GCP Associate Cloud Engineer Practice Question

Your company is moving its Terraform workflows to Google Cloud. Several engineers in different regions will run terraform apply against the same infrastructure code. Security mandates that the state file must be encrypted at rest, previous versions must be recoverable if someone deletes or corrupts the file, and simultaneous runs must not corrupt the state. Which approach best satisfies all requirements with minimal operational overhead?

Provision a Filestore share mounted over VPN from engineer laptops and point the Terraform local backend path to that shared directory.
Keep the local backend and commit the state file to Cloud Source Repositories after every apply so that Git history preserves older versions.
Store the state file as a secret in Secret Manager, keep using the local backend, and grant engineers Secret Manager access via IAM.
Create a regional Cloud Storage bucket dedicated to Terraform state, enable object versioning and a locked retention policy, enforce uniform bucket-level access, and configure the Terraform gcs backend to use this bucket.

Report Issue

Answer Description

A Cloud Storage bucket used with the Terraform gcs backend provides highly available remote state and automatically handles state locking by using object generation preconditions. Enabling object versioning ensures that earlier state files can be recovered, and a retention policy locked through Bucket Lock prevents accidental or malicious deletion within the defined period. Cloud Storage encrypts all data at rest automatically (and can optionally use CMEK), so the solution meets encryption, recovery, and concurrency requirements without additional services. Secret Manager, source-controlled local state, or Filestore shares either do not provide automatic locking, easy version recovery, or both.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.