Practice PCDE Bootstrapping a Google Cloud Organisation for DevOps questions with full explanations on every answer.
Start practicing
Bootstrapping a Google Cloud Organisation for DevOps — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A DevOps engineer is setting up a new Google Cloud organization for their company. They need to ensure that all projects are created within a structured hierarchy that separates production, staging, development, and sandbox environments. Which folder structure BEST supports this requirement?
2An organization wants to enforce that all Compute Engine instances in their Google Cloud organization are created with Shielded VM enabled. What is the MOST effective way to enforce this requirement?
3A financial services company is using Terraform to manage their Google Cloud infrastructure. They have multiple environments (dev, staging, prod) and want to use a single Terraform configuration with separate state files per environment. They also need to store the Terraform state securely in a shared backend. Which approach should they use?
4A DevOps team wants to implement policy-as-code to enforce that all Terraform configurations comply with security rules before deployment. Which tool is most appropriate for pre-commit policy checks on Terraform plans?
5An organization wants to centralize cost management across multiple projects. They need to analyze spending trends and set budget alerts. Which combination of services should they use?
6What is the primary benefit of using Workload Identity Federation over service account keys when authenticating workloads running outside Google Cloud?
7A company is adopting GitOps for managing their Kubernetes infrastructure with Config Sync. They want to ensure that any changes to the cluster's desired state are automatically applied from a Git repository. Which branching strategy is MOST suitable for this workflow?
8An organization wants to restrict the creation of Compute Engine instances in their Google Cloud organization to only certain regions. Which organization policy constraint should they use?
9A DevOps engineer is designing a shared VPC topology for a multi-project environment. Which service project permission allows a project to use subnets from a host project?
10A company wants to implement granular cost tracking for their cloud resources. They need to attribute costs to specific teams and environments. Which approach should they use?
11A DevOps team is using Terraform to manage infrastructure. They have a module that creates a Cloud Storage bucket. They want to reference the bucket's URL in another part of the configuration without hardcoding. Which approach should they use?
12A DevOps engineer is setting up CI/CD for a microservice application. They want to use Cloud Build to deploy to Google Kubernetes Engine (GKE) only if the build passes tests. Which Cloud Build configuration approach should they use?
13An organization wants to enforce that no Compute Engine instances have public IP addresses. Which TWO methods can achieve this? (Choose TWO.)
14A company is adopting Infrastructure as Code with Terraform and wants to enforce policy as code using Open Policy Agent (OPA). Which THREE components are required to implement this in a CI/CD pipeline? (Choose THREE.)
15A DevOps engineer is designing a landing zone for a large enterprise. Which THREE components are essential for a well-architected landing zone? (Choose THREE.)
16An organization wants to enforce that all Compute Engine VMs are created with Shielded VM features enabled to protect against rootkits and boot-level malware. Which Google Cloud mechanism should be used?
17A DevOps team is designing a landing zone for a multi-team organization. They need to separate environments (prod, staging, dev) and also provide isolated projects for each team's sandbox testing. The team wants to centrally manage networking and security through a shared VPC. Which folder structure best supports this design?
18A company uses Terraform to manage infrastructure. They have a monolithic Terraform configuration that manages all projects in a single state file. As the organization grows, the configuration becomes slow and error-prone. The team wants to adopt a modular approach with separate state files for each project while reusing common modules. Which strategy should they follow?
19An organization wants to enforce that Compute Engine instances cannot have public IP addresses. Which organization policy constraint should be applied?
20A team is adopting GitOps for infrastructure. They want to ensure that all Terraform configuration changes are automatically applied after merging to the main branch. Which CI/CD approach best supports this?
21A company uses a shared VPC with multiple service projects. The network team wants to allow a DevOps team to create Cloud Run services in a service project but prevent them from creating Cloud Run services with public access (allowUnauthenticated invocations). What is the best approach?
22An organization wants to implement policy-as-code to validate Terraform plans against security policies before applying them. They are using Terraform Cloud (TFE). Which tool is natively integrated with Terraform Cloud for policy checks?
23A team manages infrastructure across multiple Google Cloud projects using Terraform. They want to centralize state file management in a GCS bucket and ensure that each project's state is isolated. Which backend configuration best achieves this?
24A company needs to track costs across different teams and projects. They want to see detailed breakdowns by team, environment, and application. Which GCP feature should they use to tag resources for cost analysis?
25A DevOps engineer is bootstrapping a new organization. They need to set up a centralized logging project to collect audit logs from all projects. What is the required step to enable cross-project log sinks?
26A company uses Terraform with remote state stored in GCS. They want to prevent concurrent `terraform apply` runs for the same configuration to avoid state corruption. Which feature should they use?
