HashiCorp Terraform-Associate-004 HashiCorp Certified: Terraform Associate (004) (HCTA0-004) Exam Practice Test

terraform validate does not confirm that your infrastructure matches the Terraform state file. It only checks whether the configuration files in a directory are syntactically valid and internally consistent3. To confirm that your infrastructure matches the Terraform state file, you need to use terraform plan or terraform apply with the -refresh-only option.

Sensitive values such as API tokens should be stored in a secure way, either in Terraform Cloud variables marked as sensitive or in HashiCorp Vault. Storing secrets in version control systems or plaintext files is not recommended.

This is the type of block that is used to construct a collection of nested configuration blocks, by using a for_each argument to iterate over a collection value and generate a nested block for each element. For example, you can use a dynamic block to create multiple ingress rules for a security group resource.

Rationale for Correct Answer:terraform state list only reads the existing state file and lists the resources Terraform currently tracks. It does not contact providers or refresh resource data, so stale state is not updated.

Analysis of Incorrect Options (Distractors):

B. terraform plan: Refreshes state by default before generating the execution plan.

C. terraform apply: Refreshes state before applying changes.

D. terraform destroy: Refreshes state to determine what resources must be destroyed.

Key Concept:Some Terraform commands read state only, while others refresh state by querying providers.

The terraform plan command does not update the state file. Instead, it reads the current state and the configuration files to determine what changes would be made to bring the real-world infrastructure into the desired state defined in the configuration. The plan operation is a read-only operation and does not modify the state or the infrastructure. It is the terraform apply command that actually applies changes and updates the state file.References = Terraform's official guidelines and documentation clarify the purpose of the terraform plan command, highlighting its role in preparing and showing an execution plan without making any changes to the actual state or infrastructure .

The public Terraform Module Registry is free to use, as it is a public service that hosts thousands of self-contained packages called modules that are used to provision infrastructure. You can browse, use, and publish modules to the registry without any cost.

This is how the Terraform Cloud integration differs from other state backends such as S3, Consul, etc., as it allows you to perform remote operations on Terraform Cloud’s servers instead of your local machine. The other options are either incorrect or irrelevant.

Terraform workspaces allow you to create multiple states but still be associated with your current code. Workspaces are like “environments” (e.g. staging, production) for the same configuration. You can use workspaces to spin up a copy of your production deployment for testing purposes without having to configure a new state backend. Terraform data sources, local values, and modules are not features that allow you to create multiple states. References = Workspaces and How to Use Terraform Workspaces

Terraform variable names are not saved in the state file, only their values are. The state file only stores the attributes of the resources and data sources that are managed by Terraform, not the variables that are used to configure them.

The terraform validate command is used to check for syntax errors and internal consistency within Terraform configurations, such as whether all required arguments are specified. It does not check for indentation styles, missing variable values (as variables might not be defined at validation time), or state file consistency with the current infrastructure. Therefore, none of the provided options are correct in the context of what terraform validate reports.References = Terraform's official documentation details the purpose and function of the terraform validate command, specifying that it focuses on syntaxand consistency checks within Terraform configurations themselves, not on external factors like the state file or infrastructure state. Direct references from the HashiCorp Terraform Associate (003) study materials to this specific detail were not found in the provided files.

This is what state locking accomplishes, by preventing other users from modifying the state file while a Terraform operation is in progress. This prevents conflicts and data loss.

To see all the resources that Terraform will delete, you can use either of these two commands:

terraform destroy will show the plan of destruction and ask for your confirmation before proceeding. You can cancel the command if you do not want to destroy the resources.

terraform plan -destroy will show the plan of destruction without asking for confirmation. You can use this command to review the changes before running terraform destroy. References = : Destroy Infrastructure : Plan Command: Options

In Terraform, a data block is used to fetch or compute information from external sources for use elsewhere in the Terraform configuration. Unlike resource blocks that manage infrastructure, data blocks gather information without directly managing any resources. This can include querying for data from cloud providers, external APIs, or other Terraform states.References = This definition and usage of data blocks are covered in Terraform's official documentation, highlighting their role in fetching external information to inform Terraform configurations.

Terraform creates the .terraform.lock.hcl file after the first terraform init command. This lock file ensures that the dependencies for your project are consistent across different runs by locking the versions of the providers and modules used.

