Terraform-Associate-004 HashiCorp Certified: Terraform Associate (004) (HCTA0-004) Question and Answers

The reason why the apply fails after adding a new provider to the configuration and immediately running terraform apply in the CD using the local backend is because Terraform needs to install the necessary plugins first. Terraform providers are plugins that Terraform uses to interact with various cloud services and other APIs. Each provider has a source address that determines where to downloadit from. When Terraform encounters a new provider in the configuration, it needs to run terraform init first to install the provider plugins in a local directory. Without the plugins, Terraform cannot communicate with the provider and perform the desired actions. References = [Provider Requirements], [Provider Installation]

Module variable assignments are not inherited from the parent module and you need to explicitly set them using the source argument. This allows you to customize the behavior of each module instance.

Importing Existing Resources: Theterraform importcommand brings resources already deployed in a cloud environment into Terraform’s state file, allowing Terraform to manage them.

Workflow Usage: Importing is vital when managing resources created outside of Terraform or those in place before Terraform adoption.

Refer to Terraform’s import command documentation.

This is the workflow for deploying new infrastructure with Terraform, as it will create a plan and apply it to the target environment. The other options are either incorrect or incomplete.

When running a terraform apply -refresh-only, Terraform does not reference the configuration files, but only the state file, credentials, and cloud provider. The purpose of this command is to update the state file with the current status of the real resources, without making any changes to them1.

terraform state listonly displays resources stored in the state filebut doesnot interact with the cloud provideror refresh the state.

terraform plan, terraform apply, and terraform destroycompare or modify the infrastructure, so theyrefresh the stateto ensure accuracy.

Official Terraform Documentation Reference:

terraform state list - HashiCorp Documentation

Before using a remote backend in Terraform, it is mandatory to run terraform init. This command initializes a Terraform working directory, which includes configuring the backend. If a remote backend is specified, terraform init will set up the working directory to use it, including copying any existing state to the remote backend if necessary.References = This principle is a fundamental part of workingwith Terraform and its backends, as outlined in general Terraform documentation and best practices. The specific HashiCorp Terraform Associate (003) study materials in the provided files did not include direct references to this information.

You cannot access state stored with the local backend by using the terraform_remote_state data source. The terraform_remote_state data source is used to retrieve the root module output values from some other Terraform configuration using the latest state snapshot from the remote backend. It requires a backend that supports remote state storage, such as S3, Consul, AzureRM, or GCS. The local backend stores the state file locally on the filesystem, which terraform_remote_state cannot access.

Rationale for Correct Answer (True):

Variables without defaults are required inputs. If the calling module doesn’t supply a value, Terraform will fail with an error at plan time.

Analysis of Incorrect Option:

False: Incorrect, because Terraform does not assume defaults when none are provided.

Key Concept:

Terraform modules enforce required vs. optional variables depending on whether a default is set.

You can develop a custom provider to manage its resources using Terraform, as Terraform is an extensible tool that allows you to write your own plugins in Go language. You can also publish your custom provider to the Terraform Registry or use it privately.

You should use the force-unlock command when automatic unlocking failed. Terraform will lock your state for all operations that could write state, such as plan, apply, or destroy. This prevents others from acquiring the lock and potentially corrupting your state. State locking happens automatically on all operations that could write state and you won’t see any message that it is happening. If state locking fails, Terraform will not continue. You can disable state locking for most commands with the -lock flag but it is not recommended. If acquiring the lock is taking longer than expected, Terraform will output a status message. If Terraform doesn’t output a message, state locking is still occurring if your backend supports it. Terraform has a force-unlock command to manually unlock the state if unlocking failed. Be very careful with this command. If you unlock the state when someone else is holding the lock it could cause multiple writers. Force unlock should only be used to unlock your own lock in the situation where automatic unlocking failed. To protect you, the force-unlock command requires a unique lock ID. Terraform will output this lock ID if unlocking fails. This lock ID acts as a nonce, ensuring that locks and unlocks target the correct lock. The other situations are not valid reasons to use the force-unlock command. You should not use the force-unlock command if you have a high priority change, if apply failed due to a state lock, or if you see a status message that you cannot acquire the lock. These situations indicate that someone else is holding the lock and you should wait for them to finish theiroperation or contact them to resolve the issue. Using the force-unlock command in these cases could result in data loss or inconsistency. References = [State Locking], [Command: force-unlock]

The public Terraform Module Registry automatically exposes all the information about published modules, including required input variables, optional input variables and default values, and outputs. This helps users to understand how to use and configure the modules.

