Terraform-Associate-004 HashiCorp Certified: Terraform Associate (004) (HCTA0-004) Questions and Answers

From the Terraform Output Docs – Sensitive:

"Marking an output as sensitive prevents Terraform from showing its value in the CLI output,but it will still bestored in the state file."

Thus, it protects display, not storage.

Rationale for Correct Answer (B):

IaC best practice is to manage infrastructure through version-controlled code. Changes should be reviewed and approved (via PRs), ensuring collaboration, traceability, and automation.

Analysis of Incorrect Options:

A, D, E: Making direct/manual changes bypasses IaC practices and causes drift.

C: Running code without PR review skips collaboration and approval.

Key Concept:

Infrastructure as Code emphasizes version control + peer review + automation.

This is where the Terraform local backend stores its state, by default, unless you specify a different file name or location in your configuration. The local backend is the simplest backend type that stores the state file on your local disk.

Rationale for Correct Answer: depends_on explicitly adds a dependency edge in Terraform’s graph. By adding depends_on = [azurerm_role_assignment.kv_access] to the web app resource, you force Terraform to create the role assignment first, even if Terraform can’t infer the dependency from attribute references.

Analysis of Incorrect Options (Distractors):

B: create_before_destroy is a lifecycle setting relevant to replacement behavior, not initial create ordering between independent resources.

C: File/block order does not control creation order; Terraform uses its dependency graph.

D: count controls quantity, not ordering.

Key Concept: Dependency graph and explicit dependencies via depends_on.

Sentinel is a policy-as-code framework that allows you to define and enforce rules on your Terraform configurations, states, and plans1. Some of the benefits of using Sentinel with Terraform Cloud/Terraform Enterprise are:

•You can restrict specific resource configurations, such as disallowing the use of CIDR=0.0.0.0/0, which would open up your network to the entire internet. This can help you prevent misconfigurations or security vulnerabilities in your infrastructure2.

•Policy-as-code can enforce security best practices, such as requiring encryption, authentication, or compliance standards. This can help you protect your data and meet regulatory requirements3.

•You can enforce a list of approved AWS AMIs, which are pre-configured images that contain the operating system and software you need to run your applications. This can help you ensure consistency, reliability, and performance across your infrastructure4.

References =

•1: Terraform and Sentinel | Sentinel | HashiCorp Developer

•2: Terraform Learning Resources: Getting Started with Sentinel in Terraform Cloud

•3: Exploring the Power of HashiCorp Terraform, Sentinel, Terraform Cloud …

•4: Using New Sentinel Features in Terraform Cloud – Medium

This is what will happen if you run terraform destroy without any flags, as it will attempt to delete all the resources that are associated with your current working directory or workspace. You can use the -target flag to specify a particular resource that you want to destroy.

You do not need to use different Terraform commands depending on the cloud provider you use. Terraform commands are consistent across different providers, as they operate on the Terraform configuration files and state files, not on the provider APIs directly.

Rationale for Correct Answer: To make a variable optional, you define a type that allows omission. Using optional(string) indicates the input may be unset (commonly used when the variable is part of an object type, or when you want to explicitly model optionality). This supports reusable configs where the tag is included only when provided.

Analysis of Incorrect Options (Distractors):

A: Invalid syntax—type = default is not a valid type declaration.

B: Invalid syntax—default must have a value.

D: Invalid—there is no optional = true argument for variable blocks.

Key Concept: Input variable type constraints and optional inputs.

These are features of Terraform Cloud, which is a hosted service that provides a web-based UI, remote state storage, remote operations, collaboration features, and more for managing your Terraform infrastructure.

This is not true, as modules can be either public or private, depending on your needs and preferences. You can use the Terraform Registry to publish and consume public modules, or use Terraform Cloud or Terraform Enterprise to host and manage private modules.

Purpose of Refresh-Only Mode: Running Terraform inrefresh-only modeupdates Terraform's state file with the current state of resources in your infrastructure without making changes to the resources themselves.

