Terraform-Associate-004 HashiCorp Certified: Terraform Associate (004) (HCTA0-004) Questions and Answers

The Terraform collection type that should be used to store key/value pairs is map. A map is a collection of values that are accessed by arbitrary labels, called keys. The keys and values can be of any type, but the keys must be unique within a map. For example, var = { key1 = " value1 " , key2 = " value2 " } is a map with two key/value pairs. Maps are useful for grouping related values together, such as configuration options or metadata. References = [Collection Types], [Map Type Constraints]

The public Terraform Module Registry is free to use, as it is a public service that hosts thousands of self-contained packages called modules that are used to provision infrastructure. You can browse, use, and publish modules to the registry without any cost.

The terraform fmt command is used to format Terraform configuration files to a canonical format and style. This ensures that all team members are using a consistent style, making the code easier to read and maintain. It automatically applies Terraform ' s standard formatting conventions to your configuration files, helping maintain consistency across the team ' s codebase.

This is what determines how Terraform creates, updates, or deletes resources, as it is responsible for understanding API interactions with some service and exposing resources and data sources based on that API.

Rationale for Correct Answers:

C. terraform.tfvars securely managed: Acceptable if distributed securely outside version control.

D. HCP Terraform/Terraform Cloud sensitive variables: Official best practice for team-based workflows.

E. Vault: HashiCorp Vault is designed for secret management and integrates well with Terraform.

Analysis of Incorrect Options:

A: Storing plaintext secrets on shared drives is insecure.

B: Checking secrets into version control is a major security risk.

Key Concept:

Sensitive values should be managed securely in Vault, HCP Terraform, or securely shared .tfvars files — never in plaintext or version control.

Rationale for Correct Answer (B):

Provider version constraints in Terraform are specified using the version argument in the required_providers block, e.g.:

terraform {

required_providers {

aws = {

source = " hashicorp/aws "

version = " 3.1 "

}

}

}

This ensures Terraform always uses a specific provider version (or constraint expression).

Analysis of Incorrect Options:

A. version: Incomplete, no value specified.

C. version: 3.1: Incorrect syntax, Terraform uses = not :.

D. version - 3.1: Incorrect syntax, - is invalid here.

Key Concept:

Defining provider version constraints ensures consistent provider behavior across environments and avoids breaking changes.

When upgrading a provider,you must run terraform init -upgrade to install the new version.

Thisdownloads the latest provider versionand updates the local dependency cache.

terraform refresh(A)only updates the state file but doesnotupgrade providers.

terraform apply -upgrade(C)isnot a valid command.

terraform version can be upgraded separately, but(D)does not install a new provider version.

Official Terraform Documentation Reference:

Upgrading Providers in Terraform

Rationale for Correct Answer (D):

The Terraform Registry provides documentation for published modules, including:

Required inputs (variables you must supply).

Optional inputs with defaults (so you know what you can override).

Outputs (what values the module returns for use elsewhere).

Therefore, the correct answer is all of the above.

Analysis of Incorrect Options:

A. Required inputs only: Incomplete.

B. Outputs only: Incomplete.

C. Optional inputs only: Incomplete.

D. All of the above: Correct because the Registry provides all relevant documentation.

Key Concept:

Terraform Registry modules include inputs, outputs, and usage details, enabling reusability and modular design.

This is a secure way to inject sensitive variables into your Terraform run, as they will not be stored in any file or source code repository. You can also use environment variables or variable files with encryption to pass sensitive variables to Terraform.

This command will check if all code in a Terraform configuration that references multiple modules is properly formatted without making changes, and will return a non-zero exit code if any files need formatting. The other commands will either make changes, list the files that need formatting, or not check the modules.

Rationale for Correct Answer:When using count, Terraform creates resources indexed starting at 0.With count = 2, the instances are indexed as:

First instance → aws_instance.web[0]

Second instance → aws_instance.web[1]

To reference the name attribute of the second instance, the correct syntax is:

aws_instance.web[1].name

Analysis of Incorrect Options (Distractors):

A. [2]: Incorrect because indexing starts at 0 and only indices 0 and 1 exist.

B. *.name: Returns a list of all names, not a single instance value.

D. [1]: References the whole resource object, not the name attribute.

E. element(...): Incorrect syntax and wrong index; also unnecessary when direct indexing is available.

Key Concept:Understanding resource indexing with count and zero-based indexing in Terraform.

In Terraform Cloud, speculative plan runs are not automatically started when changes are merged or committed to the version control repository linked to a workspace. Instead, speculative plans are typically triggered as part of proposed changes in merge requests or pull requests to give an indication of what would happen if the changes were applied, without making any real changes to the infrastructure. Actual plan and apply operations in Terraform Cloud workspaces are usually triggered by specific events or configurations defined within the Terraform Cloud workspace settings.References = This behavior is part of how Terraform Cloud integrates with version control systems and is documented in Terraform Cloud ' s usage guidelines and best practices, especially in the context of VCS-driven workflows.

