CCNA Pcde Bootstrapping Org Questions

9 of 84 questions · Page 2/2 · Pcde Bootstrapping Org topic · Answers revealed

76 · MCQ · medium

A team uses Terraform to manage infrastructure. They want to ensure that all Terraform code passes policy checks before being applied. They use Terraform Cloud. Which built-in feature allows them to define policies that are checked during the plan phase?

A. `terraform validate`
B. Sentinel
C. Conftest
D. OPA (Open Policy Agent)

Answer: B

Sentinel is Terraform Cloud's native policy framework for plan-time checks.

Why this answer

Sentinel is Terraform Cloud's built-in policy-as-code framework that allows teams to define and enforce policies during the plan phase. It integrates directly with Terraform Cloud's run lifecycle, enabling policy checks to be evaluated against the planned infrastructure changes before they are applied. This ensures compliance and governance without requiring external tools.

Exam trap

The trap here is that candidates may confuse `terraform validate` (a syntax checker) with a policy enforcement tool, or assume that external policy engines like OPA or Conftest are built into Terraform Cloud, when in fact Sentinel is the native policy-as-code solution.

How to eliminate wrong answers

Option A is wrong because `terraform validate` is a CLI command that checks configuration syntax and internal consistency, but it does not support custom policy definitions or integrate with Terraform Cloud's plan-phase checks. Option C is wrong because Conftest is an open-source policy testing tool that works with OPA and can be used with Terraform, but it is not a built-in feature of Terraform Cloud; it requires external setup and integration. Option D is wrong because OPA (Open Policy Agent) is a general-purpose policy engine that can be used with Terraform via external tools like Conftest, but it is not a built-in feature of Terraform Cloud and does not natively integrate into the plan phase without additional configuration.

77 · Multi-Select · medium

A company wants to implement security controls for Compute Engine VMs across their organization. Which THREE organization policies can enforce VM security? (Choose 3)

Select 3 answers
A. `compute.requireShieldedVm`
B. `storage.uniformBucketLevelAccess`
C. `compute.vmExternalIpAccess`
D. `compute.trustedImageProjects`
E. `iam.disableServiceAccountKeyCreation`

Answers: A, C, D

A requires all VMs to use Shielded VM features, C restricts which instances may have external IPs, and D restricts which projects may supply boot images.

Why this answer

These three policies enforce VM security: external IP restriction, shielded VM requirement, and trusted image projects.

78 · Multi-Select · hard

An organization wants to enforce that no Compute Engine instances have external IP addresses except for a specific project. Which TWO steps should they take? (Choose 2)

Select 2 answers
A. In the exception project, override the policy to allow.
B. Add a firewall rule to block traffic to external IPs.
C. Remove the external IP from all instances manually.
D. Create an organization policy with constraint `compute.vmExternalIpAccess` set to deny.
E. Use VPC Service Controls to restrict external access.

Answers: A, D

Deny at the organization level, then use policy inheritance with an allow override on the exception project.

Why this answer

Set an organization policy that denies external IPs at the organization level, then override that constraint with an allow on the one project that needs external IPs. Firewall rules, manual clean-up, and VPC Service Controls do not prevent new instances from being created with external IPs.

79 · MCQ · easy

A company needs to track costs across different teams and projects. They want to see detailed breakdowns by team, environment, and application. Which GCP feature should they use to tag resources for cost analysis?

A. Billing budgets
B. Network tags
C. Resource labels
D. Billing export to BigQuery

Answer: C

Labels allow you to organize resources and are used in billing reports to break down costs.

Why this answer

Labels are key-value pairs that can be attached to resources for cost allocation and reporting. Tags are also available but are used for networking and IAM, not primarily for cost tracking. Billing budgets and export are complementary but not for tagging.

80 · MCQ · hard

A company uses Terraform to manage infrastructure. They have a monolithic Terraform configuration that manages all projects in a single state file. As the organization grows, the configuration becomes slow and error-prone. The team wants to adopt a modular approach with separate state files for each project while reusing common modules. Which strategy should they follow?

A. Create a single Terraform module for all resources and call it with different variables for each project, using the same state file.
B. Keep the monolithic configuration but use Terraform workspaces to create separate state files for each project.
C. Split the monolithic configuration into separate root modules per project, store state in GCS buckets with a prefix per project, and use `terraform_remote_state` data sources to share outputs between modules.
D. Use Cloud Deployment Manager with separate YAML templates for each project and a central state stored in Cloud Storage.

Answer: C

This enables independent state management and reuse of outputs across projects.

Why this answer

Terraform workspaces are used to manage multiple state files within a single root module but are not designed for separate project state files. Remote state data sources allow reading outputs from other state files, enabling modular architecture. Using separate root modules for each project with remote state dependencies is the recommended approach for large environments.

81 · MCQ · medium

A team manages infrastructure across multiple Google Cloud projects using Terraform. They want to centralize state file management in a GCS bucket and ensure that each project's state is isolated. Which backend configuration best achieves this?

A. Use a single bucket with a separate prefix for each project; configure the backend for each project with its own prefix.
B. Use a separate bucket for each project.
C. Use local state files and commit them to Git.
D. Store all state files in the same bucket under the same prefix and use workspaces.

Answer: A

This isolates state files by project using prefixes.

Why this answer

Terraform backend configuration allows specifying a GCS bucket and prefix. Using a separate prefix per project (e.g., `project-a/terraform.tfstate`) isolates state files. Workspaces are not needed; the prefix approach is simpler.
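The layout described in questions 80 and 81, written out as an added example (it is not part of the question bank): two root modules share one GCS bucket, each under its own prefix, and the second root reads the first one's outputs through `terraform_remote_state`. The bucket name `tfstate-example-bucket`, the project IDs `project-a` and `project-b`, and the resource names are assumptions.

```hcl
############ project-a/ (root module for project A) ############
terraform {
  backend "gcs" {
    bucket = "tfstate-example-bucket" # assumed bucket; enable object versioning on it
    prefix = "project-a"              # state object becomes project-a/default.tfstate
  }
}

provider "google" {
  project = "project-a" # assumed project ID
}

resource "google_compute_network" "shared" {
  name                    = "shared-vpc"
  auto_create_subnetworks = false
}

# Only values declared as outputs are meant to be consumed by other roots.
output "shared_vpc_self_link" {
  value = google_compute_network.shared.self_link
}

############ project-b/ (root module for project B) ############
terraform {
  backend "gcs" {
    bucket = "tfstate-example-bucket"
    prefix = "project-b"              # isolated from project A's state object
  }
}

provider "google" {
  project = "project-b" # assumed project ID
}

# Read project A's outputs without sharing its state file or root module.
data "terraform_remote_state" "project_a" {
  backend = "gcs"
  config = {
    bucket = "tfstate-example-bucket"
    prefix = "project-a"
  }
}

resource "google_compute_subnetwork" "app" {
  name          = "app-subnet"
  region        = "us-central1"
  ip_cidr_range = "10.10.0.0/24"
  network       = data.terraform_remote_state.project_a.outputs.shared_vpc_self_link
}
```

Each directory is initialised and applied on its own (`terraform init` then `terraform apply` inside `project-a/`, then inside `project-b/`). Two caveats a practitioner should keep in mind: with the GCS backend the object name is `<prefix>/<workspace>.tfstate`, so the default workspace produces `project-a/default.tfstate`, and `terraform_remote_state` downloads the entire remote state object, not just its outputs, so whoever runs project B needs `storage.objects.get` on project A's state and can read everything in it. Grant that read access per prefix, keep bucket versioning on, and keep secrets out of state wherever possible.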

82 · MCQ · easy

An organization wants to enforce that all Compute Engine VMs are created with Shielded VM features enabled to protect against rootkits and boot-level malware. Which Google Cloud mechanism should be used?

A. Organization policies
B. Resource labels
C. Service accounts
D. IAM roles

Answer: A

Organization policies can enforce constraints like requiring Shielded VMs across the organization.

Why this answer

Organization policies allow you to define constraints that apply to all resources under an organization. The `compute.requireShieldedVm` constraint enforces that VMs must have Shielded VM enabled. IAM roles and service accounts control access but not resource properties.

Labels are for metadata, not enforcement.
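The three constraints from question 77, the deny-with-exception pattern from question 78, and the Shielded VM requirement from question 82, as one added Terraform example using the `google_org_policy_policy` resource (this is example code, not part of the question bank). The variable names `org_id`, `exception_project` and `image_project` are assumptions.

```hcl
variable "org_id"            { type = string } # assumed: numeric organization ID
variable "exception_project" { type = string } # assumed: the one project allowed external IPs
variable "image_project"     { type = string } # assumed: project that hosts approved boot images

# Boolean constraint: every VM under the organization must be a Shielded VM.
resource "google_org_policy_policy" "require_shielded_vm" {
  name   = "organizations/${var.org_id}/policies/compute.requireShieldedVm"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}

# List constraint, organization level: no instance may have an external IP.
resource "google_org_policy_policy" "deny_external_ip" {
  name   = "organizations/${var.org_id}/policies/compute.vmExternalIpAccess"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      deny_all = "TRUE"
    }
  }
}

# Same constraint, project level: the exception project replaces the inherited
# deny with an allow. inherit_from_parent = false makes the override explicit.
resource "google_org_policy_policy" "allow_external_ip_exception" {
  name   = "projects/${var.exception_project}/policies/compute.vmExternalIpAccess"
  parent = "projects/${var.exception_project}"

  spec {
    inherit_from_parent = false
    rules {
      allow_all = "TRUE"
    }
  }
}

# List constraint: boot images may only come from the approved image project.
resource "google_org_policy_policy" "trusted_image_projects" {
  name   = "organizations/${var.org_id}/policies/compute.trustedImageProjects"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      values {
        allowed_values = ["projects/${var.image_project}"]
      }
    }
  }
}
```

Applying this requires the Organization Policy Administrator role on the organization. To confirm the override took effect, read the effective policy from the exception project's point of view with `gcloud org-policies describe compute.vmExternalIpAccess --project=<exception_project> --effective`; every other project should still resolve to the organization-level deny.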

83 · MCQ · hard

A team is migrating to GCP and wants to use Cloud Deployment Manager for infrastructure. They have existing Terraform modules. What is the best approach?

A. Use Deployment Manager only for new resources and Terraform for existing.
B. Convert Terraform modules to Deployment Manager templates manually.
C. Run Terraform as a subprocess within Deployment Manager.
D. Use Terraform with a GCS backend; avoid Deployment Manager.

Answer: D

Terraform is the preferred tool; no need to switch.

Why this answer

Option D is correct because the team already has existing Terraform modules, and using Terraform with a GCS backend allows them to continue leveraging their investment in Terraform without rewriting or bridging tools. Cloud Deployment Manager is a native Google Cloud IaC tool, but it does not natively import or execute Terraform configurations; forcing a migration or hybrid approach introduces unnecessary complexity and risk. The best practice is to standardize on one IaC tool, and since Terraform is already in use, using it with a GCS backend for state management is the most efficient and reliable path.

Exam trap

The trap here is that candidates assume Cloud Deployment Manager is the 'native' GCP tool and must be used, but the question tests whether you recognize that existing Terraform modules should be preserved and that forcing a migration or hybrid approach is an anti-pattern.

How to eliminate wrong answers

Option A is wrong because maintaining two separate IaC tools (Deployment Manager for new resources and Terraform for existing) creates fragmentation, increases the risk of configuration drift, and adds operational overhead with no clear benefit. Option B is wrong because manually converting Terraform modules to Deployment Manager templates is time-consuming, error-prone, and negates the value of existing tested modules; it also introduces a manual translation step that can introduce bugs. Option C is wrong because running Terraform as a subprocess within Deployment Manager is not a supported integration pattern, adds unnecessary complexity, and defeats the purpose of using a single declarative tool; Deployment Manager cannot natively execute Terraform or manage its state.

84 · MCQ · medium

A company is adopting GitOps for managing their Kubernetes infrastructure with Config Sync. They want to ensure that any changes to the cluster's desired state are automatically applied from a Git repository. Which branching strategy is MOST suitable for this workflow?

A. One branch per cluster, with manual merge from development to production branches.
B. Trunk-based development where all changes are merged into the main branch frequently, and Config Sync watches the main branch.
C. Gitflow with separate develop and release branches, merging to main only for production releases.
D. Feature branching with long-lived branches per environment (dev, staging, prod).

Answer: B

Trunk-based development ensures that the main branch is always the single source of truth, which is ideal for GitOps.

Why this answer

Trunk-based development with short-lived feature branches and frequent merges to main (or a single release branch) is the simplest model and the one most aligned with GitOps principles, where the main branch represents the desired state that Config Sync applies.
