N8N CloudRun Module — Configuration Guide

n8n is an open-source workflow automation platform that lets you connect services, run logic, and build automated pipelines through a visual node-based interface. This module deploys n8n on Google Cloud Run with a managed Cloud SQL PostgreSQL database and GCS-backed storage persistence.

N8N CloudRun is a wrapper module built on top of App CloudRun. It delegates all GCP infrastructure provisioning to App CloudRun (Cloud Run service, Cloud SQL, networking, Secret Manager, GCS, CI/CD) and uses an N8N Common sub-module to supply n8n-specific application configuration, secret generation, and service URL pre-computation. The N8N Common outputs feed into App CloudRun's application_config, module_secret_env_vars, module_storage_buckets, and scripts_dir inputs.

This guide documents variables that are unique to N8N CloudRun or that have n8n-specific defaults differing from the App CloudRun base module. For full documentation of variables with identical semantics, refer to the App_CloudRun Configuration Guide.

---

§1 · Module Overview

What N8N CloudRun provides

• An n8n container (prebuilt image from Docker Hub, enable_image_mirroring = true) deployed on Cloud Run listening on port 5678.
• A Cloud SQL PostgreSQL instance as the n8n database backend. DB_TYPE = "postgresdb" and all DB_POSTGRESDB_* connection variables are injected automatically.
• Cloud SQL Auth Proxy via Unix socket — enable_cloudsql_volume = true by default. This is a user-configurable variable (not hardcoded).
• NFS (Cloud Filestore) enabled by default (enable_nfs = true) for shared workflow data, credential storage, and execution history persistence across container restarts.
• Redis enabled by default (enable_redis = true) for n8n queue mode. When redis_host = "", the $(NFS_SERVER_IP) runtime placeholder is used — the NFS server IP is resolved by App CloudRun at container startup, not pre-computed at Terraform apply time.
• A predicted service URL computed before deployment as https://<resource_prefix>-<project_number>.<region>.run.app. Injected as WEBHOOK_URL and N8N_EDITOR_BASE_URL so n8n webhooks are correctly advertised without requiring a post-deploy re-apply.
• N8N_ENCRYPTION_KEY and N8N_SMTP_PASS auto-generated by N8N Common and stored in Secret Manager via module_secret_env_vars. The encryption key protects all n8n credentials — back it up before destroying the module.

N8N CloudRun vs N8N AI CloudRun: This module is the standard n8n workflow automation deployment. It does not include Qdrant vector database or Ollama LLM server. Use N8N AI CloudRun when you need the full AI stack (RAG pipelines, local LLMs).

Key differences from App CloudRun defaults

Feature	App CloudRun default	N8N CloudRun default
container_port	8080	5678
cpu_limit	"1000m"	"2000m"
memory_limit	"512Mi"	"4Gi"
max_instance_count	1	1
enable_nfs	false	true
enable_cloudsql_volume	false	true (user-configurable)
enable_redis	false	true
enable_image_mirroring	true	true
Health probe path	/healthz	/
Service URL pre-computation	none	predicted before deployment

---

§2 · IAM & Project Identity

These variables configure the GCP project target, deployment identity, and platform metadata. Their semantics are identical to the App CloudRun equivalents — refer to App_CloudRun §2 for full detail.

Variable	Default	Description
project_id	(required)	GCP project into which all resources are deployed.
tenant_deployment_id	"demo"	Short suffix appended to resource names to allow multiple deployments in the same project.
resource_creator_identity	"rad-module-creator@tec-rad-ui-2b65.iam.gserviceaccount.com"	Service account used by Terraform. Override with a project-specific account for production.
support_users	[]	Email addresses granted IAM access and added to monitoring alert channels.
resource_labels	{}	Labels applied to all module-managed resources.
module_description	(N8N description string)	Platform UI description. Do not modify unless customising the module.
module_documentation	"https://docs.radmodules.dev/docs/modules/N8N_CloudRun"	External documentation URL displayed in the platform UI.
module_dependency	["Services GCP"]	Platform modules that must be deployed before this one.
deployment_id	""	Optional fixed deployment ID. Auto-generated when blank.

---

§3 · Core Service Configuration

§3.A · Application Identity

display_name and description are passed to N8N Common (not directly to App CloudRun's application_display_name). display_name is an alias for application_display_name in the module interface.