You should run terraform fmt to rewrite all Terraform configurations within the current working directory to conform to Terraform-style conventions. This command applies a subset of the Terraform language style conventions, along with other minor adjustments for readability. It is recommended to use this command to ensure consistency of style across different Terraform codebases. The command is optional, opinionated, and has no customization options, but it can help you and your team understand the code more quickly and easily. References = : Command: fmt : Using Terraform fmt Command to Format Your Terraform Code

Rationale for Correct Answer: terraform init initializes the working directory: it sets up the backend, downloads providers, and installs modules. It does not validate that required input variables have values—that check occurs when running commands that evaluate the configuration (typically plan/apply), and terraform validate checks configuration structure, not whether you supplied runtime variable values.

Analysis of Incorrect Options (Distractors):

A: Yes—init installs required providers.

C: Yes—init initializes and configures the backend.

D: Yes—init retrieves and installs modules referenced by module blocks.

Key Concept: What terraform init does vs what happens at plan/apply time.

Rationale for Correct Answer: terraform output shows the root module’s outputs (the outputs defined in the current working directory’s root module). Outputs from child modules are not directly listed unless the root module re-exports them via its own output blocks (e.g., output "child_public_ip" { value = module.child.public_ip }).

Analysis of Incorrect Options (Distractors):

A (True): Incorrect because child module outputs are accessible via module..

, but terraform output displays only outputs defined in the root module.

Key Concept: Module outputs scope: child outputs must be exposed through root outputs to be shown by terraform output.

Rationale for Correct Answers:

B. View the execution plan: Correct — terraform plan shows what Terraform intends to do (create, update, or destroy).

C. Save a generated execution plan: Correct — using terraform plan -out=planfile lets you save the plan to apply later with terraform apply planfile.

Analysis of Incorrect Options:

A. Schedule runs in the future: Incorrect, Terraform does not provide scheduling; external tools (like cron, CI/CD) are required.

D. Execute a plan in a different workspace: Incorrect, execution happens in the current workspace; switching workspaces must be done before running the plan.

Key Concept:

terraform plan is used for previewing and optionally saving an execution plan for controlled and predictable infrastructure changes.

These are some of the ways that a ticket-based system can slow down infrastructure provisioning and limit the ability to scale, as they introduce delays, bottlenecks, and manual interventions in the process of creating and modifying infrastructure.

This is not a valid Terraform variable type. The other options are valid variable types that can store different kinds of values2.

Rationale for Correct Answer: Terraform state is Terraform’s record of what it manages: it maps resource addresses in configuration to real-world resource IDs and stores metadata needed to plan changes. That makes it a source of truth for resources Terraform is managing, enabling accurate diffs, updates, and deletes.

Analysis of Incorrect Options (Distractors):

A: Incorrect—Terraform state does not schedule jobs; that’s the role of external schedulers/automation tools.

B: Incorrect—the desired state is expressed in .tf configuration, not in the state file. State reflects the current known state of managed infrastructure.

D: Incorrect—resources created manually in a cloud console are not automatically in Terraform state unless they are imported/adopted.

Key Concept: Purpose of Terraform state: resource mapping, metadata, and planning accuracy.

To see all the resources that Terraform will delete, you can use either of these two commands:

terraform destroy will show the plan of destruction and ask for your confirmation before proceeding. You can cancel the command if you do not want to destroy the resources.

terraform plan -destroy will show the plan of destruction without asking for confirmation. You can use this command to review the changes before running terraform destroy. References = : Destroy Infrastructure : Plan Command: Options

This is a secure way to inject sensitive variables into your Terraform run, as they will not be stored in any file or source code repository. You can also use environment variables or variable files with encryption to pass sensitive variables to Terraform.

This is how you specify a module’s version when publishing it to the public Terraform Module Registry, as it uses the tags from your version control system (such as GitHub or GitLab) to identify module versions. You need to use semantic versioning for your tags, such as v1.0.0.

This is where Terraform saves resource state when using a remote backend or Terraform Cloud integration, as it allows you to store and manage your state file in a remote location, such as a cloud storage service or Terraform Cloud’s servers. This enables collaboration, security, and scalability for your Terraform infrastructure.

This is a bad practice, as it exposes your credentials to anyone who can access your configuration files or state files. You should use environment variables, credential files, or other mechanisms to provide credentials to Terraform.

Any user with permission to apply a plan can apply it, not only the user that generated it. This allows for collaboration and delegation of tasks among team members.