Outside of the required_providers block, Terraform configurations can refer to providers by either their local names or their source addresses. The local name is a short name that can be used throughout the configuration, while the source address is a global identifier for the provider in the format registry.terraform.io/namespace/type. For example, you can use either aws or registry.terraform.io/hashicorp/aws to refer to the AWS provider.

The terraform init command is required before using a new backend or integrating with HCP Terraform/Terraform Cloud.

terraform init initializes the working directory and sets up the backend, downloading necessary provider plugins and modules.

If the backend configuration changes, Terraform willrequirere-initialization to apply those changes.

Without running terraform init, Terraform willfailto use a new backend or remote Terraform Cloud workspace.

Official Terraform Documentation Reference:

terraform init - HashiCorp Documentation

Changing the Terraform backend after performing the initial terraform apply is technically possible but strongly discouraged. This is because changing backends can lead to complexities in state management, requiring manual intervention such as state migration to ensure consistency. Terraform's documentation and best practices advise planning the backend configuration carefully before applying Terraform configurations to avoid such changes.References = This guidance is consistent with Terraform's official documentation, which recommends careful consideration and planning of backend configurations to avoid the need for changes.

Rationale for Correct Answer:Terraform local values are evaluated together and can reference previously defined local values within the same locals block or earlier blocks.

Analysis of Incorrect Options (Distractors):

B: Incorrect, locals can reference other locals.

Key Concept:Local values enable reuse and composition of expressions.

Theversion argumentin a module ensures Terraform uses aspecific versionof a module, preventing unintended updates.

A (source)– Specifies the module source butdoes not control versioning.

B (count)– Controls how many instances of a resource/module exist,not updates.

D (lifecycle)– Controls how resources behavebut does not control module versioning.

Official Terraform Documentation Reference:

Module Version Constraints

Infrastructure as code (IaC) is a way of managing and provisioning cloud infrastructure using programming techniques instead of manual processes1. IaC has many advantages over using a graphical user interface (GUI) for provisioning infrastructure, such as:

•Versioning: IaC allows you to store your infrastructure configuration in a version control system, such as Git, and track changes over time. This enables you to roll back to previous versions, compare differences, and collaborate with other developers2.

•Reusability: IaC allows you to create reusable modules and templates that can be applied to different environments, such as development, testing, and production. This reduces duplication, improves consistency, and speeds up deployment3.

•Sharing: IaC allows you to share your infrastructure configuration with other developers, teams, or organizations, and leverage existing code from open source repositories or registries. This fosters best practices, innovation, and standardization4.

•Risk reduction: IaC reduces the risk of human error, configuration drift, and security breaches that can occur when provisioning infrastructure manually or using a GUI. IaC also enables you to perform automated testing, validation, and compliance checks on your infrastructure before deploying it5.

References =

•1: What is Infrastructure as Code? Explained for Beginners - freeCodeCamp.org

•2: The benefits of Infrastructure as Code - Microsoft Community Hub

•3: Infrastructure as Code : Best Practices, Benefits & Examples - Spacelift

•4: 5 Benefits of Infrastructure as Code (IaC) for Modern Businesses in the Cloud

•5: The 7 Biggest Benefits of Infrastructure as Code - DuploCloud

terraform validatechecks for syntax errors and internal consistencyin the configuration files.

However, itdoes notcheck if resource configurations are valid with the provider.

Official Terraform Documentation Reference:

terraform validate - HashiCorp Documentation

A secure string is not a valid option to keep secrets out of Terraform configuration files. A secure string is a feature of AWS Systems Manager Parameter Store that allows you to store sensitive data encrypted with a KMS key. However, Terraform does not support secure strings natively and requires a custom data source to retrieve them. The other options are valid ways to keep secrets out of Terraform configuration files. A Terraform provider can expose secrets as data sources that can be referenced in the configuration. Environment variables can be used to set values for input variables that contain secrets. A -var flag can be used to pass values for input variables that contain secrets from the command line or a file. References = [AWS Systems Manager Parameter Store], [Terraform AWS Provider Issue #55], [Terraform Providers], [Terraform Input Variables]

Rationale for Correct Answer (B):

terraform import allows Terraform to associate existing resources (created outside of Terraform or by another tool) with a Terraform configuration by writing them into the state file. After import, Terraform can manage those resources.