Variable	Default	Description
application_name	"n8n"	Base name for the Cloud Run service, Artifact Registry repo, Secret Manager secrets, and GCS buckets. Do not change after initial deployment — changing it forces resource recreation.
display_name	"N8N Workflow Automation"	Human-readable name in the platform UI and Cloud Run console. Passed to N8N Common as the display name alias.
description	"n8n Workflow Automation - Workflow automation platform"	Brief description of the deployment. Passed to N8N Common and surfaced in Cloud Run service metadata.
application_version	"2.4.7"	Container image version tag. Increment to trigger a new image pull and deploy a new revision.

§3.B · Resource Sizing

cpu_limit and memory_limit are exposed as dedicated top-level variables. Workflow automation with concurrent node execution and large data processing benefits from the elevated defaults.

Variable	Default	Description
cpu_limit	"2000m"	CPU limit per container instance. 2 vCPU is the recommended minimum for active workflow automation with concurrent node execution.
memory_limit	"4Gi"	Memory limit per container instance. n8n caches workflow state and credential data in memory. Setting below 1Gi risks out-of-memory restarts during complex workflow executions.
min_instance_count	0	Minimum live instances. 0 enables scale-to-zero. Set to 1 to eliminate cold starts and keep webhook listeners active.
max_instance_count	1	Maximum concurrent instances. Default 1 ensures workflow state consistency. Enable Redis queue mode (enable_redis = true) before increasing — without Redis, multiple instances conflict on credential and workflow state.
container_port	5678	Port n8n binds to inside the container. Must match N8N_PORT, injected automatically.
timeout_seconds	300	Maximum request duration. Increase to 600–900 for workflows with long-running external API calls or large data processing steps (maximum 3600).
execution_environment	"gen2"	Cloud Run generation. "gen2" is required for NFS volume mounts.
deploy_application	true	Set false to provision infrastructure without deploying the container.
enable_cloudsql_volume	true	Injects the Cloud SQL Auth Proxy sidecar for Unix socket connections. Set false only when connecting to Cloud SQL via TCP.
enable_image_mirroring	true	Mirrors the n8n image into Artifact Registry. Recommended to avoid Docker Hub rate limits in production.

§3.C · Environment Variables & Secrets

The environment_variables variable has n8n-specific SMTP defaults. The following platform-managed variables are automatically injected and must not be set in environment_variables — they will conflict with or be overridden by the platform values.

Do not set in environment_variables: N8N_PORT, DB_TYPE, N8N_ENCRYPTION_KEY, WEBHOOK_URL, N8N_EDITOR_BASE_URL, ENABLE_REDIS, QUEUE_BULL_REDIS_HOST, QUEUE_BULL_REDIS_PORT, QUEUE_BULL_REDIS_PASSWORD, N8N_PROTOCOL, N8N_DIAGNOSTICS_ENABLED, N8N_METRICS, N8N_SECURE_COOKIE, N8N_DEFAULT_BINARY_DATA_MODE. The DB_POSTGRESDB_* variables are injected at runtime by entrypoint.sh (not by Terraform directly) — do not set them in environment_variables either.

Default environment_variables (SMTP placeholders):

environment_variables = {
  SMTP_HOST     = ""
  SMTP_PORT     = "25"
  SMTP_USER     = ""
  SMTP_PASSWORD = ""
  SMTP_SSL      = "false"
  EMAIL_FROM    = "ghost@example.com"   # override with your sender address
}

Override these to enable n8n workflow failure alerts and credential sharing emails.

Variable	Default	Description
environment_variables	(SMTP defaults above)	Plain-text key/value pairs injected into the Cloud Run revision. Use for non-sensitive n8n config.
secret_environment_variables	{}	Map of env var name → Secret Manager secret name. Resolved at runtime; plaintext never stored in Terraform state.
secret_propagation_delay	30	Seconds to wait after secret creation before dependent operations proceed.
secret_rotation_period	"2592000s"	Pub/Sub rotation notification period (30 days). Set null to disable.

§3.D · Networking

Variable	Default	Description
ingress_settings	"all"	"all" is required for public n8n webhook endpoints to receive external HTTP callbacks. Use "internal" only when webhooks are not needed.
vpc_egress_setting	"PRIVATE_RANGES_ONLY"	Routes only RFC 1918 traffic via VPC. Set "ALL_TRAFFIC" for strict egress or on-premises connectivity.
cloudsql_volume_mount_path	"/cloudsql"	Container path for the Cloud SQL Auth Proxy Unix socket.
container_protocol	"http1"	HTTP protocol version. Use "h2c" only if the application supports HTTP/2 cleartext.
service_annotations	{}	Cloud Run service-level annotations for advanced configuration.
service_labels	{}	Additional labels applied to the Cloud Run service resource.

