Complete the code to enable encryption for a Cloud Storage bucket.
resource "google_storage_bucket" "secure_bucket" {
  name     = "my-secure-bucket"
  location = "US"

  [1] {
    kms_key_name = google_kms_crypto_key.my_key.id
  }
}
The encryption block is used to specify the encryption settings for a Cloud Storage bucket in GCP.
Complete the code to grant the least privilege role to a service account.
resource "google_project_iam_member" "least_privilege" {
  project = "my-project"
  role    = [1]
  member  = "serviceAccount:my-service-account@my-project.iam.gserviceaccount.com"
}
The roles/storage.objectViewer role grants read-only access to storage objects, following the least privilege principle.
Fix the error in the firewall rule to allow only HTTPS traffic.
resource "google_compute_firewall" "https_only" {
  name    = "https-firewall"
  network = "default"

  allow {
    protocol = [1]
    ports    = ["443"]
  }

  source_ranges = ["0.0.0.0/0"]
}
The protocol for HTTPS traffic is tcp, not http or udp.
Fill both blanks to configure a Cloud KMS key ring and key with rotation period.
resource "google_kms_key_ring" "my_key_ring" {
  name     = "my-key-ring"
  location = [1]
  project  = "my-project"
}

resource "google_kms_crypto_key" "my_crypto_key" {
  name            = "my-crypto-key"
  key_ring        = google_kms_key_ring.my_key_ring.id
  rotation_period = [2]
}
The key ring location is set to us-central1, a valid GCP region. The rotation period 2592000s equals 30 days, a common rotation interval.
Fill all three blanks to create a secure Cloud SQL instance with private IP and authorized networks.
resource "google_sql_database_instance" "secure_instance" {
  name             = "secure-db"
  database_version = [1]
  region           = "us-east1"

  settings {
    tier = "db-f1-micro"

    ip_configuration {
      [2] = "projects/my-project/global/networks/default"

      authorized_networks {
        value = [3]
      }
    }
  }
}
The database version is set to POSTGRES_14. Setting private_network attaches the instance to the VPC network so it is reachable over a private IP. The authorized network 192.168.1.0/24 restricts access to a specific IP range.