Analysis of Incorrect Options:

A. From one state file to another: Incorrect, import does not transfer between state files.

C. Importing a module: Incorrect, modules are defined in configuration, not imported.

D. Import all infrastructure: Incorrect, import is per-resource, not bulk.

E. Provider configuration transfer: Incorrect, provider configs are in .tf files, not imported with this command.

Key Concept:

The terraform import command bridges existing resources with Terraform state management.

Rationale for Correct Answer:When multiple provider configurations are defined using an alias, Terraform requires the provider meta-argument inside the resource block to explicitly reference the aliased provider.In this case, the provider is defined as aws with alias = "west", so resources targeting us-west-2 must specify:

provider = aws.west

This tells Terraform exactly which provider configuration to use.

Analysis of Incorrect Options (Distractors):

B. alias = aws.west: Incorrect — alias is only used inside the provider block, not in resources.

C. provider = west: Incorrect — Terraform requires the full provider name (aws.west), not just the alias.

D. alias = west: Incorrect — resources do not support an alias meta-argument.

Key Concept:Using aliased provider configurations and the provider meta-argument to deploy resources across multiple regions or accounts.

The best way to specify a tag of v1.0.0 when referencing a module stored in Git is to append ?ref=v1.0.0 argument to the source path. This tells Terraform to use a specific Git reference, such as a branch, tag, or commit, when fetching the module source code. For example, source = "git::https://example.com/vpc.git?ref=v1.0.0 ". This ensures that the module version is consistent and reproducible across different environments. References = [Module Sources], [Module Versions]

Option C is the correct way to configure multiple providers in a Terraform configuration. Each provider block must have a name attribute that specifies which provider it configures2. The other options are either missing the name attribute or using an invalid syntax.

terraform state listonly displays resources stored in the state filebut doesnot interact with the cloud provideror refresh the state.

terraform plan, terraform apply, and terraform destroycompare or modify the infrastructure, so theyrefresh the stateto ensure accuracy.

Official Terraform Documentation Reference:

terraform state list - HashiCorp Documentation

The "version" attribute is optional when referencing a module from the Terraform Registry. If not specified, the latest version will be used, but it is often recommended to specify a version to ensure consistency across environments.

You can develop a custom provider to manage its resources using Terraform, as Terraform is an extensible tool that allows you to write your own plugins in Go language. You can also publish your custom provider to the Terraform Registry or use it privately.

When the state file is locked, operations that modify or depend on the state (liketerraform apply,terraform destroy, andterraform state list) are blocked.terraform fmtonly formats the configuration files and does not interact with the state, so it is allowed.

When running a terraform apply -refresh-only, Terraform does not reference the configuration files, but only the state file, credentials, and cloud provider. The purpose of this command is to update the state file with the current status of the real resources, without making any changes to them1.

Rationale for Correct Answer (C):

Credentials should not be hardcoded in Terraform files. Best practice is to configure them via environment variables or secret managers.

Analysis of Incorrect Options:

A: Shared servers introduce risk and drift.

B: Storing secrets in config/version control is insecure.

D: Incorrect since option C is valid.

Key Concept:

Separation of credentials from code is a Terraform security best practice.

Any user with permission to apply a plan can apply it, not only the user that generated it. This allows for collaboration and delegation of tasks among team members.

You can configure a backend in your Terraform code before initializing it. Initializing a backend will store the state file remotely and enable features like locking and workspaces. References = [Terraform Backends]

Module version is optional to reference a module on the Terraform Module Registry. If you omit the version constraint, Terraform will automatically use the latest available version of the module

Rationale for Correct Answer:

C: Securely managed .tfvars files are acceptable if not committed to version control.

D: HCP Terraform provides secure storage for sensitive variables.

E: HashiCorp Vault is designed for secrets management and integrates with Terraform.

Analysis of Incorrect Options (Distractors):

A: Plaintext storage is insecure.

B: Secrets should never be committed to version control.

Key Concept:Sensitive values must be stored using secure secret management solutions.