Context of Terraform Import: When usingterraform import, you’re adding existing resources to the state file, and running Terraform in refresh-only mode before this operation can ensure that any initial configuration syncs precisely with the actual state.

For more on refresh-only mode in relation to terraform import, refer to Terraform's import documentation.

terraform graphgeneratesGraphviz DOT formatoutput, which allows visualization ofresource dependenciesin Terraform.

A (terraform refresh)– Incorrect, as it only updates the state file.

C (terraform output)– Incorrect, as it only displays Terraform output values.

D (terraform show)– Incorrect, as it only displays the Terraform state.

Official Terraform Documentation Reference:

terraform graph - HashiCorp Documentation

B (terraform init)–Must be run firstto initialize the Terraform working directory, download providers, and configure the backend.

A (terraform apply)– Requires initialization first, so itcannotbe run before terraform init.

C (terraform plan)– Also requires terraform init first to generate a plan.

D (terraform show)– Displays the state,not relevantfor first-time deployment.

Official Terraform Documentation Reference:

terraform init - HashiCorp Documentation

The .terraform.lock.hcl file is a new feature in Terraform 0.14 that records the exact versions of each provider used in your configuration. This helps ensure consistent and reproducible behavior across different machines and runs.

Rationale for Correct Answer: Data sources are referenced using the address format:data...Here, the type is aws_ami, the name is web, and the attribute is id, so the correct reference is data.aws_ami.web.id.

Analysis of Incorrect Options (Distractors):

A (aws_ami.web.id): Incorrect because it omits the required data. prefix. This looks like a managed resource reference, not a data source.

B (web.id): Incorrect because Terraform references must include the full address (type and name); web alone is ambiguous.

D (data.web.id): Incorrect because it omits the data source type (aws_ami).

Key Concept: Terraform addressing and attribute references for data sources.

Any user with permission to apply a plan can apply it, not only the user that generated it. This allows for collaboration and delegation of tasks among team members.

This is what state locking accomplishes, by preventing other users from modifying the state file while a Terraform operation is in progress. This prevents conflicts and data loss.

Rationale for Correct Answer: To save an execution plan to a file, Terraform uses the -out flag: terraform plan -out=tfplan. That produces a plan file that can later be applied with terraform apply tfplan.

Analysis of Incorrect Options (Distractors):

A: This is an apply command with a variable file flag; it does not create a plan file.

B: -target expects a resource address (like aws_instance.example), not a plan filename.

C: -generate-config-out is used with configuration generation workflows (e.g., from import), not for saving a plan.

Key Concept: Creating and saving plan files with terraform plan -out=....

This is how Terraform determines dependencies between resources, by using the references between them in the configuration files and other factors that affect the order of operations.

Terraform modules are referenced by specifying a source location. This location can be a URL or a file path. However, specifying query parameters such as ?version=vl.6.0 directly within the source path is not a valid or supported method for specifying a module version in Terraform. Instead, version constraints are specified using the version argument within the module block, not as part of the source string.References = This clarification is based on Terraform's official documentation regarding module usage, which outlines the correct methods for specifying module sources and versions.

Module variable assignments are not inherited from the parent module and you need to explicitly set them using the source argument. This allows you to customize the behavior of each module instance.

Rationale for Correct Answer: terraform plan -refresh-only refreshes (reconciles) the state with the real infrastructure only for the purpose of the plan output. It does not persist (write) those updates to the state file. To actually update the stored state, you must run terraform apply -refresh-only (or a normal terraform apply). This matches the Terraform CLI objective: plan previews changes; apply makes changes (including writing state).

Analysis of Incorrect Options (Distractors):

A (True): Incorrect because terraform plan does not write state; it only calculates and displays what would change.

Key Concept: The plan vs apply workflow and when Terraform writes state.

