TA-004 Cheat Sheet
Infrastructure as Code (IaC) with Terraform
Explain What IaC Is
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- IaC is provisioning via machine-readable config
Infrastructure as Code (IaC) is the practice of managing and provisioning infrastructure through machine-readable configuration files rather than through manual console actions or interactive point-and-click tools.
Trap IaC is not merely a script that automates GUI clicks; the configuration itself codifies the intended infrastructure so it can be versioned and reused.
10 questions test this
- A colleague claims that a screen-recording macro that replays the same sequence of clicks in the cloud console each time already counts as Infrastructure as Code. Which statement best explains the dis
- A colleague asks how Terraform actually represents the infrastructure you manage with it. According to HashiCorp's description of Terraform, in what form do you express those resources?
- An operations team must be able to tear down and rebuild an entire environment on demand and have it return in exactly the same state, without an engineer manually repeating dozens of setup steps each
- A new engineer joins a team that manages its entire cloud environment with Terraform and asks how she can find out exactly what infrastructure the team currently runs. Which property of Infrastructure
- Before any change to their cloud environment takes effect, a team wants a second engineer to review and approve it using the same pull-request process they already use for application code. Which char
- A team wants a reliable, reviewable record of every change to their infrastructure over time, including who changed what and how the environment was defined at any past point. Which characteristic of
- A platform team is describing its shift away from manually configuring servers by clicking through a cloud provider's web console. In the context of Terraform, what does the term Infrastructure as Cod
- A workshop lists several ways a team could stand up infrastructure. Which one actually embodies the core idea of Infrastructure as Code, namely provisioning and managing infrastructure through machine
- A team keeps a detailed wiki page that lists, step by step, every console click and manual command an engineer must perform to build their environment, and they call this page their 'infrastructure as
- A manager assumes Infrastructure as Code is only useful for the first-time build of an environment and that any later changes or teardowns must return to manual console work. How does Infrastructure a
- Terraform is an IaC tool
Terraform is an infrastructure as code tool that lets you build, change, and version cloud and on-prem resources safely and efficiently by defining them in human-readable configuration files.
5 questions test this
- A colleague asks how Terraform actually represents the infrastructure you manage with it. According to HashiCorp's description of Terraform, in what form do you express those resources?
- A team currently manages its cloud environment through ad-hoc API calls and console changes and now wants to adopt a dedicated infrastructure as code tool to define that environment declaratively inst
- During onboarding, a new engineer asks how HashiCorp officially positions Terraform among infrastructure tools. Which statement matches Terraform's own definition of what the tool is and what category
- A team lead points out that Terraform's human-readable configuration files can be treated much like application source code. According to Terraform's description, what does defining resources in these
- An organization runs workloads on two different cloud providers plus some on-prem systems and wants a single tool and workflow to manage all of them. How does Terraform, as an infrastructure as code t
- Terraform config is declarative
Terraform's configuration language is declarative: it describes the desired end-state of your infrastructure rather than the ordered steps to build it, and Terraform determines the operations needed to reach that state.
Trap A Terraform configuration is not an imperative or procedural script that lists commands in execution order.
9 questions test this
- During a review, a new team member argues that a Terraform configuration is essentially a shell script: a top-to-bottom list of commands that Terraform executes in the exact order they appear in order
- While reviewing team documentation, you must select the statement that correctly describes Terraform's declarative configuration model as opposed to an imperative one. Which statement is correct?
- Your operations team currently provisions cloud resources with hand-written scripts that call each cloud provider's SDK directly, firing API requests in a fixed sequence. A colleague claims that adopt
- Before Terraform, your team followed a written runbook: a person clicked through each cloud console and issued API calls in a documented order to stand up an environment. Which characteristic of Terra
- A skeptic on your team insists Terraform adds nothing over calling a cloud provider's API directly from a script, since both ultimately hit the same endpoints. Which capability best demonstrates that
- During onboarding you are asked to summarize, in one sentence, what it means that Terraform's configuration language is declarative. Which statement best captures the declarative model?
- A platform team maintains a staging and a production environment. Historically each was built by running ad-hoc cloud CLI commands, and over time the two environments have drifted apart. They ask how
- You edit an existing configuration to change one instance's machine type and to remove a storage bucket that is no longer needed, then you apply. Because Terraform is declarative, what does it do with
- An engineer applies a Terraform configuration that provisions several cloud resources, and the run completes successfully. Without editing the configuration and without changing any of the infrastruct
- Terraform vs conventional API-driven management
Compared with conventional management that issues one-off imperative API or CLI calls, Terraform describes infrastructure with version-controlled, repeatable configurations that specify the desired state.
Trap Terraform uses provider APIs rather than replacing them with its own protocol, and it is more than a thin wrapper around those APIs because it tracks state and reconciles to the desired state.
5 questions test this
- Your operations team currently provisions cloud resources with hand-written scripts that call each cloud provider's SDK directly, firing API requests in a fixed sequence. A colleague claims that adopt
- Before Terraform, your team followed a written runbook: a person clicked through each cloud console and issued API calls in a documented order to stand up an environment. Which characteristic of Terra
- A skeptic on your team insists Terraform adds nothing over calling a cloud provider's API directly from a script, since both ultimately hit the same endpoints. Which capability best demonstrates that
- A colleague believes that once you adopt Terraform, it stops using the AWS, Azure, or Google Cloud public APIs and instead talks to each platform over a HashiCorp-proprietary channel. How does Terrafo
- A platform team maintains a staging and a production environment. Historically each was built by running ad-hoc cloud CLI commands, and over time the two environments have drifted apart. They ask how
- Manual provisioning is not reproducible
Manual or ad-hoc provisioning (clicking in a console or running undocumented CLI commands) is hard to reproduce, whereas IaC codifies infrastructure so applying the same configuration yields the same result every time.
Trap Undocumented one-off API calls are not IaC just because they use an API; IaC requires codified, versioned, repeatable definitions.
18 questions test this
- During an incident an operator connects directly to a running production server and hand-edits a configuration file to apply a quick fix, without touching any code. Compared with making the change thr
- Last quarter an engineer built an application load balancer entirely by clicking through the cloud provider's web console and kept no record of the steps. The team must now stand up an identical load
- A developer points out that Terraform ultimately calls the very same cloud provider APIs they could invoke by hand, and concludes it therefore offers no reproducibility advantage over just making thos
- A team must stand up a staging environment that is identical to a production environment which was originally assembled by hand through the console. Why does that manual origin make an exact copy hard
- A team keeps hitting 'it worked in development but broke in production' because each environment was built by hand, at a different time, with slightly different settings. How does defining the infrast
- The only engineer who knew how a business-critical environment was built - entirely by clicking through the cloud console - has left the company, and the new hire has no reliable record of how it was
- A team wrote a one-off shell script that fires a series of undocumented cloud provider API calls to create resources, and now claims it is 'doing infrastructure as code' because it drives an API inste
- A team currently manages cloud infrastructure by clicking through consoles and running one-off commands. Which single characteristic most fundamentally distinguishes an infrastructure-as-code approach
- Several engineers on a team need to change shared infrastructure without stepping on each other, and their old habit of each making direct manual changes in the console left no coordinated record. How
- A business-critical server was assembled over two years through countless undocumented manual tweaks, and the operations team is not confident they could rebuild it identically if it were lost. Which
- Two engineers debate why re-running the same Terraform configuration reliably yields the same infrastructure, while re-running a hand-written sequence of manual provisioning steps often does not. Whic
- An engineer argues that because their team provisions infrastructure quickly using the cloud provider's web-console wizards and one-off CLI helper commands, they are 'already doing infrastructure as c
- In the core Terraform workflow of Write, Plan, and Apply, the Apply step is described as provisioning a specific kind of infrastructure that ad-hoc manual provisioning does not deliver. Which characte
- A configuration change is applied and immediately breaks production, and the team wants to return the environment to the exact setup that was running before the change. Why is this reliable with Terra
- A company must roll out the same application stack into fifteen new regions over the next month, and building each one by hand would be slow and would produce subtly different environments. How does a
- An operations lead is frustrated that hand-built servers keep failing because someone mistypes a value or forgets a step during manual provisioning. Which characteristic of an infrastructure-as-code a
- Two teams each build the same type of internal service by hand, and because every engineer sets it up slightly differently, the results are inconsistent and hard to support. Beyond merely writing down
- A QA group needs to create a full test environment several times a week and tear it down afterward, and their current manual rebuilds are slow and never come back quite the same. How does an infrastru
- IaC applies software-engineering practices
Because infrastructure is expressed as code, IaC brings software-engineering practices such as version history, code review, and testing to infrastructure provisioning.
Advantages of IaC Patterns
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Multi-Cloud, Hybrid, and Service-Agnostic Workflows
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Terraform fundamentals
Install and version Terraform providers
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- required_providers lives inside the terraform block
The
required_providersblock must be declared inside the top-levelterraformblock, and each entry maps a module-local name to an object containing asourceargument and an optionalversionargument. It is not valid at the top level of a file or inside aproviderblock.Trap Placing required_providers at the top level of the file or inside a provider block instead of nested in the terraform block.
8 questions test this
- A module author is writing the `required_providers` block inside the `terraform` block and wants each provider entry structured the way the language requires. For a provider they will reference locall
- An engineer moves the `required_providers` block into their `provider "aws"` block, reasoning that a provider's requirements belong next to that provider's configuration. When they run `terraform init
- In a module's `required_providers` block, an author writes `mycloud = { source = "mycorp/mycloud", version = "~> 1.0" }`. A reviewer asks what the `mycloud` key on the left side of that mapping actual
- An engineer opens a new Terraform configuration and needs to declare that the root module depends on the `aws` and `random` providers with pinned versions. They are unsure where in the configuration t
- A `terraform` block contains both `required_version = ">= 1.8.0"` and a `required_providers` entry `aws = { source = "hashicorp/aws", version = ">= 5.30.0" }`. A teammate asks what each of these two v
- An engineer's configuration fails to initialize. At the top level of `main.tf`, outside every other block, they have written a standalone `required_providers { ... }` block listing their providers, an
- A configuration contains a `provider "aws" { region = "us-east-1" }` block but no `required_providers` entry. The author believes the `provider` block already declares the module's dependency on the A
- In a `required_providers` entry, an engineer declares `random = { source = "hashicorp/random" }` and deliberately omits the `version` argument. A teammate warns that `terraform init` will reject the e
- Provider source address format
A provider
sourceaddress has the form[HOSTNAME/]NAMESPACE/TYPE(for examplehashicorp/aws); when the hostname is omitted Terraform defaults to the public registryregistry.terraform.io.Trap Thinking
sourceis a download URL, or that the hostnameregistry.terraform.iomust always be written explicitly.10 questions test this
- A module author is writing the `required_providers` block inside the `terraform` block and wants each provider entry structured the way the language requires. For a provider they will reference locall
- During `terraform init`, Terraform needs to install a provider declared with `source = "hashicorp/random"`, which includes no hostname segment. From which registry does Terraform download this provide
- A source address is written in full as `registry.terraform.io/hashicorp/aws`. A teammate is unsure what the first segment, `registry.terraform.io`, before the two slashes actually specifies in a provi
- A new team member argues that because a provider `source` string "points somewhere," they should be able to set `source = "https://github.com/hashicorp/terraform-provider-aws"` so Terraform pulls the
- Your platform team publishes an internal provider through a private registry your company hosts at `terraform.example.com`. A new engineer copies a public example and writes `source = "examplecorp/myc
- Two providers are declared in `required_providers`: one entry uses `source = "hashicorp/aws"` and another uses `source = "registry.terraform.io/hashicorp/aws"`. A reviewer asks whether these two sourc
- A configuration contains a `provider "aws" { region = "us-east-1" }` block but no `required_providers` entry. The author believes the `provider` block already declares the module's dependency on the A
- In a `required_providers` entry, an engineer declares `random = { source = "hashicorp/random" }` and deliberately omits the `version` argument. A teammate warns that `terraform init` will reject the e
- A colleague asks you to confirm which of the following is written in the correct format for a provider `source` address inside a `required_providers` entry. Which one is a validly-formed provider sour
- A teammate writes `source = "hashicorp/aws"` inside a `required_providers` entry and asks you to explain what the two slash-separated parts of that provider source address actually represent. How shou
- The local name is the required_providers key
The key of each
required_providersentry is the provider's local name, which is used to reference that provider elsewhere in the module (inproviderblocks and as the prefix of its resource types). By convention it matches the source TYPE but it can differ.Trap Assuming the local name must exactly equal the TYPE in the source address.
- terraform required_version setting
Inside the terraform block, required_version constrains which Terraform CLI/core version may run the configuration using the standard constraint operators (=, !=, >, >=, <, <=, ~>). It applies only to the Terraform binary and is distinct from the per-provider version constraints in required_providers; if the running CLI version does not satisfy the constraint, Terraform prints an error and exits immediately without taking any action.
Trap required_version constrains the Terraform CLI, not providers — provider versions are pinned separately in required_providers under the terraform block.
6 questions test this
- A platform team wants their root module to run on Terraform CLI 1.9 or any newer release in the 1.x line, while automatically refusing the 2.0 major release. They intend to express this with a single
- During a code review, a colleague claims that adding `required_version = ">= 1.9.0"` to the `terraform` block will force everyone to use at least version 1.9 of the AWS provider. A plan then starts on
- A `terraform` block contains both `required_version = ">= 1.8.0"` and a `required_providers` entry `aws = { source = "hashicorp/aws", version = ">= 5.30.0" }`. A teammate asks what each of these two v
- A CI runner has Terraform CLI v1.6 installed, but a configuration's `terraform` block sets `required_version = ">= 1.9.0"`. When the pipeline job runs `terraform plan` against this configuration, how
- A developer's laptop has Terraform CLI v1.7, while a project's `terraform` block sets `required_version = ">= 1.12.0"`. They expect that running `terraform init` will make Terraform fetch and switch t
- A module's `terraform` block declares several `required_providers` entries with pinned `version` constraints but does not include a `required_version` argument. A teammate assumes this means only the
- Version constraint operators
Provider version constraints support
=(or no operator, exact),!=(exclude),>,>=,<,<=, and~>. Multiple constraints separated by commas are combined with logical AND, for exampleversion = ">= 1.2.0, < 2.0.0".Trap Treating comma-separated constraints as OR rather than AND.
5 questions test this
- A reusable module author wants to declare the minimum provider version the module is known to work with — at least 2.5.0 — while still allowing all future releases, including new 3.x and 4.x major ver
- A team runs on the 1.x line of a provider but has confirmed that release 1.4.2 contains a regression they must avoid. They want a single version constraint that accepts any 1.x version except 1.4.2. W
- An engineer writes `version = "2.4.0"` for a provider, with no comparison operator before the number, assuming it sets a floor for acceptable versions. During review, the team debates what this constr
- A platform team pins a provider in the `required_providers` block with the constraint `version = ">= 3.0.0, != 3.2.0"` after finding that release 3.2.0 introduced a regression. During code review a co
- A platform engineer pins a provider in the required_providers block with the constraint `version = ">= 1.2.0, < 2.0.0"` so the team stays on the 1.x line. A colleague asks how Terraform interprets the
- The ~> pessimistic operator
The
~>operator allows only the right-most specified version component to increment:~> 1.0.4permits 1.0.5 and later 1.0.x but not 1.1.0, while~> 1.1permits 1.2 and later 1.x but not 2.0.Trap Believing
~> 1.1allows 2.0, or that~> 1.0.4allows 1.1.0.4 questions test this
- An engineer pins a provider with `version = "~> 2.3.1"` in `required_providers`, expecting Terraform to automatically pick up the upcoming 2.4.0 minor release once it is published. A teammate reviewin
- A reusable module author wants to declare the minimum provider version the module is known to work with — at least 2.5.0 — while still allowing all future releases, including new 3.x and 4.x major ver
- A root module owner wants a provider constraint that automatically accepts new minor and patch releases across the entire 3.x line as they ship, but that firmly blocks the next major release, 4.0, bec
- An engineer sets `version = "~> 1.1"` for a provider, expecting ongoing updates without breaking changes. A teammate reviewing the pull request asks precisely which provider versions this two-componen
- Version constraints are quoted strings
The version requirement is a string assigned to
versioninside the provider object, with the operator and number both inside the quotes, e.g.version = ">= 3.1". Forms such asversion >= 3.1orversion = >= 3.1are invalid syntax.Trap Writing the constraint without the
=assignment or without quotes, e.g.version >= 3.1.5 questions test this
- While editing the `required_providers` block for the AWS provider, an engineer needs to require at least version 3.1 of that provider. Reviewing four candidate lines, which one uses valid HCL syntax t
- A team runs on the 1.x line of a provider but has confirmed that release 1.4.2 contains a regression they must avoid. They want a single version constraint that accepts any 1.x version except 1.4.2. W
- An engineer adds `version = >= 3.1` to the provider entry inside `required_providers`, then runs `terraform init`, which fails with a syntax error. What is the correct diagnosis and fix for this versi
- During code review, a teammate proposes writing a provider version constraint as `version = >= "3.1"`, quoting only the number and leaving the operator outside the quotes. Which statement about correc
- An engineer copies a provider requirement from a blog post into the `required_providers` block and writes the line as `version ">= 4.2"`, then runs `terraform init`, which fails with a syntax error. W
- Pre-release versions need an exact match
Pre-release versions such as
1.2.0-betaare only selected when requested with an exact=constraint; they never satisfy range operators like>=,<, or~>.Trap Expecting
>= 1.2.0to select a1.2.0-betapre-release.- terraform init installs providers
terraform initis the command that downloads and installs the provider plugins required by the configuration into the working directory; it must be run beforeterraform planorterraform applycan use those providers.Trap Thinking providers are downloaded during
terraform plan/applyrather than duringterraform init.5 questions test this
- A developer new to Terraform assumes that when they run `terraform init`, Terraform clones each provider's Go source code from GitHub and compiles it locally before use. Which statement correctly desc
- A team stores its configuration in Git together with a committed `.terraform.lock.hcl`. When a run executes in HCP Terraform (formerly Terraform Cloud), how are the required provider plugins made avai
- A colleague clones a Terraform configuration that declares the `hashicorp/aws` provider in its `required_providers` block into a fresh working directory. Eager to preview changes, they run `terraform
- A configuration constrains its AWS provider with `version = "~> 5.0"`, and version 5.40 was just published. The selection currently recorded in `.terraform.lock.hcl` is 5.31. An engineer wants Terrafo
- An engineer adds a second provider, `hashicorp/tls`, to a configuration that was already initialized with only `hashicorp/aws`. Running `terraform plan` now fails, complaining about an uninitialized p
- Where Terraform installs providers from
Terraform can install providers directly from an origin registry (default
registry.terraform.io), from a local filesystem mirror (a plugins directory), from an HTTPS network mirror, or reuse a shared plugin cache (plugin_cache_dir/TF_PLUGIN_CACHE_DIR). Terraform never compiles provider source code at runtime.Trap Believing Terraform compiles provider source code at run time — providers are distributed as pre-built plugin binaries.
