HashiCorp Terraform-Associate-004 HashiCorp Certified: Terraform Associate (004) (HCTA0-004) Exam Practice Test

terraform init is the first command that should be run after writing a new Terraform configuration or cloning an existing one from version control. It initializes a working directory containing Terraform configuration files and downloads any required providers and modules. The other commands are used for different purposes, such as importing existing resources, switching between workspaces, generating execution plans, etc.

Infrastructure as code (IaC) is a way of managing and provisioning cloud infrastructure using programming techniques instead of manual processes1. IaC has many advantages over using a graphical user interface (GUI) for provisioning infrastructure, such as:

•Versioning: IaC allows you to store your infrastructure configuration in a version control system, such as Git, and track changes over time. This enables you to roll back to previous versions, compare differences, and collaborate with other developers2.

•Reusability: IaC allows you to create reusable modules and templates that can be applied to different environments, such as development, testing, and production. This reduces duplication, improves consistency, and speeds up deployment3.

•Sharing: IaC allows you to share your infrastructure configuration with other developers, teams, or organizations, and leverage existing code from open source repositories or registries. This fosters best practices, innovation, and standardization4.

•Risk reduction: IaC reduces the risk of human error, configuration drift, and security breaches that can occur when provisioning infrastructure manually or using a GUI. IaC also enables you to perform automated testing, validation, and compliance checks on your infrastructure before deploying it5.

References =

•1: What is Infrastructure as Code? Explained for Beginners - freeCodeCamp.org

•2: The benefits of Infrastructure as Code - Microsoft Community Hub

•3: Infrastructure as Code : Best Practices, Benefits & Examples - Spacelift

•4: 5 Benefits of Infrastructure as Code (IaC) for Modern Businesses in the Cloud

•5: The 7 Biggest Benefits of Infrastructure as Code - DuploCloud

Terraform validate reports configuration consistency errors, such as declaring a resource identifier more than once. This means that the same resource type and name combination is used for multiple resource blocks, which is not allowed in Terraform. For example, resource " aws_instance " " example " {...} cannot be used more than once in the same configuration. Terraform validate does not report errors related to module versions, state differences, or formatting issues, as these are not relevant for checking the configuration syntax and structure. References = [Validate Configuration], [Resource Syntax]

terraform validateonlychecks the configuration’s syntax and internal consistency—itdoes notinteract with provider APIs or check if the infrastructure settings are correct.

It ensures that the Terraform code is syntactically correct and follows proper HCL structure.

However, it doesnotverify if resources are valid according to the provider API or if the credentials are correct.

To verify actual infrastructure settings, use terraform plan, which interacts with the provider APIs.

Official Terraform Documentation Reference:

terraform validate - HashiCorp Documentation

The terraform state list command lists all resources that are managed by Terraform in the current state file1. The terraform state show command shows the attributes of a single resource in the state file2. By using these two commands, you can compare the VM IDs in your list with the ones in the state file and identify which one is managed by Terraform.

The terraform taint command marks a resource as tainted, which means it will be destroyed and recreated on the next apply. This way, you can replace the VM instance without affecting the database or other resources. References = [Terraform Taint]

When running a terraform apply -refresh-only, Terraform does not reference the configuration files, but only the state file, credentials, and cloud provider. The purpose of this command is to update the state file with the current status of the real resources, without making any changes to them1.

Rationale for Correct Answer: With immutable infrastructure, you don’t modify running servers/resources in place; you replace them with new versions built from a known image/artifact. This reduces configuration drift and “snowflake” issues, making deployments and rollbacks more predictable—often resulting in less operational complexity compared with troubleshooting in-place changes.

Analysis of Incorrect Options (Distractors):

A: Incorrect—immutable infrastructure specifically avoids in-place upgrades.

B: Not the best answer—upgrades can be fast in some setups, but “quicker” is not guaranteed; replacing infrastructure may take time depending on provisioning and rollout strategy.

C: Incorrect—immutability doesn’t inherently mean upgrades are “automatic”; automation is a separate practice/tooling choice.

Key Concept: Immutable vs mutable infrastructure; replace instead of modify to reduce drift and simplify operations.

This is the best time to run terraform validate, as it will check your code for syntax errors, typos, and missing arguments before you attempt to create a plan. The other options are either incorrect or unnecessary.

Detailed Explanation:

Rationale for Correct Answer:Module input variables are set by providing arguments in the module block whose names match the module’s declared variables. Since the module expects servers, you pass it directly as servers = 3. This is the standard Terraform module input pattern.

Analysis of Incorrect Options (Distractors):

A: Incorrect. var.servers is how you reference an input variable in expressions, not how you assign a module input. Module inputs are set as arguments, not through the var. namespace.

B: Incorrect. Terraform module blocks do not use an inputs = { ... } argument (that pattern is common in some other tools, but not Terraform).

D: Incorrect. inputs.servers is not valid HCL syntax for setting module input arguments.

Key Concept:Passing input variables to modules by setting arguments on the module block.

Rationale for Correct Answer:

D: Many remote backends support state locking, preventing concurrent operations from corrupting state and enabling safer team collaboration.

E: Remote state often supports encryption at rest (for example, via the remote storage system’s server-side encryption), improving security of sensitive values that may reside in state.

Analysis of Incorrect Options (Distractors):

A: Incorrect—remote state does not prevent drift; drift can still occur if changes are made outside Terraform.

B: Incorrect—credentials for providers are still required; remote state doesn’t remove that need (though a platform like HCP Terraform can centralize variable/credential management).

C: Incorrect—remote backends do not inherently make plan/apply faster; latency can even increase. Performance depends on environment and backend behavior.

Key Concept: Benefits of remote state: collaboration via locking and improved security controls for state storage.