Rationale for Correct Answers:

B. View the execution plan: Correct — terraform plan shows what Terraform intends to do (create, update, or destroy).

C. Save a generated execution plan: Correct — using terraform plan -out=planfile lets you save the plan to apply later with terraform apply planfile.

Analysis of Incorrect Options:

A. Schedule runs in the future: Incorrect, Terraform does not provide scheduling; external tools (like cron, CI/CD) are required.

D. Execute a plan in a different workspace: Incorrect, execution happens in the current workspace; switching workspaces must be done before running the plan.

Key Concept:

terraform plan is used for previewing and optionally saving an execution plan for controlled and predictable infrastructure changes.

This is the meta-argument that you must include in any non-default provider configurations, as it allows you to give a friendly name to the configuration and reference it in other parts of your code. The other options are either invalid or irrelevant for this purpose.

When upgrading a provider,you must run terraform init -upgrade to install the new version.

Thisdownloads the latest provider versionand updates the local dependency cache.

terraform refresh(A)only updates the state file but doesnotupgrade providers.

terraform apply -upgrade(C)isnot a valid command.

terraform version can be upgraded separately, but(D)does not install a new provider version.

Official Terraform Documentation Reference:

Upgrading Providers in Terraform

This is the command that lets you experiment with Terraform expressions, by providing an interactive console that allows you to evaluate expressions and see their results. You can use this command to test your expressions before using them in your configuration files.

This will trigger a run in the Terraform Cloud workspace, which will perform a plan and apply operation on the infrastructure defined by the Terraform configuration files in the VCS repository.

Importing Existing Resources: Theterraform importcommand brings resources already deployed in a cloud environment into Terraform’s state file, allowing Terraform to manage them.

Workflow Usage: Importing is vital when managing resources created outside of Terraform or those in place before Terraform adoption.

Refer to Terraform’s import command documentation.

Rationale for Correct Answer:A Terraform resource block has the following structure:

resource "" "" {

}

In the exhibit:

Resource type: azurerm_resource_group

Resource name: dev

The resource name is the second label in the resource block and is used internally by Terraform to reference the resource (e.g., azurerm_resource_group.dev).

Analysis of Incorrect Options (Distractors):

A. azurerm: This is the provider name, not the resource name.

B. azurerm_resource_group: This is the resource type, not the name.

D. test: This is the value of the name argument inside the resource, not the Terraform resource name.

Key Concept:Understanding the distinction between resource type, resource name, and resource arguments in Terraform configurations.

Rationale for Correct Answer (B):

Provider version constraints in Terraform are specified using the version argument in the required_providers block, e.g.:

terraform {

required_providers {

aws = {

source = "hashicorp/aws"

version = "3.1"

}

}

}

This ensures Terraform always uses a specific provider version (or constraint expression).

Analysis of Incorrect Options:

A. version: Incomplete, no value specified.

C. version: 3.1: Incorrect syntax, Terraform uses = not :.

D. version - 3.1: Incorrect syntax, - is invalid here.

Key Concept:

Defining provider version constraints ensures consistent provider behavior across environments and avoids breaking changes.

The terraform state file is locked when a Terraform operation that could write state is in progress. This prevents concurrent state operations that could corrupt the state. The forbidden actions when the state file is locked are those that could write state, such as terraform apply, terraform destroy, terraform refresh, terraform taint, terraform untaint, terraform import, and terraform state *. The terraform validate command is also forbidden, because it requires an initialized working directory with the state file. The allowed actions when the state file is locked are those that only read state, such as terraform plan, terraform show, terraform output, and terraform console. References = [State Locking] and [Command: validate]

The terraform taint command marks a resource as tainted, which means it will be destroyed and recreated on the next apply. This way, you can replace the VM instance without affecting the database or other resources. References = [Terraform Taint]

Rationale for Correct Answer (False):

Any user with access to the saved plan file (terraform plan -out=planfile) can run terraform apply planfile. Terraform does not enforce user-specific restrictions.

Analysis of Incorrect Option:

True: Incorrect — Terraform doesn’t tie plan files to individual users.

