Terraform / cloud / ~20 mins

Least privilege for Terraform service accounts - Practice Problems & Coding Challenges

Challenge - 5 Problems
security / intermediate
Identify the least privilege IAM role for Terraform to manage Compute Instances

You want to give a Terraform service account permission to create, update, and delete Compute Engine instances only. Which IAM role grants the least privilege for this task?

A. roles/editor
B. roles/compute.admin
C. roles/compute.instanceAdmin.v1
D. roles/owner
💡 Hint

Look for the role that limits permissions to managing instances only, not the entire project.

Best Practice / intermediate
Choose the best practice for Terraform service account key management

Which practice is best to securely manage Terraform service account keys?

A. Use short-lived credentials and rotate keys regularly, storing them in a secure secrets manager
B. Create long-lived service account keys and store them in the Terraform code repository
C. Share service account keys with all team members via email
D. Use the default Compute Engine service account without restrictions
💡 Hint

Think about minimizing risk if keys are exposed.
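As an added example (not part of the quiz and not the page's own code), here is the key-free form of option A in Terraform: the CI job authenticates with its own federated identity and mints short-lived access tokens for the Terraform service account through impersonation, so no long-lived key exists to rotate, leak from a repository, or e-mail. The project id, project number, Workload Identity pool and repository names below are placeholders.

```hcl
# Added example; project id, project number, pool and repository are placeholders.

# ---- bootstrap configuration, applied once by an administrator ----

resource "google_service_account" "terraform" {
  project      = "example"
  account_id   = "terraform-sa"
  display_name = "Terraform runner"
}

# Only the CI workload (a Workload Identity Federation principal set, here
# one GitHub repository) may mint tokens for the Terraform SA. No key is
# created, so there is nothing to rotate or store.
resource "google_service_account_iam_member" "ci_impersonates_terraform" {
  service_account_id = google_service_account.terraform.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "principalSet://iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/ci-pool/attribute.repository/example-org/infra"
}

# ---- workload configuration, run by the CI job in a separate root module ----

# The job's own federated credential is used only to impersonate; every API
# call from this provider carries a short-lived access token (one hour by
# default) for terraform-sa, and the token is never written to disk or state.
provider "google" {
  project                     = "example"
  impersonate_service_account = "terraform-sa@example.iam.gserviceaccount.com"
}
```

The same effect can be had without changing code by exporting `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` in the job environment. If a key really is unavoidable, note that the `google_service_account_key` resource writes the private key into Terraform state, so the state bucket must be treated as a secret, rotation is forced by changing the resource's `keepers`, and the key should land only in a secrets manager; the organization policy constraint `constraints/iam.disableServiceAccountKeyCreation` blocks key creation entirely where keys are not needed.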

Configuration / advanced
Determine the Terraform IAM binding for least privilege on Cloud Storage buckets

You want a Terraform service account to only read and write objects in a specific Cloud Storage bucket. Which IAM binding configuration grants the least privilege?

Terraform
resource "google_storage_bucket_iam_member" "terraform_sa_access" {
  bucket = "my-terraform-bucket"
  role   = role  # supplied by the option you choose below
  member = "serviceAccount:terraform-sa@example.iam.gserviceaccount.com"
}
A. role = "roles/storage.objectAdmin"
B. role = "roles/storage.admin"
C. role = "roles/storage.objectViewer"
D. role = "roles/storage.objectCreator"
💡 Hint

Consider which role allows both reading and writing objects but not managing the bucket itself.
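Added example (not the page's own code) showing option A next to the over-broad binding it replaces, with the bucket configured so that the IAM binding is the only access path. It assumes the bucket holds Terraform state; the bucket, project and service-account names are placeholders.

```hcl
# Added example; bucket, project and service-account names are placeholders.

resource "google_storage_bucket" "tfstate" {
  name     = "my-terraform-bucket"
  project  = "example"
  location = "US"

  # Uniform bucket-level access turns off legacy object ACLs, so IAM
  # bindings are the only way to reach objects in this bucket.
  uniform_bucket_level_access = true

  # Keep earlier object versions so an overwrite by the SA can be rolled back.
  versioning {
    enabled = true
  }
}

# Over-broad (do not use): roles/storage.admin also carries storage.buckets.*,
# including changing this bucket's IAM policy and deleting the bucket, and a
# project-level grant would reach every bucket in the project.
#
# resource "google_project_iam_member" "terraform_sa_too_broad" {
#   project = "example"
#   role    = "roles/storage.admin"
#   member  = "serviceAccount:terraform-sa@example.iam.gserviceaccount.com"
# }

# Least privilege among the options: object create/read/update/delete on
# this one bucket, with no bucket-level metadata or IAM permissions.
resource "google_storage_bucket_iam_member" "terraform_sa_access" {
  bucket = google_storage_bucket.tfstate.name
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:terraform-sa@example.iam.gserviceaccount.com"
}
```

The service account then points its runs at the bucket with a `gcs` backend (`backend "gcs" { bucket = "my-terraform-bucket" prefix = "env/prod" }`) from the configuration it manages, not from the bootstrap module that creates the bucket. If the objects' own IAM policies must also be off limits, the newer `roles/storage.objectUser` role (not among the quiz options) gives the same create/read/update/delete set without `storage.objects.getIamPolicy` and `setIamPolicy`.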

Architecture / advanced
Select the best architecture to enforce least privilege for Terraform across multiple projects

You manage multiple GCP projects and want Terraform service accounts to have least privilege access only to their assigned projects. What architecture best supports this?

A. Use user credentials instead of service accounts for Terraform
B. Create separate service accounts per project with scoped IAM roles limited to each project
C. Use a single service account with the editor role in the organization
D. Create one service account with the owner role in all projects
💡 Hint

Think about isolating permissions per project to reduce risk.
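Added example (not the page's own code) of option B, which also covers the first problem on this page: one service account per project, each bound only inside its own project to the narrowest role that fits, here roles/compute.instanceAdmin.v1 for instance lifecycle. The project ids and per-project role lists are placeholders.

```hcl
# Added example; project ids and role lists are placeholders.

locals {
  # One entry per managed project. Each list is the complete set of roles
  # that project's Terraform SA receives; nothing is granted at folder or
  # organization level, so a dev runner can never act in prod.
  projects = {
    "app-dev"  = ["roles/compute.instanceAdmin.v1"]
    "app-prod" = ["roles/compute.instanceAdmin.v1", "roles/storage.objectAdmin"]
  }

  # Flatten to one map entry per (project, role) pair so every binding is
  # its own resource and can be added or revoked individually.
  bindings = merge([
    for project, roles in local.projects : {
      for role in roles : "${project}/${role}" => {
        project = project
        role    = role
      }
    }
  ]...)
}

# A dedicated service account per project.
resource "google_service_account" "terraform" {
  for_each     = local.projects
  project      = each.key
  account_id   = "terraform-${each.key}"
  display_name = "Terraform runner for ${each.key}"
}

# Bind each SA only inside its own project. Unlike roles/editor or
# roles/owner, compute.instanceAdmin.v1 cannot touch IAM or non-Compute
# services; unlike roles/compute.admin it cannot create or delete VPC
# networks, firewall rules or other non-instance Compute resources.
resource "google_project_iam_member" "terraform" {
  for_each = local.bindings
  project  = each.value.project
  role     = each.value.role
  member   = "serviceAccount:${google_service_account.terraform[each.value.project].email}"
}
```

One caveat that bites in practice: if the instances Terraform creates run as their own service account, the Terraform SA also needs `roles/iam.serviceAccountUser` on that specific service account (a `google_service_account_iam_member` on the target SA), not a project-wide grant of that role.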

Service behavior / expert
What happens if Terraform service account lacks permission to create a resource?

Terraform runs a plan and apply to create a Compute Engine instance, but the service account lacks the required IAM permission. What is the expected behavior?

A. Terraform applies changes partially and skips the resource without error
B. Terraform silently ignores the missing permission and logs a warning
C. Terraform creates the resource with limited features
D. Terraform fails the apply step with a permission denied error and stops execution
💡 Hint

Consider how Terraform handles errors during resource creation.