Rationale for Correct Answers:

C. terraform.tfvars securely managed: Acceptable if distributed securely outside version control.

D. HCP Terraform/Terraform Cloud sensitive variables: Official best practice for team-based workflows.

E. Vault: HashiCorp Vault is designed for secret management and integrates well with Terraform.

Analysis of Incorrect Options:

A: Storing plaintext secrets on shared drives is insecure.

B: Checking secrets into version control is a major security risk.

Key Concept:

Sensitive values should be managed securely in Vault, HCP Terraform, or securely shared .tfvars files — never in plaintext or version control.

You must initialize your working directory before running terraform validate, as it will ensure that all the required plugins and modules are installed and configured properly. If you skip this step, you may encounter errors or inconsistencies when validating your configuration files.

The reason why the apply fails after adding a new provider to the configuration and immediately running terraform apply in the CD using the local backend is because Terraform needs to install the necessary plugins first. Terraform providers are plugins that Terraform uses to interact with various cloud services and other APIs. Each provider has a source address that determines where to downloadit from. When Terraform encounters a new provider in the configuration, it needs to run terraform init first to install the provider plugins in a local directory. Without the plugins, Terraform cannot communicate with the provider and perform the desired actions. References = [Provider Requirements], [Provider Installation]

Sensitive values such as API tokens should be stored in a secure way, either in Terraform Cloud variables marked as sensitive or in HashiCorp Vault. Storing secrets in version control systems or plaintext files is not recommended.

The default “local” Terraform backend stores the state file in a local file named terraform.tfstate, which can be used to track and manage the state of your infrastructure3.

None of the above methods prevent credentials from being stored in the state file. Terraform stores the provider configuration in the state file, which may include sensitive information such as credentials. This is a potential security risk and should be avoided if possible. To prevent credentials from being stored in the state file, you can use one of the following methods:

Use environment variables to pass credentials to the provider. This way, the credentials are not part of the provider configuration and are not stored in the state file. However, this method may not work for some providers that require credentials to be set in the provider block.

Use dynamic credentials to authenticate with your cloud provider. This way, Terraform Cloud or Enterprise will request temporary credentials from your cloud provider for each run and use them to provision your resources. The credentials are not stored in the state file and are revoked after the run is completed. This method is supported for AWS, Google Cloud Platform, Azure, and Vault. References = : [Sensitive Values in State] : Authenticate providers with dynamic credentials

The terraform import command is used to import existing infrastructure into your Terraform state. This command takes the existing resource and associates it with a resource defined in your Terraform configuration, updating the state file accordingly. It does not generate configuration for the resource, only the state.

terraform initdoes not create a main.tf file.

Itinitializesthe Terraform working directory, downloads provider plugins, and configures the backend.

Terraform does not generate an example configuration (main.tf); users must create it manually.

Official Terraform Documentation Reference:

terraform init - HashiCorp Documentation

Detailed Explanation:

Rationale for Correct Answer:Terraform requires provider aliases when you configure the same provider multiple times in one configuration. You must define the second AWS provider with an alias, then explicitly tell the resource to use it with the provider meta-argument:

provider " aws " {

region = " us-east-1 "

}

provider " aws " {

alias = " west "

region = " us-west-2 "

}

resource " aws_instance " " example_us_west_2 " {

provider = aws.west

ami = data.aws_ami.ubuntu.id

instance_type = " t3.micro "

}

This is a core Terraform objective: selecting the correct provider configuration for a resource when multiple instances exist.

Analysis of Incorrect Options (Distractors):

B: Incorrect. Provider blocks do not support the syntax provider " aws " " west " { ... }. Aliasing is done with alias = " west " .

C: Incorrect. You cannot invent a new provider type name like aws_west. The provider remains aws; you differentiate configurations via alias.

D: Incorrect. Terraform will not automatically choose between multiple provider configurations for the same provider; you must disambiguate using aliases and provider = ....

Key Concept:Provider aliases and the provider meta-argument for multi-region (or multi-account) deployments.

Not all modules published on the official Terraform Module Registry have been verified by HashiCorp. While HashiCorp verifies some modules, there are many community-contributed modules that are not verified. Verified modules have a " Verified " badge indicating that HashiCorp has reviewed them for security and best practices, but the registry also includes unverified modules.

This is the meta-argument that you must include in any non-default provider configurations, as it allows you to give a friendly name to the configuration and reference it in other parts of your code. The other options are either invalid or irrelevant for this purpose.

Rationale for Correct Answer (True):

When terraform apply completes successfully, Terraform prints output values. Outputs from both root and child modules are displayed, but child module outputs must be explicitly exposed through the root module outputs to be visible at the CLI.

Analysis of Incorrect Option:

False: Incorrect, because Terraform does display output values, but only if they are exposed from child modules to the root module.

Key Concept:

Outputs help you extract important information (e.g., IP addresses, resource IDs) from your configuration.

Terraform providers are not always installed from the Internet. There are other ways to install provider plugins, such as from a local mirror or cache, from a local filesystem directory, or from a network filesystem. These methods can be useful for offline or air-gapped environments, or for customizing the installation process. You can configure the provider installation methods using the provider_installation block in the CLI configuration file.

Details

Rationale for Correct Answer:The primary purpose of Infrastructure as Code (IaC) is to define, provision, and manage infrastructure using code. Exam

Analysis of Incorrect Options (Distractors):

A. To provision infrastructure cheaply. Incorrect because cost reduction may be a benefit, but it is not the primary goal of IaC.

C. To define a vendor-agnostic API. Incorrect because IaC tools may support multiple providers, but their purpose is not to define APIs.

D. To define a pipeline to test and deliver software. Incorrect because this refers to CI/CD pipelines, not IaC.

Key Concept:IaC enables automation, consistency, and version-controlled infrastructure management through code.