Key Concept:

Plan files ensure predictability but are not bound to the identity of the user.

You need to write Terraform configuration files for the existing infrastructure that you want to import into Terraform, otherwise Terraform will not know how to manage it. The configuration files should match the type and name of the resources that you want to import.

Rationale for Correct Answer: terraform state rm

removes a resource from Terraform state without destroying the real infrastructure. After removal, Terraform “forgets” it and will no longer manage it (unless it’s re-imported). That matches the requirement: keep the resource, stop managing it.

Analysis of Incorrect Options (Distractors):

A: Removing the resource block causes Terraform to plan to destroy the resource (because it’s in state but no longer in config), which is the opposite of “keep it.”

B: Changing count can cause Terraform to destroy instances that no longer have an address (depending on indexing), and it doesn’t explicitly “stop managing” a specific existing instance safely.

D: moved blocks are for renaming/refactoring addresses while keeping management; they do not stop managing a resource.

Key Concept: Detaching resources from Terraform management using state subcommands (terraform state rm).

Terraform keeps track of the infrastructure state via the state file. When you initially ran terraform plan, Terraform determined that the port should be changed from80 to 443. However, since another team member manually modified the load balancer, Terraform's local state file is now outdated.

When you run terraform apply, Terraform willcompare the expected state (from the plan) with the actual state (from the provider API).

Since the port is already set to443, but the local state file still shows80, Terraform willfail with an errordue to the state mismatch.

To resolve this, you should run terraform refresh or use terraform apply -refresh-only to update the local state before applying changes.

Official Terraform Documentation Reference:

State Management - HashiCorp Documentation

Managing Drift in Terraform

When you use a remote backend that needs authentication, HashiCorp recommends that you:

E (✅Correct)–IaC aims to eliminate manual cloud console workflowsby using code-based automation.

A, B, C (✅Advantages of IaC)– IaC enablesself-service deployment, API-driven workflows, and dynamic resource scaling.

D (diff command)– While useful, troubleshooting via diff is not acore advantageof IaC.

Official Terraform Documentation Reference:

What is Infrastructure as Code?

You should run terraform init after you start coding a new Terraform project and before you run terraform plan for the first time. This command will initialize the working directory by downloading the required providers and modules, creating the initial state file, and performing other necessary tasks. References = : Initialize a Terraform Project

In Terraform, the max function can be used to select the largest number from a list of numbers. The max function takes multiple arguments and returns the highest one. For the list numcpus = [18, 3, 7, 11, 2], using max(numcpus...) will return 18, which is the largest number in the list.

Rationale for Correct Answer: A parent/root module can only read values from a child module if the child module exports them via an output block. The error indicates vnet_id is not an exported output from module.my_network. Defining output "vnet_id" { value = ... } inside the networking (child) module makes module.my_network.vnet_id valid.

Analysis of Incorrect Options (Distractors):

A: Incorrect—Terraform does not use module..outputs.

; module outputs are referenced directly as module..

.

B: Incorrect—variables are inputs to a module, not values exported from it.

C: Incorrect—missing the module. prefix and still uses an invalid .outputs path.

Key Concept: Module outputs are the contract for exposing child module values to the root/parent.

Rationale for Correct Answer (B):

The file() function reads a file from disk and returns its content as a string. This is commonly used for public keys (.pub files).

Analysis of Incorrect Options:

A. fileset(): Returns a set of filenames matching a pattern, not file contents.

C. filebase64(): Reads file and returns Base64 encoded string — unnecessary for .pub.

D. templatefile(): Used for rendering templates with variables, not raw file contents.

Key Concept:

Terraform’s file() function is used for injecting file content directly.

It lets you version, reuse, and share infrastructure configuration as code files, which can be stored in a source control system and integrated with your CI/CD pipeline.

