HashiCorp Terraform - Practice Exam #1 - Results

All questions
Question 1: Incorrect
Which Terraform command will force a marked resource to be destroyed and
recreated on the next apply?

terraform fmt


terraform refresh
(Incorrect)


terraform taint
(Correct)


terraform destroy

Explanation
The terraform taint command manually marks a Terraform-managed resource as
tainted, forcing it to be destroyed and recreated on the next apply. This command
will not modify infrastructure but does modify the state file in order to mark a
resource as tainted. Once a resource is marked as tainted, the next plan will show
that the resource will be destroyed and recreated. The next terraform apply will
implement this change.

https://www.terraform.io/docs/commands/taint.html

Question 2: Correct
True or False? State is a requirement for Terraform to function.

True
(Correct)


False

Explanation
Terraform requires some sort of database to map Terraform config to the real world.
When you have a resource in your configuration, Terraform uses this map to know
how that resource is represented. Therefore, to map configuration to resources in the
real world, Terraform uses its own state structure.

https://www.terraform.io/docs/state/purpose.html

Question 3: Incorrect
Which of the following is considered a Terraform plugin?

Terraform provider
(Correct)


Terraform logic
(Incorrect)


Terraform language


Terraform tooling

Explanation
Terraform is built on a plugin-based architecture. All providers and provisioners that
are used in Terraform configurations are plugins, even the core types such as AWS
and Heroku. Users of Terraform are able to write new plugins in order to support
new functionality in Terraform.

https://www.terraform.io/docs/plugins/index.html

Question 4: Incorrect
When configuring a remote backend in Terraform, it might be a good idea to
purposely omit some of the required arguments to ensure secrets and other relevant
data are not inadvertently shared with others. What are the ways the remaining
configuration can be added to Terraform so it can initialize and communicate with
the backend? (select three)

command-line key/value pairs
(Correct)


directly querying HashiCorp Vault for the secrets


interactively on the command line
(Correct)


 use the -backend-config=PATH to specify a separate config file
(Correct)

Explanation
You do not need to specify every required argument in the backend configuration.
Omitting certain arguments may be desirable to avoid storing secrets, such as access
keys, within the main configuration. When some or all of the arguments are omitted,
we call this a partial configuration.

With a partial configuration, the remaining configuration arguments must be

provided as part of the initialization process. There are several ways to supply the
remaining arguments:

Interactively: Terraform will interactively ask you for the required values unless
interactive input is disabled. Terraform will not prompt for optional values.

File: A configuration file may be specified via the init command line. To specify a
file, use the -backend-config=PATH option when running terraform init . If the file
contains secrets it may be kept in a secure data store, such as Vault, in which case it
must be downloaded to the local disk before running Terraform.

Command-line key/value pairs: Key/value pairs can be specified via

the init command line. Note that many shells retain command-line flags in a
history file, so this isn't recommended for secrets. To specify a single key/value pair,
use the -backend-config="KEY=VALUE" option when running terraform init .

Question 5: Incorrect
What is the purpose of using the local-exec provisioner? (select two)

ensures that the resource is only executed in the local infrastructure where
Terraform is deployed


to execute one or more commands on the machine running Terraform
(Correct)


executes a command on the resource to invoke an update to the Terraform state
(Incorrect)


to invoke a local executable
(Correct)

Explanation
The local-exec provisioner invokes a local executable after a resource is created.
This invokes a process on the machine running Terraform, not on the resource.

Note that even though the resource will be fully created when the provisioner is run,
there is no guarantee that it will be in an operable state - for example, system
services such as sshd may not be started yet on compute resources.

https://www.terraform.io/docs/provisioners/#how-to-use-provisioners

Question 6: Skipped
In regards to deploying resources in multi-cloud environments, what are some of the
benefits of using Terraform rather than a provider's native tooling? (select three)

Terraform is not cloud-agnostic and can be used to deploy resources across a
single public cloud


Terraform simplifies management and orchestration, helping operators build
large-scale, multi-cloud infrastructure
(Correct)


Terraform can manage cross-cloud dependencies
(Correct)


Terraform can help businesses deploy applications on multiple clouds and on-
premises infrastructure
(Correct)

Explanation
Terraform is a cloud-agnostic tool, and therefore isn't limited to a single cloud
provider, such as AWS CloudFormation or Azure Resource Manager. Terraform
supports all of the major cloud providers and allows IT organizations to focus on
learning a single tool for deploying its infrastructure, regardless of what platform it's
being deployed on

https://www.terraform.io/intro/use-cases.html#multi-cloud-deployment

Question 7: Skipped
True or False? You can migrate the Terraform backend but only if there are no
resources currently being managed.

True


 False
(Correct)

Explanation
If you are already using Terraform to manage infrastructure, you probably want to
transfer to another backend, such as Terraform Cloud, so you can continue managing
it. By migrating your Terraform state, you can hand off infrastructure without de-
provisioning anything.

https://learn.hashicorp.com/tutorials/terraform/cloud-migrate

Question 8: Skipped
Frank has a file named main.tf which is shown below. Which of the following
statements are true about this code? (select two)
1. module "servers" {
2. source = "./app-cluster"
3.
4. servers = 5
5. }


main.tf is the child module


main.tf is the calling module
(Correct)


app-cluster is the calling module


app-cluster is the child module
(Correct)

Explanation
To call a module means to include the contents of that module into the
configuration with specific values for its input variables. Modules are called from
within other modules using module blocks. A module that includes a module block
like this is the calling module of the child module.

The label immediately after the module keyword is a local name, which the calling
module can use to refer to this instance of the module.

https://www.terraform.io/docs/configuration/modules.html#calling-a-child-module

Question 9: Skipped
What are the core Terraform workflow steps to use infrastructure as code?
 
1. 1) Plan
2. 2) Apply
3. 3) Destroy


1. 1) Write
2. 2) Plan
3. 3) Apply

(Correct)


1. 1) Plan
2. 2) Apply
3. 3) Pray


1. 1) Code
2. 2) Validate
3. 3) Apply

Explanation
The core Terraform workflow has three steps:

- Write - Author infrastructure as code.

- Plan - Preview changes before applying.

- Apply - Provision reproducible infrastructure.

This guide walks through how each of these three steps plays out in the context of
working as an individual practitioner, how they evolve when a team is collaborating
on infrastructure, and how Terraform Cloud enables this workflow to run smoothly
for entire organizations.

https://www.terraform.io/guides/core-workflow.html

Question 10: Skipped

In Terraform Enterprise, a workspace can be mapped to how many VCS repos?

2


5


3


1
(Correct)
Explanation
A workspace can only be configured to a single VCS repo, however, multiple
workspaces can use the same repo, if needed. A good explanation of how to
configure your code repositories can be found here.

https://www.terraform.io/docs/cloud/workspaces/creating.html

Question 11: Skipped

You have been given requirements to create a security group for a new application.
Since your organization standardizes on Terraform, you want to add this new security
group with the fewest number of lines of code. What feature could you use to iterate
over a list of required tcp ports to add to the new security group?

splat expression


dynamic block
(Correct)


dynamic backend


terraform import

Explanation
A dynamic block acts much like a for expression, but produces nested blocks
instead of a complex typed value. It iterates over a given complex value and
generates a nested block for each element of that complex value.

You can find more information on dynamic blocks using this link.

Question 12: Skipped

When using parent/child modules to deploy infrastructure, how would you export a
value from one module to import into another module.

For example, a module dynamically deploys an application instance or virtual machine,

and you need the IP address in another module to configure a related DNS record in
order to reach the newly deployed application.


configure the pertinent provider's configuration with a list of possible
IP addresses to use


 export the value using terraform export and input the value using terraform
input


configure an output value in the application module in order to use that value for
the DNS module
(Correct)


preconfigure the IP address as a parameter in the DNS module

Explanation
Output values are like the return values of a Terraform module and have several uses
such as a child module using those outputs to expose a subset of its resource
attributes to a parent module.

https://www.terraform.io/docs/configuration/expressions.html#references-to-
named-values

Question 13: Skipped

What are some of the features of Terraform state? (select three)

determining the correct order to destroy resources
(Correct)


mapping configuration to real-world resources
(Correct)


increased performance
(Correct)


inspection of cloud resources

Explanation
See this page on the purpose of Terraform state and the benefits it provides.
Question 14: Skipped
What happens when a terraform plan is executed?

reconciles the state Terraform knows about with the real-world infrastructure


creates an execution plan and determines what changes are required to achieve
the desired state in the configuration files.
(Correct)
 
applies the changes required in the target infrastructure in order to reach the
desired configuration


the backend is initialized and the working directory is prepped

Explanation
The terraform plan command is used to create an execution plan. Terraform
performs a refresh, unless explicitly disabled, and then determines what actions are
necessary to achieve the desired state specified in the configuration files.