6 questions test this
- A team commits `.terraform.lock.hcl` generated on macOS. A colleague on Linux then runs `terraform init` in CI and it fails because the lock file contains no checksum matching the Linux provider packa
- A platform engineer runs Terraform across dozens of working directories on one CI worker and wants to avoid downloading the same provider plugin from the registry over and over, reusing a single local
- A developer new to Terraform assumes that when they run `terraform init`, Terraform clones each provider's Go source code from GitHub and compiles it locally before use. Which statement correctly desc
- A colleague clones a Terraform configuration that declares the `hashicorp/aws` provider in its `required_providers` block into a fresh working directory. Eager to preview changes, they run `terraform
- A platform engineer on a Linux workstation wants to set per-user CLI behavior - such as a shared provider plugin cache - that applies across every Terraform working directory, independent of any singl
- An engineer must run Terraform in an isolated network that cannot reach `registry.terraform.io`. They have copied the required provider packages onto an internal HTTPS server and want Terraform to fet
- The .terraform.lock.hcl dependency lock file
Running
terraform initcreates or updates.terraform.lock.hclin the working directory, recording the exact provider versions selected plus their checksums (hashes); this file should be committed to version control and does not lock module versions.Trap Assuming the lock file also pins module versions — it only locks providers.
6 questions test this
- A team commits `.terraform.lock.hcl` generated on macOS. A colleague on Linux then runs `terraform init` in CI and it fails because the lock file contains no checksum matching the Linux provider packa
- After running `terraform init`, an engineer sees a new `.terraform.lock.hcl` file. A teammate insists the file pins both the provider versions and the versions of any remote modules the configuration
- A platform team keeps its Terraform configuration in a shared Git repository, and after a colleague runs `terraform init` for the first time a new `.terraform.lock.hcl` file appears in the working dir
- A team stores its configuration in Git together with a committed `.terraform.lock.hcl`. When a run executes in HCP Terraform (formerly Terraform Cloud), how are the required provider plugins made avai
- A configuration constrains its AWS provider with `version = "~> 5.0"`, and version 5.40 was just published. The selection currently recorded in `.terraform.lock.hcl` is 5.31. An engineer wants Terrafo
- An engineer adds a second provider, `hashicorp/tls`, to a configuration that was already initialized with only `hashicorp/aws`. Running `terraform plan` now fails, complaining about an uninitialized p
- terraform init -upgrade
Without
-upgrade,terraform initre-selects the versions already recorded in.terraform.lock.hcleven if newer releases exist; runningterraform init -upgradereconsiders the constraints, selects newer allowed versions, and updates the lock file.Trap Expecting a plain
terraform initto upgrade providers to the newest matching version.
How Terraform uses providers
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Providers are plugins Terraform relies on
Terraform relies on plugins called providers to interact with cloud platforms, SaaS providers, and other APIs; Terraform Core itself contains no infrastructure-specific logic and delegates all API interaction to providers.
Trap Thinking Terraform has built-in support for cloud services without a provider.
11 questions test this
- A stakeholder assumes that because Terraform 'creates and manages resources on cloud platforms,' it must ship with native, built-in support for each cloud's services out of the box. Which statement mo
- A team needs Terraform to manage a niche SaaS platform that HashiCorp does not maintain an official provider for. A colleague argues this is impossible, claiming that only HashiCorp can add support fo
- A new team member asks why HashiCorp describes Terraform as being 'logically split into two main parts.' At the associate level, which description best captures the relationship between Terraform Core
- During a design review, a colleague claims that Terraform can manage any resource type on its own as long as the HCL syntax is valid, without needing a provider for that platform. Why is this claim in
- A practitioner writing their first configuration wonders how Terraform knows which arguments an aws_instance resource accepts, given that the Terraform CLI itself ships with no AWS-specific code. Whic
- A new engineer is surprised that one tool can manage thousands of different platforms - AWS, Kubernetes, GitHub, Datadog, and many more - from a single CLI. Which statement best explains the design ch
- While debugging a failed run, an engineer asks which part of Terraform actually authenticates to the target platform and issues the create, read, update, and delete API calls for each resource. At the
- A practitioner browsing the Terraform Registry sees provider entries for AWS, Azure, Kubernetes, and GitHub. At the associate level, what is one of these provider entries, in terms of how Terraform ac
- During onboarding, a teammate asks what a Terraform provider actually contributes to a configuration once terraform init has installed it. At the associate level, which description most accurately cap
- A configuration contains only input variables, locals, and outputs, and declares no providers at all. A practitioner claims Terraform can still create cloud infrastructure from it because Terraform is
- Your team is standing up a new Terraform project that will manage resources on a cloud platform your organization has never automated with Terraform before. A colleague asks how Terraform is able to t
- Providers are versioned separately from Terraform
Providers are distributed and released separately from the Terraform CLI, each with its own version numbers and release cadence, which is why provider versions are constrained independently of the Terraform version.
Trap Assuming a provider's version tracks the Terraform CLI version.
8 questions test this
- A practitioner is editing the required_providers block for the AWS provider and wants to require any released version at or above 3.1, written with Terraform's version-constraint syntax. Which version
- A practitioner notices their configuration uses AWS provider version 5.x while the Terraform CLI they run reports version 1.12. A colleague worries this is a version mismatch and says the AWS provider
- While reviewing the AWS provider's page on the Terraform Registry, an engineer notices it has published far more releases over the past year than the Terraform CLI has. A teammate assumes each provide
- During a discussion about pinning dependencies, an engineer explains why Terraform lets you constrain provider versions in the configuration independently of the Terraform CLI version itself. Which re
- A practitioner upgrades the Terraform CLI on their workstation from v1.11 to v1.12 and then wonders whether the AWS provider that their configuration already uses will automatically move to a matching
- A practitioner adds required_version = ">= 1.5" to the terraform block, believing this also guarantees a recent AWS provider will be selected. During review, a teammate asks what required_version actu
- A team is blocked by a confirmed bug in the Azure provider and asks when the fix will reach them. One engineer states they must wait for the next Terraform CLI release before the fix can be delivered.
- A single Terraform configuration declares two providers: the AWS provider constrained to a 5.x release and the random provider constrained to a 3.x release. A reviewer objects that every provider in o
- Core talks to providers over a plugin protocol
Terraform Core communicates with each provider plugin over an RPC-based plugin protocol, launching the provider as a separate process during operations.
- Each provider adds resource types and data sources
Each provider defines a set of resource types and/or data sources that Terraform can manage; a provider is required for every resource type, so Terraform cannot manage any infrastructure without the corresponding provider.
Trap Thinking resource types are built into Terraform Core rather than supplied by providers.
15 questions test this
- Reviewing a colleague's configuration, an engineer sees a `resource` block for `aws_s3_bucket` and, nearby, a `data` block for `aws_ami`, each beginning with the same `aws` prefix. What does that shar
- A developer new to Terraform assumes that resource types such as `aws_instance` and `google_storage_bucket` are keywords compiled into the Terraform CLI binary itself, the same way built-in language f
- A platform engineer opens the AWS provider's page on the Terraform Registry to plan a new configuration and notices it documents two separate catalogs: one titled "Resources" and another titled "Data
- An engineer adds a `data "aws_ami" "latest"` block to look up an existing image's ID so she can reference it in her configuration, then runs `terraform apply`. She wants to know what actually contacts
- An engineer only needs Terraform to read information from an external platform — never to create, update, or destroy anything there. A colleague claims Terraform cannot interact with a platform at all
- A team wants to manage an internal ticketing platform with Terraform, but no provider for it has ever been published on any registry and they will not write one themselves. Based on how Terraform is d
- A configuration manages three resources — `aws_instance`, `aws_vpc`, and `aws_s3_bucket` — and also declares a `data "aws_ami"` block to look up an image. A teammate asks how many separate providers m
- An engineer needs to manage a resource on Azure but has only declared and installed the AWS provider in her configuration. She reasons that since both are clouds, the installed provider should still b
- An engineer writes a resource block for the aws_instance type and runs `terraform apply`. She wants to understand which part of Terraform actually knows that the aws_instance resource type corresponds
- A team adds a `resource` block for a new provider's resource type but has not yet listed that provider in the configuration's `required_providers` block. Conceptually, why must the provider be declare
- A developer adds a `random_password` resource to generate a value and, because it touches no cloud service, assumes it is a built-in feature of the Terraform CLI that needs nothing installed. When `te
- A developer new to Terraform believes a `data` block is a built-in feature of the Terraform language that can look up information from a platform without installing any provider, unlike a `resource` b
- An engineer needs to look up the ID of a machine image that another team already created, so she can reference it in her configuration without creating, modifying, or destroying that image. Which prov
- A platform engineer writing her first Terraform configuration notices that resource types such as `aws_instance` and `azurerm_resource_group` are documented on the Terraform Registry rather than in Te
- A team currently manages only AWS resources with Terraform and now needs to manage DNS records on a SaaS platform for which an official provider is already published on the Terraform Registry. Concept
- Providers translate configuration into API calls
A provider translates the resources declared in configuration into the create, read, update, and delete API calls of its target platform, acting as the bridge between Terraform and the remote system's API.
Trap Thinking Terraform Core calls cloud APIs directly rather than through a provider plugin.
9 questions test this
- During `terraform apply`, an engineer's configuration declares a resource with several arguments, and Terraform creates the matching object on the cloud platform. She wants to understand what converts
- After `terraform apply` creates a new cloud object, the platform assigns it a server-generated identifier that was not present anywhere in the configuration, yet that identifier appears in Terraform's
- An engineer adds a `data "aws_ami" "latest"` block to look up an existing image's ID so she can reference it in her configuration, then runs `terraform apply`. She wants to know what actually contacts
- An engineer needs to manage a resource on Azure but has only declared and installed the AWS provider in her configuration. She reasons that since both are clouds, the installed provider should still b
- An engineer writes a resource block for the aws_instance type and runs `terraform apply`. She wants to understand which part of Terraform actually knows that the aws_instance resource type corresponds
- An engineer edits a managed resource's argument and runs `terraform apply`, and Terraform updates the real object; later she removes the resource block and `apply` destroys it. Throughout this create-
- A team adds a `resource` block for a new provider's resource type but has not yet listed that provider in the configuration's `required_providers` block. Conceptually, why must the provider be declare
- A platform engineer configures a `provider "aws"` block with a region and credentials, then wonders which part of Terraform actually uses those credentials to authenticate and issue requests to the AW
- During `terraform apply`, Terraform must issue create and update calls to a cloud platform's API to realize the resources declared in configuration. In Terraform's plugin architecture, which component
- Terraform Core ships with no resource types
Terraform Core ships with no built-in resource types; all resource types and data sources come from providers, which is why a configuration must declare its provider requirements.
- Resource type prefix selects the provider
Terraform infers which provider manages a resource from the prefix of the resource type name — for example
aws_instanceuses theawsprovider — unless the resource sets an explicitprovidermeta-argument.Trap Assuming the resource's name label (not the type prefix) determines the provider.
10 questions test this
- By default `resource "aws_s3_bucket" "logs"` is handled by the `aws` provider inferred from its prefix. An engineer needs this one bucket to use a different, non-default `aws` provider configuration i
- A previously empty module now contains a single resource, `resource "cloudflare_record" "www"`, plus a matching `required_providers` entry for `cloudflare`. A teammate runs `terraform init` for the fi
- A configuration declares both the `aws` and `google` providers and contains many resource blocks. A new engineer has valid AWS and Google Cloud credentials exported in their shell and asks how Terrafo
- A configuration mixes cloud resources with `resource "null_resource" "trigger"`. A reviewer claims `null_resource` is a built-in Terraform language construct that needs no provider, unlike the `aws_`
- An engineer writes the block `resource "google_storage_bucket" "aws_migration_target"` in a configuration that declares both the `aws` and `google` providers and sets no `provider` meta-argument. A re
- During a refactor an engineer edits a block from `resource "aws_instance" "app"` to `resource "google_compute_instance" "app"`, leaving the name label `app` unchanged, in a configuration that declares
- A team imports a module that declares the AWS provider under the conventional local name `aws`. A developer, assuming the name is only cosmetic, writes `resource "amazon_instance" "web"` expecting it
- To audit which resources a particular provider manages, an engineer wants to list every `resource` and `data` block handled by the `google` provider in a large configuration that sets no `provider` me
- A configuration contains `resource "aws_instance" "web"`, `resource "aws_s3_bucket" "assets"`, and `resource "aws_iam_role" "app"`, none of which set a `provider` meta-argument. A teammate asks how ma
- An engineer must pin one resource to a non-default provider configuration. The provider was declared with the local name `google` and a block carrying `alias = "europe"`. Which value for the resource'
- init installs plugins into .terraform
terraform initreads the configuration to determine the required providers and installs their plugin binaries under the.terraformdirectory of the working directory, recording the selections in the lock file.
Writing configuration with multiple providers
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
How Terraform uses and manages state
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Core Terraform workflow
Describe the Terraform workflow
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Core workflow is Write, Plan, Apply
The core Terraform workflow has three stages in order: Write (author infrastructure as code), Plan (preview the changes Terraform will make), and Apply (provision the described infrastructure).
Trap Assuming 'init' is one of the three core-workflow stages; init is a prerequisite setup step, not one of the Write/Plan/Apply stages.
6 questions test this
- A colleague sketches Terraform's core workflow on a whiteboard as four repeating phases and asks you to remove the one that is really a one-time prerequisite preparing the working directory rather tha
- A platform engineer who is new to Terraform is documenting the standard end-to-end sequence a single practitioner follows to turn a fresh configuration into running infrastructure. Setting aside one-t
- A team migrating away from manual, click-through cloud provisioning is at the point where an engineer expresses the desired infrastructure in configuration files and commits them to version control, b
- An engineer edits a configuration to increase the size of a compute instance and, before doing anything else, wants a read-only summary of exactly which resources Terraform would add, change, or destr
- An engineer runs the Write → Plan → Apply loop several times a day as the configuration evolves, but notices they seldom need to run `terraform init` again after the first time. Which statement best e
- An organization is deciding whether to keep running Terraform from individual laptops or adopt HCP Terraform for the whole team. A lead argues that the fundamental sequence of stages practitioners fol
- Plan previews, Apply provisions
The Plan stage previews proposed changes without altering any real infrastructure, while the Apply stage carries out the approved plan to create, update, or destroy resources.
Trap Believing terraform plan changes infrastructure; plan is read-only and never modifies remote objects.