This is a secure way to protect sensitive data in the state file, as it will be encrypted at rest and in transit2. The other options are not recommended, as they could lead to data loss, errors, or security breaches.

You need to write Terraform configuration files for the existing infrastructure that you want to import into Terraform, otherwise Terraform will not know how to manage it. The configuration files should match the type and name of the resources that you want to import.

This is where Terraform saves resource state when using a remote backend or Terraform Cloud integration, as it allows you to store and manage your state file in a remote location, such as a cloud storage service or Terraform Cloud’s servers. This enables collaboration, security, and scalability for your Terraform infrastructure.

Terraform keeps track of the infrastructure state via the state file. When you initially ran terraform plan, Terraform determined that the port should be changed from80 to 443. However, since another team member manually modified the load balancer, Terraform ' s local state file is now outdated.

When you run terraform apply, Terraform willcompare the expected state (from the plan) with the actual state (from the provider API).

Since the port is already set to443, but the local state file still shows80, Terraform willfail with an errordue to the state mismatch.

To resolve this, you should run terraform refresh or use terraform apply -refresh-only to update the local state before applying changes.

Official Terraform Documentation Reference:

State Management - HashiCorp Documentation

Managing Drift in Terraform

If you update the version constraint in your Terraform configuration, Terraform will update your lock file the next time you run terraform init3. This will ensure that you use the same provider versions across different machines and runs.

The terraform plan command does not update the state file. Instead, it reads the current state and the configuration files to determine what changes would be made to bring the real-world infrastructure into the desired state defined in the configuration. The plan operation is a read-only operation and does not modify the state or the infrastructure. It is the terraform apply command that actually applies changes and updates the state file.References = Terraform ' s official guidelines and documentation clarify the purpose of the terraform plan command, highlighting its role in preparing and showing an execution plan without making any changes to the actual state or infrastructure .

The provider for theaws_vpcresource isaws, as the resource type begins withaws_, which denotes that it is managed by the AWS provider.

The error messageindicates an authentication issue (403 - Access Denied), which requiresdebugging Terraform logs.

Setting TF_LOG=DEBUG enablesdetailed logs, providing insights into API requests, state loading, and authentication errors.

Terraformdoes not log errors in /var/log/terraform.log or syslog, making optionsC and D incorrect.

A (terraform login)is only relevant forTerraform Cloud, but this error appears to be related toprovider authentication.

Official Terraform Documentation Reference:

Debugging Terraform

Rationale for Correct Answer: To save an execution plan to a file, Terraform uses the -out flag: terraform plan -out=tfplan. That produces a plan file that can later be applied with terraform apply tfplan.

Analysis of Incorrect Options (Distractors):

A: This is an apply command with a variable file flag; it does not create a plan file.

B: -target expects a resource address (like aws_instance.example), not a plan filename.

C: -generate-config-out is used with configuration generation workflows (e.g., from import), not for saving a plan.

Key Concept: Creating and saving plan files with terraform plan -out=....

Detailed Explanation:

Rationale for Correct Answer: In Terraform, data sources are referenced using the format:data. < DATA_SOURCE_TYPE > . < NAME > . < ATTRIBUTE >

In this case:

Data source type = aws_ami

Name = web

Attribute = id

Therefore, the correct reference is:

data.aws_ami.web.id

This follows Terraform syntax for accessing attributes from data sources, which is a key concept in configuration authoring.

Analysis of Incorrect Options (Distractors):

B. aws_ami.web.id Incorrect because this format is used for resources, not data sources.

C. web.id Incorrect because it omits both the data prefix and the resource type.

D. data.web.id Incorrect because it is missing the data source type (aws_ami).

Key Concept: Proper referencing of data sources using data. < type > . < name > . < attribute > syntax.

Rationale for Correct Answer: Remote state storage is configured using a backend block, which lives inside the top-level terraform block (for example, terraform { backend " s3 " { ... } }). Backends control where Terraform stores state (local vs remote), locking, and related settings—this is squarely in the Terraform configuration’s global settings area, not in resources or providers.

Analysis of Incorrect Options (Distractors):

A (The resource block): Resources define infrastructure objects (e.g., servers, buckets). They do not configure where Terraform stores state.

B (The provider block): Providers configure how Terraform talks to an API (credentials/regions/features). They don’t define state storage.

C (The data block): Data sources read existing infrastructure; they are unrelated to backend/state storage configuration.

Key Concept: Backends and remote state configuration using terraform { backend ... }.

Terraform workspaces allow you to create multiple states but still be associated with your current code. Workspaces are like “environments” (e.g. staging, production) for the same configuration. You can use workspaces to spin up a copy of your production deployment for testing purposes without having to configure a new state backend. Terraform data sources, local values, and modules are not features that allow you to create multiple states. References = Workspaces and How to Use Terraform Workspaces

The terraform fmt command is used to format Terraform configuration files to a canonical format and style. This ensures that all team members are using a consistent style, making the code easier to read and maintain. It automatically applies Terraform ' s standard formatting conventions to your configuration files, helping maintain consistency across the team ' s codebase.

Module version is optional to reference a module on the Terraform Module Registry. If you omit the version constraint, Terraform will automatically use the latest available version of the module

This command will upgrade the plugins to the latest acceptable version within the version constraints specified in the configuration. The other commands do not have an -upgrade option.

Rationale for Correct Answer: Terraform can store state in a remote backend (remote location) configured in the terraform block (for example, terraform { backend " s3 " { ... } } or terraform { cloud { ... } }). Remote backends store the state outside the local filesystem and often add collaboration features like locking.

Analysis of Incorrect Options (Distractors):

B: Incorrect—CLI configuration files (like .terraformrc / terraform.rc) control CLI behavior (credentials helpers, plugin cache, etc.), but backend/state storage is configured in the Terraform configuration (terraform block) and initialized with terraform init.