27A team wants to implement policy-as-code to check Terraform plans for compliance before deployment. They prefer an open-source tool that works with any CI/CD pipeline and can evaluate policies expressed in Rego. Which tool should they use?
28A company is designing a landing zone for a large enterprise with multiple business units. They need to implement cost tracking and billing management. Which TWO actions should they take?
29A DevOps team is adopting trunk-based development for their Terraform configurations. They want to ensure that all changes are tested before being applied to production. Which THREE practices should they implement?
30A company wants to enforce least-privilege IAM for their DevOps team. They need to grant permissions to manage Compute Engine instances but not to delete them. Which TWO approaches should they use?
31A DevOps engineer is bootstrapping a new Google Cloud organization. They need to enforce that all Compute Engine VM instances must use Shielded VM features. Which method should they use?
32A company has a Google Cloud organization with separate folders for development, staging, and production. They want to deploy Terraform using a CI/CD pipeline that runs in a shared tools project. Where should the Terraform state files be stored and how should the pipeline authenticate?
33An organization wants to implement a landing zone with shared VPC, centralized logging, and security projects. Which folder structure best follows Google Cloud's recommended landing zone design?
34A team uses Terraform with remote state stored in a GCS bucket. They are implementing policy as code using Conftest to validate Terraform plans before apply. The Conftest checks run in a CI/CD pipeline. Which approach ensures that Conftest policies are enforced consistently across all Terraform workspaces?
35A DevOps engineer needs to ensure that no Compute Engine VM in the organization can have an external IP address, except for a specific set of approved projects. Which organization policy configuration should they use?
36A company wants to enforce that all Cloud Run services must not be publicly accessible. They need a preventive control rather than a detective one. Which approach should they use?
37An organization uses Terraform to manage infrastructure across multiple teams. They want to implement a branching strategy that supports rapid iteration and continuous integration for infrastructure changes while ensuring that the main branch always reflects the desired state. Which Git branching model is most aligned with GitOps principles for IaC?
38A DevOps engineer needs to set up billing export to analyze costs by team and environment. They have organized projects with labels: team (e.g., 'platform', 'data') and environment (e.g., 'prod', 'dev'). Which billing export configuration should they use?
39A team is migrating from Cloud Deployment Manager to Terraform. They need to manage state for multiple environments (dev, staging, prod) using a single Terraform configuration. Which Terraform feature should they use to achieve this?
40An organization wants to implement privileged access management (PAM) for their Google Cloud environment. They need to grant temporary, just-in-time access to production projects for incident responders. Which GCP service should they use?
41A company wants to ensure that all new projects created in their Google Cloud organization automatically inherit a set of baseline IAM roles for the security team. Which approach should they use?
42A DevOps team uses Terraform Cloud to manage infrastructure. They want to enforce that all Terraform plans must pass a set of policy checks before they can be applied. The policies include restricting resource types and ensuring proper tagging. Which Terraform Cloud feature should they use?
43A company is designing a landing zone in Google Cloud. They need to set up a shared VPC for multiple projects. Which TWO steps should they take? (Choose two.)
44An organization uses Terraform with a GCS backend for state. They want to implement a GitOps workflow where changes merged to the main branch are automatically applied. The CI/CD pipeline uses a service account with Workload Identity Federation. Which THREE components are required? (Choose three.)
45A team wants to enforce that all Compute Engine disks must be encrypted with Customer-Managed Encryption Keys (CMEK) stored in Cloud Key Management Service (KMS). Which TWO steps should they take? (Choose two.)
46An organization wants to enforce that all Compute Engine instances are created in a specific set of regions. Which Google Cloud feature should be used?
47A DevOps team uses Terraform to manage infrastructure. They want to store state files in a shared backend that supports locking and versioning. Which backend meets these requirements?
48A company wants to centralize audit logs and billing data from multiple projects in a single project for analysis. What is the best approach?
49A team uses Terraform with a GCS backend. After a failed apply, the state file is corrupted. How can they recover to the last known good state?
50An organization wants to enforce that no Compute Engine VM has an external IP address. Which approach should be used?
51A DevOps engineer wants to manage Google Cloud resources as code using a declarative language. Which tool is the current industry standard and recommended by Google?
52A team wants to implement GitOps for their Terraform infrastructure. They want to automatically apply changes when a pull request is merged to the main branch. Which approach should they use?
53An organization wants to implement least-privilege IAM for their DevOps team. They need permissions to manage Compute Engine instances but not to create or delete them. Which IAM role should be assigned?
54A company has multiple teams in a GCP organization. They want to isolate environments (prod, staging, dev) and give each team a separate project for development. Which folder structure is recommended?
