Challenge - 5 Problems

🎖️

S3 Backend Mastery

Get all challenges correct to earn this badge!

Test your skills under time pressure!

❓ Configuration

intermediate

2:00remaining

Identify the correct S3 backend configuration for Terraform state

Which option correctly configures Terraform to use an S3 bucket named my-terraform-state in the us-west-2 region with encryption enabled and state locking using DynamoDB table terraform-lock?

terraform {
  backend "s3" {
    bucket = "my-terraform-state"
    region = "us-west-2"
    encryption = true
    dynamodb_table = "terraform-lock"
  }
}

terraform {
  backend "s3" {
    bucket = "my-terraform-state"
    region = "us-west-2"
    encrypt = true
    dynamodb_table = "terraform-lock"
  }
}

terraform {
  backend "s3" {
    bucket = "my-terraform-state"
    region = "us-west-2"
    encrypt = false
    dynamodb_table = "terraform-lock"
  }
}

terraform {
  backend "s3" {
    bucket = "my-terraform-state"
    region = "us-east-1"
    encrypt = true
    dynamodb_table = "terraform-lock"
  }
}

Attempts:

2 left

❓ service_behavior

intermediate

2:00remaining

What happens if the DynamoDB table for state locking is missing?

If you configure Terraform to use an S3 backend with a DynamoDB table for state locking, but the DynamoDB table does not exist, what will happen when you run terraform init?

ATerraform will create the missing DynamoDB table automatically and proceed.

BTerraform will initialize successfully but will not perform state locking, risking concurrent state changes.

CTerraform will fail to initialize and return an error indicating the DynamoDB table is missing.

DTerraform will ignore the DynamoDB table setting and use local locking instead.

Attempts:

2 left

❓ Architecture

advanced

3:00remaining

Choose the best architecture for multi-region Terraform state storage

You want to store Terraform state files in S3 with high availability across multiple AWS regions. Which architecture best achieves this goal?

AUse a single S3 bucket in one region with cross-region replication enabled to replicate state files to other regions.

BUse a single S3 bucket in one region without replication and rely on AWS global infrastructure for availability.

CCreate separate S3 buckets in each region and configure Terraform to switch backend buckets based on region.

DStore state files locally on each developer machine and sync manually across regions.

Attempts:

2 left

❓ security

advanced

2:30remaining

Identify the security best practice for S3 backend state encryption

Which option correctly describes the best practice to secure Terraform state files stored in an S3 backend?

AEnable server-side encryption with AWS KMS keys and restrict bucket access with IAM policies.

BDisable encryption to improve performance and rely on network security only.

CUse client-side encryption only and do not enable any server-side encryption.

DMake the S3 bucket public to allow easy access for all team members.

Attempts:

2 left

✅ Best Practice

expert

3:00remaining

Determine the impact of changing the S3 backend bucket after initial Terraform deployment

You initially configured Terraform to use an S3 backend bucket named bucket-a. After some deployments, you change the backend configuration to use bucket-b without migrating the state file. What will happen when you run terraform plan?

ATerraform will use the local state file and ignore the backend configuration.

BTerraform will automatically migrate the state file from <code>bucket-a</code> to <code>bucket-b</code> and continue normally.

CTerraform will fail with an error about missing state file in <code>bucket-b</code>.

DTerraform will treat the infrastructure as new and attempt to create all resources again.

Attempts:

2 left