254 questions · instant answer feedback · concise explanations · free
Question 1 of 254True or False? By default, the terraform destroy command will prompt the user for confirmation before proceeding.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. True
The terraform destroy command requires interactive confirmation by default to prevent accidental infrastructure deletion. You can bypass this safety prompt using the dash dash auto-approve flag during automation workflows.
Question 2 of 254When assigning a value to a Terraform input variable through an environment variable, which prefix string is necessary?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. TF_VAR_
Environment variables intended to set Terraform inputs must use the TF_VAR_ prefix followed by the variable name. The other prefixes are invalid because Terraform strictly matches this specific pattern when populating the root module variables.
Question 3 of 254A resource was changed manually outside of Terraform. You don't want to make any changes yet, but you want to see how the state would be updated to match the current real-world values. Which command should you run?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. terraform plan -refresh-only
The plan with refresh-only flag updates state to match current real-world values without proposing infrastructure changes. Apply would attempt to modify infrastructure, which violates the requirement.
Question 4 of 254Why is using a single tool like Terraform for multi-cloud deployments more beneficial than using separate tools and workflows for each cloud?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. It provides a common workflow and reusable modules, enabling consistent CI/CD and policy across clouds.
A single declarative tool provides a standard workflow using reusable modules across different providers. Do not assume it eliminates cloud-specific APIs or credentials; it simply standardizes the deployment process.
Question 5 of 254Your team is building a reusable Terraform module for web servers. The module must always create exactly two instances, and you want Terraform to fail if a caller tries to use any other value during plan or apply. Which approach should you use to enforce this requirement?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Add a validation block that checks the variable equals 2 and provides an error message if it does not.
A variable validation block actively enforces business logic by failing the plan if the input does not equal two. Simply setting a default value does not prevent users from overriding it.
Question 6 of 254You've decided to change your backend configuration from S3 to HCP Terraform. After updating the backend block, you run terraform init. Which flag should you use to reconfigure the backend without copying the existing state?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. terraform init -reconfigure
The -reconfigure flag forces Terraform to ignore the previous backend configuration and prevents any automatic state migration. Use -migrate-state instead if you actually want to copy state.
Question 7 of 254You are calling a child module named network from your root module. In your root module, you attempt to reference the VPC ID as displayed below. When you run terraform plan, Terraform returns an error that vpc_id is not a valid attribute for module.network. What is the most likely cause of this error?resource "aws_subnet" "primary_core" { vpc_id = module.network.vpc_id cidr_block = "10.5.0.0/23" }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. The network module did not define an output block that exports the VPC ID, resulting in the error.
Child module resources are hidden from the parent unless an output block explicitly exports them. The other options are invalid because module outputs are referenceable during plan and require no data blocks or root variables.
Question 8 of 254You are performing a code review of a colleague's Terraform code and see the following code. Where is this module stored?module "vault-aws-tgw" { source = "terraform-aws-modules/transit-gateway/aws" version = "3.0.3"client_id = var.bk_client hvn_id = var.hvn route_table_id = var.rtb_id }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. the Terraform public registry
Using a source string with the namespace, name, and provider format points directly to the public Terraform Registry. The other options are incorrect because local paths use absolute or relative file references, not slash-separated registry identifiers.
Question 9 of 254Your colleague provided the code snippet below and is looking for assistance in identifying the implicit dependency. What is the implicit dependency in this code?resource "aws_eip" "public_ip" { vpc = true instance = aws_instance.web_server.id }resource "aws_instance" "web_server" { ami = "ami-502b7f631" instance_type = "t2.micro"depends_on = [aws_s3_bucket.company_data] }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. The EC2 instance labeled web_server
Referencing an attribute from another resource creates an implicit dependency that Terraform automatically resolves in the graph. The S3 bucket is an explicit dependency created by the depends_on argument, not an implicit one.
Question 10 of 254Which statement best describes a Terraform data source?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. a read-only construct that queries provider APIs and returns attributes for use elsewhere in the configuration
A data source is a read-only construct that queries provider APIs to fetch existing infrastructure attributes for use elsewhere. It does not create resources, persist variables, or cache values between runs.
Question 11 of 254You have a variable containing subnet CIDR blocks as a list: ["10.0.5.0/24", "10.0.0.0/24", "10.0.2.0/24"]. You need to determine how many subnets are in the list to use. Which function returns the number of elements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. length(var.subnet_cidrs)
The length function returns the total number of elements contained within a given list or string. The contains function checks for a specific value, while keys and values target map objects rather than simple lists.
Question 12 of 254You have split a large module into multiple .tf files and rearranged several resource blocks without changing any arguments or references. What impact should this have when running a terraform plan?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. No changes. Block order doesn't affect the plan because Terraform parses all .tf files in a module together during execution.
Terraform parses all configuration files within a module together, making resource block order completely irrelevant to the execution plan. Distractors suggesting replacements or minor changes confuse Terraform with imperative scripting languages.
Question 13 of 254What sets Infrastructure as Code (IaC) apart from managing infrastructure directly instead of making raw API calls or executing CLI commands?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Terraform uses declarative configuration to describe the desired end state and generates a plan of action before applying changes.
Infrastructure as Code relies on declarative configuration to describe the desired end state rather than imperative step-by-step logic. Terraform does not automatically update resources later without an explicit apply process.
Question 14 of 254In Terraform, what does "drift" mean in the context of a workspace's state?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Real infrastructure has changed outside Terraform and no longer matches the desired state.
Drift means real infrastructure has changed outside Terraform and no longer matches the desired state. The other options describe pure configuration or backend changes, which do not represent infrastructure drift.
Question 15 of 254Which feature of HCP Terraform enables you to publish and maintain a set of custom modules that can only be used within your organization?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. HCP Terraform private registry
The private registry allows you to securely publish and maintain custom modules restricted to your organization. Public registry modules are visible to everyone, and VCS integrations only link source code.
Question 16 of 254You are using a local backend and accidentally delete the terraform.tfstate file for your workspace. What is the most serious consequence?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Terraform can no longer track the resources it manages, so the next plan or apply might attempt to create duplicate resources.
Deleting local state severs Terraform's tracking of managed resources, causing the next apply to attempt creating duplicates. Terraform cannot magically reconstruct state from variables or provider APIs.
Question 17 of 254In HCP Terraform, what is the purpose of using a run trigger?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. to automatically queue a new run in one workspace after another workspace applies successfully
Run triggers automatically queue a workspace run immediately after another specified workspace applies successfully. They orchestrate dependencies between workspaces, whereas credentials or approvals use different features.
Question 18 of 254You are reviewing Terraform code from a colleague and discover a `.terraform/` directory. What is the purpose of this directory?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. The .terraform/ directory stores Terraform's local working data, including installed provider and module plugins and backend metadata.
This directory stores local working data like installed provider and module plugins plus backend metadata. Terraform downloads these during initialization, whereas sensitive state and credentials are stored elsewhere.
Question 19 of 254You're deploying AWS infrastructure and writing the configuration as shown below. What does the reference `aws_vpc.main.id` in the subnet configuration accomplish?resource "aws_vpc" "main" { cidr_block = "10.5.0.0/16"tags = { Name = "production-vpc" } }resource "aws_subnet" "public" { vpc_id = aws_vpc.main.id cidr_block = "10.5.2.0/24"tags = { Name = "bk-public-subnet" } }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. it retrieves the VPC's ID and creates an implicit dependency
Referencing the VPC resource retrieves its ID and creates an implicit dependency, ensuring correct creation order. Terraform handles resource dependencies automatically through these references instead of manual ordering.
Question 20 of 254You're invoking a module that creates a subnet. The root load balancer module requires that subnet's ID. How should you expose the ID and pass it to the load balancer module?modules/subnets:resource "aws_subnet" "bk" { vpc_id = aws_vpc.bk.id cidr_block = var.subnet_cidrtags = { Name = "BK Subnet" } }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. add an output block to the subnet module and pass the value for the load balancer module using module.subnets.subnet_id
You must add an output block in the child module to expose the subnet ID, then reference it in the root module. Resources created inside a module are hidden from the root configuration unless explicitly exported as outputs.
Question 21 of 254Your team uses HCP Terraform with a CLI-driven workflow. After making changes to your configuration locally, you run terraform plan. Where does the plan operation execute?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. on HCP Terraform infrastructure with results streamed back to your terminal
In a CLI-driven workflow, plan operations execute remotely on HashiCorp infrastructure with results streamed to your terminal. Local execution is bypassed entirely to ensure consistent runs and enable collaboration features.
Question 22 of 254True or False? In the configuration below, the aws_volume_attachment.attach_data resource has an implicit dependency on both the instance and the volume.resource "aws_instance" "app_core" { ami = "ami-0c55b159cbfafe1f0" instance_type = "t3.micro" availability_zone = "ca-central-1a"tags = { Owner = "btk-platform", Env = "pr0d-east" } }resource "aws_ebs_volume" "data_pr0d_east" { availability_zone = "ca-central-1a" size = 10 }resource "aws_volume_attachment" "attach_data" { device_name = "/dev/xvdf" volume_id = aws_ebs_volume.data_pr0d_east.id instance_id = aws_instance.app_core.id }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. True
Referencing resource attributes creates implicit dependencies that dictate execution order. The attachment block references both the volume and instance identifiers, so Terraform automatically waits for them.
Question 23 of 254Your team's change management process requires that all Terraform changes be reviewed and approved before execution. You run terraform plan -out=bk-project.tfplan and send the output for review. After approval is granted two hours later, what command should you run to execute the exact changes that were reviewed?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. run terraform apply bk-project.tfplan to execute the saved plan
Applying a saved plan file executes the exact changes that were reviewed and approved. Without a plan file, Terraform recalculates the diff, bypassing your change management process.
Question 24 of 254How do you specify which provider Terraform should install for a configuration?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Define the provider in required_providers and add a matching provider block in the configuration.
The required_providers block specifies source addresses and versions for providers. Terraform downloads them during initialization, whereas manual binary placement is unsupported.
Question 25 of 254You added a new module block to an existing Terraform configuration to reuse infrastructure code from a remote source. What do you need to do so that Terraform downloads the module and makes it available in your working directory?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Run terraform init to install the module into the current working directory.
Running initialization downloads modules from their configured sources and caches them locally. Terraform never downloads modules automatically during a plan.
Question 26 of 254In a Terraform module block that sources a module from a registry, why should you include the version argument?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. to pin a specific module release and avoid unexpected upgrades
Pinning the version prevents unexpected breaking changes when module authors publish new releases. This argument constrains the module code, not the Terraform CLI or provider versions.
Question 27 of 254Which of the following statements is the most accurate about the Terraform language?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Terraform is an immutable, declarative Infrastructure as Code language based on HashiCorp Configuration Language or JSON.
Terraform uses a declarative syntax where you define the desired end state. Distractors mentioning imperative or mutable workflows describe traditional configuration management tools.
Question 28 of 254After creating several new Terraform configurations, you want to quickly format the files without editing each one manually. How can you update all the files at once?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. terraform fmt
The formatting command rewrites configuration files to canonical style in a single pass. Validation checks syntax, while initialization downloads plugins.
Question 29 of 254Aside from traditional code reviews, which Terraform command provides an opportunity for team members to review each other's work before deployment?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. terraform plan
The plan command generates an execution plan showing proposed changes before deployment. This allows teams to catch errors before any infrastructure is modified.
Question 30 of 254Why is state locking necessary when using a remote backend?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. prevents concurrent runs from writing to the same state at the same time to avoid state corruption.
State locking prevents concurrent operations from corrupting the state file. It ensures serial execution, while caching and encryption are separate backend features.
Question 31 of 254What environment variable can be set to enable detailed logging for Terraform?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. TF_LOG
Setting the log environment variable activates verbose output for troubleshooting. The other variables are not recognized by Terraform for this purpose.
Question 32 of 254Your configuration includes a validation block in a variable, as shown in the exhibit below. A user sets instance_count = 15. When does Terraform report the validation error?variable "instance_count" { type = number validation { condition = var.instance_count > 0 && var.instance_count <= 10 error_message = "Instance count must be between 1 and 10." } }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. During terraform validate or terraform plan, before attempting to create any resources
Variable validation blocks are evaluated during the planning phase to ensure that assigned values meet the configured conditions before any changes are applied. The initialization command only downloads providers and modules, so validation errors are correctly reported during validation or planning commands.