After a plan has been run, it can be executed by running a terraform apply

https://www.terraform.io/docs/commands/plan.html

Question 15: Skipped

By default, where does Terraform store its state file?

Amazon S3 bucket


current working directory
(Correct)


remotely using Terraform Cloud


shared directory

Explanation
By default, the state file is stored in a local file named "terraform.tfstate", but it can
also be stored remotely, which works better in a team environment.

https://www.terraform.io/docs/backends/index.html

Question 16: Skipped

Given the Terraform configuration below, in which order will the resources be
created?
1. resource "aws_instance" "web_server" {
2. ami = "i-abdce12345"
3. instance_type = "t2.micro"
4. }
5.
6. resource "aws_eip" "web_server_ip" {
7. vpc = true
8. instance = aws_instance.web_server.id
9. }
 
resources will be created simultaneously


aws_instance will be created first
aws_eip will be created second
(Correct)


aws_eip will be created first
aws_instance will be created second


no resources will be created

Explanation
The aws_instance will be created first, and then aws_eip will be created second due to
the aws_eip's resource dependency of the aws_instance id

More information on resource dependencies can be found at this link.

Question 17: Skipped

Your organization has moved to AWS and has manually deployed infrastructure
using the console. Recently, a decision has been made to standardize on Terraform
for all deployments moving forward.

What can you do to ensure that all existing is managed by Terraform moving forward
without interruption to existing services?


submit a ticket to AWS and ask them to export the state of all existing resources
and use terraform import to import them into the state file


using terraform import , import the existing infrastructure into your Terraform
state
(Correct)


delete the existing resources and recreate them using new a Terraform
configuration so Terraform can manage them moving forward


resources that are manually deployed in the AWS console cannot be imported by
Terraform

Explanation
Terraform is able to import existing infrastructure. This allows you to take resources
you've created by some other means and bring them under Terraform management.

This is a great way to slowly transition infrastructure to Terraform or to be sure you're

confident that you can use Terraform in the future if it currently doesn't support
every AWS service or feature you need today.

https://www.terraform.io/docs/commands/import.html

Question 18: Skipped

Why is it a good idea to declare the required version of a provider in a Terraform
configuration file?
Larger image


to match the version number of your application being deployed via Terraform


providers are released on a separate schedule from Terraform itself; therefore a
newer version could introduce breaking changes
(Correct)


to remove older versions of the provider


to ensure that the provider version matches the version of Terraform you are
using

Explanation
Providers are plugins released on a separate rhythm from Terraform itself, and so
they have their own version numbers. For production use, you should constrain the
acceptable provider version via configuration. This helps to ensure that new versions
with potentially breaking changes will not be automatically installed by terraform
init in the future.

https://www.terraform.io/docs/configuration/provider-requirements.html#requiring-
providers

Question 19: Skipped

Kristen is using modules to provision an Azure environment for a new application.
She is using the following code and specifying a version of her virtual machine
module to ensure she's calling the correct module. Which of the following provides
support for versioning of a module? (select two)
1. module "compute" {
 2. source = "Azure/compute/azurerm"
3. version = "3.8.0"
4. }


local file paths


modules stored in GitLab


private module registry
(Correct)


public module registry
(Correct)

Explanation
Version constraints are supported only for modules installed from a module registry,
such as the public Terraform Registry or Terraform Cloud's private module registry.
Other module sources can provide their own versioning mechanisms within the
source string itself, or might not support versions at all. In particular, modules
sourced from local file paths do not support version ; since they're loaded from the
same source repository, they always share the same version as their caller.

https://www.terraform.io/docs/configuration/modules.html#module-versions

Question 20: Skipped

When multiple engineers start deploying infrastructure using the same state file,
what is a feature of remote state storage that is critical to ensure the state does not
become corrupt?

encryption


object storage


state locking
(Correct)


workspaces

Explanation
If supported by your backend, Terraform will lock your state for all operations that
could write state. This prevents others from acquiring the lock and potentially
corrupting your state.

State locking happens automatically on all operations that could write state. You
won't see any message that it is happening. If state locking fails, Terraform will not
continue. You can disable state locking for most commands with the -lock flag but
it is not recommended.

https://www.terraform.io/docs/state/locking.html

Question 21: Skipped

Which of the following represents a feature of Terraform Cloud that is NOT free to
customers?

VCS integration


workspace management


team management and governance
(Correct)


private module registry

Explanation
Information on the comparisons of Terraform Cloud can be found at this link.

A really great PDF of the Terraform features can also be found here.

Question 22: Skipped

What Terraform feature is shown in the example below?
1. resource "aws_security_group" "example" {
2. name = "sg-app-web-01"
3.
4. dynamic "ingress" {
5. for_each = var.service_ports
6. content {
7. from_port = ingress.value
8. to_port = ingress.value
9. protocol = "tcp"
10. }
11. }
12. }


local values
 
conditional expression


dynamic block
(Correct)


data source

Explanation
You can dynamically construct repeatable nested blocks like ingress using a
special dynamic block type, which is supported inside resource , data , provider ,
and provisioner blocks.

https://www.terraform.io/docs/configuration/expressions.html#dynamic-blocks

Question 23: Skipped

What Terraform command can be used to inspect the current state file?

Example:

Larger image


terraform inspect


terraform state


terraform read


terraform show
(Correct)

Explanation
The terraform show command is used to provide human-readable output from a
state or plan file. This can be used to inspect a plan to ensure that the planned
operations are expected, or to inspect the current state as Terraform sees it.

Machine-readable output can be generated by adding the -json command-line

flag.
Note: When using the -json command-line flag, any sensitive values in Terraform
state will be displayed in plain text.

https://www.terraform.io/docs/commands/show.html

Question 24: Skipped

True or False? Multiple providers can be declared within a single Terraform
configuration file.

False


True
(Correct)

Explanation
Multiple provider blocks can exist if a Terraform configuration is composed of
multiple providers, which is a common situation. To add multiple providers in your
configuration, declare the providers, and create resources associated with those
providers.
Question 25: Skipped
Which of the following best describes a Terraform provider?

a plugin that Terraform uses to translate the API interactions with the service or
provider
(Correct)


a container for multiple resources that are used together


serves as a parameter for a Terraform module that allows a module to be
customized


describes an infrastructure object, such as a virtual network, compute instance, or
other components

Explanation
A provider is responsible for understanding API interactions and exposing resources.
Providers generally are an IaaS (e.g., Alibaba Cloud, AWS, GCP, Microsoft Azure,
OpenStack), PaaS (e.g., Heroku), or SaaS services (e.g., Terraform Cloud, DNSimple,
CloudFlare).

https://www.terraform.io/docs/providers/index.html
Question 26: Skipped
Published modules via the Terraform Registry provide which of the following
benefits? (select four)

allow browsing version histories
(Correct)


support from any code repo


automatically generated documentation
(Correct)


show examples and READMEs
(Correct)


support versioning
(Correct)

Explanation
Public modules are managed via Git and GitHub. Publishing a module takes only a
few minutes. Once a module is published, you can release a new version of a module
by simply pushing a properly formed Git tag. The module must be on GitHub and
must be a public repo. This is only a requirement for the public registry. If you're
using a private registry, you may ignore this requirement.

The key here is that HashiCorp uses GitHub for published modules.

Question 27: Skipped

What does the command terraform fmt do?

formats the state file in order to ensure the latest state of resources can be
obtained


rewrite Terraform configuration files to a canonical format and style
(Correct)


updates the font of the configuration file to the official font supported by
HashiCorp


deletes the existing configuration file
Explanation
The terraform fmt command is used to rewrite Terraform configuration files to a
canonical format and style. This command applies a subset of the Terraform
language style conventions, along with other minor adjustments for readability.

Other Terraform commands that generate Terraform configuration will produce

configuration files that conform to the style imposed by terraform fmt , so using
this style in your own files will ensure consistency.

https://www.terraform.io/docs/commands/fmt.html

Question 28: Skipped

In the example below, where is the value of the DNS record's IP address originating
from?
1. resource "aws_route53_record" "www" {
2. zone_id = aws_route53_zone.primary.zone_id
3. name = "www.helloworld.com"
4. type = "A"
5. ttl = "300"
6. records = [module.web_server.instance_ip_addr]
7. }


the regular expression named module.web_server


value of the web_server parameter from the variables.tf file


the output of a module named web_server
(Correct)


by querying the AWS EC2 API to retrieve the IP address

Explanation
In a parent module, outputs of child modules are available in expressions
as module.<MODULE NAME>.<OUTPUT NAME> . For example, if a child module
named web_server declared an output named instance_ip_addr , you could access
that value as module.web_server.instance_ip_addr .

https://www.terraform.io/docs/configuration/expressions.html#references-to-
named-values

Question 29: Skipped

What is the best and easiest way for Terraform to read and write secrets from
HashiCorp Vault?

integration with a tool like Jenkins


API access using the AppRole auth method


CLI access from the same machine running Terraform


Vault provider
(Correct)

Explanation
The Vault provider allows Terraform to read from, write to, and configure Hashicorp
Vault.

https://registry.terraform.io/providers/hashicorp/vault/latest/docs

Question 30: Skipped

True or False? Starting in Terraform v0.12, the Terraform language now has built-in
syntax for creating lists using the [ and ] delimiters, replacing and deprecating
the list () function.