IAP and webhooks: Enabling enable_iap = true adds Google identity authentication in front of the Cloud Run URL. This blocks all public webhook endpoints. Only enable IAP on internal-only n8n deployments that do not receive external webhook callbacks.

§3.E · Initialization & Bootstrap

Variable	Default	Description
initialization_jobs	[]	Cloud Run jobs executed once during deployment. Passed to N8N Common. Use for n8n database schema setup, workflow imports (n8n import:workflow), or credential seeding.
cron_jobs	[]	Recurring Cloud Run jobs triggered by Cloud Scheduler. Use for periodic workflow exports, cache warm-ups, or maintenance tasks.

For the initialization_jobs and cron_jobs object schemas refer to App_CloudRun §3.E.

---

§4 · Advanced Security

§4.A · Secret Management

Two secrets are auto-generated by N8N Common on every deployment and injected via module_secret_env_vars:

Secret	Purpose
N8N_ENCRYPTION_KEY	32-character random key encrypting all n8n credentials (API keys, OAuth tokens, passwords in workflows). Back up before destroying the module — credentials cannot be decrypted with a different key after re-deployment.
N8N_SMTP_PASS	Placeholder SMTP password. Override the Secret Manager value with a real credential before enabling email sending.

Variable	Default	Description
secret_rotation_period	"2592000s"	Duration between rotation Pub/Sub notifications (30 days). Set null to disable.
secret_propagation_delay	30	Seconds to wait after secret creation before dependent operations proceed.
enable_auto_password_rotation	false	Automates database password rotation via Cloud Run + Eventarc.
rotation_propagation_delay_sec	90	Seconds to wait after rotation before Cloud Run restarts to pick up the new value.

§4.B · Identity-Aware Proxy (IAP)

Important: Enabling IAP blocks all public webhook endpoints. Only enable for internal-only n8n deployments.

Variable	Default	Description
enable_iap	false	Enables Cloud Run native IAP. Configure iap_authorized_users and/or iap_authorized_groups when enabling.
iap_authorized_users	[]	Individual users or service accounts. Format: "user:email@example.com".
iap_authorized_groups	[]	Google Groups. Format: "group:name@example.com".

§4.C · Cloud Armor & CDN

Variable	Default	Description
enable_cloud_armor	false	Enables Cloud Armor WAF + Global HTTPS Load Balancer with OWASP Top 10 protection and DDoS mitigation.
application_domains	[]	Custom domain names. Google-managed SSL certificates are provisioned automatically. DNS must point to the LB IP before cert provisioning.
enable_cdn	false	Enables Cloud CDN for n8n static asset caching. Only active when enable_cloud_armor = true.
admin_ip_ranges	[]	CIDR ranges for administrative access bypass.

§4.D · VPC Service Controls

Variable	Default	Description
enable_vpc_sc	false	Restricts GCP API access to a VPC-SC perimeter, preventing data exfiltration.

§4.E · Binary Authorization

Variable	Default	Description
enable_binary_authorization	false	Enforces Binary Authorization attestation policy. Requires a policy and attestor pre-configured in the project.

---

§5 · Traffic & Ingress

§5.A · Ingress Controls

Variable	Default	Options	Description
ingress_settings	"all"	all / internal / internal-and-cloud-load-balancing	"all" is required for n8n to receive external webhook callbacks. Use "internal" only when webhooks are not needed.
vpc_egress_setting	"PRIVATE_RANGES_ONLY"	ALL_TRAFFIC / PRIVATE_RANGES_ONLY	Routes only RFC 1918 outbound traffic via VPC. Set "ALL_TRAFFIC" for strict egress control.

§5.B · Traffic Management

Variable	Default	Description
traffic_split	[]	Allocates traffic across Cloud Run revisions for canary or blue-green deployments. All entries must sum to 100. Empty list sends all traffic to the latest revision.

§5.C · Custom Domains & Load Balancer

Variable	Default	Description
application_domains	[]	Custom domain names (e.g. ["n8n.example.com"]). Google-managed SSL certificates provisioned automatically. DNS A records must point to the LB IP before cert provisioning.
enable_cdn	false	Enables Cloud CDN for n8n static asset caching. Requires enable_cloud_armor = true.
admin_ip_ranges	[]	CIDR ranges for administrative access bypass.

---

§6 · CI/CD Integration

§6.A · GitHub & Cloud Build

n8n uses the prebuilt Docker Hub image (enable_image_mirroring = true). The CI/CD pipeline mirrors the image into Artifact Registry and deploys it — no custom Dockerfile build is needed unless you extend the base image.