Rationale for Correct Answer:A Terraform resource block has the following structure:

resource "" "" {

}

In the exhibit:

Resource type: azurerm_resource_group

Resource name: dev

The resource name is the second label in the resource block and is used internally by Terraform to reference the resource (e.g., azurerm_resource_group.dev).

Analysis of Incorrect Options (Distractors):

A. azurerm: This is the provider name, not the resource name.

B. azurerm_resource_group: This is the resource type, not the name.

D. test: This is the value of the name argument inside the resource, not the Terraform resource name.

Key Concept:Understanding the distinction between resource type, resource name, and resource arguments in Terraform configurations.

Infrastructure as Code (IaC) can indeed be stored in a version control system along with application code. This practice is a fundamental principle of modern infrastructure management, allowing teams to apply software development practices like versioning, peer review, and CI/CD to infrastructure management. Storing IaC configurations in version control facilitates collaboration, history tracking, and change management.References = While this concept is a foundational aspect of IaC and is widely accepted in the industry, direct references from the HashiCorp Terraform Associate (003) study materials were not found in the provided files. However, this practice is encouraged in Terraform's best practices and various HashiCorp learning resources.

Rationale for Correct Answer: A Terraform configuration supports a single cloud block (similar to a single backend configuration). The cloud block defines where Terraform runs (HCP Terraform / Terraform Enterprise) and how the workspace is associated. You cannot connect one configuration to two separate Cloud/Enterprise instances simultaneously using multiple cloud blocks.

Analysis of Incorrect Options (Distractors):

A (True): Incorrect—Terraform does not allow multiple cloud blocks; the configuration can target only one Cloud/Enterprise context at a time.

Key Concept: cloud block constraints and workspace association with HCP Terraform/Terraform Enterprise.

terraform graphgeneratesGraphviz DOT formatoutput, which allows visualization ofresource dependenciesin Terraform.

A (terraform refresh)– Incorrect, as it only updates the state file.

C (terraform output)– Incorrect, as it only displays Terraform output values.

D (terraform show)– Incorrect, as it only displays the Terraform state.

Official Terraform Documentation Reference:

terraform graph - HashiCorp Documentation

In Terraform, the backend configuration, which includes details about where and how state is stored, is specified within the terraform block of your configuration. This block is the correct place to define the backend type and its configuration parameters, such as the location of the state file for a local backend or the bucket details for a remote backend like S3.References = This practice is outlined in Terraform's core documentation, which provides examples and guidelines on how to configure various aspects of Terraform's behavior, including state backends .

This is not true, as modules can be either public or private, depending on your needs and preferences. You can use the Terraform Registry to publish and consume public modules, or use Terraform Cloud or Terraform Enterprise to host and manage private modules.

Changes invoked by terraform apply take effect once the resource provider has fulfilled the request, not after Terraform has updated the state file or immediately. The state file is only a reflection of the real resources, not a source of truth.

terraform initretrieves and caches providers and modules, butonly for explicitly declared modulesin the configuration.

If a module isadded or updated, terraform init needs to be re-run to download the new version.

Terraform does not automatically cache all remote modules unless they are explicitly referenced in the configuration.

Official Terraform Documentation Reference:

terraform init - HashiCorp Documentation

Terraform follows adeclarativeapproach, meaning it ensures the infrastructure matches the configuration.

If you run terraform apply againwithout any changes, Terraform willdetect that the infrastructure is already up to dateand willdo nothing.

The command will complete successfully with the message"No changes. Your infrastructure matches the configuration."

Official Terraform Documentation Reference:

Terraform Apply - HashiCorp Documentation

Rationale for Correct Answer (B):

Provider version constraints in Terraform are specified using the version argument in the required_providers block, e.g.:

terraform {

required_providers {

aws = {

source = "hashicorp/aws"

version = "3.1"

}

}

}

This ensures Terraform always uses a specific provider version (or constraint expression).

Analysis of Incorrect Options:

A. version: Incomplete, no value specified.

C. version: 3.1: Incorrect syntax, Terraform uses = not :.

D. version - 3.1: Incorrect syntax, - is invalid here.

Key Concept:

Defining provider version constraints ensures consistent provider behavior across environments and avoids breaking changes.

In Terraform, the correct way to reference a resource attribute is:

pgsql

CopyEdit

resource_type.resource_name.attribute

For example, if the resource block is:

hcl

CopyEdit

resource "kubernetes_namespace" "example" {

metadata {

name = "my-namespace"

}

}

To reference the name attribute, use:

pgsql

CopyEdit

kubernetes_namespace.example.name

Explanation of incorrect answers:

A (resource.kubernetes_namespace.example.name)– Incorrect. Terraform does not use the resource. prefix when referencing resources.

