N8N AI CloudRun Module — Configuration Guide
n8n is an open-source workflow automation platform that lets you connect services, run logic, and build AI-powered pipelines through a visual node-based interface. This module deploys n8n on Google Cloud Run alongside two companion AI services: Qdrant (vector database for RAG and document search) and Ollama (local LLM inference for privacy-first AI). Together they form an AI Starter Kit for building intelligent agents, chatbots, and document analysis workflows without external AI API dependencies.
N8N AI CloudRun is a wrapper module built on top of App CloudRun. It delegates all
GCP infrastructure provisioning to App CloudRun (Cloud Run service, Cloud SQL, networking,
Secret Manager, GCS, CI/CD) and uses an N8N AI Common sub-module to supply n8n-specific
application configuration, the AI companion services (Qdrant, Ollama), secret generation, and
NFS-based Redis host discovery. The N8N AI Common outputs feed into App CloudRun's
application_config, module_secret_env_vars, module_storage_buckets, and scripts_dir
inputs.
This guide documents variables that are unique to N8N AI CloudRun or that have n8n-specific defaults differing from the App CloudRun base module. For full documentation of variables with identical semantics, refer to the App_CloudRun Configuration Guide.
§1 · Module Overview
What N8N AI CloudRun provides
- An n8n container (prebuilt image from Docker Hub, enable_image_mirroring = true) deployed on Cloud Run listening on port 5678.
- A Cloud SQL PostgreSQL instance as the n8n database backend. DB_TYPE = "postgresdb" and all DB_POSTGRESDB_* connection variables are injected automatically.
- Cloud SQL Auth Proxy via Unix socket — enable_cloudsql_volume = true by default. Unlike other wrapper modules, this is a user-configurable variable that can be set to false to use TCP if needed.
- NFS (Cloud Filestore) enabled by default (enable_nfs = true) for shared workflow data, credential storage, and AI model persistence across container restarts.
- Qdrant vector database and Ollama LLM server deployed as companion Cloud Run services with internal-only ingress (INGRESS_TRAFFIC_INTERNAL_ONLY). They are reachable from n8n via VPC but not exposed to the public internet.
- Redis enabled by default (enable_redis = true) for n8n queue mode. When redis_host = "", the module auto-discovers the NFS server's internal IP via the nfs_discovery sub-module.
- A predicted service URL computed before deployment as https://<wrapper_prefix>-<project_number>.<region>.run.app. This URL is injected as WEBHOOK_URL and N8N_EDITOR_BASE_URL so n8n webhooks are correctly advertised without requiring a post-deploy re-apply.
- N8N_ENCRYPTION_KEY and N8N_SMTP_PASS auto-generated by N8N AI Common and stored in Secret Manager. The encryption key protects all n8n credentials — back it up before destroying the module.
Key differences from App CloudRun defaults
| Feature | App CloudRun default | N8N AI CloudRun default |
|---|---|---|
| container_port | 8080 | 5678 |
| cpu_limit | "1000m" | "2000m" |
| memory_limit | "512Mi" | "4Gi" |
| max_instance_count | 1 | 1 |
| enable_nfs | false | true |
| enable_cloudsql_volume | false | true (user-configurable) |
| enable_redis | false | true |
| Health probe path | /healthz | / |
| AI companion services | none | Qdrant + Ollama (optional) |
| Service URL pre-computation | none | predicted before deployment |
§2 · IAM & Project Identity
These variables configure the GCP project target, deployment identity, and platform metadata. Their semantics are identical to the App CloudRun equivalents — refer to App_CloudRun §2 for full detail.
| Variable | Default | Description |
|---|---|---|
| project_id | (required) | GCP project into which all resources are deployed. |
| tenant_deployment_id | "demo" | Short suffix appended to resource names to allow multiple deployments in the same project. |
| resource_creator_identity | "rad-module-creator@tec-rad-ui-2b65.iam.gserviceaccount.com" | Service account used by Terraform. Override with a project-specific account for production. |
| support_users | [] | Email addresses granted IAM access and added to monitoring alert channels. |
| resource_labels | {} | Labels applied to all module-managed resources. |
| module_description | (N8N AI description string) | Platform UI description. Do not modify unless customising the module. |
| module_documentation | "https://docs.radmodules.dev/docs/modules/N8N_AI_CloudRun" | External documentation URL displayed in the platform UI. |
| module_dependency | ["Services GCP"] | Platform modules that must be deployed before this one. |
| deployment_id | "" | Optional fixed deployment ID. Auto-generated when blank. |
§3 · Core Service Configuration
§3.A · Application Identity
Unlike most other wrapper modules, N8N AI CloudRun uses application_display_name directly
(not aliased as display_name). description is also a top-level variable passed to
N8N AI Common (not directly to App CloudRun's application_description).
| Variable | Default | Description |
|---|---|---|
| application_name | "n8nai" | Base name for the Cloud Run service, Artifact Registry repo, Secret Manager secrets, and GCS buckets. Do not change after initial deployment — it is embedded in resource names and changing it forces recreation. |
| application_display_name | "N8N AI Starter Kit" | Human-readable name shown in the platform UI and Cloud Run console. Passed directly to App CloudRun as application_display_name. |
| description | "N8N AI Starter Kit - Workflow automation with Qdrant and Ollama" | Brief description of the deployment. Passed to N8N AI Common and surfaced in Cloud Run service metadata. |
| application_version | "2.4.7" | Container image version tag. Increment to trigger a new image pull and deploy a new Cloud Run revision. |
§3.B · Resource Sizing
cpu_limit and memory_limit are exposed as dedicated top-level variables. AI workflow
execution (vector search, LLM calls via Ollama, document processing) is both CPU- and
memory-intensive — the elevated defaults reflect this workload.
| Variable | Default | Description |
|---|---|---|
| cpu_limit | "2000m" | CPU limit per container instance. AI nodes and concurrent workflow executions benefit from 2 vCPU. Setting below "1000m" risks throttling on complex AI pipelines. |
| memory_limit | "4Gi" | Memory limit per container instance. n8n caches workflow state and credential data; AI nodes processing large document sets can consume 2–3 Gi alone. |
| min_instance_count | 0 | Minimum live instances. 0 enables scale-to-zero. Set to 1 to eliminate cold starts and keep webhook listeners active — n8n webhooks only fire while at least one instance is running. |
| max_instance_count | 1 | Maximum concurrent instances. Default of 1 ensures workflow state consistency. Increase only after enabling Redis queue mode (enable_redis = true) — without Redis, multiple instances will conflict on credential and workflow state. |
| container_port | 5678 | Port n8n binds to inside the container. Must match N8N_PORT, which is injected automatically. Do not change unless overriding the default n8n port. |
| timeout_seconds | 300 | Maximum request duration. Increase to 600–900 for workflows that call large LLMs or process many documents in a single request (maximum 3600). |
| execution_environment | "gen2" | Cloud Run generation. "gen2" is required for NFS volume mounts. |
| deploy_application | true | Set false to provision infrastructure without deploying the container. |
| enable_cloudsql_volume | true | Injects the Cloud SQL Auth Proxy sidecar for Unix socket connections to Cloud SQL. Set false only when connecting to Cloud SQL via TCP. Unlike other wrapper modules, this is user-configurable. |
| enable_image_mirroring | true | Mirrors the n8n image into Artifact Registry before deployment. Recommended to avoid Docker Hub rate limits in production. |
§3.C · Environment Variables & Secrets
The environment_variables variable has n8n-specific SMTP defaults. The following
platform-managed variables are automatically injected by N8N AI Common and must not be
set in environment_variables — they will be overridden or conflict with the platform's
injected values.
Do not set in environment_variables:
N8N_PORT, DB_TYPE, DB_POSTGRESDB_HOST, DB_POSTGRESDB_PORT,
DB_POSTGRESDB_DATABASE, DB_POSTGRESDB_USER, DB_POSTGRESDB_PASSWORD,
N8N_ENCRYPTION_KEY, WEBHOOK_URL, N8N_EDITOR_BASE_URL, QDRANT_URL,
OLLAMA_HOST, REDIS_HOST, REDIS_PORT.
Default environment_variables (SMTP placeholders):
```hcl
environment_variables = {
  SMTP_HOST     = ""
  SMTP_PORT     = "25"
  SMTP_USER     = ""
  SMTP_PASSWORD = ""                  # supply the real value via Secret Manager (see N8N_SMTP_PASS, §4.A), not here
  SMTP_SSL      = "false"
  EMAIL_FROM    = "ghost@example.com" # override with your sender address
}
```
Override these to enable n8n workflow failure alerts and credential sharing emails:
```hcl
environment_variables = {
  SMTP_HOST  = "smtp.sendgrid.net"
  SMTP_PORT  = "587"
  SMTP_USER  = "apikey"
  SMTP_SSL   = "true"
  EMAIL_FROM = "noreply@example.com"
}
```
User-configurable variables:
| Variable | Default | Description |
|---|---|---|
| environment_variables | (SMTP defaults above) | Plain-text key/value pairs. Use for non-sensitive n8n config such as log level, SMTP settings, or feature flags. |
| secret_environment_variables | {} | Map of env var name → Secret Manager secret name. Resolved at runtime; plaintext never stored in Terraform state. |
| secret_propagation_delay | 30 | Seconds to wait after secret creation before dependent operations proceed. |
| secret_rotation_period | "2592000s" | Pub/Sub rotation notification period (30 days). Set null to disable. |
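The following tfvars fragment is an added example, not part of the original guide, showing the SMTP override from this section with the password kept out of the plain-text map. The weak form places SMTP_PASSWORD in environment_variables, where it is written into Terraform state and the Cloud Run revision spec; the corrected form routes it through secret_environment_variables to a Secret Manager secret that is resolved at runtime. The secret name n8nai-smtp-password is an assumption (the module's own N8N_SMTP_PASS placeholder secret can alternatively be updated in place, as §4.A describes).

```hcl
# Added example: SMTP configuration for N8N AI CloudRun with the password
# supplied through Secret Manager instead of the plain-text environment map.
# The secret name "n8nai-smtp-password" is an assumption for this example.

# --- Weak form: the SMTP password sits in plain text in environment_variables.
# It ends up in Terraform state and in the Cloud Run revision spec.
#
# environment_variables = {
#   SMTP_HOST     = "smtp.sendgrid.net"
#   SMTP_PORT     = "587"
#   SMTP_USER     = "apikey"
#   SMTP_PASSWORD = "SG.xxxxxxxx"          # <- do not do this
#   SMTP_SSL      = "true"
#   EMAIL_FROM    = "noreply@example.com"
# }

# --- Corrected form: non-sensitive settings stay in environment_variables;
# the password is resolved at runtime from Secret Manager and never enters state.
environment_variables = {
  SMTP_HOST  = "smtp.sendgrid.net"
  SMTP_PORT  = "587"
  SMTP_USER  = "apikey"
  SMTP_SSL   = "true"
  EMAIL_FROM = "noreply@example.com"
  # Platform-managed keys (N8N_PORT, DB_*, N8N_ENCRYPTION_KEY, WEBHOOK_URL,
  # N8N_EDITOR_BASE_URL, QDRANT_URL, OLLAMA_HOST, REDIS_HOST, REDIS_PORT) are
  # deliberately absent: N8N AI Common injects them, and setting them here
  # conflicts with the injected values.
}

# env var name -> Secret Manager secret name (secret created outside this module)
secret_environment_variables = {
  SMTP_PASSWORD = "n8nai-smtp-password"
}
```

The secret must exist before apply; the module only references it by name, and secret_propagation_delay governs how long dependent steps wait after a secret is created.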
§3.D · Networking
| Variable | Default | Description |
|---|---|---|
| ingress_settings | "all" | "all" is required for public n8n webhook endpoints to receive external HTTP callbacks. Use "internal" only if webhooks are not needed. |
| vpc_egress_setting | "PRIVATE_RANGES_ONLY" | Routes only RFC 1918 traffic via VPC. Set "ALL_TRAFFIC" for strict egress or on-premises connectivity. |
| cloudsql_volume_mount_path | "/cloudsql" | Container path for the Cloud SQL Auth Proxy Unix socket. |
| container_protocol | "http1" | HTTP protocol version. Use "h2c" only if the application supports HTTP/2 cleartext. |
| service_annotations | {} | Cloud Run service-level annotations for advanced configuration. |
| service_labels | {} | Additional labels applied to the Cloud Run service resource. |
IAP and webhooks: Enabling enable_iap = true adds Google identity authentication in front of the Cloud Run service, which blocks public webhook endpoints. Only enable IAP on internal-only n8n deployments that do not receive external webhook callbacks.
§3.E · Initialization & Bootstrap
| Variable | Default | Description |
|---|---|---|
| initialization_jobs | [] | Cloud Run jobs executed once during deployment. Use for n8n database schema setup, workflow imports (n8n import:workflow), or credential seeding. |
| cron_jobs | [] | Recurring Cloud Run jobs triggered by Cloud Scheduler. Use for periodic workflow exports, cache warm-ups, or maintenance tasks. |
For the initialization_jobs and cron_jobs object schemas refer to
App_CloudRun §3.E.
§4 · Advanced Security
§4.A · Secret Management
Two secrets are auto-generated by N8N AI Common on every deployment:
| Secret | Purpose |
|---|---|
| N8N_ENCRYPTION_KEY | 32-character random key that encrypts all n8n credentials (API keys, OAuth tokens, passwords). Back up this secret before destroying the module — credentials encrypted with one key cannot be decrypted with a different key after re-deployment. |
| N8N_SMTP_PASS | Placeholder SMTP password. Replace the secret value in Secret Manager with your real SMTP credential before enabling email sending. |
Both are injected via module_secret_env_vars and are never stored in Terraform state.
| Variable | Default | Description |
|---|---|---|
| secret_rotation_period | "2592000s" | Duration between rotation Pub/Sub notifications (30 days). Set null to disable. Format: "<seconds>s". |
| secret_propagation_delay | 30 | Seconds to wait after secret creation before dependent operations proceed. |
| enable_auto_password_rotation | false | Automates database password rotation via Cloud Run + Eventarc. Rotates on the secret_rotation_period schedule. |
| rotation_propagation_delay_sec | 90 | Seconds to wait after password rotation before Cloud Run restarts to pick up the new value. |
§4.B · Identity-Aware Proxy (IAP)
Important: Enabling IAP adds Google identity authentication in front of the Cloud Run URL. This blocks all public webhook endpoints — external services cannot POST to n8n webhook URLs. Only enable IAP on internal-only n8n deployments.
| Variable | Default | Description |
|---|---|---|
| enable_iap | false | Enables Cloud Run native IAP. When true, configure iap_authorized_users and/or iap_authorized_groups. |
| iap_authorized_users | [] | Individual users or service accounts. Format: "user:email@example.com". |
| iap_authorized_groups | [] | Google Groups. Format: "group:name@example.com". Preferred for team-level access management. |
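As an added example that is not from the guide, the fragment below contrasts the combination the note above warns against (IAP in front of a service that still expects external webhook callbacks) with a consistent internal-only profile. The group address is an assumption.

```hcl
# Added example (not from the guide): n8n for internal automation only, with the
# editor behind IAP. The group address is an assumption.

# --- Broken combination: IAP in front of a service that still expects external
# webhook callbacks. ingress "all" does not help; IAP rejects the unauthenticated
# POST before it reaches n8n, so every third-party webhook delivery fails.
# enable_iap       = true
# ingress_settings = "all"

# --- Consistent internal-only profile: no public webhooks, identity-gated UI.
enable_iap            = true
ingress_settings      = "internal"
iap_authorized_groups = ["group:n8n-operators@example.com"]   # groups preferred over per-user entries
iap_authorized_users  = []

# Companion services are unaffected: Qdrant and Ollama already run with
# INGRESS_TRAFFIC_INTERNAL_ONLY regardless of these settings.
```

If a workflow later needs an inbound webhook from a third party, the service has to come out from behind IAP rather than be patched around it; ingress_settings = "all" alone does not restore webhook delivery while enable_iap is true.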
§4.C · Cloud Armor & CDN
| Variable | Default | Description |
|---|---|---|
| enable_cloud_armor | false | Enables Cloud Armor WAF + Global HTTPS Load Balancer with OWASP Top 10 protection and DDoS mitigation. |
| application_domains | [] | Custom domain names. Google-managed SSL certificates are provisioned automatically. DNS must point to the LB IP before cert provisioning. |
| enable_cdn | false | Enables Cloud CDN for caching n8n static assets at Google edge locations. Only active when enable_cloud_armor = true. |
| admin_ip_ranges | [] | CIDR ranges for administrative access bypass. |
§4.D · VPC Service Controls
| Variable | Default | Description |
|---|---|---|
| enable_vpc_sc | false | Restricts GCP API access to a VPC-SC perimeter, preventing data exfiltration. Requires an existing perimeter. |
| vpc_cidr_ranges | [] | VPC subnet CIDR ranges for the VPC-SC network access level. Auto-discovered when empty; falls back to 10.0.0.0/8. |
| vpc_sc_dry_run | true | When true, VPC-SC violations are logged but not blocked. Set false to actively enforce the perimeter. |
| organization_id | "" | GCP Organization ID for the Access Context Manager policy. Auto-discovered from the project when empty. |
| enable_audit_logging | false | Enables detailed Cloud Audit Logs (DATA_READ, DATA_WRITE, ADMIN_READ) for all GCP services in the project. |
§4.E · Binary Authorization
| Variable | Default | Description |
|---|---|---|
| enable_binary_authorization | false | Enforces Binary Authorization attestation policy. Requires a policy and attestor pre-configured in the project. |
§5 · Traffic & Ingress
§5.A · Ingress Controls
| Variable | Default | Options | Description |
|---|---|---|---|
| ingress_settings | "all" | all / internal / internal-and-cloud-load-balancing | "all" is required for n8n to receive external webhook callbacks from third-party services. Use "internal" only if n8n runs without public webhooks. |
| vpc_egress_setting | "PRIVATE_RANGES_ONLY" | ALL_TRAFFIC / PRIVATE_RANGES_ONLY | Routes only RFC 1918 outbound traffic via VPC. Set "ALL_TRAFFIC" when all egress must pass through a firewall. |
§5.B · Traffic Management
| Variable | Default | Description |
|---|---|---|
| traffic_split | [] | Allocates traffic across Cloud Run revisions for canary or blue-green deployments. All entries must sum to 100. Empty list sends all traffic to the latest revision. |
§5.C · Custom Domains & Load Balancer
| Variable | Default | Description |
|---|---|---|
| application_domains | [] | Custom domain names for the Cloud Armor load balancer (e.g. ["n8n.example.com"]). DNS A records must point to the LB IP before SSL certificates can be provisioned. |
| enable_cdn | false | Enables Cloud CDN on the load balancer for n8n static asset caching. |
| admin_ip_ranges | [] | CIDR ranges for administrative access bypass. |
§6 · CI/CD Integration
§6.A · GitHub & Cloud Build
n8n uses the prebuilt Docker Hub image (enable_image_mirroring = true). The CI/CD
pipeline mirrors the image to Artifact Registry and deploys it — no custom Dockerfile build
is needed unless you extend the base image.
| Variable | Default | Description |
|---|---|---|
| enable_cicd_trigger | false | Creates a Cloud Build trigger that builds and deploys on push to the configured branch. |
| github_repository_url | "" | Full HTTPS URL of the GitHub repository. Required when enable_cicd_trigger = true. |
| github_token | "" | GitHub PAT for repository authentication. Required scopes: repo, admin:repo_hook, workflow. Mutually exclusive with github_app_installation_id. |
| github_app_installation_id | "" | Cloud Build GitHub App installation ID. Preferred over PAT for organisation repositories. |
| cicd_trigger_config | { branch_pattern = "^main$" } | Controls branch filter, included/ignored paths, trigger name, and build substitutions. |
§6.B · Cloud Deploy Pipelines
| Variable | Default | Description |
|---|---|---|
| enable_cloud_deploy | false | Switches from direct Cloud Build deployments to a Cloud Deploy pipeline with defined promotion stages. Requires enable_cicd_trigger = true. |
| cloud_deploy_stages | [dev, staging, prod(approval)] | Ordered promotion stages with optional manual approval gates. |
| enable_binary_authorization | false | See §4.E. |
§6.C · Artifact Registry Image Lifecycle
| Variable | Default | Description |
|---|---|---|
| max_images_to_retain | 7 | Maximum number of recent container images to keep in Artifact Registry. Images beyond this count are eligible for deletion by cleanup policies. Set 0 to disable. |
| delete_untagged_images | true | Automatically deletes untagged (dangling) container images from the Artifact Registry repository. |
| image_retention_days | 30 | Days after which container images are eligible for deletion. Images within max_images_to_retain are always kept. Set 0 to disable age-based deletion. |
| max_revisions_to_retain | 7 | Maximum number of Cloud Run revisions to keep after each deployment. Revisions actively serving traffic are never deleted. Set 0 to disable. |
§7 · Reliability & Data
§7.A · Health Probes
N8N AI CloudRun exposes two probe interfaces: flat objects (startup_probe /
liveness_probe) and structured objects (startup_probe_config / health_check_config).
When both are provided, the structured form (startup_probe_config /
health_check_config) takes precedence. Probe paths target / — n8n does not expose a
dedicated health endpoint.
| Variable | Default | Description |
|---|---|---|
| startup_probe | { enabled=true, type="HTTP", path="/", initial_delay_seconds=120, timeout_seconds=3, period_seconds=10, failure_threshold=3 } | Flat startup probe. initial_delay_seconds=120 gives n8n time to connect to Cloud SQL and load workflow state before probing begins. |
| liveness_probe | { enabled=true, type="HTTP", path="/", initial_delay_seconds=30, timeout_seconds=5, period_seconds=30, failure_threshold=3 } | Flat liveness probe. initial_delay_seconds=30 avoids false restarts during the post-startup phase. |
| startup_probe_config | { enabled=true } | Structured startup probe (takes precedence over startup_probe). Default type is TCP with a 240-second timeout. |
| health_check_config | { enabled=true } | Structured liveness probe (takes precedence over liveness_probe). Default is HTTP on / with a 10-second period. |
| uptime_check_config | { enabled=true, path="/", check_interval="60s", timeout="10s" } | Cloud Monitoring uptime check from multiple global locations. |
§7.B · Storage
NFS (Cloud Filestore):
| Variable | Default | Description |
|---|---|---|
| enable_nfs | true | Provisions a Cloud Filestore NFS instance mounted into the container. Used for n8n workflow data and credential persistence, and as the default Redis host source via nfs_discovery. Requires execution_environment = "gen2". |
| nfs_mount_path | "/mnt/nfs" | Container path for the NFS volume. |
| nfs_instance_name | "" | Name of an existing NFS GCE VM to target directly. Leave empty for auto-discovery or inline creation. |
| nfs_instance_base_name | "app-nfs" | Base name for an inline NFS GCE VM when none is found. The deployment ID is appended for uniqueness. |
GCS buckets:
Qdrant and Ollama store their persistent data on the GCS bucket provisioned via
module_storage_buckets from N8N AI Common: Qdrant at /mnt/gcs/qdrant and Ollama
model weights at /mnt/gcs/ollama/models via GCS Fuse. This persists vector indices and
model files across container restarts.
| Variable | Default | Description |
|---|---|---|
| storage_buckets | [{ name_suffix = "data" }] | Additional GCS buckets. The AI data bucket is provisioned separately via module_storage_buckets. |
| create_cloud_storage | true | Set false to skip provisioning storage_buckets. |
| gcs_volumes | [] | Additional GCS buckets mounted as GCS Fuse volumes into the n8n container. |
| manage_storage_kms_iam | false | Creates a CMEK KMS keyring and storage encryption key, grants the GCS service account encrypter/decrypter, and enables CMEK on all buckets. |
| enable_artifact_registry_cmek | false | Creates an Artifact Registry KMS key and enables CMEK encryption for container images in Artifact Registry. |
§7.C · Database
n8n requires PostgreSQL. db_name and db_user are aliases for
application_database_name / application_database_user. All DB_POSTGRESDB_*
connection variables are injected automatically.
| Variable | Default | Description |
|---|---|---|
| db_name | "n8n_db" | PostgreSQL database name. Injected as DB_POSTGRESDB_DATABASE. Do not change after initial deployment — renaming requires a full backup-restore migration. |
| db_user | "n8n_user" | PostgreSQL user. Injected as DB_POSTGRESDB_USER. Password auto-generated, stored in Secret Manager, injected as DB_POSTGRESDB_PASSWORD. |
| database_password_length | 32 | Auto-generated password length (16–64 characters). |
| enable_auto_password_rotation | false | Automates password rotation via Cloud Run + Eventarc. See §4.A. |
| rotation_propagation_delay_sec | 90 | Seconds to wait after rotation before Cloud Run restarts. |
§7.D · Backup & Recovery
| Variable | Default | Description |
|---|---|---|
| backup_schedule | "0 2 * * *" | Cron expression (UTC) for the automated backup job. Leave empty to disable. |
| backup_retention_days | 7 | Days to retain backup files in GCS before automatic deletion. |
| enable_backup_import | false | Triggers a one-time import job to restore the backup. |
| backup_source | "gcs" | Source of the backup: "gcs" (full GCS URI) or "gdrive" (Google Drive file ID). |
| backup_uri | "" | For GCS: e.g. "gs://my-bucket/backups/n8n.sql". For Google Drive: the file ID. Note: This variable is declared in N8N AI CloudRun but is not currently forwarded to App CloudRun — it has no effect in the current implementation. Backup file location must be configured via the underlying App CloudRun variables instead. |
| backup_format | "sql" | Format of the backup file. Accepted: sql, tar, gz, tgz, tar.gz, zip. ("auto" appears in the UI OPTIONS metadata but is rejected by the validation rule — always use an explicit format string.) |
§8 · Integrations
§8.A · AI Components (unique to N8N AI CloudRun)
These variables are exclusive to N8N AI CloudRun — they do not exist in App CloudRun.
They control the Qdrant and Ollama companion services deployed as separate Cloud Run services
with INGRESS_TRAFFIC_INTERNAL_ONLY. Both services are reachable from n8n over the VPC but
are not exposed to the public internet.
| Variable | Default | Description |
|---|---|---|
| enable_ai_components | true | Master toggle for the AI stack. Set false to deploy n8n as a standard workflow automation tool without Qdrant or Ollama. When false, QDRANT_URL and OLLAMA_HOST are not injected. |
| enable_qdrant | true | Deploys Qdrant as a companion Cloud Run service. Enables RAG pipelines, document embedding search, and AI memory in n8n workflows. Only active when enable_ai_components = true. |
| qdrant_version | "latest" | Qdrant Docker image tag. Use a pinned version (e.g. "v1.9.0") in production for reproducible deployments. |
| enable_ollama | true | Deploys Ollama LLM server as a companion Cloud Run service. Enables open-source LLM inference (Llama 3, Mistral, Gemma) on your infrastructure — no external AI API keys required. Only active when enable_ai_components = true. |
| ollama_version | "latest" | Ollama Docker image tag. Use a pinned version in production. |
| ollama_model | "llama3.2" | Default model name for Ollama. Common options: "llama3.2" (recommended), "mistral", "gemma2". Note: This variable is declared in N8N AI CloudRun but is not currently forwarded to N8N AI Common — it has no effect in the current implementation. Model selection must be configured at the Ollama service level directly. |
AI service resource allocation (platform-managed, not user-configurable):
| Service | CPU | Memory | Scaling | GCS persistence path |
|---|---|---|---|---|
| Qdrant | 1 vCPU | 1 Gi | Fixed: 1 instance | /mnt/gcs/qdrant |
| Ollama | inherits cpu_limit | inherits memory_limit | Fixed: 1 instance | /mnt/gcs/ollama/models |
Note: Ollama's CPU and memory limits are not independently configurable — they are inherited from the cpu_limit and memory_limit variables set on the main n8n container. The defaults (2000m/4Gi) therefore apply to both n8n and Ollama simultaneously.
§8.B · Redis Cache
Redis enables n8n queue mode for reliable multi-instance workflow execution. When
enable_redis = true and redis_host = "", the module auto-discovers the NFS server's
internal IP via nfs_discovery and uses it as the Redis host. redis_port is a string
type.
| Variable | Default | Description |
|---|---|---|
| enable_redis | true | Injects REDIS_HOST and REDIS_PORT into the n8n container. Required for max_instance_count > 1 to avoid workflow state conflicts. |
| redis_host | "" | Redis server hostname or IP. When empty and NFS is enabled, auto-discovered from the NFS server. Override with a Cloud Memorystore IP for production. |
| redis_port | "6379" | Redis port (string type). Change if the Redis instance uses a non-default port. |
| redis_auth | "" | Redis AUTH password. Leave empty for unauthenticated Redis. Treated as sensitive. |
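The fragment below is an added example, not from the guide, that pulls together the scale-out rules from §3.B, the AI version pinning from §8.A and the Redis settings in this section into one production tfvars profile for a deployment that receives public webhooks. The Memorystore IP, the admin CIDR and the Ollama tag placeholder are assumptions; the domain is the one the guide itself uses as an illustration.

```hcl
# Added example (not from the guide): production profile for an n8n deployment
# that receives public webhooks and runs more than one instance.
# Assumed values: the Memorystore IP, the admin CIDR and the Ollama tag placeholder.

# --- Weak form: scale out without queue mode. Instances then disagree on
# workflow and credential state (see max_instance_count in §3.B).
# enable_redis       = false
# max_instance_count = 3

# --- Corrected form: queue mode on a dedicated Redis, then scale out.
enable_redis = true
redis_host   = "10.20.0.3"   # assumed Cloud Memorystore private IP; "" would fall back to the NFS server via nfs_discovery
redis_port   = "6379"        # declared as a string, not a number
# redis_auth is sensitive: keep it out of committed tfvars and pass it at apply time:
#   TF_VAR_redis_auth='<redis password>' terraform apply
min_instance_count = 1       # keep a webhook listener running at all times
max_instance_count = 3
timeout_seconds    = 900     # long LLM / document workflows; hard cap is 3600

# Companion AI services: pin image tags for reproducible rollouts.
enable_ai_components = true
qdrant_version       = "v1.9.0"
ollama_version       = "PINNED_OLLAMA_TAG"   # placeholder: replace with a specific tag, never "latest"
# Ollama inherits cpu_limit / memory_limit from the n8n container (2000m / 4Gi by default).

# Public webhooks need ingress "all" and no IAP; harden the edge with Cloud Armor instead.
ingress_settings    = "all"
enable_iap          = false
enable_cloud_armor  = true
application_domains = ["n8n.example.com"]   # DNS A record must point at the LB IP before apply
admin_ip_ranges     = ["203.0.113.0/24"]    # assumed admin CIDR (RFC 5737 documentation range)

# Backups: always an explicit format, since "auto" is rejected by validation.
backup_schedule       = "0 2 * * *"
backup_retention_days = 14
backup_format         = "sql"
```

With this profile the NFS-discovered Redis host is no longer used, so Filestore remains only for workflow data and model persistence; the companion Qdrant and Ollama services keep their fixed single instance and internal-only ingress regardless of the n8n instance counts above.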
§8.C · Custom SQL Scripts
| Variable | Default | Description |
|---|---|---|
| enable_custom_sql_scripts | false | Runs .sql files from a GCS bucket against the n8n PostgreSQL database after provisioning. Use for schema extensions or seed data. |
| custom_sql_scripts_bucket | "" | GCS bucket name (without gs://) containing the SQL scripts. |
| custom_sql_scripts_path | "" | Path prefix within the bucket. Files run in lexicographic order. |
| custom_sql_scripts_use_root | false | Run scripts as the root database user for elevated privileges. |
§8.D · Observability
| Variable | Default | Description |
|---|---|---|
| uptime_check_config | { enabled=true, path="/", check_interval="60s", timeout="10s" } | Cloud Monitoring uptime check probing the n8n service from multiple global locations. |
| alert_policies | [] | Cloud Monitoring alert policies. Each monitors a metric and notifies support_users when thresholds are exceeded. |
| service_annotations | {} | Cloud Run service annotations. |
| service_labels | {} | Additional labels on the Cloud Run service. |
§9 · Platform-Managed Behaviours
The following behaviours are applied automatically by N8N AI CloudRun and cannot be
overridden via tfvars.
| Behaviour | Detail |
|---|---|
| N8N_PORT = "5678" injected | n8n's port is always set to 5678. The container_port variable defaults to 5678 to match. Do not set N8N_PORT in environment_variables. |
| DB_TYPE = "postgresdb" injected | PostgreSQL is the only supported n8n database backend. |
| DB_POSTGRESDB_* injected | DB_POSTGRESDB_HOST, DB_POSTGRESDB_PORT, DB_POSTGRESDB_DATABASE, DB_POSTGRESDB_USER, and DB_POSTGRESDB_PASSWORD are injected automatically from the Cloud SQL instance and Secret Manager. |
| N8N_ENCRYPTION_KEY auto-generated | A 32-character random key generated by N8N AI Common, stored in Secret Manager, and injected via module_secret_env_vars. Back up before destroying the module — existing credentials cannot be decrypted with a different key. |
| N8N_SMTP_PASS auto-generated | Placeholder SMTP password generated by N8N AI Common. Override the Secret Manager value with a real credential before enabling email. |
| WEBHOOK_URL and N8N_EDITOR_BASE_URL pre-computed | Set to the predicted Cloud Run service URL (https://<wrapper_prefix>-<project_number>.<region>.run.app) before the service is created. Webhooks are correctly advertised without a post-deploy re-apply. |
| QDRANT_URL injected when enable_qdrant = true | Set to the internal URL of the Qdrant companion service. Only accessible within the VPC. |
| OLLAMA_HOST injected when enable_ollama = true | Set to the internal URL of the Ollama companion service. Only accessible within the VPC. |
| REDIS_HOST / REDIS_PORT injected when enable_redis = true | REDIS_PORT is the value of redis_port. REDIS_HOST is redis_host if set; otherwise auto-discovered from the NFS server internal IP via nfs_discovery. |
| Qdrant and Ollama use internal-only ingress | Both companion services are deployed with INGRESS_TRAFFIC_INTERNAL_ONLY. They cannot be reached from the public internet. |
| GCS Fuse persistence for AI data | Qdrant stores its vector index at /mnt/gcs/qdrant and Ollama stores model weights at /mnt/gcs/ollama/models on the auto-provisioned GCS bucket. |
| scripts_dir | Set to N8N AI Common's bundled scripts/ directory. Cannot be overridden. |
§10 · Variable Reference
Complete reference of all N8N AI CloudRun variables, their defaults, and UI metadata groups.
| Variable | Default | Group |
|---|---|---|
| module_description | (N8N AI description) | 0 |
| module_documentation | "https://docs.radmodules.dev/docs/modules/N8N_AI_CloudRun" | 0 |
| module_dependency | ["Services GCP"] | 0 |
| module_services | (list of GCP services) | 0 |
| credit_cost | 50 | 0 |
| require_credit_purchases | false | 0 |
| enable_purge | true | 0 |
| public_access | true | 0 |
| deployment_id | "" | 0 |
| resource_creator_identity | "rad-module-creator@tec-rad-ui-2b65.iam.gserviceaccount.com" | 0 |
| project_id | (required) | 1 |
| tenant_deployment_id | "demo" | 1 |
| support_users | [] | 1 |
| resource_labels | {} | 1 |
| application_name | "n8nai" | 2 |
| application_display_name | "N8N AI Starter Kit" | 2 |
| description | "N8N AI Starter Kit - Workflow automation with Qdrant and Ollama" | 2 |
| application_version | "2.4.7" | 2 |
| deploy_application | true | 3 |
| cpu_limit | "2000m" | 3 |
| memory_limit | "4Gi" | 3 |
| min_instance_count | 0 | 3 |
| max_instance_count | 1 | 3 |
| container_port | 5678 | 3 |
| execution_environment | "gen2" | 3 |
| timeout_seconds | 300 | 3 |
| enable_cloudsql_volume | true | 3 |
| service_annotations | {} | 3 |
| service_labels | {} | 3 |
| enable_image_mirroring | true | 3 |
| traffic_split | [] | 3 |
| container_protocol | "http1" | 3 |
| cloudsql_volume_mount_path | "/cloudsql" | 3 |
| ingress_settings | "all" | 4 |
| vpc_egress_setting | "PRIVATE_RANGES_ONLY" | 4 |
| enable_iap | false | 4 |
| iap_authorized_users | [] | 4 |
| iap_authorized_groups | [] | 4 |
| environment_variables | (SMTP defaults) | 5 |
| secret_environment_variables | {} | 5 |
| secret_propagation_delay | 30 | 5 |
| secret_rotation_period | "2592000s" | 5 |
| backup_schedule | "0 2 * * *" | 6 |
| backup_retention_days | 7 | 6 |
| enable_backup_import | false | 6 |
| backup_source | "gcs" | 6 |
| backup_uri | "" | 6 |
| backup_format | "sql" | 6 |
| enable_cicd_trigger | false | 7 |
| github_repository_url | "" | 7 |
| github_token | "" | 7 |
| github_app_installation_id | "" | 7 |
| cicd_trigger_config | { branch_pattern = "^main$" } | 7 |
| enable_cloud_deploy | false | 7 |
| cloud_deploy_stages | [dev, staging, prod(approval)] | 7 |
| enable_binary_authorization | false | 7 |
| enable_custom_sql_scripts | false | 8 |
| custom_sql_scripts_bucket | "" | 8 |
| custom_sql_scripts_path | "" | 8 |
| custom_sql_scripts_use_root | false | 8 |
| enable_cloud_armor | false | 9 |
| admin_ip_ranges | [] | 9 |
| application_domains | [] | 9 |
| enable_cdn | false | 9 |
| create_cloud_storage | true | 10 |
| storage_buckets | [{ name_suffix = "data" }] | 10 |
| enable_nfs | true | 10 |
| nfs_mount_path | "/mnt/nfs" | 10 |
| gcs_volumes | [] | 10 |
| db_name | "n8n_db" | 11 |
| db_user | "n8n_user" | 11 |
| database_password_length | 32 | 11 |
| enable_auto_password_rotation | false | 11 |
| rotation_propagation_delay_sec | 90 | 11 |
| initialization_jobs | [] | 12 |
| cron_jobs | [] | 12 |
| startup_probe | { path="/", initial_delay_seconds=120, period_seconds=10, failure_threshold=3 } | 13 |
| liveness_probe | { path="/", initial_delay_seconds=30, period_seconds=30, failure_threshold=3 } | 13 |
| startup_probe_config | { enabled=true } | 13 |
| health_check_config | { enabled=true } | 13 |
| uptime_check_config | { enabled=true, path="/", check_interval="60s" } | 13 |
| alert_policies | [] | 13 |
| enable_redis | true | 20 |
| redis_host | "" | 20 |
| redis_port | "6379" | 20 |
| redis_auth | "" | 20 |
| enable_ai_components | true | 21 |
| enable_qdrant | true | 21 |
| qdrant_version | "latest" | 21 |
| enable_ollama | true | 21 |
| ollama_version | "latest" | 21 |
| ollama_model | "llama3.2" | 21 |
| enable_vpc_sc | false | 22 |
| vpc_cidr_ranges | [] | 22 |
| vpc_sc_dry_run | true | 22 |
| organization_id | "" | 22 |
| enable_audit_logging | false | 22 |
| nfs_instance_name | "" | 10 |
| nfs_instance_base_name | "app-nfs" | 10 |
| manage_storage_kms_iam | false | 10 |
| enable_artifact_registry_cmek | false | 10 |
| max_images_to_retain | 7 | 9 |
| delete_untagged_images | true | 9 |
| image_retention_days | 30 | 9 |
| max_revisions_to_retain | 7 | 3 |
Configuration Pitfalls & Sensible Defaults
Risk levels: Critical (data loss, full outage, security breach) — High (service unavailable or significant degradation) — Medium (degraded function or increased cost) — Low (minor impact).
| Variable | Sensible Default | Risk | Consequence of Incorrect Value |
|---|---|---|---|
| N8N_ENCRYPTION_KEY (auto-generated secret) | Auto-generated 32-char random string stored in Secret Manager | Critical | Changing it after the first run permanently destroys all saved credentials in every workflow. Never rotate it unless you are prepared to re-enter every credential. |
| application_name | "n8nai" | Critical | Immutable after first deploy. Changing it renames all GCP resources, triggering full recreation, database loss, and service outage. |
| db_name | "n8n_db" | Critical | Immutable after first deploy. Changing it causes n8n to connect to a new empty database, losing all workflows, execution history, and AI pipeline configurations. |
| WEBHOOK_URL / N8N_EDITOR_BASE_URL (injected from service_url) | Predicted Cloud Run service URL | Critical | Must match the actual public URL. If wrong, webhook triggers and OAuth callbacks silently fail, breaking all AI workflow integrations. |
| enable_ai_components | true | High | Master toggle for the AI stack. Setting it to false prevents Qdrant and Ollama from deploying. Both enable_qdrant and enable_ollama require this to be true; plan-time validation rejects either being true when enable_ai_components = false. |
| enable_qdrant | true | High | Qdrant is the vector database for RAG pipelines and AI memory nodes. Disabling it while active n8n AI workflows reference Qdrant causes those workflows to fail at runtime with connection errors. |
| enable_ollama | true | High | Ollama serves the local LLM. Disabling it breaks all n8n AI nodes that reference the Ollama endpoint. Use false only if you are exclusively using external AI providers (OpenAI, Anthropic, etc.). |
| ollama_model | "llama3.2" | Medium | This variable is not referenced by the application module and has no effect on deployment. The actual model must be pulled by the Ollama service at runtime via a separate initialization step or API call. |
| qdrant_version | "latest" | Medium | Using "latest" in production means Qdrant can upgrade automatically on restart, potentially changing the binary API format. Pin to a specific version (e.g., "v1.9.0") for production stability. |
| ollama_version | "latest" | Medium | Same risk as qdrant_version: unpinned tags cause uncontrolled upgrades. Pin for production. |
| enable_redis | true | High | Disabling Redis while max_instance_count > 1 causes split-brain execution. AI workflow pipelines often have long-running multi-step executions that are especially susceptible to duplicate runs. |
| redis_host | "" (uses NFS server IP when enable_nfs = true) | High | When enable_redis = true, redis_host is empty and enable_nfs = false, n8n fails to start because the Redis connection string is empty. |
| memory_limit | "4Gi" | High | AI workloads involving embedding generation, vector search, and LLM inference chains consume significantly more memory than standard automation. Values below 4Gi cause frequent OOM kills on AI-heavy workflows. |
| cpu_limit | "2000m" | Medium | AI nodes (code execution, embedding, JSON processing) are CPU-intensive. Values below 2000m cause severe throttling on AI pipeline workflows. |
| min_instance_count | 0 | Medium | Scale-to-zero with AI components means Qdrant and Ollama also cold-start, introducing 30–60 second delays for the first request after idle. Set to 1 for production AI deployments. |
| max_instance_count | 1 | High | Increasing above 1 requires Redis to be enabled and properly configured. AI pipeline steps are stateful and cannot safely be split across instances without queue coordination. |
| enable_nfs | true | High | Qdrant stores its vector index at /mnt/gcs/qdrant and Ollama stores model files at /mnt/gcs/ollama/models. Without persistent storage, model files and vector indexes are lost on restart. GCS Fuse volumes are configured automatically when AI components are enabled. |
| enable_iap | false | High | Enabling IAP without providing both iap_oauth_client_id and iap_oauth_client_secret blocks all user access to the n8n UI. |
| binauthz_evaluation_mode | "ALWAYS_ALLOW" | Medium | Changing to "REQUIRE_ATTESTATION" blocks all deployments (including the Qdrant and Ollama sidecar services) unless each image has a valid attestation. Configure attestors before enforcing. |
| secret_environment_variables | {} | Medium | External AI provider API keys (e.g., OpenAI, Anthropic, Google AI) must be passed via secret_environment_variables with references to existing Secret Manager secrets, not via plain environment_variables. Passing API keys as plain env vars exposes them in the Cloud Run console and audit logs. |
| enable_vpc_sc | false | Medium | Requires organization_id to be explicitly set. If it is left empty, VPC-SC is silently skipped. |
| vpc_sc_dry_run | true | Low | Leaving dry-run enabled in production means VPC-SC rules are logged but not enforced. |
| ingress_settings | "all" | Medium | Setting to "internal" blocks webhook callbacks from external AI APIs and OAuth providers. Use "internal-and-cloud-load-balancing" with Cloud Armor in production. |
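As an added example (not part of the module or its validation), a small pre-apply lint that encodes several of the rules from the table above as checks over a flat `key = value` tfvars file; the sample tfvars is constructed to trip five of the pitfalls, and the defaults used for absent keys mirror the table.

```python
"""Pre-apply lint for n8n AI CloudRun tfvars (added example, not module code)."""
import re

# Constructed sample tfvars that reproduces several pitfalls from the table.
SAMPLE_TFVARS = """
application_name     = "n8nai"
enable_ai_components = false   # but Qdrant/Ollama left enabled below
enable_qdrant        = true
enable_ollama        = true
qdrant_version       = "latest"
ollama_version       = "v0.3.0"
enable_redis         = true
redis_host           = ""
enable_nfs           = false   # no NFS fallback for the Redis host
max_instance_count   = 2
enable_vpc_sc        = true
organization_id      = ""
ingress_settings     = "internal"
"""

_LINE = re.compile(r'^\s*([a-z_]+)\s*=\s*(.+?)\s*$')

def parse_tfvars(text):
    """Parse simple key = value lines (strings, bools, ints); '#' starts a comment."""
    out = {}
    for line in text.splitlines():
        m = _LINE.match(line.split("#", 1)[0])
        if not m:
            continue
        key, raw = m.groups()
        if raw in ("true", "false"):
            out[key] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            out[key] = raw[1:-1]
        elif raw.lstrip("-").isdigit():
            out[key] = int(raw)
        else:
            out[key] = raw  # lists/objects kept as raw text
    return out

def lint(v):
    """Return (risk, message) findings; defaults match the pitfalls table."""
    g = lambda k, d: v.get(k, d)
    f = []
    if not g("enable_ai_components", True) and (g("enable_qdrant", True) or g("enable_ollama", True)):
        f.append(("High", "enable_qdrant/enable_ollama require enable_ai_components = true"))
    for k in ("qdrant_version", "ollama_version"):
        if g(k, "latest") == "latest":
            f.append(("Medium", f"{k} is unpinned ('latest'); pin a release for production"))
    if g("enable_redis", True) and not g("redis_host", "") and not g("enable_nfs", True):
        f.append(("High", "redis_host empty and enable_nfs false: empty Redis connection string"))
    if g("max_instance_count", 1) > 1 and not g("enable_redis", True):
        f.append(("High", "max_instance_count > 1 without Redis: split-brain execution"))
    if g("enable_vpc_sc", False) and not g("organization_id", ""):
        f.append(("Medium", "enable_vpc_sc set but organization_id empty: VPC-SC silently skipped"))
    if g("ingress_settings", "all") == "internal":
        f.append(("Medium", "ingress 'internal' blocks external webhook/OAuth callbacks"))
    return f

if __name__ == "__main__":
    for risk, msg in lint(parse_tfvars(SAMPLE_TFVARS)):
        print(f"[{risk}] {msg}")
```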
Destroying Resources
Known Deletion Issue: Serverless IPv4 Address Release
When destroying a Cloud Run deployment, you may encounter an error similar to:
```
Error: Error waiting for Subnetwork to be deleted: The following serverless IPv4 address(es) on subnet ... are still in use.
```
Cause: GCP holds serverless IPv4 addresses on the VPC subnet asynchronously after a Cloud Run service is deleted. These addresses are released by GCP approximately 20–30 minutes after the Cloud Run service is removed. Terraform/OpenTofu cannot complete the subnet or VPC deletion until they are fully released.
Resolution: Wait 20–30 minutes after the initial destroy attempt, then re-run the destroy command:
```bash
tofu destroy
```
The second run will succeed once GCP has released the reserved addresses.