6 questions test this
- To guarantee that an automated production run executes only the exact changes a human already reviewed, an engineer saves the output of a plan to a file and later hands that file to apply. What is tru
- During a change-review meeting a teammate worries that running `terraform plan` against the production configuration might accidentally recreate a load balancer that another team depends on. As the pr
- A junior teammate believes `terraform plan` and `terraform apply` are interchangeable because both print a list of proposed changes. You need to correct the single most important behavioral difference
- An engineer edits a configuration to increase the size of a compute instance and, before doing anything else, wants a read-only summary of exactly which resources Terraform would add, change, or destr
- An engineer has already generated an execution plan for a new virtual network, reviewed the output, and is satisfied it matches their intent. They now want the described resources to actually exist in
- An organization's policy forbids any command run during a pull-request check from creating, changing, or deleting cloud resources, yet the check must still show reviewers exactly what merging would ch
- Terraform configuration is VCS-friendly text
Terraform configuration is human-readable declarative text (HCL), so it can be committed to a version control system alongside application code and reviewed with standard tools like Git.
Trap Thinking the state file (rather than the configuration) is the artifact you commit to VCS; state can contain secrets and is generally not committed.
6 questions test this
- A team is deciding what to keep in the Git repository for a Terraform project so that infrastructure changes can be reviewed in pull requests and their history preserved over time. Which of the follow
- Two engineers need to work on the same Terraform configuration while keeping their infrastructure changes coordinated and their state consistent. Which arrangement follows Terraform's recommended prac
- A teammate asks why the team can review Terraform configuration using the same Git tools and pull-request process they already use for application source code. Which property of Terraform configuratio
- A team is writing the `.gitignore` for their Terraform repository so that only the appropriate files are committed. Which of these files should be excluded from version control rather than committed t
- While reviewing a pull request, an engineer notices that a colleague has added the project's `terraform.tfstate` file to the shared Git repository next to the `.tf` files. Why does HashiCorp discourag
- A platform engineer is initializing a Git repository for a new Terraform project so the team can review infrastructure changes through pull requests, the same way they review application code. Which f
- Reviewing the plan before apply improves reliability
Running terraform plan before terraform apply lets a team review proposed changes before they touch real infrastructure, catching mistakes early and improving change reliability.
Trap Overclaiming that this workflow means invalid configurations can 'never' be deployed; review reduces risk but does not make bad applies impossible.
5 questions test this
- In the write-plan-apply workflow, teams treat the plan step as a reliability checkpoint. What is the main way that reviewing the `terraform plan` output before running `terraform apply` improves the r
- During a retrospective, a team member argues that because they always run `terraform plan` and review its output before every `terraform apply`, it is now impossible for a broken or non-compliant conf
- An engineer runs `terraform plan` and reviews a proposed change that would destroy and recreate a production database. Deciding the change is wrong, they close the terminal without ever running `terra
- Before modifying a production environment, an engineer wants the rest of the team to see exactly which resources Terraform will create, update, or destroy and to approve those actions, without any rea
- A team wants every proposed infrastructure change to be reviewed by a second engineer before it is applied. Following HashiCorp's recommended collaboration practice, where in the workflow does that re
- -help prints a subcommand's usage
Appending the -help flag to a subcommand (for example, terraform plan -help) prints that command's usage information and its list of available options.
Trap Guessing -usage, -info, or -man; Terraform uses -help (also available as terraform -help ).
20 questions test this
- An engineer opening an interactive session wants to first review the options that the `terraform console` subcommand accepts, printed to the terminal. Which flag do they append to the subcommand to di
- Reviewing formatting options, an engineer half-remembers that Terraform prints a command's options with a flag but blanks on its exact name, and types `terraform fmt -usage`. Which statement correctly
- A platform engineer wants a single, reliable way to look up the accepted options for many different Terraform subcommands, including less common ones such as `terraform providers`, `terraform get`, an
- An engineer wants to print the usage information and the full set of options that the `terraform output` subcommand accepts, without reading any actual output values from state. Following Terraform's
- An engineer types `terraform show -help` in a working directory that already has state, expecting to review the command before using it. Given that `terraform show` normally displays the current state
- An engineer types `terraform apply -help` in a working directory that manages live infrastructure, unsure whether the `-help` flag will still let the apply proceed and begin creating or modifying real
- While reading the `Global options` section printed by `terraform -help`, an engineer notices the entry described as showing this help output, or the help for a specified subcommand. Acting on that des
- A platform engineer is scanning the list of Terraform's global options and needs the one that will display the usage information and accepted options for a particular subcommand such as `plan`. Which
- An engineer runs `terraform plan -help` and wants to predict what the top of the output looks like before reading it. Which description most accurately reflects what the `-help` option prints for the
- Working on a build agent with no internet access, an engineer cannot reach the Terraform documentation website but still needs to see the options that the `terraform login` subcommand accepts. How can
- During a review, an engineer runs `terraform validate -help` and needs to describe what appears on screen to a teammate. Which description correctly characterizes the output that the `-help` option pr
- A platform engineer is preparing to run `terraform destroy` against a scratch working directory and, before doing so, wants to print the destroy command's usage line and the complete list of options i
- An engineer wants to review the accepted options and usage for the `state list` operation, which is one of the subcommands grouped under `terraform state`. Following the documented convention for gett
- An engineer notices the command `terraform -chdir=environments/prod plan` in a runbook and wonders whether the `-chdir` global option can also be used to print the plan command's usage and its availab
- Two engineers disagree about how to display the usage information for the `init` subcommand. One types `terraform init -help`; the other insists it must be written as `terraform -help init`. According
- An engineer runs `terraform -help` on its own and sees the general help: a list of available commands and the global options. They actually need to review only the specific options that the `terraform
- While preparing to import an existing resource, an engineer wants to review every option that the `terraform import` subcommand accepts, along with its usage, without running an actual import or leavi
- A platform engineer has just cloned an unfamiliar repository and wants to review every option that the `terraform plan` subcommand accepts, together with its usage line, directly from the command line
- A new team member is nervous about experimenting with `terraform apply` in a production working directory and wants to inspect the command's accepted options first. A colleague suggests running `terra
- A developer runs `terraform` with no additional arguments and sees the list of available commands, including `init`. They now want to see exactly which options the `init` subcommand accepts and how it
- Command structure with global options
The Terraform CLI follows the pattern terraform [global options] [args], where global options such as -chdir and -version precede the subcommand name.
Initialize a working directory
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- init performs backend, module, and provider setup
terraform init initializes a working directory by initializing the backend, downloading and installing child modules referenced in module blocks, and installing the provider plugins the configuration requires.
Trap Thinking init applies changes or refreshes state; init only prepares the working directory and never provisions infrastructure.
10 questions test this
- A small configuration has no `backend` block, so it uses Terraform's default local backend, and it requires only the `aws` provider. A developer argues that because there is no remote backend to confi
- You clone a repository whose root module both references child modules in `module` blocks and requires several providers. Because there is no `.terraform` directory yet, `terraform plan` fails immedia
- An engineer adds a new `aws` provider to the `required_providers` block of a configuration that was already initialized earlier. Running `terraform plan` now fails with a message stating that the prov
- Before the first `terraform plan`, an engineer must download the child modules referenced in `module` blocks and install the provider plugins the configuration requires. A colleague suggests running `
- A developer new to Terraform assumes the `aws` provider ships built into the Terraform CLI binary, so they expect no network access to be needed the first time they run `terraform init` on a configura
- A platform engineer has just cloned a Terraform repository whose root configuration declares several `required_providers`, references two child modules in `module` blocks, and specifies an `s3` backen
- Two engineers collaborate on a Terraform configuration through a shared Git repository, but the `.terraform` directory is excluded from version control. When the second engineer clones the repository,
- During a code review, a colleague asks what is actually stored inside the `.terraform` directory that `terraform init` created in the project root. Which answer correctly describes its contents?
- A teammate who is new to Terraform believes that running `terraform init` on a fresh configuration will begin creating the cloud resources it declares. You correct them before they run it. Which state
- An engineer clones a Terraform repository and runs `terraform init` successfully. Before running any other command, they assume init has already reconciled the Terraform state with the live remote obj
- init is the first command and creates .terraform
terraform init is the first command run against a new or cloned configuration; it creates the local .terraform directory used to store backend configuration, provider plugins, and modules.
5 questions test this
- A small configuration has no `backend` block, so it uses Terraform's default local backend, and it requires only the `aws` provider. A developer argues that because there is no remote backend to confi
- Before the first `terraform plan`, an engineer must download the child modules referenced in `module` blocks and install the provider plugins the configuration requires. A colleague suggests running `
- A platform engineer has just cloned a Terraform repository whose root configuration declares several `required_providers`, references two child modules in `module` blocks, and specifies an `s3` backen
- Two engineers collaborate on a Terraform configuration through a shared Git repository, but the `.terraform` directory is excluded from version control. When the second engineer clones the repository,
- During a code review, a colleague asks what is actually stored inside the `.terraform` directory that `terraform init` created in the project root. Which answer correctly describes its contents?
- init is safe to run multiple times
terraform init is idempotent and safe to run repeatedly; it installs newly added modules and providers but never deletes existing configuration or state.
- -upgrade ignores locked provider selections
terraform init -upgrade upgrades all previously selected providers to the newest versions allowed by the configuration's version constraints, ignoring the versions recorded in the dependency lock file.
Trap Believing a plain terraform init upgrades providers; without -upgrade it honors the versions already recorded in .terraform.lock.hcl.
8 questions test this
- Your configuration pins a provider with `version = "~> 5.0"`, the lock file records 5.10.0, and both 5.40.0 and a brand-new 6.0.0 have been published. A colleague runs `terraform init -upgrade`, expec
- Before running `terraform init -upgrade`, an engineer worries it will jump every provider to the absolute latest release on the registry, including a new major version that could break the configurati
- A platform engineer runs `terraform init -upgrade` and Terraform selects newer versions for two of the required providers. Before this command, `.terraform.lock.hcl` recorded the older versions and wa
- Your configuration constrains the aws provider with `version = "~> 5.0"`, and `.terraform.lock.hcl` currently records 5.20.0, even though 5.40.0 has since been released. A teammate runs `terraform ini
- Your team widened the version constraint on the `aws` provider in `required_providers` so a newer release is now permitted, but a plain `terraform init` still installed the version already recorded in
- Weeks after your last initialization, several of the providers required by your configuration have published newer patch releases that still satisfy your existing version constraints. You run a plain
- An engineer wants to move the team onto a newer release of the Terraform CLI itself and assumes that running `terraform init -upgrade` will download and install that newer Terraform binary. In terms o
- A configuration requires three providers, all with versions currently recorded in `.terraform.lock.hcl`. Only one of them has published a newer release within the existing constraints. An engineer run
- init writes the dependency lock file
During provider installation terraform init records the selected provider versions and checksums in .terraform.lock.hcl, which should be committed to version control so future inits select the same versions.
12 questions test this
- Before running `terraform init -upgrade`, an engineer worries it will jump every provider to the absolute latest release on the registry, including a new major version that could break the configurati
- A developer opening a pull request proposes adding `.terraform.lock.hcl` to the project's `.gitignore`, arguing it is just a machine-generated artifact. Following HashiCorp's guidance for the dependen
- Two engineers work from the same Git repository. The first runs `terraform init`, commits the resulting `.terraform.lock.hcl`, and pushes. The second engineer pulls the repo and runs `terraform init`
- A new engineer notices `.terraform.lock.hcl` sitting in the root of the working directory next to the `.tf` files, while the downloaded provider binaries live under the `.terraform` subdirectory. They
- A platform engineer runs `terraform init -upgrade` and Terraform selects newer versions for two of the required providers. Before this command, `.terraform.lock.hcl` recorded the older versions and wa
- Your configuration constrains the aws provider with `version = "~> 5.0"`, and `.terraform.lock.hcl` currently records 5.20.0, even though 5.40.0 has since been released. A teammate runs `terraform ini
- Your team widened the version constraint on the `aws` provider in `required_providers` so a newer release is now permitted, but a plain `terraform init` still installed the version already recorded in
- Weeks after your last initialization, several of the providers required by your configuration have published newer patch releases that still satisfy your existing version constraints. You run a plain
- A developer initializes a brand-new Terraform project for the first time by running `terraform init`. Provider installation completes successfully, and a `.terraform.lock.hcl` file now appears in the
- Your team relies on `.terraform.lock.hcl` to keep deployments reproducible across environments. A teammate assumes the lock file also pins the versions of the remote registry modules your configuratio
- During a code review, a teammate claims that `terraform plan` and `terraform apply` refresh `.terraform.lock.hcl` whenever providers change. You want to correct this misconception about which command
- You add a brand-new provider to the `required_providers` block of an already-initialized configuration and then run `terraform plan`, which stops with an error saying the provider is not installed. Wh
- -plugin-dir forces a local plugin source
terraform init -plugin-dir=PATH forces Terraform to read provider plugins only from the specified directory, bypassing the registry and other install methods.
- init -migrate-state moves state to a new backend
After changing the backend configuration, you re-run terraform init; the -migrate-state option copies the existing state file into the newly configured backend.
Trap Reaching for terraform state mv, push, or refresh to move to a new backend; backend migration is done by re-running terraform init.
7 questions test this
- You are reinitializing a working directory against a replacement backend, and you explicitly do NOT want Terraform to copy the current state into it — the new backend should start empty and the previo
- A working directory holds three CLI workspaces (default, staging, and prod), each with its own state, all persisted in one remote backend. The team edits the `backend` block to point at a different re
- An automated pipeline must migrate Terraform state to a newly configured backend without any human at the keyboard: the run must copy the existing state and answer 'yes' to every migration confirmatio
- An engineer is repointing a working directory from an old remote backend to a brand-new, empty one. The previous state is obsolete and must NOT be carried over — the team wants Terraform to initialize
- An engineer has changed a project's backend settings several times, and each `terraform init` keeps reconciling against the backend configuration Terraform cached during an earlier initialization. The
- To move a project's state from an old remote backend into a newly configured one, one teammate proposes running `terraform state mv` for each resource and another proposes `terraform refresh`; in test
- A colleague asks you to spell out the practical difference between `terraform init -migrate-state` and `terraform init -reconfigure` when they are pointing a working directory at a different backend.
- -reconfigure skips state migration
terraform init -reconfigure disregards any existing backend configuration and reinitializes from scratch, explicitly preventing migration of existing state to the new backend.
Trap Confusing -reconfigure with -migrate-state; -reconfigure discards the old backend without copying state, while -migrate-state copies it.
8 questions test this
- An engineer edits the `backend` block to target a new remote backend and runs `terraform init -reconfigure`, assuming the current state will be carried over. After it completes, the new backend is emp
- You are reinitializing a working directory against a replacement backend, and you explicitly do NOT want Terraform to copy the current state into it — the new backend should start empty and the previo
- A working directory holds three CLI workspaces (default, staging, and prod), each with its own state, all persisted in one remote backend. The team edits the `backend` block to point at a different re
- An automated pipeline must migrate Terraform state to a newly configured backend without any human at the keyboard: the run must copy the existing state and answer 'yes' to every migration confirmatio
- An engineer is repointing a working directory from an old remote backend to a brand-new, empty one. The previous state is obsolete and must NOT be carried over — the team wants Terraform to initialize
- An engineer has changed a project's backend settings several times, and each `terraform init` keeps reconciling against the backend configuration Terraform cached during an earlier initialization. The
- To move a project's state from an old remote backend into a newly configured one, one teammate proposes running `terraform state mv` for each resource and another proposes `terraform refresh`; in test
- A colleague asks you to spell out the practical difference between `terraform init -migrate-state` and `terraform init -reconfigure` when they are pointing a working directory at a different backend.
- -backend=false initializes without a backend
terraform init -backend=false skips backend initialization, which is useful for installing plugins and modules to validate a configuration without accessing remote state.
- Terraform merges all .tf/.tf.json files order-independently
Terraform loads and merges every .tf and .tf.json file in the working (top-level) directory into a single configuration, evaluating the whole module as one document; nested directories are treated as separate modules and are not auto-loaded. Because the language is declarative, the order in which files are loaded does not matter, so splitting code across main.tf, variables.tf, and outputs.tf is purely an organizational convention with no effect on behavior.
Trap Assuming filenames like main.tf/variables.tf/outputs.tf are required or that Terraform executes files in a top-to-bottom or filename order — it does not. The lone exception to flat merging is override files (override.tf, override.tf.json, or any *_override.tf / *_override.tf.json), which are loaded last and merged in to override matching blocks.