Terraform state is a representation of the infrastructure that Terraform manages. Terraform uses state to track the current status of the resources it creates and to plan future changes. However, Terraform state is not aware of any changes made to the resources outside of Terraform, such as through the Azure Cloud Console, the Azure CLI, or the Azure API. Therefore, changing resources via the Azure Cloud Console does not update the current state file, and it may cause inconsistencies or conflicts with Terraform’s desired configuration. To avoid this, it is recommended to manage resources exclusively through Terraform or to use the terraform import command to bring existing resources under Terraform’s control.

When you change a Terraform-managed resource via the Azure Cloud Console, Terraform does not immediately update the state file to reflect the change. However, the next time you run terraform plan or terraform apply, Terraform will compare the state file with the actual state of the resources in Azure and detect any drifts or differences. Terraform will then update the state file to match the current state of the resources and show you the proposed changes in the execution plan. Depending on the configuration and the change, Terraform may try to undo the change, modify the resource further, or recreate the resource entirely. To avoid unexpected or destructive changes, it is recommended to review the execution plan carefully before applying it or to use the terraform refresh command to update the state file without applying any changes.

References = Purpose of Terraform State, Terraform State, Managing State, Importing Infrastructure, [Command: plan], [Command: apply] , [Command: refresh]

Environment variables and connection configurations outside of Terraform are secure options for storing secrets for connecting to a Terraform remote backend. Environment variables can be used to set values for input variables that contain secrets, such as backend access keys or tokens. Terraform will read environment variables that start with TF_VAR_ and match the name of an input variable. For example, if you have an input variable called backend_token, you can set its value with the environment variable TF_VAR_backend_token1. Connection configurations outside of Terraform are files or scripts that provide credentials or other information for Terraform to connect to a remote backend. For example, you can use a credentials file for the S3 backend2, or a shell script for the HTTP backend3. These files or scripts are not part of the Terraform configuration and can be stored securely in a separate location. The other options are not secure for storing secrets. A variable file is a file that contains values for input variables. Variable files are usually stored in the same directory as the Terraform configuration or in a version control system. This exposes the secrets to anyone who can access the files or the repository. You should not store secrets in variable files1. Inside the backend block within the Terraform configuration is where you specify the type and settings of the remote backend. The backend block is part of the Terraform configuration and is usually stored in a version control system. This exposes the secrets to anyone who can access the configuration or the repository. You should not store secrets in the backend block4. References = [Terraform Input Variables] 1, [Backend Type: s3]2, [Backend Type: http] 3, [Backend Configuration]4

This is how you specify a module’s version when publishing it to the public Terraform Module Registry, as it uses the tags from your version control system (such as GitHub or GitLab) to identify module versions. You need to use semantic versioning for your tags, such as v1.0.0.

Sentinel is a policy-as-code framework that allows you to define and enforce rules on your Terraform configurations, states, and plans1. Some of the benefits of using Sentinel with Terraform Cloud/Terraform Enterprise are:

•You can restrict specific resource configurations, such as disallowing the use of CIDR=0.0.0.0/0, which would open up your network to the entire internet. This can help you prevent misconfigurations or security vulnerabilities in your infrastructure2.

•Policy-as-code can enforce security best practices, such as requiring encryption, authentication, or compliance standards. This can help you protect your data and meet regulatory requirements3.

•You can enforce a list of approved AWS AMIs, which are pre-configured images that contain the operating system and software you need to run your applications. This can help you ensure consistency, reliability, and performance across your infrastructure4.

References =

•1: Terraform and Sentinel | Sentinel | HashiCorp Developer

•2: Terraform Learning Resources: Getting Started with Sentinel in Terraform Cloud

•3: Exploring the Power of HashiCorp Terraform, Sentinel, Terraform Cloud …

•4: Using New Sentinel Features in Terraform Cloud – Medium

Option C is the correct way to configure multiple providers in a Terraform configuration. Each provider block must have a name attribute that specifies which provider it configures2. The other options are either missing the name attribute or using an invalid syntax.

When you use a remote backend that needs authentication, HashiCorp recommends that you:

You do not need to use different Terraform commands depending on the cloud provider you use. Terraform commands are consistent across different providers, as they operate on the Terraform configuration files and state files, not on the provider APIs directly.

In Terraform, the max function can be used to select the largest number from a list of numbers. The max function takes multiple arguments and returns the highest one. For the list numcpus = [18, 3, 7, 11, 2], using max(numcpus...) will return 18, which is the largest number in the list.

Confidentiality: UsingHCP Terraform/Terraform Cloud’s private registrykeeps the module configurations within your organization, ensuring privacy and access control.

Version Constraints: The private registry supportssemantic versioning, allowing you to manage versions of your modules as Terraform does natively.

Browsable Directory: The private registry offers a user interface to browse modules, making it easy for users within the organization to locate and manage modules.

This setup aligns with HashiCorp’s design forprivate registry supportin Terraform, meeting all listed requirements for secure, version-controlled, and searchable module storage.

This is the type of block that is used to construct a collection of nested configuration blocks, by using a for_each argument to iterate over a collection value and generate a nested block for each element. For example, you can use a dynamic block to create multiple ingress rules for a security group resource.