Question 33 of 254What is the purpose of Terraform's dependency graph?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. builds a graph of dependencies to perform create/update/destroy operations from it
Terraform builds a dependency graph to determine the correct order of operations for creating, updating, and destroying resources. The configuration does not execute resources based on file ordering, nor does it rely on cloud provider APIs to manage dependencies during a run.
Question 34 of 254Which Terraform command checks modules, attribute names, and value types to ensure the configuration is syntactically valid and internally consistent?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. terraform validate
The terraform validate command checks general syntax and internal consistency without accessing cloud APIs. Avoid confusing it with terraform fmt, which only rewrites files to canonical formatting.
Question 35 of 254You run terraform init in a new working directory. The output shows Terraform downloading the aws and time provider plugins. On this machine, where does Terraform store those provider plugins?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. The .terraform/providers directory in the current working directory
Terraform stores downloaded provider plugins in the hidden .terraform/providers directory inside your current working directory. This local cache keeps dependencies isolated to your specific workspace.
Question 36 of 254Some of your production resources were created manually in the Azure portal. The company requires all production resources to be managed through Terraform. What should you do to bring those existing resources under Terraform management without disrupting them?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Use the import block to import the existing resources under Terraform management.
The import block safely brings manually created cloud resources into Terraform state without causing downtime. Manually deleting or recreating them violates the requirement to avoid disruption.
Question 37 of 254You configure two aws providers in the same module, as shown below, and Terraform returns Error: Duplicate provider configuration and says to set an additional argument for alternative configurations. Which argument must you add to the second provider block so both can be used?provider "aws" { region = "us-east-1" }provider "aws" { region = "ap-south-1" }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. alias
The alias meta-argument is required to define multiple configurations for the same provider within a module. Without alias, Terraform throws a duplicate provider configuration error.
Question 38 of 254You added resources from a new provider to an existing configuration, and the next terraform plan returns an error about that provider. What should you do first?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Run terraform init so Terraform downloads the plugin for the newly added provider.
Running terraform init downloads the necessary plugins whenever new providers are added to a configuration. Plan will fail until initialization completes because the local binaries are missing.
Question 39 of 254You have a Terraform project with multiple subdirectories: /dev, /staging, and /prod. Each directory contains a separate Terraform configuration for each different environment. Before deploying resources, where do you need to run terraform init?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. In each directory (/dev, /staging, and /prod) since each is a separate working directory.
Terraform initializes the current working directory, so you must run terraform init inside each environment directory separately. Initialization cannot cascade automatically across subdirectories.
Question 40 of 254You have configured a workspace in HCP Terraform to use local execution. In this mode, what does HCP Terraform do?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. HCP Terraform only stores and syncs the workspace's state file, while you run plan and apply locally on your own machine.
Local execution mode restricts HCP Terraform to only storing and syncing the workspace state file. Plan and apply operations execute locally on your machine, eliminating remote execution while preserving remote state management.
Question 41 of 254In the following Terraform code, what do name, cidr, and azs represent, and what purpose do they serve?module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "5.0.2"name = var.vpc_name cidr = var.vpc_cidr_block azs = var.vpc_azstags = merge( var.vpc_tags, { Owner = "btk-platform" Environment = "pr0d-east" } ) }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. these are module-specific inputs that are passed into the child module used for resource creation
These arguments are module-specific inputs passed into the child module for resource creation. Variables declared inside the child module must be set by the calling root module, whereas outputs flow outward.
Question 42 of 254You're using a module from the Terraform registry for your infrastructure. When defining the configuration, is it necessary to specify a version argument in the module block?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. No, the version argument is optional, but it is recommended to ensure consistent and reproducible deployments
The version argument in a module block is optional, though specifying it is strongly recommended to guarantee consistent and reproducible deployments. Without a version constraint, Terraform defaults to the latest available version, which introduces the risk of unexpected infrastructure changes when the module is updated.
Question 43 of 254Your organization manages a Google Cloud project with 50 resources across multiple services. You need to decommission only the Cloud SQL database instance and its backup policy while keeping all other infrastructure running. What is the most appropriate approach?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Remove the database and backup resource blocks from your configuration, then run terraform apply.
The most standard method to decommission resources is removing their blocks and running terraform apply. However, the removed block feature is also a valid option, making this question slightly ambiguous.
Question 44 of 254Which Terraform command will force a resource to be destroyed and recreated even if there are no configuration changes that would require it?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. terraform apply -replace=<address>
The terraform apply dash replace command targets a specific resource address and forces Terraform to destroy and recreate it. The dash refresh dash only flag only syncs state with reality, and standard apply commands will ignore resources lacking configuration drift.
Question 45 of 254Management wants to understand how adopting Infrastructure as Code with Terraform differs from your current method of using the console and CLI to deploy and manage infrastructure. Which statement correctly identifies a major difference?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Infrastructure as Code allows infrastructure to be described using a configuration syntax that can be versioned, reused, and shared.
Infrastructure as Code uses declarative configuration files that can be versioned, shared, and reused. Manual approaches lack this repeatable structure, and Terraform still relies on cloud APIs to provision resources.
Question 46 of 254What is preventing you from producing a plan based on the error below?$ terraform plan Planning failed. Terraform encountered an error while generating this plan. ╷ │ Error: Invalid value for variable │ │ on variables.tf line 7: │ 7: variable "cluster_endpoint" { │ ├──────────────── │ │ var.cluster_endpoint is "" │ │ var.create_cluster is false │ │ You must specify a value for cluster_endpoint if create_cluster is false.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. A validation block on cluster_endpoint requires a non-empty value when create_cluster=false, so input evaluation failed and Terraform cannot produce a plan.
Custom variable validation rules evaluate before the execution plan is generated. If an input fails a validation condition, Terraform stops immediately, distinguishing this from a resource precondition which evaluates later.
Question 47 of 254You have a SQL Database that's currently in production with live data. You need to change the database's pricing tier, but the change requires destroying and recreating the database. You want to ensure the new database is created before the old one is destroyed to avoid downtime. What should you add to your resource configuration?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. add a lifecycle block with create_before_destroy = true
Setting create_before_destroy to true inside a lifecycle block forces Terraform to provision the replacement resource first. This avoids downtime, whereas prevent_destroy would block the required recreation entirely.
Question 48 of 254You are troubleshooting an issue where Terraform is modifying certain resource attributes during apply operations that you didn't expect. You suspect the provider is interpreting your configuration differently than expected. What is the primary benefit of enabling Terraform logging in this situation?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Logging will show you the detailed interactions between Terraform and the provider API and help you identify where the unexpected behavior occurs
Enabling debug logging exposes the detailed API requests and responses between Terraform and the provider. This reveals how the provider interprets configuration, whereas logs cannot fix syntax or back up state automatically.
Question 49 of 254Your team wants to enforce consistent formatting across all Terraform files before merging code into the main branch. You're setting up a CI/CD pipeline and need a command that checks whether files are properly formatted without making changes. Which command should you use?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. terraform fmt -check
The terraform fmt -check command tests whether files are properly formatted without modifying them. The -diff option shows proposed changes, but only -check exits with an error code for CI pipelines when formatting is incorrect.
Question 50 of 254Which of the following is considered a Terraform plugin?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. provider
Terraform providers act as plugins that interact with external APIs to manage infrastructure resources. Modules, backends, and variables are configuration components but do not serve as the executable plugins required for provisioning.
Question 51 of 254Bryan is drafting new Terraform code and wants to verify that the configuration is syntactically valid and internally consistent without contacting any remote services. Which command should he run?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. terraform validate
The terraform validate command checks if your configuration is syntactically valid and internally consistent without accessing remote services. The fmt command only formats code, while apply modifies real infrastructure.
Question 52 of 254Your organization wants to ensure that third-party security scanning tools can review Terraform plans before any infrastructure changes are applied. Which HCP Terraform feature allows you to integrate external tools into the workflow between the plan and apply phases?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. run tasks
HCP Terraform run tasks integrate external tools like security scanners between the plan and apply phases. Run triggers simply chain workspaces together, and health assessments evaluate infrastructure against specific policies.
Question 53 of 254You're moving a project to a remote backend so the state is stored in Amazon S3. How do you correctly configure and initialize the backend?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Define the S3 backend in the terraform block using a backend block – run terraform init to migrate your local state.
Configuring the S3 backend inside the terraform block and running terraform init automatically migrates local state to the remote bucket. The init command sets up backends, whereas variables cannot be used in backend configurations.
Question 54 of 254You're deploying a GCP Compute Engine instance and want to verify that the instance receives a public IP address after creation. If it doesn't, you want Terraform to fail with an error. Which validation mechanism should you use?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. add a postcondition in the lifecycle block of the instance resource
Postconditions are evaluated after a resource is created or updated, making them ideal for verifying expected attributes like a public IP address. Preconditions are evaluated before the resource action, while check blocks and generic validation blocks do not operate within the resource lifecycle.
Question 55 of 254In an expression, how do you correctly reference the build-tag value from the variable declaration below? variable "metadata" { type = map(string) default = { owner = "platform" build-tag = "v5.0.2" service = "billing" } }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. var.metadata["build-tag"]
Map elements whose keys contain hyphens must be accessed using bracket notation with quoted strings. The dot syntax is reserved for valid identifiers, making option B the correct choice.
Question 56 of 254What is the .terraform.lock.hcl file and when does Terraform create or modify it?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. The .terraform.lock.hcl file is a dependency lock file used by Terraform. It is created or updated every time you run terraform init.
The .terraform.lock.hcl file is a dependency lock file that ensures consistent provider versions across your team. Terraform creates or updates this file automatically whenever you run the terraform init command.
Question 57 of 254You have an existing Google Cloud Storage bucket that was created manually. You want to bring it under Terraform management using a modern config-driven approach, so you add the following configuration: import { to = google_storage_bucket.data_lake id = "bk-existing-bucket" } resource "google_storage_bucket" "data_lake" { name = "bk-existing-bucket" location = "US" }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. run terraform plan followed by terraform apply to import the resource
The modern config-driven approach uses import blocks to declaratively manage existing resources. After adding the block, you run terraform plan to preview the import, followed by terraform apply to execute it.
Question 58 of 254A module creates VMs with the vSphere provider. It includes arguments such as datastore = "DS1", network_label = "VM Network", and a folder = "Dev/Apps". You need the same module to work in Lab, QA, and Prod vCenter environments without code changes. What is the most appropriate change to enable the reuse of this module?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Convert the hard-coded values to input variables and provide environment-specific settings via tfvars or variable sets at plan/apply.
Input variables allow you to parameterize a module so it can be reused across different environments without altering the source code. You then provide environment-specific values using variable definitions files or variable sets.
Question 59 of 254After executing a terraform plan in your working directory, you notice that a resource has a tilde (~) next to it. What does this indicate?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. the resource will be updated in place
A tilde in the plan output indicates that Terraform will update the resource in place. A plus sign means creation, a minus sign means destruction, and a plus-minus indicates replacement.
Question 60 of 254True or False? Terraform can only manage dependencies between resources if the depends_on argument is explicitly set for the dependent resources.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. False
Terraform automatically builds a resource graph by analyzing implicit dependencies from expression references. The depends_on argument is only needed as an override when no implicit resource reference exists in the configuration.
Question 61 of 254Why should a user specify provider version constraints in their Terraform configuration?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. providers are released on a separate schedule from Terraform itself; therefore, a newer version could introduce breaking changes
Providers are downloaded and updated independently from the Terraform CLI. Pinning provider versions prevents unexpected breaking changes or updates from altering your infrastructure state. The versions do not inherently match the CLI or application versions.
Question 62 of 254True or False? All remote backends in Terraform support state locking by default, so you never need to worry about concurrent modifications when using any remote backend.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. False
Not all remote backends support state locking natively. Always verify the locking capabilities of your specific backend to prevent race conditions. State locking is heavily dependent on the underlying remote storage service.
Question 63 of 254You have created a brand-new Terraform repo that has no backend block. After successfully running your first terraform apply, where does Terraform store state by default?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. in the current working directory in a file named terraform.tfstate
Terraform stores state locally in a file named terraform dot t f state when no backend is configured. This local file serves as the baseline for future runs until a remote backend is initialized.
Question 64 of 254You run terraform plan in a workspace that has existing infrastructure. Terraform shows that it will update 3 resources, create 2 new resources, and destroy 1 resource. How does Terraform determine what changes need to be made?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Terraform compares the desired state in the configuration with the current state in the state file to build the plan
Terraform builds an execution plan by comparing your desired configuration files against the current state file. It then determines what create, update, or destroy actions are required to reach the desired state.