6 questions test this
- A base file declares `resource "aws_instance" "app"` with `instance_type = "t3.micro"` and several other arguments. A separate `app_override.tf` in the same directory declares the same resource with o
- A team keeps its canonical infrastructure in `main.tf` and wants to override one argument on a single resource for a quick experiment. A developer adds a file named exactly `override.tf`, with no pref
- A team generates part of its configuration programmatically and writes it to a file named `generated.tf.json`, keeping their hand-written resources in ordinary `.tf` files in the same directory. A col
- To tidy a growing root module, an engineer moves the networking resources into a new `./networking` subdirectory inside the same working directory, leaving the remaining `.tf` files at the top level.
- While refactoring a working directory, a platform engineer copies a `resource "aws_s3_bucket" "logs"` block from `storage.tf` into a second file, `buckets.tf`, so both files now declare that same reso
- A directory contains a base `main.tf` plus two override files, `a_override.tf` and `b_override.tf`, that set the same argument on the same resource to different values. In what order does Terraform ap
Validate a configuration
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- validate checks syntax and internal consistency
terraform validate verifies that a configuration is syntactically valid and internally consistent, regardless of any provided variables or existing state.
13 questions test this
- A terraform validate check passes in CI, but an engineer now needs to verify the same configuration in the context of a specific run, meaning a particular target workspace and a specific set of input
- An engineer clones a repository containing Terraform configuration and immediately runs terraform validate without running terraform init first. The command errors out before it checks the configurati
- A platform engineer wants to confirm that the Terraform files in a working directory are syntactically valid and internally consistent, but the target cloud account is currently offline and she does n
- A configuration declares an input variable named region that is required and has no default. No .tfvars file is present and no value is supplied on the command line. A teammate then runs terraform val
- A platform team wants a CI job that confirms a reusable module's Terraform files are syntactically valid and internally consistent on every pull request. The CI runner has no cloud credentials and mus
- A developer assigns a string to an argument that a resource expects to be a number, and also misspells another argument name so that it does not exist on that resource type. Running terraform validate
- An engineer configures an S3 remote backend and a cloud provider block, then runs terraform validate, expecting it to confirm that the remote state bucket is reachable and that the provider credential
- A developer runs `terraform fmt` on a module and, seeing it exit cleanly after tidying the indentation, tells a teammate the configuration is now confirmed correct. The teammate is skeptical and sugge
- An engineer relies on `terraform validate` to catch typos in resource argument names — for example writing `ami_id` where the resource type expects `ami` — before opening a pull request. For `terrafor
- In your continuous-integration pipeline, a terraform validate step runs against a module directory on every pull request. A teammate who is new to Terraform asks what a passing validate result actuall
- A developer sets `instance_type = "t2.mikro"` on a resource, accidentally misspelling a real machine size, and then runs `terraform validate` in a working directory that has already been initialized.
- A module author has no cloud credentials on her laptop and cannot deploy anything, but she wants to confirm that a reusable module's resource argument names and value types are correct before she publ
- While reviewing a reusable module before publishing it, an author already knows that terraform validate confirms the files parse correctly. She wants to understand what additional correctness check va
- validate checks attribute names and value types
terraform validate confirms that argument names and value types are correct for the resources and providers referenced, catching type mismatches and unknown attributes before a plan.
8 questions test this
- An engineer clones a repository containing Terraform configuration and immediately runs terraform validate without running terraform init first. The command errors out before it checks the configurati
- A developer assigns a string to an argument that a resource expects to be a number, and also misspells another argument name so that it does not exist on that resource type. Running terraform validate
- A developer runs `terraform fmt` on a module and, seeing it exit cleanly after tidying the indentation, tells a teammate the configuration is now confirmed correct. The teammate is skeptical and sugge
- An engineer relies on `terraform validate` to catch typos in resource argument names — for example writing `ami_id` where the resource type expects `ami` — before opening a pull request. For `terrafor
- A developer sets `instance_type = "t2.mikro"` on a resource, accidentally misspelling a real machine size, and then runs `terraform validate` in a working directory that has already been initialized.
- A module author has no cloud credentials on her laptop and cannot deploy anything, but she wants to confirm that a reusable module's resource argument names and value types are correct before she publ
- An engineer wants a local, offline command that will catch a misspelled (nonexistent) resource argument and an argument assigned the wrong value type, checking these against the provider schema withou
- While reviewing a reusable module before publishing it, an author already knows that terraform validate confirms the files parse correctly. She wants to understand what additional correctness check va
- validate does not check remote services
terraform validate does not validate remote services such as provider APIs or remote state, so it cannot confirm that credentials work or that a resource can actually be created.
Trap Assuming a passing validate guarantees a successful apply; it checks configuration correctness only, not real infrastructure or API access.
11 questions test this
- An engineer wants a command that, unlike `terraform validate`, actually reconciles the configuration against real remote objects by contacting the provider API and reading current state, so they can p
- A configuration is set up to store its state in a remote backend, but that backend is temporarily unreachable from the engineer's network. The engineer wants to check that a reusable module's configur
- A module author on a locked-down build agent has no access to the remote state backend but needs to confirm that a reusable module is internally consistent as part of a CI job. What is the correct way
- Ahead of a scheduled production deployment, an engineer wants a fast pre-flight check that the cloud provider credentials configured in their shell actually authenticate and that the provider's API is
- During testing, an engineer runs `terraform validate -var 'region=xx-fake-1'`, deliberately passing a region value that no cloud provider actually offers. The configuration is otherwise well-formed, a
- A new team member asks how `terraform validate` and `terraform plan` differ in terms of what infrastructure and state they actually touch when run with no extra flags. Which statement correctly distin
- A platform team's CI pipeline runs `terraform validate` on every pull request, and the command exits successfully for a change that adds a new cloud resource. A reviewer argues that because validate p
- A module author's CI pipeline runs only `terraform fmt` and `terraform validate` before publishing a reusable module to the private registry. A consumer later finds that `terraform apply` fails agains
- An engineer hard-codes an AMI ID into an `aws_instance` resource, but that AMI does not exist in the target account or region. The HCL is otherwise well-formed. They run `terraform validate` after `te
- An engineer clones a Terraform project onto a fresh laptop that has no cloud provider credentials configured at all. After running `terraform init`, they run `terraform validate` against the configura
- A team is documenting each command in their Terraform workflow. For `terraform validate`, which statement best describes the scope of what the command actually checks in a configuration directory?
- validate is not a plan
terraform validate does not read state or generate an execution plan, so it will not surface drift or runtime errors that only appear when Terraform contacts real infrastructure.
- validate requires an initialized directory
terraform validate requires an already-initialized working directory with referenced providers and modules installed; run terraform init (optionally with -backend=false) first.
Trap Thinking validate works on a fresh checkout without init; it needs providers and modules installed to type-check the configuration.
12 questions test this
- A platform engineer clones a teammate's Terraform repository onto a brand-new workstation and, before running anything else, immediately runs `terraform validate` to lint the HCL. Instead of a validat
- Your CI runner must run `terraform validate` on a configuration, but it has no credentials for the remote backend and you do not want initialization to contact or configure that backend. Which single
- While writing a Makefile target that runs `terraform validate`, an engineer must add a prior step that installs the referenced provider plugins and child modules into the working directory, since vali
- A developer clones a repository whose configuration references a cloud provider and a published registry module, then runs `terraform validate` on the untouched checkout expecting a quick syntax lint.
- A teammate is compiling a checklist of what `terraform validate` needs in order to run against a configuration as they set up a shared CI lint stage. Which of the following does `terraform validate` a
- A continuous integration job checks out your module into a clean container image and runs `terraform validate` as its first lint step, but every build fails at that step because the referenced provide
- Your root configuration includes a `module` block whose `source` points to a module on the public Terraform Registry. On a freshly cloned copy of the repository you run `terraform validate`, and it fa
- During a code review, a colleague insists that `terraform validate` is a purely offline syntax check and should therefore succeed on a fresh checkout with no setup at all. Which statement most accurat
- To let `terraform validate` run inside a CI container that has no backend credentials, an engineer initializes the directory with `terraform init -backend=false`. In terms of what actually gets set up
- Before adding `terraform validate` to an automated check, a developer is unsure whether it will refuse to run when no input variable values have been supplied and no state file exists yet for the conf
- An engineer wants a check that confirms their HCL is syntactically valid and internally consistent WITHOUT contacting the remote backend or any provider's API, and is unsure what setup that check need
- The `terraform validate` documentation notes that it is safe to run automatically, for example as a post-save editor check or a CI test step. A developer wires it into a pre-commit hook, but the hook
- validate supports JSON output and CI use
terraform validate -json produces machine-readable output, and the command is safe to run automatically, for example as an editor post-save check or a CI test step for a reusable module.
Generate and review an execution plan
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Apply changes to infrastructure
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Destroy managed infrastructure
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Apply formatting and style adjustments
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Terraform configuration
Resource and data blocks
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Resource block has two labels
A
resourceblock requires two labels: the resource type (e.g.aws_instance) and a local name (e.g.web). Together they form the resource addressaws_instance.web, which must be unique within the module.Trap Believing the local name must be globally unique or must match a provider-assigned identifier.
3 questions test this
- In Terraform's configuration language a resource is declared with the keyword `resource` followed by two quoted labels, as in `resource "aws_instance" "web" { ... }`. What do these two labels specify,
- Within one module, an engineer writes `resource "aws_instance" "web" { ... }` and, in the same configuration, `resource "aws_s3_bucket" "web" { ... }`, reusing the local name `web` for both blocks. A
- An engineer declares a single compute instance with the block `resource "aws_instance" "web" { ... }` and later needs to reference that instance's exported attributes from an `output` value elsewhere
- Resource meta-arguments
In addition to provider-defined arguments, a
resourceblock accepts the meta-argumentsdepends_on,count,for_each,provider, andlifecycle.countandfor_eachare mutually exclusive within the same block.Trap Using both
countandfor_eachin one resource block (Terraform errors).3 questions test this
- To create several storage buckets, an engineer adds both `count = 3` and `for_each = var.bucket_names` to the same `resource` block, expecting Terraform to combine the two. When the engineer runs `ter
- Two resources in a module have a hidden relationship: an application server must be created only after a monitoring agent's IAM role finishes provisioning, yet the server's configuration never referen
- A platform engineer is refactoring a resource block so that, during future updates, Terraform provisions a replacement instance before tearing down the current one, and so that no plan can ever destro
- Managed resource lifecycle
A managed
resourceblock directs Terraform to create, update, or destroy real infrastructure so it matches the configuration.3 questions test this
- A new team member asks what a managed `resource` block actually instructs Terraform to do when they run `terraform apply` against it. Which statement best describes the purpose of a managed resource b
- An engineer deletes an `aws_instance` resource block that was previously applied and whose real compute instance still exists and is recorded in state. Leaving the rest of the configuration unchanged,
- A platform engineer is refactoring a resource block so that, during future updates, Terraform provisions a replacement instance before tearing down the current one, and so that no plan can ever destro
- count vs. for_each resource meta-arguments
The count meta-argument takes a whole number and creates that many instances addressed by count.index (starting at 0), while for_each takes a map or a set of strings and creates one instance per element keyed by each.key/each.value; you cannot set both count and for_each on the same block. for_each is preferred when instances need stable identity, because instances are tracked by map/set key rather than by positional index, so adding or removing a middle element does not force the shift-and-replace churn that count produces.
Trap count.index is unavailable inside a for_each block (and each.key/each.value are unavailable with count); switching a resource from count to for_each changes every instance address and forces replacement unless you add a moved block.
3 questions test this
- To create several storage buckets, an engineer adds both `count = 3` and `for_each = var.bucket_names` to the same `resource` block, expecting Terraform to combine the two. When the engineer runs `ter
- An engineer manages five virtual machines with `count = 5` and wants to switch to `for_each` keyed by hostname so that removing one machine from the middle of the list no longer reshuffles the others.
- An engineer wants one storage bucket per name in a variable `bucket_names` that is typed as `list(string)`, so they write `for_each = var.bucket_names` directly on the resource block. Terraform return
- Data blocks are read-only
A data source is declared
data "<TYPE>" "<NAME>" {}; Terraform performs only read operations on it, fetching information about existing objects without creating or modifying infrastructure.4 questions test this
- A team needs their Terraform configuration to look up the ID of an existing, externally managed VPC and feed it into a new security group, without provisioning or taking ownership of the VPC itself. W
- A root configuration contains one `resource "aws_instance" "app"` block and one `data "aws_ami" "base"` block that looks up the AMI the instance uses. The engineer runs `terraform destroy` and confirm
- During a design review, a colleague asks why the team uses a `data` block rather than a `resource` block to obtain the ID of a pre-existing VPC that a different team already provisions and owns. Which
- A platform engineer adds a `data "aws_ami" "ubuntu" {}` block to a configuration that already manages several EC2 instances. During code review, a teammate worries that running `terraform apply` will
- When data sources are read
Terraform reads a data source during the plan/refresh phase when its arguments are known, but defers the read until apply when the data block depends on values not yet known (for example attributes of resources changing in the same plan).
Trap Assuming data sources are always read at apply time, or always fully resolved before plan.
4 questions test this
- A `data "aws_ami" "latest"` block selects the most recent AMI matching a fixed filter. Between two runs of `terraform plan`, a newer matching AMI is published in the cloud account. With every argument
- A platform engineer declares `data "aws_vpc" "primary" {}` that looks up an existing VPC using only fixed literal filter values, with no reference to any managed resource in the configuration. A teamm
- An engineer's `data "aws_ami" "ubuntu"` block filters solely on hard-coded literal values - a fixed name pattern and a fixed owner ID - with no `depends_on` set. All of the block's arguments are there
- An engineer writes a `data "aws_subnet" "selected"` block whose lookup argument references `aws_instance.app.id` - an instance being created in the very same `terraform plan`. Because that argument is
- Data source reference syntax
Data source attributes are referenced as
data.<TYPE>.<NAME>.<ATTRIBUTE>; the leadingdata.prefix distinguishes them from managed resource references.Trap Omitting the
data.prefix and referencing the source like a managed resource.2 questions test this
- A child module declares `data "aws_subnet" "selected" {}` and must expose that subnet's `cidr_block` attribute to its parent module through an `output` block. Which reference belongs in the output blo
- In one configuration, an engineer has both a managed resource `aws_vpc.main` and a data source declared `data "aws_vpc" "main"` - the same type and the same name label. Which pair of expressions refer
- CRUD ownership differs
A managed
resourceblock owns the full create/update/delete lifecycle of the object, while adatablock only reads an existing object and never manages or destroys it.Trap Thinking a data source can provision or destroy infrastructure.
7 questions test this
- An engineer needs Terraform to create a brand-new load balancer, keep it updated in place as the configuration evolves, and destroy it when it is removed from the configuration. Which block type decla
- A configuration contains a `data` block that looks up an existing, externally managed database instance so its endpoint can be passed to an application resource. A colleague worries that running `terr
- A colleague created a storage account by hand in the cloud console and now wants Terraform to fully own it, updating it when the configuration changes and destroying it when it is removed. Another eng
- A teammate claims that Terraform reconciles a `data` block and a managed `resource` block on exactly the same schedule during a run. How does the update cadence of a data source actually differ from t
- In Terraform, a `resource` block and a `data` block both describe objects that live in a provider, yet they play fundamentally different roles in a configuration. Which statement correctly describes h
- A platform team already has a production VPC that was created by hand in the cloud console. They want their new Terraform configuration to reference that VPC's ID when defining subnets, but Terraform
- New to Terraform, an engineer writes a `data` block for a cloud storage bucket, expecting that the next `terraform apply` will provision a brand-new bucket for the team. When the apply runs, what does
- Data sources re-read each run
Terraform re-reads each data source during the refresh step of every plan/apply so it reflects the current real-world value, whereas a managed resource is only changed when configuration or state drift requires it.
5 questions test this
- A `data` block reads a value from a shared platform that a different team updates several times a week. Between two runs nobody edits the Terraform files or the data block's arguments. During the next
- A `data` block reads an existing DNS record whose value is maintained outside Terraform, and a managed resource references that data source's output. Someone edits the DNS record directly in the provi
- A teammate claims that Terraform reconciles a `data` block and a managed `resource` block on exactly the same schedule during a run. How does the update cadence of a data source actually differ from t
- During a normal `terraform plan` in which a `data` block's arguments are all already known, at what point does Terraform query that data source, and why does the timing matter?
- A `data` block looks up the most recent machine image published by a platform team. Weeks after the last apply, that team publishes a newer image. Without changing any Terraform files, the engineer no
- provisioners: local-exec vs. remote-exec
A local-exec provisioner runs a command on the machine running Terraform, whereas a remote-exec provisioner runs commands on the newly created remote resource and therefore requires a connection block (SSH or WinRM). Provisioners run at creation time by default, or during destroy when when = destroy is set, and HashiCorp guidance is to use them only as a last resort after purpose-built alternatives.