This will trigger a run in the Terraform Cloud workspace, which will perform a plan and apply operation on the infrastructure defined by the Terraform configuration files in the VCS repository.

This is how Terraform chooses which version of the provider to use, when you add a new resource to an existing Terraform configuration, but do not update the version constraint in the configuration. The lock file records the exact version of each provider that was installed in your working directory, and ensures that Terraform will always use the same provider versions until you run terraform init -upgrade to update them.

Rationale for Correct Answer: A private registry in HCP Terraform is designed to publish and share modules within an organization (with org access controls), rather than publicly. That supports internal reuse while keeping module content and usage confined to authorized users in the org.

Analysis of Incorrect Options (Distractors):

B (False): Incorrect—confidential/internal distribution is a primary purpose of private registries.

Key Concept: Public vs private module registries and organizational access control.

Rationale for Correct Answer: terraform apply -replace=ADDRESS forces Terraform to replace the specified resource during the next apply, meaning it will plan to destroy and then recreate it (or create-before-destroy if the resource supports it and the graph/lifecycle allows). This is used when a resource is unhealthy, drifted in a way that’s hard to correct, or you want a fresh instance without changing configuration.

Analysis of Incorrect Options (Distractors):

A: Incorrect—-replace is not “destroy only”; it’s destroy + recreate.

B: Incorrect—ignoring changes is done with lifecycle ignore_changes, not -replace.

D: Incorrect—destroying everything is terraform destroy (or apply with all resources removed), not -replace.

Key Concept: Forcing resource replacement using -replace in the apply workflow.

In Terraform, the backend configuration, which includes details about where and how state is stored, is specified within the terraform block of your configuration. This block is the correct place to define the backend type and its configuration parameters, such as the location of the state file for a local backend or the bucket details for a remote backend like S3.References = This practice is outlined in Terraform ' s core documentation, which provides examples and guidelines on how to configure various aspects of Terraform ' s behavior, including state backends .

The -replace flag is used with the terraform apply command when there is a need to explicitly force Terraform to destroy and then recreate a specific resource during the next apply. This can be necessary in situations where a simple update is insufficient or when a resource must be re-provisioned to pick up certain changes.

Changing the Terraform backend after performing the initial terraform apply is technically possible but strongly discouraged. This is because changing backends can lead to complexities in state management, requiring manual intervention such as state migration to ensure consistency. Terraform ' s documentation and best practices advise planning the backend configuration carefully before applying Terraform configurations to avoid such changes.References = This guidance is consistent with Terraform ' s official documentation, which recommends careful consideration and planning of backend configurations to avoid the need for changes.

Terraformdownloads modules and providersinto the .terraform directory inside the working directory.

A (/tmp/)– Incorrect; modules arenot stored temporarily.

C (In memory)– Incorrect; modules persist on disk.

D (Not cached)– Incorrect; Terraformdoes cache modulesfor efficiency.

Official Terraform Documentation Reference:

Terraform Module Caching

Detailed Explanation:

Rationale for Correct Answer: Setting version = " 3.1.4 " pins the module to that exact version, preventing Terraform from selecting any newer version. This is the strongest guard against unexpected changes (including potential breaking changes) because it does not allow upgrades unless you explicitly change the version constraint.

Analysis of Incorrect Options (Distractors):

A: Incorrect. This allows any version < 3.2 (including 3.1.5, 3.1.9, etc.). Those may still introduce behavioral changes you want to avoid.

B: Incorrect. This forces Terraform to use 3.1.5 or newer, the opposite of what you want.

D: Incorrect. ~ > 3.1.4 allows patch-level updates (e.g., 3.1.5, 3.1.9) and could still introduce changes your team wants to avoid.

Key Concept: Module version constraints and pinning to avoid unexpected upgrades.

To import the contents of a local file as a string in Terraform, you can use the built-in file function. By specifying file( " id_rsa.pub " ), Terraform reads the contents of the id_rsa.pub file and uses it as a string within your Terraform configuration. This function is particularly useful for scenarios where you need to include file data directly into your configuration, such as including an SSH public key for provisioning cloud instances.References = This information is a standard part of Terraform ' s functionality with built-in functions, as outlined in Terraform ' s official documentation and commonly used in various Terraform configurations.

 The concept of infrastructure as code (IaC) is to define and manage infrastructure using code, rather than manual processes or GUI tools. A script that contains a series of public cloud CLI commands is an example of IaC, because it uses code to provision resources into a public cloud. The other options are not examples of IaC, because they involve manual or interactive actions, such as running curl commands, sending REST requests, or entering commands into a console. References = [Introduction to Infrastructure as Code with Terraform] and [Infrastructure as Code]

Terraform can call modules from various sources including the public Terraform Registry, private registries, local file paths, or version control systems like GitHub.

Rationale for Correct Answer:terraform destroy removes all resources currently tracked in the Terraform state file by issuing destroy requests to the configured providers. It does not delete configuration files or providers themselves.

Analysis of Incorrect Options (Distractors):

B: Terraform never deletes configuration files.

C: Terraform only destroys resources it manages, not all provider infrastructure.