True
(Correct)


False

Explanation
The list function is deprecated. From Terraform v0.12, the Terraform language
has built-in syntax for creating lists using the [ and ] delimiters. Use the built-in
syntax instead. The list function will be removed in a future version of Terraform.

https://www.terraform.io/docs/configuration/functions/list.html

Question 31: Skipped

Stephen is writing brand new code and needs to ensure it is syntactically valid and
internally consistent. Stephen doesn't want to wait for Terraform to access any
remote services while making sure his code is valid. What command can he use to
accomplish this?

terraform validate
 (Correct)


terraform fmt


terraform refresh


terraform show

Explanation
The terraform validate command validates the configuration files in a directory,
referring only to the configuration and not accessing any remote services such as
remote state, provider APIs, etc.

Validate runs checks that verify whether a configuration is syntactically valid and
internally consistent, regardless of any provided variables or existing state. It is thus
primarily useful for general verification of reusable modules, including correctness of
attribute names and value types.

https://www.terraform.io/docs/commands/validate.html

Question 32: Skipped

Select the feature below that best completes the sentence:

The following list represents the different types of __________ available in Terraform.

1. max
2. min
3. join
4. replace
5. list
6. length
7. range


named values


functions
(Correct)


backends


data sources

Explanation
The Terraform language includes a number of built-in functions that you can call
from within expressions to transform and combine values. The Terraform language
does not support user-defined functions, and only the functions built into the
language are available for use.

https://www.terraform.io/docs/configuration/functions.html

Question 33: Skipped

Which flag would be used within a Terraform configuration block to identify the
specific version of a provider required?

required-provider


required_providers
(Correct)


required-version


required_versions

Explanation
For production use, you should constrain the acceptable provider versions via
configuration file to ensure that new versions with breaking changes will not be
automatically installed by terraform init in the future. When terraform init is
run without provider version constraints, it prints a suggested version constraint
string for each provider

For example:

terraform {
required_providers {
aws = ">= 3.1.0"
}
}

https://www.terraform.io/docs/configuration/provider-requirements.html#requiring-
providers
Question 34: Skipped
Select two answers to complete the following sentence:

Before a new provider can be used, it must be ______ and _______. (select two)
 
initialized
(Correct)


uploaded to source control


approved by HashiCorp


declared or used in a configuration file
(Correct)

Explanation
Each time a new provider is added to configuration -- either explicitly via a provider
block or by adding a resource from that provider -- Terraform must initialize the
provider before it can be used. Initialization downloads and installs the provider's
plugin so that it can later be executed.

https://www.terraform.io/docs/configuration/provider-requirements.html#provider-
installation

Question 35: Skipped

What happens when a terraform apply command is executed?

the backend is initialized and the working directory is prepped


reconciles the state Terraform knows about with the real-world infrastructure


creates the execution plan for the deployment of resources


applies the changes required in the target infrastructure in order to reach the
desired configuration
(Correct)

Explanation
The terraform apply command is used to apply the changes required to reach the
desired state of the configuration, or the pre-determined set of actions generated by
a terraform plan execution plan.

https://www.terraform.io/docs/commands/apply.html

Question 36: Skipped

Which of the following connection types are supported by the remote-
exec provisioner? (select two)


ssh
(Correct)


winrm
(Correct)


rdp


smb

Explanation
The remote-exec provisioner invokes a script on a remote resource after it is created.
The remote-exec provisioner supports both ssh and winrm type connections.

More information on remote-exec can be found at this link.

Question 37: Skipped

Terraform-specific settings and behaviors are declared in which configuration block
type?

terraform
(Correct)


data


resource


provider

Explanation
The special terraform configuration block type is used to configure some behaviors
of Terraform itself, such as requiring a minimum Terraform version to apply your
configuration.

https://www.terraform.io/docs/configuration/terraform.html

Question 38: Skipped

Which of the following actions are performed during a terraform init ? (select
three)

download the declared providers which are supported by HashiCorp
(Correct)


provisions the declared resources in your configuration


initializes the backend configuration
(Correct)


initializes downloaded and/or installed providers
(Correct)

Explanation
The terraform init command is used to initialize a working directory containing
Terraform configuration files. This is the first command that should be run after
writing a new Terraform configuration or cloning an existing one from version
control. It is safe to run this command multiple times.

https://www.terraform.io/docs/commands/init.html

https://learn.hashicorp.com/tutorials/terraform/aws-build#create-infrastructure

Question 39: Skipped

HashiCorp offers multiple versions of Terraform, including Terraform open-source,
Terraform Cloud, and Terraform Enterprise. Which of the following Terraform
features are only available in the Enterprise edition? (select three)

Locally hosted installation
(Correct)


Private Network Connectivity
(Correct)


SAML/SSO


Clustering
(Correct)


 Private Module Registry


Audit Logs

Explanation
While there are a ton of features that are available to open source and Cloud users,
there are still a few features that are part of the Enterprise offering which is geared
towards enterprise requirements. With the introduction of Terraform Cloud for
Business, almost all features are now available for a hosted Terraform deployment.
To see what specific features are part of Terraform Cloud and Terraform
Enterprise, check out this link.

Clustering was available for Enterprise for a while, then HashiCorp removed it. As of
January 15, 2021, it's back and you can read more about it at this link.

Question 40: Skipped

In order to make a Terraform configuration file dynamic and/or reusable, static
values should be converted to use what?

regular expressions


output value


module


input variables
(Correct)

Explanation
Input variables serve as parameters for a Terraform module, allowing aspects of the
module to be customized without altering the module's own source code, and
allowing modules to be shared between different configurations.

https://learn.hashicorp.com/tutorials/terraform/aws-variables

Question 41: Skipped

Using multi-cloud and provider-agnostic tools provides which of the following
benefits? (select two)

operations teams only need to learn and manage a single tool to manage
infrastructure, regardless of where the infrastructure is deployed
(Correct)
 
can be used across major cloud providers and VM hypervisors
(Correct)


increased risk due to all infrastructure relying on a single tool for management


slower provisioning speed allows the operations team to catch mistakes before
they are applied

Explanation
Using a tool like Terraform can be advantageous for organizations deploying
workloads across multiple public and private cloud environments. Operations teams
only need to learn a single tool, a single language, and can use the same tooling to
enable a DevOps-like experience and workflows.

https://www.terraform.io/intro/use-cases.html#multi-cloud-deployment

Question 42: Skipped

After executing a terraform plan , you notice that a resource has a tilde (~) next to
it. What does this infer?

the resource will be created


the resource will be destroyed and recreated


Terraform can't determine how to proceed due to a problem with the state file


the resource will be updated in place
(Correct)

Explanation
The prefix -/+ means that Terraform will destroy and recreate the resource, rather
than updating it in-place. Some attributes and resources can be updated in-place
and are shown with the ~ prefix.

https://www.terraform.io/docs/commands/plan.html

https://learn.hashicorp.com/tutorials/terraform/infrastructure-as-code

Question 43: Skipped

What is a downside to using a Terraform provider, such as the Vault provider, to
interact with sensitive data, such as reading secrets from Vault?

Terraform and Vault must be running on the same version


Terraform and Vault must be running on the same physical host


secrets are persisted to the state file and plans
(Correct)


Terraform requires a unique auth method to work with Vault

Explanation
Interacting with Vault from Terraform causes any secrets that you read and write to
be persisted in both Terraform's state file and in any generated plan files. For any
Terraform module that reads or writes Vault secrets, these files should be treated as
sensitive and protected accordingly.

https://registry.terraform.io/providers/hashicorp/vault/latest/docs

Question 44: Skipped

What are the benefits of using Infrastructure as Code? (select five)

Infrastructure as Code provides configuration consistency and standardization
among deployments
(Correct)


Infrastructure as Code allows a user to turn a manual task into a simple,
automated deployment
(Correct)


Infrastructure as Code easily replaces development languages such as Go and
.Net for application development


Infrastructure as Code is relatively simple to learn and write, regardless of a user's
prior experience with developing code
(Correct)


Infrastructure as Code gives the user the ability to recreate an application's
infrastructure for disaster recovery scenarios
(Correct)
 
Infrastructure as Code is easily repeatable, allowing the user to reuse code to
deploy similar, yet different resources
(Correct)

Explanation
If you are new to infrastructure as code as a concept, it is the process of managing
infrastructure in a file or files rather than manually configuring resources in a user
interface. A resource in this instance is any piece of infrastructure in a given
environment, such as a virtual machine, security group, network interface, etc.

