Your organization is migrating multiple analytics projects to Google Cloud. For regulatory reasons, every new resource, including BigQuery datasets, must reside exclusively in the europe-west3 region. Infrastructure is provisioned through a centralized Terraform-based CI/CD pipeline managed at the level of a folder that contains dozens of projects. What is the most effective way to programmatically guarantee that engineers cannot create resources outside europe-west3 in either existing or future projects while keeping day-to-day operational effort low?
Create a custom IAM role that includes bigquery.datasets.create and add an IAM condition limiting its use to europe-west3, then bind this role to all engineering service accounts.
Define an organization policy at the folder root that sets the constraints/gcp.resourceLocations list policy to allow only the europe-west3 region, and manage it with a Terraform google_org_policy_policy resource.
Set each project's BigQuery default dataset location to europe-west3 in Terraform modules and monitor Cloud Logging for any deviations.
Place all projects in a VPC Service Controls perimeter restricted to europe-west3 so that resource creations outside the region are automatically blocked.
The Organization Policy Service lets you define location constraints that automatically apply to every project under a folder or organization. By authoring a policy that sets the constraints/gcp.resourceLocations list policy to allow only in:regions/europe-west3 (and denying all others) and enforcing it at the folder root, any API call or IaC tool, including Terraform, will be rejected by the control plane if it attempts to create a resource in another region. No additional per-project configuration is required, so ongoing operational overhead is minimal.
Creating custom IAM roles with conditional permissions cannot filter resource creation by region; IAM Conditions evaluate request attributes such as resource name or method but do not offer a built-in condition for location during creation. Setting each project's default BigQuery location or relying on BigQuery Reservations does not stop users from specifying a different region when they create datasets or other resources. VPC Service Controls limit data exfiltration between service perimeters but do not restrict where new resources can be instantiated. Therefore, applying the gcp.resourceLocations organization policy at the folder (or organization) level is the only option that programmatically enforces the required regional restriction across all projects.
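A sketch of the folder-level policy described above, as an added example that is not part of the original question. The variables `folder_id` and `project_id` and the dataset name are placeholders, and the allowed value uses the `in:europe-west3-locations` value group, the form Google's documentation uses for resource location groups.

```hcl
# Added example; folder_id and project_id are placeholder inputs.
variable "folder_id" {
  type        = string
  description = "Numeric ID of the folder that holds the analytics projects."
}

variable "project_id" {
  type        = string
  description = "ID of one project under that folder."
}

# List policy attached to the folder. Every existing and future project
# below the folder inherits it, so nothing is configured per project.
resource "google_org_policy_policy" "resource_locations" {
  name   = "folders/${var.folder_id}/policies/gcp.resourceLocations"
  parent = "folders/${var.folder_id}"

  spec {
    # Do not merge rules set higher in the hierarchy; this allow-list
    # alone is the effective policy for the folder.
    inherit_from_parent = false

    rules {
      values {
        # Anything not in the allow-list is denied.
        allowed_values = ["in:europe-west3-locations"]
      }
    }
  }
}

# A compliant dataset. If location were set to another region or
# multi-region, the create call would be rejected at apply time.
resource "google_bigquery_dataset" "analytics" {
  project    = var.project_id
  dataset_id = "analytics_eu"
  location   = "europe-west3"

  # Create the dataset only after the policy resource exists.
  depends_on = [google_org_policy_policy.resource_locations]
}
```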
GCP Professional Data Engineer
Designing data processing systems