C: Incorrect—Terraform must persist state between runs; in-memory storage would be lost when the process ends.

D: Incorrect—environment variables can influence behavior (e.g., credentials, logging), but Terraform does not store state in environment variables.

Key Concept: Configuring remote backends for state storage via the terraform block.

To output returned values from a child module in the Terraform CLI output, you need to declare the output in both the child module and the root module. The child module output will return the value to the root module, and the root module output will display the value in the CLI. References = [Terraform Outputs]

The Terraform collection type that should be used to store key/value pairs is map. A map is a collection of values that are accessed by arbitrary labels, called keys. The keys and values can be of any type, but the keys must be unique within a map. For example, var = { key1 = " value1 " , key2 = " value2 " } is a map with two key/value pairs. Maps are useful for grouping related values together, such as configuration options or metadata. References = [Collection Types], [Map Type Constraints]

C (✅Correct)– If changes require aresource replacement(e.g., changing an immutable attribute like instance type), Terraform willdestroy and recreate the resource.

E (✅Correct)– Terraform only appliesthe configuration in the current directory or workspace.

Detailed Explanation:

Rationale for Correct Answer:In Terraform, a data source reference follows the format:

data. < DATA_SOURCE_TYPE > . < NAME > . < ATTRIBUTE >

Here:

Data source type = vsphere_datacenter

Name = dc

Attribute = id

Therefore, the correct reference is:

data.vsphere_datacenter.dc.id

This correctly retrieves the id attribute from the declared data source and passes it to the resource argument.

Analysis of Incorrect Options (Distractors):

B. data.vsphere_datacenter.dc — Incorrect because it references the entire data object, not a specific attribute like id.

C. data.dc.id — Incorrect because it omits the data source type (vsphere_datacenter), making the reference invalid.

D. vsphere_datacenter.dc.id — Incorrect because it is missing the data. prefix required for data sources.

Key Concept:Proper data source referencing syntax: data. < type > . < name > . < attribute > .

The description argument for Terraform variables and outputs is purely for documentation purposes and isnotstored in the Terraform state file.

Terraform variables and outputs can have descriptions for readability and clarity in .tf files.

However, these descriptions are not retained in the Terraform state file.

The state file only stores actual values and references needed for resource management, not metadata such as descriptions.

Official Terraform Documentation Reference:

Terraform Variables - HashiCorp Documentation

Terraform Outputs - HashiCorp Documentation

Sentinel policies are checked after the plan stage of a Terraform run, but before it can be confirmed or the terraform apply is executed3. This allows you to enforce rules on your infrastructure before it is created or modified.

Rationale for Correct Answer:terraform destroy removes all resources currently tracked in the Terraform state file by issuing destroy requests to the configured providers. It does not delete configuration files or providers themselves.

Analysis of Incorrect Options (Distractors):

B: Terraform never deletes configuration files.

C: Terraform only destroys resources it manages, not all provider infrastructure.

D: Terraform does not delete the state file by default.

Key Concept:terraform destroy enforces removal of all managed infrastructure.

It is not a best practice to store secret data in the same version control repository as your Terraform configuration, as it could expose your sensitive information to unauthorized parties or compromise your security. You should use environment variables, vaults, or other mechanisms to store and provide secret data to Terraform.

Rationale for Correct Answer (D):

terraform state list shows all resources currently managed by Terraform. terraform state show < resource > provides detailed attributes, including the VM ID. This lets you match the Terraform-managed instance with the actual infrastructure.

Analysis of Incorrect Options:

A: Importing is not needed since one VM is already in state.

B: terraform apply doesn’t show which VM ID is managed, it only refreshes attributes.

C: Removing state entries is destructive and may lead to losing state data unnecessarily.

Key Concept:

The state file is Terraform’s source of truth for which resources it manages.

Detailed Explanation:

Rationale for Correct Answer: To bring existing infrastructure under Terraform management, Terraform needs both a matching resource block in the configuration and an import declaration or import command that maps the real cloud object to the Terraform resource address. With modern configuration-driven import, you add an import block and a corresponding resource block, then run Terraform to import the object into state.

Analysis of Incorrect Options (Distractors):

A. Pick the two correct responses below. Incorrect. This is an instruction, not an action.

B. Run terraform state pull. Incorrect. This only downloads and displays the current state. It does not import existing cloud resources.

E. Run terraform apply -refresh-only. Incorrect. Refresh-only updates Terraform state for resources already managed in state. It does not import unmanaged VMs.

Key Concept: Existing infrastructure must be imported into Terraform state and represented in Terraform configuration before Terraform can manage it.

Rationale for Correct Answer: terraform state rm < address > removes a resource from Terraform state without destroying the real infrastructure. After removal, Terraform “forgets” it and will no longer manage it (unless it’s re-imported). That matches the requirement: keep the resource, stop managing it.

Analysis of Incorrect Options (Distractors):

A: Removing the resource block causes Terraform to plan to destroy the resource (because it’s in state but no longer in config), which is the opposite of “keep it.”

B: Changing count can cause Terraform to destroy instances that no longer have an address (depending on indexing), and it doesn’t explicitly “stop managing” a specific existing instance safely.

D: moved blocks are for renaming/refactoring addresses while keeping management; they do not stop managing a resource.

Key Concept: Detaching resources from Terraform management using state subcommands (terraform state rm).

Rationale for Correct Answer (D):

The terraform.lock.hcl file is automatically created and maintained by Terraform. It records the specific versions and checksums of providers used in a configuration, ensuring consistent runs across environments and machines.

Analysis of Incorrect Options:

A. There is no such file: Incorrect — the lock file exists and is crucial for dependency management.

B. Storing references to workspaces: Incorrect — workspaces are tracked in the state file, not the lock file.

C. Preventing Terraform runs: Incorrect — the lock file does not block runs; it enforces consistent provider versions.

Key Concept:

The terraform.lock.hcl file enforces provider version consistency, which is critical for reproducible and reliable Terraform deployments.

