This chapter covers two Infrastructure as Code (IaC) tools on Google Cloud: Deployment Manager, Google's native declarative service, and Terraform, the industry-standard open-source tool. For the ACE exam, approximately 10-15% of questions touch IaC concepts, with a strong emphasis on comparing the two tools, understanding their resource lifecycles, and knowing when to use each. You must be able to interpret Deployment Manager configurations (YAML + Python/Jinja templates) and Terraform HCL, understand state management, and recognize the differences in drift detection and preview modes. This chapter gives you the exact details tested on the exam, including default behaviors, command syntax, and common misconfigurations.
Jump to a section
Imagine you are building a house. Google Deployment Manager is like hiring a general contractor who only works with a specific set of pre-approved blueprints from a catalog. You fill out a form (the YAML config) specifying which blueprint (template) to use, and the contractor orders the exact materials, hires the subs, and builds each room exactly per plan. If you need a non-standard window, you must create a new blueprint using Python or Jinja and submit it for approval. The contractor keeps a state file of what was built, but only in his own notebook — you can't see it unless he shows you. Terraform, on the other hand, is like hiring a custom architect who brings their own detailed plans and a shared project management tool (the state file). The architect defines every nail and beam in HCL (HashiCorp Configuration Language), and the tool tracks the exact current state of the house in a central file. When you decide to add a sunroom, the architect compares the desired state (new plan) with the current state (the file) and produces a list of changes: 'Remove wall here, pour foundation there.' If a subcontractor builds a window 2 inches too wide, Terraform detects the drift and alerts you. Deployment Manager has no such drift detection — it only sees what it last declared, not what actually exists. In GCP, Terraform is the custom architect with a shared ledger; Deployment Manager is the contractor with a limited catalog and no independent audit.
What Are Deployment Manager and Terraform?
Infrastructure as Code (IaC) is the practice of managing cloud resources through machine-readable definition files rather than manual CLI or GUI operations. On GCP, two primary IaC tools exist: Google Cloud Deployment Manager (native) and Terraform by HashiCorp (third-party but deeply integrated). Both allow you to define, deploy, and manage resources declaratively, but they differ in architecture, state management, and ecosystem.
Deployment Manager is a Google-managed service that interprets YAML configuration files, optionally augmented with Python or Jinja templates, to create and manage GCP resources. It is tightly coupled with GCP APIs and requires no external state storage — Google maintains the state internally. However, it only supports GCP resources (not multi-cloud) and lacks built-in drift detection.
Terraform is a CLI-based tool that uses HashiCorp Configuration Language (HCL) to define infrastructure. It stores state in a local or remote backend (e.g., Cloud Storage) and supports hundreds of providers (GCP, AWS, Azure, etc.). Terraform performs drift detection by comparing the state file with real-world resources during planning. The ACE exam tests your ability to choose between these tools based on requirements like multi-cloud, state management, and advanced provisioning logic.
How Deployment Manager Works
When you submit a Deployment Manager config, the following sequence occurs:
You define resources in a YAML file (config.yaml) with an optional schema and templates. Templates (Python or Jinja) allow parameterization and reuse.
You run gcloud deployment-manager deployments create my-deployment --config config.yaml.
Deployment Manager validates the config against the resource schemas and expands any templates.
It calls the relevant GCP APIs in dependency order (based on metadata.dependsOn or implicit references).
Resources are created, and the deployment state is stored in Google's internal database (not directly accessible to you).
To update, you modify the config and run gcloud deployment-manager deployments update my-deployment --config new-config.yaml. Deployment Manager computes the diff between the new config and the stored state, then applies changes.
To delete, run gcloud deployment-manager deployments delete my-deployment, which tears down all resources in the deployment.
Key components:
- Config file (YAML): defines resources array, each with name, type, and properties.
- Templates (Python/Jinja): reusable building blocks that accept input variables and output resource definitions.
- Schema files (YAML): define input parameters and their constraints for templates.
- Type providers: allow Deployment Manager to manage non-Google resources (e.g., external APIs) via REST endpoints.