At a high level, Terraform allows operators to use HCL to author files containing
definitions of their desired resources on almost any provider (AWS, GCP, GitHub,
Docker, etc) and automates the creation of those resources at the time of
application.

https://www.terraform.io/intro/index.html#infrastructure-as-code

Question 45: Skipped

From the answers below, select the advantages of using Infrastructure as Code.
(select four)

Provide a codified workflow to develop customer-facing applications


Easily change and update existing infrastructure
(Correct)


Provide reusable modules for easy sharing and collaboration
(Correct)


Safely test modifications using a "dry run" before applying any actual changes
(Correct)


Easily integrate with application workflows (GitLab Actions, Azure DevOps, CI/CD
tools)
(Correct)

Explanation
Infrastructure as Code is not used to develop applications, but it can be used to help
deploy or provision those applications to a public cloud provider or on-premises
infrastructure.
All of the others are benefits to using Infrastructure as Code over the traditional way
of managing infrastructure, regardless if it's public cloud or on-premises.

https://www.terraform.io/intro/index.html

Question 46: Skipped

True or False? Workspaces provide identical functionality in the open-source,
Terraform Cloud, and Enterprise versions of Terraform.

True


False
(Correct)

Explanation
Workspaces, managed with the terraform workspace command, isn't the same
thing as Terraform Cloud's workspaces. Terraform Cloud workspaces act more like
completely separate working directories.

CLI workspaces (OSS) are just alternate state files.

Question 47: Skipped

You want to use terraform import to start managing infrastructure that was not
originally provisioned through infrastructure as code. Before you can import the
resource's current state, what must you do in order to prepare to manage these
resources using Terraform?

update the configuration file to include the new resources
(Correct)


shut down or stop using the resources being imported so no changes are
inadvertently missed


run terraform refresh to ensure that the state file has the latest information for
existing resources.


modify the Terraform state file to add the new resources

Explanation
The current implementation of Terraform import can only import resources into
the state. It does not generate a configuration. Because of this, and prior to
running terraform import , it is necessary to manually write
a resource configuration block for the resource to which the imported object will be
mapped.

First, add the resources to the configuration file:

resource "aws_instance" "example" {

# ...instance configuration...
}

Then run the following command:

$ terraform import aws_instance.example i-abcd1234

https://www.terraform.io/docs/commands/import.html

Question 48: Skipped

What are some of the problems of how infrastructure was traditionally managed
before Infrastructure as Code? (select three)

Pointing and clicking in a management console is a scalable approach and
reduces human error as businesses are moving to a multi-cloud deployment
model


Traditional deployment methods are not able to meet the demands of the
modern business where resources tend to live days to weeks, rather than months
to years
(Correct)


Requests for infrastructure or hardware required a ticket, increasing the time
required to deploy applications
(Correct)


Traditionally managed infrastructure can't keep up with cyclic or elastic
applications
(Correct)

Explanation
Businesses are making a transition where traditionally-managed infrastructure can no
longer meet the demands of today's businesses. IT organizations are quickly
adopting the public cloud, which is predominantly API-driven.

To meet customer demands and save costs, application teams are architecting their
applications to support a much higher level of elasticity, supporting technology like
containers and public cloud resources. These resources may only live for a matter of
hours; therefore the traditional method of raising a ticket to request resources is no
longer a viable option

Pointing and clicking in a management console is NOT scale and increases the
change of human error.

https://www.terraform.io/intro/index.html#infrastructure-as-code

Question 49: Skipped

Select the answer below that completes the following statement:

Terraform Cloud can be managed from the CLI but requires __________?


authentication using MFA


a TOTP token


a username and password


an API token
(Correct)

Explanation
API and CLI access are managed with API tokens, which can be generated in the
Terraform Cloud UI. Each user can generate any number of personal API tokens,
which allow access with their own identity and permissions. Organizations and teams
can also generate tokens for automating tasks that aren't tied to an individual user.

https://www.terraform.io/docs/cloud/users-teams-organizations/api-tokens.html

Question 50: Skipped

In regards to Terraform state file, select all the statements below which are correct:
(select four)

when using local state, the state file is stored in plain-text
(Correct)


the Terraform state can contain sensitive data, therefore the state file should be
protected from unauthorized access
(Correct)
 
storing state remotely can provide better security
(Correct)


using the mask feature, you can instruct Terraform to mask sensitive data in the
state file


Terraform Cloud always encrypts state at rest
(Correct)


the state file is always encrypted at rest

Explanation
Terraform state can contain sensitive data, depending on the resources in use and
your definition of "sensitive." The state contains resource IDs and all resource
attributes. For resources such as databases, this may contain initial passwords.

When using local state, state is stored in plain-text JSON files.

If you manage any sensitive data with Terraform (like database passwords, user
passwords, or private keys), treat the state itself as sensitive data.

Storing Terraform state remotely can provide better security. As of Terraform 0.9,
Terraform does not persist state to the local disk when remote state is in use, and
some backends can be configured to encrypt the state data at rest.

https://www.terraform.io/docs/state/sensitive-data.html

Question 51: Skipped

After running into issues with Terraform, you need to enable verbose logging to
assist with troubleshooting the error. Which of the following values provides the
MOST verbose logging?

WARN


INFO


ERROR


DEBUG
 
TRACE
(Correct)

Explanation
Terraform has detailed logs that can be enabled by setting the TF_LOG environment
variable to any value. This will cause detailed logs to appear on stderr.

You can set TF_LOG to one of the log levels TRACE , DEBUG , INFO , WARN or ERROR to
change the verbosity of the logs. TRACE is the most verbose and it is the default
if TF_LOG is set to something other than a log level name.

https://www.terraform.io/docs/internals/debugging.html

Question 52: Skipped

Which of the following best describes the default local backend?

The local backend is the directory where resources deployed by Terraform have
direct access to in order to update their current state


The local backend is how Terraform connects to public cloud services, such as
AWS, Azure, or GCP.


The local backend is where Terraform Enterprise stores logs to be processed by
an log collector


The local backend stores state on the local filesystem, locks the state using
system APIs, and performs operations locally.
(Correct)

Explanation
Information on the default local backend can be found at this link.

Example:

terraform {
backend "local" {
path = "relative/path/to/terraform.tfstate"
}
}

Question 53: Skipped

Which of the following Terraform files should be ignored by Git when committing
code to a repo? (select two)

output.tf


terraform.tfvars
(Correct)


terraform.tfstate
(Correct)


variables.tf

Explanation
The .gitignore file should be configured to ignore Terraform files that either contain
sensitive data or aren't required to save.

The terraform.tfstate file contains the terraform state of a specific environment and
doesn't need to be preserved in a repo. The terraform.tfvars file may contain sensitive
data, such as passwords or IP addresses of an environment that you may not want to
share with others.

Question 54: Skipped

Which of the following allows Terraform users to apply policy as code to enforce
standardized configurations for resources being deployed via infrastructure as code?

sentinel
(Correct)


functions


module registry


workspaces

Explanation
Sentinel is an embedded policy-as-code framework integrated with the HashiCorp
Enterprise products. It enables fine-grained, logic-based policy decisions, and can be
extended to use information from external sources.

https://www.hashicorp.com/sentinel
Question 55: Skipped
True or False? Provisioners should only be used as a last resort.