Trap A failed creation-time provisioner marks the resource as tainted so it is recreated on the next apply; destroy-time provisioners still require a valid connection at destroy time.
8 questions test this
- A new team is deciding how heavily to rely on provisioners for post-apply configuration of their infrastructure. According to HashiCorp's official guidance, what posture should they take toward provis
- A platform engineer is choosing between the local-exec and remote-exec provisioners for a post-apply step attached to a single resource, and needs to recall the essential difference between the two. W
- A team configures a remote-exec provisioner with when = destroy on a server resource so that a graceful-shutdown script runs on the host just before Terraform tears it down. For this destroy-time prov
- A team adds a provisioner to a resource and wants it to run automatically the first time that resource is created, and they include no when argument at all. At what point in the resource's lifecycle d
- A platform engineer adds a provisioner to a resource so that, immediately after the resource is created, a shell command runs on the same CI runner that is executing Terraform to update a local invent
- An engineer must run a CLI command on the very machine executing Terraform right after a load balancer is created, to register the load balancer's DNS name with an external monitoring service. Which p
- During terraform apply, a destroy-time provisioner (when = destroy) attached to a resource being removed exits non-zero while running its cleanup script. Unlike a failed creation-time provisioner, how
- An engineer adds a remote-exec provisioner to a compute-instance resource to run a package-install command on the new instance, but terraform apply fails because Terraform has no way to reach the host
- Provisioner failure taints the resource
A creation-time provisioner that exits non-zero fails the apply and marks the resource as tainted, so Terraform destroys and recreates it on the next terraform apply; because Terraform cannot predictably model the changes a provisioner makes, recreation is used instead of a partial repair. The on_failure argument overrides this: the default (fail) aborts the apply, while on_failure = continue makes Terraform ignore the error and proceed.
Trap Assuming a failed provisioner leaves a usable resource, or that continue is the default (it is not — fail is). Destroy-time provisioners behave differently: a failure returns an error and Terraform re-runs the provisioner on the next terraform apply rather than tainting.
5 questions test this
- During terraform apply, a remote-exec provisioner attached to a newly created server exits with a non-zero status while running a bootstrap script, and no on_failure argument is set on the provisioner
- A one-off local-exec provisioner runs a best-effort notification command that occasionally exits non-zero, and the engineer does not want that failure to abort an otherwise-successful terraform apply.
- During terraform apply, a destroy-time provisioner (when = destroy) attached to a resource being removed exits non-zero while running its cleanup script. Unlike a failed creation-time provisioner, how
- An engineer's remote-exec provisioner exits non-zero midway through configuring a freshly created VM, and the provisioner has no on_failure argument set. Focusing only on the current terraform apply t
- A junior engineer asks why, after a creation-time provisioner fails and taints a resource, Terraform destroys and recreates the whole resource on the next apply instead of simply re-running the provis
- The file provisioner
The file provisioner copies files or directories from the machine where Terraform is running to the newly created resource, using either a source path or inline content plus a destination path on the target. Like remote-exec, it reaches the resource through a connection block over SSH or WinRM.
Trap file completes the provisioner-type triad (local-exec, remote-exec, file); a common misconception is treating file as a generic data/config feature or forgetting it still requires a connection block — unlike local-exec it acts on the remote host, not the Terraform machine.
- terraform_data built-in resource (null_resource replacement)
The built-in terraform_data managed resource (added in Terraform 1.4, provider source terraform.io/builtin/terraform, requiring no provider block or required_providers entry) is the modern replacement for the null provider's null_resource: it implements the standard resource lifecycle without managing any real infrastructure object. Its optional input argument stores an arbitrary value that is echoed to the computed output attribute (unknown during plan, equal to input after apply), and it can host standalone provisioners that have no other logical managed resource to attach to. Setting its triggers_replace argument forces the terraform_data instance to be replaced whenever that value changes, so referencing the instance from another resource's lifecycle { replace_triggered_by = [terraform_data.] } propagates a forced replacement onto that dependent resource.
Trap Assuming terraform_data still needs the hashicorp/null provider (a required_providers entry or provider block) the way null_resource did — it does not; terraform_data is always available through Terraform's built-in provider, so no provider is declared or configured.
Referencing resource attributes
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Attribute reference form
Another resource's exported attribute is referenced as
<TYPE>.<NAME>.<ATTRIBUTE>, for exampleaws_vpc.main.id.6 questions test this
- In one configuration an `aws_eip` resource sets `instance = aws_instance.web.id`, and `aws_instance.web` uses neither `count` nor `for_each`. Beyond supplying the instance id value, what else does wri
- In Terraform, when one resource needs a value that another managed resource - one that uses neither count nor for_each - exports, which general form correctly references that exported attribute?
- An engineer declares `resource "aws_instance" "node" { count = 4 ... }` and now needs an output that returns the `id` of only the FIRST instance Terraform created. Given that count instances are addre
- Two resources sit in one Terraform configuration: a VPC declared as `resource "aws_vpc" "main" { ... }` and a security group that needs the VPC's exported `id` for its `vpc_id` argument. Neither resou
- A configuration declares `resource "aws_instance" "api" { for_each = var.nodes ... }`, where `var.nodes` is a map with the keys `"blue"` and `"green"`. Another resource must reference the `id` of the
- During a review, an engineer points at the reference `aws_subnet.public.vpc_id`, used inside another resource block to wire two resources together; neither resource uses `count` or `for_each`. Reading
- Indexing count instances
For a resource using
count, individual instances are addressed by numeric index such asaws_instance.web[0].id; the bare nameaws_instance.webis the whole list of instances.Trap Referencing
aws_instance.web.iddirectly whencountis set, which errors because the value is a list.5 questions test this
- An engineer wrote `resource "aws_instance" "web" { count = 2 ... }` and then referenced `aws_instance.web.id` in an output, expecting a single instance id. Running `terraform plan` returns an error in
- A module author converts a resource from `count` to `for_each = var.instances`, where `var.instances` is a map, but leaves an existing reference `aws_instance.web[0].id` unchanged. After the switch th
- A configuration declares `resource "aws_instance" "web" { count = 5 ... }`. An output must return a single list containing the `id` of every instance the `count` created, in index order. Using the doc
- An engineer declares `resource "aws_instance" "node" { count = 4 ... }` and now needs an output that returns the `id` of only the FIRST instance Terraform created. Given that count instances are addre
- A resource declares `resource "aws_instance" "worker" { count = 3 ... }`. Elsewhere an engineer writes the bare address `aws_instance.worker` with no index, expecting it to behave like a single resour
- Indexing for_each instances
For a resource using
for_each, instances are addressed by their map/set key, such asaws_instance.web["app"].id; the collection is a map keyed byeach.key.Trap Using a numeric index like
[0]to address afor_eachinstance instead of its string key.4 questions test this
- A resource `aws_s3_bucket.logs` is declared with `for_each = { app = "app-logs", db = "db-logs" }`. Another resource must reference the `arn` of the bucket created for the `db` entry. Which statement
- A module author converts a resource from `count` to `for_each = var.instances`, where `var.instances` is a map, but leaves an existing reference `aws_instance.web[0].id` unchanged. After the switch th
- A configuration declares `resource "aws_instance" "web" { for_each = toset(["app", "db"]) ... }`. A teammate needs the `private_ip` of the instance created for the `"app"` key. Because the resource us
- A configuration declares `resource "aws_instance" "api" { for_each = var.nodes ... }`, where `var.nodes` is a map with the keys `"blue"` and `"green"`. Another resource must reference the `id` of the
- References create implicit dependencies
When one resource argument references another resource's attribute (e.g.
subnet_id = aws_subnet.main.id), Terraform automatically infers a dependency and creates or updates the referenced resource first.Trap Adding a manual
depends_onwhen a reference already establishes the ordering.12 questions test this
- A subnet resource is referenced by an instance through `subnet_id = aws_subnet.main.id`, which makes the instance implicitly depend on the subnet. The engineer later runs `terraform destroy` to tear d
- In a configuration, an `aws_nat_gateway` sets its `allocation_id` argument to `aws_eip.nat.id`, referencing an Elastic IP declared in the same configuration. The Elastic IP does not reference the NAT
- An engineer defines a new `aws_subnet` and an `aws_instance` whose `subnet_id` references `aws_subnet.main.id`. The subnet does not exist yet, and its `id` is assigned by the provider only when the su
- After adding a `depends_on` argument to a module that already references an upstream resource, an engineer notices that the next `terraform plan` reports many more of the module's attributes as `(know
- A team is establishing configuration standards. One proposal is to add `depends_on` to every resource block 'to be safe,' regardless of whether the resources already reference one another. According t
- An engineer references a newly created database's `aws_db_instance.main.address` - assigned on create, so `(known after apply)` at plan time - inside an argument of a separate application resource. A
- An engineer's configuration declares a dozen resources across several files, some referencing other resources' attributes and some fully independent. Nothing sets an explicit ordering. When the engine
- A configuration defines an `aws_s3_bucket` for logs and an `aws_key_pair` for SSH access. Neither resource references any attribute of the other, and there is no `depends_on` between them. When the en
- An application running on an `aws_instance` reads objects from an S3 bucket at runtime, but the instance's configuration never references any attribute of the `aws_s3_bucket` resource. The engineer st
- A configuration creates a new resource and then defines an `output` value that references the `arn` attribute of that not-yet-created resource. Because the resource does not exist during planning, the
- A root module declares `aws_vpc.main` and calls a child `network` module, passing `vpc_id = aws_vpc.main.id` as one of the module's input variables. The child module uses that value to create subnets,
- A platform engineer writes an `aws_instance` resource whose `subnet_id` argument is set to `aws_subnet.main.id`, referencing a subnet declared in the same configuration. Neither block includes a `depe
- Unknown referenced values
If a referenced attribute is not yet known at plan time (for example an ID the provider assigns on create), the plan shows the dependent value as
(known after apply).8 questions test this
- An engineer defines a new `aws_subnet` and an `aws_instance` whose `subnet_id` references `aws_subnet.main.id`. The subnet does not exist yet, and its `id` is assigned by the provider only when the su
- After adding a `depends_on` argument to a module that already references an upstream resource, an engineer notices that the next `terraform plan` reports many more of the module's attributes as `(know
- An engineer references a newly created database's `aws_db_instance.main.address` - assigned on create, so `(known after apply)` at plan time - inside an argument of a separate application resource. A
- An engineer configures a resource with `count` set to a value derived from another resource's `id` attribute, but that `id` is assigned by the provider only when the other resource is created. When th
- A `terraform plan` for a brand-new database shows its `endpoint` and `id` as `(known after apply)`. The engineer proceeds with `terraform apply`, and it completes successfully. What is now true of tho
- Reviewing a `terraform plan` for a new deployment, an engineer sees one attribute displayed as `(known after apply)` and a different attribute displayed as `(sensitive value)`. A colleague assumes bot
- A configuration creates a new resource and then defines an `output` value that references the `arn` attribute of that not-yet-created resource. Because the resource does not exist during planning, the
- An engineer plans the creation of a new `aws_instance` whose `ami` and `instance_type` are set to literal strings in the configuration, while `id`, `arn`, and `private_ip` are assigned by the provider
- Named value prefixes
Terraform references named values by prefix: input variables as
var.<NAME>, local values aslocal.<NAME>, data sources asdata.<TYPE>.<NAME>, and child-module outputs asmodule.<NAME>.<OUTPUT>.Trap Referencing a variable by its bare name instead of
var.<name>, or reaching a child module's internal resource instead of its declared output.11 questions test this
- A root configuration calls a child module with the label `network`, and that child module declares `output "vpc_id"` exposing the id of an `aws_vpc` resource it creates. From the root module, which ex
- Module A defines `region_config` in its `locals` block. The author of a separate module B tries to reference `local.region_config` directly, and Terraform reports that the local value is not declared.
- An engineer wants to embed the name of the currently selected CLI workspace into a resource tag so resources are labeled per environment. Which built-in named value returns the current workspace name
- A module author wants the teams that call the module to be able to supply their own value for `environment`, but currently `environment` is defined in a `locals` block and callers report they cannot o
- An engineer defines a `locals` block that computes `name_prefix` from several input variables, and now needs to use that computed value in a resource's `tags` argument. Which expression correctly refe
- An engineer defines a `resource "aws_s3_bucket" "logs"` block and, in a separate `aws_s3_bucket_policy` resource in the same configuration, needs to supply that bucket's ARN. Which expression correctl
- An engineer adds a `data "aws_availability_zones" "available"` block and needs to pass the list of zone names it returns into a resource argument. Which expression correctly references the `names` att
- While reviewing a module, a new team member asks how Terraform tells apart the different kinds of named values it can reference in expressions. Which statement correctly describes the reference prefix
- A module declares `variable "network"` with an object type whose members include a `region` string, and a resource needs the value of that `region` member. Which expression correctly references the `r
- An engineer adds a `data "aws_ami" "ubuntu"` block to look up an image, then needs to pass the resulting image id to the `ami` argument of an `aws_instance` resource. Which expression correctly refere
- An engineer declares `variable "instance_type"` in a module and needs to use its value as the `instance_type` argument of an `aws_instance` resource in the same module. Which expression correctly refe
- Path and workspace values
path.module,path.root, andpath.cwdgive filesystem paths andterraform.workspacegives the current workspace name;self,count.index, andeach.key/each.valueare only valid inside specific block contexts.- locals block for named local values
A locals block assigns names to expressions so a value can be computed once and reused, referenced elsewhere as local. (singular local, even though the block keyword is locals). Local values keep configuration DRY and readable, but unlike input variables they are internal to the module and cannot be set or overridden by callers.
Trap Reference a local with the singular local., not the plural locals.; and because callers cannot set locals, a local is not a substitute for a variable when you need external input.
7 questions test this
- A teammate is confused because a Terraform configuration declares values inside a block written `locals { ... }`, yet every reference in the code uses `local.` without the trailing s. Which explanatio
- Module A defines `region_config` in its `locals` block. The author of a separate module B tries to reference `local.region_config` directly, and Terraform reports that the local value is not declared.
- A module author wants the teams that call the module to be able to supply their own value for `environment`, but currently `environment` is defined in a `locals` block and callers report they cannot o
- During a code review, an engineer replaces the same lengthy expression that appeared in five different resource arguments with a single named value defined in a `locals` block and referenced as `local
- An engineer defines a `locals` block that computes `name_prefix` from several input variables, and now needs to use that computed value in a resource's `tags` argument. Which expression correctly refe
- While reviewing a module, a new team member asks how Terraform tells apart the different kinds of named values it can reference in expressions. Which statement correctly describes the reference prefix
- An engineer keeps an environment prefix in a `locals` block and wants to override it for a single run by passing `terraform apply -var="prefix=staging"` on the command line. What is the correct unders
Variables and outputs
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Variables without default are required
A
variableblock with nodefaultis required; Terraform prompts for its value interactively, or errors in a non-interactive run, when it is not supplied.Trap Assuming a variable without a default silently becomes null or empty.
4 questions test this
- A teammate claims that if you declare `variable "tags" {}` without a `default` and then never supply a value, Terraform will simply treat `var.tags` as an empty or null value when it plans. Which stat
- Every time teammates run `terraform plan` on a shared module, Terraform stops and prompts them to enter a value for `variable "replica_count"`. The team wants the variable to stop prompting and instea
- A CI/CD pipeline runs `terraform plan -input=false` for a configuration that declares `variable "environment" {}` with no default. The pipeline supplies no -var or -var-file flags, no terraform.tfvars
- A developer declares `variable "db_password" {}` with a `type` argument but no `default`, adds no terraform.tfvars file, and runs `terraform plan` interactively in a local terminal with no `-var` flag
- Variable type and nullable
typeconstrains the accepted value,defaultsupplies a fallback, andnullable = falseforbids a null value (the default isnullable = true).4 questions test this
- An engineer declares a variable with three arguments: `type = list(string)`, `default = []`, and `nullable = false`. A teammate asks how these three arguments divide responsibility for the variable's
- A variable block for `labels` sets `type = map(string)` and a `default`, but omits the `nullable` argument entirely. A module consumer then explicitly assigns `labels = null`. Given that nullable is n
- Every time teammates run `terraform plan` on a shared module, Terraform stops and prompts them to enter a value for `variable "replica_count"`. The team wants the variable to stop prompting and instea
- In a module, an engineer writes a variable block for `image_id` with `type = string` and `nullable = false`, and gives it no default. A consumer of the module explicitly passes `image_id = null`. What
- Access variables with var.