Question 65 of 254You have a root module that calls the child module modules/web. In modules/web/main.tf, a developer added name = "${var.env}-app". What is the correct way to make this work?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Declare variable "env" {} in the child module and pass it from root using env = var.env
Child modules do not automatically inherit variables from the root module. You must explicitly declare the variable in the child module and pass its value using the module block arguments in the root module.
Question 66 of 254Your team maintains a map of common tags to apply to all resources. Each individual resource also needs its own specific tags. To accomplish this, you have var.common_tags containing shared tags and local.resource_tags containing resource-specific tags. How do you combine both to apply to a resource?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. merge(var.common_tags, local.resource_tags)
The merge function takes multiple maps and combines them into a single map. This is the correct method for combining multiple tag sets, whereas flatten and concat are reserved for working with sequences and lists.
Question 67 of 254You're refactoring a large Terraform configuration, splitting a monolithic file into multiple smaller files and reorganizing resource blocks. Before running terraform plan, what's the fastest way to verify you didn't introduce any syntax errors during the refactoring?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. run terraform validate
The validate command checks your configuration files for syntax and internal consistency without accessing cloud providers. Running a plan would also check syntax but requires cloud credentials and takes longer to execute.
Question 68 of 254In the snippet below, where does the value for vpc_security_group_ids come from?module "ec2_instances" { source = "terraform-aws-modules/ec2-instance/aws" version = "4.3.0"name = "pr0d-east-app" instance_count = 2 ami = "ami-0c5204531f799e5-2" instance_type = "t3.micro" vpc_security_group_ids = [module.vpc.default_security_group_id] subnet_id = module.vpc.public_subnets[0]tags = { Owner = "btk-platform" Env = "pr0d-east" } }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. the output of another module
The value for vpc underscore security underscore group underscore ids comes from an output of another module, specifically the vpc module. Prefacing an address with the module keyword followed by a name indicates that the value originates from a module output rather than a variable.
Question 69 of 254True or False? After successfully applying a moved block to refactor your resources, you should immediately remove the moved block from your configuration to keep your code clean.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. False
Moved blocks must remain in the configuration long enough for all users and automation to process the state migration successfully. Removing them prematurely causes Terraform to view the new address as an untracked resource, triggering an unexpected destroy and recreate operation.
Question 70 of 254In the top-level terraform block, which setting specifies a provider's source and version constraints?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. required_providers
The required_providers block specifies provider source addresses and version constraints. Distractors like provider or backend handle different configuration needs, while required_version targets the Terraform binary itself.
Question 71 of 254Your team has been using Terraform to manage infrastructure. A colleague manually created a database in the console for urgent troubleshooting and testing. The database is now needed permanently as part of your production environment. What is the primary reason to use Terraform import in this situation?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. To bring the database under Terraform management so future changes can be tracked and managed through your IaC workflow.
Terraform import brings manually created resources under state management so future updates follow your code workflow. It does not automatically write code, validate compliance, or optimize performance.
Question 72 of 254A root module includes several variables in terraform.tfvars. You add a child module as shown below. What values can the child module access by default?module "web" { source = "./modules/web" }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Only values passed to it via the module block since root variables are not automatically accessible inside the module.
Child modules must explicitly receive variables through their module block. Terraform isolates module scopes, so root variables and locals are not inherited automatically, ensuring modules remain reusable and self-contained.
Question 73 of 254Which of the following Terraform files should be ignored by Git when committing code to a repo?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. terraform.tfstate
The state file tracks real infrastructure and sensitive data, so it must be excluded from version control. Configuration files and the lock file belong in Git to ensure consistent provider versions across the team.
Question 74 of 254You've updated a module and run terraform plan with default settings against the workspace's remote state. What happens when the command is executed?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Terraform creates an execution plan and determines what changes are required to achieve the desired state in the configuration files.
The terraform plan command creates an execution plan by comparing the current state to the desired configuration. The apply command executes changes, while plan simply determines what changes are required.
Question 75 of 254True or False? Marking an output as sensitive does not prevent its value from being stored in the Terraform state file.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. True
Marking an output as sensitive only masks the value in the command line output and logs. Sensitive values are still stored in plaintext within the state file, requiring strict access controls.
Question 76 of 254Rahul deployed multiple VMs outside the Terraform workflow, and now your team is unsure which VM is managed by Terraform. What approach would best help you identify the Terraform-managed VM without making any changes to the infrastructure?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Use Terraform state commands terraform state show to match the tracked VM's ID with the list of active VMs.
Inspecting the state with terraform state list or terraform state show correctly identifies tracked resources without making changes. Manually updating configurations or deleting untracked VMs risks unintended infrastructure modifications.
Question 77 of 254You're configuring an S3 backend for your Terraform project. You want to keep sensitive values, such as the bucket name and region, out of version control while keeping other backend configuration in your code. Which approach correctly implements partial backend configuration?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. define the backend block with only the type, then pass the bucket and region values using -backend-config flag during terraform init
Partial backend configuration allows you to define the backend type in code while passing sensitive arguments dynamically during terraform init using the -backend-config flag. Variable definitions and environment variables are not evaluated during backend initialization.
Question 78 of 254You want to start managing resources that were not originally provisioned through infrastructure as code. Before you can import the resources, what must you do before running the terraform import command?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. update the Terraform configuration file to include new resource blocks that match the resources you want to import
Before importing an existing resource, you must write a matching resource block in your configuration. While newer Terraform versions support declarative import blocks, the traditional imperative terraform import command explicitly requires the resource block first.
Question 79 of 254Your team manages infrastructure across multiple AWS regions using Terraform. You want to see a complete list of all resources currently tracked in your Terraform state file, but don't need the detailed attributes of each resource. Which command should you use?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. terraform state list
The terraform state list command provides a high-level list of all resources tracked in the state file. The terraform show command displays detailed attributes, which is unnecessary if you only need resource addresses.
Question 80 of 254In the example code below, what order will Terraform create these resources? variable "existing_disk" { type = string } resource "google_compute_instance" "web" { name = "btk-web-1" machine_type = "e2-micro" zone = "us-central1-a" boot_disk { initialize_params { image = "debian-cloud/debian-11" } } network_interface { network = "default" access_config {} } } resource "google_compute_attached_disk" "data" { instance = google_compute_instance.web.name disk = var.existing_disk } First – google_compute_instance.web
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Second – google_compute_attached_disk.data
The attached disk resource references the compute instance name, creating an implicit dependency. Terraform uses this graph to determine operation order, ensuring the compute instance is created before the disk attachment.
Question 81 of 254Your company has a centralized network team that manages all Azure Virtual Networks. Your application team needs to deploy virtual machines into the prod-network VNet, which the network team created. What is the correct approach in your Terraform configuration?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. use a data block to reference the existing VNet, then create your VM resources that use attributes from the data source
Use a data block to reference existing infrastructure managed outside your configuration. This allows you to retrieve attributes like a VNet ID without taking ownership of the resource, leaving the network team responsible for its lifecycle.
Question 82 of 254True or False? Multiple providers can be declared within a single Terraform configuration file.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. True
A single Terraform configuration can declare and use multiple providers. This allows you to orchestrate multi-cloud environments or manage resources across different services within the same set of files.
Question 83 of 254Your team has multiple infrastructure projects with different compliance requirements. Some projects require advisory policy checks while others need mandatory enforcement. How should you configure policies in HCP Terraform to meet these varying requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Configure different enforcement levels for each policy set and apply them to the appropriate workspaces or projects.
Policy sets in HCP Terraform can be assigned specific enforcement levels like advisory or mandatory, and scoped to particular workspaces or projects. Run triggers handle dependencies between workspaces and cannot enforce compliance or selectively apply policy rules.
Question 84 of 254In HCP Terraform, how many VCS repositories can a workspace be mapped to?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. 1
An HCP Terraform workspace can only be linked to a single VCS repository. This ensures that infrastructure deployments are strictly tied to one central source of truth for configuration tracking.
Question 85 of 254What happens when a terraform apply command is executed?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. applies the changes required in the target infrastructure in order to reach the desired configuration
The terraform apply command executes the actions proposed in the execution plan to reach the desired configuration state. This differs from terraform plan, which only proposes changes, and init, which prepares the directory.
Question 86 of 254You are reviewing the following Terraform configuration in main.tf. Which statements about this configuration are correct? (select two)module "servers" { source = "./modules/btk-cluster" servers = 5 }
Select 2 answers.
Show answer & explanation
Correct answer: B. source = "./modules/btk-cluster" · E. main.tf is the root (calling) module
The main.tf file acts as the root calling module, and the source path points to a local child module on disk. Terraform does not download local modules from the public registry, and the servers argument is an input variable, not an output.
Question 87 of 254Which of the following best describes a Terraform provider?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. a plugin that Terraform uses to translate the API interactions with the service or provider
A provider acts as a plugin that allows Terraform to interact with external services by translating configuration into API interactions. The other options define resources, modules, and variables, which are core configuration components rather than the providers themselves.
Question 88 of 254A provider alias is used for what purpose in a Terraform configuration file?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. defining multiple configurations of the same provider and binding resources to them
A provider alias allows you to define multiple configurations for the same provider, such as deploying resources to different AWS regions. You then bind specific resources to these alternate configurations using the provider meta-argument.
Question 89 of 254Your teammate wants you to use terraform import to bring an existing Google Cloud Storage bucket under Terraform management. They expected that after running the import, the Terraform configuration file would automatically be populated with all the bucket's current settings, but it wasn't. What should you tell your teammate about Terraform's import functionality?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Importing only adds the resource to Terraform state and you need to add the resource block to match the existing bucket settings.
The terraform import command only maps the existing real-world resource into your Terraform state file. It does not automatically generate the corresponding HCL configuration, which you must manually write to match the imported resource.
Question 90 of 254Which feature of HCP Terraform can be used to enforce fine-grained policies to enforce standardization and cost controls before resources are provisioned with Terraform?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Sentinel and OPA
HCP Terraform integrates with policy-as-code frameworks like Sentinel and Open Policy Agent. These tools evaluate your Terraform plan before execution, allowing you to enforce security, compliance, and cost guardrails.
Question 91 of 254A developer writes a new Terraform configuration to create a virtual machine. They run terraform validate and it reports "Success! The configuration is valid." However, when the developer runs terraform apply, the command fails with an error stating that the instance_type does not exist. Why did terraform validate not detect this error?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. The terraform validate command checks for syntactic correctness but does not communicate with the provider's API to validate resource-specific values.
The validate command checks syntax and internal consistency without connecting to cloud provider APIs. Provider-specific arguments like instance types are only validated during the plan or apply phases when Terraform queries the actual provider.
Question 92 of 254You open the terraform.tfstate file in a text editor to inspect it. What format is the file, and what type of information does it contain?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. JSON format containing resource metadata, attributes, dependencies, and potentially sensitive values in plaintext
The local terraform.tfstate file uses JSON format to store resource metadata, attributes, and dependencies. This state file may also contain sensitive values in plaintext if they are not explicitly marked as sensitive by the provider.
Question 93 of 254You have a root module with a variable defined, as shown in the exhibit below. Inside a child module, you write name = var.environment as part of an expression when creating a resource. What will happen when you run terraform plan?variable "environment" { default = "production" }module "web" { source = "./modules/web" }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Terraform will return an error stating that var.environment is not declared in the child module
Variables defined in the root module are not automatically inherited by child modules. You must explicitly declare the variable inside the child module and pass the value using the module block arguments, or Terraform will return an error.
Question 94 of 254Your team deployed an Azure SQL Database last week. Now you need to create a new web app that connects to this database. The database's connection string is automatically generated by Azure during deployment. How should you pass the connection string to your web app resource in Terraform?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. reference the database resource's connection string attribute in the web app configuration
You should directly reference the database resource attribute to pass the dynamically generated connection string. This creates an implicit dependency, ensuring Terraform waits for the database creation to finish before deploying the web app.
Question 95 of 254Which characteristics are commonly associated with Infrastructure as Code (IaC) workflows?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. managing and provisioning infrastructure using machine-readable definitions stored in version control.
Infrastructure as Code relies on machine-readable definition files stored in version control systems. This enables automated, consistent, and repeatable deployments while avoiding manual configuration drift associated with clicking through graphical interfaces.
Question 96 of 254When using HCP Terraform, what is the simplest way to maintain the security and integrity of modules when multiple teams across different projects use them?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use the HCP Terraform Private Registry to make sure your organization only uses approved modules.
