HashiCorp Terraform-Associate-004 Dumps

Dynamic blocks in Terraform allow you to define multiple nested blocks within a resource based on the values of a variable. This feature is particularly useful for scenarios where the number of nested blocks is not fixed and can change based on variable input.

Rationale for Correct Answer: terraform graph outputs a Graphviz DOT representation of Terraform’s dependency graph, which you can pipe into Graphviz tools (e.g., dot) to visualize resource/module dependencies.

Analysis of Incorrect Options (Distractors):

B: terraform show displays state or a plan file in human-readable form (or JSON with -json), not DOT.

C: terraform refresh (deprecated as a standalone command in newer workflows) refreshes state, not graph output.

D: terraform output prints root module outputs, not dependency graphs.

Key Concept: Visualizing Terraform’s dependency graph using terraform graph.

Sensitive values such as API tokens should be stored in a secure way, either in Terraform Cloud variables marked as sensitive or in HashiCorp Vault. Storing secrets in version control systems or plaintext files is not recommended.

Terraform can call modules from various sources including the public Terraform Registry, private registries, local file paths, or version control systems like GitHub.

Running terraform fmt without any flags in a directory with Terraform configuration files will not check the formatting of those files without changing their contents, but will actually rewrite them to a canonical format and style. If you want to check the formatting without making changes, you need to use the -check flag.

It is not a best practice to store secret data in the same version control repository as your Terraform configuration, as it could expose your sensitive information to unauthorized parties or compromise your security. You should use environment variables, vaults, or other mechanisms to store and provide secret data to Terraform.

Automated Visualization: HCP Terraform providesvisualization toolsthat map infrastructure configurations, helping users manage complex architectures.

Remote State Storage: Terraform Cloud offersremote state management, essential for teams working collaboratively on shared infrastructure, ensuring consistency and avoiding state conflicts.

For more information, consultTerraform Cloud and HCP Terraform featuresin the official documentation.

A provider configuration block is not required in every Terraform configuration. A provider configuration block can be omitted if its contents would otherwise be empty. Terraform assumes an empty default configuration for any provider that is not explicitly configured. However, some providers may require some configuration arguments (such as endpoint URLs or cloud regions) before they can be used. A provider’s documentation should list which configuration arguments it expects. For providers distributed on the Terraform Registry, versioned documentation is available on each provider’s page, via the “Documentation” link in the provider’s header1. References = [Provider Configuration]1

Terraform providers are not always installed from the Internet. There are other ways to install provider plugins, such as from a local mirror or cache, from a local filesystem directory, or from a network filesystem. These methods can be useful for offline or air-gapped environments, or for customizing the installation process. You can configure the provider installation methods using the provider_installation block in the CLI configuration file.

terraform apply can runwithout explicitly running terraform plan first.

Running terraform plan before apply isrecommendedbutnot mandatory.

If no plan file is provided, terraform applyautomatically creates and executes a planbefore applying changes.

Official Terraform Documentation Reference:

terraform apply - HashiCorp Documentation

Rationale for Correct Answer (B):

Provider version constraints in Terraform are specified using the version argument in the required_providers block, e.g.:

terraform {

required_providers {

aws = {

source = " hashicorp/aws "

version = " 3.1 "

}

}

}

This ensures Terraform always uses a specific provider version (or constraint expression).

Analysis of Incorrect Options:

A. version: Incomplete, no value specified.

C. version: 3.1: Incorrect syntax, Terraform uses = not :.

D. version - 3.1: Incorrect syntax, - is invalid here.

Key Concept:

Defining provider version constraints ensures consistent provider behavior across environments and avoids breaking changes.

Rationale for Correct Answer (B):

IaC best practice is to manage infrastructure through version-controlled code. Changes should be reviewed and approved (via PRs), ensuring collaboration, traceability, and automation.

Analysis of Incorrect Options:

A, D, E: Making direct/manual changes bypasses IaC practices and causes drift.

C: Running code without PR review skips collaboration and approval.

Key Concept:

Infrastructure as Code emphasizes version control + peer review + automation.

The two steps that are required to provision new infrastructure in the Terraform workflow are init and apply. The terraform init command initializes a working directory containing Terraform configuration files. It downloads and installs the provider plugins that are needed for the configuration, and prepares the backend for storing the state. The terraform apply command applies the changes required to reach the desired state of the configuration, as described by the resource definitions in the configuration files. It shows a plan of the proposed changes and asks for confirmation before making any changes to the infrastructure. References = [The Core Terraform Workflow], [Initialize a Terraform working directory with init] , [Apply Terraform Configuration with apply]

The terraform apply command changes both the cloud infrastructure and the state file after you approve the execution plan. The command creates, updates, or destroys the infrastructure resources to match theconfiguration. It also updates the state file to reflect the new state of the infrastructure. The .terraform directory, the execution plan, and the Terraform code are not changed by the terraform apply command. References = Command: apply and Purpose of Terraform State

Outside of the required_providers block, Terraform configurations can refer to providers by either their local names or their source addresses. The local name is a short name that can be used throughout the configuration, while the source address is a global identifier for the provider in the format registry.terraform.io/namespace/type. For example, you can use either aws or registry.terraform.io/hashicorp/aws to refer to the AWS provider.