D: Terraform does not delete the state file by default.

Key Concept:terraform destroy enforces removal of all managed infrastructure.

This is a secure way to protect sensitive data in the state file, as it will be encrypted at rest and in transit2. The other options are not recommended, as they could lead to data loss, errors, or security breaches.

Importing Existing Resources: Theterraform importcommand brings resources already deployed in a cloud environment into Terraform’s state file, allowing Terraform to manage them.

Workflow Usage: Importing is vital when managing resources created outside of Terraform or those in place before Terraform adoption.

Refer to Terraform’s import command documentation.

Rationale for Correct Answer: To enforce constraints on an input variable, Terraform provides variable validation using a validation block inside the variable block. If the condition fails, Terraform produces an error and prevents the operation (plan/apply) from continuing with invalid input.

Analysis of Incorrect Options (Distractors):

A (Top-level check block): check blocks validate conditions, but they are not the standard mechanism for constraining input variable values at the point of declaration; variable validation is.

C (Top-level validation block): Terraform does not support a standalone top-level validation block.

D (check block in the variable block): check is not placed inside variable blocks for input validation; the correct construct is validation.

Key Concept: Input variable validation to enforce constraints and fail fast.

Not all modules published on the official Terraform Module Registry have been verified by HashiCorp. While HashiCorp verifies some modules, there are many community-contributed modules that are not verified. Verified modules have a " Verified " badge indicating that HashiCorp has reviewed them for security and best practices, but the registry also includes unverified modules.

If you update the version constraint in your Terraform configuration, Terraform will update your lock file the next time you run terraform init3. This will ensure that you use the same provider versions across different machines and runs.

Rationale for Correct Answer (C):

Best practice is to avoid hardcoding sensitive credentials in Terraform configurations or storing them in version control. Instead, credentials should be managed via environment variables, CLI authentication helpers, or secret managers (e.g., Vault).

Analysis of Incorrect Options:

A. Shared server: Not secure, introduces single point of failure and risk.

B. Storing credentials in config files: A major security risk, especially if pushed to version control.

D. None of the above: Incorrect, because option C is a valid and recommended approach.

Key Concept:

Security best practices in Terraform dictate that credentials should be externalized from Terraform code.

You must initialize your working directory before running terraform validate, as it will ensure that all the required plugins and modules are installed and configured properly. If you skip this step, you may encounter errors or inconsistencies when validating your configuration files.

This is a bad practice, as it exposes your credentials to anyone who can access your configuration files or state files. You should use environment variables, credential files, or other mechanisms to provide credentials to Terraform.

 To tell Terraform to stop managing a specific resource without destroying it, you can use the terraform state rm command. This command will remove the resource from the Terraform state, which means that Terraform will no longer track or update the corresponding remote object. However, the object will still exist in the remote system and you can later use terraform import to start managing it again in a different configuration or workspace. The syntax for this command is terraform state rm < address > , where  < address >  is the resource address that identifies the resource instance to remove. For example, terraform state rm aws_instance.ubuntu[1] will remove the second instance of the aws_instance resource named ubuntu from the state. References = : Command: state rm : Moving Resources

Referencing Terraform Built-in Functions:

✅chomp: removes trailing newlines

✅join: combines list into string

✅split: splits string into list

❌slice:is nota valid Terraform string function (it ' s used in other languages like Python)

Not all standard backend types support state locking and remote operations like plan, apply, and destroy. For example, the local backend does not support remote operations and state locking. State locking is a feature that ensures that no two users can make changes to the state file at the same time, which is crucial for preventing race conditions. Remote operations allow running Terraform commands on a remote server, which is supported by some backends like remote or consul, but not all.

Rationale for Correct Answer: Terraform can store state in a remote backend (remote location) configured in the terraform block (for example, terraform { backend " s3 " { ... } } or terraform { cloud { ... } }). Remote backends store the state outside the local filesystem and often add collaboration features like locking.

Analysis of Incorrect Options (Distractors):

B: Incorrect—CLI configuration files (like .terraformrc / terraform.rc) control CLI behavior (credentials helpers, plugin cache, etc.), but backend/state storage is configured in the Terraform configuration (terraform block) and initialized with terraform init.

C: Incorrect—Terraform must persist state between runs; in-memory storage would be lost when the process ends.

D: Incorrect—environment variables can influence behavior (e.g., credentials, logging), but Terraform does not store state in environment variables.

Key Concept: Configuring remote backends for state storage via the terraform block.

Running terraform fmt without any flags in a directory with Terraform configuration files will not check the formatting of those files without changing their contents, but will actually rewrite them to a canonical format and style. If you want to check the formatting without making changes, you need to use the -check flag.

You need to write Terraform configuration files for the existing infrastructure that you want to import into Terraform, otherwise Terraform will not know how to manage it. The configuration files should match the type and name of the resources that you want to import.