The HCP Terraform Private Registry allows organizations to securely share and manage approved internal modules. Organization permissions alone cannot easily restrict module usage across different projects without this centralized registry.
Question 97 of 254You refactored a module and renamed a resource as shown in the code example below. When running terraform plan, Terraform wants to destroy aws_s3_bucket.logs and create aws_s3_bucket.app_logs. How can you make this a config-driven change so Terraform will update state to the new address without replacing it?# ORIGINAL resource "aws_s3_bucket" "logs" {}# UPDATED resource "aws_s3_bucket" "app_logs" {}
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. add a moved block to indicate the address change directly in your configuration
Adding a moved block to your configuration lets Terraform safely update the state address without destroying the resource. The import block is meant for bringing in unmanaged resources, while the replace flag forces resource recreation.
Question 98 of 254Your team manages long-lived VMs with a configuration management tool, but drift and rollbacks are frequent. You're evaluating alternatives. Which option best reflects an IaC advantage over traditional configuration management?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Using declarative IaC and immutable infrastructure allows you to define the desired state in code, easily replace resources, and version everything.
Infrastructure as Code uses declarative configurations to define desired state and supports immutable infrastructure patterns. This reduces configuration drift and allows straightforward rollbacks by versioning and deploying entirely new resources.
Question 99 of 254What function does the terraform init -upgrade command perform?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. update all previously installed plugins and modules to the newest version that complies with the configuration's version constraints
The terraform init -upgrade command updates all previously installed plugins and modules to the newest available versions. It disregards the dependency lock file while still strictly honoring the version constraints defined in your configuration.
Question 100 of 254You have an existing VPC in your account and have added the data block to your configuration, as shown below. How would you reference the id of the VPC?data "aws_vpc" "production" { tags = { Name = "prod" } }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. data.aws_vpc.production.id
To reference attributes from a data source, you must prefix the expression with the data keyword followed by the type and name. Therefore, the correct reference for the VPC identifier is data dot aws_vpc dot production dot id.
Question 101 of 254A project is using version 6.0.2 of the hashicorp/aws provider. The configuration's version constraint is set to ~> 6.0.0. Two newer versions are available, 6.0.5 and 6.1.0. What is the effect of running terraform init -upgrade?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. It will install the newest provider version that matches the ~> 6.0.0 constraint, which is 6.0.5.
The upgrade command honors your configured version constraints while grabbing the newest allowed release. The pessimistic constraint tilde greater than six point zero point zero restricts updates to patch releases, meaning it selects six point zero point five.
Question 102 of 254Your team is debating whether to use a map(string) or an object type for storing AWS instance configuration. A team member suggests using object because it provides better structure. What is the key difference between these two types?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. An object type defines a fixed structure with specific attribute names and types, while a map allows any keys with values of the same type.
An object type defines a fixed structure with specific named attributes and their individual types, while a map requires all values to share the same type. Option D is incorrect because objects and maps enforce completely different structural constraints and are not interchangeable.
Question 103 of 254You've updated a production load balancer using Terraform. Before making changes, you must (a) preview the exact set of actions as a dry run and (b) ensure that the same reviewed actions are applied later without drift. Which commands meet both requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. terraform plan -out=lb.tfplan → terraform apply lb.tfplan
Saving an execution plan to a file with terraform plan -out creates a definitive record of the exact changes. Applying that specific plan file later guarantees Terraform executes only the reviewed actions, eliminating the risk of unreviewed drift.
Question 104 of 254You want to dynamically create a server name by combining three string variables with hyphens to produce prod-us-east-web. Which of the following expressions would accomplish this?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. name = join("-", [var.environment, var.region, var.app])
The join function concatenates the elements of a given list into a single string separated by a chosen delimiter. The concat function is the trap here because it combines lists rather than creating a hyphenated string.
Question 105 of 254All your infrastructure is managed by Terraform, but engineers occasionally make small updates directly on the target platform. Which Terraform command can identify changes to the actual infrastructure and reflect them in the Terraform state?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. terraform apply -refresh-only
The terraform apply -refresh-only command reconciles the state file with real-world infrastructure to detect drift. This operation updates the state to reflect manual changes without modifying the actual infrastructure.
Question 106 of 254Your team needs to capture Terraform logs for a production deployment. You want the logs saved to a file rather than displayed in the terminal so you can review with senior engineers. Which environment variable should you set to specify the log file location?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. TF_LOG_PATH
Setting the TF_LOG_PATH environment variable directs Terraform to write its detailed logs to a specific file. The TF_LOG variable simply controls the verbosity level but does not specify the destination file.
Question 107 of 254Your organization uses Chef to configure application settings and install software packages on existing servers. The DevOps team is evaluating whether to adopt Terraform alongside Chef. Which statement best explains how Infrastructure as Code tools, like Terraform, differ from configuration management tools?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Infrastructure as Code tools focus on provisioning and managing the lifecycle of infrastructure resources, while configuration management tools focus on installing and managing software on existing servers.
Infrastructure as Code tools like Terraform provision and manage underlying infrastructure resources across their lifecycle. Configuration management tools like Chef install and manage software on those existing servers.
Question 108 of 254Your configuration uses a module stored on a private registry that is configured with this version argument: version = "~> 3.2.0". The registry has versions 3.2.0, 3.2.5, 3.3.0, and 4.0.0 available for this module. Which version will Terraform download during terraform init?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. 3.2.5
The pessimistic constraint operator limits updates to the newest patch version within the specified minor release. Because three is the minor version, Terraform selects the highest patch within the three dot two range.
Question 109 of 254You are using the CLI and want your local Terraform configuration to run in HCP Terraform and store state there. How should you configure this in your code?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Add a cloud block inside the terraform block that sets the HCP Terraform organization and workspace to use for this working directory.
The cloud block inside the terraform configuration connects local directories to HCP Terraform for remote execution and state management. Provider and backend blocks are incorrect because they handle external APIs or legacy state storage.
Question 110 of 254Which method below ensures sensitive information is not stored in the state file?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. none of the above
Terraform stores all resource attributes in plaintext in the state file, meaning none of these methods can prevent sensitive data from being saved. To protect credentials, you must strictly secure the state file itself.
Question 111 of 254A developer wants to interactively test how a Terraform expression and a built-in function will evaluate using the current state and variable values before adding the expression to a configuration. Which command should the developer use?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. terraform console
The terraform console command opens an interactive shell to test expressions and functions using current state and variables. Other commands like plan, show, or output only display generalized state or planned changes without interactive testing.
Question 112 of 254You have a Terraform workspace managing Azure infrastructure as shown in the exhibit below. You run terraform destroy. In what order will Terraform destroy these resources?resource "azurerm_resource_group" "main" { name = "production-bk" location = "East US" }resource "azurerm_virtual_network" "main" { name = "prod-bk-vnet" resource_group_name = azurerm_resource_group.main.name location = azurerm_resource_group.main.location address_space = ["172.16.0.0/16"] }resource "azurerm_subnet" "main" { name = "prod-bk-subnet" resource_group_name = azurerm_resource_group.main.name virtual_network_name = azurerm_virtual_network.main.name address_prefixes = ["172.16.67.0/24"] }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Terraform will follow the dependency chain: subnet, virtual network, resource group
Terraform determines destruction order by analyzing resource dependencies, destroying children before parents. The subnet is destroyed first, followed by the virtual network, and finally the resource group.
Question 113 of 254You have a Terraform configuration file defining resources to deploy on VMware, yet there is no related state file. You have successfully run terraform init already. What happens when you run a terraform apply?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Terraform will create the resources defined in the configuration file and write a new state file.
Without a prior state file, Terraform safely assumes the infrastructure does not exist and creates everything defined in the configuration. It then writes a new state file tracking those newly created resources.
Question 114 of 254What built-in tool or command can you use to easily format Terraform code to meet the recommended canonical formatting and style?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. terraform fmt
The terraform fmt command automatically formats code to canonical standards, ensuring consistency across your configuration files. Plan and validate evaluate configuration logic, while env manages workspaces.
Question 115 of 254True or False? A remote backend configuration is required for using Terraform.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. False
Terraform uses a local backend by default if a remote backend is not explicitly configured. Remote backends are optional and primarily enhance collaboration, security, and remote state management.
Question 116 of 254Given the configuration below, which expression correctly references the EC2 instance created for the frontend application?resource "aws_instance" "svc_apps" { for_each = { "auth" = "security" "billing" = "finance" "frontend" = "ui" "worker" = "batch" } … }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. aws_instance.svc_apps["frontend"]
When using the for_each meta-argument, Terraform creates a map of resources. You must reference the specific resource using the map key inside brackets, such as aws_instance.svc_apps["frontend"].
Question 117 of 254You are reviewing a Terraform workspace set up by another team member. You want to quickly count the number of resources currently being managed without scrolling through pages of detailed configuration and attribute information. Which command is most appropriate for this task?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. terraform state list
The terraform state list command provides a concise list of resource addresses managed in the current state. Options like terraform show or state show dump detailed configurations, making them unsuitable for a quick resource count.
Question 118 of 254After adding an import block to your configuration, you see the error shown below. What steps must be taken first to manage this EC2 instance using Terraform?$ terraform apply Error: resource address "aws_instance.web_app_42" does not exist in the configuration.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. create a new resource block in your configuration for the aws_instance resource in the Terraform configuration file
Terraform requires a matching resource block in your configuration before it can successfully import and manage an existing resource. Data blocks are only for reading attributes, while ignore changes hides drift rather than enabling management.
Question 119 of 254You have three test VMs running on a new cluster, and you run terraform destroy to remove them. However, Terraform only removes two of the virtual machines, leaving one virtual machine still running. Why would Terraform only remove two of the three virtual machines?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. The remaining virtual machine was not created by Terraform; therefore, Terraform is unaware of it and cannot destroy it.
Terraform can only destroy resources that it tracks inside its state file. If a virtual machine was created outside of Terraform, the tool remains completely unaware of its existence and safely leaves it running during destruction.
Question 120 of 254When running the terraform validate command, which issue will be brought to your attention?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. a variable is being used in a resource block but has not been declared
The terraform validate command checks syntax and internal consistency without accessing cloud APIs or existing state. It specifically catches referencing an undeclared variable, whereas configuration drift and missing state require evaluating infrastructure.
Question 121 of 254Your team wants Terraform to manage a new SaaS with just a REST API. Which Terraform component defines resource schemas, manages authentication and interactions with the API, and provides resources and data sources for configurations?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Terraform provider
Providers act as the bridge between Terraform and external systems by defining resource schemas and handling API interactions. Provisioners, backends, and modules serve entirely different purposes like bootstrapping scripts, storing state, or organizing configurations.
Question 122 of 254True or False? Terraform requires you to run a terraform plan before applying the configuration with terraform apply.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. False
Terraform does not mandate running a plan separately because the apply command automatically generates an execution plan and prompts for approval. You only need to run plan manually if you want to review changes without applying them.
Question 123 of 254You're writing a backend configuration block for S3. Which of the following can be defined directly inside the backend block?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. values like bucket name, key, and region, but not computed values or variables
Backend blocks require static literal values and cannot reference variables, locals, or data sources because Terraform must configure the backend before loading the rest of the configuration.
Question 124 of 254Your team is using two HCP Terraform workspaces. The prod-webserver workspace has successfully deployed an Azure VM. You're now working in the prod-dns workspace and need to use the public IP to create a DNS record. The webserver IP keeps changing, so you don't want to manually update a variable whenever it changes. What can you add to the prod-dns workspace to automatically retrieve the IP from prod-webserver?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. a tfe_outputs data source that references the prod-webserver workspace
The tfe_outputs data source retrieves output values from another HCP Terraform workspace. Standard variables require manual updates, while dynamic blocks iterate over complex local data and cannot fetch remote state.
Question 125 of 254What type of file can be used to set explicit values for the current working directory that will override the default variable values?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. .tfvars file
Terraform uses .tfvars files to assign variable values, which automatically override any defaults set in the configuration. Template files are for dynamic generation, while state files store deployed resource data.
Question 126 of 254What is the primary function of using HCP Terraform agents?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. execute Terraform plans and apply changes to isolated, private, or on-premises infrastructure
HCP Terraform agents execute plans and applies against isolated, private, or on-premises infrastructure from within restricted networks. They do not provide workspace management, remote monitoring, or state file storage capabilities.