It reduces risk of operator error by automating repetitive tasks and ensuring consistency across environments. IaC does not necessarily provision resources at a lower cost, secure your credentials, or prevent manual modifications to your resources - these depend on other factors such as your cloud provider, your security practices, and your access policies.

The terraform import command is used to import existing infrastructure into Terraform’s state. This allows Terraform to manage and destroy the imported infrastructure as part of the configuration. The terraform import command does not modify the configuration, so the imported resources must be manually added to the configuration after the import. References = [Importing Infrastructure]

Rationale for Correct Answer: Terraform logging is controlled via environment variables. TF_LOG sets the verbosity (e.g., DEBUG), and TF_LOG_PATH directs Terraform to write those logs to a specified file path. This is part of Terraform CLI troubleshooting and operational usage.

Analysis of Incorrect Options (Distractors):

B (Update the Terraform CLI configuration file): The CLI config can control some behaviors (credentials helpers, plugin cache, etc.), but log-to-file is specifically handled by TF_LOG_PATH.

C (Add a path argument to the terraform block): The terraform block configures required versions, required providers, and backends—not CLI logging output.

D (Run the terraform output command): terraform output displays output values from state; it has nothing to do with logging.

Key Concept: Terraform debugging and logging via environment variables (TF_LOG, TF_LOG_PATH).

Referencing Terraform Built-in Functions:

✅chomp: removes trailing newlines

✅join: combines list into string

✅split: splits string into list

❌slice:is nota valid Terraform string function (it's used in other languages like Python)

This is the recommended way to use a remote backend that needs authentication, as it allows you to provide the credentials via environment variables, command-line arguments, or interactive prompts, without storing them in the Terraform configuration files.

Terraform Cloud includes several features designed to enhance collaboration and infrastructure management. Two of these features are:

A web-based user interface (UI): This allows users to interact with Terraform Cloud through a browser, providing a centralized interface for managing Terraform configurations, state files, and workspaces.

Remote state storage: This feature enables users to store their Terraform state files remotely in Terraform Cloud, ensuring that state is safely backed up and can be accessed by team members as needed.

Rationale for Correct Answer: A Terraform configuration supports only one backend at a time. The backend determines where state is stored and how locking works. Terraform does not support writing the same state to multiple backends simultaneously via multiple backend blocks.

Analysis of Incorrect Options (Distractors):

A (True): Incorrect—Terraform allows only a single backend configuration for a given working directory/root module.

Key Concept: Single-backend design: one state location per configuration/workspace.

Rationale for Correct Answer: Terraform lists are zero-indexed. Given ["small", "medium", "large"], index 0 is small, index 1 is medium, and index 2 is large. Therefore, medium is var.sizes[1].

Analysis of Incorrect Options (Distractors):

A: Index 0 returns small, not medium.

C: Index 2 returns large, not medium.

D: Index 3 is out of range for a 3-element list.

Key Concept: Accessing list elements with zero-based indexing in Terraform expressions.

Terraform detects infrastructure drift by comparing thestate filewith the actual infrastructure.

When an instance ismanually deleted, Terraformsees it as missingand marks it for recreation.

Running terraform apply willonly recreate the missing instanceswhile leaving the rest of the infrastructure unchanged.

Explanation of incorrect answers:

A (Tear down everything and rebuild)– Incorrect. Terraform does not destroy existing infrastructure unless explicitly told to.

B (Build a completely new set of infrastructure)– Incorrect. Terraform does not create duplicates unless configuration changes.

D (Stop and error out)– Incorrect. Terraform does not fail; itrebuilds missing resourcesautomatically.

Official Terraform Documentation Reference:

Handling Infrastructure Drift

The terraform state list command lists all resources that are managed by Terraform in the current state file1. The terraform state show command shows the attributes of a single resource in the state file2. By using these two commands, you can compare the VM IDs in your list with the ones in the state file and identify which one is managed by Terraform.

