Flowise GKE Module — Configuration Guide
Flowise is an open-source visual AI workflow builder that lets non-developers construct LangChain and LlamaIndex pipelines through a drag-and-drop interface. This module deploys Flowise on GKE Autopilot with a managed Cloud SQL PostgreSQL database, GCS-backed file storage, and optional NFS for shared volumes.
Flowise GKE is a wrapper module built on top of App GKE. It uses App GKE for all GCP infrastructure provisioning (GKE Autopilot cluster, networking, Cloud SQL Auth Proxy, GCS, secrets, CI/CD) and a Flowise Common sub-module to supply Flowise-specific application configuration, secret generation, and storage bucket definitions.
Note: Variables marked as platform-managed are set and maintained by the platform. You do not normally need to change them.
How This Guide Is Structured
This guide documents variables that are unique to Flowise_GKE or that have Flowise-specific defaults differing from the App_GKE base module. For variables with identical semantics, refer to the App_GKE Configuration Guide.
Key differences from App GKE defaults:
| Feature | App GKE default | Flowise GKE default |
|---|---|---|
| container_port | 8080 | 3000 |
| cpu_limit | "1000m" | "1000m" |
| memory_limit | "512Mi" | "1Gi" |
| min_instance_count | 1 | 1 |
| max_instance_count | 1 | 1 |
| container_image_source | "prebuilt" | "custom" |
| enable_cloudsql_volume | true | true |
| enable_redis | false | false (optional) |
| session_affinity | "None" | "ClientIP" |
| workload_type | "Deployment" | "Deployment" |
| Health probe path | varies | /api/v1/ping |
| application_database_name | — | "flowisedb" |
| application_database_user | — | "flowiseuser" |
Platform-Managed Behaviours
The following behaviours are applied automatically and cannot be overridden via user variables.
| Behaviour | Detail |
|---|---|
| Admin password auto-generated | A 32-character random FLOWISE_PASSWORD is generated by Flowise Common and stored in Secret Manager as <resource_prefix>-password. Synced directly to a Kubernetes Secret — no Secret Manager read latency. Back up this secret before destroying the module. |
| GCS bucket always provisioned | Flowise Common always provisions a -flowise-uploads GCS bucket. Its name is injected automatically as GOOGLE_CLOUD_STORAGE_BUCKET_NAME via module_env_vars. |
| Database env vars injected via entrypoint | flowise-entrypoint.sh unconditionally maps DB_* → DATABASE_* at container startup. This is required on GKE, where alphabetical env var ordering prevents Kubernetes from resolving $(DB_HOST) inside DATABASE_HOST. Do not set DATABASE_HOST, DATABASE_USER, DATABASE_NAME, or DATABASE_PASSWORD directly. |
| Fixed env vars | DATABASE_TYPE=postgres, DATABASE_PORT=5432, FLOWISE_USERNAME, APIKEY_STORAGE_TYPE=db, STORAGE_TYPE=gcs, and GCLOUD_PROJECT are always injected by Flowise Common. |
| Custom container image | container_image_source = "custom" by default. Cloud Build compiles the image from the Dockerfile in Flowise_Common/scripts/. |
| Scripts directory | Resolved as abspath("${module.flowise_app.path}/scripts"), which points to Flowise Common's bundled scripts directory. |
| Variable | Default | Description |
|---|---|---|
| module_description | "Flowise Visual AI Workflow Builder on GKE Autopilot" | Platform UI description. Do not modify unless customising. |
| module_documentation | "https://docs.radmodules.dev/docs/modules/Flowise_GKE" | External documentation URL. |
| module_dependency | ["Services GCP"] | Platform modules that must be deployed first. |
| module_services | ["GKE Autopilot", "Cloud SQL (PostgreSQL 15)", "Cloud Storage", "Secret Manager", "Artifact Registry", "Cloud Build"] | GCP services consumed. |
| credit_cost | 150 | Platform credits consumed on deployment. |
| require_credit_purchases | false | Enforces credit balance check before deploy. |
| enable_purge | true | Permits full resource deletion on destroy. |
| public_access | true | Controls platform catalogue visibility. |
| deployment_id | "" | Auto-generated suffix. Set explicitly to pin resource names across Terraform runs. |
| resource_creator_identity | "rad-module-creator@tec-rad-ui-2b65.iam.gserviceaccount.com" | Service account used by Terraform. |
§2 · Project & Identity (Group 1)
| Variable | Default | Description |
|---|---|---|
| project_id | (required) | GCP project ID. Must be 6–30 chars, lowercase letters/numbers/hyphens. |
| tenant_deployment_id | "demo" | Short suffix appended to resource names. 1–20 lowercase alphanumeric characters and hyphens. |
| support_users | [] | Emails granted IAM access and added to monitoring alert channels. |
| resource_labels | {} | Labels applied to all module-managed resources. |
| region | "us-central1" | Fallback region when network discovery cannot determine the region from VPC subnets. |
§3 · Application Identity (Group 2)
| Variable | Default | Description |
|---|---|---|
| application_name | "flowise" | Base name for GKE workloads, Secret Manager secrets, and Artifact Registry. Do not change after initial deployment — changing it forces resource recreation. |
| application_display_name | "Flowise" | Human-readable name in the platform UI and GKE console. |
| application_description | "Flowise Visual AI Workflow Builder on GKE" | Brief description. |
| application_version | "latest" | Version tag applied to the container image. |
| flowise_username | "admin" | Flowise admin username. Injected as FLOWISE_USERNAME. |
| deploy_application | true | Set false to provision infrastructure without deploying the GKE workload. |
§4 · Runtime & Scaling (Group 3)
| Variable | Default | Options / Format | Description |
|---|---|---|---|
| container_image_source | "custom" | prebuilt, custom | "custom" builds via Cloud Build from the bundled Dockerfile. "prebuilt" deploys container_image directly. |
| container_image | "" | Image URI string | Override image URI. Only used when container_image_source = "prebuilt". |
| container_port | 3000 | Integer 1–65535 | Port Flowise binds to inside the container. |
| container_protocol | "http1" | http1, h2c | HTTP protocol version for the Kubernetes Service backend. |
| container_resources | { cpu_limit = "1000m", memory_limit = "1Gi" } | object | CPU/memory limits and optional requests. See object fields below. |
| min_instance_count | 1 | Integer 0–1000 | Minimum pod replicas. Keep at 1 to avoid cold starts for AI workflow execution. |
| max_instance_count | 1 | Integer 1–1000 | Maximum pod replicas. Must be ≥ min_instance_count. |
| timeout_seconds | 300 | Integer 0–3600 | Maximum backend pod response wait time. Increase for long-running AI workflows. |
| enable_vertical_pod_autoscaling | false | bool | Enables VPA to automatically adjust CPU/memory requests. |
| enable_image_mirroring | true | bool | Mirrors the container image into Artifact Registry before deployment. |
| enable_cloudsql_volume | true | bool | Injects the Cloud SQL Auth Proxy sidecar for secure database connectivity. |
| cloudsql_volume_mount_path | "/cloudsql" | Path string | Filesystem path for the Cloud SQL Auth Proxy Unix socket. |
| container_build_config | { enabled = true } | object | Advanced Cloud Build configuration. |
| deployment_timeout | 1800 | Integer seconds | Max seconds Terraform waits for the Kubernetes Deployment rollout to complete. |
| service_annotations | {} | map(string) | Custom annotations applied to the Kubernetes Service resource. |
| service_labels | {} | map(string) | Custom labels applied to the Kubernetes Service resource. |
container_resources object fields:
| Field | Default | Description |
|---|---|---|
| cpu_limit | "1000m" | CPU limit (e.g. "500m", "2"). |
| memory_limit | "1Gi" | Memory limit (e.g. "512Mi", "2Gi"). |
| cpu_request | null | CPU request. null omits the field. |
| mem_request | null | Memory request. null omits the field. |
| ephemeral_storage_limit | null | Ephemeral storage limit. |
| ephemeral_storage_request | null | Ephemeral storage request. |
§5 · GKE Backend Configuration (Group 5)
| Variable | Default | Options / Format | Description |
|---|---|---|---|
| gke_cluster_name | "" | Cluster name string | Name of the GKE cluster. Leave empty to auto-discover. |
| gke_cluster_selection_mode | "primary" | explicit, round-robin, primary | Strategy for choosing the target GKE cluster. |
| namespace_name | "" | Namespace string | Kubernetes namespace. Leave empty to auto-generate. |
| workload_type | "Deployment" | Deployment, StatefulSet | Kubernetes workload type. Use "Deployment" for Flowise (stateless). |
| service_type | "LoadBalancer" | ClusterIP, LoadBalancer, NodePort | Kubernetes Service type. |
| session_affinity | "ClientIP" | None, ClientIP | Routes requests from the same client IP to the same pod. "ClientIP" is recommended for the Flowise UI. |
| termination_grace_period_seconds | 30 | Integer 0–3600 | Seconds Kubernetes waits after SIGTERM before forcibly terminating. |
| enable_multi_cluster_service | false | bool | Enables Multi-Cluster Services by creating a ServiceExport. |
| configure_service_mesh | false | bool | Enables Istio service mesh injection for the namespace. |
| enable_network_segmentation | false | bool | Creates Kubernetes NetworkPolicy resources to restrict pod-to-pod traffic. |
| network_tags | ["nfsserver"] | list(string) | Network tags applied to GKE nodes for VPC firewall rules. |
| prereq_gke_subnet_cidr | "10.201.0.0/24" | CIDR string | CIDR for the inline GKE subnet. Must not overlap other subnets. |
§6 · Environment Variables & Secrets (Group 4)
| Variable | Default | Description |
|---|---|---|
| environment_variables | {} | Static env vars injected into the container. Do not set platform-managed vars (see §Platform-Managed Behaviours). |
| secret_environment_variables | {} | Map of env var name to Secret Manager secret name. |
| secret_rotation_period | "2592000s" | Rotation notification period. Format: "<N>s". |
| secret_propagation_delay | 30 | Seconds to wait after secret creation. Valid range: 0–300. |
§7 · Access & Networking
Identity-Aware Proxy (Group 19)
| Variable | Default | Description |
|---|---|---|
| enable_iap | false | Enables IAP. Recommended for production. Requires iap_oauth_client_id and iap_oauth_client_secret. |
| iap_authorized_users | [] | User allowlist. Format: "user:email@example.com". |
| iap_authorized_groups | [] | Group allowlist. Format: "group:name@example.com". |
| iap_oauth_client_id | "" | OAuth 2.0 Client ID. Required when enable_iap = true. |
| iap_oauth_client_secret | "" | OAuth 2.0 Client Secret. Required when enable_iap = true. |
| iap_support_email | "" | Support email for the OAuth consent screen. |
Custom Domain & Static IP (Group 18)
| Variable | Default | Description |
|---|---|---|
| enable_custom_domain | false | Provisions a Kubernetes Ingress for application_domains. |
| application_domains | [] | Custom domain names (e.g. ["flowise.example.com"]). |
| reserve_static_ip | true | Provisions a global static external IP. Recommended for production DNS. |
| static_ip_name | "" | Name for the static IP. Auto-generated when empty. |
| network_name | "" | VPC network name. Auto-discovered when empty. |
Cloud Armor (Group 20)
| Variable | Default | Description |
|---|---|---|
| enable_cloud_armor | false | Attaches a Cloud Armor security policy to the GKE Ingress backend. |
| admin_ip_ranges | [] | Admin CIDR ranges for privileged access. |
| cloud_armor_policy_name | "default-waf-policy" | Cloud Armor security policy name. |
| enable_cdn | false | Enables Cloud CDN on the GKE Ingress backend. Only active when enable_custom_domain = true. |
VPC Service Controls (Group 21)
| Variable | Default | Description |
|---|---|---|
| enable_vpc_sc | false | Enforces VPC Service Controls perimeters. |
| vpc_cidr_ranges | [] | VPC subnet CIDR ranges for the VPC-SC network access level. |
| vpc_sc_dry_run | true | When true, violations are logged but not blocked. |
| organization_id | "" | GCP Organization ID. Auto-discovered when empty. |
| enable_audit_logging | false | Enables detailed Cloud Audit Logs. |
§8 · Storage (Groups 12–13)
NFS (Group 12)
| Variable | Default | Description |
|---|---|---|
| enable_nfs | false | Provisions a Cloud Filestore NFS instance. Useful for Flowise workflow file uploads. |
| nfs_mount_path | "/mnt/nfs" | Container path for the NFS volume. |
| nfs_instance_name | "" | Existing NFS GCE VM name. Auto-discovered when empty. |
| nfs_instance_base_name | "app-nfs" | Base name for the inline NFS GCE VM. |
Cloud Storage (Group 13)
Flowise Common always provisions a -flowise-uploads bucket regardless of create_cloud_storage or storage_buckets. Additional buckets can be added via storage_buckets.
| Variable | Default | Description |
|---|---|---|
| create_cloud_storage | true | Controls whether the module provisions the buckets in storage_buckets. The Flowise uploads bucket is always created by Flowise Common. |
| storage_buckets | [{ name_suffix = "data" }] | Additional GCS buckets to provision. |
| gcs_volumes | [] | GCS Fuse volumes to mount via CSI into the container. |
| manage_storage_kms_iam | false | Creates CMEK KMS keys and enables CMEK encryption on storage buckets. |
| enable_artifact_registry_cmek | false | Enables CMEK encryption on container images in Artifact Registry. |
§9 · Database (Group 15)
Flowise requires PostgreSQL. All DATABASE_* connection variables are injected at container startup by flowise-entrypoint.sh.
| Variable | Default | Description |
|---|---|---|
| database_type | "POSTGRES_15" | Cloud SQL database type. |
| application_database_name | "flowisedb" | PostgreSQL database name. Do not change after initial deployment. |
| application_database_user | "flowiseuser" | PostgreSQL user. Password auto-generated and stored in Secret Manager. |
| database_password_length | 32 | Auto-generated password length. Valid range: 16–64. |
| enable_postgres_extensions | false | Enables installation of PostgreSQL extensions. |
| postgres_extensions | [] | List of PostgreSQL extensions to install. |
| enable_mysql_plugins | false | Not applicable for Flowise (PostgreSQL only). |
| mysql_plugins | [] | Not applicable for Flowise (PostgreSQL only). |
| sql_instance_name | "" | Existing Cloud SQL instance name. Auto-discovered when empty. |
| sql_instance_base_name | "app-sql" | Base name for the inline Cloud SQL instance. |
| enable_auto_password_rotation | false | Automates database password rotation via a Kubernetes CronJob. |
| rotation_propagation_delay_sec | 90 | Seconds to wait after rotation before restarting GKE pods. |
§10 · Backup & Maintenance (Group 16)
| Variable | Default | Description |
|---|---|---|
| backup_schedule | "0 2 * * *" | Cron schedule (UTC) for automated database backups. |
| backup_retention_days | 7 | Days to retain backup files in GCS. |
| enable_backup_import | false | Triggers a one-time database import job during deployment. |
| backup_source | "gcs" | Source: "gcs" or "gdrive". |
| backup_file | "backup.sql" | Filename of the backup to import. |
| backup_format | "sql" | Format of the backup file. Options: sql, tar, gz, tgz, tar.gz, zip, auto. |
§11 · CI/CD & GitHub Integration (Group 11)
| Variable | Default | Description |
|---|---|---|
| enable_cicd_trigger | false | Creates a Cloud Build trigger that builds and deploys on push. |
| github_repository_url | "" | Full HTTPS URL of the GitHub repository. |
| github_token | "" | GitHub PAT. Sensitive. |
| github_app_installation_id | "" | Cloud Build GitHub App installation ID. |
| cicd_trigger_config | { branch_pattern = "^main$" } | Branch filter, included/ignored paths, substitutions. |
| enable_cloud_deploy | false | Switches to a Cloud Deploy pipeline. Requires enable_cicd_trigger = true. |
| cloud_deploy_stages | [dev, staging, prod(approval)] | Ordered promotion stages. |
| enable_binary_authorization | false | Enforces Binary Authorization policy on the GKE cluster. |
| binauthz_evaluation_mode | "ALWAYS_ALLOW" | ALWAYS_ALLOW, REQUIRE_ATTESTATION, or ALWAYS_DENY. |
§12 · Custom SQL (Group 17)
| Variable | Default | Description |
|---|---|---|
| enable_custom_sql_scripts | false | Runs custom SQL scripts from GCS against the application database. |
| custom_sql_scripts_bucket | "" | GCS bucket name containing SQL scripts. |
| custom_sql_scripts_path | "" | Path prefix within the GCS bucket. |
| custom_sql_scripts_use_root | false | Execute scripts as the root database user. |
§13 · Workload Automation (Group 10)
| Variable | Default | Description |
|---|---|---|
| initialization_jobs | [] | Kubernetes Jobs to run before the application starts. The default db-init job is supplied by Flowise Common. Each job must define command, args, or script_path. |
| cron_jobs | [] | Scheduled cluster tasks as Kubernetes CronJobs. |
| additional_services | [] | Sidecar or helper GKE services deployed alongside Flowise. |
§14 · Reliability Policies (Group 8)
| Variable | Default | Description |
|---|---|---|
| enable_pod_disruption_budget | false | Creates a Kubernetes PodDisruptionBudget. |
| pdb_min_available | "1" | Minimum pods available during voluntary disruptions. Integer or percentage (e.g. "50%"). |
| enable_topology_spread | false | Distributes pods across GKE node zones using TopologySpreadConstraints. |
| topology_spread_strict | false | When true, uses DoNotSchedule if the spread constraint cannot be satisfied. |
§15 · StatefulSet Configuration (Group 6)
Only relevant when workload_type = "StatefulSet".
| Variable | Default | Description |
|---|---|---|
| stateful_pvc_enabled | false | Provisions a PVC per pod. |
| stateful_pvc_size | "10Gi" | Storage size for each PVC. |
| stateful_pvc_mount_path | "/data" | Container path where the PVC is mounted. |
| stateful_pvc_storage_class | "standard-rwo" | Kubernetes StorageClass for PVCs. |
| stateful_headless_service | true | Creates a headless Service alongside the StatefulSet. |
| stateful_pod_management_policy | "OrderedReady" | OrderedReady or Parallel. |
| stateful_update_strategy | "RollingUpdate" | RollingUpdate or OnDelete. |
§16 · Observability & Health (Group 9)
Flowise GKE exposes two parallel sets of probe variables:
| Variable set | Routed to | Configures |
|---|---|---|
| startup_probe_config, health_check_config | Flowise Common → config.startup_probe / config.liveness_probe | Kubernetes pod probe spec |
| (also startup_probe_config, health_check_config) | App GKE directly | App GKE infrastructure probes |
Both the startup and liveness probes target Flowise's dedicated health endpoint /api/v1/ping.
| Variable | Default | Description |
|---|---|---|
| startup_probe_config | { enabled=true, path="/api/v1/ping", initial_delay_seconds=30, period_seconds=10, failure_threshold=30 } | Startup probe. 30 failures × 10 s period = 5 minute startup budget. |
| health_check_config | { enabled=true, path="/api/v1/ping", initial_delay_seconds=15, period_seconds=30, failure_threshold=3 } | Liveness probe. |
| uptime_check_config | { enabled=true, path="/" } | Cloud Monitoring uptime check from multiple global locations. |
| alert_policies | [] | Custom metric alert policies. Each requires name, metric_type, comparison, threshold_value, duration_seconds. |
§17 · Redis (Application-Specific)
Redis is not required for Flowise core functionality. Enable only if your Flowise deployment benefits from a shared cache.
| Variable | Default | Description |
|---|---|---|
| enable_redis | false | Injects Redis connection variables into the container. |
| redis_host | "" | Redis hostname or IP. Required when enable_redis = true. |
| redis_port | "6379" | Redis TCP port. |
| redis_auth | "" | Redis AUTH password. Sensitive. |
Validation guard: When enable_redis = true, either redis_host must be set or enable_nfs must be true (the NFS server IP is used as the default Redis host). If neither is met, Terraform rejects the configuration.
§18 · Resource Quota (Group 7)
| Variable | Default | Description |
|---|---|---|
| enable_resource_quota | false | Creates a Kubernetes ResourceQuota in the namespace. |
| quota_cpu_requests | "" | Total CPU requests allowed (e.g. "4000m"). |
| quota_cpu_limits | "" | Total CPU limits allowed (e.g. "8000m"). |
| quota_memory_requests | "" | Total memory requests allowed (e.g. "4Gi"). |
| quota_memory_limits | "" | Total memory limits allowed (e.g. "8Gi"). |
| quota_max_pods | "" | Maximum pods allowed in the namespace. |
| quota_max_services | "" | Maximum Kubernetes Services allowed. |
| quota_max_pvcs | "" | Maximum PVCs allowed. |
§19 · Validation Guards
validation.tf enforces the following cross-variable conditions at plan time:
| Guard | Condition |
|---|---|
| Scaling range | min_instance_count must not exceed max_instance_count. |
| Redis host required | When enable_redis = true, either redis_host must be set or enable_nfs = true. |
| IAP credentials | When enable_iap = true, both iap_oauth_client_id and iap_oauth_client_secret must be provided. |
| CloudSQL sidecar coherence | enable_cloudsql_volume must not be true when database_type = "NONE". |
§20 · Outputs
| Output | Description | Sensitive |
|---|---|---|
| service_name | Kubernetes service name | — |
| namespace | Kubernetes namespace | — |
| service_cluster_ip | ClusterIP of the Kubernetes service | — |
| stage_service_cluster_ips | Map of stage-specific ClusterIPs | — |
| service_external_ip | External LoadBalancer IP (when static IP reserved) | — |
| service_url | Service URL | — |
| database_instance_name | Cloud SQL instance name | — |
| database_name | Application database name | — |
| database_user | Application database user | — |
| database_password_secret | Secret Manager secret name for database password | — |
| database_host | Database host | yes |
| database_port | Database port | — |
| storage_buckets | Created GCS buckets | — |
| network_name | VPC network name | — |
| network_exists | Whether the VPC network exists | — |
| regions | Available regions in the VPC | — |
| nfs_server_ip | NFS server internal IP | yes |
| nfs_mount_path | NFS mount path in containers | — |
| nfs_share_path | NFS share path on server | — |
| container_image | Container image used for the deployment | — |
| container_registry | Artifact Registry repository name | — |
| monitoring_enabled | Whether monitoring is configured | — |
| monitoring_notification_channels | Monitoring notification channel names | — |
| deployment_id | Unique deployment identifier | — |
| tenant_id | Tenant identifier | — |
| resource_prefix | Resource naming prefix | — |
| project_id | GCP project ID | — |
| project_number | GCP project number | — |
| initialization_jobs | Created initialization job names | — |
| cron_jobs | Created cron job names | — |
| statefulset_name | StatefulSet name (when workload_type = "StatefulSet") | — |
| nfs_setup_job | NFS setup job name | — |
| db_import_job | Database import job name | — |
| deployment_summary | Summary of the deployment | — |
| cicd_enabled | Whether CI/CD pipeline is enabled | — |
| github_repository_url | GitHub repository URL for CI/CD | — |
| github_repository_owner | GitHub repository owner/organization | — |
| github_repository_name | GitHub repository name | — |
| artifact_registry_repository | Artifact Registry repository | — |
| cloudbuild_trigger_name | Cloud Build trigger name | — |
| cloudbuild_trigger_id | Cloud Build trigger ID | — |
| cicd_configuration | Complete CI/CD configuration | — |
| kubernetes_ready | true when the GKE cluster endpoint is available and all workloads are deployed | — |
Configuration Examples
Basic Deployment
```hcl
project_id           = "my-project-123"
tenant_deployment_id = "demo"
```
Configuration Pitfalls & Sensible Defaults
Risk levels: Critical (data loss, full outage, security breach) — High (service unavailable or significant degradation) — Medium (degraded function or increased cost) — Low (minor impact).
| Variable | Sensible Default | Risk | Consequence of Incorrect Value |
|---|---|---|---|
| flowise_username | "admin" | Critical | Default admin username is publicly known. Always change before exposing the service externally — combined with a weak or default password it grants immediate full access to all AI flows. |
| FLOWISE_PASSWORD (via Secret Manager) | Auto-generated 32-char random secret | Critical | The module auto-generates the password. If you override it via environment_variables with a weak value, all flows and credentials stored in the DB are accessible. |
| FLOWISE_SECRETKEY_OVERWRITE | Not set (Flowise internal default) | Critical | If set initially and later changed or removed, all Flowise credential secrets (LLM API keys, vector-store tokens) in the DB become permanently unreadable. Treat as immutable after first deploy. |
| application_database_name | "flowisedb" | High | Changing after the database has been provisioned orphans the existing database. Immutable after first apply. |
| application_database_user | "flowiseuser" | High | The database user is created by the db-init job and cannot be renamed without manual Cloud SQL intervention. Immutable after first apply. |
| container_resources.memory_limit | "1Gi" | High | Under 512Mi the Node.js/LangChain process is OOM-killed on startup. GKE Autopilot rounds up resource requests to the nearest profile; allocating too little causes the pod to be evicted. Minimum "1Gi"; production with large flow graphs needs "2Gi". |
| container_resources.cpu_limit | "1000m" | Medium | Under 500m Flowise flow execution is very slow and readiness probes may time out on GKE. |
| container_resources.mem_request | null (defaults to limit) | Medium | On GKE Autopilot, requests determine node provisioning. Setting mem_request far below memory_limit can cause scheduler gaps or burstable throttling. |
| STORAGE_TYPE / GCLOUD_PROJECT | "gcs" / project injected | High | Overriding STORAGE_TYPE away from "gcs" causes Flowise to write to the pod's ephemeral disk, which is lost on every pod restart. GKE makes this far more frequent than Cloud Run. |
| GOOGLE_CLOUD_STORAGE_BUCKET_NAME | Auto-set from module output | High | Do not override. An incorrect bucket name causes all file uploads to fail silently. |
| enable_cloudsql_volume | true | Critical | If false with a Postgres database, the Cloud SQL Auth Proxy sidecar is not injected and the database connection will be refused. The validation guard rejects this at plan time. |
| min_instance_count | 1 | Medium | Setting to 0 on GKE with HPA risks scale-to-zero pod eviction. Flowise has a non-trivial startup time (~30 s); scale-to-zero introduces unacceptable first-request latency. |
| max_instance_count | 1 | Medium | Flowise stores in-memory flow execution state. Multiple replicas without a shared Redis session store cause flow executions to fail on load-balanced requests. Keep at 1 unless Redis is enabled. |
| enable_redis | false | Medium | Required for multi-replica deployments. Enabling without providing redis_host raises a validation error at plan time. |
| redis_host | null | High | Must be set when enable_redis = true. If left empty the validation guard will block the apply. If you set enable_nfs = true, the NFS server IP is used as default — only acceptable for local Redis colocated on the NFS host. |
| enable_iap | false | High | Leaves Flowise accessible via the load-balancer IP without authentication. Set enable_iap = true and supply iap_oauth_client_id and iap_oauth_client_secret, or configure network policies to restrict access. |
| iap_oauth_client_id / iap_oauth_client_secret | "" | High | If enable_iap = true but these are empty, IAP is silently disabled by the validation guard, leaving the service exposed. Both must be non-empty when IAP is enabled. |
| database_type | "POSTGRES_15" | Critical | Changing to "NONE" after a deploy drops the Cloud SQL instance. Combined with enable_cloudsql_volume = true the proxy sidecar will fail to start. |
| quota_memory_requests / quota_memory_limits | "4Gi" / "8Gi" | High | GKE-specific: values must use binary unit suffixes (Gi, Mi). A bare integer (e.g., "4") is treated as bytes by Kubernetes and blocks all pod scheduling. |
| stateful_pvc_enabled | false | Medium | If set to true without specifying workload_type, the module auto-selects StatefulSet. Ensure your replica count and storage class support StatefulSet semantics. |
| pdb_min_available | "1" | Medium | Setting to "0" disables the Pod Disruption Budget, allowing node upgrades to evict all Flowise pods simultaneously, causing a full outage during cluster maintenance. |
| backup_schedule | "0 2 * * *" | Medium | Removing or disabling means no automated Cloud SQL backups and potential unrecoverable data loss on destructive operations. |
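The plan-time guards in §19 and the rows of the pitfalls table above can be checked locally before `terraform plan`. The script below is an added example, not the module's validation.tf or any Flowise code; it assumes a flat tfvars file shaped like the examples in this guide, quotes the module defaults from the tables above, and re-implements the checks in Python (the names `parse_tfvars`, `lint` and `SAMPLE_TFVARS` are the example's own).

```python
"""Pre-apply lint for a Flowise GKE tfvars file (added example, not the module's
validation.tf). The parser handles only the flat tfvars subset used in this guide."""
import re

# Module defaults quoted from this guide, applied when the tfvars file omits a key.
DEFAULTS = {
    "min_instance_count": 1, "max_instance_count": 1, "enable_redis": False,
    "redis_host": "", "enable_nfs": False, "enable_iap": False,
    "iap_oauth_client_id": "", "iap_oauth_client_secret": "",
    "enable_cloudsql_volume": True, "database_type": "POSTGRES_15",
    "flowise_username": "admin", "quota_memory_requests": "",
    "quota_memory_limits": "", "environment_variables": {},
}
PLATFORM_MANAGED = {  # always injected by Flowise Common or flowise-entrypoint.sh
    "DATABASE_HOST", "DATABASE_USER", "DATABASE_NAME", "DATABASE_PASSWORD",
    "DATABASE_TYPE", "DATABASE_PORT", "FLOWISE_USERNAME", "FLOWISE_PASSWORD",
    "APIKEY_STORAGE_TYPE", "STORAGE_TYPE", "GCLOUD_PROJECT",
    "GOOGLE_CLOUD_STORAGE_BUCKET_NAME",
}
BINARY_QTY = re.compile(r"\d+(Ki|Mi|Gi|Ti)")  # Kubernetes memory quantity with suffix


def _value(raw):
    """Convert one HCL literal; recurses into lists and single-level objects."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if raw.startswith("[") and raw.endswith("]"):
        return [_value(v) for v in re.findall(r'"[^"]*"|[^,\s\[\]]+', raw[1:-1])]
    if raw.startswith("{") and raw.endswith("}"):
        return {k: _value(v) for k, v in
                re.findall(r'(\w+)\s*=\s*("[^"]*"|\S+)', raw[1:-1])}
    return raw


def parse_tfvars(text):
    """Parse `key = value` lines; a multi-line `{ ... }` object is joined first."""
    out, buf, depth = {}, [], 0
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments (none inside strings here)
        if not line:
            continue
        buf.append(line)
        depth += line.count("{") - line.count("}")
        if depth > 0:
            continue  # still inside an object literal
        m = re.match(r"^(\w+)\s*=\s*(.+)$", " ".join(buf))
        buf, depth = [], 0
        if m:
            out[m.group(1)] = _value(m.group(2))
    return out


def lint(cfg):
    """Return (severity, message) findings; 'reject' mirrors the plan-time guards."""
    c, out = {**DEFAULTS, **cfg}, []
    if c["min_instance_count"] > c["max_instance_count"]:
        out.append(("reject", "min_instance_count exceeds max_instance_count"))
    if c["enable_redis"] and not (c["redis_host"] or c["enable_nfs"]):
        out.append(("reject", "enable_redis needs redis_host or enable_nfs = true"))
    if c["enable_iap"] and not (c["iap_oauth_client_id"] and c["iap_oauth_client_secret"]):
        out.append(("reject", "enable_iap needs both iap_oauth_client_id and iap_oauth_client_secret"))
    if c["enable_cloudsql_volume"] and c["database_type"] == "NONE":
        out.append(("reject", 'enable_cloudsql_volume = true with database_type = "NONE"'))
    if not c["enable_iap"]:  # advisory findings below come from the pitfalls table
        out.append(("High", "enable_iap = false: service reachable on the LB IP without authentication"))
    if c["flowise_username"] == "admin":
        out.append(("Critical", 'flowise_username is the publicly known default "admin"'))
    if c["max_instance_count"] > 1 and not c["enable_redis"]:
        out.append(("Medium", "max_instance_count > 1 without Redis: flow state is per-pod"))
    for key in ("quota_memory_requests", "quota_memory_limits"):
        if c[key] and not BINARY_QTY.fullmatch(str(c[key])):
            out.append(("High", f'{key} = "{c[key]}" lacks a Mi/Gi suffix, so Kubernetes reads bytes'))
    for name in c["environment_variables"]:
        if name in PLATFORM_MANAGED:
            sev = "Critical" if name == "FLOWISE_PASSWORD" else "High"
            out.append((sev, f"{name} is platform-managed; remove it from environment_variables"))
    return out


# Constructed sample: shaped like the production example, with several pitfalls-table mistakes.
SAMPLE_TFVARS = """
max_instance_count    = 2       # no Redis, so flow state is per-pod
enable_iap            = true    # client secret missing
iap_oauth_client_id   = "your-client-id.apps.googleusercontent.com"
quota_memory_limits   = "8"     # bare integer, read as bytes
environment_variables = {
  DATABASE_HOST = "10.0.0.5"    # entrypoint already sets this
}
"""
```

Running `lint(parse_tfvars(SAMPLE_TFVARS))` yields one plan-time rejection (missing IAP secret) plus four advisory findings, including the default "admin" username that the sample never overrides.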
Production Deployment
```hcl
project_id               = "my-project-123"
tenant_deployment_id     = "prod"
application_name         = "flowise"
application_display_name = "Flowise AI Builder"
application_version      = "latest"
flowise_username         = "admin"   # change before exposing externally (see pitfalls table)

# Sizing
container_resources = {
  cpu_limit    = "2000m"
  memory_limit = "2Gi"
}
min_instance_count = 1
max_instance_count = 2   # more than one replica requires enable_redis (see pitfalls table)

# Database
application_database_name = "flowisedb"
application_database_user = "flowiseuser"
database_password_length  = 32

# Security
enable_iap              = true
iap_oauth_client_id     = "your-client-id.apps.googleusercontent.com"
iap_oauth_client_secret = "your-client-secret"
iap_authorized_users    = ["user:alice@example.com"]

# Reliability
enable_pod_disruption_budget = true
pdb_min_available            = "1"

# Observability
uptime_check_config = {
  enabled        = true
  path           = "/api/v1/ping"
  check_interval = "60s"
  timeout        = "10s"
}

# Backup
backup_schedule       = "0 2 * * *"
backup_retention_days = 7
```