Default values and timers: Deployment Manager uses a default timeout of 60 minutes per deployment operation. If an operation exceeds this, it fails. You can set a custom timeout using the --timeout flag (in seconds).
How Terraform Works
Terraform follows a distinct workflow:
Init: terraform init initializes the working directory, downloads provider plugins (e.g., hashicorp/google), and configures the backend.
Plan: terraform plan reads the current state from the backend, compares it with the configuration files, and produces an execution plan showing what will be created, modified, or destroyed.
Apply: terraform apply executes the plan, calling GCP APIs in dependency order. It updates the state file after each resource operation.
Destroy: terraform destroy tears down all resources defined in the configuration.
State management is central to Terraform. The state file (terraform.tfstate) maps resources to their real-world IDs and attributes. By default, it is stored locally, but for teams, you must use a remote backend like Google Cloud Storage (GCS) with versioning enabled. The ACE exam emphasizes that state files contain sensitive data (e.g., VM passwords) and must be secured with encryption and access controls.
Drift detection: When you run terraform plan, Terraform refreshes the state by querying the GCP API for each resource. If someone manually modified a resource (e.g., changed a VM's machine type via the Console), Terraform detects the drift and proposes a change to revert it (or you can import the change with terraform import). This is a key difference from Deployment Manager, which does not automatically detect drift.
Comparing Lifecycle and Dependencies
Both tools handle resource dependencies. In Deployment Manager, you can set metadata.dependsOn with a list of resource names, or use implicit references (e.g., referencing a network name in a VM's networkInterfaces). In Terraform, dependencies are inferred from references (e.g., google_compute_instance.my_vm.network_interface[0].network = google_compute_network.my_net.self_link), or you can use depends_on meta-argument.
Deployment Manager supports preview mode via --preview flag, which shows what will change without actually applying it. Terraform's terraform plan serves the same purpose. However, Deployment Manager's preview does not show the full diff for complex templates; Terraform's plan is more detailed.
Configuration Syntax Examples
Deployment Manager YAML:
resources:
- name: my-vm
type: compute.v1.instance
properties:
zone: us-central1-a
machineType: zones/us-central1-a/machineTypes/n1-standard-1
disks:
- deviceName: boot
type: PERSISTENT
boot: true
autoDelete: true
initializeParams:
sourceImage: projects/debian-cloud/global/images/family/debian-11
networkInterfaces:
- network: global/networks/defaultTerraform HCL:
resource "google_compute_instance" "my_vm" {
name = "my-vm"
machine_type = "n1-standard-1"
zone = "us-central1-a"
boot_disk {
initialize_params {
image = "debian-cloud/debian-11"
}
}
network_interface {
network = "default"
}
}Advanced Features
Deployment Manager templates allow looping and conditionals via Python or Jinja. For example, a Python template can generate multiple VMs based on a list of names:
resources = []
for i in range(3):
resources.append({
'name': f'vm-{i}',
'type': 'compute.v1.instance',
'properties': { ... }
})Terraform modules provide reusable infrastructure components. You can call a module from the registry or a local path:
module "vpc" {
source = "terraform-google-modules/network/google"
version = "~> 4.0"
network_name = "my-vpc"
project_id = var.project_id
}Interaction with Other GCP Services
Both tools integrate with Cloud IAM for permissions. Deployment Manager uses the service account associated with the deployment (by default the Google APIs service account). Terraform uses the credentials configured in the provider block (e.g., a service account key file). Both can leverage Cloud Audit Logs to track changes.
For secrets, Terraform can reference Cloud Secret Manager via data.google_secret_manager_secret_version. Deployment Manager can use type: gcp-types/secretmanager-v1:projects.locations.secrets.versions.access but requires more effort.
Exam-Relevant Defaults and Limits
Deployment Manager: Maximum deployment size is 10 MB (compressed). Maximum number of resources per deployment is 500. Templates can be up to 1 MB.
Terraform: No hard resource limit per state, but large states (>1000 resources) may cause slow planning. Use terraform state commands to manage state.
