sql" | yes |
| 6 | backup_format | string | "sql" | yes |
| 7 | enable_cicd_trigger | bool | false | yes |
| 7 | github_repository_url | string | "" | yes |
| 7 | github_token | string | "" | yes |
| 7 | github_app_installation_id | string | "" | yes |
| 7 | cicd_trigger_config | object | { branch_pattern = "^main$" } | yes |
| 7 | enable_cloud_deploy | bool | false | yes |
| 7 | cloud_deploy_stages | list(object) | [dev, staging, prod(approval)] | yes |
| 7 | enable_binary_authorization | bool | false | yes |
| 8 | enable_custom_sql_scripts | bool | false | yes |
| 8 | custom_sql_scripts_bucket | string | "" | yes |
| 8 | custom_sql_scripts_path | string | "" | yes |
| 8 | custom_sql_scripts_use_root | bool | false | yes |
| 9 | enable_cloud_armor | bool | false | yes |
| 9 | admin_ip_ranges | list(string) | [] | yes |
| 9 | application_domains | list(string) | [] | yes |
| 9 | enable_cdn | bool | false | yes |
| 9 | max_images_to_retain | number | 7 | yes |
| 9 | delete_untagged_images | bool | true | yes |
| 9 | image_retention_days | number | 30 | yes |
| 10 | create_cloud_storage | bool | true | yes |
| 10 | storage_buckets | list(object) | [{ name_suffix = "data" }] | yes |
| 10 | enable_nfs | bool | false | yes |
| 10 | nfs_mount_path | string | "/mnt/nfs" | yes |
| 10 | nfs_instance_name | string | "" | yes |
| 10 | nfs_instance_base_name | string | "app-nfs" | yes |
| 10 | gcs_volumes | list(object) | [] | yes |
| 10 | manage_storage_kms_iam | bool | false | yes |
| 10 | enable_artifact_registry_cmek | bool | false | yes |
| 11 | application_database_name | string | "flowisedb" | yes |
| 11 | application_database_user | string | "flowiseuser" | yes |
| 11 | database_password_length | number | 32 | yes |
| 11 | enable_auto_password_rotation | bool | false | yes |
| 11 | rotation_propagation_delay_sec | number | 90 | yes |
| 12 | initialization_jobs | list(object) | [{ name = "db-init", … }] | yes |
| 12 | cron_jobs | list(object) | [] | yes |
| 12 | additional_services | list(object) | [] | yes |
| 13 | startup_probe | object | (HTTP /api/v1/ping, 60s delay) | yes |
| 13 | liveness_probe | object | (HTTP /api/v1/ping, 30s delay) | yes |
| 13 | startup_probe_config | object | (HTTP /api/v1/ping, 30s delay, 30 threshold) | yes |
| 13 | health_check_config | object | (HTTP /api/v1/ping) | yes |
| 13 | uptime_check_config | object | { enabled = true, path = "/" } | yes |
| 13 | alert_policies | list(object) | [] | yes |
| 20 | enable_redis | bool | false | yes |
| 20 | redis_host | string | null | yes |
| 20 | redis_port | string | "6379" | yes |
| 20 | redis_auth | string | "" | yes |
| 21 | enable_vpc_sc | bool | false | yes |
| 21 | vpc_cidr_ranges | list(string) | [] | yes |
| 21 | vpc_sc_dry_run | bool | true | yes |
| 21 | organization_id | string | "" | yes |
| 21 | enable_audit_logging | bool | false | yes |
§10 · Outputs
| Output | Description | Sensitive |
|---|---|---|
| service_name | Name of the Cloud Run service | — |
| service_url | Public URL of the Cloud Run service | — |
| service_location | GCP region of the Cloud Run service | — |
| stage_services | Map of stage names to Cloud Run service details (for Cloud Deploy) | — |
| database_instance_name | Name of the Cloud SQL instance | — |
| database_name | Name of the application database | — |
| database_user | Name of the application database user | — |
| database_password_secret | Secret Manager secret name for the database password | — |
| database_host | Database host IP address | yes |
| database_port | Database port | — |
| storage_buckets | Created GCS storage buckets | — |
| network_name | VPC network name | — |
| network_exists | Whether the VPC network exists | — |
| regions | Available regions in the VPC | — |
| nfs_server_ip | NFS server internal IP | yes |
| nfs_mount_path | NFS mount path in containers | — |
| nfs_share_path | NFS share path on server | — |
| container_image | Container image used for the service | — |
| container_registry | Artifact Registry repository name | — |
| monitoring_enabled | Whether monitoring is configured | — |
| monitoring_notification_channels | Monitoring notification channel names | — |
| uptime_check_names | Uptime check configuration names | — |
| deployment_id | Unique deployment identifier | — |
| tenant_id | Tenant identifier | — |
| resource_prefix | Resource naming prefix | — |
| project_id | GCP project ID | — |
| project_number | GCP project number | — |
| initialization_jobs | Created initialization job names | — |
| nfs_setup_job | NFS setup job name | — |
| deployment_summary | Summary of the deployment | — |
| cicd_enabled | Whether CI/CD pipeline is enabled | — |
| github_repository_url | GitHub repository URL connected for CI/CD | — |
| github_repository_owner | GitHub repository owner/organization | — |
| github_repository_name | GitHub repository name | — |
| artifact_registry_repository | Artifact Registry repository for container images | — |
| cloudbuild_trigger_name | Cloud Build trigger name for CI/CD | — |
| cloudbuild_trigger_id | Cloud Build trigger ID for CI/CD | — |
| cicd_configuration | Complete CI/CD configuration details | — |
Configuration Pitfalls & Sensible Defaults
Risk levels: Critical (data loss, full outage, security breach) — High (service unavailable or significant degradation) — Medium (degraded function or increased cost) — Low (minor impact).
| Variable | Sensible Default | Risk | Consequence of Incorrect Value |
|---|---|---|---|
| flowise_username | "admin" | Critical | Default admin username is publicly known. Always change before exposing the service externally — combined with a weak or default password it grants immediate full access to all AI flows. |
| FLOWISE_PASSWORD (via Secret Manager) | Auto-generated 32-char random secret | Critical | The module auto-generates the password; if you override it with a weak value via environment_variables, all flows and credentials stored in the DB are accessible to any attacker who guesses it. |
| FLOWISE_SECRETKEY_OVERWRITE | Not set (Flowise internal default) | Critical | If set initially and later changed or removed, all Flowise credential secrets (LLM API keys, vector-store tokens) stored in the database are permanently unreadable. Treat this as immutable after first deploy. |
| application_database_name | "flowisedb" | High | Changing this after the database has been provisioned orphans the old database and causes Flowise to fail on startup until a new database is initialised. Immutable after first apply. |
| application_database_user | "flowiseuser" | High | Same as above — the database user is created in the db-init job and cannot be renamed without manual Cloud SQL intervention. Immutable after first apply. |
| STORAGE_TYPE / GCLOUD_PROJECT | "gcs" / project injected | High | Overriding STORAGE_TYPE to anything other than "gcs" breaks the GCS-backed file storage. Flowise will fall back to local disk, which is ephemeral on Cloud Run and lost on each new revision. |
| GOOGLE_CLOUD_STORAGE_BUCKET_NAME | Auto-set from module output | High | Do not override this env var. The module sets it from module.flowise_app.storage_buckets[0].name. An incorrect bucket name causes all file uploads to fail silently. |
| memory_limit | "1Gi" | High | Flowise loads LangChain/LlamaIndex into Node.js. Under 512Mi the process is OOM-killed immediately on startup, causing perpetual cold-start failures. Minimum recommended is "1Gi"; production with large flow graphs needs "2Gi". |
| cpu_limit | "1000m" | Medium | Under 500m Flowise flow execution becomes very slow and health-check timeouts may kill the container. Set to at least "1000m". |
| min_instance_count | 1 | High | Setting to 0 on Cloud Run enables scale-to-zero but causes cold starts of 10–20 s for every inbound request when Flowise is idle. Combined with downstream LLM latency, this frequently triggers client timeouts. |
| max_instance_count | 1 | Medium | Flowise stores in-memory flow execution state. Running more than one instance without a shared Redis session store causes flow executions to fail when load-balanced to a different instance. Keep at 1 unless Redis is configured. |
| APIKEY_STORAGE_TYPE | "db" | High | Changing to "json" reverts to file-based API key storage, which is lost on every Cloud Run revision deployment. Always keep "db". |
| DATABASE_TYPE | "postgres" (hardcoded) | Critical | Hard-coded in the Common module. Do not override to "sqlite" via environment_variables — SQLite on Cloud Run is ephemeral and all flow definitions are lost on the next revision. |
| enable_cloudsql_volume | true | Critical | If set to false with a Postgres database, the Cloud SQL Auth Proxy sidecar is not injected and the database connection will be refused. The module's GKE validation guard rejects this combination at plan time. |
| enable_iap | false | High | Leaving IAP disabled exposes the Flowise UI directly to the internet over Cloud Run's public URL. At minimum set ingress_settings = "internal-and-cloud-load-balancing" or enable IAP to restrict access. |
| ingress_settings | "all" | High | The default allows traffic from any source. For internal-only deployments set to "internal-and-cloud-load-balancing" to restrict to VPC and load-balancer traffic. |
| startup_probe.failure_threshold | 30 (= 300 s total) | Medium | Reducing this below 10 causes Cloud Run to restart the container before Flowise has finished its DB migrations on first boot. |
| liveness_probe.path | "/api/v1/ping" | High | Changing the probe path to a non-existent endpoint causes continuous liveness failures and rolling restarts once the app is running. |
| enable_redis | false | Medium | Without Redis, Flowise cannot share session/queue state across instances. Only relevant when max_instance_count > 1. Enabling Redis without providing redis_host raises a validation error. |
| backup_schedule | "0 2 * * *" | Medium | Leaving the backup schedule at default is safe; removing or disabling it means no automated Cloud SQL backups and potential unrecoverable data loss. |
| vpc_egress_setting | "private-ranges-only" | Medium | Set to "all-traffic" only if Flowise must call public LLM APIs through an egress NAT. Leaving at default reduces egress costs and attack surface. |
| secret_rotation_period | "720h" | Low | Very short rotation periods (e.g., "24h") cause frequent secret version churn; ensure rotation_propagation_delay_sec is set high enough that all running instances pick up the new secret before the old version expires. |
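A root-module call that applies the pitfalls table's recommendations together, as an added example (not code from the Flowise CloudRun project). The module source path, project ID, service account, domain, Google Group, CIDR and Secret Manager secret name are placeholders; every input name and value is taken from the tables in this guide.

```hcl
# Hardened production call of Flowise CloudRun (example; placeholders marked).
module "flowise" {
  source = "./modules/Flowise_CloudRun" # assumed local module path

  project_id                = "example-project"                                    # placeholder
  tenant_deployment_id      = "prod"
  resource_creator_identity = "tf-deployer@example-project.iam.gserviceaccount.com" # placeholder; not the shared default
  support_users             = ["platform-oncall@example.com"]                       # placeholder

  # Identity: the default "admin" username is publicly known.
  flowise_username = "flowise-ops"

  # Sizing: 1Gi is the floor, 2Gi for large flow graphs. One warm instance avoids
  # cold starts and the in-memory execution-state problem of multiple instances.
  cpu_limit          = "1000m"
  memory_limit       = "2Gi"
  min_instance_count = 1
  max_instance_count = 1
  timeout_seconds    = 600

  # Database: keep the Auth Proxy sidecar; name and user are immutable after first apply.
  enable_cloudsql_volume    = true
  application_database_name = "flowisedb"
  application_database_user = "flowiseuser"
  database_password_length  = 32

  # Exposure: no direct public URL. Traffic enters via the Cloud Armor load balancer,
  # IAP restricts the UI to one group, and egress stays on private ranges.
  ingress_settings      = "internal-and-cloud-load-balancing"
  enable_iap            = true
  iap_authorized_groups = ["group:flowise-users@example.com"] # placeholder
  enable_cloud_armor    = true
  application_domains   = ["flowise.example.com"]             # placeholder
  admin_ip_ranges       = ["203.0.113.0/24"]                   # placeholder (TEST-NET-3)
  vpc_egress_setting    = "PRIVATE_RANGES_ONLY"

  # Supply-chain and audit controls.
  enable_binary_authorization = true
  enable_audit_logging        = true

  # Probes: keep the 30 x 10 s startup budget so first-boot DB migrations complete.
  startup_probe_config = {
    enabled               = true
    path                  = "/api/v1/ping"
    initial_delay_seconds = 30
    period_seconds        = 10
    failure_threshold     = 30
  }

  # FLOWISE_SECRETKEY_OVERWRITE supplied from Secret Manager and fixed for the life
  # of the deployment: changing it later makes stored credentials unreadable.
  secret_environment_variables = {
    FLOWISE_SECRETKEY_OVERWRITE = "flowise-prod-secretkey" # placeholder secret name
  }

  # Only non-sensitive Flowise settings belong here; never the platform-managed
  # keys listed in §3.C (DATABASE_*, FLOWISE_*, STORAGE_TYPE, ...).
  environment_variables = {}
}
```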
Destroying Resources
Known Deletion Issue: Serverless IPv4 Address Release
When destroying a Cloud Run deployment, you may encounter an error similar to:
Error: Error waiting for Subnetwork to be deleted: The following serverless IPv4 address(es) on subnet ... are still in use.
Cause: GCP holds serverless IPv4 addresses on the VPC subnet asynchronously after a Cloud Run service is deleted. These addresses are released by GCP approximately 20–30 minutes after the Cloud Run service is removed. Terraform/OpenTofu cannot complete the subnet or VPC deletion until they are fully released.
Resolution: Wait 20–30 minutes after the initial destroy attempt, then re-run the destroy command:
The second run will succeed once GCP has released the reserved addresses.