Variable	Default	Description
enable_cicd_trigger	false	Creates a Cloud Build trigger that builds and deploys on push to the configured branch.
github_repository_url	""	Full HTTPS URL of the GitHub repository. Required when enable_cicd_trigger = true.
github_token	""	GitHub PAT for repository authentication. Required scopes: repo, admin:repo_hook, workflow. Mutually exclusive with github_app_installation_id.
github_app_installation_id	""	Cloud Build GitHub App installation ID. Preferred over PAT for organisation repositories.
cicd_trigger_config	{ branch_pattern = "^main$" }	Controls branch filter, included/ignored paths, trigger name, and build substitutions.

§6.B · Cloud Deploy Pipelines

Variable	Default	Description
enable_cloud_deploy	false	Switches from direct Cloud Build deployments to a Cloud Deploy pipeline with defined promotion stages. Requires enable_cicd_trigger = true.
cloud_deploy_stages	[dev, staging, prod(approval)]	Ordered promotion stages with optional manual approval gates.
enable_binary_authorization	false	See §4.E.

---

§7 · Reliability & Data

§7.A · Health Probes

N8N CloudRun exposes two probe interfaces: flat objects (startup_probe / liveness_probe) and structured objects (startup_probe_config / health_check_config). When both are provided, the structured form takes precedence. Probe paths target / — n8n does not expose a dedicated health endpoint.

Variable	Default	Description
startup_probe	{ enabled=true, type="HTTP", path="/", initial_delay_seconds=120, timeout_seconds=3, period_seconds=10, failure_threshold=3 }	Flat startup probe. initial_delay_seconds=120 gives n8n time to connect to Cloud SQL and load workflow state before probing begins.
liveness_probe	{ enabled=true, type="HTTP", path="/", initial_delay_seconds=30, timeout_seconds=5, period_seconds=30, failure_threshold=3 }	Flat liveness probe. initial_delay_seconds=30 avoids false restarts during the post-startup phase.
startup_probe_config	{ enabled=true }	Structured startup probe (takes precedence over startup_probe). Default type TCP with 240-second timeout.
health_check_config	{ enabled=true }	Structured liveness probe (takes precedence over liveness_probe). Default HTTP on / with 10-second period.
uptime_check_config	{ enabled=true, path="/", check_interval="60s", timeout="10s" }	Cloud Monitoring uptime check from multiple global locations.

§7.B · Storage

Variable	Default	Description
enable_nfs	true	Provisions a Cloud Filestore NFS instance mounted into the container. Used for n8n workflow data, credential, and execution history persistence. Requires execution_environment = "gen2".
nfs_mount_path	"/mnt/nfs"	Container path for the NFS volume. Also the source for the $(NFS_SERVER_IP) Redis host placeholder.
storage_buckets	[{ name_suffix = "data" }]	GCS buckets to provision. N8N Common may provision additional buckets via module_storage_buckets.
create_cloud_storage	true	Set false to skip provisioning storage_buckets.
gcs_volumes	[]	GCS buckets mounted as GCS Fuse volumes into the n8n container.

§7.C · Database

n8n requires PostgreSQL. db_name and db_user are aliases for application_database_name and application_database_user. All DB_POSTGRESDB_* connection variables are injected automatically.

Variable	Default	Description
db_name	"n8n_db"	PostgreSQL database name. Injected as DB_POSTGRESDB_DATABASE. Do not change after initial deployment.
db_user	"n8n_user"	PostgreSQL user. Injected as DB_POSTGRESDB_USER. Password auto-generated and injected as DB_POSTGRESDB_PASSWORD.
database_password_length	32	Auto-generated password length (16–64 characters).
enable_auto_password_rotation	false	Automates password rotation via Cloud Run + Eventarc. See §4.A.
rotation_propagation_delay_sec	90	Seconds to wait after rotation before Cloud Run restarts.

§7.D · Backup & Recovery

backup_uri is the n8n-specific name for backup_file in App CloudRun. The mapping is applied in main.tf (backup_file = var.backup_uri).

Variable	Default	Description
backup_schedule	"0 2 * * *"	Cron expression (UTC) for the automated backup job. Leave empty to disable.
backup_retention_days	7	Days to retain backup files in GCS before automatic deletion.
enable_backup_import	false	Triggers a one-time import job to restore the backup at backup_uri.
backup_source	"gcs"	Source: "gcs" (full GCS URI) or "gdrive" (Google Drive file ID).
backup_uri	""	For GCS: e.g. "gs://my-bucket/backups/n8n.sql". Mapped to backup_file in App CloudRun.
backup_format	"sql"	Format of the backup file. Accepted: sql, gz, tar, tgz, tar.gz, zip. Note: "auto" is not a valid value here (it appears in the UI option list but fails validation).

