Terraform Associate Quiz

A team wants different engineers to reproduce the same cloud environment. What is the most relevant benefit of using Terraform?

Answer:

Terraform represents desired infrastructure in configuration files that teams can review and version-control.

You reapply the same Terraform configuration after the infrastructure already matches it. What result is normally expected?

Answer:

Terraform compares configuration, state, and remote objects and reports no changes when they already match.

After cloning a Terraform repository for the first time, which command prepares the required providers and modules?

Answer:

terraform init initializes the working directory and prepares its backend, providers, and modules.

A team must apply exactly the changes that reviewers approved for production. Which workflow is appropriate?

Answer:

Passing a saved plan to apply executes the same plan that reviewers inspected.

In CI, you want to check Terraform configuration syntax and internal consistency without changing infrastructure. Which command is most appropriate?

Answer:

terraform validate checks configuration syntax and internal consistency without modifying remote resources.

An environment variable must accept only dev, stg, or prod, and invalid input should fail early. What should you use?

Answer:

Input variable validation defines a condition and error message so invalid values fail early.

A computed naming string is reused by several resources but should not be exposed as external input. What should you use?

Answer:

Local values name reusable expressions inside a configuration without exposing them as caller inputs.

Subnets are keyed by name, and adding another name should preserve stable identity for existing instances. Which meta-argument fits best?

Answer:

for_each identifies instances by map or set keys, providing stable, meaningful resource addresses.

A team shares one configuration and must prevent concurrent state updates from corrupting state. Which approach is most appropriate?

Answer:

Shared remote state with locking provides one source of truth and prevents conflicting writes.

A resource block is renamed, but the remote object must not be recreated. How can you record this refactor in configuration?

Answer:

A moved block maps the old address to the new one so Terraform can update state without recreating the object.

An existing manually created object must be brought under Terraform management. What is the essential first concept?

Answer:

Import associates an existing object with a Terraform resource address in state; matching configuration is also needed for ongoing management.

An output is marked sensitive = true. Which statement about this setting is correct?

Answer:

Sensitive marking reduces accidental display, but the value can still exist in state, which needs access control and encryption.

A team must use the same provider source and compatible version range. Where should these requirements be declared?

Answer:

required_providers declares source addresses and version constraints, while the lock file records selected versions.

The same AWS provider must manage resources in two regions. Which method is appropriate?

Answer:

Provider aliases let a configuration define multiple instances of one provider and select or pass them explicitly.

A root module needs the VPC ID created by a child module. What must the child module provide?

Answer:

A child-module output is its public interface and can be referenced as module.name.output_name.

A Registry module is used in production. Which setting best reduces unexpected breaking changes?

Answer:

A Registry module version constraint controls eligible releases so upgrades can be reviewed.

A pull request should trigger a plan in a shared environment for team review. Which HCP Terraform setup is appropriate?

Answer:

A VCS-connected workspace can start remote runs from commits or pull requests and share plans with the team.

Infrastructure changes that violate organization rules must be rejected before apply. Which HCP Terraform concept addresses this?

Answer:

Policy as code evaluates plans against organization rules and can block or warn on noncompliant runs.

CI must authenticate to a cloud provider without storing long-lived access keys in Terraform variables. Which approach is preferred?

Answer:

Short-lived credentials or OIDC-style dynamic authentication reduce storage and exposure of static secrets.

terraform plan reports that an argument is not present in the provider schema. What should you check first?

Answer:

Provider resource schemas can vary by version, so inspect the lock file, selected version, and matching documentation.

Which best describes Terraform declarative approach?

Answer:

You declare the desired state, and Terraform plans and applies the changes needed to converge from the current state.

Which correctly distinguishes terraform plan from apply?

Answer:

plan presents the diff without changing anything; apply executes the plan against real infrastructure.

Which command automatically rewrites configuration files to the canonical style?

Answer:

terraform fmt formats HCL to the canonical style, easing reviews and stabilizing diffs.

To avoid accidentally destroying managed resources, what should you check before destroy?

Answer:

destroy can remove all managed resources in the target; always confirm the workspace and the destroy plan.

You want to create a replacement before destroying the old one to avoid downtime. Which lifecycle setting fits?

Answer:

create_before_destroy provisions the new resource before deleting the old one during replacement, reducing downtime.

You want to ignore drift on specific attributes to avoid unnecessary changes. Which setting fits?

Answer:

ignore_changes tells Terraform to ignore drift on listed attributes, avoiding needless changes from external updates.

Which is an appropriate measure given that the Terraform state file can contain secrets?

Answer:

State may hold plaintext secrets, so protect it with an encrypted backend and access controls.

To detect drift between state and real infrastructure without making changes, what do you use?

Answer:

plan refreshes against reality and reports drift versus configuration without changing infrastructure.

Which file, generated by terraform init, records the exact selected provider versions for reproducibility?

Answer:

The lock file pins selected provider versions and hashes so every environment uses the same versions.

Which command intentionally upgrades providers and updates the lock file?

Answer:

init -upgrade updates providers/modules within constraints and refreshes the lock file.

When calling a module, what do you define so callers can pass values in?

Answer:

Module input variables are the entry point for caller parameters, while outputs are the exit for results.

You want to reuse a common network setup across projects. What is the appropriate Terraform approach?

Answer:

Extracting a module and pinning its version improves maintainability and consistency across reuse.

Which is a key benefit of remote runs in HCP Terraform?

Answer:

Remote runs execute centrally, unifying state, logs, access, and variables for team operations.

Which is appropriate when receiving a secret value through a variable?

Answer:

Mark secret variables sensitive to redact display, pass them via secured tfvars/env/secret stores, and remember the value can persist in state.

An apply fails because it cannot acquire the state lock. What should you check or do first?

Answer:

First confirm no concurrent run; only force-unlock a genuinely stale lock, carefully. Deleting state casually is dangerous.