Complete the code to enable encryption at rest for a Cloud Storage bucket.
resource "google_storage_bucket" "secure_bucket" {
  name     = "my-secure-bucket"
  location = "US"
  [1]      = "AES256"
}
The encryption block with AES256 enables encryption at rest for the bucket.
Complete the code to restrict access to a Cloud Storage bucket to only a specific service account.
resource "google_storage_bucket_iam_member" "member" {
  bucket = google_storage_bucket.secure_bucket.name
  role   = "roles/storage.objectViewer"
  member = "[1]"
}
The member field must specify the service account with the prefix serviceAccount: to restrict access properly.
Fix the error in the firewall rule to allow only HTTPS traffic on port 443.
resource "google_compute_firewall" "https_firewall" {
  name    = "allow-https"
  network = "default"
  allow {
    protocol = "[1]"
    ports    = ["443"]
  }
  source_ranges = ["0.0.0.0/0"]
}
The firewall protocol must be tcp to allow HTTPS traffic on port 443. 'https' is not a valid protocol name here.
Fill both blanks to create a VPC firewall rule that denies all ingress traffic except from a trusted IP range.
resource "google_compute_firewall" "deny_untrusted" {
  name          = "deny-untrusted-ingress"
  network       = "default"
  direction     = "INGRESS"
  priority      = 1000
  action        = "[1]"
  source_ranges = ["[2]"]
}
The firewall rule must deny traffic (DENY) and allow only from the trusted IP range 10.1.2.0/24.
Fill all three blanks to define an IAM policy binding that grants the 'roles/storage.admin' role to a user with a condition on request time.
resource "google_storage_bucket_iam_binding" "conditional_binding" {
  bucket  = google_storage_bucket.secure_bucket.name
  role    = "[1]"
  members = ["[2]"]
  condition {
    title       = "Time-based access"
    description = "Allow access only during business hours"
    expression  = "request.time [3] timestamp('2024-06-01T17:00:00Z')"
  }
}
The role is roles/storage.admin, the member is the user with prefix user:, and the expression uses '<' to restrict access before the given timestamp.