Kestra CloudRun Module — Configuration Guide
Kestra is an open-source data orchestration and scheduling platform (Apache 2.0 licence). It allows you to build, schedule, and monitor ETL/ELT pipelines, batch jobs, and workflow automation through a YAML-based flow definition and a rich plugin ecosystem. This module deploys Kestra on Google Cloud Run in standalone mode (server, worker, and scheduler in a single container) with a PostgreSQL 15 backend and GCS artifact storage.
Kestra CloudRun is a wrapper module built on top of App CloudRun. It delegates all GCP infrastructure provisioning to App CloudRun (Cloud Run service, Cloud SQL, networking, Secret Manager, GCS, CI/CD) and uses a Kestra Common sub-module to supply Kestra-specific application configuration, secret generation, and storage bucket definitions.
Note: Variables marked as platform-managed are set and maintained by the platform. You do not normally need to change them.
How This Guide Is Structured
This guide documents variables that are unique to Kestra_CloudRun or that have Kestra-specific defaults differing from the App_CloudRun base module. For variables with identical semantics, refer to the App_CloudRun Configuration Guide.
Key differences from App CloudRun defaults:
| Feature | App CloudRun default | Kestra CloudRun default |
|---|---|---|
| container_port | 8080 | 8080 |
| cpu_limit | "1000m" | "2000m" |
| memory_limit | "512Mi" | "4Gi" |
| min_instance_count | 0 | 1 |
| max_instance_count | 1 | 1 |
| container_image_source | "prebuilt" | "custom" |
| execution_environment | "gen1" | "gen2" |
| enable_cloudsql_volume | false | true |
| enable_redis | false | false (fixed) |
| Health probe path | varies | /health |
The following behaviours are set automatically and cannot be overridden via user variables.
| Behaviour | Detail |
|---|---|
| Admin password auto-generated | A 24-character random KESTRA_BASICAUTH_PASSWORD is generated by Kestra Common and stored in Secret Manager as <resource_prefix>-admin-password. Injected via module_explicit_secret_values (bypasses Secret Manager read-after-write delays). |
| GCS bucket always provisioned | Kestra Common provisions a -kestra-storage GCS bucket. Its name is injected automatically as KESTRA_STORAGE_GCS_BUCKET. |
| PostgreSQL queue and repository | KESTRA_QUEUE_TYPE=postgres and KESTRA_REPOSITORY_TYPE=postgres are always injected. Kestra uses PostgreSQL as both its execution queue and flow repository in standalone mode. |
| Redis is disabled | enable_redis = false is hardcoded in main.tf. Kestra standalone mode uses PostgreSQL for queuing. |
| socat Unix-socket bridge | The custom Dockerfile installs socat and replaces the entrypoint with entrypoint.sh. On Cloud Run, the Cloud SQL Auth Proxy exposes the instance only as a Unix socket under the mount path, and the standard PostgreSQL JDBC driver does not connect to Unix sockets out of the box, so entrypoint.sh bridges the socket to TCP 127.0.0.1:5432 with socat. On GKE, the Auth Proxy sidecar already listens on TCP, so the bridge is skipped. |
| Service URL pre-computed | The predicted Cloud Run URL (https://<resource_prefix>-<project_number>.<region>.run.app) is passed to Kestra_Common and injected as a Kestra configuration variable before deployment. |
| Fixed environment variables | MICRONAUT_SERVER_PORT=8080, KESTRA_QUEUE_TYPE=postgres, KESTRA_REPOSITORY_TYPE=postgres, KESTRA_STORAGE_TYPE=gcs, KESTRA_BASICAUTH_ENABLED=true, KESTRA_BASICAUTH_USERNAME=admin, DATASOURCES_POSTGRES_DRIVERCLASSNAME, ENDPOINTS_ALL_PORT, and two Flyway baseline variables are always injected. |
| Scripts directory | Resolved as abspath("${module.kestra_app.path}/scripts") — points to Kestra Common's bundled scripts directory. |
| execution_environment normalised | The platform UI may send "EXECUTION_ENVIRONMENT_GEN2" — this is normalised to "gen2" before passing to App CloudRun. |
| backup_format normalised | Lowercased before passing to App CloudRun (UI may send uppercase "SQL"). |
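The socket-bridge logic from the table above, written out as an added example in POSIX sh. This is not the module's own entrypoint.sh: the variable names CLOUDSQL_VOLUME_MOUNT_PATH, DB_HOST, DB_PORT, DB_NAME, DB_BRIDGE_PORT and RUN_ENTRYPOINT, and the final `exec` line, are assumptions. It locates the socket the Cloud SQL Auth Proxy creates under the mount path, builds the socat command that exposes it on loopback only, derives the JDBC URL, and skips the bridge when a TCP host is already provided (the GKE sidecar case). Nothing starts unless RUN_ENTRYPOINT=1, so the helper functions can be exercised on a workstation.

```shell
#!/bin/sh
# Added example, not the module's entrypoint.sh. Assumed inputs:
#   CLOUDSQL_VOLUME_MOUNT_PATH  directory holding <project:region:instance>/.s.PGSQL.5432
#   DB_HOST / DB_PORT            set when the proxy already exposes TCP (GKE sidecar)
#   DB_NAME                      database name (matches db_name, default "kestra")
#   DB_BRIDGE_PORT               local TCP port for the socat bridge (default 5432)
#   RUN_ENTRYPOINT=1             actually start socat and exec Kestra
set -eu

# Print the path of the first PostgreSQL socket below $1; fail if none exists.
find_cloudsql_socket() {
  dir="$1"
  for s in "$dir"/*/.s.PGSQL.5432; do
    [ -e "$s" ] || continue
    printf '%s\n' "$s"
    return 0
  done
  return 1
}

# "tcp" when a host is already reachable over TCP, "unix" when only the socket
# directory exists, "none" otherwise (fail fast rather than start Kestra blind).
db_connect_mode() {
  dir="$1"; host="$2"
  if [ -n "$host" ]; then
    echo tcp
  elif find_cloudsql_socket "$dir" >/dev/null 2>&1; then
    echo unix
  else
    echo none
  fi
}

# The socat invocation that bridges the Unix socket to loopback TCP. Binding to
# 127.0.0.1 rather than 0.0.0.0 keeps the unauthenticated bridge off the network.
socat_bridge_cmd() {
  sock="$1"; port="$2"
  printf 'socat TCP4-LISTEN:%s,bind=127.0.0.1,reuseaddr,fork UNIX-CONNECT:%s\n' "$port" "$sock"
}

# JDBC URL Kestra will use once the bridge (or the sidecar) is reachable.
jdbc_url() {
  host="$1"; port="$2"; db="$3"
  printf 'jdbc:postgresql://%s:%s/%s\n' "$host" "$port" "$db"
}

if [ "${RUN_ENTRYPOINT:-0}" = "1" ]; then
  dir="${CLOUDSQL_VOLUME_MOUNT_PATH:-/cloudsql}"
  port="${DB_BRIDGE_PORT:-5432}"
  db="${DB_NAME:-kestra}"
  case "$(db_connect_mode "$dir" "${DB_HOST:-}")" in
    unix)
      sock="$(find_cloudsql_socket "$dir")"
      command -v socat >/dev/null || { echo "socat not installed" >&2; exit 1; }
      $(socat_bridge_cmd "$sock" "$port") &
      DATASOURCES_POSTGRES_URL="$(jdbc_url 127.0.0.1 "$port" "$db")"
      ;;
    tcp)
      DATASOURCES_POSTGRES_URL="$(jdbc_url "$DB_HOST" "${DB_PORT:-5432}" "$db")"
      ;;
    none)
      echo "no Cloud SQL socket under $dir and DB_HOST unset" >&2
      exit 1
      ;;
  esac
  export DATASOURCES_POSTGRES_URL
  # Assumed Kestra launch command; adjust to the image's real entrypoint.
  exec /app/kestra server standalone
fi
```

The "none" branch is deliberate: if neither a socket nor a TCP host is present, exiting immediately produces a clear startup-probe failure instead of a JVM that hangs on connection timeouts for the full probe budget.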
§1 · Platform Metadata (platform-managed)
| Variable | Default | Description |
|---|---|---|
| module_description | (long description) | Platform UI description. Do not modify unless customising. |
| module_documentation | "https://docs.radmodules.dev/docs/modules/Kestra_CloudRun" | External documentation URL. |
| module_dependency | ["Services GCP"] | Platform modules that must be deployed first. |
| module_services | ["Cloud Run", "Cloud Run Jobs", "Cloud Build", "Artifact Registry", "Cloud Storage", "Cloud SQL (PostgreSQL 15)", "VPC Network", "Serverless VPC Access", "Secret Manager", "Cloud IAM", "Cloud Logging", "Cloud Monitoring", "Health Checks", "Webhooks", "Filestore (NFS)"] | GCP services consumed. |
| credit_cost | 50 | Platform credits consumed on deployment. |
| require_credit_purchases | false | Enforces credit balance check before deploy. |
| enable_purge | true | Permits full resource deletion on destroy. |
| public_access | true | Controls platform catalogue visibility. |
| deployment_id | "" | Auto-generated suffix. Set explicitly to pin resource names across Terraform runs. |
| resource_creator_identity | "rad-module-creator@tec-rad-ui-2b65.iam.gserviceaccount.com" | Service account used by Terraform. |
§2 · Project & Identity (Group 1)
| Variable | Default | Description |
|---|---|---|
| project_id | (required) | GCP project ID. Must be 6–30 chars, lowercase letters/numbers/hyphens. |
| tenant_deployment_id | "demo" | Short suffix appended to resource names. 1–20 lowercase alphanumeric characters and hyphens. |
| support_users | [] | Emails granted IAM access and added to monitoring alert channels. |
| resource_labels | {} | Labels applied to all module-managed resources. |
§3 · Application Identity (Group 2)
| Variable | Default | Description |
|---|---|---|
| application_name | "kestra" | Base name for the Cloud Run service, Artifact Registry repo, and Secret Manager secrets. Do not change after initial deployment — changing it forces resource recreation. |
| application_version | "latest" | Version tag applied to the container image. Increment to trigger a new build and rollout (e.g. "0.17.0"). |
| display_name | "Kestra Data Orchestration" | Human-readable name in the platform UI and Cloud Run console. |
| description | "Kestra Data Orchestration - ETL/ELT pipeline and workflow orchestration on Cloud Run" | Brief description of the deployment. |
| deploy_application | true | Set false to provision supporting infrastructure without deploying the container. |
§4 · Runtime & Scaling (Group 3)
| Variable | Default | Options / Format | Description |
|---|---|---|---|
| cpu_limit | "2000m" | CPU quantity | CPU limit per Cloud Run container instance. Kestra (Java JVM) benefits from at least 2 vCPUs for concurrent pipeline execution. |
| memory_limit | "4Gi" | Memory quantity | Memory limit per container. Kestra requires a minimum of 2Gi; 4Gi is recommended for typical workloads. |
| container_port | 8080 | Integer | Port Kestra listens on. Must match MICRONAUT_SERVER_PORT. |
| min_instance_count | 1 | Integer ≥ 0 | Kestra (Java JVM) has a slow cold start — keep at 1 for production. |
| max_instance_count | 1 | Integer ≥ 1 | Kestra standalone mode is single-instance. Set to 1 to avoid conflicting state. |
| timeout_seconds | 300 | Integer 0–3600 | Maximum request timeout for the Cloud Run service. |
| execution_environment | "gen2" | gen1, gen2 | "gen2" is required for GCS Fuse volume mounts. Also accepted as "EXECUTION_ENVIRONMENT_GEN2" (normalised automatically). |
| ingress_settings | "all" | all, internal, internal-and-cloud-load-balancing | Controls which traffic sources can reach the Cloud Run service. |
| vpc_egress_setting | "PRIVATE_RANGES_ONLY" | ALL_TRAFFIC, PRIVATE_RANGES_ONLY | Controls which outbound traffic is routed through the VPC connector. Use "ALL_TRAFFIC" when egress must be subject to VPC firewall and NAT controls. |
| container_protocol | "http1" | http1, h2c | HTTP protocol version for the Cloud Run backend. |
| enable_image_mirroring | true | bool | Mirrors the container image into Artifact Registry before deployment. |
| enable_cloudsql_volume | true | bool | Attaches the Cloud SQL connection to the service; Cloud Run's managed Auth Proxy exposes the instance as a Unix socket under cloudsql_volume_mount_path. Required for the socat bridge. |
| cloudsql_volume_mount_path | "/cloudsql" | Path string | Filesystem path under which the Cloud SQL Auth Proxy Unix socket is created. |
| service_annotations | {} | map(string) | Custom annotations applied to the Cloud Run service. |
| service_labels | {} | map(string) | Custom labels applied to the Cloud Run service. |
| traffic_split | [] | list(object) | Traffic allocation across Cloud Run revisions. All entries must sum to 100. Empty sends all traffic to the latest revision. |
| max_revisions_to_retain | 7 | Integer 0–100 | Maximum Cloud Run revisions to retain after each deployment. |
| max_images_to_retain | 7 | Integer 0–100 | Maximum container images to retain in Artifact Registry. |
| delete_untagged_images | true | bool | Automatically deletes untagged images from Artifact Registry. |
| image_retention_days | 30 | Integer 0–3650 | Days after which container images are eligible for deletion. |
§5 · Access & Networking
Identity-Aware Proxy (Group 19)
| Variable | Default | Description |
|---|---|---|
| enable_iap | false | Enables IAP authentication for the Kestra UI. Provides Google identity authentication in addition to Kestra's built-in basic auth. |
| iap_authorized_users | [] | User allowlist. Format: "user:email@example.com". |
| iap_authorized_groups | [] | Group allowlist. Format: "group:name@example.com". |
Cloud Armor & CDN (Group 9)
| Variable | Default | Description |
|---|---|---|
| enable_cloud_armor | false | Enables Cloud Armor WAF + Global HTTPS Load Balancer. |
| admin_ip_ranges | [] | CIDR ranges for administrative access bypass. |
| application_domains | [] | Custom domain names. Only used when enable_cloud_armor = true. |
| enable_cdn | false | Enables Cloud CDN. Only active when enable_cloud_armor = true. |
VPC Service Controls (Group 21)
| Variable | Default | Description |
|---|---|---|
| enable_vpc_sc | false | Enforces VPC Service Controls perimeters. |
| vpc_cidr_ranges | [] | VPC subnet CIDR ranges. Auto-discovered from VPC when empty. |
| vpc_sc_dry_run | true | When true, violations are logged but not blocked. |
| organization_id | "" | GCP Organization ID. Auto-discovered when empty. |
| enable_audit_logging | false | Enables detailed Cloud Audit Logs. |
§6 · Environment Variables & Secrets (Group 4)
| Variable | Default | Description |
|---|---|---|
| environment_variables | {} | Additional static env vars for Kestra. Use for plugin configurations and custom Micronaut properties. Do not set platform-managed vars. |
| secret_environment_variables | {} | Map of env var name to Secret Manager secret name. Example: { KESTRA_ENCRYPTION_SECRET = "kestra-enc-key" }. |
| secret_propagation_delay | 30 | Seconds to wait after secret creation. Valid range: 0–300. |
| secret_rotation_period | "2592000s" | Rotation notification period. Format: "<N>s". |
| enable_auto_password_rotation | false | Deploys automated database password rotation. |
| rotation_propagation_delay_sec | 90 | Seconds to wait after rotation before Cloud Run restarts. |
Do not set in environment_variables: MICRONAUT_SERVER_PORT, KESTRA_QUEUE_TYPE, KESTRA_REPOSITORY_TYPE, KESTRA_STORAGE_TYPE, KESTRA_STORAGE_GCS_BUCKET, KESTRA_BASICAUTH_ENABLED, KESTRA_BASICAUTH_USERNAME, DATASOURCES_POSTGRES_URL, DATASOURCES_POSTGRES_USERNAME, DATASOURCES_POSTGRES_PASSWORD, or KESTRA_BASICAUTH_PASSWORD. These are injected automatically by Kestra Common and entrypoint.sh.
§7 · Database Backend (Group 11)
Kestra requires PostgreSQL for both its execution queue and flow repository.
| Variable | Default | Description |
|---|---|---|
| db_name | "kestra" | PostgreSQL database name. Do not change after initial deployment. |
| db_user | "kestra" | PostgreSQL application user. |
| database_password_length | 32 | Auto-generated password length. Valid range: 16–64. |
§8 · Storage (Groups 8, 10)
NFS (Group 8)
| Variable | Default | Description |
|---|---|---|
| enable_nfs | false | Provisions a Cloud Filestore NFS instance and mounts it into the Cloud Run service. |
| nfs_mount_path | "/mnt/nfs" | Container path for the NFS volume. |
| nfs_instance_name | "" | Existing NFS GCE VM name. Auto-discovered when empty. |
| nfs_instance_base_name | "app-nfs" | Base name for the inline NFS GCE VM. |
Cloud Storage & GCS Fuse (Group 10)
Kestra Common always provisions a -kestra-storage bucket. Additional buckets can be added via storage_buckets.
| Variable | Default | Description |
|---|---|---|
| create_cloud_storage | true | Controls whether the module provisions the buckets in storage_buckets. |
| storage_buckets | [] | Additional GCS buckets to provision. |
| gcs_volumes | [] | GCS buckets mounted as filesystem volumes via GCS Fuse. Requires execution_environment = "gen2". |
| manage_storage_kms_iam | false | Creates CMEK KMS keys and enables CMEK encryption on storage buckets. |
| enable_artifact_registry_cmek | false | Enables CMEK encryption on container images in Artifact Registry. |
§9 · Backup & Maintenance (Group 16)
| Variable | Default | Description |
|---|---|---|
| backup_schedule | "0 2 * * *" | Cron schedule (UTC) for automated database backups. |
| backup_retention_days | 7 | Days to retain backup files in GCS. |
| enable_backup_import | false | Triggers a one-time database import job during deployment. |
| backup_source | "gcs" | Source: "gcs" or "gdrive". |
| backup_uri | "" | Full URI for the backup. For GCS: gs://bucket/path/backup.sql. For Drive: file ID. |
| backup_format | "sql" | Format of the backup file. Normalised to lowercase automatically. |
§10 · CI/CD & GitHub Integration (Group 11)
| Variable | Default | Description |
|---|---|---|
| enable_cicd_trigger | false | Creates a Cloud Build trigger for automatic builds. |
| github_repository_url | "" | Full HTTPS URL of the GitHub repository. |
| github_token | "" | GitHub PAT. Sensitive. |
| github_app_installation_id | "" | Cloud Build GitHub App installation ID. |
| cicd_trigger_config | { branch_pattern = "^main$" } | Branch filter, included/ignored paths, substitutions. |
| enable_cloud_deploy | false | Switches to a Cloud Deploy pipeline. Requires enable_cicd_trigger = true. |
| cloud_deploy_stages | [dev, staging, prod(approval)] | Ordered promotion stages. |
| enable_binary_authorization | false | Enforces Binary Authorization attestation policy. |
§11 · Custom SQL (Group 17)
| Variable | Default | Description |
|---|---|---|
| enable_custom_sql_scripts | false | Runs custom SQL scripts from GCS against the application database. |
| custom_sql_scripts_bucket | "" | GCS bucket name containing SQL scripts. |
| custom_sql_scripts_path | "" | Path prefix within the GCS bucket. Scripts executed in alphabetical order. |
| custom_sql_scripts_use_root | false | Execute scripts as the root database user. |
§12 · Jobs & Scheduled Tasks (Group 12)
The default db-init job is supplied automatically by Kestra Common (using postgres:15-alpine) when initialization_jobs is empty.
| Variable | Default | Description |
|---|---|---|
| initialization_jobs | [] | Cloud Run Jobs executed once during deployment. Common uses: schema verification, credential seeding, flow imports. When non-empty, replaces the default db-init job. |
| cron_jobs | [] | Recurring Cloud Run Jobs triggered by Cloud Scheduler. |
§13 · Observability & Health (Group 13)
Kestra's health endpoint is /health. Kestra (Java JVM) has a slow startup — the default startup probe allows up to ~14 minutes (initial_delay=30 + period=20 × failure_threshold=40).
Kestra CloudRun exposes four probe variables across two parallel paths:
| Variable | Routed to | Configures |
|---|---|---|
| startup_probe | Kestra Common → config.startup_probe | Application container startup probe |
| liveness_probe | Kestra Common → config.liveness_probe | Application container liveness probe |
| startup_probe_config | App CloudRun directly | App CloudRun infrastructure startup probe |
| health_check_config | App CloudRun directly | App CloudRun infrastructure liveness probe |
| Variable | Default | Description |
|---|---|---|
| startup_probe | { enabled=true, type="HTTP", path="/health", initial_delay_seconds=30, timeout_seconds=5, period_seconds=20, failure_threshold=40 } | Application startup probe. |
| liveness_probe | { enabled=true, type="HTTP", path="/health", initial_delay_seconds=180, timeout_seconds=5, period_seconds=30, failure_threshold=5 } | Application liveness probe. |
| startup_probe_config | { enabled=true, type="TCP", initial_delay_seconds=0, timeout_seconds=300, period_seconds=300, failure_threshold=1 } | App CloudRun startup probe (TCP, no path). |
| health_check_config | { enabled=true, type="HTTP", path="/health" } | App CloudRun liveness probe. |
| uptime_check_config | { enabled=true, path="/health" } | Cloud Monitoring uptime check from multiple global locations. |
| alert_policies | [] | Custom metric alert policies. Each requires name, metric_type, comparison, threshold_value, duration_seconds. |
§14 · Outputs
Outputs are proxied from App CloudRun:
| Output | Description | Sensitive |
|---|---|---|
| service_name | Cloud Run service name | — |
| service_url | Public URL of the Cloud Run service | — |
| service_location | GCP region of the Cloud Run service | — |
| stage_services | Stage-specific Cloud Run service details | — |
| database_instance_name | Cloud SQL instance name | — |
| database_name | Application database name | — |
| database_user | Application database user | — |
| database_password_secret | Secret Manager secret name for database password | — |
| database_host | Database host | yes |
| database_port | Database port | — |
| storage_buckets | Created GCS buckets | — |
| network_name | VPC network name | — |
| network_exists | Whether the VPC network exists | — |
| regions | Available regions in the VPC | — |
| nfs_server_ip | NFS server internal IP | yes |
| nfs_mount_path | NFS mount path in containers | — |
| nfs_share_path | NFS share path on server | — |
| container_image | Container image used for the service | — |
| container_registry | Artifact Registry repository name | — |
| monitoring_enabled | Whether monitoring is configured | — |
| monitoring_notification_channels | Monitoring notification channel names | — |
| deployment_id | Unique deployment identifier | — |
| tenant_id | Tenant identifier | — |
| resource_prefix | Resource naming prefix | — |
| project_id | GCP project ID | — |
| project_number | GCP project number | — |
| initialization_jobs | Created initialization job names | — |
| nfs_setup_job | NFS setup job name | — |
| deployment_summary | Summary of the deployment | — |
| cicd_enabled | Whether CI/CD pipeline is enabled | — |
| github_repository_url | GitHub repository URL for CI/CD | — |
| github_repository_owner | GitHub repository owner/organization | — |
| github_repository_name | GitHub repository name | — |
| artifact_registry_repository | Artifact Registry repository | — |
| cloudbuild_trigger_name | Cloud Build trigger name | — |
| cloudbuild_trigger_id | Cloud Build trigger ID | — |
| cicd_configuration | Complete CI/CD configuration | — |
Configuration Examples
Basic Deployment
```hcl
project_id           = "my-project-123"
tenant_deployment_id = "demo"
```
Production Deployment
```hcl
project_id           = "my-project-123"
tenant_deployment_id = "prod"
application_name     = "kestra"
display_name         = "Kestra Orchestration"
application_version  = "0.17.0"

# Sizing (Kestra needs ≥ 2 vCPU, ≥ 2Gi RAM)
cpu_limit    = "4000m"
memory_limit = "8Gi"

# Keep warm — slow JVM startup; standalone mode is single-instance
min_instance_count = 1
max_instance_count = 1

# Database
db_name                  = "kestra"
db_user                  = "kestra"
database_password_length = 32

# Security — IAP in front of Kestra's built-in basic auth
enable_iap           = true
iap_authorized_users = ["user:alice@example.com"]

# Backup
backup_schedule       = "0 2 * * *"
backup_retention_days = 14

# Observability
uptime_check_config = {
  enabled        = true
  path           = "/health"
  check_interval = "60s"
  timeout        = "10s"
}

# CI/CD
enable_cicd_trigger   = true
github_repository_url = "https://github.com/my-org/kestra-flows"
# Sensitive: pass the PAT via a variable or secret store, do not commit it in tfvars
github_token = "ghp_***"
```
Deployment with GCS Fuse Volume
```hcl
project_id            = "my-project-123"
tenant_deployment_id  = "flows"
execution_environment = "gen2"   # required for GCS Fuse volume mounts

gcs_volumes = [
  {
    name          = "kestra-flows"
    mount_path    = "/app/flows"
    readonly      = false
    mount_options = ["implicit-dirs", "stat-cache-ttl=60s"]
  }
]
```
Configuration Pitfalls & Sensible Defaults
Risk levels: Critical (data loss, full outage, security breach) — High (service unavailable or significant degradation) — Medium (degraded function or increased cost) — Low (minor impact).
| Variable | Sensible Default | Risk | Consequence of Incorrect Value |
|---|---|---|---|
| KESTRA_BASICAUTH_PASSWORD (auto-generated secret) | Auto-generated and stored in Secret Manager | Critical | Unless IAP is enabled, the admin password is the only access control in front of the Kestra UI and API. Losing this password requires a direct database update to reset it. |
| KESTRA_BASICAUTH_USERNAME (injected as "admin") | "admin" | High | This is a well-known default; renaming it before first deploy reduces exposure to password guessing against a known username. Note that §6 lists KESTRA_BASICAUTH_USERNAME as platform-managed (always injected), so confirm that a value supplied in environment_variables actually takes precedence in your deployment before relying on it. |
| KESTRA_BASICAUTH_ENABLED (injected as "true") | "true" | Critical | Disabling basic auth via environment_variables exposes the Kestra UI and all API endpoints without authentication. Only disable it when an authenticating proxy such as IAP fronts the service; Cloud Armor filters by IP and request pattern but does not authenticate users. |
| application_name | "kestra" | Critical | Immutable after first deploy. Changing it renames all GCP resources and causes full recreation with data loss. |
| db_name | "kestra" | Critical | Immutable after first deploy. Changing it causes Kestra to connect to a new empty database, losing all flow definitions, execution history, triggers, and namespaces. |
| KESTRA_QUEUE_TYPE (injected as "postgres") | "postgres" | High | Kestra uses PostgreSQL as both its queue and repository backend in this deployment. Changing via environment_variables to an unsupported backend type causes startup failures — no other queue backend is provisioned. |
| KESTRA_REPOSITORY_TYPE (injected as "postgres") | "postgres" | High | Same as KESTRA_QUEUE_TYPE — only the PostgreSQL repository backend is provisioned. Changing this causes Kestra to fail to find flow definitions and execution records. |
| KESTRA_STORAGE_TYPE (injected as "gcs") | "gcs" | High | Kestra stores flow inputs, outputs, and internal storage in GCS. Changing this to "local" causes all storage operations to write to the ephemeral container filesystem, losing all execution artifacts on restart. |
| KESTRA_STORAGE_GCS_BUCKET (auto-set from resource prefix) | "<prefix>-kestra-storage" | High | The GCS bucket is created by the module. Overriding with a non-existent bucket name via environment_variables causes Kestra to fail all flow executions that produce storage outputs. |
| memory_limit | "4Gi" | High | Kestra loads all flow definitions and active execution contexts into the JVM heap. Values below 2Gi cause frequent JVM GC pauses and OutOfMemoryErrors under concurrent execution load. 2Gi is the hard floor; 4Gi is the recommended production default. |
| cpu_limit | "2000m" | Medium | Kestra's task runners are CPU-intensive. Values below 1000m cause severe execution throttling, especially for flows with parallel task groups. |
| min_instance_count | 1 | High | Kestra must remain running to process scheduled triggers and poll for new executions. Scale-to-zero (0) means scheduled flows miss their trigger window during cold starts. Always keep at least 1 instance warm for scheduler-dependent workloads. |
| max_instance_count | 1 (Kestra default — single-instance only) | High | Kestra in standalone mode uses PostgreSQL-based queue locking. Running multiple instances without proper Kestra Enterprise configuration causes task double-assignment. Keep max_instance_count = 1 for the Community Edition. |
| FLYWAY_DATASOURCES_POSTGRES_BASELINE_ON_MIGRATE (injected as "true") | "true" | High | Required to allow Flyway to baseline against an already-initialized PostgreSQL database (Cloud SQL installs extensions in the public schema by default). Removing this override via environment_variables causes all 52 Kestra migrations to fail on first run with "non-empty schema" errors. |
| enable_nfs | false (see §8) | Medium | Kestra keeps flow scripts and execution artifacts in GCS, so NFS is not needed for normal operation. Enable it only for flow tasks that need a shared, persistent local filesystem: the container filesystem is ephemeral, and files a task writes there do not survive a restart. |
| ingress_settings | "all" | Medium | Setting to "internal" blocks all external webhook triggers and flow API calls from outside the VPC. Use "internal-and-cloud-load-balancing" with Cloud Armor for controlled public access. |
| enable_iap | false | High | Enabling IAP without valid iap_authorized_users or groups blocks all access to the Kestra UI. The basic auth login page is unreachable when IAP returns 403. |
| backup_schedule | "0 2 * * *" (daily at 02:00) | Medium | Kestra's entire state (flows, triggers, namespaces, execution history) lives in PostgreSQL. Ensure the backup schedule aligns with your RPO. |
| enable_cloud_armor | false | Medium | With ingress_settings = "all", the Kestra UI and API are reachable from the internet, protected only by basic auth. Enable Cloud Armor with admin_ip_ranges (or IAP) to restrict access in production. |
| execution_environment | "gen2" | High | Volume mounts (GCS Fuse and NFS) require gen2. Changing to gen1 causes mount failures and container startup errors. |
| secret_propagation_delay | 30 seconds | Low | Too short a delay can let a new revision reference a secret version that Secret Manager has not yet made readable (a newly added secret_environment_variables entry, or a rotated database password), so the container starts with a missing or stale value. The admin password is not affected: it is injected via module_explicit_secret_values. |
| enable_vpc_sc | false | Medium | Requires organization_id. If empty, VPC-SC is silently skipped. |
| vpc_sc_dry_run | true | Low | Leaving dry-run enabled means VPC-SC rules are logged but not enforced. |
| ENDPOINTS_ALL_PORT (injected as "8080") | "8080" | High | Exposes the Micronaut management endpoints (including /health) on the main server port for Cloud Run startup and liveness probes. Overriding this port via environment_variables breaks health checks, causing continuous container restarts. |
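A pre-deploy lint for the values you intend to pass through environment_variables, covering both the platform-managed list in §6 and the plaintext-secret pitfall in the table above. This is an added example, not part of the module or of Kestra Common: it reads a constructed KEY=VALUE file (the file format, the function names and the secret-name heuristic are assumptions; the reserved names are the ones §6 lists) and fails when a key would collide with an injected variable or when a credential-looking key carries a literal value that belongs in secret_environment_variables instead.

```shell
#!/bin/sh
# Added example, not part of the module. Lints a KEY=VALUE file of the
# variables destined for environment_variables. Reserved names are from §6.
set -eu

RESERVED_ENV="MICRONAUT_SERVER_PORT KESTRA_QUEUE_TYPE KESTRA_REPOSITORY_TYPE \
KESTRA_STORAGE_TYPE KESTRA_STORAGE_GCS_BUCKET KESTRA_BASICAUTH_ENABLED \
KESTRA_BASICAUTH_USERNAME KESTRA_BASICAUTH_PASSWORD DATASOURCES_POSTGRES_URL \
DATASOURCES_POSTGRES_USERNAME DATASOURCES_POSTGRES_PASSWORD ENDPOINTS_ALL_PORT"

# Print every key in $1 that is platform-managed; return 1 if there are any.
# Blank lines and '#' comments are skipped; the value after '=' is ignored.
reserved_keys_in() {
  found=0
  while IFS='=' read -r key _; do
    case "$key" in ''|'#'*) continue ;; esac
    for r in $RESERVED_ENV; do
      if [ "$key" = "$r" ]; then printf '%s\n' "$key"; found=1; fi
    done
  done < "$1"
  [ "$found" -eq 0 ]
}

# Print keys that look like credentials but carry a literal, non-empty value
# (these should be routed through secret_environment_variables, which maps the
# name to a Secret Manager secret instead). Return 1 if any are found.
# The name heuristic (PASSWORD/TOKEN/SECRET/_KEY suffix) is an assumption.
plaintext_secret_keys_in() {
  found=0
  while IFS='=' read -r key value; do
    case "$key" in ''|'#'*) continue ;; esac
    case "$key" in
      *PASSWORD*|*TOKEN*|*SECRET*|*_KEY)
        if [ -n "$value" ]; then printf '%s\n' "$key"; found=1; fi ;;
    esac
  done < "$1"
  [ "$found" -eq 0 ]
}

# Combined gate: 0 when the file is clean, 1 otherwise, with findings on stderr.
lint_env_file() {
  ok=0
  if ! reserved_keys_in "$1" | sed 's/^/reserved (platform-managed): /' >&2; then ok=1; fi
  if ! plaintext_secret_keys_in "$1" | sed 's/^/use secret_environment_variables for: /' >&2; then ok=1; fi
  return "$ok"
}
```

Note that `reserved_keys_in` piped through `sed` would normally lose its exit status in POSIX sh; `lint_env_file` relies on the pipeline's last command, so call the two checks directly (as the test does) when you need the precise status of each, and treat `lint_env_file` as a convenience wrapper only.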
Destroying Resources
Known Deletion Issue: Serverless IPv4 Address Release
When destroying a Cloud Run deployment, you may encounter an error similar to:
Error: Error waiting for Subnetwork to be deleted: The following serverless IPv4 address(es) on subnet ... are still in use.
Cause: GCP holds serverless IPv4 addresses on the VPC subnet asynchronously after a Cloud Run service is deleted. These addresses are released by GCP approximately 20–30 minutes after the Cloud Run service is removed. Terraform/OpenTofu cannot complete the subnet or VPC deletion until they are fully released.
Resolution: Wait 20–30 minutes after the initial destroy attempt, then re-run the destroy. The second run succeeds once GCP has released the reserved addresses; any other error on the second run is unrelated to this issue and should be investigated separately.
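The wait-and-retry procedure above as an added example in POSIX sh (not part of the module). It retries only when the captured output matches the subnet error quoted above, so an unrelated failure (permissions, a dependency that still exists) surfaces immediately instead of being masked by a 25-minute sleep. The destroy command is passed as arguments; WAIT_SECONDS and MAX_ATTEMPTS are assumptions, not module variables.

```shell
#!/bin/sh
# Added example, not part of the module: re-run a destroy that failed only
# because GCP had not yet released serverless IPv4 addresses on the subnet.
# Usage: WAIT_SECONDS=1500 destroy_with_retry tofu destroy -auto-approve
set -eu

# True when the captured destroy output contains the subnet-deletion error
# quoted above (parentheses are literal in a basic regular expression).
is_serverless_ip_error() {
  printf '%s\n' "$1" | grep -q 'serverless IPv4 address(es) on subnet .* are still in use'
}

# Run "$@" up to MAX_ATTEMPTS times, sleeping WAIT_SECONDS between attempts,
# retrying only on that specific error; any other failure propagates at once.
destroy_with_retry() {
  attempts="${MAX_ATTEMPTS:-3}"; wait="${WAIT_SECONDS:-1500}"; n=1
  while :; do
    if out="$("$@" 2>&1)"; then
      printf '%s\n' "$out"
      return 0
    fi
    printf '%s\n' "$out" >&2
    if ! is_serverless_ip_error "$out" || [ "$n" -ge "$attempts" ]; then
      return 1
    fi
    echo "attempt $n: subnet still holds serverless addresses; retrying in ${wait}s" >&2
    n=$((n + 1))
    sleep "$wait"
  done
}
```

The default of 1500 seconds is the upper end of the 20–30 minute window the note above gives; three attempts therefore cover a little over an hour before the script gives up and leaves the partially destroyed state for manual inspection.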