
PROFESSIONAL-CLOUD-DEVOPS-ENGINEER Question #165: Real Exam Question with Answer & Explanation

The correct answer is D: Grant the roles/storage.objectAdmin Identity and Access Management (IAM) role to the Cloud

Submitted by kavita_s · Apr 18, 2026

Topic: Building and implementing CI/CD pipelines for a service

Question

You are deploying a Cloud Build job that deploys Terraform code when a Git branch is updated. While testing, you noticed that the job fails. You see the following error in the build logs:

    Initializing the backend...
    Error: Failed to get existing workspaces: querying Cloud Storage failed: googleapi: Error 403

You need to resolve the issue by following Google-recommended practices. What should you do?

Options

  • A. Change the Terraform code to use local state.
  • B. Create a storage bucket with the name specified in the Terraform configuration.
  • C. Grant the roles/owner Identity and Access Management (IAM) role to the Cloud Build service
  • D. Grant the roles/storage.objectAdmin Identity and Access Management (IAM) role to the Cloud

Explanation

The Cloud Build job is failing with a 403 error when querying Cloud Storage for Terraform state, indicating a permission issue where the Cloud Build service account lacks the necessary IAM role to access the Cloud Storage bucket.

Common mistakes.

  • A. Changing to local state would eliminate the Cloud Storage backend issue but is not a recommended practice for collaborative Terraform development in a CI/CD pipeline, as it makes state management difficult for multiple users.
  • B. A 403 error implies the bucket exists but access is denied; if the bucket were missing, the error would typically be 'bucket not found' or similar.
  • C. Granting roles/owner is an overly permissive role and goes against the principle of least privilege, as roles/storage.objectAdmin is sufficient and more secure for managing objects in a specific bucket.
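The following Terraform configuration is an added example, not from the exam page or from Google's documentation. It shows the two halves of the correct answer together: a GCS backend for Terraform state, and a bucket-scoped roles/storage.objectAdmin binding for the Cloud Build service account rather than a project-wide roles/owner grant. The bucket name, project id and state prefix are placeholders.

```hcl
# Added example (not from the exam page): least-privilege access for a
# Terraform GCS backend used by Cloud Build. "example-tf-state-bucket",
# "example-project-id" and the prefix are placeholder values.

terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
  }

  # Remote state in Cloud Storage; this is the backend the 403 in the
  # question comes from when the build identity cannot read the bucket.
  backend "gcs" {
    bucket = "example-tf-state-bucket"   # placeholder bucket name
    prefix = "envs/prod"                 # state objects are stored under this prefix
  }
}

provider "google" {
  project = "example-project-id"        # placeholder project id
}

# The project number is needed because the legacy default Cloud Build
# service account is named PROJECT_NUMBER@cloudbuild.gserviceaccount.com.
data "google_project" "current" {}

locals {
  # Assumption: the trigger runs as the legacy default Cloud Build service
  # account. If the trigger is configured with a user-specified service
  # account, bind that identity instead.
  cloudbuild_sa = "serviceAccount:${data.google_project.current.number}@cloudbuild.gserviceaccount.com"
}

# Bind roles/storage.objectAdmin on the state bucket only (not at project
# level): the build can read, write and lock state objects, and nothing else.
resource "google_storage_bucket_iam_member" "cloudbuild_state_access" {
  bucket = "example-tf-state-bucket"
  role   = "roles/storage.objectAdmin"
  member = local.cloudbuild_sa
}
```

The binding cannot be applied by the pipeline that is currently failing, since that pipeline cannot reach its own state yet; apply it once from an operator identity or a small bootstrap configuration, then re-run the trigger. To confirm the grant landed on the bucket rather than the project, inspect the bucket policy with `gcloud storage buckets get-iam-policy gs://example-tf-state-bucket` and check that the service account appears under roles/storage.objectAdmin.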

Concept tested. Cloud Build IAM permissions for Cloud Storage Terraform backend

Reference. https://cloud.google.com/terraform/docs/configure-backend#access_control_for_the_backend

Topics

#CloudBuild #IAM #TerraformState #Permissions