Terraform is built on a plugin-based architecture, enabling developers to extend Terraform by writing new plugins or compiling modified versions of existing plugins1. Terraform plugins are executable binaries written in Go that expose an implementation for a specific service, such as a cloud resource, SaaS platform, or API2. If there is no existing provider for your API, you can create one using the Terraform Plugin SDK3 or the Terraform Plugin Framework4. References =

•1: Plugin Development - How Terraform Works With Plugins | Terraform | HashiCorp Developer

•2: Lab: Terraform Plug-in Based Architecture - GitHub

•3: Terraform Plugin SDK - Terraform by HashiCorp

•4: HashiCorp Terraform Plugin Framework Now Generally Available

The best way to automatically and proactively enforce the security control that new AWS S3 buckets must be private and encrypted at rest is with a Sentinel policy, which runs before every apply. Sentinel is a policy as code framework that allows you to define and enforce logic-based policies for your infrastructure. Terraform Cloud supports Sentinel policies for all paid tiers, and can run them before any terraform plan or terraform apply operation. You can write a Sentinel policy that checks the configuration of the S3 buckets and ensures that they have the proper settings for privacy and encryption, and then assign the policy to your Terraform Cloud organization or workspace. This way, Terraform Cloud will prevent any changes that violate the policy from being applied. References = [Sentinel Policy Framework], [Manage Policies in Terraform Cloud] , [Write and Test Sentinel Policies for Terraform]

 This is the command that can add existing resources into Terraform state, by matching them with the corresponding configuration blocks in your files. 

terraform validatechecks for syntax errors and internal consistencyin the configuration files.

However, itdoes notcheck if resource configurations are valid with the provider.

Official Terraform Documentation Reference:

terraform validate - HashiCorp Documentation

Rationale for Correct Answer (B):

Terraform uses a state file to map real-world resources to your configuration. By default, if no backend is explicitly defined, Terraform stores this information in a file named terraform.tfstate located in the same directory as your configuration files. This local state file is critical for Terraform to understand what infrastructure already exists and to plan updates correctly.

Analysis of Incorrect Options (Distractors):

A. .terraform.d (home directory subdirectory):

This is used for storing plugins and some global settings, not for resource state.

C. .terraform.lock.hcl (lock file):

This file locks provider versions to ensure reproducible runs, but it does not contain resource state information.

D. .terraform (subdirectory):

This folder contains cached provider binaries and related data, but not the actual state file.

Key Concept:

Terraform state management is at the core of " Implement and Maintain State. " Understanding where Terraform stores the state by default is critical because state files should often be stored remotely (using a backend like S3, GCS, or Terraform Cloud) for collaboration and reliability.

Rationale for Correct Answer:

A: The plan is stale because state changed after it was created. The correct fix is to recreate the plan against the latest state and apply that new plan.

B: Running terraform apply without specifying the old plan causes Terraform to re-plan using the current state and configuration, then apply the resulting changes.

Analysis of Incorrect Options (Distractors):

C: -lock=false disables locking; it does not make an old plan valid and is unsafe in team environments.

D: -refresh-only changes what’s recorded in state (when applied) but does not “unstale” an existing saved plan file.

E: terraform state push is for advanced/manual state management and does not update a saved plan file; using it here is inappropriate and risky.

Key Concept: Saved plans are tied to a specific state snapshot; if state changes, you must re-plan.

You do not need to use different Terraform commands depending on the cloud provider you use. Terraform commands are consistent across different providers, as they operate on the Terraform configuration files and state files, not on the provider APIs directly.

From Terraform CLI Overview:

" Terraform provides a consistent CLI workflow regardless of which cloud or service you’re managing. "

Thesame Terraform commandswork across all providers via plugins.

Rationale for Correct Answer: To provision new infrastructure, Terraform’s core workflow is:

terraform plan to create an execution plan (what will be created/changed/destroyed).

terraform apply to execute that plan and provision the infrastructure.

These two steps represent the essential “preview then create” workflow Terraform objectives emphasize.

Analysis of Incorrect Options (Distractors):

A (Import): Used to bring existing resources under Terraform management; not required for provisioning new infrastructure.

C (Validate): Useful for checking syntax and internal consistency, but not required to provision.

E (Init): Typically required before first use in a new working directory (providers/modules/backend setup), but the question asks which steps are required in the workflow to provision—the required provisioning steps are plan + apply.

Key Concept: Terraform CLI workflow: plan → apply for provisioning.

The terraform validate command is used to check that your Terraform configuration files are syntactically valid and internally consistent. It is a useful command for ensuring your Terraform code is error-free before applying any changes to your infrastructure.

This is where the Terraform local backend stores its state, by default, unless you specify a different file name or location in your configuration. The local backend is the simplest backend type that stores the state file on your local disk.

The terraform fmt command is used to rewrite Terraform configuration files to a canonical format and style. This command applies a subset of the Terraform language style conventions, along with other minor adjustments for readability. Running this command on your configuration files before committing them to source control can help ensure consistency of style between different Terraform codebases, and can also make diffs easier to read. You can also use the -check and -diff options to check if the files are formatted and display the formatting changes respectively2. Running the terraform fmt command during the code linting phase of your CI/CD process can help automate this process and enforce the formatting standards for your team. References = [Command: fmt] 2

terraform apply can runwithout explicitly running terraform plan first.