C (data.kubernetes.namespace.name)– Incorrect. This syntax is used fordata sources, not resources.

D (kubernetes_namespace.test.name)– Incorrect. The resource name is "example", not "test".

Official Terraform Documentation Reference:

Terraform Resource References

Environment variables and connection configurations outside of Terraform are secure options for storing secrets for connecting to a Terraform remote backend. Environment variables can be used to set values for input variables that contain secrets, such as backend access keys or tokens. Terraform will read environment variables that start with TF_VAR_ and match the name of an input variable. For example, if you have an input variable called backend_token, you can set its value with the environment variable TF_VAR_backend_token1. Connection configurations outside of Terraform are files or scripts that provide credentials or other information for Terraform to connect to a remote backend. For example, you can use a credentials file for the S3 backend2, or a shell script for the HTTP backend3. These files or scripts are not part of the Terraform configuration and can be stored securely in a separate location. The other options are not secure for storing secrets. A variable file is a file that contains values for input variables. Variable files are usually stored in the same directory as the Terraform configuration or in a version control system. This exposes the secrets to anyone who can access the files or the repository. You should not store secrets in variable files1. Inside the backend block within the Terraform configuration is where you specify the type and settings of the remote backend. The backend block is part of the Terraform configuration and is usually stored in a version control system. This exposes the secrets to anyone who can access the configuration or the repository. You should not store secrets in the backend block4. References = [Terraform Input Variables]1, [Backend Type: s3]2, [Backend Type: http]3, [Backend Configuration]4

This is what will happen if you run terraform destroy without any flags, as it will attempt to delete all the resources that are associated with your current working directory or workspace. You can use the -target flag to specify a particular resource that you want to destroy.

The -replace flag is used with the terraform apply command when there is a need to explicitly force Terraform to destroy and then recreate a specific resource during the next apply. This can be necessary in situations where a simple update is insufficient or when a resource must be re-provisioned to pick up certain changes.

Rationale for Correct Answer: Data sources are referenced with: data....For a vSphere datacenter data source, the correct reference to its id is:data.vsphere_datacenter..id.✅ Given the options, only A follows the correct data-source addressing pattern and includes the .id attribute.

Analysis of Incorrect Options (Distractors):

B: Incorrect—missing the data. prefix, so it looks like a managed resource reference.

C: Incorrect—missing the attribute (.id).

D: Incorrect—missing the data source type and name.

Key Concept: Correct HCL reference syntax for data sources.

A Terraformbackenddetermineswhere and how Terraform state is stored.

Bothterraform applyandterraform destroyinteract with state, so Terraform needs access to the backend for state storage and updates.

D (Neither are correct)is incorrect becauseTerraform state is required for both apply and destroy operations.

Official Terraform Documentation Reference:

Terraform Backends

Variables declared within a module are only accessible within that module, unless they are explicitly exposed as output values1.

From the official Terraform Type Constraints Documentation:

The object({ name = string, age = number }) type expects:

name to be aquoted string, e.g. "John"

age to be anumber, e.g. 52

Option Bsatisfies both:

{

name = "John" #✅Valid string

age = 52 #✅Valid number

}

Let's analyze the incorrect ones:

❌Option A: "fifty two" is not a valid number.

❌Option C: John is unquoted (invalid string), and "fifty two" is not a number.

❌Option D: name = John is not quoted, making it an invalid string in HCL.

Terraform is strict about type and formatting. Stringsmust be quoted, and numbersmust be numeric literals.

To output returned values from a child module in the Terraform CLI output, you need to declare the output in both the child module and the root module. The child module output will return the value to the root module, and the root module output will display the value in the CLI. References = [Terraform Outputs]

This is the backend that the Terraform CLI uses by default, unless you specify a different backend in your configuration. The local backend stores the state file in a local file named terraform.tfstate, which can be used to track and manage the state of your infrastructure.

It lets you version, reuse, and share infrastructure configuration as code files, which can be stored in a source control system and integrated with your CI/CD pipeline.

It reduces risk of operator error by automating repetitive tasks and ensuring consistency across environments. IaC does not necessarily provision resources at a lower cost, secure your credentials, or prevent manual modifications to your resources - these depend on other factors such as your cloud provider, your security practices, and your access policies.

Rationale for Correct Answer: terraform state rm

removes a resource from Terraform state without destroying the real infrastructure. After removal, Terraform “forgets” it and will no longer manage it (unless it’s re-imported). That matches the requirement: keep the resource, stop managing it.