Rationale for Correct Answer: Remote state storage is configured using a backend block, which lives inside the top-level terraform block (for example, terraform { backend " s3 " { ... } }). Backends control where Terraform stores state (local vs remote), locking, and related settings—this is squarely in the Terraform configuration’s global settings area, not in resources or providers.

Analysis of Incorrect Options (Distractors):

A (The resource block): Resources define infrastructure objects (e.g., servers, buckets). They do not configure where Terraform stores state.

B (The provider block): Providers configure how Terraform talks to an API (credentials/regions/features). They don’t define state storage.

C (The data block): Data sources read existing infrastructure; they are unrelated to backend/state storage configuration.

Key Concept: Backends and remote state configuration using terraform { backend ... }.

This is how Terraform determines dependencies between resources, by using the references between them in the configuration files and other factors that affect the order of operations.

You can develop a custom provider to manage its resources using Terraform, as Terraform is an extensible tool that allows you to write your own plugins in Go language. You can also publish your custom provider to the Terraform Registry or use it privately.

Terraform state is a representation of the infrastructure that Terraform manages. Terraform uses state to track the current status of the resources it creates and to plan future changes. However, Terraform state is not aware of any changes made to the resources outside of Terraform, such as through the Azure Cloud Console, the Azure CLI, or the Azure API. Therefore, changing resources via the Azure Cloud Console does not update the current state file, and it may cause inconsistencies or conflicts with Terraform’s desired configuration. To avoid this, it is recommended to manage resources exclusively through Terraform or to use the terraform import command to bring existing resources under Terraform’s control.

When you change a Terraform-managed resource via the Azure Cloud Console, Terraform does not immediately update the state file to reflect the change. However, the next time you run terraform plan or terraform apply, Terraform will compare the state file with the actual state of the resources in Azure and detect any drifts or differences. Terraform will then update the state file to match the current state of the resources and show you the proposed changes in the execution plan. Depending on the configuration and the change, Terraform may try to undo the change, modify the resource further, or recreate the resource entirely. To avoid unexpected or destructive changes, it is recommended to review the execution plan carefully before applying it or to use the terraform refresh command to update the state file without applying any changes.

References = Purpose of Terraform State, Terraform State, Managing State, Importing Infrastructure, [Command: plan], [Command: apply] , [Command: refresh]

Theversion argumentin a module ensures Terraform uses aspecific versionof a module, preventing unintended updates.

A (source)– Specifies the module source butdoes not control versioning.

B (count)– Controls how many instances of a resource/module exist,not updates.

D (lifecycle)– Controls how resources behavebut does not control module versioning.

Official Terraform Documentation Reference:

Module Version Constraints

The correct syntax to pass a variable from the root module to a child module isservers = var.num_servers. Terraform uses dot notation to reference variables.

Detailed Explanation:

Rationale for Correct Answer: In Terraform, each “provider” plugin is responsible for interacting with a specific API surface (for example: AWS, AzureRM, Google, Kubernetes). If you want to manage resources across multiple cloud platforms, you typically configure and use the corresponding provider plugins (e.g., aws, azurerm, google). This matches Terraform’s provider model: providers are the integration points to external services.

Analysis of Incorrect Options (Distractors):

B: Incorrect. While a single provider can sometimes manage multiple services within a platform, managing different cloud providers (AWS vs Azure vs GCP) requires their respective provider plugins/configurations.

Key Concept: Providers are Terraform’s integration layer to each infrastructure platform/API.

A (✅Correct)– Providers allow Terraform tointeract with APIsof cloud/on-premises services.

B (✅Correct)– Some Terraform providers can provisionon-premises infrastructure, such as VMware, OpenStack, etc.

C (❌Incorrect)– This describesTerraform Workspaces, not providers.

D (✅Correct)– Terraform providers allow provisioning ofpublic cloud resources(AWS, Azure, GCP, etc.).

E (❌Incorrect)– Enforcing security and compliance policies isnot a direct provider function, but it can be done using Sentinel or other policy-as-code tools.

Official Terraform Documentation Reference:

Terraform Providers

The Terraform Cloud private registry provides the ability to restrict modules to members of Terraform Cloud or Enterprise organizations. This allows you to share modules within your organization without exposing them to the public. The private registry also supports importing modules from your private VCS repositories. The public Terraform Module Registry, on the other hand, publishes modules from public Git repositories and makes them available to any user of Terraform. References = : Private Registry - Terraform Cloud : Terraform Registry - Provider Documentation

Destroy Command Options: Theterraform destroycommand is the correct method to destroy resources, and it requires either manual approval or the -auto-approve flag.

Unsupported Triggering Method: The--destroy flagis not a recognized option for plan or apply commands, making B the correct answer as it isnota valid way to initiate resource destruction.

For more on destroying resources, refer to theterraform destroy command documentationin the Terraform CLI reference.