---

§8 · Integrations

§8.A · Redis (Queue Mode)

Redis enables n8n queue mode, allowing reliable workflow execution and horizontal scaling. When enable_redis = true and redis_host is left empty, the module defaults to using the NFS server IP via the $(NFS_SERVER_IP) runtime placeholder resolved by entrypoint.sh. Override redis_host to point at an external instance such as Cloud Memorystore. The injected environment variables are ENABLE_REDIS, QUEUE_BULL_REDIS_HOST, QUEUE_BULL_REDIS_PORT, and QUEUE_BULL_REDIS_PASSWORD (when redis_auth is set).

Variable	Default	Description
enable_redis	true	Injects ENABLE_REDIS, QUEUE_BULL_REDIS_HOST, and QUEUE_BULL_REDIS_PORT into the Cloud Run service.
redis_host	""	Redis hostname or IP. Leave empty to use $(NFS_SERVER_IP) (NFS server IP resolved at runtime).
redis_port	"6379"	Redis TCP port (string). Injected as QUEUE_BULL_REDIS_PORT.
redis_auth	""	Redis AUTH password. Leave empty if authentication is not enabled.

§8.B · Custom SQL

Custom SQL scripts stored in GCS are run against the database during initialisation, before the application starts. Useful for schema migrations or seeding reference data.

Variable	Default	Description
enable_custom_sql_scripts	false	Runs custom SQL scripts from a GCS bucket against the application database after provisioning.
custom_sql_scripts_bucket	""	GCS bucket name (without gs://) containing the SQL scripts. Required when enable_custom_sql_scripts = true.
custom_sql_scripts_path	""	Path prefix within the GCS bucket from which .sql files are executed in lexicographic order.
custom_sql_scripts_use_root	false	Execute scripts as the root database user instead of the application user. Enable for scripts requiring elevated privileges (e.g., creating extensions or roles).

§8.C · Observability

Variable	Default	Description
uptime_check_config	{ enabled = true, path = "/" }	Cloud Monitoring uptime check. check_interval and timeout use "Ns" format.
alert_policies	[]	List of metric-threshold alert policies. Each entry requires name, metric_type, comparison, threshold_value, duration_seconds.
service_annotations	{}	Kubernetes-style annotations applied to the Cloud Run service resource.
service_labels	{}	Labels applied to the Cloud Run service (in addition to resource_labels).

§8.D · SMTP / Email

n8n has no dedicated SMTP input variables. Configure SMTP via environment_variables:

environment_variables = {
  SMTP_HOST             = "smtp.example.com"
  SMTP_PORT             = "587"
  SMTP_USER             = "noreply@example.com"
  N8N_SMTP_SSL          = "false"
  N8N_SMTP_SENDER       = "noreply@example.com"
  EMAIL_FROM            = "noreply@example.com"
  N8N_EMAIL_MODE        = "smtp"
}

The SMTP password is auto-generated, stored in Secret Manager, and injected as N8N_SMTP_PASS — it cannot be overridden via environment_variables.

---

§9 · Platform-Managed Behaviours

The following are set automatically by the module and cannot be overridden via input variables. They are listed here for diagnostic and integration reference.

Environment Variables (always injected)

Variable	Value / Source	Notes
N8N_PORT	"5678"	Hardcoded to match container_port.
N8N_PROTOCOL	"https"	Sets the public protocol for webhook URL generation.
N8N_DIAGNOSTICS_ENABLED	"true"	Enables usage telemetry. Override in environment_variables to disable.
N8N_METRICS	"true"	Enables Prometheus metrics endpoint.
N8N_SECURE_COOKIE	"false"	Disables secure cookie flag — required because Cloud Run terminates TLS before the container.
N8N_DEFAULT_BINARY_DATA_MODE	"filesystem"	Stores binary workflow data on the GCS Fuse filesystem volume.
DB_TYPE	"postgresdb"	Forces PostgreSQL backend.
DB_POSTGRESDB_HOST	Cloud SQL socket/IP	Resolved at runtime by entrypoint.sh from the DB_HOST platform variable.
DB_POSTGRESDB_DATABASE	var.db_name	Mapped from DB_NAME by entrypoint.sh. Defaults to "n8n_db".
DB_POSTGRESDB_USER	var.db_user	Mapped from DB_USER by entrypoint.sh. Defaults to "n8n_user".
DB_POSTGRESDB_PASSWORD	Secret Manager ref	Mapped from DB_PASSWORD by entrypoint.sh; auto-generated and injected as a secret env var.
N8N_ENCRYPTION_KEY	Secret Manager ref	Auto-generated encryption key; injected as a secret env var.
N8N_SMTP_PASS	Secret Manager ref	Auto-generated SMTP password; injected as a secret env var.
WEBHOOK_URL	Predicted service URL	Pre-computed as https://<resource_prefix>-<project_number>.<region>.run.app before the service is created.
N8N_EDITOR_BASE_URL	Predicted service URL	Same value as WEBHOOK_URL.
ENABLE_REDIS	"true" / "false"	Always injected; reflects the enable_redis variable value.