True
(Correct)


False

Explanation
Provisioners are used to execute scripts on a local or remote machine as part of
resource creation or destruction. Provisioners can be used to bootstrap a resource,
cleanup before destroy, run configuration management, etc. Even if the functionality
you need is not available in a provider today, HashiCorp suggests that you
consider local-exec usage as a temporary workaround and to open an issue in the
relevant provider's repo to discuss adding first-class support.

https://www.terraform.io/docs/provisioners/#provisioners-are-a-last-resort

Question 56: Skipped

Rick is writing a new Terraform configuration file and wishes to use modules in order
to easily consume Terraform code that has already been written. Which of the
modules shown below will be created first?
1. terraform {
2. required_providers {
3. aws = {
4. source = "hashicorp/aws"
5. }
6. }
7. }
8.
9. provider "aws" {
10. region = "us-west-2"
11. }
12.
13. module "vpc" {
14. source = "terraform-aws-modules/vpc/aws"
15. version = "2.21.0"
16.
17. name = var.vpc_name
18. cidr = var.vpc_cidr
19.
20. azs = var.vpc_azs
21. private_subnets = var.vpc_private_subnets
22. public_subnets = var.vpc_public_subnets
23.
24. enable_nat_gateway = var.vpc_enable_nat_gateway
25.
26. tags = var.vpc_tags
27. }
28.
29. module "ec2_instances" {
30. source = "terraform-aws-modules/ec2-instance/aws"
31. version = "2.12.0"
32.
33. name = "my-ec2-cluster"
 34. instance_count = 2
35.
36. ami = "ami-0c5204531f799e0c6"
37. instance_type = "t2.micro"
38. vpc_security_group_ids = [module.vpc.default_security_group_id]
39. subnet_id = module.vpc.public_subnets[0]
40.
41. tags = {
42. Terraform = "true"
43. Environment = "dev"
44. }
45. }


1. module "ec2_instances"


1. module "vpc"

(Correct)

Explanation
The VPC module will be executed first since the ec2_instances module has
dependencies on the VPC module.
Both vpc_security_group_ids and subnet_id require outputs from the VPC
module.

https://learn.hashicorp.com/tutorials/terraform/module-use

Question 57: Skipped

Terry is using a module to deploy some EC2 instances on AWS for a new project. He
is viewing the code that is calling the module for deployment, which is shown
below. Where is the value of the security group originating?
1. module "ec2_instances" {
2. source = "terraform-aws-modules/ec2-instance/aws"
3. version = "2.12.0"
4.
5. name = "my-ec2-cluster"
6. instance_count = 2
7.
8. ami = "ami-0c5204531f799e0c6"
9. instance_type = "t2.micro"
10. vpc_security_group_ids = [module.vpc.default_security_group_id]
11. subnet_id = module.vpc.public_subnets[0]
12.
13. tags = {
14. Terraform = "true"
15. Environment = "dev"
16. }


the Terraform public module registry


 from a variable likely declared in a .tfvars file being passed to another module


the output of another module
(Correct)


an environment variable being using during a terraform apply

Explanation
In this example, the module is looking for an output of a second module, called VPC.
A great tutorial to look at this workflow can be found on the HashiCorp Learn site
- https://learn.hashicorp.com/tutorials/terraform/module-use

HashiCorp Terraform - Practice Exam #2 - Results

All questions

Question 1: Skipped

True of False? Rather than use state, Terraform can inspect cloud resources on every
run.

True

False
(Correct)

Explanation
State is a necessary requirement for Terraform to function. And in the scenarios
where Terraform may be able to get away without state, doing so would require
shifting massive amounts of complexity from one place (state) to another place (the
replacement concept).

https://www.terraform.io/docs/state/purpose.html

Question 2: Skipped

The following is a snippet from a Terraform configuration file:

1. provider "aws" {
 2. region = "us-east-1"
3. }
4.
5. provider "aws" {
6. region = "us-west-1"
7. }

which, when validated, results in the following error:-

1. Error: Duplicate provider configuration
2.
3. on main.tf line 5:
4. 5: provider "aws" {
5.
6. A default provider configuration for "aws" was already given at
7. main.tf:1,1-15. If multiple configurations are required, set the "______"
8. argument for alternative configurations.

Fill in the blank in the error message with the correct string from the list below.

label

version

multi

alias
(Correct)

Explanation
An alias meta-arguement is used when using the same provider with different
configurations for different resources.

https://www.terraform.io/docs/configuration/providers.html#alias-multiple-provider-
instances

Question 3: Skipped

A user creates three workspaces from the command line - prod, dev, and test. Which
of the following commands will the user run to switch to the dev workspace?

terraform workspace dev


terraform workspace -switch dev


terraform workspace select dev
(Correct)


terraform workspace switch dev
Explanation
The terraform workspace select command is used to choose a different
workspace to use for further operations.

https://www.terraform.io/docs/commands/workspace/select.html

Question 4: Skipped

Larissa is interested in using a module to create an AWS VPC. She finds this code but
isn't sure what all the declarations are beyond the source and version (such as "name,
cidr, azs, etc). What are these declarations used for?
1. module "vpc" {
2. source = "terraform-aws-modules/vpc/aws"
3. version = "2.21.0"
4.
5. name = var.vpc_name
6. cidr = var.vpc_cidr
7.
8. azs = var.vpc_azs
9. private_subnets = var.vpc_private_subnets
10. public_subnets = var.vpc_public_subnets
11.
12. enable_nat_gateway = var.vpc_enable_nat_gateway
13.
14. tags = var.vpc_tags
15. }


these are variables that are passed into the child module likely used for resource
creation
(Correct)


these are the outputs that the child module will return

the value of these variables will be obtained from values created within the child
module

this is where the variable declarations are so Terraform is aware of these variables
within the calling module
Explanation
These are the input variables that are being set for the child module, in which the
child module will likely use to create resources. These variables are declared
elsewhere, likely in a variables.tf file, and the values are pulled from either the default
value, a .tfvars file, environment variable, or from another resource.

https://learn.hashicorp.com/tutorials/terraform/module-use#set-values-for-module-
input-variables

Question 5: Skipped
Environment variables can be used to set variables. The environment variables must
be in the format "____"_<variablename> . Select the correct prefix string from the
following list.

TF_VAR_NAME

TF_ENV_VAR

TF_VAR
(Correct)


TF_ENV
Explanation
Environment variables can be used to set variables. The environment variables must
be in the format TF_VAR_name and this will be checked last for a value. For example:
export TF_VAR_region=us-west-1
export TF_VAR_ami=ami-049d8641
export TF_VAR_alist='[1,2,3]'
export TF_VAR_amap='{ foo = "bar", baz = "qux" }'

https://www.terraform.io/docs/commands/environment-variables.html
Question 6: Skipped

True or False? By default, Terraform destroy will prompt for confirmation before
proceeding.

True
(Correct)


False
Explanation
Terraform destroy will always prompt for confirmation before executing unless
passed the -auto-approve flag.
$ terraform destroy
Do you really want to destroy all resources?
Terraform will destroy all your managed infrastructure, as shown above.
There is no undo. Only 'yes' will be accepted to confirm.

Enter a value:

Question 7: Skipped
A user runs terraform init on their RHEL based server and per the output, two
provider plugins are downloaded:
1. $ terraform init
2.
3. Initializing the backend...
4.
5. Initializing provider plugins...
6. - Checking for available provider plugins...
7. - Downloading plugin for provider "aws" (hashicorp/aws) 2.44.0...
8. - Downloading plugin for provider "random" (hashicorp/random) 2.2.1...
9.
10. Terraform has been successfully initialized!

Where are these plugins downloaded to?


/etc/terraform/plugins

The .terraform.d directory in the directory terraform init was executed in.

The .terraform.plugins directory in the directory terraform init was executed in.

The .terraform/plugins directory in the directory terraform init was executed in.
(Correct)

Explanation
By default, terraform init downloads plugins into a subdirectory of the working
directory, .terraform/plugins, so that each working directory is self-contained.

https://www.terraform.io/docs/plugins/basics.html#installing-plugins

Question 8: Skipped

Which of the following is an invalid variable name?


instance_name

web

count
(Correct)


var1
Explanation
count is a reserved word. The count parameter on resources can simplify
configurations and let you scale resources by simply incrementing a number.

https://www.terraform.io/intro/examples/count.html
Question 9: Skipped

Oscar is modifying his Terraform configuration file but isn't 100% sure it's correct. He
is afraid that changes made could negatively affect production workloads. How can
Oscar validate the changes that will be made without impacting existing workloads?

run a terraform validate to ensure the changes won't impact the production
workloads

run terraform apply using a local-exec provisioner so the configuration won't
impact existing workloads

run a terraform plan and validate the changes that will be made
(Correct)


run terraform refresh to compare his existing configuration file against the
current one
Explanation
The terraform plan command is used to create an execution plan. Terraform
performs a refresh, unless explicitly disabled, and then determines what actions are
necessary to achieve the desired state specified in the configuration files. This
command is a convenient way to check whether the execution plan for a set of
changes matches your expectations without making any changes to real resources or
to the state.

https://www.terraform.io/docs/commands/plan.html

Question 10: Skipped

Terraform Enterprise (also referred to as pTFE) requires what type of backend

database for a clustered deployment?

Cassandra

MSSQL

PostgreSQL
(Correct)


MySQL
Explanation
External Services mode stores the majority of the stateful data used by the instance
in an external PostgreSQL database and an external S3-compatible endpoint or
Azure blob storage. There is still critical data stored on the instance that must be
managed with snapshots. Be sure to check the PostgreSQL Requirements for
information that needs to be present for Terraform Enterprise to work. This option is
best for users with expertise managing PostgreSQL or users that have access to
managed PostgreSQL offerings like AWS RDS.

Check out the Pre-requisite document for more information

- https://www.terraform.io/docs/enterprise/before-installing/index.html

Question 11: Skipped

In order to reduce the time it takes to provision resources, Terraform uses

parallelism. By default, how many resources will Terraform provision concurrently
during a terraform apply ?