Running terraform plan before apply isrecommendedbutnot mandatory.

If no plan file is provided, terraform applyautomatically creates and executes a planbefore applying changes.

Official Terraform Documentation Reference:

terraform apply - HashiCorp Documentation

Sentinel policies are checked after the plan stage of a Terraform run, but before it can be confirmed or the terraform apply is executed3. This allows you to enforce rules on your infrastructure before it is created or modified.

It lets you version, reuse, and share infrastructure configuration as code files, which can be stored in a source control system and integrated with your CI/CD pipeline.

It reduces risk of operator error by automating repetitive tasks and ensuring consistency across environments. IaC does not necessarily provision resources at a lower cost, secure your credentials, or prevent manual modifications to your resources - these depend on other factors such as your cloud provider, your security practices, and your access policies.

The key principle of infrastructure as code that is not listed among the options is golden images. Golden images are pre-configured, ready-to-use virtual machine images that contain a specific set of software and configuration. They are often used to create multiple identical instances of the same environment, such as for testing or production. However, golden images are not a principle of infrastructure as code, but rather a technique that can be used with or without infrastructure as code. The other options are all key principles of infrastructure as code, as explained below:

Self-describing infrastructure: This means that the infrastructure is defined in code that describes its desired state, rather than in scripts that describe the steps to create it. This makes the infrastructure easier to understand, maintain, and reproduce.

Idempotence: This means that applying the same infrastructure code multiple times will always result in the same state, regardless of the initial state. This makes the infrastructure consistent and predictable, and avoids errors or conflicts caused by repeated actions.

Versioned infrastructure: This means that the infrastructure code is stored in a version control system, such as Git, that tracks the changes and history of the code. This makes the infrastructure code reusable, auditable, and collaborative, and enables practices such as branching, merging, and rollback. References = [Introduction to Infrastructure as Code with Terraform], [Infrastructure as Code in a Private or Public Cloud]

Detailed Explanation:

Rationale for Correct Answer: Changing count changes the desired number of resource instances. To reconcile real infrastructure with the updated configuration, you run terraform apply (typically after reviewing the plan). Terraform will create/destroy instances as needed to match the new count value.

Analysis of Incorrect Options (Distractors):

A: Incorrect. terraform init is required when you add/change providers, modules, or backend configuration—not for simple variable value changes.

B: Incorrect. Outputs do not change infrastructure; they only display derived values.

C: Incorrect. You generally should not edit state to reflect intended changes; you apply configuration changes and let Terraform update state.

Key Concept: Terraform workflow: update configuration → plan/apply to converge infrastructure to desired state.

This is the command that always causes a state file to be updated with changes that might have been made outside of Terraform, as it will only refresh the state file with the current status of the real resources, without making any changes to them or creating a plan.

In Terraform, the correct way to reference a resource attribute is:

pgsql

CopyEdit

resource_type.resource_name.attribute

For example, if the resource block is:

hcl

CopyEdit

resource " kubernetes_namespace " " example " {

metadata {

name = " my-namespace "

}

}

To reference the name attribute, use:

pgsql

CopyEdit

kubernetes_namespace.example.name

Explanation of incorrect answers:

A (resource.kubernetes_namespace.example.name)– Incorrect. Terraform does not use the resource. prefix when referencing resources.

C (data.kubernetes.namespace.name)– Incorrect. This syntax is used fordata sources, not resources.

D (kubernetes_namespace.test.name)– Incorrect. The resource name is " example " , not " test " .

Official Terraform Documentation Reference:

Terraform Resource References

The command that makes your code more human readable is terraform fmt. This command is used to rewrite Terraform configuration files to a canonical format and style, following the Terraform language style conventions and other minor adjustments for readability. The command is optional, opinionated, and has no customization options, but it is recommended to ensure consistency of style across different Terraform codebases. Consistency can help your team understand the code more quickly and easily, making the use of terraform fmt very important. You can run this command on your configuration files before committing them to source control or as part of your CI/CD pipeline. References = : Command: fmt : Using Terraform fmt Command to Format Your Terraform Code

Terraform providers are not part of the Terraform core binary. Providers are distributed separately from Terraform itself and have their own release cadence and version numbers. Providers are plugins that Terraform uses to interact with various APIs, such as cloud providers, SaaS providers, and other services. You can find and install providers from the Terraform Registry, which hosts providers for most major infrastructure platforms. You can also load providers from a local mirror or cache, or develop your own custom providers. To use a provider in your Terraform configuration, you need to declare it in the provider requirements block and optionally configure its settings in the provider block. References = : Providers - Configuration Language | Terraform : Terraform Registry - Providers Overview | Terraform

When running a terraform apply -refresh-only, Terraform does not reference the configuration files, but only the state file, credentials, and cloud provider. The purpose of this command is to update the state file with the current status of the real resources, without making any changes to them1.

Rationale for Correct Answer:When multiple provider configurations are defined using an alias, Terraform requires the provider meta-argument inside the resource block to explicitly reference the aliased provider.In this case, the provider is defined as aws with alias = " west " , so resources targeting us-west-2 must specify:

provider = aws.west

This tells Terraform exactly which provider configuration to use.

