You are setting up a Cloud Build job that deploys Terraform code when a Git branch is updated. While testing, you notice that the job fails. You see the following error in the build logs:
Initializing the backend…
Error: Failed to get existing workspaces: querying Cloud Storage failed: googleapi: Error 403
You need to resolve the issue by following Google-recommended practices. What should you do?
A. Change the Terraform code to use local state.
B. Create a storage bucket with the name specified in the Terraform configuration.
C. Grant the roles/owner Identity and Access Management (IAM) role to the Cloud Build service account on the project.
D. Grant the roles/storage.objectAdmin Identity and Access Management (IAM) role to the Cloud Build service account on the state file bucket.
Disclaimer
This is a practice question. There is no guarantee that this question will appear in the certification exam.
Answer
D
Explanation
A. Change the Terraform code to use local state.
(Not helpful: switching to local state only avoids the error by abandoning the shared remote backend the pipeline depends on.)
B. Create a storage bucket with the name specified in the Terraform configuration.
(Not helpful: a 403 is a permission error, not a missing-bucket error, so creating a bucket does not address it.)
C. Grant the roles/owner Identity and Access Management (IAM) role to the Cloud Build service account on the project.
(Granting a basic role such as roles/owner at project level gives far more access than the job needs and is not recommended practice.)
D. Grant the roles/storage.objectAdmin Identity and Access Management (IAM) role to the Cloud Build service account on the state file bucket.
(To resolve the issue, ensure that the Cloud Build service account has the permissions it needs on the Cloud Storage bucket that stores the Terraform state.
The recommended practice is to grant the roles/storage.objectAdmin Identity and Access Management (IAM) role to the Cloud Build service account on the state file bucket, which scopes the grant to the one resource the job needs. Therefore, the correct answer is option D.)
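As an added example (not part of the original question), the following Python script takes the IAM policies of the state bucket and the project, in the JSON shape that `gcloud storage buckets get-iam-policy` and `gcloud projects get-iam-policy` return, and reports whether the Cloud Build service account can reach the Terraform state, whether the grant follows option D (objectAdmin on the bucket) or option C (a basic role on the project), and the binding to add when access is missing. The service account, project number and policy contents are constructed sample values.

```python
import copy
from typing import Dict, List

# Legacy default Cloud Build service account; the project number is a constructed sample.
SA = "serviceAccount:123456789012@cloudbuild.gserviceaccount.com"
# Bucket-level roles that let the gcs backend list, read and write state objects.
SUFFICIENT = {"roles/storage.objectAdmin", "roles/storage.admin"}
# Basic roles that would also clear the 403 but grant far more than state access (option C).
BASIC = {"roles/owner", "roles/editor"}

# Constructed sample policies in the JSON shape returned by `gcloud storage buckets
# get-iam-policy` and `gcloud projects get-iam-policy`; the SA has no grant on the bucket.
BUCKET_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["group:auditors@example.com"]}]}
PROJECT_MINIMAL = {"bindings": [{"role": "roles/cloudbuild.builds.builder", "members": [SA]}]}
PROJECT_OWNER = {"bindings": [{"role": "roles/owner", "members": [SA]}]}

def roles_for_member(policy: Dict, member: str) -> List[str]:
    """Roles a member holds directly in one IAM policy."""
    return sorted(b["role"] for b in policy.get("bindings", []) if member in b.get("members", []))

def diagnose(bucket_policy: Dict, project_policy: Dict, member: str) -> Dict:
    """Classify the member's access to the state bucket.
    ok: state objects can be listed/read/written, so the 403 would not occur.
    least_privilege: access is roles/storage.objectAdmin on the bucket and nothing broader (D).
    fix: the bucket binding to add when access is missing."""
    on_bucket = roles_for_member(bucket_policy, member)
    on_project = roles_for_member(project_policy, member)
    effective = set(on_bucket) | set(on_project)  # project grants are inherited by the bucket
    ok = bool(effective & (SUFFICIENT | BASIC))
    broader = sorted(effective & (BASIC | {"roles/storage.admin"}))
    return {
        "bucket_roles": on_bucket, "project_roles": on_project, "ok": ok,
        "least_privilege": "roles/storage.objectAdmin" in on_bucket and not broader,
        "broader_than_needed": broader,
        "fix": None if ok else {"role": "roles/storage.objectAdmin", "members": [member]},
    }

def apply_binding(policy: Dict, binding: Dict) -> Dict:
    """Return a copy of the policy with the binding appended (input is not mutated)."""
    updated = copy.deepcopy(policy)
    updated.setdefault("bindings", []).append(binding)
    return updated

if __name__ == "__main__":
    before = diagnose(BUCKET_POLICY, PROJECT_MINIMAL, SA)
    print("before:", before)
    print("after fix:", diagnose(apply_binding(BUCKET_POLICY, before["fix"]), PROJECT_MINIMAL, SA))
    print("roles/owner on project:", diagnose(BUCKET_POLICY, PROJECT_OWNER, SA))
```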