Analysis of Incorrect Options (Distractors):

A: Removing the resource block causes Terraform to plan to destroy the resource (because it’s in state but no longer in config), which is the opposite of “keep it.”

B: Changing count can cause Terraform to destroy instances that no longer have an address (depending on indexing), and it doesn’t explicitly “stop managing” a specific existing instance safely.

D: moved blocks are for renaming/refactoring addresses while keeping management; they do not stop managing a resource.

Key Concept: Detaching resources from Terraform management using state subcommands (terraform state rm).

Confidentiality: UsingHCP Terraform/Terraform Cloud’s private registrykeeps the module configurations within your organization, ensuring privacy and access control.

Version Constraints: The private registry supportssemantic versioning, allowing you to manage versions of your modules as Terraform does natively.

Browsable Directory: The private registry offers a user interface to browse modules, making it easy for users within the organization to locate and manage modules.

This setup aligns with HashiCorp’s design forprivate registry supportin Terraform, meeting all listed requirements for secure, version-controlled, and searchable module storage.

It is not a best practice to store secret data in the same version control repository as your Terraform configuration, as it could expose your sensitive information to unauthorized parties or compromise your security. You should use environment variables, vaults, or other mechanisms to store and provide secret data to Terraform.

Not all modules published on the official Terraform Module Registry have been verified by HashiCorp. While HashiCorp verifies some modules, there are many community-contributed modules that are not verified. Verified modules have a "Verified" badge indicating that HashiCorp has reviewed them for security and best practices, but the registry also includes unverified modules.

Setting the TF_LOG environment variable to DEBUG causes debug messages to be logged into stdout, along with other log levels such as TRACE, INFO, WARN, and ERROR. This can be useful for troubleshooting or debugging purposes.

 Terraform configuration (including any module references) can contain more than one Terraform provider type. Terraform providers are plugins that Terraform uses to interact with various cloud services and other APIs. A Terraform configuration can use multiple providers to manage resources across different platforms and services. For example, a configuration can use the AWS provider to create a virtual machine, the Cloudflare provider to manage DNS records, and the GitHub provider to create a repository. Terraform supports hundreds of providers for different use cases and scenarios. References = [Providers], [Provider Requirements], [Provider Configuration]

You cannot reference a resource created with for_each using a splat (*) expression, as it will not work with resources that have non-numeric keys. You need to use a for expression instead to iterate over the resource instances.

Rationale for Correct Answer: A parent/root module can only read values from a child module if the child module exports them via an output block. The error indicates vnet_id is not an exported output from module.my_network. Defining output "vnet_id" { value = ... } inside the networking (child) module makes module.my_network.vnet_id valid.

Analysis of Incorrect Options (Distractors):

A: Incorrect—Terraform does not use module..outputs.

; module outputs are referenced directly as module..

.

B: Incorrect—variables are inputs to a module, not values exported from it.

C: Incorrect—missing the module. prefix and still uses an invalid .outputs path.

Key Concept: Module outputs are the contract for exposing child module values to the root/parent.

Rationale for Correct Answer: Remote state storage is configured using a backend block, which lives inside the top-level terraform block (for example, terraform { backend "s3" { ... } }). Backends control where Terraform stores state (local vs remote), locking, and related settings—this is squarely in the Terraform configuration’s global settings area, not in resources or providers.

Analysis of Incorrect Options (Distractors):

A (The resource block): Resources define infrastructure objects (e.g., servers, buckets). They do not configure where Terraform stores state.

B (The provider block): Providers configure how Terraform talks to an API (credentials/regions/features). They don’t define state storage.

C (The data block): Data sources read existing infrastructure; they are unrelated to backend/state storage configuration.

Key Concept: Backends and remote state configuration using terraform { backend ... }.

Rationale for Correct Answer (D):

terraform state list shows all resources currently managed by Terraform. terraform state show provides detailed attributes, including the VM ID. This lets you match the Terraform-managed instance with the actual infrastructure.

Analysis of Incorrect Options:

A: Importing is not needed since one VM is already in state.

B: terraform apply doesn’t show which VM ID is managed, it only refreshes attributes.

C: Removing state entries is destructive and may lead to losing state data unnecessarily.

Key Concept:

The state file is Terraform’s source of truth for which resources it manages.

This is the command that always causes a state file to be updated with changes that might have been made outside of Terraform, as it will only refresh the state file with the current status of the real resources, without making any changes to them or creating a plan.