5

20

10
(Correct)


50
Explanation
Terraform can limit the number of concurrent operations as Terraform walks the
graph using the -parallelism=n argument. The default value for this setting is 10 .
This setting might be helpful if you're running into API rate limits.

https://www.terraform.io/docs/internals/graph.html#walking-the-graph

Question 12: Skipped

From the code below, identify the implicit dependency:

1. resource "aws_eip" "public_ip" {
2. vpc = true
3. instance = aws_instance.web_server.id
4. }
5.
6. resource "aws_instance" "web_server" {
7. ami = "ami-2757f631"
8. instance_type = "t2.micro"
9. depends_on = [aws_s3_bucket.company_data]
10. }


 The EC2 instance labeled web_server
(Correct)


The EIP with an id of ami-2757f631

The S3 bucket labeled company_data

The AMI used for the EC2 instance
Explanation
The EC2 instance labeled web_server is the implicit dependency as
the aws_eip cannot be created until the aws_instance labeled web_server has
been provisioned and the id is available.

Note that aws_s3_bucket.example is an explicit dependency.

https://learn.hashicorp.com/tutorials/terraform/dependencies

Question 13: Skipped

Select the most accurate statement to describe the Terraform language from the
following list.

Terraform is a mutable, declarative, Infrastructure as Code configuration
management language based on Hashicorp Configuration Language, or
optionally JSON.

Terraform is an immutable, declarative, Infrastructure as Code provisioning
language based on Hashicorp Configuration Language, or optionally JSON.
(Correct)


Terraform is an immutable, procedural, Infrastructure as Code configuration
management language based on Hashicorp Configuration Language, or
optionally JSON.

Terraform is a mutable, procedural, Infrastructure as Code provisioning language
based on Hashicorp Configuration Language, or optionally YAML.
Explanation
Terraform is not a configuration management tool
- https://www.terraform.io/intro/vs/chef-puppet.html

Terraform is a declarative language

- https://www.terraform.io/docs/configuration/index.html
Terraform supports a syntax that is JSON compatible
- https://www.terraform.io/docs/configuration/syntax-json.html

Terraform is primarily designed on immutable infrastructure principles

- https://www.hashicorp.com/resources/what-is-mutable-vs-immutable-
infrastructure

Question 14: Skipped

In the example below, the depends_on argument creates what type of dependency?
1. resource "aws_instance" "example" {
2. ami = "ami-2757f631"
3. instance_type = "t2.micro"
4. depends_on = [aws_s3_bucket.company_data]
5. }


explicit dependency
(Correct)


non-dependency resource

internal dependency

implicit dependency
Explanation
Sometimes there are dependencies between resources that are not visible to
Terraform. The depends_on argument is accepted by any resource and accepts a list
of resources to create explicit dependencies for.

https://learn.hashicorp.com/tutorials/terraform/dependencies

Question 15: Skipped

In Terraform, most resource dependencies are handled automatically. Which of the

following statements describes best how Terraform resource dependencies are
handled?

Resource dependencies are handled automatically by
the depends_on meta_argument, which is set to true by default.


Resource dependencies are identified and maintained in a file
called resource.dependencies . Each terraform provider is required to maintain a
list of all resource dependencies for the provider and it's included with the plugin
 during initialization when terraform init is executed. The file is located in
the terraform.d folder.


The Terraform binary contains a built-in reference map of all defined Terraform
resource dependencies. Updates to this dependency map are reflected in
terraform versions. To ensure you are working with the latest resource
dependency map you much be running the latest version of Terraform.

Terraform analyzes any expressions within a resource block to find references to
other objects and treats those references as implicit ordering requirements when
creating, updating, or destroying resources.
(Correct)

Explanation
Terraform analyzes any expressions within a resource block to find references to
other objects and treats those references as implicit ordering requirements when
creating, updating, or destroying resources.

https://www.terraform.io/docs/configuration/resources.html

Question 16: Skipped

Which are some of the benefits of using Infrastructure as Code in general? (select
three)

it can be shared
(Correct)


it is always platform agnostic

it can be versioned
(Correct)


it can be reused
(Correct)

Explanation
Infrastructure as Code has many benefits, including being able to create a blueprint
of your data center which can be versioned, shared, and reused. However, in a
general sense, not all IaC tools are platform agnostic like Terraform.

https://www.terraform.io/intro/index.html#infrastructure-as-code

Question 17: Skipped

Harry has deployed resources on Azure for his organization using Terraform.
However, he has discovered that his co-workers Ron and Ginny have manually
created a few resources using the Azure console. Since it's company policy to
manage production workloads using IaC, how can Harry start managing these
resources in Terraform without negatively impacting the availability of the deployed
resources?

resources created outside of Terraform cannot be managed by Terraform

run a terraform get to retrieve other resources that are not under Terraform
management

rewrite the Terraform configuration file to deploy new resources, run a terraform
apply , and migrate users to the newly deployed resources. Manually delete the
other resources created by Ron and Ginny.

use terraform import to import the existing resources under Terraform
management
(Correct)

Explanation
The terraform import command is used to import existing resources into
Terraform. This allows you to take resources that you’ve created by some other
means and bring them under Terraform management.

Note that terraform import DOES NOT generate configuration, it only modifies state.
You'll still need to write a configuration block for the resource for which it will be
mapped using the terraform import command.

https://www.terraform.io/docs/commands/import.html

Question 18: Skipped

A user has created three workspaces using the command line - prod, dev, and test.
The user wants to create a fourth workspace named stage . Which command will the
user execute to accomplish this?

terraform workspace create stage

terraform workspace new stage
(Correct)


terraform workspace -new stage
 
terraform workspace -create stage
Explanation
The terraform workspace new command is used to create a new workspace.

https://www.terraform.io/docs/commands/workspace/new.html

Question 19: Skipped

Which of the following terraform subcommands could be used to remove the lock
on the state for the current configuration?

Removing the lock on a state file is not possible

unlock

force-unlock
(Correct)


state-unlock
Explanation
terraform force-unlock removes the lock on the state for the current
configuration. Be very careful forcing an unlock, as it could cause data corruption and
problems with your state file.

https://www.terraform.io/docs/commands/force-unlock.html

Question 20: Skipped

True or False? The terraform refresh command is used to reconcile the state
Terraform knows about (via its state file) with the real-world infrastructure. If drift is
detected between the real-world infrastructure and the last known-state, it will
modify the infrastructure to correct the drift.

True

False
(Correct)

Explanation
The terraform refresh command is used to reconcile the state Terraform knows
about (via its state file) with the real-world infrastructure. This can be used to detect
any drift from the last-known state, and to update the state file.
This does not modify infrastructure but does modify the state file. If the state is
changed, this may cause changes to occur during the next plan or apply.

https://www.terraform.io/docs/commands/refresh.html

Question 21: Skipped

Which of the following statements best describes the Terraform list(...) type?

a collection of named attributes that each have their own type.

a collection of values where each is identified by a string label.

a sequence of values identified by consecutive whole numbers starting with zero.
(Correct)


a collection of unique values that do not have any secondary identifiers or
ordering.
Explanation
A terraform list is a sequence of values identified by consecutive whole numbers
starting with zero.

https://www.terraform.io/docs/configuration/types.html#structural-types

Question 22: Skipped

True or False? When using the Terraform provider for Vault, the tight integration
between these HashiCorp tools provides the ability to mask secrets in the terraform
plan and state files.


False
(Correct)


True
Explanation
Currently, Terraform has no mechanism to redact or protect secrets that are returned
via data sources, so secrets read via this provider will be persisted into the Terraform
state, into any plan files, and in some cases in the console output produced while
planning and applying. These artifacts must, therefore, all be protected accordingly.

https://learn.hashicorp.com/tutorials/terraform/secrets-vault

Question 23: Skipped

Henry has been working hard on automating his infrastructure for a new application
using Terraform. His organization has standardized on Azure for application
workloads. Currently, he has his application running successfully, but he has added a
new resource to create a DNS record using the Infoblox provider. He has added the
new resource but gets an error when he runs a terraform plan . What should Henry
do first before running a plan and apply?

you can't mix resources from different providers within the same configuration
file, so Henry should create a module for the DNS resource and reference it from
the main configuration

Henry should run a terraform plan -refresh=true to update the state for the
new DNS resource

the Azure plugin doesn't support Infoblox directly, so Henry needs to put the
DNS resource in another configuration file

since he has introduced a new provider, a terraform init needs to be run to
download the Infoblox plugin
(Correct)

Explanation
In this scenario, Henry has introduced a new provider. Therefore, Terraform needs to
download the plugin to support the new resource that he has added. A terraform
init will download the Infoblox plugin. Once that is complete, a plan and apply can
be executed as needed.