Analysis of Incorrect Options (Distractors):

B. alias = aws.west: Incorrect — alias is only used inside the provider block, not in resources.

C. provider = west: Incorrect — Terraform requires the full provider name (aws.west), not just the alias.

D. alias = west: Incorrect — resources do not support an alias meta-argument.

Key Concept:Using aliased provider configurations and the provider meta-argument to deploy resources across multiple regions or accounts.

From the Terraform Output Docs – Sensitive:

" Marking an output as sensitive prevents Terraform from showing its value in the CLI output,but it will still bestored in the state file. "

Thus, it protects display, not storage.

Some backends support state locking, which prevents other users from modifying the state file while a Terraform operation is in progress. This prevents conflicts and data loss. Not all backends support this feature, and you can check the documentation for each backend type to see if it does.

The required_providers block is used to specify the provider versions that the configuration can work with. The version argument accepts a version constraint string, which must be enclosed in double quotes. The version constraint string can use operators such as  > =, ~ > , =, etc. to specify the minimum, maximum, or exact version of the provider. For example, version = " > = 3.1 "  means that theconfiguration can work with any provider version that is 3.1 or higher. References = [Provider Requirements] and [Version Constraints]

Terraform creates the .terraform.lock.hcl file after the first terraform init command. This lock file ensures that the dependencies for your project are consistent across different runs by locking the versions of the providers and modules used.

The terraform refresh-only command is intended to detect state file drift. This command synchronizes the state file with the actual infrastructure, updating the state to reflect any changes that have occurred outside of Terraform.

From terraform plan -refresh-only:

" Use this to detectdrift, i.e., changes made outside of Terraform. "

It compares actual infrastructure to what ' s recorded in the state file.

Purpose of Refresh-Only Mode: Running Terraform inrefresh-only modeupdates Terraform ' s state file with the current state of resources in your infrastructure without making changes to the resources themselves.

Context of Terraform Import: When usingterraform import, you’re adding existing resources to the state file, and running Terraform in refresh-only mode before this operation can ensure that any initial configuration syncs precisely with the actual state.

For more on refresh-only mode in relation to terraform import, refer to Terraform ' s import documentation.

To prevent two Terraform runs from changing the same state file simultaneously, state locking is used. State locking ensures that when one Terraform operation is running, others will be blocked from making changes to the same state, thus preventing conflicts and data corruption. This is achieved by configuring the state backend to support locking, which will lock the state for all operations that could write to the state.References = This information is supported by Terraform ' s official documentation, which explains the importance of state locking and how it can be configured for different backends to prevent concurrent state modifications .

This will enable additional logging messages to find out from which paths Terraform is loading providers referenced in your Terraform configuration files, as it will set the log level to TRACE, which is the most verbose and detailed level.

These are the parameters that terraform import requires, as they allow Terraform to identify the existing resource that you want to import into your state file, and match it with the corresponding configuration block in your files.

Rationale for Correct Answer (B):

Terraform interacts with external systems through providers. Since this is a new proprietary service with its own API, Terraform does not support it by default. You would need to develop a custom provider that implements Terraform’s provider interface and interacts with the proprietary APIs to manage resources like users.

Analysis of Incorrect Option:

A. Any service hosted on a public cloud provider: Not true. Terraform can only manage services that have providers (official or custom). Just being " hosted on a public cloud " doesn’t guarantee Terraform support.

Key Concept:

Terraform providers act as the bridge between Terraform and external APIs. For unsupported services, a custom provider must be developed.

Detailed Explanation:

Rationale for Correct Answer:

A: terraform plan -out=planfile saves the proposed execution plan so you can later run terraform apply planfile. This supports review and controlled deployments.

B: terraform plan shows what Terraform would change (create/update/destroy) so you can verify changes before applying—this is one of the primary purposes of plan.

Analysis of Incorrect Options (Distractors):

C: Incorrect. Scheduling runs is not a capability of terraform plan (that’s handled by external schedulers/CI systems or HCP Terraform scheduling features—not the CLI plan command itself).

D: Incorrect. Workspaces are selected via terraform workspace select < name > (or by using separate working directories / automation). terraform plan itself doesn’t “execute in a different workspace” without switching context first.

Key Concept: terraform plan for previewing changes and optionally saving an execution plan file for later application.

Speculative Plans: Terraform Cloud’sspeculative planfeature runs automatically when changes are detected in a linked VCS repository, enabling users to review potential infrastructure changes without committing them.

Automatic Integration: This feature automates the planning process by triggering when changes are committed, aiding teams in previewing infrastructure changes seamlessly.

For further understanding, see theTerraform Cloud VCS Integrationdocumentation.

These are two ways to produce a list of the IDs from a list of objects that have an attribute id, using either a for expression or a splat expression syntax.

Rationale for Correct Answer (B):

terraform import allows Terraform to associate existing resources (created outside of Terraform or by another tool) with a Terraform configuration by writing them into the state file. After import, Terraform can manage those resources.