Inside configuration a variable's value is accessed as
var.<NAME>, never by the bare variable name.Trap Referencing a variable as
vpc_cidrsinstead ofvar.vpc_cidrs.4 questions test this
- An engineer's configuration sets a resource argument to `vpc_cidrs` - the bare name of a declared input variable - and `terraform validate` fails because Terraform reads `vpc_cidrs` as a reference to
- While refactoring a module, an engineer keeps an input variable named `bucket_name` and, in a `locals` block, adds a local value also named `bucket_name` that appends a random suffix to it. One resour
- A configuration declares `variable "region" {}`. Inside an `aws_instance` resource block, an engineer needs one of the resource arguments to use the value that was supplied for that input variable. Wh
- A module declares `variable "network"` using an object type that includes an attribute named `subnet_id`. Inside a resource block, the engineer needs the `subnet_id` field of the value supplied for th
- Which tfvars auto-load
Terraform automatically loads
terraform.tfvars,terraform.tfvars.json, and any*.auto.tfvars/*.auto.tfvars.jsonfiles from the working directory with no extra flags; other.tfvarsfiles must be passed explicitly with-var-file.Trap Thinking
terraform.tfvarsis ignored unless passed with-var-file, or that only*.auto.tfvarsfiles auto-load.8 questions test this
- A `region` variable is assigned `us-east-1` in a `terraform.tfvars` file in the working directory. A platform engineer then runs `terraform apply -var="region=us-west-2"` from that same directory. Whi
- A team keeps default override values in a file and wants Terraform to load it automatically on every plan and apply, without anyone remembering to pass `-var-file`, and the file must not be named `ter
- A CI system writes variable values into a file named `terraform.tfvars.json` in the working directory. A teammate claims Terraform auto-loads only HCL `.tfvars` files, so this JSON file must be passed
- The variable `env` is assigned "staging" in `terraform.tfvars`, "testing" in `terraform.tfvars.json`, and "production" in `prod.auto.tfvars`, all in the same working directory. No `-var` flag is used
- An engineer has exported the environment variable `TF_VAR_environment=staging` in their shell, while the working directory's `terraform.tfvars` file sets `environment = "production"`. They run a bare
- A working directory contains a `terraform.tfvars` file that sets `instance_count = 2` and a `prod.auto.tfvars` file that sets `instance_count = 5`. An engineer runs a bare `terraform plan` with no `-v
- A working directory contains four files: `terraform.tfvars`, `production.tfvars`, `network.auto.tfvars`, and `terraform.tfvars.json`. An engineer runs `terraform apply` with no additional flags. Which
- An engineer created a file named `common.tfvars` in the working directory, expecting `terraform apply` to pick up its shared values automatically, but the values were not applied to the run. Why were
- TF_VAR_ environment variables
An environment variable named
TF_VAR_<name>sets the value of the input variable<name>.6 questions test this
- A variable `instance_count` is set to 2 in `terraform.tfvars`, the shell also has `TF_VAR_instance_count=3` exported, and an engineer runs `terraform apply -var="instance_count=5"`. All three sources
- An input variable `log_level` declares `default = "info"` and no .tfvars file sets it. A developer exports `TF_VAR_log_level=debug` in the shell and runs `terraform apply` with no `-var` flag. Which v
- In a CI pipeline that cannot write .tfvars files to disk, an engineer must supply a list value for the input variable `subnet_ids` using only an exported environment variable before `terraform apply`.
- An engineer has exported the environment variable `TF_VAR_environment=staging` in their shell, while the working directory's `terraform.tfvars` file sets `environment = "production"`. They run a bare
- A platform engineer is preparing to run `terraform apply` in a working directory that has no `-var` or `-var-file` flags and no `*.auto.tfvars` files. The shell has `TF_VAR_region=us-east-1` exported,
- An engineer needs to set the value of an input variable named `region` for a single run without editing any .tfvars file and without using the `-var` flag, by exporting a shell environment variable be
- Variable precedence order
When a variable is set in multiple places, precedence from highest to lowest is:
-var/-var-file(command line, last one wins),*.auto.tfvars(processed in lexical filename order),terraform.tfvars.json,terraform.tfvars,TF_VAR_environment variables, then thedefault.Trap Believing environment variables or
terraform.tfvarsoverride a command-line-varvalue.8 questions test this
- A `region` variable is assigned `us-east-1` in a `terraform.tfvars` file in the working directory. A platform engineer then runs `terraform apply -var="region=us-west-2"` from that same directory. Whi
- An engineer runs `terraform apply -var-file=base.tfvars -var-file=override.tfvars`, and both files assign a value to the variable `replicas`. Neither file is auto-loaded by name. Which file's value fo
- A variable `instance_count` is set to 2 in `terraform.tfvars`, the shell also has `TF_VAR_instance_count=3` exported, and an engineer runs `terraform apply -var="instance_count=5"`. All three sources
- An input variable `log_level` declares `default = "info"` and no .tfvars file sets it. A developer exports `TF_VAR_log_level=debug` in the shell and runs `terraform apply` with no `-var` flag. Which v
- The variable `env` is assigned "staging" in `terraform.tfvars`, "testing" in `terraform.tfvars.json`, and "production" in `prod.auto.tfvars`, all in the same working directory. No `-var` flag is used
- An engineer has exported the environment variable `TF_VAR_environment=staging` in their shell, while the working directory's `terraform.tfvars` file sets `environment = "production"`. They run a bare
- A platform engineer is preparing to run `terraform apply` in a working directory that has no `-var` or `-var-file` flags and no `*.auto.tfvars` files. The shell has `TF_VAR_region=us-east-1` exported,
- A working directory contains a `terraform.tfvars` file that sets `instance_count = 2` and a `prod.auto.tfvars` file that sets `instance_count = 5`. An engineer runs a bare `terraform plan` with no `-v
- Output block value argument
An
outputblock exposes data through its requiredvalueargument; root-module outputs are printed after apply and by theterraform outputcommand.8 questions test this
- A root configuration calls a child module labeled `network`, and that child declares an output named `subnet_id`. A teammate runs `terraform output` in the root directory expecting to see `subnet_id`,
- An engineer needs the private subnet ID created inside a child module named `network` and writes `module.network.aws_subnet.private.id` in the root configuration, but Terraform reports that the refere
- An engineer provisions an application load balancer whose DNS name is generated by the provider and is only known after creation. They want the root module to surface that DNS name so teammates can re
- An engineer wants a root `output` named `connection_string` whose value combines an `aws_db_instance` resource's `address` attribute with a fixed port suffix using string interpolation. Is such a comb
- After a successful `terraform apply`, an automation script needs the value of a single root output named `alb_dns_name` — not the full list of outputs — read back from the current state. Which command
- A teammate cleared their terminal and can no longer see the output values that `terraform apply` printed earlier. They want to redisplay those root module outputs without changing any infrastructure o
- A platform engineer adds an `output` block named `db_endpoint` to the root module and runs `terraform validate`, which fails with an error reporting a missing required argument. Which argument must ev
- After defining several `output` blocks in the root module of a configuration, an engineer runs `terraform apply` and approves the change. Without running any additional command afterward, where do the
- Accessing child module outputs
A parent module reads a child module's output as
module.<MODULE_NAME>.<OUTPUT_NAME>; only declared outputs are exposed, not the child's internal resources.Trap Attempting to reference a child module's resource directly instead of through a declared output.
2 questions test this
- A root configuration calls a child module labeled `network`, and that child declares an output named `subnet_id`. A teammate runs `terraform output` in the root directory expecting to see `subnet_id`,
- An engineer needs the private subnet ID created inside a child module named `network` and writes `module.network.aws_subnet.private.id` in the root configuration, but Terraform reports that the refere
- Sensitive output behavior
sensitive = trueon an output redacts it as<sensitive>in CLI output but the value is still stored in state, andterraform output -json/-rawreveal it.Trap Assuming a sensitive output is omitted from or encrypted in the state file.
4 questions test this
- An engineer adds `sensitive = true` to a root `output` block that exposes a generated database password and then runs `terraform apply`. What does Terraform display for that output at the end of the a
- A CI pipeline needs the plaintext value of a root output declared with `sensitive = true` so it can pass the value to a downstream step. Running `terraform output db_password` returns a redacted resul
- A security reviewer asks whether adding `sensitive = true` to an output that exposes an API token keeps that token out of the Terraform state file, or encrypts it there. For a configuration using the
- An engineer declares an input variable `db_password` with `sensitive = true`, then adds a root-module `output` named `database_password` whose `value` is `var.db_password`, but does not set `sensitive
Complex types
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Expressions and functions
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Resource dependencies
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Custom condition validation
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Managing sensitive data
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Terraform modules
How Terraform sources modules
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Local paths must begin with ./ or ../
A local path module source must begin with either
./or../so Terraform recognizes it as a filesystem path rather than a registry address; for examplesource = "./modules/vpc". A bare relative name likemodules/vpcis interpreted as a registry address, not a local path.Trap Believing a bare relative path such as
modules/vpc(without a leading ./) loads a local directory.5 questions test this
- A shared `modules/common` directory sits one level ABOVE a service's root configuration on disk. From that root module, an engineer wants the `source` argument to reference the shared directory as a l
- An engineer adds a `module "network"` block whose child code lives in a `modules/network` subdirectory of the same configuration, and writes `source = "modules/network"` with no leading `./`. After ru
- An engineer is reviewing four `module` blocks in one configuration and wants to identify the single block that Terraform will load as a LOCAL directory on disk rather than fetch from a remote location
- A platform team keeps a child module in a `./modules/app` directory committed to the same repository as the root configuration that calls it. A new engineer, used to modules pulled from the public reg
- After writing `source = "network"` for a module whose code lives in a `network` subfolder beside the root configuration, an engineer sees `terraform init` fail while trying to find the module in a reg
- Local modules are loaded in place, not downloaded
Terraform treats a local path module as part of the same package as the calling configuration and loads it directly from disk instead of fetching a cached copy. Edits to a local module take effect on the next plan or apply without re-running
terraform get.Trap Assuming local modules are copied into .terraform/modules and must be re-downloaded after every edit.
4 questions test this
- A platform engineer edits a resource inside a local child module referenced by `source = "./modules/vpc"`, then runs `terraform plan` from the root module without running `terraform get` again. A team
- A teammate wants to pin `source = "./modules/logging"` to a specific release by adding a `version` argument to the module block, exactly as they do for modules pulled from a registry. According to Ter
- A root configuration calls two child modules: one with `source = "./modules/db"` and another with `source = "terraform-aws-modules/vpc/aws"` from the public registry. After `terraform init` finishes s
- A platform team keeps a child module in a `./modules/app` directory committed to the same repository as the root configuration that calls it. A new engineer, used to modules pulled from the public reg
- The source value must be a literal string
The
sourceargument must be a literal string and cannot contain variables, expressions, or interpolation, because module sources are resolved duringterraform initbefore input variables are evaluated. This applies to every source type, local or remote.Trap Trying to build a source dynamically, e.g. source = "./modules/${var.name}".
3 questions test this
- To keep module blocks DRY, an engineer defines a local value `local.module_root = "./modules"` and then writes `source = "${local.module_root}/network"`, expecting Terraform to assemble the path from
- To reuse a single module block across several environments, a developer writes `source = "./modules/${var.env}"`, expecting Terraform to assemble the local path from an input variable when the plan ru
- During a code review, a colleague asks why Terraform refuses to let the `source` argument reference an input variable even though other arguments in the same module block accept variables freely. Whic
- Public registry address is //
A public Terraform Registry module is addressed with the three-part form
<NAMESPACE>/<NAME>/<PROVIDER>, for examplesource = "hashicorp/consul/aws". The final PROVIDER segment is required, not optional.Trap Thinking a registry address is only / and omitting the trailing provider segment.
5 questions test this
- During a code review, a teammate claims that the public registry address in the `source` value `terraform-aws-modules/vpc/aws` only needs the namespace and module name, and that the final `aws` segmen
- A platform engineer is adding a module block that pulls HashiCorp's official Consul module for Amazon Web Services directly from the public Terraform Registry, with no hostname prefix. Which value for
- An engineer copies a module block but accidentally leaves the `source` value as `terraform-aws-modules/vpc` (only two segments, with the provider part missing), and then runs `terraform init` to insta
- An engineer who has only ever consumed modules from the public Terraform Registry now needs to reference a module stored in the company's HCP Terraform private module registry. Compared with a public
- While reviewing module blocks, an engineer wants to identify the entry that sources a module from the PUBLIC Terraform Registry, which uses an address with no hostname prefix. Which of the following `
- Private registry addresses add a host prefix
A module in a private registry is addressed by prepending the registry hostname to the standard address:
<HOST>/<NAMESPACE>/<NAME>/<PROVIDER>, for examplesource = "app.terraform.io/example-corp/vpc/aws". Public registry modules omit the host.Trap Using a git:: URL for a private-registry module instead of the host/namespace/name/provider address.
7 questions test this
- Your organization already stores every Terraform module in Git repositories that teammates reference by URL. A lead asks what the HCP Terraform private module registry would add on top of simply shari
- An organization publishes several internal modules to its HCP Terraform private module registry. A newly onboarded engineer asks how teammates find out which modules and versions exist and whether any
- While reviewing two module blocks, an engineer sees one with `source = "hashicorp/vault/aws"` and another with `source = "app.terraform.io/acme-corp/vault/aws"`. The modules are otherwise equivalent.
- A team has published a `vpc` module to their organization `example-corp` in the HCP Terraform private module registry, reached at the SaaS host `app.terraform.io`, and the module targets AWS. In a new
- An engineer who has only ever consumed modules from the public Terraform Registry now needs to reference a module stored in the company's HCP Terraform private module registry. Compared with a public
- While reviewing module blocks, an engineer wants to identify the entry that sources a module from the PUBLIC Terraform Registry, which uses an address with no hostname prefix. Which of the following `
- A `vpc` module is published in the organization's HCP Terraform private registry as `app.terraform.io/example-corp/vpc/aws`. Instead of that address, an engineer sets the `source` value to `git::https
- HCP Terraform private module registry keeps modules confidential and versioned
A private module registry in HCP Terraform shares modules confidentially within an organization while still supporting Terraform's semantic version constraints and providing a browsable directory of published modules. A plain Git URL provides sharing but not the browsable versioned catalog.
Trap Assuming the public Terraform Registry can host organization-confidential modules.
5 questions test this
- Your organization already stores every Terraform module in Git repositories that teammates reference by URL. A lead asks what the HCP Terraform private module registry would add on top of simply shari
- An organization publishes several internal modules to its HCP Terraform private module registry. A newly onboarded engineer asks how teammates find out which modules and versions exist and whether any
- An engineer proposes pushing the team's internal, company-only Terraform modules to the public Terraform Registry, reasoning that as long as the module names are not publicized, nobody outside the com
- A platform team must share a curated set of approved infrastructure modules across their whole organization. The modules must stay confidential to the company, honor Terraform's semantic version const
- A `vpc` module is published in the organization's HCP Terraform private registry as `app.terraform.io/example-corp/vpc/aws`. Instead of that address, an engineer sets the `source` value to `git::https
- Git and GitHub module sources
Terraform installs modules from generic Git repositories with the
git::prefix (over HTTPS or SSH), and from GitHub with the shorthandsource = "github.com/org/repo". Bitbucket URLs are also detected automatically.Trap Believing every remote source needs the git:: prefix, even the github.com/ shorthand.
6 questions test this
- A configuration must have Terraform clone a private module repository over SSH, using key-based authentication, from a generic Git server at example.com under the path /storage.git. Which source value
- Your team keeps a Terraform module on a self-hosted GitLab server, reachable at the URL https://git.internal.example.com/infra/network.git, and you need Terraform to clone that generic HTTPS Git URL w
- A platform engineer packages a reusable networking module as a compressed .zip archive and uploads it to an S3 bucket, then sets source = "s3::https://s3.amazonaws.com/acme-tf-modules/networking.zip"
- A platform engineer is adding a networking module that lives in a public GitHub repository at github.com/acme/terraform-aws-vpc to a root configuration. She wants Terraform to install it using the bui
- An engineer sources a module from a generic Git repository at git::https://example.com/network.git and must have Terraform check out the release tagged v2.4.0 instead of the default branch. Which chan
- Your organization keeps a Terraform module in a public Bitbucket repository at bitbucket.org/acme/terraform-consul. A teammate claims you must place a git:: prefix in front of the URL before Terraform
- S3, GCS, and HTTP archive sources
Terraform can source modules from object storage using the
s3::prefix (e.g.s3::https://s3-eu-west-1.amazonaws.com/bucket/vpc.zip) or thegcs::prefix, and from plain HTTP URLs that point to a.ziparchive. These sources fetch a compressed archive rather than cloning a repository.Trap Thinking S3/GCS sources support a version argument like registry modules do.