https://www.terraform.io/docs/commands/init.html

Question 24: Skipped

A "backend" in Terraform determines how state is loaded and how an operation such
as apply is executed. Which of the following is not a supported backend type?

artifactory

s3

terraform enterprise

consul

github
 (Correct)

Explanation
GitHub is not a supported backend type. Check out the supported backends using
the link below. Remember there is the "local" backend and then there are remote
backends that store state elsewhere. Remote backends (and locking) are needed
when more than one person is interacting with the same state file.

https://www.terraform.io/docs/backends/types/index.html

Question 25: Skipped

When multiple arguments with single-line values appear on consecutive lines at the
same nesting level, HashiCorp recommends that you:

put arguments in alphabetical order
1. name = "www.example.com"
2. records = [aws_eip.lb.public_ip]
3. type = "A"
4. ttl = "300"
5. zone_id = aws_route53_zone.primary.zone_id


align their equals signs
1. ami = "abc123"
2. instance_type = "t2.micro"

(Correct)


place a space in between each line
1. type = "A"
2.
3. ttl = "300"
4.
5. zone_id = aws_route53_zone.primary.zone_id


place all arguments using a variable at the top
1. ami = var.aws_ami
2. instance_type = var.instance_size
3. subnet_id = "subnet-0bb1c79de3EXAMPLE"
4. tags = {
5. Name = "HelloWorld"
6. }

Explanation
HashiCorp style conventions suggest you that align the equals sign for consecutive
arguments for easing readability for configurations
ami = "abc123"
instance_type = "t2.micro"

https://www.terraform.io/docs/configuration/style.html
Question 26: Skipped

What is the result of the following terraform function call?

> lookup({a="hello", b="goodbye"}, "c", "what?")


hello

goodbye

c

what?
(Correct)

Explanation
lookup retrieves the value of a single element from a map, given its key. If the given
key does not exist, the given default value is returned instead. In this case, the
function call is searching for the key "c". Because there is no key "c", the default value
of "what?" is returned.

https://www.terraform.io/docs/configuration/functions/lookup.html

Question 27: Skipped

In the following code snippet, the block type is identified by which string?
1. resource "aws_instance" "db" {
2. ami = "ami-123456"
3. instance_type = "t2.micro"
4. }


"aws_instance"

resource
(Correct)


"db"

instance_type
Explanation
The format of resource block configurations is as follows:

<block type> "<resource type>" "<local name/label>"

https://www.terraform.io/docs/configuration/resources.html

Question 28: Skipped

True or False? Each Terraform workspace uses its own state file to manage the
infrastructure associated with that particular workspace.

False

True
(Correct)

Explanation
The persistent data stored in the backend belongs to a workspace. Initially, the
backend has only one workspace, called "default", and thus there is only one
Terraform state associated with that configuration.

https://www.terraform.io/docs/state/workspaces.html#workspace-internals

Question 29: Skipped

Which of the following commands will launch the Interactive console for Terraform
interpolations?

terraform console
(Correct)


terraform cmdline

terraform

terraform cli
Explanation
The terraform console command provides an interactive console for
evaluating expressions.

https://www.terraform.io/docs/commands/console.html

Question 30: Skipped

What feature of Terraform Cloud and/or Terraform Enterprise can you publish and
maintain a set of custom modules which can be used within your organization?

private module registry
(Correct)
 
remote runs

custom VCS integration

Terraform registry
Explanation
You can use modules from a private registry, like the one provided by Terraform
Cloud. Private registry modules have source strings of the
form <HOSTNAME>/<NAMESPACE>/<NAME>/<PROVIDER> . This is the same format as the
public registry, but with an added hostname prefix.

https://www.datocms-assets.com/2885/1602500234-terraform-full-feature-pricing-
tablev2-1.pdf

Question 31: Skipped

What is the result of the following terraform function call?

> index(["a", "b", "c"], "c")


0

2
(Correct)


true

1
Explanation
index finds the element index for a given value in a list starting with index 0.
Therefore, "a" is at index 0, "b" is at index 1, and "c" is at index 2.

https://www.terraform.io/docs/configuration/functions/index.html

Question 32: Skipped

Why might a user opt to include the following snippet in their configuration file?
1. terraform {
2. required_version = ">= 0.12"
3. }


 this ensures that all Terraform providers are above a certain version to match the
application being deployed

Terraform 0.12 introduced substantial changes to the syntax used to write
Terraform configuration
(Correct)


versions before Terraform 0.12 were not approved by HashiCorp to be used in
production

The user wants to ensure that the application being deployed is a minimum
version of 0.12
Explanation
You can use required_version to ensure that a user deploying infrastructure is
using Terraform 0.12 or greater, due to the vast number of changes that were
introduced. As a result, many previously written configurations had to be converted
or rewritten.

https://www.terraform.io/docs/configuration/terraform.html#specifying-a-required-
terraform-version

Question 33: Skipped

When Terraform needs to be installed in a location where it does not have internet
access to download the installer and upgrades, the installation is generally known as
to be __________.

a private install

non-traditional

air-gapped
(Correct)


disconnected
Explanation
A Terraform Enterprise install that is provisioned on a network that does not have
Internet access is generally known as an air-gapped install. These types of installs
require you to pull updates, providers, etc. from external sources vs. being able to
download them directly.

https://www.terraform.io/docs/enterprise/before-installing/network-
requirements.html#egress
Question 34: Skipped

When writing Terraform code, HashiCorp recommends that you use how many
spaces between each nesting level?

1

5

2
(Correct)


4
Explanation
HashiCorp style conventions state that you should use 2 spaces between each
nesting level to improve the readability of Terraform configurations.

Check this link for more information

Question 35: Skipped

Select all features which are exclusive to Terraform Enterprise and Terraform Cloud
for Business (select three).

Sentinel

Self-Service Infrastructure
(Correct)


Audit Logging
(Correct)


Cost Estimation

SAML/SSO
(Correct)

Explanation
Self-Service Infrastructure, Audit Logging, and SAML/SSO are only available in
Terraform Cloud for Business or Terraform Enterprise.

This is a really good table that breaks down the features per Terraform offering.
Question 36: Skipped

Anyone can publish and share modules on the Terraform Public Module Registry ,
and meeting the requirements for publishing a module is extremely easy. Select from
the following list all valid requirements. (select three)

Module repositories must use this three-part name format, terraform-
<PROVIDER>-<NAME>.
(Correct)


The registry uses tags to identify module versions. Release tag names must be for
the format x.y.z, and can optionally be prefixed with a v .
(Correct)


The module must be on GitHub and must be a public repo.
(Correct)


The module must be PCI/HIPPA compliant.
Explanation
The list below contains all the requirements for publishing a module. Meeting the
requirements for publishing a module is extremely easy. The list may appear long
only to ensure we're detailed, but adhering to the requirements should happen
naturally.

GitHub. The module must be on GitHub and must be a public repo. This is only a
requirement for the public registry. If you're using a private registry, you may ignore
this requirement.

Named terraform-<PROVIDER>-<NAME> . Module repositories must use this three-

part name format, where <NAME> reflects the type of infrastructure the module
manages and <PROVIDER> is the main provider where it creates that infrastructure.
The <NAME> segment can contain additional hyphens. Examples: terraform-
google-vault or terraform-aws-ec2-instance .

Repository description. The GitHub repository description is used to populate the

short description of the module. This should be a simple one-sentence description of
the module.

Standard module structure. The module must adhere to the standard module
structure. This allows the registry to inspect your module and generate
documentation, track resource usage, parse submodules and examples, and more.
x.y.z tags for releases. The registry uses tags to identify module versions. Release
tag names must be a semantic version, which can optionally be prefixed with a v .
For example, v1.0.4 and 0.9.2 . To publish a module initially, at least one release
tag must be present. Tags that don't look like version numbers are ignored.

https://www.terraform.io/docs/registry/modules/publish.html#requirements

Question 37: Skipped

Sara has her entire application automated using Terraform, but she now needs to
start including more infrastructure pieces, such as creating a new subnet, DNS
record, and load balancer. Like the Terraform pro she is, Sara requires that these new
resources be created within modules so she can easily reuse the code later. However,
Sara is having problems getting the subnet_id from the subnet module to pass to
the load balancer module. What could fix this problem?

add an output that references the subnet module and retrieve the value
using module.subnet.subnet_id in the load balancer module
(Correct)


references to resources in a module cannot be used within other modules

publish the module to a Terraform registry first

move the subnet and load balancer resource into the main configuration file so
they can easily be referenced
Explanation
Modules also have output values, which are defined within the module with
the output keyword. You can access them by referring to module.<MODULE
NAME>.<OUTPUT NAME> . Like input variables, module outputs are listed under
the outputs tab in the Terraform registry.

