1. A platform engineer is setting up a new Terraform Cloud workspace for the production environment. They want every `terraform apply` to require a human to review and approve the plan output before infrastructure changes are made — even when the run is triggered automatically by a VCS push. Which workspace setting should they configure to enforce this behavior?
- A. Set the execution mode to 'Remote' and enable the 'Auto apply' toggle in workspace settings.
- B. Set the execution mode to 'Remote' and leave 'Auto apply' disabled so every run pauses for confirmation after planning.✓ Correct
- C. Set the execution mode to 'Local' so the engineer must manually run `terraform apply` from their workstation.
- D. Attach a Sentinel hard-mandatory policy that blocks all applies until an operator adds an override comment in the run UI.
Explanation
When a Terraform Cloud workspace uses Remote execution mode with 'Auto apply' disabled (the default), every run pauses at the 'planned' state after the plan phase and waits for a user with appropriate permissions to click 'Confirm & Apply'. This is the built-in mechanism for requiring human approval before any apply proceeds, regardless of how the run was triggered. — Option A is wrong because enabling 'Auto apply' causes runs to proceed to apply automatically without human confirmation, which is the opposite of what is required. — Option C is wrong because Local execution mode offloads the plan and apply to the engineer's local machine; Terraform Cloud only stores state. It does not provide a centralized approval gate inside the platform for team-based review. — Option D is wrong because Sentinel policies gate applies based on policy logic, not on a blanket 'pause for human review' pattern. Sentinel is a policy-as-code governance tool and cannot be configured to simply require an operator comment as a generic approval mechanism; the correct purpose-built feature for approval gates is disabling Auto apply.