This is the backend that the Terraform CLI uses by default, unless you specify a different backend in your configuration. The local backend stores the state file in a local file named terraform.tfstate, which can be used to track and manage the state of your infrastructure.

This is what will happen if you run terraform destroy without any flags, as it will attempt to delete all the resources that are associated with your current working directory or workspace. You can use the -target flag to specify a particular resource that you want to destroy.

Terraform configuration can import modules from various sources, not only from the public registry. Modules can be sourced from local file paths, Git repositories, HTTP URLs, Mercurial repositories, S3 buckets, and GCS buckets. Terraform supports a number of common conventions and syntaxes for specifying module sources, as documented in the [Module Sources] page. References = [Module Sources]

To make Terraform's logging more verbose for troubleshooting purposes, you must configure the TF_LOG environment variable. This variable controls the level of logging and can be set to TRACE, DEBUG, INFO, WARN, or ERROR, with TRACE providing the most verbose output.References = Detailed debugging instructions and the use of environment variables like TF_LOG for increasing verbosity are part of Terraform's standard debugging practices

The terraform refresh-only command is intended to detect state file drift. This command synchronizes the state file with the actual infrastructure, updating the state to reflect any changes that have occurred outside of Terraform.

From terraform plan -refresh-only:

"Use this to detectdrift, i.e., changes made outside of Terraform."

It compares actual infrastructure to what's recorded in the state file.

 This is a quick way to inspect the state file and find the information you need without modifying anything5. The other options are either incorrect or inefficient.

Rationale for Correct Answer (A):

data blocks fetch information from providers (like AMI IDs, network info) that can be used in other resources.

Analysis of Incorrect Options:

B. local: Stores values, doesn’t fetch external data.

C. resource: Defines managed infrastructure, not read-only data.

D. provider: Configures connection to APIs, not data fetching.

Key Concept:

Data sources are read-only queries into existing infrastructure.

Terraform modules are referenced by specifying a source location. This location can be a URL or a file path. However, specifying query parameters such as ?version=vl.6.0 directly within the source path is not a valid or supported method for specifying a module version in Terraform. Instead, version constraints are specified using the version argument within the module block, not as part of the source string.References = This clarification is based on Terraform's official documentation regarding module usage, which outlines the correct methods for specifying module sources and versions.

When you use a remote backend that needs authentication, HashiCorp recommends that you:

 This is the command that you would use to access all of the attributes and details of a resource managed by Terraform, by providing the resource address as an argument. For example, terraform state show 'aws_instance.example' will show you all the information about the AWS instance named example.

You cannot reference a resource created with for_each using a splat (*) expression, as it will not work with resources that have non-numeric keys. You need to use a for expression instead to iterate over the resource instances.

Rationale for Correct Answer (D):

The Terraform Registry provides documentation for published modules, including:

Required inputs (variables you must supply).

Optional inputs with defaults (so you know what you can override).

Outputs (what values the module returns for use elsewhere).

Therefore, the correct answer is all of the above.

Analysis of Incorrect Options:

A. Required inputs only: Incomplete.

B. Outputs only: Incomplete.

C. Optional inputs only: Incomplete.

D. All of the above: Correct because the Registry provides all relevant documentation.

Key Concept:

Terraform Registry modules include inputs, outputs, and usage details, enabling reusability and modular design.

B (terraform init)–Must be run firstto initialize the Terraform working directory, download providers, and configure the backend.

A (terraform apply)– Requires initialization first, so itcannotbe run before terraform init.

C (terraform plan)– Also requires terraform init first to generate a plan.

D (terraform show)– Displays the state,not relevantfor first-time deployment.

Official Terraform Documentation Reference:

terraform init - HashiCorp Documentation

In Terraform Cloud, you can switch between workspaces using both the web UI and CLI. The statement that you "must use the CLI" is false. Workspaces can securely store cloud credentials, offer role-based access control, and integrate with VCS to trigger plan and apply operations.

C (✅Correct)– If changes require aresource replacement(e.g., changing an immutable attribute like instance type), Terraform willdestroy and recreate the resource.

E (✅Correct)– Terraform only appliesthe configuration in the current directory or workspace.

To import existing resources into Terraform, you need to do two things1:

Write a resource configuration block for each resource, matching the type and name used in your state file.