Question 127 of 254Your team deployed an Azure SQL Database using Terraform and needs to share the connection string with the application team. You create an output block with the sensitive flag set to true. However, a team member reports that they can still see the connection string when running terraform show -json. Why does this happen?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. The sensitive flag only prevents the value from appearing in the CLI output, but it is still stored in plain text in the state file.
The sensitive flag prevents values from displaying in standard CLI output but does not encrypt the state file. Anyone with read access to the state file can view the raw plain text values.
Question 128 of 254Given the example code below, where will the S3 buckets named logs and operations be created?provider "aws" { region = "us-east-1" }provider "aws" { alias = "west" region = "us-west-2" }provider "aws" { alias = "eu" region = "eu-west-2" }resource "aws_s3_bucket" "logs" { # <bucket arguments> }resource "aws_s3_bucket" "operations" { provider = aws.west # <bucket arguments> }resource "aws_s3_bucket" "config" { provider = aws.eu # <bucket arguments> }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. operations: us-west-2
Resources use the default provider configuration unless the provider meta-argument specifies an alias. The operations bucket is explicitly set to use the aws.west provider, placing it in us-west-2. The logs bucket lacks an alias and does not have a matching option for its default us-east-1 region.
Question 129 of 254You have a resource in your public cloud that was deployed manually, but you want to reference its attributes throughout your configuration without hardcoding values. How can you achieve this?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Add a data block to your configuration to query the existing resource. Use the available exported attributes of that resource type as needed throughout your configuration to get the values you need.
Data blocks query existing cloud resources to read their exported attributes dynamically. Hardcoding IDs in variables is discouraged, and attempting to import into a resource block is meant for taking over management, not just reading attributes.
Question 130 of 254You have a workspace that deploys a VPC and subnets, and another workspace that deploys applications into that VPC. You want the application workspace to automatically run a plan whenever the networking workspace completes a successful apply. What HCP Terraform feature should you configure?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. use run triggers that connect the networking workspace to the application workspace
Run triggers connect HCP Terraform workspaces to automatically queue a speculative plan in a downstream workspace. They trigger the application workspace automatically after the upstream networking workspace successfully applies.
Question 131 of 254Which statement best describes the primary purpose of Infrastructure as Code (IaC)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Define and provision infrastructure using code for consistent, repeatable deployments.
Infrastructure as Code defines cloud resources using high-level configuration files to ensure consistent, repeatable deployments. This eliminates manual configuration errors and directly supports automated provisioning workflows.
Question 132 of 254Your AWS infrastructure configuration deploys a load balancer and several EC2 instances. Your security team wants to audit which resources were created and obtain their IDs for documentation. You're deciding whether to add output blocks to your configuration. What is the primary benefit of using output blocks for this purpose?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. output blocks provide a way to expose specific resource attributes for use without requiring others to parse the entire state file.
Output blocks expose specific resource attributes like IDs without requiring users to parse the entire state file. Terraform automatically tracks resources in state regardless of outputs, which eliminates the other options.
Question 133 of 254You want to use the new features available in Terraform 1.12.0 and change the required_version constraint in your configuration to ~> 1.12.0. After committing and pushing the change, your HCP Terraform run fails with an error stating that the Terraform version does not meet the required_version constraint. What is the most likely cause of this error?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. The Terraform version setting in HCP Terraform workspace is still set to an older version and needs to be updated to 1.12.0 or later.
HCP Terraform workspace settings dictate the exact Terraform version used for execution. If the workspace is pinned to an older version, the required_version constraint will fail until the workspace setting is manually updated.
Question 134 of 254One of your team members manually deleted an EC2 instance through the AWS console that Terraform was managing. What happens when you run terraform plan?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Terraform detects the missing instance and shows that it will recreate the resource
Terraform reconciles the current state file against your configuration and the real infrastructure. When a managed resource is deleted manually, the plan detects the drift and proposes recreating it to match your code.
Question 135 of 254Assuming default settings, which statement best describes how the local backend is used?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Terraform writes state to a file named terraform.tfstate in the current working directory.
By default, the local backend writes state to a file named terraform dot tfstate in the current working directory. It does not provide remote collaboration, encryption, or cloud-based locking.
Question 136 of 254Your team manages infrastructure with Terraform. A colleague manually modified a security group in the AWS console to allow emergency access last night. This morning, you run terraform plan without making any changes to your configuration files. What will the plan output show?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. the security group will show as needing updates to revert the manual changes and match your configuration
Terraform plan compares your desired configuration against the real infrastructure, detecting any drift. The plan will propose changes to revert the manual security group edits and match your code.
Question 137 of 254After successfully deploying resources for your test application, you decide to share it with users to gather feedback. You add a new module block to create a DNS record. What command do you need to run before Terraform can create the new resource?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. terraform init
Whenever you add a new module block, you must run terraform init to download the module and its providers. Plan and apply will fail if the working directory is not initialized first.
Question 138 of 254You must destroy and recreate only one database server managed by Terraform without editing the configuration. Which command should you run?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. terraform apply -replace="aws_instance.database"
The terraform apply -replace flag forces the destruction and recreation of a specific resource without altering its configuration. Avoid manual destroy commands or targets, because they can disrupt dependency ordering and leave the configuration out of sync.
Question 139 of 254After running terraform init in a new working directory, Thomas wants a dry run that saves the result for a later apply without creating resources. Which command should he use?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. run terraform plan -out=thomas
The terraform plan command with the out flag saves an execution plan to a file for later application. The refresh-only flag merely syncs state with real infrastructure, while show and output simply display existing data.
Question 140 of 254You're applying changes to your production Azure infrastructure. When you run terraform apply, the creation of an Azure Virtual Machine succeeds, but the subsequent creation of an Azure Network Security Group fails due to a quota limit. What is the state of your infrastructure and state file after this failure?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. The VM exists in Azure and is recorded in state, but the NSG does not exist. You can run apply again to create the NSG.
Terraform writes successfully created resources to the state file immediately during an apply. It does not roll back partial deployments, so the virtual machine remains tracked while the security group is simply skipped.
Question 141 of 254You are configuring remote state and must keep backend credentials out of both the .terraform directory and any saved plan files. Which method will meet this requirement?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. supply the credentials using environment variables on the machine executing plan/apply
Supplying credentials via environment variables keeps them completely out of configuration files and the local directory. Passing secrets through backend config files risks writing them to disk, and standard variables might be saved inside plan files.
Question 142 of 254You clone a Terraform repo, adjust a variable, and immediately run terraform apply. The command fails before planning, complaining about missing provider plugins. Which core workflow step should have happened first?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Run terraform init to set up the working directory and install providers.
The initialization command prepares the working directory by downloading required provider plugins and configuring the backend. Skipping this step prevents Terraform from recognizing providers, so always initialize your directory before planning or applying changes.
Question 143 of 254Steve needs to gather detailed information about an EC2 instance that he deployed earlier in the day. What command can Steve use to view this detailed information?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. terraform state show aws_instance.frontend
The state show command displays detailed attributes for a specific resource tracked in the current state. The general show command requires a state file path, while state list merely outputs resource addresses without attributes.
Question 144 of 254You have decided to move your state file to an Amazon S3 remote backend. You configure Terraform as shown below. What command should be run in order to complete the state migration while copying the existing state to the new backend?terraform { backend "s3" { bucket = "tf-state-bucket" key = "terraform/krausen/" region = "ap-south-1" } }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. terraform init -migrate-state
Running initialization with the migrate state flag transfers existing local state to a newly configured remote backend. Plan and apply commands cannot execute backend migrations, making initialization mandatory when changing state storage locations.
Question 145 of 254Your AWS provider configuration is shown in the exhibit below. When running a terraform plan, the region is set to us-west-2 in the provider block, but the AWS_REGION environment variable is set to eu-west-1. Which region will the provider use?provider "aws" { region = "us-west-2" default_tags { tags = { Project = "Project-502" } } }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. us-west-2 from the provider block configuration
Explicit arguments defined in a Terraform provider block always take precedence over default provider environment variables. The AWS provider will use the us-west-2 region because explicit configuration overrides the AWS_REGION environment variable.
Question 146 of 254In your Terraform configuration, you have created a terraform.tfvars file that sets the value of a variable named region to us-central1. You also have a default value on the variable block, setting it to us-east1. Which value takes effect?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. us-central1
Variable values defined in a terraform.tfvars file automatically override default values declared in a variable block. The file provides explicit variable assignments, ensuring us-central1 is used.
Question 147 of 254A platform team manages multiple HCP Terraform workspaces across various environments, each configured for a different repository. They want to define cloud credentials and common tags once, store them in a single location, and have those updates automatically apply to all workspaces in the project. What feature should the team use?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. create a variable set in HCP Terraform and assign it to all workspaces so shared credentials are updated
Variable sets allow you to define variables and credentials once and share them across multiple HCP Terraform workspaces. You can update shared values centrally without manually editing individual workspaces.
Question 148 of 254Your company uses AWS for production and Azure for development, and currently uses CloudFormation for AWS and ARM templates for Azure. What is the main benefit of switching to Terraform for both cloud platforms?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. teams can use the same workflow and configuration language for both clouds
Terraform provides a unified workflow and a single configuration language for managing multiple cloud providers. It does not abstract away provider-specific resources, but it standardizes your deployment process.
Question 149 of 254By default, where does Terraform download and store modules referenced in a configuration?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. in the .terraform/modules subdirectory in the current working directory
During initialization, Terraform downloads referenced modules into the hidden dot-terraform subdirectory. This local cache allows Terraform to reuse the modules for subsequent operations without downloading them again.
Question 150 of 254A team needs identical environments across regions that have a history of version control. What practice solves this most directly?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use Infrastructure as Code to declare resources and automate reproducible provisioning.
Infrastructure as Code uses declarative configuration files to automate provisioning and ensure environments are reproducible. Version control integration directly satisfies the requirement for history and identical deployments across multiple regions.
Question 151 of 254You need to search across all workspaces in your HCP Terraform organization to identify which workspaces manage the AWS S3 bucket named production-data-lake. Which HCP Terraform feature provides this search capability?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Explorer
The HCP Terraform Explorer feature allows users to search across all workspaces within an organization to identify specific managed resources. The other listed utilities do not exist as built-in platform features.
Question 152 of 254Your team has a CI/CD pipeline that runs terraform fmt -check, then terraform init, terraform validate, and finally terraform plan. A developer commits code with a typo in an argument name and writes instance_typo instead of instance_type. At which stage will the pipeline catch this error?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. terraform validate
The terraform validate command checks configuration files for syntax errors, including incorrect argument names like an instance type typo. The format command only checks stylistic spacing, while plan evaluates against the provider schema.
Question 153 of 254Which Terraform feature lets you transform, combine, and derive values for use in resource arguments?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. expressions with built-in functions
Expressions with built-in functions allow you to transform, combine, and derive values for resource arguments in Terraform. While variables hold raw inputs, functions provide the required data manipulation capabilities.
Question 154 of 254You have recently run terraform apply successfully using the local backend. You notice Terraform has created a new file called terraform.tfstate.backup in your working directory. What is the purpose of this file?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. It contains the previous state before the most recent apply, allowing manual recovery if the current state becomes corrupted
The terraform.tfstate.backup file stores the previous state before the most recent apply operation. This serves as a manual recovery point if the primary state file becomes corrupted.
Question 155 of 254Your startup is deciding between using local state with manual coordination or migrating to HCP Terraform for remote state management. Which advantage does HCP Terraform offer to address team collaboration challenges?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. automatic state locking, centralized state storage, state versioning, and audit logs for compliance
HCP Terraform provides centralized state storage, automatic locking, versioning, and audit logs. Local backends lack these built-in collaboration and security features, eliminating the distractors.
Question 156 of 254What variable type is represented by a pair of curly braces {} containing a series of key/value pairs?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. maps and objects
Curly braces containing key-value pairs represent map and object types in Terraform. Lists and tuples use square brackets, while strings and numbers use basic literal syntax.
Question 157 of 254After running terraform apply, you notice some odd behavior and need to investigate. Which of the following environment variables will configure Terraform to write more detailed logs to assist with troubleshooting?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. TF_LOG=TRACE
Setting the TF underscore LOG environment variable to TRACE enables verbose logging for troubleshooting. The other variables either do not exist or incorrectly attempt to assign log levels.
Question 158 of 254You're creating three GCP Compute Engine instances that must be placed in the same subnet. The subnet was created by another resource in your configuration. What's the correct approach to ensure all three instances use the same subnet?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. reference the subnet ID attribute in each instance's network interface block
You should reference the subnet resource's ID attribute within each instance configuration. This establishes explicit dependencies, whereas hardcoding values creates configuration drift and should be avoided.