This is the correct way to reference the volume IDs associated with the ebs_block_device blocks in this configuration, using the splat expression syntax. The other options are either invalid or incomplete.

terraform validate does not confirm that your infrastructure matches the Terraform state file. It only checks whether the configuration files in a directory are syntactically valid and internally consistent3. To confirm that your infrastructure matches the Terraform state file, you need to use terraform plan or terraform apply with the -refresh-only option.

Infrastructure as Code (IaC) provides several benefits, including the ability to version control infrastructure, reuse code, and automate infrastructure management. However, IaC is typically associated with declarative configuration files and does not inherently provide a graphical user interface (GUI). A GUI is a feature that may be provided by specific tools or platforms built on top of IaC principles but is not a direct benefit of IaC itself1.

References = The benefits of IaC can be verified from the official HashiCorp documentation on “What is Infrastructure as Code with Terraform?” provided by HashiCorp Developer1.

Rationale for Correct Answer: terraform apply -replace=ADDRESS forces Terraform to replace the specified resource during the next apply, meaning it will plan to destroy and then recreate it (or create-before-destroy if the resource supports it and the graph/lifecycle allows). This is used when a resource is unhealthy, drifted in a way that’s hard to correct, or you want a fresh instance without changing configuration.

Analysis of Incorrect Options (Distractors):

A: Incorrect—-replace is not “destroy only”; it’s destroy + recreate.

B: Incorrect—ignoring changes is done with lifecycle ignore_changes, not -replace.

D: Incorrect—destroying everything is terraform destroy (or apply with all resources removed), not -replace.

Key Concept: Forcing resource replacement using -replace in the apply workflow.

Rationale for Correct Answer (C):

Credentials should not be hardcoded in Terraform files. Best practice is to configure them via environment variables or secret managers.

Analysis of Incorrect Options:

A: Shared servers introduce risk and drift.

B: Storing secrets in config/version control is insecure.

D: Incorrect since option C is valid.

Key Concept:

Separation of credentials from code is a Terraform security best practice.

terraform initretrieves and caches providers and modules, butonly for explicitly declared modulesin the configuration.

If a module isadded or updated, terraform init needs to be re-run to download the new version.

Terraform does not automatically cache all remote modules unless they are explicitly referenced in the configuration.

Official Terraform Documentation Reference:

terraform init - HashiCorp Documentation

Rationale for Correct Answer (True):

A cloud block in Terraform configuration specifies a single Terraform Cloud or HCP Terraform workspace. You cannot use one cloud block for multiple workspaces.

Analysis of Incorrect Option:

False: Incorrect because a cloud block is a one-to-one mapping with a single workspace.

Key Concept:

Cloud blocks manage remote operations and backend configuration tied to one workspace.

Rationale for Correct Answer: terraform fmt automatically rewrites .tf files to match Terraform’s canonical formatting (indentation, spacing, alignment conventions). This is the standard tool for enforcing consistent style across a team.

Analysis of Incorrect Options (Distractors):

B: Insufficient—formatting is more than tabs vs spaces; terraform fmt handles the full HCL style.

C: terraform validate checks syntax and internal consistency, not formatting.

D: Terraform does not auto-format configuration during apply.

Key Concept: Standardizing HCL formatting with terraform fmt.

Rationale for Correct Answer: A resource block creates/updates/destroys an infrastructure object and contains the configuration settings for that managed object (e.g., a VM, bucket, network). This is how Terraform manages real infrastructure.

Analysis of Incorrect Options (Distractors):

B (provider): Configures how Terraform connects to an API (region, credentials), not an infrastructure object.

C (data): Reads existing infrastructure; it does not manage (create/update/destroy) it.

D (locals): Defines named expressions for reuse; it doesn’t manage infrastructure.

Key Concept: Managed infrastructure is defined with resource blocks.

This is the best time to run terraform validate, as it will check your code for syntax errors, typos, and missing arguments before you attempt to create a plan. The other options are either incorrect or unnecessary.

Automated Visualization: HCP Terraform providesvisualization toolsthat map infrastructure configurations, helping users manage complex architectures.

