GCP Professional Cloud Architect Practice Question

Your organization is implementing Terraform for three GCP environments (dev, qa, prod). Architects mandate: (1) state must be centrally stored, versioned, and encrypted; (2) all terraform plan and apply operations must run only from Cloud Build; (3) concurrent terraform executions must be prevented; (4) engineers must have read-only access to state files. Which design satisfies all mandates?

Store state locally on the Cloud Build VM and copy it to an encrypted Cloud Storage bucket after each apply; allow engineers Storage Object Admin so they can restore versions when needed.
Create separate Cloud Storage buckets per environment without versioning, authenticate Terraform with developer-owned service-account keys, and run plan/apply from developer laptops while relying on manual workspace locks to avoid concurrent updates.
Adopt a Terraform Cloud remote backend accessed by user API tokens; have engineers run terraform apply from Cloud Shell while Cloud Build runs only terraform plan on pull requests.
Configure a GCS backend that stores per-environment state files under dev/, qa/, and prod/ prefixes in one CMEK-encrypted bucket with object versioning enabled; grant the Cloud Build service account Storage Object Admin on the bucket, give engineers Storage Object Viewer, and run all terraform plan/apply steps from Cloud Build triggers.

Report Issue

Answer Description

Using a Cloud Storage (GCS) backend meets all four requirements when it is configured correctly. Placing the state for every environment under a dedicated, CMEK-protected bucket with object versioning provides centralized storage, automatic version history, and encryption at rest. The GCS backend implements state locking by means of object generation numbers, so simultaneous terraform runs are automatically serialized, preventing corruption. Granting the Cloud Build service account the Storage Object Admin role lets the CI pipeline read, write, and lock state, while giving engineers only Storage Object Viewer satisfies the read-only requirement. Running terraform plan and terraform apply exclusively inside Cloud Build ensures that no other execution path can modify state. The alternative approaches either fail to provide reliable locking, lack versioning, expose state to direct developer writes, or violate the requirement that only Cloud Build performs mutations.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.