Question 159 of 254True or False? You can continue using your local Terraform CLI to execute terraform plan and terraform apply operations while using HCP Terraform as the backend.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. True
HCP Terraform can function as a standard remote backend for local execution. While it also supports a remote operations mode that runs the CLI in the cloud, configuring it as a backend does not prevent you from executing plan and apply locally.
Question 160 of 254Given the variable below, which expression returns the string r2d2?variable "robots" { type = list(string) default = ["jarvis", "data", "r2d2", "ultron", "glaDOS"] }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. var.robots[2]
Terraform uses zero-based indexing for lists, meaning the first element is zero. The string r2d2 is the third item in the list, so it is accessed using the index two.
Question 161 of 254True or False? The terraform graph command can be used to generate a visual representation of a configuration or execution plan.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. True
The terraform graph command outputs a visual dependency graph using the DOT language. It helps you understand resource relationships in either your current configuration or a saved execution plan.
Question 162 of 254You're working on a Terraform project deploying VMware workloads. You now need to add a public DNS record in Amazon Route53, so you add an aws provider block to your configuration file. After saving the file, what should you do next?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. run terraform init to download the newly required AWS provider
The terraform init command initializes the working directory and downloads any newly required provider plugins. Providers are not downloaded automatically during plan or apply, making initialization the required next step.
Question 163 of 254True or False? In most cases, you can migrate Terraform state between supported backends at any time, even after running your first terraform apply.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. True
Terraform allows you to migrate state between supported backends at any time by updating the configuration and running terraform init. The tool automatically detects the changes and prompts you to migrate the existing state file.
Question 164 of 254True or False? You can specify multiple version constraints for a single module by using the version argument multiple times in the module block, such as version = ">= 1.0.0" and version = "< 2.0.0".
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. False
A module block only accepts the version argument a single time, meaning you cannot declare it multiple times. To satisfy multiple conditions, combine the constraints using comma-separated operators within a single string.
Question 165 of 254You add a check block to continuously monitor that your AWS EC2 instances are using encrypted EBS volumes. During terraform plan, the check fails. What happens?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Terraform reports the check failure as a warning but continues with the plan
Precondition and check block failures during a plan are reported as warnings rather than hard errors. This allows Terraform to output the proposed execution plan so you can review and correct the issue.
Question 166 of 254You need to deploy resources across two different Azure subscriptions in the same Terraform configuration. How do you configure Terraform to handle this?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Define multiple provider blocks with different alias attributes and reference them in resources.
Provider aliases let one configuration target multiple subscriptions or regions. Option D is a valid operational workaround, but the question asks how to handle it in a single configuration, which eliminates separate directories.
Question 167 of 254True or False? Running the terraform fmt command will modify Terraform configuration files in the current working directory and all its subdirectories.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. False
By default, the format command only processes files in the current working directory. It ignores subdirectories unless you explicitly provide the recursive flag, ensuring standard code formatting without unexpected widespread changes.
Question 168 of 254You run a standard terraform plan (without any flags) on your configuration. During the planning phase, what does Terraform do with the current state?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Terraform automatically queries the real infrastructure to refresh state data before generating the plan, but doesn't save the refreshed state to the file
A standard plan automatically queries real infrastructure to refresh state data in memory before generating the plan. This ensures accuracy, but the state file is only updated during apply.
Question 169 of 254True or False? When you create a pull request on the linked repository branch of the workspace using HCP Terraform, it automatically initiates a speculative plan for that workspace.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. True
Linked HCP Terraform workspaces automatically trigger speculative plans on pull requests to preview changes. The trap option is false, which assumes manual intervention is required for previews.
Question 170 of 254True or False? After successfully importing an existing resource using an import block and running terraform apply, you can immediately delete the import block from your configuration file without affecting Terraform's ability to manage the resource.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. True
Running apply on an import block adds the resource to Terraform state, linking it to your configuration. You can safely delete the import block after the apply completes because the resource management link is now persistent.
Question 171 of 254You need to use a public Azure virtual network module from the Terraform registry, keep it on a 5.x release, and pass name and address_space inputs from variables. Which module block meets all requirements?
Select 6 answers.
Show answer & explanation
Correct answer: A. module "vnet" { · B. source = "Azure/network/azurerm" · C. version = "~> 5.0" · D. name = var.name · E. address_space = var.address_space · F. }
The required module block uses the registry source, the tilde greater than constraint for the major version, and unquoted variable expressions. The distractors use local paths or incorrect syntax that violates these registry rules.
Question 172 of 254You have declared a variable named db_connection_string inside of the app module. However, when you run a terraform apply, you get the following error message:Error: Reference to undeclared input variableon main.tf line 35:35: db_path = var.db_connection_stringAn input variable with the name "db_connection_string" has not been declared. This variable can be declared with a variable "db_connection_string" {} block.Why would you receive such an error?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: F. since the variable was declared within the module, it cannot be referenced outside of the module
Variables declared inside a module are scoped locally and cannot be referenced by the parent configuration. The parent fails because the variable is undeclared at its root scope.
Question 173 of 254By default, where does Terraform CLI store its state about the resources it is managing?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. in the terraform.tfstate file in the current working directory using the local backend
Terraform CLI defaults to the local backend, storing state in a file named terraform dot t f state in your current working directory. The dot terraform directory only holds plugins and modules, not the active state file.
Question 174 of 254Which Terraform variable type should you use to store key-value pairs such as environment-specific configuration settings?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. use a map to satisfy this requirement
A map is the correct variable type for storing key-value pairs. Lists and arrays provide sequential indexed collections, whereas a string only holds a single text value.
Question 175 of 254Your AWS configuration creates multiple subnets using for_each, and you need to launch an EC2 instance in a specific subnet, as shown in the exhibit below. Which expression correctly references the private subnet's ID for your EC2 instance?resource "aws_subnet" "app" { for_each = { public = "10.0.5.0/24" private = "10.0.0.0/24" data = "10.0.2.0/24" } vpc_id = aws_vpc.main.id cidr_block = each.value }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. aws_subnet.app["private"].id
When a resource uses for_each with a map, Terraform creates a map of resources that you index by their string keys. Options relying on dot notation or numeric indexes fail because the resource is a map, not a list or object.
Question 176 of 254You have an existing Google Cloud Compute Engine instance with ID my-instance that was created manually. Now, you want to manage this resource using Terraform. How can you import the existing instance into your Terraform state using the command line?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. terraform import google_compute_instance.my_instance my-instance
The terraform import command maps existing infrastructure into your Terraform state. You must provide the resource address first, followed by the cloud provider's specific resource identifier, so apply and init are incorrect here.
Question 177 of 254A coworker gave you a Terraform configuration file containing the code snippet below. Where will Terraform download the referenced provider from?terraform { required_providers { kubernetes = { source = "hashicorp/kubernetes" version = "2.38.0" } } }provider "kubernetes" { # Configuration below …
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. the official Terraform public registry
Terraform resolves provider sources from the public registry by default, using the namespace and name as the address. It does not pull source code directly from GitHub or a local execution directory.
Question 178 of 254Based on the code snippet below, what does the source argument indicate about where Terraform will find this module?module "vm_deployment" { source = "./modules/vsphere_vm" datacenter = data.vsphere_datacenter.dc.name datastore = data.vsphere_datastore.datastore.name resource_pool = data.vsphere_resource_pool.pool.id network = data.vsphere_network.network.id template = data.vsphere_virtual_machine.template.id vm_name = "btk-server-01" cpu_count = 2 memory = 4096 }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. in the modules subdirectory in the current working directory where Terraform is being executed
A module source starting with dot slash indicates a local path relative to your current working directory. This tells Terraform to read the module directly from your local file system instead of fetching it from a registry.
Question 179 of 254Which command correctly sets a Terraform input variable named user to the value dbadmin01 using an environment variable?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. export TF_VAR_user=dbadmin01
Terraform automatically reads environment variables prefixed with TF underscore VAR to populate input variables. Generic variables or TF underscore INPUT prefixes do not map to variable definitions in your configuration.
Question 180 of 254You're creating a GCP configuration that requires creating a storage bucket first, then creating an IAM binding that grants access to it. The problem is that the IAM binding doesn't directly reference the bucket resource, so it's being created too quickly. How do you ensure the bucket is created before the IAM binding is applied?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. add a depends_on = [google_storage_bucket.data] to the IAM binding resource block
Use the depends on argument inside the IAM binding resource to force Terraform to create the bucket first. Lifecycle blocks only manage resource replacement behavior, and splitting applies breaks infrastructure as code management.
Question 181 of 254In your Terraform configuration, you need to set a variable value based on another variable. If var.environment equals prod, you want to set the instance count to 5, otherwise set it to 2. Which expression correctly implements this logic?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. instance_count = var.environment == "prod" ? 5 : 2
The conditional expression in Terraform uses the format condition question mark true value colon false value. The other options are invalid syntax because Terraform does not support if then else statements or a lookup function with four arguments.
Question 182 of 254Your team uses Terraform CLI to manage infrastructure that hosts multiple applications, and multiple team members need to make updates to these resources. What Terraform feature prevents conflicts when multiple team members attempt to modify infrastructure simultaneously?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. state locking
State locking prevents concurrent modifications by ensuring only one user can update infrastructure at a given time. Version control tracks code changes but does not lock live infrastructure deployments, while local backends and provisioners serve entirely different operational purposes.
Question 183 of 254Your organization is using HCP Terraform with separate workspaces for networking and application infrastructure. You want the app-tier workspace to automatically start a new run whenever networking-vpc finishes a successful apply so downstream changes stay in sync. Which HCP Terraform feature should you configure?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. run triggers between the two workspaces
Run triggers allow you to automatically start a new run in a downstream workspace whenever an upstream workspace successfully applies changes. Remote state data sources only read data passively, and run tasks execute external integrations rather than chaining workspace executions.
Question 184 of 254Your team of five engineers is building AWS infrastructure with Terraform. Currently, everyone works with the local backend and shares the terraform.tfstate file via Slack after making changes. What is the primary reason this workflow should be replaced with a remote backend?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Remote backends provide state locking to prevent concurrent modifications and centralized storage for team collaboration.
Remote backends provide state locking and centralized storage, which are essential for safe team collaboration. The local backend can manage AWS resources, and state is always stored in JSON format regardless of the backend used.
Question 185 of 254What action does the command terraform init perform in a new working directory?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. downloads plugins and retrieves the source code for referenced modules
The terraform init command initializes a working directory by downloading necessary provider plugins and retrieving the source code for referenced modules. Formatting, validation, and state comparisons are handled by the fmt, validate, and plan commands respectively.
Question 186 of 254You received a Terraform configuration file from your colleague, but you're having difficulty reading it because the parameters and blocks are misaligned. What command can you run to quickly align the configuration file and make it easier to read?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. terraform fmt
The terraform fmt command automatically formats Terraform configuration files to canonical standards and alignments. The init command sets up the environment, while workspace and state commands manage multiple deployments and existing infrastructure mappings.
Question 187 of 254In Terraform, how are input variables scoped with respect to modules?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Variables are local to each module, and child modules can only access parent values when passed to them.
Input variables are scoped locally to each specific module and must be explicitly passed to child modules. Parent variables are never automatically visible to children, ensuring strict isolation and preventing unintended configuration overrides.
Question 188 of 254You moved an existing EC2 instance from aws_instance.web to module.servers.aws_instance.web as part of a refactoring project. Now terraform plan wants to destroy and recreate it. Which block should you add to prevent Terraform from recreating the resource?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. moved block
The moved block informs Terraform that a resource has changed its location within the configuration without altering the real infrastructure. This updates the state file safely to prevent Terraform from destroying and recreating the resource during the next apply.
Question 189 of 254Your team is developing Terraform configurations that require database passwords and API tokens. A developer suggests marking these values as sensitive in variable blocks to prevent them from being stored in state files. What is the behavior of the sensitive argument on variables and outputs in Terraform?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. The sensitive argument redacts values from CLI output and the HCP Terraform UI, but still stores them in state and plan files.
Marking a variable or output as sensitive redacts its values from command line output and graphical user interfaces. However, it does not prevent the values from being stored in plain text within state and plan files, which still require secure backend protection.