7 questions test this
- An engineer sources a module with source = "s3::https://s3.amazonaws.com/corp-modules/network.zip" and wants to pin it to release 3.1.0, so they add version = "3.1.0" to the same module block. What ha
- A module is published as a downloadable zip archive at the plain URL https://modules.example.com/vpc-module.zip, served over standard HTTPS with no S3 or Git backing. If a module block sets source = "
- A team publishes their VPC module as a zip archive to a private S3 bucket, retrievable at https://s3-eu-west-1.amazonaws.com/examplecorp-terraform-modules/vpc.zip only with the team's AWS credentials.
- A single archive stored in S3 at corp-modules/platform.zip bundles several modules in separate folders, and you need Terraform to install only the module located in the networking/vpc subdirectory ins
- A platform engineer packages a reusable networking module as a compressed .zip archive and uploads it to an S3 bucket, then sets source = "s3::https://s3.amazonaws.com/acme-tf-modules/networking.zip"
- Your platform team stores a compressed Terraform module archive in a Google Cloud Storage bucket and wants Terraform to fetch it with the dedicated object-storage fetcher for Google Cloud rather than
- An engineer sources a module from a generic Git repository at git::https://example.com/network.git and must have Terraform check out the release tagged v2.4.0 instead of the default branch. Which chan
- Double-slash selects a sub-directory within a package
For sources that fetch a whole package (Git, archive, object storage), the
//double-slash selects a module in a sub-directory, for examplegit::https://example.com/network.git//modules/vpc. Everything before//identifies the package; everything after is the path inside it.
Variable scope within modules
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Using modules in configuration
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Managing module versions
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Terraform state management
Describe the local backend
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Local backend is the default and writes terraform.tfstate
If a configuration has no backend or cloud block, Terraform uses the local backend, which stores state as a file named terraform.tfstate in the root module's working directory and performs all operations on the local machine.
Trap The local backend is not 'no backend' — it is a real backend Terraform selects by default.
8 questions test this
- An engineer initializes a project that relies on the default local backend and runs a first `terraform apply`. What is the exact name of the file Terraform creates to hold the current state in the wor
- A teammate joins a project whose configuration contains no `backend` block and no `cloud` block. Seeing `terraform apply` succeed, they assume Terraform must be saving the state to HashiCorp's servers
- During a code review, a colleague looks at a Terraform configuration that contains no `backend` block and no `cloud` block and concludes, 'Since we never configured a backend, this project isn't using
- An engineer runs `terraform plan` and `terraform apply` for a configuration that uses the default local backend directly from their laptop. With respect to where the work happens and where the state l
- A platform engineer writes a new Terraform configuration that contains provider and resource blocks but no `backend` block and no `cloud` block, then runs `terraform apply` from their workstation. How
- A developer new to Terraform writes a configuration with only `provider` and `resource` blocks - no `backend` block and no `cloud` block - and worries that their infrastructure state will be lost betw
- To keep environment state files together, an engineer configures the local backend with `path = "state/prod.tfstate"` inside a `backend "local"` block and runs Terraform from the default workspace. Wh
- A configuration uses the default local backend and does not set the `path` argument. Relative to the project files, in which location does Terraform create the `terraform.tfstate` file?
- The path argument overrides the local state file location
The local backend's optional path argument sets the filename and location of the state file; when omitted it defaults to terraform.tfstate relative to the root module.
7 questions test this
- To keep environment state organized, an engineer configures the local backend with `path = "envs/prod/terraform.tfstate"` in their `backend "local"` block and applies from the default workspace. What
- An existing project has been applying with the default local backend and already has a populated `terraform.tfstate`. An engineer edits the `backend "local"` block to add `path = "infra/main.tfstate"`
- A configuration contains a `terraform { backend "local" {} }` block with no arguments inside it - in particular, the `path` argument is omitted. When the engineer runs Terraform, which state file does
- A team standardizing their repository layout wants Terraform to write the default workspace's state to `secrets/team.tfstate` instead of the usual `terraform.tfstate`, while still using the local back
- A developer new to Terraform writes a configuration with only `provider` and `resource` blocks - no `backend` block and no `cloud` block - and worries that their infrastructure state will be lost betw
- To keep environment state files together, an engineer configures the local backend with `path = "state/prod.tfstate"` inside a `backend "local"` block and runs Terraform from the default workspace. Wh
- A configuration uses the default local backend and does not set the `path` argument. Relative to the project files, in which location does Terraform create the `terraform.tfstate` file?
- Local backend locks state using system APIs
The local backend supports state locking, acquiring the lock through operating-system file-locking APIs rather than an external service.
Trap State locking is not exclusive to remote backends; the default local backend also locks state.
- -state and -state-out override read/write state files
For the local backend, -state=FILENAME overrides the file Terraform reads prior state from and -state-out=FILENAME overrides the file it writes the new state snapshot to; when -state-out is unset it defaults to the -state path.
10 questions test this
- In a directory with a `prod` workspace selected, an engineer runs `terraform apply -state-out=prod-out.tfstate`. Normally the prod workspace's state lives under terraform.tfstate.d/prod. When -state-o
- An engineer's configuration declares an `s3` backend for remote state and wants to redirect where the new state snapshot is written by adding `-state-out=custom.tfstate` to `terraform apply`. What is
- A practitioner has selected the `dev` workspace in a working directory that uses the local backend, then runs `terraform apply -state=shared.tfstate`. How does supplying -state affect which state file
- Working in the default workspace with the local backend, an engineer wants a `terraform apply` to leave the existing `terraform.tfstate` untouched and write the resulting snapshot to `candidate.tfstat
- A practitioner selects the `staging` workspace in a local-backend directory and runs `terraform apply -state=staging-manual.tfstate` to push an out-of-band fix. The next day, still on the `staging` wo
- An engineer wants a `terraform plan` on a local-backend configuration to read prior state from a custom file and also write the refreshed snapshot to a different custom file during planning. Which leg
- The Terraform documentation labels -state, -state-out, and -backup as legacy options it no longer recommends. According to that documentation, what original workflow were these three options preserved
- An engineer using the local backend runs `terraform apply -state=service.tfstate` and passes no -state-out option. The apply provisions new resources and completes successfully. Because -state-out was
- An engineer keeps two independent local state files, `frontend.tfstate` and `backend.tfstate`, in one working directory instead of using workspaces. To have `terraform plan` build its plan by comparin
- While scripting a disposable local-backend run, an engineer wants Terraform to skip creating the automatic .backup file that the local backend writes alongside the new state snapshot. Which value pass
- -backup writes a state backup and -backup=- disables it
The local backend writes a backup of the previous state to .backup by default; the -backup=FILENAME flag overrides that path, and -backup=- disables backups entirely.
- Legacy -state flags override workspace file selection
When you pass -state or -state-out, the selected workspace no longer determines the state filename, so you must manage distinct filenames per workspace yourself.
Trap Using -state does not switch workspaces; it bypasses workspace-based file selection entirely.
6 questions test this
- In a directory with a `prod` workspace selected, an engineer runs `terraform apply -state-out=prod-out.tfstate`. Normally the prod workspace's state lives under terraform.tfstate.d/prod. When -state-o
- A practitioner has selected the `dev` workspace in a working directory that uses the local backend, then runs `terraform apply -state=shared.tfstate`. How does supplying -state affect which state file
- A teammate believes that running `terraform apply -state=staging.tfstate` is a shortcut for switching to a workspace named 'staging' before applying. Evaluate this belief about what the -state option
- A practitioner selects the `staging` workspace in a local-backend directory and runs `terraform apply -state=staging-manual.tfstate` to push an out-of-band fix. The next day, still on the `staging` wo
- A team has three workspaces (default, staging, prod) in one local-backend directory and standardizes on always passing `-state=terraform.tfstate` to every apply for consistency. What risk does this pr
- An engineer keeps two independent local state files, `frontend.tfstate` and `backend.tfstate`, in one working directory instead of using workspaces. To have `terraform plan` build its plan by comparin
- Non-default workspaces live under terraform.tfstate.d
With the local backend, each non-default workspace's state is stored at terraform.tfstate.d//terraform.tfstate instead of the top-level state file.
12 questions test this
- A teammate new to Terraform asks how the local backend decides where to keep state for the built-in default workspace versus a workspace they created called reporting. Which statement correctly descri
- In a local-backend project, an engineer creates two workspaces, blue and green, and runs `terraform apply` in each. Inspecting the working directory afterward, which description best matches what Terr
- After spending the afternoon in a workspace named prod on a local-backend project, an engineer switches back by running `terraform workspace select default` and then runs `terraform apply`. Where does
- An engineer working with the local backend runs `terraform workspace new payments` and then runs `terraform apply` while the payments workspace is selected. On disk, which file now holds the state for
- A project on the local backend has both the default workspace and a prod workspace, so a terraform.tfstate.d/prod/terraform.tfstate file exists on disk. A teammate asks where the default workspace's o
- An engineer inspects a Terraform project that has only ever used the default workspace with the local backend and looks for a terraform.tfstate.d directory to back up. They find that no such directory
- An engineer has been managing infrastructure on the default workspace only, so its state sits in terraform.tfstate. They now run `terraform workspace new dev` to start a second environment. What happe
- A team keeps one Terraform configuration on the local backend and drives three environments from it using the workspaces dev, qa, and prod, alongside the untouched default workspace. How does Terrafor
- An engineer is moving a local-backend Terraform project to a new workstation and must manually copy every state file so that both the default workspace and a non-default prod workspace keep their stat
- An engineer opens a colleague's local-backend Terraform project for the first time and notices a terraform.tfstate.d directory that contains a single subfolder named prod. Before running anything, wha
- After creating a workspace named dev and running terraform apply in a project backed by the local backend, an engineer notices a new terraform.tfstate.d directory in the working directory that was not
- An engineer manages one Terraform configuration on the local backend and creates a workspace named staging in addition to the existing default workspace. After selecting staging and running terraform
- The default workspace uses the plain terraform.tfstate path
The default workspace stores its state directly at terraform.tfstate (or the configured path), not inside the terraform.tfstate.d directory.
Trap Only non-default workspaces use terraform.tfstate.d; the default workspace is not placed in a subdirectory.
9 questions test this
- A teammate new to Terraform asks how the local backend decides where to keep state for the built-in default workspace versus a workspace they created called reporting. Which statement correctly descri
- In a local-backend project, an engineer creates two workspaces, blue and green, and runs `terraform apply` in each. Inspecting the working directory afterward, which description best matches what Terr
- After spending the afternoon in a workspace named prod on a local-backend project, an engineer switches back by running `terraform workspace select default` and then runs `terraform apply`. Where does
- A project on the local backend has both the default workspace and a prod workspace, so a terraform.tfstate.d/prod/terraform.tfstate file exists on disk. A teammate asks where the default workspace's o
- An engineer inspects a Terraform project that has only ever used the default workspace with the local backend and looks for a terraform.tfstate.d directory to back up. They find that no such directory
- An engineer has been managing infrastructure on the default workspace only, so its state sits in terraform.tfstate. They now run `terraform workspace new dev` to start a second environment. What happe
- An engineer is moving a local-backend Terraform project to a new workstation and must manually copy every state file so that both the default workspace and a non-default prod workspace keep their stat
- An engineer opens a colleague's local-backend Terraform project for the first time and notices a terraform.tfstate.d directory that contains a single subfolder named prod. Before running anything, wha
- An engineer manages one Terraform configuration on the local backend and creates a workspace named staging in addition to the existing default workspace. After selecting staging and running terraform
- workspace_dir sets the non-default workspace directory
The local backend's optional workspace_dir argument overrides the default terraform.tfstate.d directory used to hold non-default workspace state files.
- terraform workspace subcommands
The terraform workspace command family manages named workspaces that each keep their own separate state: new creates and switches to a workspace, select switches to an existing one, list shows all workspaces (marking the current one with an asterisk), show prints the current workspace name, and delete removes an empty workspace. Terraform always starts with a workspace named default, which cannot be deleted.
Trap You cannot delete the workspace you are currently on or the default workspace, and delete refuses to remove a workspace whose state still tracks resources unless forced.
5 questions test this
- An engineer has several workspaces in a local-backend project and, before running a plan, wants Terraform to print only the name of the workspace that is currently selected. Which command does exactly
- Earlier in the sprint an engineer created a workspace named sandbox in a local-backend project. Today, while on the default workspace, they need to switch back to the already-existing sandbox workspac
- While cleaning up an old project, an engineer decides the built-in default workspace is unnecessary and runs terraform workspace delete default from a different, currently selected workspace. Accordin
- An engineer has been managing infrastructure on the default workspace only, so its state sits in terraform.tfstate. They now run `terraform workspace new dev` to start a second environment. What happe
- An engineer no longer needs a workspace called old-test whose local state still tracks several running resources. While selected on the default workspace, they run terraform workspace delete old-test.
Describe state locking
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Configure remote state with the backend block
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Manage resource drift and Terraform state
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Maintain infrastructure with Terraform
Import existing infrastructure
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Import requires a pre-existing resource block
Before running
terraform import ADDRESS ID, you must already have written the targetresourceblock in your configuration; the classic CLI import binds an existing object to that pre-existing address and cannot import into an address that has no matching resource block.Trap Assuming terraform import writes the resource block for you — it only updates state, so the configuration must exist first.
4 questions test this
- Before importing an existing database instance, an engineer adds an empty `resource "aws_db_instance" "main" {}` block with no arguments filled in, then runs `terraform import aws_db_instance.main <id
- An engineer wrote a `resource "aws_instance" "web"` block and then ran `terraform import aws_instance.web i-0abc123def456`, which completed successfully. Reviewing the result, a colleague claims Terra
- Your team is documenting the correct order of steps for importing a hand-built load balancer into Terraform. One engineer claims you can run `terraform import` first and add the `resource` block after
- A platform engineer wants to bring a hand-created object under Terraform management. In an otherwise empty working directory she immediately runs `terraform import aws_instance.web i-0abc123def`, and
- Two positional arguments: ADDRESS and ID
terraform importtakes exactly two positional arguments,terraform import ADDRESS ID, where ADDRESS is the resource address in your configuration and ID is the provider-specific identifier of the real object; the ID format varies by resource type.Trap Thinking the ID is a Terraform-chosen name — it is the provider's own object identifier and differs per resource type.
3 questions test this
- An engineer runs `terraform import aws_instance.web` and Terraform errors out asking for more input. She then tries `terraform import aws_instance.web i-0abc123 vpc-0def456`, which also fails. How man
- An engineer is importing an existing AWS EC2 instance and asks what value to supply as the `ID` positional argument in `terraform import aws_instance.web ID`. She wonders whether she gets to pick a fr
- During a migration an engineer needs to import an existing Route 53 hosted zone that was created by hand, and he has already written the matching `resource` block in his configuration. The `terraform
- CLI import only writes state
The
terraform importCLI command only records the existing object in Terraform state; it does not generate configuration and does not create, modify, or destroy any real infrastructure.Trap Expecting import to auto-generate HCL — the classic CLI command never generates configuration.
5 questions test this
- An engineer runs `terraform import aws_s3_bucket.logs my-logs-bucket` against a bucket that already holds production data, after writing the matching resource block. A teammate worries the command mig
- An engineer wrote a `resource "aws_instance" "web"` block and then ran `terraform import aws_instance.web i-0abc123def456`, which completed successfully. Reviewing the result, a colleague claims Terra
- A team wants Terraform to write the HCL for dozens of existing resources automatically rather than hand-authoring every `resource` block. They ask whether the classic `terraform import` CLI command ca
- Your team is documenting the correct order of steps for importing a hand-built load balancer into Terraform. One engineer claims you can run `terraform import` first and add the `resource` block after
- A platform engineer wants to bring a hand-created object under Terraform management. In an otherwise empty working directory she immediately runs `terraform import aws_instance.web i-0abc123def`, and
- No provider-specific import command
There is no provider-specific import command such as
terraform import-gcp, andterraform refreshdoes not adopt unmanaged objects; the only CLI way to bring existing infrastructure under management isterraform import ADDRESS ID(or a config-driven import block).Trap Believing a command like terraform import-gcp exists or that terraform refresh discovers and adopts unmanaged resources.
3 questions test this
- A team wants Terraform to write the HCL for dozens of existing resources automatically rather than hand-authoring every `resource` block. They ask whether the classic `terraform import` CLI command ca
- Someone on your team created several servers directly in the cloud console. A colleague suggests running `terraform refresh` so Terraform will detect those new servers and begin managing them. Before
- A teammate insists that because your infrastructure runs on Google Cloud, you should adopt an existing GCP object with a provider-specific command such as `terraform import-gcp`. You need to correct t
- import block uses to and id
The configuration-driven
importblock (Terraform 1.5+) declares an import with two arguments:to, the resource address to import into, andid, the provider-specific identifier of the existing object.Trap Swapping the arguments —
tois the Terraform resource address andidis the real object's provider ID, not the reverse.7 questions test this
- An engineer writes an import block whose id argument references an attribute of another resource that Terraform has not created yet, so the value is unknown until apply. When they run terraform plan,
- A platform engineer writes two import blocks in one configuration: one adopts an existing storage bucket and the other adopts an existing virtual machine. The value each block assigns to its id argume
- A platform engineer wants to bring an existing S3 bucket named prod-assets under Terraform management by binding it to the aws_s3_bucket.assets resource block that already exists in the configuration.
