Free Access to Google.Professional-Cloud-DevOps-Engineer.v2025-01-09.q159 with Valid Practice Test (Page 26)

Question 121

You are managing an application that runs in Compute Engine The application uses a custom HTTP server to expose an API that is accessed by other applications through an internal TCP/UDP load balancer A firewall rule allows access to the API port from 0.0.0-0/0. You need to configure Cloud Logging to log each IP address that accesses the API by using the fewest number of steps What should you do Bret?

A.Enable Packet Mirroring on the VPC
B.Install the Ops Agent on the Compute Engine instances.
C.Enable logging on the firewall rule
D.Enable VPC Flow Logs on the subnet

Question 122

You are deploying a Cloud Build job that deploys Terraform code when a Git branch is updated. While testing, you noticed that the job fails. You see the following error in the build logs:
Initializing the backend. ..
Error: Failed to get existing workspaces : querying Cloud Storage failed: googleapi : Error
403
You need to resolve the issue by following Google-recommended practices. What should you do?

A.Change the Terraform code to use local state.
B.Create a storage bucket with the name specified in the Terraform configuration.
C.Grant the roles/ owner Identity and Access Management (IAM) role to the Cloud Build service account on the project.
D.Grant the roles/ storage. objectAdmin Identity and Access Management (IAM) role to the Cloud Build service account on the state file bucket.

Correct Answer: D

The correct answer is D. Grant the roles/storage.objectAdmin Identity and Access Management (IAM) role to the Cloud Build service account on the state file bucket.
According to the Google Cloud documentation, Cloud Build is a service that executes your builds on Google Cloud Platform infrastructure1. Cloud Build uses a service account to execute your build steps and access resources, such as Cloud Storage buckets2. Terraform is an open-source tool that allows you to define and provision infrastructure as code3. Terraform uses a state file to store and track the state of your infrastructure4. You can configure Terraform to use a Cloud Storage bucket as a backend to store and share the state file across multiple users or environments5.
The error message indicates that Cloud Build failed to access the Cloud Storage bucket that contains the Terraform state file. This is likely because the Cloud Build service account does not have the necessary permissions to read and write objects in the bucket. To resolve this issue, you need to grant the roles/storage.objectAdmin IAM role to the Cloud Build service account on the state file bucket. This role allows the service account to create, delete, and manage objects in the bucket6. You can use the gcloud command-line tool or the Google Cloud Console to grant this role.
The other options are incorrect because they do not follow Google-recommended practices. Option A is incorrect because it changes the Terraform code to use local state, which is not recommended for production or collaborative environments, as it can cause conflicts, data loss, or inconsistency. Option B is incorrect because it creates a new storage bucket with the name specified in the Terraform configuration, but it does not grant any permissions to the Cloud Build service account on the new bucket. Option C is incorrect because it grants the roles/owner IAM role to the Cloud Build service account on the project, which is too broad and violates the principle of least privilege. The roles/owner role grants full access to all resources in the project, which can pose a security risk if misused or compromised.
Reference:
Cloud Build Documentation, Overview. Service accounts, Service accounts. Terraform by HashiCorp, Terraform by HashiCorp. State, State. Google Cloud Storage Backend, Google Cloud Storage Backend. Predefined roles, Predefined roles. [Granting roles to service accounts for specific resources], Granting roles to service accounts for specific resources. [Local Backend], Local Backend. [Understanding roles], Understanding roles.

Question 123

You are running an application on Compute Engine and collecting logs through Stackdriver. You discover that some personally identifiable information (PII) is leaking into certain log entry fields. You want to prevent these fields from being written in new log entries as quickly as possible. What should you do?

A.Use the fluent-plugin-record-reformer Fluentd output plugin to remove the fields from the log entries in flight.
B.Use the filter-record-transformer Fluentd filter plugin to remove the fields from the log entries in flight.
C.Stage log entries to Cloud Storage, and then trigger a Cloud Function to remove the fields and write the entries to Stackdriver via the Stackdriver Logging API.
D.Wait for the application developers to patch the application, and then verify that the log entries are no longer exposing PII.

Question 124

Your organization wants to increase the availability target of an application from 99 9% to 99 99% for an investment of $2 000 The application's current revenue is S1,000,000 You need to determine whether the increase in availability is worth the investment for a single year of usage What should you do?

A.Calculate the value of improved availability to be $900, and determine that the increase in availability is not worth the investment
B.Calculate the value of improved availability to be $1 000 and determine that the increase in availability is not worth the investment
C.Calculate the value of improved availability to be $1 000 and determine that the increase in availability is worth the investment
D.Calculate the value of improved availability to be $9,000. and determine that the increase in availability is worth the investment

Question 125

You are configuring a Cl pipeline. The build step for your Cl pipeline integration testing requires access to APIs inside your private VPC network. Your security team requires that you do not expose API traffic publicly. You need to implement a solution that minimizes management overhead. What should you do?

A.Use Cloud Build private pools to connect to the private VPC.
B.Use Spinnaker for Google Cloud to connect to the private VPC.
C.Use Cloud Build as a pipeline runner. Configure Internal HTTP(S) Load Balancing for API access.
D.Use Cloud Build as a pipeline runner. Configure External HTTP(S) Load Balancing with a Google Cloud Armor policy for API access.

Question 121

Question 122

Question 123

Question 124

Question 125

Download PDF File