Google Cloud Professional Cloud DevOps Engineer — Question 129
You are deploying a Cloud Build job that deploys Terraform code when a Git branch is updated. While testing, you noticed that the job fails. You see the following error in the build logs:
Initializing the backend...
Error: Failed to get existing workspaces: querying Cloud Storage failed: googleapi: Error 403
You need to resolve the issue by following Google-recommended practices. What should you do?
Answer options
- A. Change the Terraform code to use local state.
- B. Create a storage bucket with the name specified in the Terraform configuration.
- C. Grant the roles/owner Identity and Access Management (IAM) role to the Cloud Build service account on the project.
- D. Grant the roles/storage.objectAdmin Identity and Access Management (IAM) role to the Cloud Build service account on the state file bucket.
Correct answer: D
Explanation
The correct answer is D. The 403 error means the Cloud Build service account is denied access to the Cloud Storage bucket where the Terraform state is stored. Granting the roles/storage.objectAdmin IAM role to that service account on the state file bucket allows it to access and manage the objects in that bucket, and the grant is scoped to the bucket rather than the whole project. Option A is incorrect because local state is not recommended for collaborative environments. Option B does not resolve the permission issue. Option C grants excessive permissions that are not necessary for this specific problem.