Both: Resource names must be unique per project for global resources (e.g., VPC networks) and per region for regional resources.
Commands Summary
Deployment Manager:
gcloud deployment-manager deployments create my-deployment --config config.yaml
gcloud deployment-manager deployments update my-deployment --config new-config.yaml
gcloud deployment-manager deployments delete my-deployment
gcloud deployment-manager deployments list
gcloud deployment-manager deployments describe my-deploymentTerraform:
terraform init
terraform plan -out=tfplan
terraform apply tfplan
gsutil versioning set on gs://my-bucket # Enable for remote state
gcloud storage buckets create gs://my-bucket --location=us-central1 --uniform-bucket-level-access
gsutil iam ch serviceAccount:terraform-sa@project.iam.gserviceaccount.com:objectAdmin gs://my-bucketDefine Infrastructure Configuration
You start by writing a configuration file. For Deployment Manager, this is a YAML file (config.yaml) that lists resources, their types, and properties. You can also create reusable templates in Python or Jinja. For Terraform, you write .tf files in HCL, defining providers, resources, and variables. This step is purely declarative — you state what you want, not how to achieve it. The ACE exam expects you to recognize correct syntax for both, especially common resource types like compute instances, networks, and storage buckets.
Initialize the Environment
For Deployment Manager, no explicit init step is needed — you just run `gcloud deployment-manager deployments create`. For Terraform, you must run `terraform init` in the directory containing your .tf files. This command downloads the required provider plugins (e.g., `hashicorp/google`) and configures the backend (local or remote). If you use a remote backend like Cloud Storage, the backend configuration must be in a `terraform { backend "gcs" { ... } }` block. Without init, Terraform will fail with a 'no provider' error.
Preview Changes (Optional)
Before applying, you can preview what will change. Deployment Manager uses `--preview` flag with `create` or `update`. Terraform uses `terraform plan` (or `terraform plan -out=tfplan` to save the plan). The plan shows additions, modifications, and deletions. Terraform's plan is more detailed, showing attribute-level diffs. Deployment Manager's preview is less granular and may not show template expansion results. The exam tests that preview does not create any resources — it only simulates the API calls.
Apply Configuration
To create or update resources, you run the apply command. Deployment Manager: `gcloud deployment-manager deployments create` or `update`. Terraform: `terraform apply` (you can pass a saved plan file). Both tools call the GCP APIs in dependency order. Terraform updates the state file after each resource operation. Deployment Manager stores state internally but does not expose it. If an API call fails, the operation may roll back (Deployment Manager) or leave resources in a partial state (Terraform, depending on the provider).
Manage State and Drift
After deployment, Terraform's state file is the source of truth for the next plan. If someone manually changes a resource (e.g., resizes a VM via Console), `terraform plan` will detect the drift and propose to revert it. Deployment Manager does not detect drift — it only compares the new config with the stored config, not the actual resource state. To handle drift in Deployment Manager, you must manually reconcile by importing or recreating. The ACE exam emphasizes this difference: Terraform detects drift; Deployment Manager does not.
Scenario 1: Multi-Cloud Deployment with Terraform
A fintech startup wants to deploy a hybrid infrastructure across GCP and AWS. They choose Terraform because its multi-cloud provider architecture allows them to manage both clouds from a single codebase. They store state in a GCS bucket with versioning and use a remote backend configuration in main.tf:
terraform {
backend "gcs" {
bucket = "my-terraform-state-bucket"
prefix = "prod"
}
}They encounter a common issue: when two engineers run terraform apply simultaneously, the state file can become corrupted. To prevent this, they enable state locking using GCS object lease (Terraform's built-in locking mechanism). The team also uses Terraform Cloud workspaces to separate dev, staging, and prod environments. A mistake they made early on was storing state locally — after a laptop crash, they lost the state and had to manually import 50+ resources. Now they mandate remote state with versioning and enforce access controls via IAM.
