GCP Professional Cloud Architect Practice Question

Your platform team wants to standardize IaC workflows across dozens of projects. Requirements: 1) Terraform state must be versioned and encrypted at rest in Google Cloud. 2) Concurrent pipelines must be prevented from corrupting state. 3) All applies must run from a controlled build environment, not from engineers' laptops. Which approach satisfies all requirements while adding the least operational overhead?

Use Terraform Cloud as the backend but allow engineers to execute terraform locally; archive execution logs to Cloud Storage for auditing.
Check the tfstate file into the Git repository, enforce branch protection, and have developers run terraform from a shared Cloud Shell instance.
Configure the Terraform GCS backend to store state in a Cloud Storage bucket with object versioning and CMEK enabled, and run plan/apply steps from Cloud Build using a dedicated least-privilege service account.
Invoke Deployment Manager templates from Cloud Functions on a schedule and keep deployment state in Firestore documents.

Report Issue

Answer Description

Storing Terraform state in a Cloud Storage bucket with object versioning fulfills the need for state history, while CMEK (or default encryption) secures data at rest. The GCS backend implements a lock file that blocks simultaneous writers, protecting the state from concurrent corruption. Running plan/apply steps inside Cloud Build keeps execution in a centrally managed environment and removes the need for developers to have direct apply permissions or local state. The other options either lack versioned, remotely-locked state, violate the controlled execution requirement, or use services (Deployment Manager, Terraform Cloud SaaS) that do not meet the stated constraints.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.