- A team successfully imported an existing resource using an import block plus its matching resource block and then ran terraform apply. A new engineer asks whether the import block must remain in the c
- An engineer's import fails. Their block reads to = "vol-0f9a2" and id = aws_ebs_volume.data, where vol-0f9a2 is the real EBS volume's identifier and aws_ebs_volume.data is the resource block in their
- An engineer wants to bring an existing database instance, whose provider-assigned identifier is prod-db-01, under Terraform management by importing it into the resource address aws_db_instance.prod. W
- An engineer adds an import block containing to = aws_iam_role.ci and id = "ci-deploy-role", but the configuration does not yet contain any resource block at that address. When they run terraform plan,
- Import blocks run through plan and apply
An
importblock is executed through the normal workflow:terraform planpreviews the planned import andterraform applyperforms it; there is no separate import subcommand, and theidmust be a literal or known value at plan time.Trap Thinking import blocks need a special command — they are planned and applied like any other configuration change.
8 questions test this
- An engineer writes an import block whose id argument references an attribute of another resource that Terraform has not created yet, so the value is unknown until apply. When they run terraform plan,
- A DevOps engineer adds an import block for an existing production VPC and then runs terraform plan with no extra flags. Before any changes are made to state, what does Terraform show for that import b
- A team runs Terraform in a CI/CD pipeline against HCP Terraform and wants to adopt several existing resources in a way that can be reviewed in a pull request before any state changes. Why is a config-
- A teammate has added an import block to your configuration to adopt an existing resource, and the matching resource block is already present. Following the config-driven import workflow, which single
- A team successfully imported an existing resource using an import block plus its matching resource block and then ran terraform apply. A new engineer asks whether the import block must remain in the c
- A DevOps engineer is used to adopting resources by running terraform import ADDRESS ID on the command line. They switch to a config-driven import block that already has a matching resource block. Whic
- A team successfully imported an existing resource using an import block and terraform apply. The next day a colleague runs terraform plan again with the same import block still in the configuration. W
- An engineer's configuration contains one import block for an existing network object plus two brand-new resource blocks that do not exist in the provider yet. After reviewing terraform plan, they run
- Import blocks can be removed after apply
Because an
importblock only affects state (recording an existing object at its address), you can safely remove the block from configuration after a successful apply without destroying the resource.- -generate-config-out generates HCL
Running
terraform plan -generate-config-out=<FILE>together with animportblock generates HCLresourceconfiguration for the imported objects into the given file; this config generation is a feature of import blocks, not of the classicterraform importCLI command.Trap Trying to use -generate-config-out with the classic terraform import CLI command — only the config-driven import block supports generated configuration.
11 questions test this
- An operations team must bring roughly forty manually-created cloud objects under Terraform management and wants to avoid hand-authoring a `resource` block for each one. Which approach lets Terraform d
- After adding `import` blocks for three legacy VPCs, an engineer runs `terraform plan -generate-config-out=vpcs.tf` and it completes without error. When she opens the new `vpcs.tf` file, what will it c
- Terraform documents two ways to import existing infrastructure: the imperative `terraform import` CLI command and the config-driven `import` block. A colleague asks which of the two can also generate
- An engineer ran `terraform import aws_s3_bucket.logs my-logs-bucket` to bring an existing bucket under management and expected Terraform to also write a `.tf` file containing the bucket's `resource` c
- A teammate generated resource configuration with `terraform plan -generate-config-out=main-generated.tf` and proposes running `terraform apply` against it immediately, assuming the output is productio
- A team has added `import` blocks, run `terraform plan -generate-config-out=new.tf`, and reviewed and edited the generated configuration. Which command do they run next to actually import the objects i
- Your configuration currently contains only `import` blocks and no other resources for the AWS provider. To generate configuration with `terraform plan -generate-config-out`, the docs say you must add
- You add an `import` block whose `to` argument is `aws_instance.web`, but your configuration contains no `resource "aws_instance" "web"` block yet. You would rather not write that block by hand. How ca
- An engineer wants the generated resources added into her existing `main.tf`, so she runs `terraform plan -generate-config-out=main.tf`, where `main.tf` already holds her provider and other resource bl
- A platform engineer has written several `import` blocks that each set a `to` address and an `id`, but none of the matching `resource` blocks exist in the configuration yet. She wants Terraform to writ
- An engineer has added several `import` blocks to a new configuration and now wants Terraform to auto-generate the corresponding `resource` HCL into a fresh file called `generated.tf` so she does not h
- Generated config is a starting point
Configuration produced by
-generate-config-outis a starting point that you should review and edit before applying, since generated blocks may include attributes that need adjustment to produce a valid plan.
Inspect state with the CLI
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Use verbose logging
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
HCP Terraform
Use HCP Terraform to Create Infrastructure
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Remote execution runs Terraform on HCP Terraform VMs
In a workspace using Remote execution mode (the default), HCP Terraform (formerly Terraform Cloud) performs plan and apply on its own disposable virtual machines using that workspace's configuration, variables, and state. Switching a workspace to Local execution mode makes it act only as a remote state backend while runs execute on your own workstation or CI, which disables policy checks, cost estimation, and remote runs.
Trap Assuming Local execution mode also stores state locally — it still stores state remotely; only the run execution moves to your machine.
5 questions test this
- A workspace is left in the default Remote execution mode. An engineer exports an environment variable in their own laptop shell and then queues a run, expecting that value to be present during the run
- An engineer switches an HCP Terraform workspace from its default execution mode to Local execution mode so runs happen on their laptop. They assume the input variables and variable sets they defined i
- A platform team adds a `cloud` block to their configuration, connects it to an HCP Terraform workspace, and leaves that workspace's execution mode at its default setting. When a colleague later queues
- A workspace is reconfigured to use Local execution mode. A teammate expects that Sentinel policy checks and cost estimation will keep running on every new run exactly as they did before. When the next
- During a Remote-mode run, an engineer sees the log download a small helper tool onto the HCP Terraform worker. They assume that tool will remain installed and available on the worker for the workspace
- Agent execution mode reaches private infrastructure
Agent execution mode runs Terraform on self-hosted HCP Terraform agents installed inside a private network, letting HCP Terraform manage runs against isolated or on-premises infrastructure it cannot reach directly.
- State is stored remotely per workspace
HCP Terraform stores Terraform state remotely and separately for each workspace, automatically retaining prior state versions. When you use the cloud integration you do not add a separate backend block, and state is never committed to version control.
Trap Thinking you still need a backend block alongside the cloud integration — the cloud block replaces backend configuration and manages state itself.
10 questions test this
- While integrating a configuration with HCP Terraform, an engineer adds a `cloud` block inside the `terraform` block. Unsure whether state will actually be stored, they ask a senior colleague whether t
- An auditor needs to inspect the current Terraform state and its recent prior versions for a workspace that uses the HCP Terraform cloud integration. Where does that state live, and how should the audi
- An engineer switches an HCP Terraform workspace from its default execution mode to Local execution mode so runs happen on their laptop. They assume the input variables and variable sets they defined i
- Two engineers queue applies against the same HCP Terraform workspace within moments of each other. Concerned about the workspace's shared state, a teammate asks how HCP Terraform keeps the two runs fr
- An engineer adds a `cloud` block to a configuration that currently uses the default local backend, leaving the existing `terraform.tfstate` file in the working directory. They then run `terraform init
- A team connects an HCP Terraform workspace to a Git repository so that pushes to the repository trigger runs. A newly onboarded engineer clones the repository and hunts for the `terraform.tfstate` fil
- A workspace is reconfigured to use Local execution mode. A teammate expects that Sentinel policy checks and cost estimation will keep running on every new run exactly as they did before. When the next
- An organization manages its development and production environments as two separate HCP Terraform workspaces created from the same configuration repository. A newly hired engineer asks how Terraform s
- After a dozen applies over several weeks in an HCP Terraform workspace, an engineer needs to review the state as it existed two applies ago to analyze how the infrastructure changed. What does HCP Ter
- A configuration already connects to an HCP Terraform workspace with a cloud block. To keep a redundant second copy of state, a teammate proposes also adding an S3 backend block to the same configurati
- Remote run stage order
A remote run moves through ordered stages: it queues (pending), executes a plan, then runs cost estimation, then any policy check, and finally performs the apply (plan -> cost estimation -> policy check -> apply). HCP Terraform surfaces the output of both the plan and apply phases on the run's details page.
Trap Thinking the policy check precedes cost estimation, or that they are one combined step; cost estimation always runs first (plan -> cost estimation -> policy check -> apply), which is why a Sentinel policy can gate on the cost estimate.
6 questions test this
- A run has just been queued in an HCP Terraform workspace and is currently sitting in the pending state. Once the run leaves the pending queue and HCP Terraform starts to actually execute it, which of
- While reviewing a run in HCP Terraform, a teammate insists that 'cost estimation and policy check' are a single combined governance step the platform performs together just before the apply. For a wor
- Two runs are queued at almost the same time against a single HCP Terraform workspace. The engineer wants to know how HCP Terraform handles the newly queued run and which stage it enters first once pro
- After a remote run in HCP Terraform has fully completed, an engineer opens the run's details page to review both what Terraform proposed and what it ultimately changed in the infrastructure. What outp
- An engineer is watching a remote run progress on its details page in HCP Terraform and wants to understand the fixed order of the stages that occur between the completed plan and the eventual apply. W
- An engineer is explaining to a teammate how HCP Terraform produces the cost figures they see on a run. Focusing on when the stage runs and what input it consumes, which description of the cost estimat
- Manual apply pauses for Confirm & Apply
With manual apply (the default), a finished plan pauses and a user with apply permission must click Confirm & Apply to proceed or Discard the run. Auto-apply, when enabled on the workspace, automatically applies plans that complete without errors.
Trap Assuming auto-apply is the default — HCP Terraform requires manual confirmation unless auto-apply is explicitly turned on.
5 questions test this
- In an HCP Terraform workspace that uses the default apply settings, a plan has finished and is waiting on the run's page for a decision. A team member who has only read access to the workspace wants t
- An operations team turns on auto-apply for a busy HCP Terraform workspace to reduce the number of manual approvals during routine deployments. Once auto-apply is enabled, how does it change what happe
- A busy HCP Terraform workspace has auto-apply turned on so routine runs apply without waiting for manual approval. During one run, the plan stage finishes but reports an error in the proposed changes.
- A platform engineer queues a run in an HCP Terraform workspace that still uses the workspace's default apply settings. The plan completes successfully with a set of proposed changes. With no other con
- Under default apply settings, an HCP Terraform workspace has a plan that finished and is now waiting for someone to confirm or discard it. Before anyone acts on it, a new commit is pushed to the conne
- Each workspace processes its run queue in order
Every workspace maintains its own run queue and processes apply-capable runs one at a time, in order. Changing variables or configuration only affects future runs, not a run that has already been planned.
- HCP Terraform cost estimation run stage
In an HCP Terraform run, cost estimation is a distinct stage that runs after the plan and BEFORE the policy check (order: plan -> cost estimation -> policy check -> apply), which is why a Sentinel policy can reference the estimate via the tfrun import. It produces the estimated total monthly cost of the resources in the plan plus the monthly delta (the cost change from the proposed run) for supported major providers (AWS, Azure, GCP), and is enabled per-organization in the organization settings.
Trap Assuming cost estimation runs after, or together with, the policy check; it actually runs before the policy check, which is exactly what lets a Sentinel policy gate on the estimated cost.
6 questions test this
- A new engineer asks how the cost figures for a run get produced in an HCP Terraform organization that already has cost estimation enabled - specifically, whether they need to run a separate command or
- While reviewing a run in HCP Terraform, a teammate insists that 'cost estimation and policy check' are a single combined governance step the platform performs together just before the apply. For a wor
- An engineer is watching a remote run progress on its details page in HCP Terraform and wants to understand the fixed order of the stages that occur between the completed plan and the eventual apply. W
- An engineer notices that runs in one HCP Terraform organization display cost estimates while runs in a second organization show none, even though both manage AWS, Azure, and GCP resources. Where is co
- An engineer is explaining to a teammate how HCP Terraform produces the cost figures they see on a run. Focusing on when the stage runs and what input it consumes, which description of the cost estimat
- During a run in an HCP Terraform organization that has cost estimation turned on, an engineer opens the cost estimation stage of the run. Setting aside the itemized per-resource breakdown, what two fi
- Three run workflows: UI/VCS, CLI, and API driven
HCP Terraform can start runs three ways: UI/VCS-driven (webhooks from a connected repository), CLI-driven (running terraform plan/apply locally with the cloud block configured), and API-driven (uploading a configuration version through the Runs API).
6 questions test this
- An organization's internal CI system, rather than a VCS webhook, decides when Terraform configuration has changed and must be run in HCP Terraform. The team wants that system to start each run program
- So that team members can keep typing `terraform plan` and `terraform apply` locally while the operations run remotely in HCP Terraform, an engineer must add one element to the `terraform {}` configura
- With the `cloud` block configured for the CLI-driven workflow, an engineer runs `terraform plan` from their terminal. The command streams plan output to the terminal, but the engineer notices there is
- An engineer new to HCP Terraform asks how the UI/VCS-driven, CLI-driven, and API-driven run workflows relate to one another. Which statement most accurately describes the relationship among these thre
- A platform engineer wants to keep starting runs by typing `terraform plan` and `terraform apply` in a local terminal, but needs each operation to execute remotely in HCP Terraform so it uses the works
- A team lead is mapping each of HCP Terraform's three run workflows to the mechanism that actually starts its runs. Which of the following pairings correctly matches a run workflow to the mechanism tha
- Speculative plans preview but cannot apply
A speculative plan is a plan-only run that previews proposed changes and policy results but can never apply changes or modify state. Because it cannot alter infrastructure, it bypasses the workspace lock and does not block other runs.
Trap Believing a speculative plan can be confirmed into an apply — it is strictly read-only and has no Confirm & Apply.
9 questions test this
- A reviewer triggers a speculative plan on a shared HCP Terraform workspace to preview a proposed configuration change. Afterward a colleague worries that the speculative run may have altered the works
- A new team member is confused: the run that HCP Terraform started from their merged commit to the tracked branch showed a Confirm & Apply button, but the run started earlier from their pull request di
- A developer opens a pull request against the branch tracked by a VCS-connected HCP Terraform workspace, and HCP Terraform posts a speculative plan back to the PR. The developer then pushes two more co
- A long-running apply is currently in progress and holding the lock on an HCP Terraform workspace. While that apply runs, a developer opens a pull request against the tracked branch, which triggers a s
- With the `cloud` block configured for the CLI-driven workflow, an engineer runs `terraform plan` from their terminal. The command streams plan output to the terminal, but the engineer notices there is
- A VCS-connected HCP Terraform workspace tracks the `production` branch. A developer pushes a commit to a separate `feature/logging` branch and, as a separate action, opens a pull request from `feature
- During code review, a teammate opens a plan-only (speculative) run in HCP Terraform to preview the changes a proposed configuration would make. The run succeeds and passes all policy checks. The teamm
- An engineer wants to preview exactly what a proposed configuration change would do in an HCP Terraform workspace with zero possibility that the run applies anything or writes to state. Which HCP Terra
- A VCS-connected HCP Terraform workspace tracks the `main` branch. A developer pushes a commit directly to `main`, not through a pull request, expecting HCP Terraform only to preview the change. Given
- Commit triggers a full run, PR triggers a speculative plan
For a VCS-connected workspace, a commit or merge to the tracked branch triggers a full run (plan then apply), while opening a pull request triggers only a speculative plan whose result is posted back to the PR.
4 questions test this
- A new team member is confused: the run that HCP Terraform started from their merged commit to the tracked branch showed a Confirm & Apply button, but the run started earlier from their pull request di
- A developer opens a pull request against the branch tracked by a VCS-connected HCP Terraform workspace, and HCP Terraform posts a speculative plan back to the PR. The developer then pushes two more co
- A VCS-connected HCP Terraform workspace tracks the `production` branch. A developer pushes a commit to a separate `feature/logging` branch and, as a separate action, opens a pull request from `feature
- A VCS-connected HCP Terraform workspace tracks the `main` branch. A developer pushes a commit directly to `main`, not through a pull request, expecting HCP Terraform only to preview the change. Given
HCP Terraform Collaboration and Governance
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Organizing HCP Terraform Workspaces and Projects
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Configure and Use HCP Terraform Integration
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.