Terraform Cloud provides features like remote state storage and a web-based user interface for managing your Terraform runs. While it offers robust infrastructure as code capabilities, automatic backups of configuration and state are not directly provided by Terraform Cloud; instead, the state is stored remotely and secured.

The terraform state show command allows you to access all of the attributes and details of a resource managed by Terraform. You can use the resource address (e.g. provider_type.name) as an argument to show the information about a specific resource. The terraform state list command only shows the list of resources in the state, not their attributes. The terraform get command downloads and installs modules needed for the configuration. It does not show any information about resources. References = [Command: state show] and [Command: state list]

The terraform import command is used to import existing infrastructure into Terraform’s state. This allows Terraform to manage and destroy the imported infrastructure as part of the configuration. The terraform import command does not modify the configuration, so the imported resources must be manually added to the configuration after the import. References = [Importing Infrastructure]

 If you manually destroy infrastructure, Terraform will automatically detect the change and update the state file during the next plan or apply. Terraform compares the current state of the infrastructure with the desired state in the configuration and generates a plan to reconcile the differences. If a resource is missing from the infrastructure but still exists in the state file, Terraform will attempt to recreate it. If a resource is present in the infrastructure but not in the state file, Terraform will ignore it unless you use the terraform import command to bring it under Terraform’s management. References = [Terraform State]

Terraform detects infrastructure drift by comparing thestate filewith the actual infrastructure.

When an instance ismanually deleted, Terraformsees it as missingand marks it for recreation.

Running terraform apply willonly recreate the missing instanceswhile leaving the rest of the infrastructure unchanged.

Explanation of incorrect answers:

A (Tear down everything and rebuild)– Incorrect. Terraform does not destroy existing infrastructure unless explicitly told to.

B (Build a completely new set of infrastructure)– Incorrect. Terraform does not create duplicates unless configuration changes.

D (Stop and error out)– Incorrect. Terraform does not fail; itrebuilds missing resourcesautomatically.

Official Terraform Documentation Reference:

Handling Infrastructure Drift

The " version " attribute is optional when referencing a module from the Terraform Registry. If not specified, the latest version will be used, but it is often recommended to specify a version to ensure consistency across environments.

Terraform providers are not part of the Terraform core binary. Providers are distributed separately from Terraform itself and have their own release cadence and version numbers. Providers are plugins that Terraform uses to interact with various APIs, such as cloud providers, SaaS providers, and other services. You can find and install providers from the Terraform Registry, which hosts providers for most major infrastructure platforms. You can also load providers from a local mirror or cache, or develop your own custom providers. To use a provider in your Terraform configuration, you need to declare it in the provider requirements block and optionally configure its settings in the provider block. References = : Providers - Configuration Language | Terraform : Terraform Registry - Providers Overview | Terraform

Infrastructure as Code (IaC) provides several benefits, including the ability to version control infrastructure, reuse code, and automate infrastructure management. However, IaC is typically associated with declarative configuration files and does not inherently provide a graphical user interface (GUI). A GUI is a feature that may be provided by specific tools or platforms built on top of IaC principles but is not a direct benefit of IaC itself1.

References = The benefits of IaC can be verified from the official HashiCorp documentation on “What is Infrastructure as Code with Terraform?” provided by HashiCorp Developer1.

The terraform plan command does not update the state file. Instead, it reads the current state and the configuration files to determine what changes would be made to bring the real-world infrastructure into the desired state defined in the configuration. The plan operation is a read-only operation and does not modify the state or the infrastructure. It is the terraform apply command that actually applies changes and updates the state file.References = Terraform ' s official guidelines and documentation clarify the purpose of the terraform plan command, highlighting its role in preparing and showing an execution plan without making any changes to the actual state or infrastructure .

Rationale for Correct Answer: depends_on explicitly adds a dependency edge in Terraform’s graph. By adding depends_on = [azurerm_role_assignment.kv_access] to the web app resource, you force Terraform to create the role assignment first, even if Terraform can’t infer the dependency from attribute references.

Analysis of Incorrect Options (Distractors):

B: create_before_destroy is a lifecycle setting relevant to replacement behavior, not initial create ordering between independent resources.

C: File/block order does not control creation order; Terraform uses its dependency graph.

D: count controls quantity, not ordering.

Key Concept: Dependency graph and explicit dependencies via depends_on.

Rationale for Correct Answer: Terraform is designed to be idempotent. If the configuration and real infrastructure match the state, a subsequent terraform apply will show no changes and perform no actions.

Analysis of Incorrect Options (Distractors):

A: Terraform does not recreate resources unless the plan requires it (configuration change, forced replacement, drift that requires replacement, etc.).

B: Terraform won’t create duplicates unless the configuration indicates multiple instances (e.g., count, for_each) or a new resource address.

C: The state was already written during the first successful apply; a second apply doesn’t “re-apply to the state file” as a distinct action.

Key Concept: Terraform idempotency and convergence to desired state.

terraform graphgeneratesGraphviz DOT formatoutput, which allows visualization ofresource dependenciesin Terraform.

