Challenge - 5 Problems

🎖️

DynamoDB State Locking Master

Get all challenges correct to earn this badge!

Test your skills under time pressure!

❓ Configuration

intermediate

2:00remaining

Terraform backend configuration for DynamoDB state locking

Which Terraform backend configuration snippet correctly enables state locking using a DynamoDB table named tf-lock-table in the us-west-2 region?

backend "s3" {
  bucket         = "my-terraform-state"
  key            = "state.tfstate"
  region         = "us-west-2"
  dynamodb_table = "tf-lock-table"
}

backend "s3" {
  bucket         = "my-terraform-state"
  key            = "state.tfstate"
  region         = "us-west-2"
  dynamodb_table = "tf-lock-table"
  encrypt        = false
}

}
eurt =        tpyrcne  
"elbat-kcol-ft" = elbat_bdomanyd  
"2-tsew-su" =         noiger  
"etatsft.etats" =            yek  
"etats-mrofarret-ym" =         tekcub  
{ "3s" dnekcab

backend "s3" {
  bucket         = "my-terraform-state"
  key            = "state.tfstate"
  region         = "us-west-2"
  dynamodb_table = "tf-lock-table"
  encrypt        = true
}

Attempts:

2 left

❓ Architecture

intermediate

2:00remaining

DynamoDB table design for Terraform state locking

Which DynamoDB table design is required to support Terraform state locking correctly?

AA table with a primary key named <code>LockID</code> of type string, with no sort key.

BA table with a composite primary key: partition key <code>LockID</code> (string) and sort key <code>StateID</code> (string).

CA table with a primary key named <code>StateName</code> of type number.

DA table with no primary key but with a global secondary index on <code>LockID</code>.

Attempts:

2 left

❓ service_behavior

advanced

2:00remaining

Effect of missing DynamoDB table on Terraform state locking

What happens when Terraform tries to acquire a lock using a DynamoDB table that does not exist?

ATerraform will create the DynamoDB table automatically and acquire the lock.

BTerraform will fail with an error indicating the DynamoDB table does not exist and stop the operation.

CTerraform will skip locking and proceed with state changes without any warning.

DTerraform will retry indefinitely until the table is created.

Attempts:

2 left

❓ security

advanced

2:00remaining

IAM policy for Terraform to use DynamoDB state locking

Which IAM policy snippet grants the minimum required permissions for Terraform to use DynamoDB state locking on a table named tf-lock-table?

{
  "Effect": "Allow",
  "Action": ["dynamodb:CreateTable", "dynamodb:DeleteTable"],
  "Resource": "arn:aws:dynamodb:*:*:table/tf-lock-table"
}

{
  "Effect": "Allow",
  "Action": ["dynamodb:Scan", "dynamodb:Query"],
  "Resource": "arn:aws:dynamodb:*:*:table/tf-lock-table"
}

{
  "Effect": "Allow",
  "Action": ["dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:DeleteItem"],
  "Resource": "arn:aws:dynamodb:*:*:table/tf-lock-table"
}

{
  "Effect": "Allow",
  "Action": ["dynamodb:UpdateItem"],
  "Resource": "arn:aws:dynamodb:*:*:table/tf-lock-table"
}

Attempts:

2 left

✅ Best Practice

expert

3:00remaining

Ensuring high availability for Terraform state locking with DynamoDB

Which approach best ensures high availability and durability for Terraform state locking using DynamoDB in a multi-region AWS setup?

AUse DynamoDB global tables to replicate the lock table across multiple regions and configure Terraform to use the global table endpoint.

BCreate multiple DynamoDB tables in each region and configure Terraform to switch tables based on region manually.

CCreate a single DynamoDB table in one region and configure Terraform to use that region only.

DUse S3 versioning instead of DynamoDB for locking to avoid regional dependency.

Attempts:

2 left