Rationale for Correct Answer: AWS CloudFormation is AWS-specific. If your standardized provisioning tool is CloudFormation, deploying infrastructure into Microsoft Azure becomes a challenge because CloudFormation does not natively provision Azure resources. This highlights a core IaC concept: tool/platform scope and portability across clouds.

Analysis of Incorrect Options (Distractors):

A (Reusable code base for any AWS region): CloudFormation templates are commonly reusable across AWS regions; region differences are typically handled via parameters, mappings, and region-specific resource availability—not a fundamental challenge.

B (Managing a new stack on AWS-native services): This is CloudFormation’s strength: managing AWS-native services with declarative templates and stack updates.

C (Automating manual console provisioning): Another core use case for IaC—CloudFormation is designed to replace manual provisioning with repeatable automation.

Key Concept: IaC tool scope and portability—AWS CloudFormation is tightly coupled to AWS, limiting multi-cloud provisioning.

The "version" attribute is optional when referencing a module from the Terraform Registry. If not specified, the latest version will be used, but it is often recommended to specify a version to ensure consistency across environments.

This will enable additional logging messages to find out from which paths Terraform is loading providers referenced in your Terraform configuration files, as it will set the log level to TRACE, which is the most verbose and detailed level.

Terraform modules are referenced by specifying a source location. This location can be a URL or a file path. However, specifying query parameters such as ?version=vl.6.0 directly within the source path is not a valid or supported method for specifying a module version in Terraform. Instead, version constraints are specified using the version argument within the module block, not as part of the source string.References = This clarification is based on Terraform's official documentation regarding module usage, which outlines the correct methods for specifying module sources and versions.

This is one disadvantage of using dynamic blocks in Terraform, as they can introduce complexity and reduce readability of the configuration. The other options are either advantages or incorrect statements.

Rationale for Correct Answer: terraform plan creates and displays an execution plan showing what Terraform would change, add, or destroy to reach the desired state—this is the standard preview step before applying changes.

Analysis of Incorrect Options (Distractors):

A: terraform show displays a human-readable view of an existing state or plan file; it doesn’t compute proposed changes by itself.

C: terraform validate checks configuration syntax and internal consistency, not proposed infrastructure changes.

D: terraform get downloads modules; it doesn’t preview infrastructure changes.

Key Concept: Previewing changes with plan in the Terraform workflow.

The .terraform.lock.hcl file is a new feature in Terraform 0.14 that records the exact versions of each provider used in your configuration. This helps ensure consistent and reproducible behavior across different machines and runs.

This is not a valid Terraform collection type, as Terraform only supports three collection types: list, map, and set. A tree is a data structure that consists of nodes with parent-child relationships, which is not supported by Terraform.

The terraform state rm commandremovesa resource from Terraform’s state file butdoes not destroythe resource in the actual infrastructure. It only removes Terraform’s knowledge of the resource, meaning Terraform will no longer manage it.

If you run terraform state rm on a resource, Terraform will forget that the resource exists.

However, the resource will still exist in the cloud or infrastructure provider.

If you later run terraform apply, Terraform may try torecreatethe resource because it is no longer present in its state file.

Official Terraform Documentation Reference:

terraform state rm - HashiCorp Documentation

This is the meta-argument that you must include in any non-default provider configurations, as it allows you to give a friendly name to the configuration and reference it in other parts of your code. The other options are either invalid or irrelevant for this purpose.

 If you manually destroy infrastructure, Terraform will automatically detect the change and update the state file during the next plan or apply. Terraform compares the current state of the infrastructure with the desired state in the configuration and generates a plan to reconcile the differences. If a resource is missing from the infrastructure but still exists in the state file, Terraform will attempt to recreate it. If a resource is present in the infrastructure but not in the state file, Terraform will ignore it unless you use the terraform import command to bring it under Terraform’s management. References = [Terraform State]

In Terraform Cloud, you can switch between workspaces using both the web UI and CLI. The statement that you "must use the CLI" is false. Workspaces can securely store cloud credentials, offer role-based access control, and integrate with VCS to trigger plan and apply operations.

Purpose of Refresh-Only Mode: Running Terraform inrefresh-only modeupdates Terraform's state file with the current state of resources in your infrastructure without making changes to the resources themselves.

Context of Terraform Import: When usingterraform import, you’re adding existing resources to the state file, and running Terraform in refresh-only mode before this operation can ensure that any initial configuration syncs precisely with the actual state.

For more on refresh-only mode in relation to terraform import, refer to Terraform's import documentation.