Conditional Injections

Condition	Variable	Value
always	ENABLE_REDIS	"true" when enable_redis = true; "false" otherwise.
enable_redis = true	QUEUE_BULL_REDIS_HOST	var.redis_host if set; otherwise $(NFS_SERVER_IP) (resolved at runtime by entrypoint.sh).
enable_redis = true	QUEUE_BULL_REDIS_PORT	var.redis_port (default "6379").
enable_redis = true and redis_auth non-empty	QUEUE_BULL_REDIS_PASSWORD	var.redis_auth.

Structural Wiring

Behaviour	Detail
enable_cloudsql_volume	Passed through from var.enable_cloudsql_volume (default true). Not forced.
scripts_dir	Resolved as abspath("${module.n8n_app.path}/scripts") — points to N8N Common's bundled scripts.
backup_file	Mapped from var.backup_uri in main.tf.
module_explicit_secret_values	Receives module.n8n_app.secret_values — the raw generated secret values. Passed to App CloudRun to allow GKE-style direct Kubernetes Secret injection, bypassing Secret Manager read-after-write delays.
Probe resolution	startup_probe_config / health_check_config take precedence over flat startup_probe / liveness_probe variables when both are supplied.

---

§10 · Variable Reference

Complete list of all input variables, grouped by UI section.

