Your team of five engineers manages several Google Cloud projects with Terraform executed from their local workstations. The Terraform state file is currently committed to Cloud Source Repositories, and concurrent terraform apply commands sometimes overwrite one another, corrupting the state. Management also wants the ability to restore any previous version of the state file without running extra servers. Which approach best meets both requirements using only Google-managed services?
Store the terraform.tfstate file in a private Artifact Registry repository and enable vulnerability scanning to detect conflicting state updates.
Keep the state file in Cloud Source Repositories but enforce branch protection rules and mandatory pull-request reviews before every git push.
Create a dedicated Cloud Storage bucket, enable Object Versioning and uniform bucket-level access, configure the Terraform gcs backend with that bucket and a prefix, and grant the team's service account the roles/storage.objectAdmin role.
Move the Terraform backend to Cloud SQL, enable point-in-time recovery, and control access with Cloud IAM roles on the database.
Storing Terraform state in a Cloud Storage (GCS) backend satisfies both needs. The GCS backend automatically uses the object's generation numbers to provide optimistic state locking, preventing simultaneous writes from different operators. By enabling Object Versioning on the bucket, every change to terraform.tfstate is preserved as a new generation, so any earlier version can be restored if corruption occurs. Granting the team's automation identity the Storage Object Admin role supplies the necessary permissions to read, write, and delete object versions.
Moving the backend to Cloud SQL would require custom scripts because Cloud SQL is not an officially supported Terraform backend. Artifact Registry does not provide state-locking features, and relying on branch protection in Cloud Source Repositories avoids direct file conflicts but offers no transactional locking or built-in versioned backups.
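The setup described in the correct answer, written out as Terraform configuration. This is an added example, not part of the original question; the project ID, bucket name, service account address and prefix are placeholder assumptions, and the bucket is assumed to be created from a separate bootstrap configuration before any workload configuration points its backend at it.

```hcl
# --- bootstrap/main.tf: creates the state bucket (applied once, up front) ---
# All names below (project ID, bucket name, service account) are placeholders.

resource "google_storage_bucket" "tf_state" {
  project  = "example-project-id"
  name     = "example-tf-state-bucket"
  location = "US"

  # Access is controlled by IAM only; per-object ACLs are disabled.
  uniform_bucket_level_access = true

  # Each overwrite of the state object keeps the previous generation as a
  # noncurrent version that can be restored later.
  versioning {
    enabled = true
  }
}

# Grant the role on the bucket rather than on the project, so the identity
# can manage objects in the state bucket only.
resource "google_storage_bucket_iam_member" "tf_state_admin" {
  bucket = google_storage_bucket.tf_state.name
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:terraform@example-project-id.iam.gserviceaccount.com"
}

# --- backend.tf in each workload configuration ---
terraform {
  backend "gcs" {
    bucket = "example-tf-state-bucket"
    prefix = "envs/prod" # state is stored as <prefix>/<workspace>.tfstate
  }
}
```

Earlier generations of the state object can be listed with `gsutil ls -a` and copied back over the live object to restore a previous version.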
GCP Associate Cloud Engineer
Planning and implementing a cloud solution