Rationale for Correct Answer:When using count, Terraform creates resources indexed starting at 0.With count = 2, the instances are indexed as:

First instance → aws_instance.web[0]

Second instance → aws_instance.web[1]

To reference the name attribute of the second instance, the correct syntax is:

aws_instance.web[1].name

Analysis of Incorrect Options (Distractors):

A. [2]: Incorrect because indexing starts at 0 and only indices 0 and 1 exist.

B. *.name: Returns a list of all names, not a single instance value.

D. [1]: References the whole resource object, not the name attribute.

E. element(...): Incorrect syntax and wrong index; also unnecessary when direct indexing is available.

Key Concept:Understanding resource indexing with count and zero-based indexing in Terraform.

The command that makes your code more human readable is terraform fmt. This command is used to rewrite Terraform configuration files to a canonical format and style, following the Terraform language style conventions and other minor adjustments for readability. The command is optional, opinionated, and has no customization options, but it is recommended to ensure consistency of style across different Terraform codebases. Consistency can help your team understand the code more quickly and easily, making the use of terraform fmt very important. You can run this command on your configuration files before committing them to source control or as part of your CI/CD pipeline. References = : Command: fmt : Using Terraform fmt Command to Format Your Terraform Code

The terraform import command allows Terraform to takeexistinginfrastructure andbring it under Terraform’s management.

A (terraform get)is incorrect because it is used to fetch modules.

B (terraform refresh)is incorrect because it only updates Terraform's state to match the infrastructure but does not import resources.

D (terraform init)is incorrect because it only initializes the Terraform working directory.

Official Terraform Documentation Reference:

terraform import - HashiCorp Documentation

This is not a responsibility of a Terraform provider, as it does not make sense grammatically or logically. A Terraform provider is responsible for exposing resources and data sources based on an API, managing actions to take based on resource differences, and understanding API interactions with some service.

E (✅Correct)–IaC aims to eliminate manual cloud console workflowsby using code-based automation.

A, B, C (✅Advantages of IaC)– IaC enablesself-service deployment, API-driven workflows, and dynamic resource scaling.

D (diff command)– While useful, troubleshooting via diff is not acore advantageof IaC.

Official Terraform Documentation Reference:

What is Infrastructure as Code?

The key principle of infrastructure as code that is not listed among the options is golden images. Golden images are pre-configured, ready-to-use virtual machine images that contain a specific set of software and configuration. They are often used to create multiple identical instances of the same environment, such as for testing or production. However, golden images are not a principle of infrastructure as code, but rather a technique that can be used with or without infrastructure as code. The other options are all key principles of infrastructure as code, as explained below:

Self-describing infrastructure: This means that the infrastructure is defined in code that describes its desired state, rather than in scripts that describe the steps to create it. This makes the infrastructure easier to understand, maintain, and reproduce.

Idempotence: This means that applying the same infrastructure code multiple times will always result in the same state, regardless of the initial state. This makes the infrastructure consistent and predictable, and avoids errors or conflicts caused by repeated actions.

Versioned infrastructure: This means that the infrastructure code is stored in a version control system, such as Git, that tracks the changes and history of the code. This makes the infrastructure code reusable, auditable, and collaborative, and enables practices such as branching, merging, and rollback. References = [Introduction to Infrastructure as Code with Terraform], [Infrastructure as Code in a Private or Public Cloud]

Rationale for Correct Answer: Locals are evaluated as expressions, and one local can reference another using local.. This supports building up derived values cleanly:

locals {

env = "prod"

app_name = "api-${local.env}"

}

Analysis of Incorrect Options (Distractors):

B (False): Incorrect—Terraform explicitly supports local-to-local references.

Key Concept: Local values (locals) and expression references.

The Terraform collection type that should be used to store key/value pairs is map. A map is a collection of values that are accessed by arbitrary labels, called keys. The keys and values can be of any type, but the keys must be unique within a map. For example, var = { key1 = "value1", key2 = "value2" } is a map with two key/value pairs. Maps are useful for grouping related values together, such as configuration options or metadata. References = [Collection Types], [Map Type Constraints]

A module can declare a variable with a default value without requiring the caller to define it. This allows the module to provide a sensible default behavior that can be customized by the caller if needed. References = [Module Variables]