Analysis of Incorrect Options:

A. From one state file to another: Incorrect, import does not transfer between state files.

C. Importing a module: Incorrect, modules are defined in configuration, not imported.

D. Import all infrastructure: Incorrect, import is per-resource, not bulk.

E. Provider configuration transfer: Incorrect, provider configs are in .tf files, not imported with this command.

Key Concept:

The terraform import command bridges existing resources with Terraform state management.

The terraform plan command does not update the state file. Instead, it reads the current state and the configuration files to determine what changes would be made to bring the real-world infrastructure into the desired state defined in the configuration. The plan operation is a read-only operation and does not modify the state or the infrastructure. It is the terraform apply command that actually applies changes and updates the state file.References = Terraform ' s official guidelines and documentation clarify the purpose of the terraform plan command, highlighting its role in preparing and showing an execution plan without making any changes to the actual state or infrastructure .

Child modulesdo not automatically inheritvariables from the parent module.

To pass values from theparent moduleto thechild module, you mustexplicitly define input variablesin the child module and pass them in the parent module.

Example:

hcl

CopyEdit

module " example " {

source = " ./child_module "

var1 = " value "

}

Official Terraform Documentation Reference:

Passing Variables to Modules

The statement that you must use the CLI to switch between workspaces is false. Terraform Cloud workspaces are different from Terraform CLI workspaces. Terraform Cloud workspaces are required and represent all of the collections of infrastructure in an organization. They are also a major component of role-based access in Terraform Cloud. You can grant individual users and user groupspermissions for one or more workspaces that dictate whether they can manage variables, perform runs, etc. You can create, view, and switch between Terraform Cloud workspaces using the Terraform Cloud UI, the Workspaces API, or the Terraform Enterprise Provider5. Terraform CLI workspaces are optional and allow you to create multiple distinct instances of a single configuration within one working directory. They are useful for creating disposable environments for testing or experimenting without affecting your main or production environment. You can create, view, and switch between Terraform CLI workspaces using the terraform workspace command6. The other statements about Terraform Cloud workspaces are true. They have role-based access controls that allow you to assign permissions to users and teams based on their roles and responsibilities. You can create and manage roles using the Teams API or the Terraform Enterprise Provider7. Plans and applies can be triggered via version control system integrations that allow you to link your Terraform Cloud workspaces to your VCS repositories. You can configure VCS settings, webhooks, and branch tracking to automate your Terraform Cloud workflow8. They can securely store cloud credentials as sensitive variables that are encrypted at rest and only decrypted when needed. You can manage variables using the Terraform Cloud UI, the Variables API, or the Terraform Enterprise Provider9. References = [Workspaces]5, [Terraform CLI Workspaces] 6, [Teams and Organizations]7, [VCS Integration] 8, [Variables]9

Terraform can manage resource dependencies implicitly or explicitly. Implicit dependencies are created when a resource references another resource or data source in its arguments. Terraform can infer the dependency from the reference and create or destroy the resources in the correct order. Explicit dependencies are created when you use the depends_on argument to specify that a resource depends on another resource or module. This is useful when Terraform cannot infer the dependency from the configuration or when you need to create a dependency for some reason outside of Terraform’s scope. References = : Create resource dependencies : Terraform Resource Dependencies Explained

Rationale for Correct Answer: IaC enables reviewable, version-controlled change proposals (for example, Terraform plans in pull requests). This makes it possible to systematically review proposed infrastructure changes—including automated security/policy checks—before they are applied. That review-and-approve workflow is a direct outcome of defining infrastructure as code and generating an execution plan.

Analysis of Incorrect Options (Distractors):

A: Auto scaling is enabled by cloud services (e.g., ASGs, autoscalers) and can be configured with or without IaC.

B: RBAC is a capability of cloud/IAM platforms and can be managed without IaC (though IaC can codify it).

C: Cost optimization is a practice/process; IaC can help standardize and enforce cost controls, but it’s not “only enabled” by IaC.

Key Concept: IaC enables version control, change review, and pre-deployment validation (plan + policy/security review).

The best way to specify a tag of v1.0.0 when referencing a module stored in Git is to append ?ref=v1.0.0 argument to the source path. This tells Terraform to use a specific Git reference, such as a branch, tag, or commit, when fetching the module source code. For example, source = " git::https://example.com/vpc.git?ref=v1.0.0 " . This ensures that the module version is consistent and reproducible across different environments. References = [Module Sources], [Module Versions]

Terraform keeps track of the infrastructure state via the state file. When you initially ran terraform plan, Terraform determined that the port should be changed from80 to 443. However, since another team member manually modified the load balancer, Terraform ' s local state file is now outdated.

When you run terraform apply, Terraform willcompare the expected state (from the plan) with the actual state (from the provider API).

Since the port is already set to443, but the local state file still shows80, Terraform willfail with an errordue to the state mismatch.

To resolve this, you should run terraform refresh or use terraform apply -refresh-only to update the local state before applying changes.

Official Terraform Documentation Reference:

State Management - HashiCorp Documentation

Managing Drift in Terraform