Challenge - 5 Problems

🎖️

Remote State Mastery

Get all challenges correct to earn this badge!

Test your skills under time pressure!

🧠 Conceptual

intermediate

1:30remaining

Understanding remote state data source usage

What is the primary purpose of using a terraform_remote_state data source in a cross-project setup?

ATo share outputs from one Terraform project with another securely and reliably.

BTo encrypt Terraform state files using a custom key.

CTo automatically backup Terraform state files to a local machine.

DTo deploy resources in multiple cloud providers simultaneously.

Attempts:

2 left

❓ Configuration

intermediate

2:00remaining

Correct remote state data source configuration

Which of the following Terraform code snippets correctly configures a remote state data source to read outputs from a different project stored in an S3 backend?

data "terraform_remote_state" "vpc" {
  backend = "s3"
  bucket = "my-terraform-states"
  key    = "vpc/terraform.tfstate"
  region = "us-east-1"
}

data "terraform_remote_state" "vpc" {
  backend = "gcs"
  config = {
    bucket = "my-terraform-states"
    key    = "vpc/terraform.tfstate"
    region = "us-east-1"
  }
}

terraform_remote_state "vpc" {
  backend = "s3"
  config = {
    bucket = "my-terraform-states"
    key    = "vpc/terraform.tfstate"
    region = "us-east-1"
  }
}

data "terraform_remote_state" "vpc" {
  backend = "s3"
  config = {
    bucket = "my-terraform-states"
    key    = "vpc/terraform.tfstate"
    region = "us-east-1"
  }
}

Attempts:

2 left

❓ Architecture

advanced

2:30remaining

Cross-project remote state access architecture

In a multi-project Terraform setup, what is the best architectural practice to ensure secure and reliable access to remote state data across projects?

AStore all Terraform states in a single shared backend bucket with strict IAM policies limiting access per project.

BUse local state files and manually copy outputs between projects to avoid backend complexity.

CAllow all projects to use the same AWS IAM role with full access to all state files for simplicity.

DStore state files in separate buckets without any access restrictions to speed up deployments.

Attempts:

2 left

❓ service_behavior

advanced

2:00remaining

Behavior of remote state data source on state changes

What happens to the terraform_remote_state data source when the remote state it references is updated by another project?

ATerraform requires deleting the local state file to detect changes in the remote state.

BTerraform caches the remote state permanently and never updates it unless manually refreshed.

CTerraform fetches the latest remote state data during the next plan or apply operation automatically.

DTerraform throws an error if the remote state changes between runs to prevent inconsistencies.

Attempts:

2 left

❓ security

expert

3:00remaining

Preventing unauthorized access to remote state in cross-project setups

Which IAM policy configuration best prevents unauthorized access to a Terraform remote state stored in an S3 bucket used by multiple projects?

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:*"],
    "Resource": "arn:aws:s3:::terraform-states/*"
  }]
}

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::terraform-states/project-a/*",
    "Condition": {
      "StringEquals": {"aws:PrincipalTag/Project": "project-a"}
    }
  }]
}

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::terraform-states/project-b/*"
  }]
}

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::terraform-states/*"
  }]
}

Attempts:

2 left