Run terraform import for each resource, specifying its address and ID. There is no such command as terraform Import-gcp, and provisioning new VMs with the same names will not import them into Terraform.

Terraform detects infrastructure drift by comparing thestate filewith the actual infrastructure.

When an instance ismanually deleted, Terraformsees it as missingand marks it for recreation.

Running terraform apply willonly recreate the missing instanceswhile leaving the rest of the infrastructure unchanged.

Explanation of incorrect answers:

A (Tear down everything and rebuild)– Incorrect. Terraform does not destroy existing infrastructure unless explicitly told to.

B (Build a completely new set of infrastructure)– Incorrect. Terraform does not create duplicates unless configuration changes.

D (Stop and error out)– Incorrect. Terraform does not fail; itrebuilds missing resourcesautomatically.

Official Terraform Documentation Reference:

Handling Infrastructure Drift

Terraform Cloud includes several features designed to enhance collaboration and infrastructure management. Two of these features are:

A web-based user interface (UI): This allows users to interact with Terraform Cloud through a browser, providing a centralized interface for managing Terraform configurations, state files, and workspaces.

Remote state storage: This feature enables users to store their Terraform state files remotely in Terraform Cloud, ensuring that state is safely backed up and can be accessed by team members as needed.

The execution plan for terraform apply will not be the same as the one you ran locally with terraform plan, if your teammate manually modified the infrastructure component you are working on. This is because Terraform will refresh the state file before applying any changes, and will detect any differences between the state and the real resources.

Some backends support state locking, which prevents other users from modifying the state file while a Terraform operation is in progress. This prevents conflicts and data loss. Not all backends support this feature, and you can check the documentation for each backend type to see if it does.

Speculative Plans: Terraform Cloud’sspeculative planfeature runs automatically when changes are detected in a linked VCS repository, enabling users to review potential infrastructure changes without committing them.

Automatic Integration: This feature automates the planning process by triggering when changes are committed, aiding teams in previewing infrastructure changes seamlessly.

For further understanding, see theTerraform Cloud VCS Integrationdocumentation.

 If you manually destroy infrastructure, Terraform will automatically detect the change and update the state file during the next plan or apply. Terraform compares the current state of the infrastructure with the desired state in the configuration and generates a plan to reconcile the differences. If a resource is missing from the infrastructure but still exists in the state file, Terraform will attempt to recreate it. If a resource is present in the infrastructure but not in the state file, Terraform will ignore it unless you use the terraform import command to bring it under Terraform’s management. References = [Terraform State]

The terraform plan command is used to create an execution plan. It allows you to see what actions Terraform will take to reach the desired state defined in your configuration files. It evaluates the current state and configuration, showing a detailed outline of the resources that will be created, updated, or destroyed. This is a critical step in the development process as it helps you verify that the changes you are about to apply will perform as expected, without actually modifying any state or infrastructure.

You can configure Terraform to log to a file using the TF_LOG environment variable. This variable can be set to one of the log levels: TRACE, DEBUG, INFO, WARN or ERROR. You can also use the TF_LOG_PATH environment variable to specify a custom log file location. References = : Debugging Terraform

This is the command that always causes a state file to be updated with changes that might have been made outside of Terraform, as it will only refresh the state file with the current status of the real resources, without making any changes to them or creating a plan.

The module source path that does not specify a remote module is source = "module/consul". This specifies a local module, which is a module that is stored in a subdirectory of the current working directory. The other options are all examples of remote modules, which are modules that are stored outside of the current working directory and can be accessed by various protocols, such as Git, HTTP, or the Terraform Registry. Remote modules are useful for sharing and reusing code across different configurations and environments. References = [Module Sources], [Local Paths], [Terraform Registry], [Generic Git Repository], [GitHub]

It is not a best practice to store secret data in the same version control repository as your Terraform configuration, as it could expose your sensitive information to unauthorized parties or compromise your security. You should use environment variables, vaults, or other mechanisms to store and provide secret data to Terraform.

This is the workflow for deploying new infrastructure with Terraform, as it will create a plan and apply it to the target environment. The other options are either incorrect or incomplete.