A (terraform refresh)– Incorrect, as it only updates the state file.

C (terraform output)– Incorrect, as it only displays Terraform output values.

D (terraform show)– Incorrect, as it only displays the Terraform state.

Official Terraform Documentation Reference:

terraform graph - HashiCorp Documentation

Rationale for Correct Answer: terraform plan -refresh-only refreshes (reconciles) the state with the real infrastructure only for the purpose of the plan output. It does not persist (write) those updates to the state file. To actually update the stored state, you must run terraform apply -refresh-only (or a normal terraform apply). This matches the Terraform CLI objective: plan previews changes; apply makes changes (including writing state).

Analysis of Incorrect Options (Distractors):

A (True): Incorrect because terraform plan does not write state; it only calculates and displays what would change.

Key Concept: The plan vs apply workflow and when Terraform writes state.

Inrefresh-only mode(terraform apply -refresh-only), Terraformupdates the state fileto match the actual infrastructurewithout modifying resources.

A (Terraform configuration)–Not modifiedin refresh-only mode.

B (Terraform plan)–Plan is generated but not modified.

D (Cloud infrastructure)–Not modifiedin refresh-only mode.

Official Terraform Documentation Reference:

Refresh-Only Mode

You should run terraform fmt to rewrite all Terraform configurations within the current working directory to conform to Terraform-style conventions. This command applies a subset of the Terraform language style conventions, along with other minor adjustments for readability. It is recommended to use this command to ensure consistency of style across different Terraform codebases. The command is optional, opinionated, and has no customization options, but it can help you and your team understand the code more quickly and easily. References = : Command: fmt : Using Terraform fmt Command to Format Your Terraform Code

The terraform import command is not part of any other Terraform workflow. It must be explicitly invoked by the user with the appropriate arguments, such as the resource address and the ID of the existing infrastructure to import. References = [Importing Infrastructure]

This is the variable type that you could use for this input, as it can store multiple attributes of different types within a single value. The other options are either invalid or incorrect for this use case.

Variables declared within a module are only accessible within that module, unless they are explicitly exposed as output values1.

Terraform state files are not automatically encrypted by default. Sensitive values are stored in plaintext within the state file. However, you can protect the state file by using remote backends that support encryption, such as AWS S3 with server-side encryption enabled or Terraform Cloud, which offers encrypted state storage.

Rationale for Correct Answer (True):

Local values (locals {}) are scoped to a module and are not directly visible outside. To make them available to callers, you must define outputs in the module. Outputs act as the interface for exposing values from a child module to the root module.

Analysis of Incorrect Option:

False: Incorrect, because locals cannot be exposed directly; only via outputs.

Key Concept:

Outputs are the way to expose information outside of a module.

This is what you must do to successfully retrieve this value from your networking module, as it will expose the attribute as an output value that can be referenced by other modules or resources. The error message indicates that the networking module does not have an output value named vnet_id, which causes the reference to fail.

Rationale for Correct Answer:When using count, Terraform creates resources indexed starting at 0.With count = 2, the instances are indexed as:

First instance → aws_instance.web[0]

Second instance → aws_instance.web[1]

To reference the name attribute of the second instance, the correct syntax is:

aws_instance.web[1].name

Analysis of Incorrect Options (Distractors):

A. [2]: Incorrect because indexing starts at 0 and only indices 0 and 1 exist.

B. *.name: Returns a list of all names, not a single instance value.

D. [1]: References the whole resource object, not the name attribute.

E. element(...): Incorrect syntax and wrong index; also unnecessary when direct indexing is available.

Key Concept:Understanding resource indexing with count and zero-based indexing in Terraform.

Changes invoked by terraform apply take effect once the resource provider has fulfilled the request, not after Terraform has updated the state file or immediately. The state file is only a reflection of the real resources, not a source of truth.

Sentinel is a policy-as-code framework that integrates with Terraform Cloud to enforce security, compliance, and governance rules. You can enforce rules such as approved AMIs and ensure security best practices. Policies are written in the Sentinel language, not HCL.

Rationale for Correct Answer:When multiple provider configurations are defined using an alias, Terraform requires the provider meta-argument inside the resource block to explicitly reference the aliased provider.In this case, the provider is defined as aws with alias = " west " , so resources targeting us-west-2 must specify:

provider = aws.west

This tells Terraform exactly which provider configuration to use.

Analysis of Incorrect Options (Distractors):

B. alias = aws.west: Incorrect — alias is only used inside the provider block, not in resources.

C. provider = west: Incorrect — Terraform requires the full provider name (aws.west), not just the alias.

D. alias = west: Incorrect — resources do not support an alias meta-argument.

Key Concept:Using aliased provider configurations and the provider meta-argument to deploy resources across multiple regions or accounts.

A module cannot always refer to all variables declared in its parent module, as it needs to explicitly declare input variables and assign values to them from the parent module’s arguments. A module cannot access the parent module’s variables directly, unless they are passed as input arguments.

The error messageindicates an authentication issue (403 - Access Denied), which requiresdebugging Terraform logs.