Question 190 of 254Your team uses the AWS provider that is pinned to version = "6.0.0". The AWS provider is installed from the public Terraform Registry. A critical security patch is released in version 6.0.3. You update the version constraint to version = "~> 6.0.0" and run terraform init. Why does Terraform still continue to use version 6.0.0?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. The dependency lock file still references 6.0.0, and terraform init without the -upgrade flag respects the lock file.
The dependency lock file ensures consistent provider versions are used across environments by locking them to specific versions. To upgrade past a locked version, you must run terraform init with the upgrade flag, regardless of the version constraint updates.
Question 191 of 254You're developing a reusable Terraform module for your team. The module creates networking resources and accepts several input variables. Before publishing the module to your private registry, what's the best way to verify the module's configuration is valid without actually creating any infrastructure?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. run terraform validate in the module directory after running terraform init
The terraform validate command checks syntax and configuration validity without contacting cloud APIs. You must run terraform init first to initialize the backend and download the necessary providers.
Question 192 of 254What does the version constraint ~> 3.0.0 mean in a provider requirement?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. allow only patch releases within version 3.0.x, like 3.0.1 but not 3.1.0
The pessimistic constraint tilde 3.0.0 allows patch updates like 3.0.1 but blocks minor version upgrades like 3.1.0. This safely pulls bug fixes while avoiding breaking changes.
Question 193 of 254Your team uses a VCS-driven workflow in HCP Terraform. When a pull request is opened that includes Terraform changes, what happens automatically in HCP Terraform?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. HCP Terraform runs a speculative plan and posts the results as a comment on the pull request
HCP Terraform automatically triggers a speculative plan during a pull request to preview changes. The results post directly to the pull request as a comment for review without modifying infrastructure.
Question 194 of 254True or False? Under special circumstances, Terraform can be used without state when deploying and managing resources.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. False
Terraform always requires a state file to map configuration to real-world resources and track metadata. Even for simple deployments, state is generated automatically to maintain dependencies and track attributes.
Question 195 of 254What is the recommended approach for letting teams across your organization securely consume a shared Terraform state?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. configure a remote backend that supports locking and access control
Remote backends are the recommended way to share state because they provide state locking and support access controls. Committing state to version control is a security risk, and local files cannot be safely shared.
Question 196 of 254You're building a Google Cloud Platform infrastructure and write the following configuration shown in the exhibit below. What will happen when you run terraform apply? data "google_compute_network" "shared" { name = "bk-company-network" } resource "google_compute_subnetwork" "app" { name = "bk-app-subnet" ip_cidr_range = "10.5.2.0/24" network = data.google_compute_network.shared.id region = "us-central1" }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Terraform will create the subnet in the existing shared network without modifying the network itself
A data block reads information from an existing resource without managing it. Terraform will create the subnetwork but will leave the existing network completely unmodified.
Question 197 of 254Your child module creates an Azure storage account and defines this output as shown in the exhibit below. output "storage_account_name" { value = azurerm_storage_account.data.name } In your root module, you call this module as shown below: module "storage" { source = "./modules/storage" } How do you correctly reference the storage account name in your root module?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. module.storage.storage_account_name
To access values from a child module in the root module, use the syntax module dot module name dot output name. Var is strictly for input variables, while outputs is not a valid attribute.
Question 198 of 254You have decided to use a module from the Terraform registry to deploy resources on your private cloud. What parameter should you include to prevent unexpected issues if the module gets updated?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. version
Specifying the version argument constrains the module to a known release, preventing unexpected breaking changes. Without it, Terraform might pull the latest version and alter your infrastructure unexpectedly.
Question 199 of 254A child module creates a new subnet. Which Terraform block should you define in the child so the root module can read the subnet ID?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. output block
An output block exports values from a child module so the parent module can reference them. Data blocks are only for reading existing resources, and resource blocks do not inherently expose attributes.
Question 200 of 254True or False? For each unique platform you create resources on, Terraform requires the use of a different provider/plugin.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. True
Terraform uses specific providers to interact with each unique platform via its API. Because each cloud or service has distinct endpoints, you must install the appropriate provider plugin for every platform you manage.
Question 201 of 254You are currently using version 4.50.0 of the azurerm provider. You need to provision a few resources that are supported with the latest provider version, so you add the resource blocks and update the required_providers block to version = 4.53.0. What happens when you run terraform plan?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Terraform shows an error and requires you to run the command terraform init -upgrade
The lock file pins the provider version, so running plan will fail until you update it. To download the new version and update the lock file, you must run terraform init with the upgrade flag.
Question 202 of 254After many hours of development, you've created a new Terraform configuration from scratch, and now you want to test it. Before provisioning the resources, what is the first command you should run?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. terraform init
The core Terraform workflow begins with init to initialize the directory and download required providers. You cannot run plan or apply successfully until this initialization step downloads the necessary plugins.
Question 203 of 254You have declared the variable as shown below. How should you reference this variable throughout your configuration?variable "aws_region" { type = string description = "region used to deploy workloads" default = "us-east-1"validation { condition = can(regex("^us-", var.aws_region)) error_message = "The value must be a region in the USA, starting with \"us-\"." } }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. var.aws_region
Input variables are referenced using the var prefix. Distractors using variable fail because that block defines a variable but does not access its value at runtime.
Question 204 of 254True or False? HCP Terraform drift detection can automatically fix detected drift by running terraform apply to bring infrastructure back into compliance with your configuration.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. False
HCP Terraform drift detection identifies differences between actual infrastructure and desired configuration, but it cannot automatically fix the detected drift. Users must manually review the drift report and apply necessary changes.
Question 205 of 254In HCP Terraform, what does it mean to run Terraform as a remote operation?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Terraform runs are managed and executed on HCP Terraform infrastructure
Remote operations in HCP Terraform execute runs on managed infrastructure rather than your local machine. This centralizes execution, providing consistent logs and controlled access to state and secrets.
Question 206 of 254Your organization's Terraform configuration requires AWS access keys to provision infrastructure. The team is concerned about security best practices for managing these credentials. Which approach follows Terraform best practices for managing sensitive credentials like cloud provider access keys?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Store credentials in an external secrets manager such as HashiCorp Vault and reference them in Terraform using data sources.
Best practice is to retrieve sensitive credentials from an external secrets manager like HashiCorp Vault. Hardcoding secrets or merely ignoring tfvars files is insecure because variables are still exposed in state files.
Question 207 of 254Your team is evaluating Infrastructure as Code (IaC). Which of the following statements is inaccurate regarding the benefits of IaC?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. eliminates API communication to the target platform
Infrastructure as Code tools rely entirely on API communication to provision and manage resources. Distractors mentioning self-documenting infrastructure, code sharing, and versioning are all valid benefits.
Question 208 of 254What command can be used to display the resources that are being managed by Terraform?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. terraform show
The terraform show command provides a human-readable output of the current state or a plan file. This allows you to inspect managed resources and their attributes directly from the CLI.
Question 209 of 254A team member ran terraform apply and the operation was interrupted (their laptop crashed), and the state lock wasn't released. Other team members can't run Terraform commands because they get a "state is locked" error. What command should be used to resolve this situation?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. use the command terraform force-unlock <lock-id> to manually release the stuck lock
The terraform force-unlock command manually releases a stuck state lock using the specific lock ID. Deleting the state file or bypassing the lock introduces severe data corruption risks.
Question 210 of 254True or False? Enabling Terraform logging with TF_LOG will cause Terraform to skip the plan phase and apply changes directly to reduce the amount of logged information.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. False
Enabling TF_LOG strictly adjusts verbosity for troubleshooting without altering workflow phases. Terraform safely maintains its standard initialization, planning, and applying execution steps.
Question 211 of 254Your organization manages dozens of HCP Terraform workspaces used by different teams. You have been asked to simplify the structure, improve access controls, and group related infrastructure by function. How can you organize these workspaces?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. place each team-related workspace into a team project
HCP Terraform projects let you group related workspaces to simplify organization and manage team access. Creating multiple organizations is excessive for a single company, while tags and variable sets do not enforce access controls.
Question 212 of 254Your teammate runs terraform plan and shares the output showing 15 resources to be created. You review it and approve the changes. However, before applying, your teammate runs terraform plan again. What will happen?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Terraform will generate a new plan that may differ from the first one if any state or configuration changes occurred
Running terraform plan always evaluates the current configuration and state, generating a fresh plan. A previously saved plan file is not automatically reused unless explicitly passed to apply, so any external changes will yield a new plan.
Question 213 of 254You are managing multiple resources using Terraform. You want to destroy all the resources except for a single web server, which should remain running but no longer be managed by Terraform. How can you accomplish this?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Add a removed block with from = <address> to stop managing the web server, then run terraform apply followed by terraform destroy
The removed block is the correct way to safely stop managing a resource without destroying it, allowing you to subsequently destroy the rest of the stack. Distractors involving prevent_destroy or -target either fail the destroy step or require complex targeting.
Question 214 of 254You need to authenticate your local Terraform CLI to run plans against an HCP Terraform workspace. According to HashiCorp, what is the correct way to set up authentication?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Run terraform login, generate a user API token in the browser, and let Terraform store that token in ~/.terraform.d/credentials.tfrc.json for future commands.
The terraform login command opens a browser to generate an API token and stores it locally in the credentials dot tfrc dot json file. Committing access keys to source control is a severe security anti-pattern and does not authenticate the command line interface.
Question 215 of 254True or False? HCP Terraform automatically stores state files remotely and provides state locking to prevent concurrent operations by multiple users from corrupting the state.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. True
HCP Terraform provides fully managed remote state storage that includes automatic state locking. This locking mechanism prevents concurrent operations from corrupting the state file, ensuring safe team collaboration without requiring manual backend configuration.
Question 216 of 254You run terraform plan on your configuration that uses a remote backend with state locking. What happens with the state lock during this operation?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Terraform acquires a lock to prevent state modification
Terraform acquires a state lock during the plan operation to prevent state modifications by concurrent runs. This ensures the state file does not change while the plan is being generated.
Question 217 of 254During terraform apply, you notice Terraform is using version 5.0.0 of the AWS provider, but you know version 5.31.0 is available and includes a bug fix you need. The current provider version constraint is ~> 5.0. What command should you run to upgrade to version 5.31.0?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. run terraform init -upgrade to update providers to the newest version matching the constraints
Running terraform init with the upgrade flag updates providers to the newest version matching your configured constraints. The dependency lock file pins provider versions, so a standard initialization alone will not bypass it.
Question 218 of 254You are using Terraform to manage some of your GCP infrastructure. You notice that a new version of the provider now includes additional functionality you want to take advantage of. What command do you need to run to upgrade the provider?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. terraform init -upgrade
Running terraform init with the upgrade flag updates your providers to the newest compatible version. The dependency lock file pins specific versions, so standard initialization ignores newer releases.
Question 219 of 254True or False? The `terraform state list` and `terraform show` commands modify the state file when executed, so you should always create a backup before running them during incident investigation.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. False
The state list and show commands are strictly read-only operations. They safely inspect resources during troubleshooting without modifying the state file, unlike destructive subcommands such as state remove or state move.
Question 220 of 254What is the purpose of the .terraform.lock.hcl file in a Terraform project?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. It locks provider versions and checksums to ensure consistent installs.
The .terraform.lock.hcl file locks provider versions and checksums to ensure consistent installs across environments. It does not cache plans, store state, or record variable defaults.
Question 221 of 254You have a module block definition using version = "2.1.0". The module publisher releases version 2.1.5 with bug fixes. You update your module block to version = "~> 2.1.0". What command must you run to update to the latest version?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. terraform init -upgrade
Running terraform init -upgrade updates dependencies to the latest allowed versions, including modules. The standard terraform init command will not override the locked version if it is already present in the lock file.
Question 222 of 254What is the primary purpose of Terraform state?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. to track the mapping between resources in your configuration and real-world infrastructure
Terraform state tracks the mapping between resources in your configuration and real-world infrastructure. It is not a backup mechanism, syntax validator, or encryption tool for sensitive values.
Question 223 of 254When running a terraform plan, how can you save the plan so it can be applied at a later time?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. use the -out flag
The -out flag saves the generated plan to a file for later application with terraform apply. There are no -save or -file flags, and saving plans is a core automation feature.
Question 224 of 254You run terraform validate and receive the response: "Success! The configuration is valid." Afterward, you run terraform plan and receive an error: "Error: Invalid provider configuration – The argument 'region' is required." Why did validate succeed but plan fail?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. validate only checks syntax and internal consistency, not provider-specific requirements
The terraform validate command only checks syntax and internal consistency, not provider-specific requirements. The plan command actually connects to providers, revealing missing required arguments like region.