Remote State Storage: Terraform Cloud offersremote state management, essential for teams working collaboratively on shared infrastructure, ensuring consistency and avoiding state conflicts.

For more information, consultTerraform Cloud and HCP Terraform featuresin the official documentation.

 Terraform configuration (including any module references) can contain more than one Terraform provider type. Terraform providers are plugins that Terraform uses to interact with various cloud services and other APIs. A Terraform configuration can use multiple providers to manage resources across different platforms and services. For example, a configuration can use the AWS provider to create a virtual machine, the Cloudflare provider to manage DNS records, and the GitHub provider to create a repository. Terraform supports hundreds of providers for different use cases and scenarios. References = [Providers], [Provider Requirements], [Provider Configuration]

Rationale for Correct Answer (A):

Terraform does not automatically update state references when resource identifiers are renamed. Instead, you must use a moved block in your configuration to inform Terraform how to map the old resource to the new one. This prevents Terraform from destroying and recreating the resource.

Analysis of Incorrect Options:

B & C: Incorrect syntax — moved requires from and to.

D: Incorrect, Terraform won’t auto-detect renames and will plan to destroy and recreate the resource unless a moved block is provided.

Key Concept:

The moved block is essential for refactoring resource names without losing resources in state.

The execution plan for terraform apply will not be the same as the one you ran locally with terraform plan, if your teammate manually modified the infrastructure component you are working on. This is because Terraform will refresh the state file before applying any changes, and will detect any differences between the state and the real resources.

Rationale for Correct Answer: terraform output shows the root module’s outputs (the outputs defined in the current working directory’s root module). Outputs from child modules are not directly listed unless the root module re-exports them via its own output blocks (e.g., output "child_public_ip" { value = module.child.public_ip }).

Analysis of Incorrect Options (Distractors):

A (True): Incorrect because child module outputs are accessible via module..

, but terraform output displays only outputs defined in the root module.

Key Concept: Module outputs scope: child outputs must be exposed through root outputs to be shown by terraform output.

Rationale for Correct Answer (D):

terraform state list shows all resources currently managed by Terraform. terraform state show provides detailed attributes, including the VM ID. This lets you match the Terraform-managed instance with the actual infrastructure.

Analysis of Incorrect Options:

A: Importing is not needed since one VM is already in state.

B: terraform apply doesn’t show which VM ID is managed, it only refreshes attributes.

C: Removing state entries is destructive and may lead to losing state data unnecessarily.

Key Concept:

The state file is Terraform’s source of truth for which resources it manages.

Terraform variable names are not saved in the state file, only their values are. The state file only stores the attributes of the resources and data sources that are managed by Terraform, not the variables that are used to configure them.

Terraform providers are not always installed from the Internet. There are other ways to install provider plugins, such as from a local mirror or cache, from a local filesystem directory, or from a network filesystem. These methods can be useful for offline or air-gapped environments, or for customizing the installation process. You can configure the provider installation methods using the provider_installation block in the CLI configuration file.

Speculative Plans: Terraform Cloud’sspeculative planfeature runs automatically when changes are detected in a linked VCS repository, enabling users to review potential infrastructure changes without committing them.

Automatic Integration: This feature automates the planning process by triggering when changes are committed, aiding teams in previewing infrastructure changes seamlessly.

For further understanding, see theTerraform Cloud VCS Integrationdocumentation.

Dynamic blocks in Terraform allow you to define multiple nested blocks within a resource based on the values of a variable. This feature is particularly useful for scenarios where the number of nested blocks is not fixed and can change based on variable input.

Terraform’s Indentation Standards: Terraform’s style convention usestwo spaces per nesting levelfor readability, helping to maintain uniform code across teams.

Configuration Files: Consistent indentation is crucial for Terraform’s HCL syntax, as it improves readability and avoids parsing issues.

More details are available in theTerraform configuration style guide.