Rationale for Correct Answer (B):

terraform import allows Terraform to associate existing resources (created outside of Terraform or by another tool) with a Terraform configuration by writing them into the state file. After import, Terraform can manage those resources.

Analysis of Incorrect Options:

A. From one state file to another: Incorrect, import does not transfer between state files.

C. Importing a module: Incorrect, modules are defined in configuration, not imported.

D. Import all infrastructure: Incorrect, import is per-resource, not bulk.

E. Provider configuration transfer: Incorrect, provider configs are in .tf files, not imported with this command.

Key Concept:

The terraform import command bridges existing resources with Terraform state management.

Detailed Explanation:

Rationale for Correct Answer: Terraform logging is enabled by setting the TF_LOG environment variable. Common values include TRACE, DEBUG, INFO, WARN, and ERROR. For example: export TF_LOG=DEBUG.

Analysis of Incorrect Options (Distractors):

A. Set the log level command-line flag. Incorrect. Terraform does not use a general CLI flag for verbose log level control.

C. Set the log level in your terraform block. Incorrect. Logging is not configured in the Terraform configuration block.

Key Concept: Terraform troubleshooting logs are controlled through environment variables.

Rationale for Correct Answer: A local value (locals { ... }) is the simplest way to define a reusable expression once and reference it many times via local. < name > . This is exactly what locals are for: reducing repetition and improving readability when combining values like random_id results and variables.

Analysis of Incorrect Options (Distractors):

A (Module): Overkill—modules are for packaging reusable groups of resources, not simple string reuse inside the same configuration.

B (Output value): Outputs are for exposing values to the CLI or to parent modules, not for internal reuse within the same module.

D (Data source): Data sources read existing remote objects; they are not intended for composing local strings.

Key Concept: Using locals to avoid repeating expressions.

The correct syntax to pass a variable from the root module to a child module isservers = var.num_servers. Terraform uses dot notation to reference variables.

This is how Terraform chooses which version of the provider to use, when you add a new resource to an existing Terraform configuration, but do not update the version constraint in the configuration. The lock file records the exact version of each provider that was installed in your working directory, and ensures that Terraform will always use the same provider versions until you run terraform init -upgrade to update them.

This is the scenario that poses a challenge for this team, if they adopt AWS CloudFormation as their standardized method for provisioning public cloud resources, as CloudFormation only supports AWS services and resources, and cannot be used to provision infrastructure on other cloud platforms such as Azure.

You should run terraform init after you start coding a new Terraform project and before you run terraform plan for the first time. This command will initialize the working directory by downloading the required providers and modules, creating the initial state file, and performing other necessary tasks. References = : Initialize a Terraform Project

Rationale for Correct Answer (False):

Any user with access to the saved plan file (terraform plan -out=planfile) can run terraform apply planfile. Terraform does not enforce user-specific restrictions.

Analysis of Incorrect Option:

True: Incorrect — Terraform doesn’t tie plan files to individual users.

Key Concept:

Plan files ensure predictability but are not bound to the identity of the user.

Detailed Explanation:

Rationale for Correct Answer: terraform destroy destroys all resources managed by the current configuration, but it is not the only way to remove infrastructure. You can also remove a resource block from the configuration and run terraform apply; Terraform will then plan to destroy that specific resource because it is no longer declared.

Analysis of Incorrect Options (Distractors):

A. True. Incorrect. Terraform can destroy infrastructure through normal apply operations when resources are removed from configuration.

Key Concept: Terraform reconciles real infrastructure with configuration. Removing a resource from configuration and applying the change can destroy that resource.

In Terraform Cloud, speculative plan runs are not automatically started when changes are merged or committed to the version control repository linked to a workspace. Instead, speculative plans are typically triggered as part of proposed changes in merge requests or pull requests to give an indication of what would happen if the changes were applied, without making any real changes to the infrastructure. Actual plan and apply operations in Terraform Cloud workspaces are usually triggered by specific events or configurations defined within the Terraform Cloud workspace settings.References = This behavior is part of how Terraform Cloud integrates with version control systems and is documented in Terraform Cloud ' s usage guidelines and best practices, especially in the context of VCS-driven workflows.

Rationale for Correct Answer (B):

IaC best practice is to manage infrastructure through version-controlled code. Changes should be reviewed and approved (via PRs), ensuring collaboration, traceability, and automation.

Analysis of Incorrect Options:

A, D, E: Making direct/manual changes bypasses IaC practices and causes drift.

C: Running code without PR review skips collaboration and approval.

Key Concept:

Infrastructure as Code emphasizes version control + peer review + automation.

This is what state locking accomplishes, by preventing other users from modifying the state file while a Terraform operation is in progress. This prevents conflicts and data loss.

A module can declare a variable with a default value without requiring the caller to define it. This allows the module to provide a sensible default behavior that can be customized by the caller if needed. References = [Module Variables]

In Terraform, the backend configuration, which includes details about where and how state is stored, is specified within the terraform block of your configuration. This block is the correct place to define the backend type and its configuration parameters, such as the location of the state file for a local backend or the bucket details for a remote backend like S3.References = This practice is outlined in Terraform ' s core documentation, which provides examples and guidelines on how to configure various aspects of Terraform ' s behavior, including state backends .

Sentinel is a policy-as-code framework that allows you to define and enforce rules on your Terraform configurations, states, and plans1. Some of the benefits of using Sentinel with Terraform Cloud/Terraform Enterprise are:

•You can restrict specific resource configurations, such as disallowing the use of CIDR=0.0.0.0/0, which would open up your network to the entire internet. This can help you prevent misconfigurations or security vulnerabilities in your infrastructure2.