Question 225 of 254You're creating a variable for the cloud provider region and want to ensure users only provide valid US regions. You want Terraform to reject invalid values before any resources are created. Where should you add this validation logic?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. add a validation block inside the variable declaration
Adding a validation block inside the variable declaration enforces constraints before resources are created. Preconditions and postconditions apply to resource lifecycle phases rather than input variable evaluation.
Question 226 of 254You are modifying a Terraform configuration that manages production infrastructure. Before applying the changes, you want to preview exactly what resources will be created, modified, or destroyed without making any actual changes. Which command should you run?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. run a terraform plan and validate the changes that will be made
The terraform plan command generates an execution plan that previews exactly which resources will be created, modified, or destroyed. Running validate only checks for syntax errors, and refresh only compares state to real infrastructure without showing config changes.
Question 227 of 254What block type allows you to query information about an existing resource for use in your Terraform configuration?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. data block
A data block queries information about existing resources without managing or provisioning them. An import block is used to bring existing infrastructure under management, whereas a data block simply reads attributes for use in configuration.
Question 228 of 254You need a public module to create a VPC. How do you search and get the value to reference it in your configuration?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Use registry.terraform.io search, open the module page, and copy its source address.
Public modules are discovered on the Terraform Registry, where you can review details and copy the exact source address. Guessing GitHub URLs or copying raw resource examples bypasses the official registry workflow and lacks the proper namespace, name, and provider formatting.
Question 229 of 254You successfully imported an existing Azure Virtual Network into Terraform using an import block. The resource is now in your state file. When you run terraform plan immediately after the import, Terraform shows that it wants to modify several attributes of the virtual network, including tags and DNS servers. What is the most likely cause of this behavior?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. The resource block in your configuration does not exactly match all the settings of the existing virtual network, so Terraform wants to update the resource to match your code.
Terraform generates a plan to reconcile differences between your configuration and the current state. The drift occurs because the resource block does not exactly match the existing settings, causing Terraform to propose updates to align the infrastructure with the code.
Question 230 of 254In HCP Terraform, what is a change request?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. a tracked request that lists planned changes for one or more workspaces so teams can manage a backlog of infrastructure work
A change request in HCP Terraform is a tracked request that lists planned changes for one or more workspaces. It helps teams manage a backlog of infrastructure work by organizing and documenting planned modifications.
Question 231 of 254You have a module named prod_subnet that outputs the subnet_id of the subnet created by the module. How would you reference the subnet ID when using it as an input for another module?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. subnet = module.prod_subnet.subnet_id
Module outputs are accessed using the module keyword, the module name, and the output name. This standard syntax allows you to pass data between different modules seamlessly.
Question 232 of 254Your organization is using HCP Terraform. A new app team group should be able to view state and queue plans across its workspaces, but they must not be allowed to edit variables or change workspace settings. As the admin, what is the most efficient way to grant this access?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Create a new team for the app team, add the users to it, and assign the team the Plan role on its workspaces.
Assigning the team the Plan role on its workspaces allows users to view state and queue runs. This role restricts variable edits and workspace settings, satisfying the least privilege requirement.
Question 233 of 254You need to destroy all infrastructure managed by an HCP Terraform workspace. What is the correct way to accomplish this using the CLI-driven workflow?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. run terraform destroy in your local terminal while authenticated to HCP Terraform
Running terraform destroy in your local terminal removes all resources defined in the configuration. This uses the standard CLI workflow to communicate the destructive changes directly to the remote workspace.
Question 234 of 254You have a tiered module structure for building your infrastructure. Your root module calls a network module, which internally calls a subnet module to retrieve subnet IDs. You also want to use these subnet IDs in the root module. What must be configured for this to work?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. The network module must define an output that exposes the subnet IDs from its child subnet module, then the root module can access it via module.network.subnet_ids
Module outputs do not automatically bubble up through nested tiers. An intermediate module must explicitly declare an output block to expose a child module's value to the root configuration.
Question 235 of 254Your organization requires that no security group within your public cloud environment should list 0.0.0.0/0 as a source of network traffic. How can you proactively enforce this policy and block the execution of Terraform configurations containing this string?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Create a Sentinel or OPA policy that checks for the string and denies the terraform apply if the string exists.
Sentinel and Open Policy Agent integrate with Terraform to enforce custom governance rules. These policy-as-code tools evaluate configurations before apply and actively block execution if a restricted string is detected.
Question 236 of 254You're creating an Azure VM that needs to be placed in an existing Virtual Network that was created outside of Terraform. You've added a data source to query it. Which expression below can be used to reference the VNet ID for use in your VM's network interface?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. data.azurerm_virtual_network.existing.id
Data sources retrieve information about existing infrastructure using the data prefix. You access their exported attributes the same way you do for managed resources by appending the desired attribute to the reference.
Question 237 of 254You're reviewing a colleague's Terraform configuration for a VMware vSphere deployment and notice the formatting is inconsistent. You decide to run `terraform fmt` on this file. What changes will the command make?“`hcl resource "vsphere_virtual_machine" "bk-web" { name = "bk-web-server" resource_pool_id = data.vsphere_resource_pool.pool.id datastore_id = data.vsphere_datastore.datastore.id num_cpus = 2 memory = 4096 } “`
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. it will align the equals signs and fix indentation to follow Terraform style conventions
The formatting command applies canonical Terraform style and conventions. It adjusts spacing by aligning the equals signs and fixes indentation, but it never evaluates logic or adds missing arguments.
Question 238 of 254You have a Terraform configuration file with no defined resources. However, there is a related state file for resources that were created on AWS. What happens when you run a `terraform apply`?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Terraform will destroy all of the resources
Terraform reconciles your state file with the active configuration to determine desired infrastructure state. If a resource exists in state but is absent from the configuration, Terraform assumes you intended to delete it.
Question 239 of 254You manage a Kubernetes cluster with Terraform that includes many different deployments, services, and various configmaps. Your team decides to migrate to a new cluster, and you need to completely tear down the old cluster. After running `terraform destroy` and confirming, what happens to the state file?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. The state file remains, but no longer contains any resources
The destroy command removes all real world infrastructure tracked by the configuration. While those resources vanish from state, the state file itself is safely retained by Terraform and is left completely empty.
Question 240 of 254True or False? After modifying the backend configuration in your terraform block (such as changing the S3 bucket name), you must run `terraform init` again for the changes to take effect.
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. True
The initialization command is responsible for preparing the working directory and configuring the backend. Whenever backend settings change, you must run init again so Terraform migrates state to the new target.
Question 241 of 254You are refactoring your Terraform configuration and want to rename your resources to adhere to a new naming standard. How can you update the Terraform state to reflect the new names without affecting the resources themselves?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. use a moved block to indicate that the resource has been relocated to the new resource block
A moved block declaratively tells Terraform that a resource has a new address. During the next plan, Terraform updates the state to reflect the new name without destroying or recreating the underlying infrastructure.
Question 242 of 254Which of the following commands can be used to detect configuration drift?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. terraform plan -refresh-only
The command terraform plan -refresh-only detects configuration drift by refreshing the state without staging changes. Other commands like init or fmt do not compare state against real-world infrastructure.
Question 243 of 254Your team wants to use HashiCorp Vault to manage database credentials for Terraform-managed resources. You need Terraform to authenticate to Vault and retrieve secrets dynamically. What is required in your Terraform configuration to enable this integration?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. configure the Vault provider with credentials and use Vault data sources to retrieve secrets
Configuring the Vault provider with credentials and using its data sources lets Terraform securely retrieve dynamic secrets. Hardcoding tokens in variables or tfvars files violates security best practices and is not the intended provider integration.
Question 244 of 254You have three S3 buckets that were manually created with names app-data-dev, app-data-staging, and app-data-prod. You want to manage them in Terraform using a single resource block with for_each as shown in the exhibit below. How should you structure the import blocks to import all three buckets?resource "aws_s3_bucket" "app_data" { for_each = toset(["dev", "staging", "prod"]) bucket = "app-data-${each.key}" }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Create a single import block with for_each = toset(["dev", "staging", "prod"]), to = aws_s3_bucket.app_data[each.key], and id = "app-data-${each.key}
A single import block can use for_each to import multiple resources into a for_each resource block. The target must reference the specific instance using the each key, and the id must uniquely identify the real-world object.
Question 245 of 254You need to define a variable that contains subnet configuration data, including an IP address (string) and a subnet mask (number). What type of variable should you use?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. type = object()
Using an object type variable allows you to define a structured input containing multiple attributes of different types. Simple types like string or bool cannot group related fields together.
Question 246 of 254You have a Kubernetes deployment managed by Terraform. You need to replace a specific pod deployment because a critical security patch requires recreating resources, but you want to keep all other resources unchanged. Your configuration is shown in the exhibit below. What command should you use to force the replacement of only the api deployment? resource "kubernetes_deployment" "api" { metadata { name = "api-server" } # … } resource "kubernetes_deployment" "worker" { metadata { name = "background-worker" } # … } resource "kubernetes_service" "api-svc" { metadata { name = "api-service" } # … }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. terraform apply -replace=kubernetes_deployment.api
The terraform apply command with the replace flag forces Terraform to taint and recreate a specific resource. Using the target flag would only limit the scope of the operation, whereas replace explicitly destroys and recreates the chosen deployment without affecting others.
Question 247 of 254You want to use an AWS VPC module from the public registry, but ensure you only accept patch updates automatically, never minor or major version updates. Your current version is 5.1.2. Which version should you add to the module block to meet this requirement?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. version = "~> 5.1.2"
The pessimistic constraint operator allows the rightmost specified version segment to increment. Specifying the version as five dot one dot two permits patch updates like five dot one dot three, but prevents minor updates to five dot two dot zero.
Question 248 of 254You enabled verbose logging to troubleshoot an issue. After resolving the problem, what should you do to disable Terraform logging for subsequent operations?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. unset the TF_LOG environment variable
Unsetting the TF_LOG environment variable is the correct way to disable Terraform logging for subsequent operations. Removing the environment variable causes Terraform to revert to its default behavior, whereas setting it to OFF or NONE are invalid values.
Question 249 of 254You have run terraform apply, and midway through provisioning resources, your network connection drops, and the command fails. When connectivity is restored, you run terraform plan to assess the status of the infrastructure. What will the plan output show?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. only the resources that failed to create or were not yet attempted will show as needing to be created
Terraform updates the state file incrementally as resources are successfully provisioned during an apply operation. A dropped connection triggers a partial failure, so the subsequent plan only shows the incomplete or unattempted resources instead of recreating the successfully deployed ones.
Question 250 of 254What type of dependency does the depends_on argument create?resource "aws_instance" "eCommerce" { ami = "ami-3256b422" instance_type = "m6a.large" depends_on = [aws_s3_bucket.customer_data] }
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. explicit dependency
The depends_on argument creates an explicit dependency between resources. Terraform builds implicit dependencies automatically from expressions, but depends_on manually forces the order of operations.
Question 251 of 254Which of the following best describes the default local backend in Terraform?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Terraform stores state in a file named terraform.tfstate in the current working directory and uses system APIs for state locking
The default local backend stores state in a local file named terraform dot tfstate within the current working directory. It uses system APIs for state locking to prevent concurrent operations from corrupting the state.
Question 252 of 254When running Terraform, you are confused about the source of certain values used within a resource. How can you enable more logging to help with troubleshooting?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Set the environment variable TF_LOG=TRACE in your shell environment.
Setting the TF_LOG environment variable to TRACE provides highly detailed output for troubleshooting. The log path variable only dictates where logs are written, so setting TRACE is required to actually increase verbosity.
Question 253 of 254You are adding a new resource block and notice it doesn't specify a provider argument. How does Terraform determine which provider configuration to use?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Terraform selects the provider configuration with a matching type in the same module.
Terraform automatically infers the correct provider configuration by matching the resource type prefix in the same module. Explicit provider arguments are only required when using multiple configurations of the same provider, such as targeting different regions.
Question 254 of 254You have a list variable var.vm_ids containing three VM IDs. You need to access the second VM ID in the list. Which expression retrieves this value?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. image = var.vm_ids[1]
Terraform list indices are zero-based, so index one accesses the second element in a list. Option D uses index two, which would incorrectly retrieve the third item in your list of virtual machine identifiers.
More free practice tests at certpunch.com and new video rounds on @CertPunch.