Setting TF_LOG=DEBUG enablesdetailed logs, providing insights into API requests, state loading, and authentication errors.

Terraformdoes not log errors in /var/log/terraform.log or syslog, making optionsC and D incorrect.

A (terraform login)is only relevant forTerraform Cloud, but this error appears to be related toprovider authentication.

Official Terraform Documentation Reference:

Debugging Terraform

You can install third party plugins using terraform init, as long as you specify the plugin directory in your configuration or as a command-line argument. You can also use the terraform providers mirror command to create a local mirror of providers from any source.

The command that makes your code more human readable is terraform fmt. This command is used to rewrite Terraform configuration files to a canonical format and style, following the Terraform language style conventions and other minor adjustments for readability. The command is optional, opinionated, and has no customization options, but it is recommended to ensure consistency of style across different Terraform codebases. Consistency can help your team understand the code more quickly and easily, making the use of terraform fmt very important. You can run this command on your configuration files before committing them to source control or as part of your CI/CD pipeline. References = : Command: fmt : Using Terraform fmt Command to Format Your Terraform Code

Rationale for Correct Answer (False):

Any user with access to the saved plan file (terraform plan -out=planfile) can run terraform apply planfile. Terraform does not enforce user-specific restrictions.

Analysis of Incorrect Option:

True: Incorrect — Terraform doesn’t tie plan files to individual users.

Key Concept:

Plan files ensure predictability but are not bound to the identity of the user.

From the Terraform Provider Requirements:

" > = 3.0 " means any versiongreater than or equal to 3.0— including 4.x and beyond.

A (wrong): Would need > = 3.0, < 4.0

C/D (wrong): > excludes 3.0 — not what’s written.

terraform state listonly displays resources stored in the state filebut doesnot interact with the cloud provideror refresh the state.

terraform plan, terraform apply, and terraform destroycompare or modify the infrastructure, so theyrefresh the stateto ensure accuracy.

Official Terraform Documentation Reference:

terraform state list - HashiCorp Documentation

Rationale for Correct Answer: Terraform can store state in a remote backend (remote location) configured in the terraform block (for example, terraform { backend " s3 " { ... } } or terraform { cloud { ... } }). Remote backends store the state outside the local filesystem and often add collaboration features like locking.

Analysis of Incorrect Options (Distractors):

B: Incorrect—CLI configuration files (like .terraformrc / terraform.rc) control CLI behavior (credentials helpers, plugin cache, etc.), but backend/state storage is configured in the Terraform configuration (terraform block) and initialized with terraform init.

C: Incorrect—Terraform must persist state between runs; in-memory storage would be lost when the process ends.

D: Incorrect—environment variables can influence behavior (e.g., credentials, logging), but Terraform does not store state in environment variables.

Key Concept: Configuring remote backends for state storage via the terraform block.

Child modulesdo not automatically inheritvariables from the parent module.

To pass values from theparent moduleto thechild module, you mustexplicitly define input variablesin the child module and pass them in the parent module.

Example:

hcl

CopyEdit

module " example " {

source = " ./child_module "

var1 = " value "

}

Official Terraform Documentation Reference:

Passing Variables to Modules

To import existing resources into Terraform, you need to do two things1:

Write a resource configuration block for each resource, matching the type and name used in your state file.

Run terraform import for each resource, specifying its address and ID. There is no such command as terraform Import-gcp, and provisioning new VMs with the same names will not import them into Terraform.

Terraform variable names are not saved in the state file, only their values are. The state file only stores the attributes of the resources and data sources that are managed by Terraform, not the variables that are used to configure them.

The terraform refresh-only command is intended to detect state file drift. This command synchronizes the state file with the actual infrastructure, updating the state to reflect any changes that have occurred outside of Terraform.

From terraform plan -refresh-only:

" Use this to detectdrift, i.e., changes made outside of Terraform. "

It compares actual infrastructure to what ' s recorded in the state file.

The purpose of state in Terraform is to keep track of the real-world resources managed by Terraform, mapping them to the configuration. The state file contains metadata about these resources, such as resource IDs and other important attributes, which Terraform uses to plan and manage infrastructure changes. The state enables Terraform to know what resources are managed by which configurations and helps in maintaining the desired state of the infrastructure.References = This role of state in Terraform is outlined in Terraform ' s official documentation, emphasizing its function in mapping configuration to real-world resources and storing vital metadata .

Infrastructure as code (IaC) is a way of managing and provisioning cloud infrastructure using programming techniques instead of manual processes1. IaC has many advantages over using a graphical user interface (GUI) for provisioning infrastructure, such as:

•Versioning: IaC allows you to store your infrastructure configuration in a version control system, such as Git, and track changes over time. This enables you to roll back to previous versions, compare differences, and collaborate with other developers2.

•Reusability: IaC allows you to create reusable modules and templates that can be applied to different environments, such as development, testing, and production. This reduces duplication, improves consistency, and speeds up deployment3.

•Sharing: IaC allows you to share your infrastructure configuration with other developers, teams, or organizations, and leverage existing code from open source repositories or registries. This fosters best practices, innovation, and standardization4.