•Policy-as-code can enforce security best practices, such as requiring encryption, authentication, or compliance standards. This can help you protect your data and meet regulatory requirements3.

•You can enforce a list of approved AWS AMIs, which are pre-configured images that contain the operating system and software you need to run your applications. This can help you ensure consistency, reliability, and performance across your infrastructure4.

References =

•1: Terraform and Sentinel | Sentinel | HashiCorp Developer

•2: Terraform Learning Resources: Getting Started with Sentinel in Terraform Cloud

•3: Exploring the Power of HashiCorp Terraform, Sentinel, Terraform Cloud …

•4: Using New Sentinel Features in Terraform Cloud – Medium

Terraform state is a representation of the infrastructure that Terraform manages. Terraform uses state to track the current status of the resources it creates and to plan future changes. However, Terraform state is not aware of any changes made to the resources outside of Terraform, such as through the Azure Cloud Console, the Azure CLI, or the Azure API. Therefore, changing resources via the Azure Cloud Console does not update the current state file, and it may cause inconsistencies or conflicts with Terraform’s desired configuration. To avoid this, it is recommended to manage resources exclusively through Terraform or to use the terraform import command to bring existing resources under Terraform’s control.

When you change a Terraform-managed resource via the Azure Cloud Console, Terraform does not immediately update the state file to reflect the change. However, the next time you run terraform plan or terraform apply, Terraform will compare the state file with the actual state of the resources in Azure and detect any drifts or differences. Terraform will then update the state file to match the current state of the resources and show you the proposed changes in the execution plan. Depending on the configuration and the change, Terraform may try to undo the change, modify the resource further, or recreate the resource entirely. To avoid unexpected or destructive changes, it is recommended to review the execution plan carefully before applying it or to use the terraform refresh command to update the state file without applying any changes.

References = Purpose of Terraform State, Terraform State, Managing State, Importing Infrastructure, [Command: plan], [Command: apply] , [Command: refresh]

In Terraform, the correct way to reference a resource attribute is:

pgsql

CopyEdit

resource_type.resource_name.attribute

For example, if the resource block is:

hcl

CopyEdit

resource " kubernetes_namespace " " example " {

metadata {

name = " my-namespace "

}

}

To reference the name attribute, use:

pgsql

CopyEdit

kubernetes_namespace.example.name

Explanation of incorrect answers:

A (resource.kubernetes_namespace.example.name)– Incorrect. Terraform does not use the resource. prefix when referencing resources.

C (data.kubernetes.namespace.name)– Incorrect. This syntax is used fordata sources, not resources.

D (kubernetes_namespace.test.name)– Incorrect. The resource name is " example " , not " test " .

Official Terraform Documentation Reference:

Terraform Resource References

Setting the TF_LOG environment variable to DEBUG causes debug messages to be logged into stdout, along with other log levels such as TRACE, INFO, WARN, and ERROR. This can be useful for troubleshooting or debugging purposes.

This will enable additional logging messages to find out from which paths Terraform is loading providers referenced in your Terraform configuration files, as it will set the log level to TRACE, which is the most verbose and detailed level.

This is not a valid backend for Terraform, as it does not support locking or versioning of state files4. The other options are valid backends that can store state files in a central location.

Rationale for Correct Answer: A Terraform configuration supports a single cloud block (similar to a single backend configuration). The cloud block defines where Terraform runs (HCP Terraform / Terraform Enterprise) and how the workspace is associated. You cannot connect one configuration to two separate Cloud/Enterprise instances simultaneously using multiple cloud blocks.

Analysis of Incorrect Options (Distractors):

A (True): Incorrect—Terraform does not allow multiple cloud blocks; the configuration can target only one Cloud/Enterprise context at a time.

Key Concept: cloud block constraints and workspace association with HCP Terraform/Terraform Enterprise.

This is the best way to delete the newly-created VM with Terraform, as it will only affect the resource that was created by your configuration and state file. The other options are either incorrect or inefficient.

terraform apply can runwithout explicitly running terraform plan first.

Running terraform plan before apply isrecommendedbutnot mandatory.

If no plan file is provided, terraform applyautomatically creates and executes a planbefore applying changes.

Official Terraform Documentation Reference:

terraform apply - HashiCorp Documentation

This is a secure way to inject sensitive variables into your Terraform run, as they will not be stored in any file or source code repository. You can also use environment variables or variable files with encryption to pass sensitive variables to Terraform.

Detailed Explanation:

Rationale for Correct Answer:terraform validate checks whether the configuration is syntactically valid and internally consistent (for example: references resolve correctly, required arguments exist, blocks are in the correct structure). If your configuration references an input variable like var.instance_type but you did not declare it with a variable " instance_type " { ... } block, validation fails with an error such as “Reference to undeclared input variable.” This is exactly the kind of static configuration issue terraform validate is designed to catch.

Analysis of Incorrect Options (Distractors):

A: Incorrect. State drift (state not matching real infrastructure) is not detected by terraform validate. Drift is typically revealed by terraform plan/terraform refresh (or plan in general), because that requires reading state and querying providers.

B: Incorrect. Terraform’s configuration language (HCL) allows tabs; indentation style is not a validation error (formatting is handled by terraform fmt, not validate).

D: Incorrect because C can definitely produce a validation error when a variable is referenced but not declared.

Key Concept:What terraform validate does: static validation of configuration syntax and internal consistency, not runtime/provider/state drift checks.

Destroy Command Options: Theterraform destroycommand is the correct method to destroy resources, and it requires either manual approval or the -auto-approve flag.

Unsupported Triggering Method: The--destroy flagis not a recognized option for plan or apply commands, making B the correct answer as it isnota valid way to initiate resource destruction.

For more on destroying resources, refer to theterraform destroy command documentationin the Terraform CLI reference.