Group	Variable	Type	Default	Updatable
0	module_description	string	(long description)	—
0	module_documentation	string	"https://docs.radmodules.dev/docs/modules/N8N_CloudRun"	—
0	module_dependency	list(string)	["Services GCP"]	—
0	module_services	list(string)	(service list)	—
0	credit_cost	number	50	—
0	require_credit_purchases	bool	false	—
0	enable_purge	bool	true	—
0	public_access	bool	true	—
0	deployment_id	string	""	yes
0	resource_creator_identity	string	"rad-module-creator@…"	yes
1	project_id	string	—	yes
1	tenant_deployment_id	string	"demo"	yes
1	support_users	list(string)	[]	yes
1	resource_labels	map(string)	{}	yes
2	application_name	string	"n8n"	—
2	display_name	string	"N8N Workflow Automation"	yes
2	description	string	"n8n Workflow Automation - …"	yes
2	application_version	string	"2.4.7"	yes
3	deploy_application	bool	true	yes
3	cpu_limit	string	"2000m"	yes
3	memory_limit	string	"4Gi"	yes
3	min_instance_count	number	0	yes
3	max_instance_count	number	1	yes
3	container_port	number	5678	—
3	execution_environment	string	"gen2"	yes
3	timeout_seconds	number	300	yes
3	enable_cloudsql_volume	bool	true	yes
3	service_annotations	map(string)	{}	yes
3	service_labels	map(string)	{}	yes
3	enable_image_mirroring	bool	true	yes
3	traffic_split	list(object)	[]	yes
3	max_revisions_to_retain	number	7	yes
3	container_protocol	string	"http1"	yes
3	cloudsql_volume_mount_path	string	"/cloudsql"	yes
4	ingress_settings	string	"all"	yes
4	vpc_egress_setting	string	"PRIVATE_RANGES_ONLY"	yes
4	enable_iap	bool	false	yes
4	iap_authorized_users	list(string)	[]	yes
4	iap_authorized_groups	list(string)	[]	yes
5	environment_variables	map(string)	{ SMTP_HOST = "", … }	yes
5	secret_environment_variables	map(string)	{}	yes
5	secret_rotation_period	string	"2592000s"	yes
5	secret_propagation_delay	number	30	yes
6	backup_schedule	string	"0 2 * * *"	yes
6	backup_retention_days	number	7	yes
6	enable_backup_import	bool	false	yes
6	backup_source	string	"gcs"	yes
6	backup_uri	string	""	yes
6	backup_format	string	"sql"	yes
7	enable_cicd_trigger	bool	false	yes
7	github_repository_url	string	""	yes
7	github_token	string	""	yes
7	github_app_installation_id	string	""	yes
7	cicd_trigger_config	object	{ branch_pattern = "^main$" }	yes
7	enable_cloud_deploy	bool	false	yes
7	cloud_deploy_stages	list(object)	[dev, staging, prod(approval)]	yes
7	enable_binary_authorization	bool	false	yes
8	enable_custom_sql_scripts	bool	false	yes
8	custom_sql_scripts_bucket	string	""	yes
8	custom_sql_scripts_path	string	""	yes
8	custom_sql_scripts_use_root	bool	false	yes
9	enable_cloud_armor	bool	false	yes
9	admin_ip_ranges	list(string)	[]	yes
9	application_domains	list(string)	[]	yes
9	enable_cdn	bool	false	yes
9	max_images_to_retain	number	7	yes
9	delete_untagged_images	bool	true	yes
9	image_retention_days	number	30	yes
10	create_cloud_storage	bool	true	yes
10	storage_buckets	list(object)	[{ name_suffix = "data" }]	yes
10	enable_nfs	bool	true	—
10	nfs_mount_path	string	"/mnt/nfs"	—
10	nfs_instance_name	string	""	yes
10	nfs_instance_base_name	string	"app-nfs"	yes
10	gcs_volumes	list(object)	[]	yes
10	manage_storage_kms_iam	bool	false	yes
10	enable_artifact_registry_cmek	bool	false	yes
11	db_name	string	"n8n_db"	—
11	db_user	string	"n8n_user"	—
11	database_password_length	number	32	yes
11	enable_auto_password_rotation	bool	false	yes
11	rotation_propagation_delay_sec	number	90	yes
12	initialization_jobs	list(object)	[]	yes
12	cron_jobs	list(object)	[]	yes
13	startup_probe	object	(HTTP /, 120s delay)	yes
13	liveness_probe	object	(HTTP /, 30s delay)	yes
13	startup_probe_config	object	(TCP, 240s timeout)	yes
13	health_check_config	object	(HTTP /, 10s period)	yes
13	uptime_check_config	object	{ enabled = true, path = "/" }	yes
13	alert_policies	list(object)	[]	yes
20	enable_redis	bool	true	yes
20	redis_host	string	""	yes
20	redis_port	string	"6379"	yes
20	redis_auth	string	""	yes
21	enable_vpc_sc	bool	false	yes
21	vpc_cidr_ranges	list(string)	[]	yes
21	vpc_sc_dry_run	bool	true	yes
21	organization_id	string	""	yes
21	enable_audit_logging	bool	false	yes

Configuration Pitfalls & Sensible Defaults

Risk levels: Critical (data loss, full outage, security breach) — High (service unavailable or significant degradation) — Medium (degraded function or increased cost) — Low (minor impact).