•Risk reduction: IaC reduces the risk of human error, configuration drift, and security breaches that can occur when provisioning infrastructure manually or using a GUI. IaC also enables you to perform automated testing, validation, and compliance checks on your infrastructure before deploying it5.

References =

•1: What is Infrastructure as Code? Explained for Beginners - freeCodeCamp.org

•2: The benefits of Infrastructure as Code - Microsoft Community Hub

•3: Infrastructure as Code : Best Practices, Benefits & Examples - Spacelift

•4: 5 Benefits of Infrastructure as Code (IaC) for Modern Businesses in the Cloud

•5: The 7 Biggest Benefits of Infrastructure as Code - DuploCloud

This is one disadvantage of using dynamic blocks in Terraform, as they can introduce complexity and reduce readability of the configuration. The other options are either advantages or incorrect statements.

Rationale for Correct Answer:

B: Providers can manage on-premises services (e.g., vSphere, Kubernetes, GitHub, DNS, databases), not just public cloud.

C: Providers provision and manage public cloud resources (AWS, Azure, Google Cloud, etc.).

D: Providers are the plugin layer that interacts with APIs (cloud/service APIs) to create, read, update, and delete resources.

Analysis of Incorrect Options (Distractors):

A: This describes how Terraform configuration and state are organized (root module/workspace/state), not a provider function.

E: Policy enforcement is handled by separate policy-as-code systems (e.g., Sentinel/OPA integrations) rather than being a core provider responsibility.

Key Concept: Providers as plugins that implement resource/data source types and perform API interactions for many platforms.

The terraform import command is used to import existing infrastructure into your Terraform state. This command takes the existing resource and associates it with a resource defined in your Terraform configuration, updating the state file accordingly. It does not generate configuration for the resource, only the state.

The Terraform Registry allows any user to publish and share modules. Published modules support versioning, automatically generate documentation, allow browsing version histories, show examples and READMEs, and more. Public modules are managed via Git and GitHub, and publishing a module takes only a few minutes. Once a module is published, releasing a new version of a module is as simple as pushing a properly formed Git tag1.

References = The information can be verified from the Terraform Registry documentation on Publishing Modules provided by HashiCorp Developer1.

Rationale for Correct Answer:

A: The plan is stale because state changed after it was created. The correct fix is to recreate the plan against the latest state and apply that new plan.

B: Running terraform apply without specifying the old plan causes Terraform to re-plan using the current state and configuration, then apply the resulting changes.

Analysis of Incorrect Options (Distractors):

C: -lock=false disables locking; it does not make an old plan valid and is unsafe in team environments.

D: -refresh-only changes what’s recorded in state (when applied) but does not “unstale” an existing saved plan file.

E: terraform state push is for advanced/manual state management and does not update a saved plan file; using it here is inappropriate and risky.

Key Concept: Saved plans are tied to a specific state snapshot; if state changes, you must re-plan.

Rationale for Correct Answer: To provision new infrastructure, Terraform’s core workflow is:

terraform plan to create an execution plan (what will be created/changed/destroyed).

terraform apply to execute that plan and provision the infrastructure.

These two steps represent the essential “preview then create” workflow Terraform objectives emphasize.

Analysis of Incorrect Options (Distractors):

A (Import): Used to bring existing resources under Terraform management; not required for provisioning new infrastructure.

C (Validate): Useful for checking syntax and internal consistency, but not required to provision.

E (Init): Typically required before first use in a new working directory (providers/modules/backend setup), but the question asks which steps are required in the workflow to provision—the required provisioning steps are plan + apply.

Key Concept: Terraform CLI workflow: plan → apply for provisioning.

Rationale for Correct Answer: A moved block tells Terraform that an object’s address in state has changed (renamed/refactored) and it should move the state from the old address to the new address. This preserves the existing real resource and prevents unnecessary destroy/recreate.

Analysis of Incorrect Options (Distractors):

A: Works but is unnecessarily risky/extra work; moved is the intended refactoring mechanism for renames.

B: Incorrect—refresh-only updates state to match real infrastructure, but it does not remap an object from one address to another.

C: Incorrect—Terraform will treat the new name as a new resource address and the old one as removed unless you explicitly move/rename state.

Key Concept: Refactoring addresses safely using moved blocks (state address migration).

Rationale for Correct Answer:By default, terraform fmt modifies files in place to match Terraform’s canonical formatting. The -check flag is required to only check formatting without making changes.

Analysis of Incorrect Options (Distractors):

A: Incorrect because formatting changes are applied automatically by default.

Key Concept:terraform fmt enforces consistent formatting by rewriting files unless instructed otherwise.

Rationale for Correct Answer: A local value (locals { ... }) is the simplest way to define a reusable expression once and reference it many times via local. < name > . This is exactly what locals are for: reducing repetition and improving readability when combining values like random_id results and variables.

Analysis of Incorrect Options (Distractors):

A (Module): Overkill—modules are for packaging reusable groups of resources, not simple string reuse inside the same configuration.

B (Output value): Outputs are for exposing values to the CLI or to parent modules, not for internal reuse within the same module.