Rationale for Correct Answer: Data sources are referenced with: data. < TYPE > . < NAME > . < ATTRIBUTE > .For a vSphere datacenter data source, the correct reference to its id is:data.vsphere_datacenter. < name > .id.✅ Given the options, only A follows the correct data-source addressing pattern and includes the .id attribute.

Analysis of Incorrect Options (Distractors):

B: Incorrect—missing the data. prefix, so it looks like a managed resource reference.

C: Incorrect—missing the attribute (.id).

D: Incorrect—missing the data source type and name.

Key Concept: Correct HCL reference syntax for data sources.

Detailed Explanation:

Rationale for Correct Answer: The Terraform Registry provides module documentation, including required inputs, optional inputs with default values, outputs, dependencies, resources, and usage examples.

Analysis of Incorrect Options (Distractors):

A. Required input variables. Correct but incomplete.

B. Outputs. Correct but incomplete.

C. Optional input variables and default values. Correct but incomplete.

Key Concept: Terraform Registry module documentation exposes inputs, outputs, versions, and usage details.

The command that makes your code more human readable is terraform fmt. This command is used to rewrite Terraform configuration files to a canonical format and style, following the Terraform language style conventions and other minor adjustments for readability. The command is optional, opinionated, and has no customization options, but it is recommended to ensure consistency of style across different Terraform codebases. Consistency can help your team understand the code more quickly and easily, making the use of terraform fmt very important. You can run this command on your configuration files before committing them to source control or as part of your CI/CD pipeline. References = : Command: fmt : Using Terraform fmt Command to Format Your Terraform Code

 The concept of infrastructure as code (IaC) is to define and manage infrastructure using code, rather than manual processes or GUI tools. A script that contains a series of public cloud CLI commands is an example of IaC, because it uses code to provision resources into a public cloud. The other options are not examples of IaC, because they involve manual or interactive actions, such as running curl commands, sending REST requests, or entering commands into a console. References = [Introduction to Infrastructure as Code with Terraform] and [Infrastructure as Code]

In Terraform, a data block is used to fetch or compute information from external sources for use elsewhere in the Terraform configuration. Unlike resource blocks that manage infrastructure, data blocks gather information without directly managing any resources. This can include querying for data from cloud providers, external APIs, or other Terraform states.References = This definition and usage of data blocks are covered in Terraform ' s official documentation, highlighting their role in fetching external information to inform Terraform configurations.

Rationale for Correct Answer: Locals are evaluated as expressions, and one local can reference another using local. < name > . This supports building up derived values cleanly:

locals {

env = " prod "

app_name = " api-${local.env} "

}

Analysis of Incorrect Options (Distractors):

B (False): Incorrect—Terraform explicitly supports local-to-local references.

Key Concept: Local values (locals) and expression references.

terraform graphgeneratesGraphviz DOT formatoutput, which allows visualization ofresource dependenciesin Terraform.

A (terraform refresh)– Incorrect, as it only updates the state file.

C (terraform output)– Incorrect, as it only displays Terraform output values.

D (terraform show)– Incorrect, as it only displays the Terraform state.

Official Terraform Documentation Reference:

terraform graph - HashiCorp Documentation

Detailed Explanation:

Rationale for Correct Answer: The terraform force-unlock command is used to manually remove a state lock only when Terraform fails to release it automatically. This situation typically occurs due to interruptions (e.g., crashed process, network failure) that leave the state locked. Terraform’s locking mechanism prevents concurrent operations, so force-unlock should be used cautiously and only when you are certain no other process is actively using the state.

Analysis of Incorrect Options (Distractors):

A. When apply has failed due to a state lock. Incorrect because failure alone does not justify force-unlock; the lock may still be valid and held by another process.

B. When you have a high-priority change. Incorrect because urgency does not justify bypassing Terraform’s locking mechanism.

D. When you see a status message stating that you cannot acquire the lock. Incorrect because this usually means another process is currently holding the lock; force-unlock should not be used unless you are sure the lock is stale.

Key Concept: Terraform state locking and safe use of force-unlock to recover from stale locks.

Terraforminstalls providers during the terraform init phase.

Providers aredownloaded and installedwhen running terraform init.

A (terraform plan)is incorrect because terraform plan only calculates changes but does not install providers.

C (terraform refresh)is incorrect because terraform refresh only updates the state but does not install providers.

Official Terraform Documentation Reference:

Provider Installation - HashiCorp Documentation

Detailed Explanation:

Rationale for Correct Answer: terraform init initializes the working directory. It downloads required providers, installs modules, and configures the backend. You must run it before running terraform plan or terraform apply for the first time in a new configuration directory.

Analysis of Incorrect Options (Distractors):

B. terraform workspace. Incorrect. This command manages Terraform workspaces but does not initialize providers, modules, or backends.

C. terraform validate. Incorrect. Validation is useful, but it is not the required initialization step before planning or applying.

D. terraform import. Incorrect. Import brings existing infrastructure into Terraform state. It is not required before planning or applying a new configuration.

Key Concept: Terraform working directories must be initialized with terraform init.

The terraform fmt command is used to rewrite Terraform configuration files to a canonical format and style. This command applies a subset of the Terraform language style conventions, along with other minor adjustments for readability. Running this command on your configuration files before committing them to source control can help ensure consistency of style between different Terraform codebases, and can also make diffs easier to read. You can also use the -check and -diff options to check if the files are formatted and display the formatting changes respectively2. Running the terraform fmt command during the code linting phase of your CI/CD process can help automate this process and enforce the formatting standards for your team. References = [Command: fmt]2

To import existing resources into Terraform, you need to do two things1:

Write a resource configuration block for each resource, matching the type and name used in your state file.