55An organization wants to enforce that all Cloud Run services are not publicly accessible. Which organization policy should they use?
56A DevOps engineer is using Terraform and wants to reference outputs from another Terraform configuration that manages networking. Which approach should they use?
57An organization wants to track cloud costs per team and per project. They have already enabled billing export to BigQuery. What additional step should they take to enable cost attribution?
58A DevOps team is designing a landing zone on GCP. They want to centralize networking, logging, and security. Which TWO projects should they create? (Choose 2)
59An organization wants to enforce policy as code for Terraform configurations. Which TWO tools can be used to validate Terraform plans against custom policies before apply? (Choose 2)
60A company wants to implement security controls for Compute Engine VMs across their organization. Which THREE organization policies can enforce VM security? (Choose 3)
61A company is setting up a new Google Cloud organization. The DevOps team wants to enforce that all Compute Engine instances are created only in us-central1 or europe-west1. Which approach should they use?
62A team manages Terraform state for multiple projects using a single GCS bucket. They need to ensure that state operations are not concurrent to avoid corruption. What should they do?
63An organization wants to use a GitOps workflow for infrastructure deployment with Terraform. They use GitHub as the source of truth and want to automatically apply Terraform changes when a pull request is merged to the main branch. They need to review Terraform plans before apply. Which solution meets these requirements?
64A DevOps engineer needs to create a custom IAM role that allows only the permission to create Compute Engine instances, but not to modify or delete them. What is the best practice for defining this role?
65A company has multiple GCP projects and wants to audit all IAM policy changes. They need a solution that captures who made the change, what was changed, and when. The solution should be cost-effective and require minimal setup. What should they use?
66A team uses Terraform to manage infrastructure. They want to ensure that all Terraform code passes policy checks before being applied. They use Terraform Cloud. Which built-in feature allows them to define policies that are checked during the plan phase?
67An organization wants to set up a landing zone with separate projects for development, staging, and production environments. They also need a shared VPC for networking and a centralized logging project. Which folder structure aligns with Google Cloud best practices?
68What is the purpose of a Google Cloud organization node in the resource hierarchy?
69A company wants to implement least-privilege IAM for their DevOps team. The team needs to manage Compute Engine instances and Cloud Storage buckets, but not delete resources. Which approach is recommended?
70A team uses Terraform with a GCS backend for state. They want to use remote state from another project to read output values. What Terraform configuration element is used to retrieve outputs from a different state file?
71A company needs to control cost by setting a budget alert on their billing account. They want to be notified when spending exceeds 80% of the budget. What should they configure?
72Which Git branching strategy is recommended for infrastructure as code in a DevOps environment to enable continuous delivery?
73A company wants to enforce that all Compute Engine VMs have Shielded VM features enabled. Which mechanism should they use?
74A team is migrating to GCP and wants to use Cloud Deployment Manager for infrastructure. They have existing Terraform modules. What is the best approach?
75An organization wants to restrict the creation of Cloud SQL instances outside of specific regions. Which organization policy constraint should they use?
76A company wants to implement a landing zone with centralized logging and monitoring. Which TWO services should they use to collect and analyze logs from all projects? (Choose 2)
77A team uses Terraform and wants to enforce policy checks before code is committed to the repository. Which TWO tools can be used for pre-commit policy as code checks? (Choose 2)
78A company wants to implement least-privilege access for service accounts. Which THREE practices should they follow? (Choose 3)
79An organization wants to enforce that no Compute Engine instances have external IP addresses except for a specific project. Which TWO steps should they take? (Choose 2)
80A company wants to set up cost tracking by project, environment, and team. Which THREE methods should they use? (Choose 3)
81A DevOps team is bootstrapping a new Google Cloud organization. They want to enforce that all Compute Engine instances must use Shielded VM features (Secure Boot, vTPM, Integrity Monitoring). Which organization policy should they set at the organization level?
82An organization uses Terraform to manage infrastructure across multiple projects. They want to use a single shared Terraform state file for their production environment but isolate state for development environments. The team uses Terraform Cloud workspaces. Which state management approach is most appropriate?
83A company wants to enforce that no Compute Engine instances are created with external IP addresses unless explicitly allowed. Which organization policy constraint should be used?
84A DevOps team is designing a landing zone in Google Cloud. They need to set up a folder structure that supports multiple teams and environments. Which TWO practices should they follow? (Choose 2)
The Bootstrapping a Google Cloud Organisation for DevOps domain covers the key concepts tested in this area of the PCDE exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCDE domains — no account required.
The Courseiva PCDE question bank contains 84 questions in the Bootstrapping a Google Cloud Organisation for DevOps domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Bootstrapping a Google Cloud Organisation for DevOps domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included