The statement that you must use the CLI to switch between workspaces is false. Terraform Cloud workspaces are different from Terraform CLI workspaces. Terraform Cloud workspaces are required and represent all of the collections of infrastructure in an organization. They are also a major component of role-based access in Terraform Cloud. You can grant individual users and user groupspermissions for one or more workspaces that dictate whether they can manage variables, perform runs, etc. You can create, view, and switch between Terraform Cloud workspaces using the Terraform Cloud UI, the Workspaces API, or the Terraform Enterprise Provider5. Terraform CLI workspaces are optional and allow you to create multiple distinct instances of a single configuration within one working directory. They are useful for creating disposable environments for testing or experimenting without affecting your main or production environment. You can create, view, and switch between Terraform CLI workspaces using the terraform workspace command6. The other statements about Terraform Cloud workspaces are true. They have role-based access controls that allow you to assign permissions to users and teams based on their roles and responsibilities. You can create and manage roles using the Teams API or the Terraform Enterprise Provider7. Plans and applies can be triggered via version control system integrations that allow you to link your Terraform Cloud workspaces to your VCS repositories. You can configure VCS settings, webhooks, and branch tracking to automate your Terraform Cloud workflow8. They can securely store cloud credentials as sensitive variables that are encrypted at rest and only decrypted when needed. You can manage variables using the Terraform Cloud UI, the Variables API, or the Terraform Enterprise Provider9. References = [Workspaces]5, [Terraform CLI Workspaces]6, [Teams and Organizations]7, [VCS Integration]8, [Variables]9

The terraform apply command changes both the cloud infrastructure and the state file after you approve the execution plan. The command creates, updates, or destroys the infrastructure resources to match theconfiguration. It also updates the state file to reflect the new state of the infrastructure. The .terraform directory, the execution plan, and the Terraform code are not changed by the terraform apply command. References = Command: apply and Purpose of Terraform State

Terraform detects infrastructure drift by comparing thestate filewith the actual infrastructure.

When an instance ismanually deleted, Terraformsees it as missingand marks it for recreation.

Running terraform apply willonly recreate the missing instanceswhile leaving the rest of the infrastructure unchanged.

Explanation of incorrect answers:

A (Tear down everything and rebuild)– Incorrect. Terraform does not destroy existing infrastructure unless explicitly told to.

B (Build a completely new set of infrastructure)– Incorrect. Terraform does not create duplicates unless configuration changes.

D (Stop and error out)– Incorrect. Terraform does not fail; itrebuilds missing resourcesautomatically.

Official Terraform Documentation Reference:

Handling Infrastructure Drift

Referencing Terraform Built-in Functions:

✅chomp: removes trailing newlines

✅join: combines list into string

✅split: splits string into list

❌slice:is nota valid Terraform string function (it's used in other languages like Python)

Rationale for Correct Answer: To provision new infrastructure, Terraform’s core workflow is:

terraform plan to create an execution plan (what will be created/changed/destroyed).

terraform apply to execute that plan and provision the infrastructure.

These two steps represent the essential “preview then create” workflow Terraform objectives emphasize.

Analysis of Incorrect Options (Distractors):

A (Import): Used to bring existing resources under Terraform management; not required for provisioning new infrastructure.

C (Validate): Useful for checking syntax and internal consistency, but not required to provision.

E (Init): Typically required before first use in a new working directory (providers/modules/backend setup), but the question asks which steps are required in the workflow to provision—the required provisioning steps are plan + apply.

Key Concept: Terraform CLI workflow: plan → apply for provisioning.

Rationale for Correct Answer: A major IaC advantage is declarative desired state: you describe what you want, and the tool figures out the necessary create/update/delete API calls to converge infrastructure to that end state. This reduces manual API orchestration and makes changes repeatable and reviewable.

Analysis of Incorrect Options (Distractors):

A: Incorrect—IaC reduces the need to write individual API calls; that’s the point.

B: Incorrect—IaC tools typically use provider plugins and APIs; efficiency is not about “calling CLI tools.”

C: Incorrect—IaC configurations define desired state; “current state” is discovered via refresh/state, not defined as the goal.

Key Concept: Declarative IaC: define end state, tool determines API actions.

Rationale for Correct Answer: Data sources are referenced using the address format:data...Here, the type is aws_ami, the name is web, and the attribute is id, so the correct reference is data.aws_ami.web.id.

Analysis of Incorrect Options (Distractors):

A (aws_ami.web.id): Incorrect because it omits the required data. prefix. This looks like a managed resource reference, not a data source.

B (web.id): Incorrect because Terraform references must include the full address (type and name); web alone is ambiguous.

D (data.web.id): Incorrect because it omits the data source type (aws_ami).

Key Concept: Terraform addressing and attribute references for data sources.