Variable	Sensible Default	Risk	Consequence of Incorrect Value
N8N_ENCRYPTION_KEY (auto-generated secret)	Auto-generated 32-char random string stored in Secret Manager	Critical	Changing this key after first run permanently loses all saved credentials (OAuth tokens, API keys, passwords) stored in workflows. Never rotate unless you are prepared to re-enter every credential.
application_name	"n8n"	Critical	Immutable after first deploy. Changing it renames all GCP resources, causing a full resource recreation, database loss, and service outage.
db_name	"n8n_db"	Critical	Immutable after first deploy. Changing it after data exists causes n8n to connect to a new empty database, losing all workflows, credentials, and execution history.
WEBHOOK_URL / N8N_EDITOR_BASE_URL (injected from service_url)	Predicted Cloud Run service URL	Critical	Must match the actual public URL of the service. If wrong, all webhook triggers (including OAuth callbacks) will silently fail. After deployment, verify the predicted URL matches the actual Cloud Run service URL.
enable_redis	true	High	n8n defaults to true for queue mode. Disabling Redis while max_instance_count > 1 causes split-brain execution: each instance runs its own queue, producing duplicate and conflicting workflow executions. Keep max_instance_count = 1 when Redis is disabled.
redis_host	"" (uses NFS server IP when enable_nfs = true)	High	When enable_redis = true and redis_host is empty, the module falls back to the NFS server IP. If enable_nfs = false and redis_host is also empty, the Redis connection string is blank and n8n fails to start.
memory_limit	"4Gi"	High	n8n loads all active workflow definitions and holds execution context in memory. Values below 2Gi cause OOM kills under moderate load. The default 4 Gi is the recommended minimum for production with Redis queue mode enabled.
cpu_limit	"2000m"	Medium	Values below 1000m cause throttling on workflow execution, especially for multi-step automations with code nodes.
min_instance_count	0	Medium	Setting to 0 enables scale-to-zero, which causes cold-start delays of 5–15 seconds for the first webhook or scheduled trigger after idle periods. Set to 1 for time-sensitive webhook workloads.
max_instance_count	1	High	Increasing above 1 without enabling Redis leads to split-brain queue processing. Only increase with enable_redis = true.
enable_nfs	true	High	n8n uses filesystem binary data mode by default (N8N_DEFAULT_BINARY_DATA_MODE = "filesystem"). Without NFS, binary data (file attachments, large payloads) is written to the ephemeral container filesystem and lost on every restart or scale event.
nfs_mount_path	"/mnt/nfs"	High	Must match the path configured in n8n's binary data storage settings. Mismatches cause binary attachment writes to fail silently or fall back to in-memory storage.
execution_environment	"gen2"	High	NFS mounts require the gen2 execution environment. Changing to gen1 causes NFS mount failures and container startup errors.
ingress_settings	"all"	Medium	Setting to "internal" blocks all webhook traffic from the public internet, breaking integrations with external services (Slack, GitHub, etc). Use "internal-and-cloud-load-balancing" when combined with Cloud Armor.
vpc_egress_setting	"PRIVATE_RANGES_ONLY"	Medium	Setting to "all-traffic" routes all outbound traffic through the VPC connector, which may block external API calls if the VPC has restrictive firewall rules.
enable_iap	false	High	If enable_iap = true but iap_authorized_users and iap_authorized_groups are both empty, the service is protected by IAP but no users are granted access, causing 403 errors for all requests.
backup_schedule	"0 2 * * *" (daily at 02:00)	Medium	An excessively frequent schedule can increase Cloud SQL costs and I/O pressure. Ensure the schedule aligns with your RPO requirements.
backup_retention_days	7	Medium	Retaining fewer than 3 days of backups is unsafe for production. Increasing above 30 days significantly increases Cloud SQL storage costs.
enable_binary_authorization	false	Medium	Enabling Binary Authorization with binauthz_evaluation_mode = "REQUIRE_ATTESTATION" blocks all deployments unless the n8n image has a valid attestation. Use "ALWAYS_ALLOW" initially and add attestors before enforcing.
enable_cloud_armor	false	Medium	Leaving Cloud Armor disabled exposes the service to unauthenticated traffic at scale. Enable with admin_ip_ranges to restrict access in production environments.
secret_rotation_period	"2592000s" (30 days)	Low	Very short rotation periods (e.g., "3600s") can cause the SMTP password to rotate before n8n reads the new value, causing email-sending failures until the next pod restart. Use the secret_propagation_delay variable to add a buffer.
enable_auto_password_rotation	false	Medium	Enabling this without configuring rotation_propagation_delay_sec correctly can cause the application to use an old password during the propagation window, resulting in authentication failures.
enable_vpc_sc	false	Medium	VPC-SC requires organization_id to be explicitly set. If left empty with enable_vpc_sc = true, VPC-SC perimeter creation is silently skipped with a warning rather than failing the apply.
vpc_sc_dry_run	true	Low	Leaving dry-run mode enabled in production means VPC-SC rules are logged but not enforced. Set to false only after validating perimeter rules in dry-run mode.
organization_id	""	Medium	Required for VPC-SC. If empty, VPC Service Controls are not activated regardless of enable_vpc_sc.

Destroying Resources

Known Deletion Issue: Serverless IPv4 Address Release

When destroying a Cloud Run deployment, you may encounter an error similar to:

Error: Error waiting for Subnetwork to be deleted: The following serverless IPv4 address(es) on subnet ... are still in use.

Cause: GCP holds serverless IPv4 addresses on the VPC subnet asynchronously after a Cloud Run service is deleted. These addresses are released by GCP approximately 20–30 minutes after the Cloud Run service is removed. Terraform/OpenTofu cannot complete the subnet or VPC deletion until they are fully released.

Resolution: Wait 20–30 minutes after the initial destroy attempt, then re-run the destroy command:

tofu destroy

The second run will succeed once GCP has released the reserved addresses.