D (Data source): Data sources read existing remote objects; they are not intended for composing local strings.

Key Concept: Using locals to avoid repeating expressions.

 This is a quick way to inspect the state file and find the information you need without modifying anything5. The other options are either incorrect or inefficient.

This is the backend that the Terraform CLI uses by default, unless you specify a different backend in your configuration. The local backend stores the state file in a local file named terraform.tfstate, which can be used to track and manage the state of your infrastructure.

Rationale for Correct Answer: Data sources are referenced using the address format:data. < DATA_SOURCE_TYPE > . < NAME > . < ATTRIBUTE > Here, the type is aws_ami, the name is web, and the attribute is id, so the correct reference is data.aws_ami.web.id.

Analysis of Incorrect Options (Distractors):

A (aws_ami.web.id): Incorrect because it omits the required data. prefix. This looks like a managed resource reference, not a data source.

B (web.id): Incorrect because Terraform references must include the full address (type and name); web alone is ambiguous.

D (data.web.id): Incorrect because it omits the data source type (aws_ami).

Key Concept: Terraform addressing and attribute references for data sources.

terraform validateonlychecks the configuration’s syntax and internal consistency—itdoes notinteract with provider APIs or check if the infrastructure settings are correct.

It ensures that the Terraform code is syntactically correct and follows proper HCL structure.

However, it doesnotverify if resources are valid according to the provider API or if the credentials are correct.

To verify actual infrastructure settings, use terraform plan, which interacts with the provider APIs.

Official Terraform Documentation Reference:

terraform validate - HashiCorp Documentation

Confidentiality: UsingHCP Terraform/Terraform Cloud’s private registrykeeps the module configurations within your organization, ensuring privacy and access control.

Version Constraints: The private registry supportssemantic versioning, allowing you to manage versions of your modules as Terraform does natively.

Browsable Directory: The private registry offers a user interface to browse modules, making it easy for users within the organization to locate and manage modules.

This setup aligns with HashiCorp’s design forprivate registry supportin Terraform, meeting all listed requirements for secure, version-controlled, and searchable module storage.

Rationale for Correct Answer (D):

The terraform.lock.hcl file is automatically created and maintained by Terraform. It records the specific versions and checksums of providers used in a configuration, ensuring consistent runs across environments and machines.

Analysis of Incorrect Options:

A. There is no such file: Incorrect — the lock file exists and is crucial for dependency management.

B. Storing references to workspaces: Incorrect — workspaces are tracked in the state file, not the lock file.

C. Preventing Terraform runs: Incorrect — the lock file does not block runs; it enforces consistent provider versions.

Key Concept:

The terraform.lock.hcl file enforces provider version consistency, which is critical for reproducible and reliable Terraform deployments.

Infrastructure as Code (IaC) can indeed be stored in a version control system along with application code. This practice is a fundamental principle of modern infrastructure management, allowing teams to apply software development practices like versioning, peer review, and CI/CD to infrastructure management. Storing IaC configurations in version control facilitates collaboration, history tracking, and change management.References = While this concept is a foundational aspect of IaC and is widely accepted in the industry, direct references from the HashiCorp Terraform Associate (003) study materials were not found in the provided files. However, this practice is encouraged in Terraform ' s best practices and various HashiCorp learning resources.

The terraform fmt command is used to rewrite Terraform configuration files to a canonical format and style. This command applies a subset of the Terraform language style conventions, along with other minor adjustments for readability. Running this command on your configuration files before committing them to source control can help ensure consistency of style between different Terraform codebases, and can also make diffs easier to read. You can also use the -check and -diff options to check if the files are formatted and display the formatting changes respectively2. Running the terraform fmt command during the code linting phase of your CI/CD process can help automate this process and enforce the formatting standards for your team. References = [Command: fmt] 2

Terraform allows usingprivate module sourceshosted in:

C (Internally hosted VCS platforms, e.g., GitLab, Bitbucket, GitHub Enterprise)✅

D (Private GitHub repositories)✅

A (Public GitHub repository)❌–GitHubis supported, but apublic repo is not " private " .

B (Public Terraform Registry)❌–The public registryis not a private source.

Official Terraform Documentation Reference:

Terraform Module Sources

Rationale for Correct Answer: A major IaC advantage is declarative desired state: you describe what you want, and the tool figures out the necessary create/update/delete API calls to converge infrastructure to that end state. This reduces manual API orchestration and makes changes repeatable and reviewable.

Analysis of Incorrect Options (Distractors):

A: Incorrect—IaC reduces the need to write individual API calls; that’s the point.

B: Incorrect—IaC tools typically use provider plugins and APIs; efficiency is not about “calling CLI tools.”

C: Incorrect—IaC configurations define desired state; “current state” is discovered via refresh/state, not defined as the goal.

Key Concept: Declarative IaC: define end state, tool determines API actions.

This is the best way to delete the newly-created VM with Terraform, as it will only affect the resource that was created by your configuration and state file. The other options are either incorrect or inefficient.