Scenario 2: Google-Only Infrastructure with Deployment Manager
A large enterprise running exclusively on GCP uses Deployment Manager for its simplicity and tight integration with Google Cloud Console. They deploy a standard three-tier web application (load balancer, managed instance group, Cloud SQL) using a Python template that accepts environment variables. The template generates a config with 20+ resources. They use the --preview flag in CI/CD to validate changes before merging. A challenge they face is that Deployment Manager does not support complex conditionals in YAML alone — they must use Python templates, which require additional testing. They also discovered that Deployment Manager does not automatically detect when a resource is manually deleted; the deployment remains in a 'deployed' state but the resource is gone. To recover, they must run an update with the same config, which recreates the missing resource.
Scenario 3: Hybrid Approach Using Both Tools
A DevOps team uses Terraform for core infrastructure (VPCs, subnets, firewall rules) because of its drift detection and modularity. For application-specific resources that change frequently (e.g., Cloud Functions, Pub/Sub topics), they use Deployment Manager with YAML configs that are generated by their CI/CD pipeline. This hybrid approach leverages the strengths of each tool. The key pitfall is that Terraform state and Deployment Manager state are separate — if both tools manage the same resource, conflicts occur. They mitigate this by clearly dividing resource ownership. For example, Terraform owns networking, Deployment Manager owns serverless resources. They use import commands to bring existing resources under management if needed.
What the ACE Exam Tests
The ACE exam objectives under 'Deploy Implement' (3.1) include: 'Deploy and manage Compute Engine resources using Infrastructure as Code (IaC) tools (e.g., Deployment Manager, Terraform)'. Specific sub-objectives:
Create and manage deployments using Deployment Manager (YAML, Python templates)
Use Terraform to manage GCP resources (HCL, state management)
Compare and contrast Deployment Manager and Terraform
Understand state file management and backend configuration
Recognize drift detection capabilities
Common Wrong Answers and Why
'Deployment Manager supports drift detection.' Wrong. Deployment Manager does not query the actual state of resources; it only compares the new config with the stored config. Terraform does detect drift via refresh during plan.
'Terraform state must be stored locally.' Wrong. For production, state should be stored remotely (e.g., GCS) with locking. Local state is only for experimentation.
'Deployment Manager can manage multi-cloud resources.' Wrong. Deployment Manager is GCP-only. Terraform is multi-cloud.
'You need to run terraform init every time you change the configuration.' Wrong. init is only needed when you add or change providers or modules. For routine config changes, you only need plan and apply.
Specific Numbers and Terms on the Exam
Deployment Manager config file extension: .yaml (not .yml officially, though both work).
Template languages: Python (.py) and Jinja (.jinja or .j2).
Terraform state file: terraform.tfstate (local) or stored in a backend.
Terraform command to refresh state: terraform refresh (or terraform plan -refresh-only).
GCS backend configuration: backend "gcs" { bucket = "..." prefix = "..." }.
State locking: Terraform uses GCS object lease for locking.
Edge Cases and Exceptions
If a Deployment Manager deployment fails partway, resources may be left in an inconsistent state. You must delete the deployment or manually clean up.
Terraform's terraform import can bring existing resources under management, but it does not generate configuration — you must write the HCL manually.
Deployment Manager can manage non-GCP resources via type providers, but this is rarely tested.
Both tools support depends_on for explicit dependencies.
How to Eliminate Wrong Answers
If the question mentions 'multi-cloud', eliminate Deployment Manager.
If the question mentions 'drift detection' or 'state file', lean toward Terraform.
If the question asks about 'native GCP integration' or 'no external state storage', lean toward Deployment Manager.
If the question involves 'Python templates' or 'Jinja', it must be Deployment Manager.
If the question involves 'HCL' or 'modules', it must be Terraform.
Deployment Manager uses YAML configs with optional Python/Jinja templates; Terraform uses HCL.
Terraform detects drift by comparing state with actual resources; Deployment Manager does not.
Terraform state should be stored remotely (e.g., GCS) with versioning and locking for production.
Deployment Manager is GCP-only; Terraform supports multiple cloud providers.