Not all standard backend types support state locking and remote operations like plan, apply, and destroy. For example, the local backend does not support remote operations and state locking. State locking is a feature that ensures that no two users can make changes to the state file at the same time, which is crucial for preventing race conditions. Remote operations allow running Terraform commands on a remote server, which is supported by some backends like remote or consul, but not all.

Rationale for Correct Answer:Terraform detects drift by refreshing state during terraform apply. Since the VM no longer exists but is still declared in configuration, Terraform will plan and recreate the missing resource.

Analysis of Incorrect Options (Distractors):

B. Error: Terraform treats this as drift, not an error.

C. Remove from state: Terraform does not remove resources automatically unless instructed.

D. No changes: Incorrect because drift is detected and corrected.

Key Concept:Terraform enforces the desired state defined in configuration, correcting drift automatically.

Running terraform fmt without any flags in a directory with Terraform configuration files will not check the formatting of those files without changing their contents, but will actually rewrite them to a canonical format and style. If you want to check the formatting without making changes, you need to use the -check flag.

Rationale for Correct Answer (B):

Terraform uses a state file to map real-world resources to your configuration. By default, if no backend is explicitly defined, Terraform stores this information in a file named terraform.tfstate located in the same directory as your configuration files. This local state file is critical for Terraform to understand what infrastructure already exists and to plan updates correctly.

Analysis of Incorrect Options (Distractors):

A. .terraform.d (home directory subdirectory):

This is used for storing plugins and some global settings, not for resource state.

C. .terraform.lock.hcl (lock file):

This file locks provider versions to ensure reproducible runs, but it does not contain resource state information.

D. .terraform (subdirectory):

This folder contains cached provider binaries and related data, but not the actual state file.

Key Concept:

Terraform state management is at the core of "Implement and Maintain State." Understanding where Terraform stores the state by default is critical because state files should often be stored remotely (using a backend like S3, GCS, or Terraform Cloud) for collaboration and reliability.

These are features of Terraform Cloud, which is a hosted service that provides a web-based UI, remote state storage, remote operations, collaboration features, and more for managing your Terraform infrastructure.

This is a key benefit of the Terraform state file, as it stores and tracks the metadata and attributes of the resources that are managed by Terraform, and allows Terraform to compare the current state with the desired state expressed by your configuration files.

This command will upgrade the plugins to the latest acceptable version within the version constraints specified in the configuration. The other commands do not have an -upgrade option.

This is the best time to run terraform validate, as it will check your code for syntax errors, typos, and missing arguments before you attempt to create a plan. The other options are either incorrect or unnecessary.

E (✅Correct)–IaC aims to eliminate manual cloud console workflowsby using code-based automation.

A, B, C (✅Advantages of IaC)– IaC enablesself-service deployment, API-driven workflows, and dynamic resource scaling.

D (diff command)– While useful, troubleshooting via diff is not acore advantageof IaC.

Official Terraform Documentation Reference:

What is Infrastructure as Code?

This is what will happen if you run terraform apply in the working directory again, after removing the resource definition from your Terraform configuration file. Terraform will detect that there is a resource in the state file that is not present in the configuration file, and will assume that you want to delete it.

terraform init is the first command that should be run after writing a new Terraform configuration or cloning an existing one from version control. It initializes a working directory containing Terraform configuration files and downloads any required providers and modules. The other commands are used for different purposes, such as importing existing resources, switching between workspaces, generating execution plans, etc.

Rationale for Correct Answer (A):

Terraform does not automatically update state references when resource identifiers are renamed. Instead, you must use a moved block in your configuration to inform Terraform how to map the old resource to the new one. This prevents Terraform from destroying and recreating the resource.

Analysis of Incorrect Options:

B & C: Incorrect syntax — moved requires from and to.

D: Incorrect, Terraform won’t auto-detect renames and will plan to destroy and recreate the resource unless a moved block is provided.

Key Concept:

The moved block is essential for refactoring resource names without losing resources in state.

When upgrading a provider,you must run terraform init -upgrade to install the new version.

Thisdownloads the latest provider versionand updates the local dependency cache.

terraform refresh(A)only updates the state file but doesnotupgrade providers.

terraform apply -upgrade(C)isnot a valid command.

terraform version can be upgraded separately, but(D)does not install a new provider version.

Official Terraform Documentation Reference:

Upgrading Providers in Terraform