Run terraform import for each resource, specifying its address and ID. There is no such command as terraform Import-gcp, and provisioning new VMs with the same names will not import them into Terraform.

Terraform modules are referenced by specifying a source location. This location can be a URL or a file path. However, specifying query parameters such as ?version=vl.6.0 directly within the source path is not a valid or supported method for specifying a module version in Terraform. Instead, version constraints are specified using the version argument within the module block, not as part of the source string.References = This clarification is based on Terraform ' s official documentation regarding module usage, which outlines the correct methods for specifying module sources and versions.

A secure string is not a valid option to keep secrets out of Terraform configuration files. A secure string is a feature of AWS Systems Manager Parameter Store that allows you to store sensitive data encrypted with a KMS key. However, Terraform does not support secure strings natively and requires a custom data source to retrieve them. The other options are valid ways to keep secrets out of Terraform configuration files. A Terraform provider can expose secrets as data sources that can be referenced in the configuration. Environment variables can be used to set values for input variables that contain secrets. A -var flag can be used to pass values for input variables that contain secrets from the command line or a file. References = [AWS Systems Manager Parameter Store], [Terraform AWS Provider Issue #55] , [Terraform Providers], [Terraform Input Variables]

This is the backend that the Terraform CLI uses by default, unless you specify a different backend in your configuration. The local backend stores the state file in a local file named terraform.tfstate, which can be used to track and manage the state of your infrastructure.

The " version " attribute is optional when referencing a module from the Terraform Registry. If not specified, the latest version will be used, but it is often recommended to specify a version to ensure consistency across environments.

Rationale for Correct Answer: A parent/root module can only read values from a child module if the child module exports them via an output block. The error indicates vnet_id is not an exported output from module.my_network. Defining output " vnet_id " { value = ... } inside the networking (child) module makes module.my_network.vnet_id valid.

Analysis of Incorrect Options (Distractors):

A: Incorrect—Terraform does not use module. < name > .outputs. < output > ; module outputs are referenced directly as module. < name > . < output > .

B: Incorrect—variables are inputs to a module, not values exported from it.

C: Incorrect—missing the module. prefix and still uses an invalid .outputs path.

Key Concept: Module outputs are the contract for exposing child module values to the root/parent.

When upgrading a provider,you must run terraform init -upgrade to install the new version.

Thisdownloads the latest provider versionand updates the local dependency cache.

terraform refresh(A)only updates the state file but doesnotupgrade providers.

terraform apply -upgrade(C)isnot a valid command.

terraform version can be upgraded separately, but(D)does not install a new provider version.

Official Terraform Documentation Reference:

Upgrading Providers in Terraform

The terraform plan command is used to create an execution plan. It allows you to see what actions Terraform will take to reach the desired state defined in your configuration files. It evaluates the current state and configuration, showing a detailed outline of the resources that will be created, updated, or destroyed. This is a critical step in the development process as it helps you verify that the changes you are about to apply will perform as expected, without actually modifying any state or infrastructure.

Terraform state files are not automatically encrypted by default. Sensitive values are stored in plaintext within the state file. However, you can protect the state file by using remote backends that support encryption, such as AWS S3 with server-side encryption enabled or Terraform Cloud, which offers encrypted state storage.

Rationale for Correct Answer (True):

Local values (locals {}) are scoped to a module and are not directly visible outside. To make them available to callers, you must define outputs in the module. Outputs act as the interface for exposing values from a child module to the root module.

Analysis of Incorrect Option:

False: Incorrect, because locals cannot be exposed directly; only via outputs.

Key Concept:

Outputs are the way to expose information outside of a module.

Rationale for Correct Answers:

B. View the execution plan: Correct — terraform plan shows what Terraform intends to do (create, update, or destroy).

C. Save a generated execution plan: Correct — using terraform plan -out=planfile lets you save the plan to apply later with terraform apply planfile.

Analysis of Incorrect Options:

A. Schedule runs in the future: Incorrect, Terraform does not provide scheduling; external tools (like cron, CI/CD) are required.

D. Execute a plan in a different workspace: Incorrect, execution happens in the current workspace; switching workspaces must be done before running the plan.

Key Concept:

terraform plan is used for previewing and optionally saving an execution plan for controlled and predictable infrastructure changes.

Rationale for Correct Answer: terraform output shows the root module’s outputs (the outputs defined in the current working directory’s root module). Outputs from child modules are not directly listed unless the root module re-exports them via its own output blocks (e.g., output " child_public_ip " { value = module.child.public_ip }).

Analysis of Incorrect Options (Distractors):

A (True): Incorrect because child module outputs are accessible via module. < name > . < output > , but terraform output displays only outputs defined in the root module.

Key Concept: Module outputs scope: child outputs must be exposed through root outputs to be shown by terraform output.

This is the workflow for deploying new infrastructure with Terraform, as it will create a plan and apply it to the target environment. The other options are either incorrect or incomplete.

Rationale for Correct Answer:terraform init initializes backends, downloads providers, and retrieves modules — but it does not generate or create configuration files.

Analysis of Incorrect Options (Distractors):

A: Correct action performed by terraform init.

C: Providers are downloaded during initialization.

D: Module source code is fetched during initialization.

Key Concept:terraform init prepares the working directory but does not create configuration.

C (✅Correct)– InHCP Terraform, you can use the terraform_remote_state data source to referenceanother workspace ' s state. This feature isnot available in Terraform CLI.

A (❌Incorrect)– terraform plan (dry runs)is available in both Terraform CLI and HCP Terraform.

B (❌Incorrect)– Secure variable storageexists in HCP Terraform, but CLI users can store variables securely using environment variables or .tfvars files.

D (❌Incorrect)– BothTerraform CLI and HCP Terraform support multiple cloud providers.

Official Terraform Documentation Reference:

terraform_remote_state - HashiCorp Documentation