Setting the TF_LOG environment variable to DEBUG causes debug messages to be logged into stdout, along with other log levels such as TRACE, INFO, WARN, and ERROR. This can be useful for troubleshooting or debugging purposes.

The name of the default file where Terraform stores the state is terraform.tfstate. This file contains a JSON representation of the current state of the infrastructure managed by Terraform. Terraform uses this file to track the metadata and attributes of the resources, and to plan and apply changes. By default, Terraform stores the state file locally in the same directory as the configuration files, but it can also be configured to store the state remotely in a backend. References = [Terraform State], [State File Format]

Sentinel is a policy-as-code framework that allows you to define and enforce rules on your Terraform configurations, states, and plans1. Some of the benefits of using Sentinel with Terraform Cloud/Terraform Enterprise are:

•You can restrict specific resource configurations, such as disallowing the use of CIDR=0.0.0.0/0, which would open up your network to the entire internet. This can help you prevent misconfigurations or security vulnerabilities in your infrastructure2.

•Policy-as-code can enforce security best practices, such as requiring encryption, authentication, or compliance standards. This can help you protect your data and meet regulatory requirements3.

•You can enforce a list of approved AWS AMIs, which are pre-configured images that contain the operating system and software you need to run your applications. This can help you ensure consistency, reliability, and performance across your infrastructure4.

References =

•1: Terraform and Sentinel | Sentinel | HashiCorp Developer

•2: Terraform Learning Resources: Getting Started with Sentinel in Terraform Cloud

•3: Exploring the Power of HashiCorp Terraform, Sentinel, Terraform Cloud …

•4: Using New Sentinel Features in Terraform Cloud – Medium

Rationale for Correct Answer: terraform apply -replace=ADDRESS forces Terraform to replace the specified resource during the next apply, meaning it will plan to destroy and then recreate it (or create-before-destroy if the resource supports it and the graph/lifecycle allows). This is used when a resource is unhealthy, drifted in a way that’s hard to correct, or you want a fresh instance without changing configuration.

Analysis of Incorrect Options (Distractors):

A: Incorrect—-replace is not “destroy only”; it’s destroy + recreate.

B: Incorrect—ignoring changes is done with lifecycle ignore_changes, not -replace.

D: Incorrect—destroying everything is terraform destroy (or apply with all resources removed), not -replace.

Key Concept: Forcing resource replacement using -replace in the apply workflow.

Rationale for Correct Answer (B):

Terraform interacts with external systems through providers. Since this is a new proprietary service with its own API, Terraform does not support it by default. You would need to develop a custom provider that implements Terraform’s provider interface and interacts with the proprietary APIs to manage resources like users.

Analysis of Incorrect Option:

A. Any service hosted on a public cloud provider: Not true. Terraform can only manage services that have providers (official or custom). Just being " hosted on a public cloud " doesn’t guarantee Terraform support.

Key Concept:

Terraform providers act as the bridge between Terraform and external APIs. For unsupported services, a custom provider must be developed.

This is the recommended way to use a remote backend that needs authentication, as it allows you to provide the credentials via environment variables, command-line arguments, or interactive prompts, without storing them in the Terraform configuration files.

To output returned values from a child module in the Terraform CLI output, you need to declare the output in both the child module and the root module. The child module output will return the value to the root module, and the root module output will display the value in the CLI. References = [Terraform Outputs]

Rationale for Correct Answers:

B. View the execution plan: Correct — terraform plan shows what Terraform intends to do (create, update, or destroy).

C. Save a generated execution plan: Correct — using terraform plan -out=planfile lets you save the plan to apply later with terraform apply planfile.

Analysis of Incorrect Options:

A. Schedule runs in the future: Incorrect, Terraform does not provide scheduling; external tools (like cron, CI/CD) are required.

D. Execute a plan in a different workspace: Incorrect, execution happens in the current workspace; switching workspaces must be done before running the plan.

Key Concept:

terraform plan is used for previewing and optionally saving an execution plan for controlled and predictable infrastructure changes.

Terraform workspaces allow you to create multiple states but still be associated with your current code. Workspaces are like “environments” (e.g. staging, production) for the same configuration. You can use workspaces to spin up a copy of your production deployment for testing purposes without having to configure a new state backend. Terraform data sources, local values, and modules are not features that allow you to create multiple states. References = Workspaces and How to Use Terraform Workspaces

To see all the resources that Terraform will delete, you can use either of these two commands:

terraform destroy will show the plan of destruction and ask for your confirmation before proceeding. You can cancel the command if you do not want to destroy the resources.

terraform plan -destroy will show the plan of destruction without asking for confirmation. You can use this command to review the changes before running terraform destroy. References = : Destroy Infrastructure : Plan Command: Options

Rationale for Correct Answer: Locals are evaluated as expressions, and one local can reference another using local. < name > . This supports building up derived values cleanly:

locals {

env = " prod "

app_name = " api-${local.env} "

}

Analysis of Incorrect Options (Distractors):

B (False): Incorrect—Terraform explicitly supports local-to-local references.

Key Concept: Local values (locals) and expression references.