Terraform creates the .terraform.lock.hcl file after the first terraform init command. This lock file ensures that the dependencies for your project are consistent across different runs by locking the versions of the providers and modules used.

The terraform plan command is used to create an execution plan. It allows you to see what actions Terraform will take to reach the desired state defined in your configuration files. It evaluates the current state and configuration, showing a detailed outline of the resources that will be created, updated, or destroyed. This is a critical step in the development process as it helps you verify that the changes you are about to apply will perform as expected, without actually modifying any state or infrastructure.

Changes invoked by terraform apply take effect once the resource provider has fulfilled the request, not after Terraform has updated the state file or immediately. The state file is only a reflection of the real resources, not a source of truth.

Infrastructure as Code (IaC) refers to managing infrastructureprogrammatically, enabling automation and repeatability.

Ais incorrect becauseIaC is not just about software delivery pipelines; it specifically deals with infrastructure.

Bis incorrect because"Write once, run anywhere" applies more to software development than IaC.

Dis incorrect becauseIaC does not enforce vendor-agnostic APIs; it depends on the tool and provider.

Official Terraform Documentation Reference:

What is Infrastructure as Code?

Some backends support state locking, which prevents other users from modifying the state file while a Terraform operation is in progress. This prevents conflicts and data loss. Not all backends support this feature, and you can check the documentation for each backend type to see if it does.

Rationale for Correct Answers:

C. terraform.tfvars securely managed: Acceptable if distributed securely outside version control.

D. HCP Terraform/Terraform Cloud sensitive variables: Official best practice for team-based workflows.

E. Vault: HashiCorp Vault is designed for secret management and integrates well with Terraform.

Analysis of Incorrect Options:

A: Storing plaintext secrets on shared drives is insecure.

B: Checking secrets into version control is a major security risk.

Key Concept:

Sensitive values should be managed securely in Vault, HCP Terraform, or securely shared .tfvars files — never in plaintext or version control.

This is not a valid Terraform collection type, as Terraform only supports three collection types: list, map, and set. A tree is a data structure that consists of nodes with parent-child relationships, which is not supported by Terraform.

In the given Terraform configuration snippet:

resource "aws_vpc" "main" {

name = "test"

}

The provider for the resource aws_vpc is aws. The provider is specified by the prefix of the resource type. In this case, aws_vpc indicates that the resource type vpc is provided by the aws provider.

You cannot reference a resource created with for_each using a splat (*) expression, as it will not work with resources that have non-numeric keys. You need to use a for expression instead to iterate over the resource instances.

Rationale for Correct Answer: A Terraform configuration supports a single cloud block (similar to a single backend configuration). The cloud block defines where Terraform runs (HCP Terraform / Terraform Enterprise) and how the workspace is associated. You cannot connect one configuration to two separate Cloud/Enterprise instances simultaneously using multiple cloud blocks.

Analysis of Incorrect Options (Distractors):

A (True): Incorrect—Terraform does not allow multiple cloud blocks; the configuration can target only one Cloud/Enterprise context at a time.

Key Concept: cloud block constraints and workspace association with HCP Terraform/Terraform Enterprise.

Module version is optional to reference a module on the Terraform Module Registry. If you omit the version constraint, Terraform will automatically use the latest available version of the module

Terraform allows usingprivate module sourceshosted in:

C (Internally hosted VCS platforms, e.g., GitLab, Bitbucket, GitHub Enterprise)✅

D (Private GitHub repositories)✅

A (Public GitHub repository)❌–GitHubis supported, but apublic repo is not "private".

B (Public Terraform Registry)❌–The public registryis not a private source.

Official Terraform Documentation Reference:

Terraform Module Sources

A Terraformbackenddetermineswhere and how Terraform state is stored.

Bothterraform applyandterraform destroyinteract with state, so Terraform needs access to the backend for state storage and updates.

D (Neither are correct)is incorrect becauseTerraform state is required for both apply and destroy operations.

Official Terraform Documentation Reference:

Terraform Backends