Both tools support preview (Deployment Manager --preview, Terraform plan) before applying changes.
Deployment Manager has a 10 MB compressed config limit and 500 resources per deployment.
Terraform init is required only when adding or changing providers or modules, not for routine config changes.
These come up on the exam all the time. Here's how to tell them apart.
Deployment Manager
Native GCP service — no external tool installation required
State stored internally by Google — not directly accessible
No drift detection — only compares new config with stored config
Config language: YAML + Python/Jinja templates
GCP-only resource management
Terraform
Third-party CLI tool — must be installed and configured
State stored in a local file or remote backend (e.g., GCS)
Drift detection via refresh during plan — compares state with real resources
Config language: HCL (HashiCorp Configuration Language)
Multi-cloud support via providers (GCP, AWS, Azure, etc.)
Mistake
Deployment Manager and Terraform are interchangeable — you can use either for any scenario.
Correct
Deployment Manager is GCP-only and lacks drift detection. Terraform is multi-cloud and has robust drift detection. The choice depends on multi-cloud requirements, state management needs, and team expertise. The exam tests your ability to select the appropriate tool.
Mistake
Terraform state files are safe to store locally for production.
Correct
Local state files are a single point of failure and cannot be shared. For production, you must use a remote backend like GCS with versioning and locking. The exam expects you to know that state files contain sensitive data and must be encrypted.
Mistake
Deployment Manager automatically detects and fixes configuration drift.
Correct
Deployment Manager does not compare the actual resource state with the config. It only compares the new config with the previous config it stored. If someone manually changes a resource, Deployment Manager will not detect it. Terraform does detect drift during plan.
Mistake
You must run terraform plan before every terraform apply.
Correct
While it's best practice, you can run `terraform apply` directly without a separate plan. However, `terraform apply` without a saved plan will still generate a plan and prompt for approval. The exam may test that `terraform plan` is the preview step.
Mistake
Deployment Manager templates can only be written in YAML.
Correct
YAML defines the config, but templates can be written in Python or Jinja to add logic like loops and conditionals. The YAML config references these templates. The exam tests the ability to identify template types.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Deployment Manager is Google's native IaC service, using YAML and templates, with state managed internally and no drift detection. Terraform is a third-party tool using HCL, with state stored in a file (local or remote) and automatic drift detection. Choose Deployment Manager for GCP-only, simple deployments; choose Terraform for multi-cloud, complex state management, and drift detection.
Add a backend block in your Terraform configuration: `terraform { backend "gcs" { bucket = "my-bucket" prefix = "prod" } }`. Then run `terraform init` to migrate state. Ensure the bucket has versioning enabled and appropriate IAM permissions for the service account running Terraform.
No, Deployment Manager does not automatically detect drift. It only compares the new configuration with the previously stored configuration, not the actual state of resources. If a resource is manually modified or deleted, Deployment Manager will not detect it. Terraform does detect drift during `terraform plan`.
Yes, you can use `terraform import` to bring existing resources under Terraform management. However, you must write the HCL configuration manually to match the resource. Terraform does not generate configuration from existing resources — you need to define it yourself.
The default timeout is 60 minutes. You can override it with the `--timeout` flag (in seconds) when creating or updating a deployment. For example: `gcloud deployment-manager deployments create my-deployment --config config.yaml --timeout=1200` (20 minutes).
Use the `--preview` flag with `create` or `update`. Example: `gcloud deployment-manager deployments create my-deployment --config config.yaml --preview`. This shows what resources will be created or modified without actually applying. To apply a preview, use `gcloud deployment-manager deployments update my-deployment --config config.yaml` (without --preview) on the same deployment.
Maximum compressed config size: 10 MB. Maximum resources per deployment: 500. Maximum template size: 1 MB. These limits are tested on the exam. If you exceed them, the deployment will fail.
You've just covered Deployment Manager and Terraform on GCP — now see how well it sticks with free ACE practice questions. Full explanations included, no account needed.
Done with this chapter?