Module outputs are usually either passed to other parts of your configuration, or
defined as outputs in your root module.

https://learn.hashicorp.com/tutorials/terraform/module-use#define-root-output-
values

Question 38: Skipped

Where does Terraform OSS store the local state for workspaces?

directory called terraform.tfstate.d
 (Correct)


a file called terraform.tfstate.backup

directory called terraform.workspaces.tfstate

a file called terraform.tfstate
Explanation
For local state, Terraform stores the workspace states in a directory
called terraform.tfstate.d .

https://www.terraform.io/docs/state/workspaces.html#workspace-internals

Question 39: Skipped

Terraform is distributed as a single binary and available for many different platforms.
Select all Operating Systems that Terraform is available for. (select five)

macOS
(Correct)


FreeBSD
(Correct)


Linux
(Correct)


Solaris
(Correct)


Windows
(Correct)


Unix
Explanation
There is no Terraform binary for Unix. Terraform is available for macOS, FreeBSD,
OpenBSD, Linux, Solaris, Windows.

https://www.terraform.io/downloads.html

Question 40: Skipped

Terraform Cloud is more powerful when you integrate it with your version control
system (VCS) provider. Select all the supported VCS providers from the answers
below. (select four)

CVS Version Control

GitHub Enterprise
(Correct)


GitHub
(Correct)


Azure DevOps Server
(Correct)


Bitbucket Cloud
(Correct)

Explanation
Terraform Cloud supports the following VCS providers as of November 2020:

- GitHub

- GitHub.com (OAuth)

- GitHub Enterprise

- GitLab.com

- GitLab EE and CE

- Bitbucket Cloud

- Bitbucket Server

- Azure DevOps Server

- Azure DevOps Services

https://www.terraform.io/docs/cloud/vcs/index.html#supported-vcs-providers

Question 41: Skipped

Terraform has detailed logs which can be enabled by setting the _________
environmental variable.

TF_TRACE

TF_LOG
(Correct)


TF_DEBUG

TF_INFO
Explanation
Terraform has detailed logs that can be enabled by setting the TF_LOG environment
variable to any value. This will cause detailed logs to appear on stderr.

You can set TF_LOG to one of the log levels TRACE , DEBUG , INFO , WARN or ERROR to
change the verbosity of the logs. TRACE is the most verbose and it is the default
if TF_LOG is set to something other than a log level name.

https://www.terraform.io/docs/internals/debugging.html

Question 42: Skipped

When using constraint expressions to signify a version of a provider, which of the

following are valid provider versions that satisfy the expression found in the
following code snippet: (select two)
1. terraform {
2. required_providers {
3. aws = "~> 1.2.0"
4. }
5. }


1.2.9
(Correct)


1.3.1

1.2.3
(Correct)


1.3.0
Explanation
~> 1.2.0 will match any non-beta version of the provider between >=
1.2.0 and < 1.3.0 . For example, 1.2.X

https://www.terraform.io/docs/configuration/modules.html#gt-1-2-0-1

Question 43: Skipped

What is the result of the following terraform function call?

> zipmap(["a", "b"], [1, 2])


{
"a" = 1
"b" = 2
}
(Correct)


[
"a" = 1
"b" = 2
]

{
"a",
"b",
"1",
"2",
}

[
"a",
"b",
"1",
"2",
]
Explanation
zipmap constructs a map from a list of keys and a corresponding list of values. A
map is denoted by { } whereas a list is denoted by [ ].

https://www.terraform.io/docs/configuration/functions/zipmap.html

Question 44: Skipped

When using providers that require the retrieval of data, such as the HashiCorp Vault
provider, in what phase does Terraform actually retrieve the data required, assuming
you are following the standard workflow of write, plan, and apply?

terraform destroy


terraform plan
(Correct)


terraform apply


terraform init
Explanation
It is important to consider that Terraform reads from data sources during
the plan phase and writes the result into the plan. For something like a Vault token
which has an explicit TTL, the apply must be run before the data, or token, in this
case, expires, otherwise, Terraform will fail during the apply phase.

Another example of this is AWS credentials:

The token is generated from the moment the configuration retrieves the temporary
AWS credentials (on terraform plan or terraform apply ). If the apply run is
confirmed after the 120 seconds, the run will fail because the credentials used to
initialize the Terraform AWS provider has expired. For these instances or large multi-
resource configurations, you may need to adjust the default_lease_ttl_seconds .

Check out the blue box under this section for more
information: https://learn.hashicorp.com/tutorials/terraform/secrets-vault#provision-
compute-instance

Question 45: Skipped

Emma is a Terraform expert, and she has automated all the things with Terraform.
During a recent deployment, a virtual machine was deployed but a local script did
not work correctly, and therefore needs to be destroyed and recreated. How can
Emma easily have Terraform recreate this one resource without having to destroy
everything that was created?

use terraform state rm to remove the resource from the state file, which will
cause Terraform to recreate the instance again

use terraform import to import the error so Terraform is aware of the problem
 
use terraform refresh to refresh the state and make Terraform aware of the
error

use terraform taint to mark the virtual machine as tainted
(Correct)

Explanation
The terraform taint command manually marks a Terraform-managed resource as
tainted, forcing it to be destroyed and recreated on the next apply. This
command will not modify infrastructure, but does modify the state file in order to
mark a resource as tainted. Once a resource is marked as tainted, the next plan will
show that the resource will be destroyed and recreated and the next apply will
implement this change.

You could also use terraform destroy -target <virtual machine> and destroy
only the virtual machine and then run a terraform apply again.

https://www.terraform.io/docs/commands/taint.html

Question 46: Skipped

Which of the following variable declarations is going to result in an error?


1. variable "example" {
2. description = "This is a test"
3. type = map
4. default = {"one" = 1, "two" = 2, "Three" = "3"}
5. }


1. variable "example" {
2. type = object({})
3. }


1. variable "example" {
2. description = "This is a variable description"
3. type = list(string)
4. default = {}
5. }

(Correct)


1. variable "example" {}

Explanation
Lists are defined with [ ], maps are defined with { }.

https://www.terraform.io/docs/configuration/types.html#structural-types
Question 47: Skipped

Complete the following sentence:

The terraform state command can be used to ____


There is no such command

refresh the existing state

create a new state file

modify the current state, such as removing items
(Correct)

Explanation
The terraform state command is used for advanced state management. Rather
than modify the state directly, the terraform state commands can be used in
many cases instead.

To refresh Terraform state, use the command terraform refresh.

https://www.terraform.io/docs/commands/state/index.html

Question 48: Skipped

Which Terraform command will check and report errors within modules, attribute
names, and value types to make sure they are syntactically valid and internally
consistent?

terraform fmt


terraform show


terraform validate
(Correct)


terraform format
Explanation
The terraform validate command validates the configuration files in a directory,
referring only to the configuration and not accessing any remote services such as
remote state, provider APIs, etc.
Validate runs checks that verify whether a configuration is syntactically valid and
internally consistent, regardless of any provided variables or existing state. It is thus
primarily useful for general verification of reusable modules, including the
correctness of attribute names and value types.

https://www.terraform.io/docs/commands/validate.html

Question 49: Skipped

True or False? terraform init cannot automatically download community

providers.
Larger image


True

False
(Correct)

Explanation
With Terraform 0.13, terraform init can now automatically download community
providers.

https://www.hashicorp.com/blog/automatic-installation-of-third-party-providers-
with-terraform-0-13

Question 50: Skipped

Provider dependencies are created in several different ways. Select the valid provider
dependencies from the following list: (select three)

Existence of any provider plugins found locally in the working directory.

Existence of any resource instance belonging to a particular provider in the
current state.
(Correct)


Explicit use of a provider block in configuration, optionally including a version
constraint.
(Correct)
 
Use of any resource belonging to a particular provider in a resource or data block
in the configuration.
(Correct)

Explanation
The existence of a provider plugin found locally in the working directory does not
itself create a provider dependency. The plugin can exist without any reference to it
in the terraform configuration.

https://www.terraform.io/docs/commands/providers.html

Question 51: Skipped

Freddy and his co-worker Jason are deploying resources in GCP using Terraform for
their team. After resources have been deployed, they need to destroy the cloud-
based resources to save on costs. However, two other team members, Michael and
Chucky, are using a Cloud SQL instance for testing and are asking to keep it running.

How can Freddy and Jason easily destroy all other resources without negatively
impacting the database?


delete the entire state file using the terraform state rm command and manually
delete the other resources in GCP

run a terraform state rm command to remove the Cloud SQL instance from
Terraform management before running the terraform destroy command
(Correct)


run a terraform destroy , modify the configuration file to include only the Cloud
SQL resource, and then run a terraform apply


take a snapshot of the database, run a terraform destroy , and then recreate the
database in the GCP console by restoring the snapshot
Explanation
In this case, the easiest way to accomplish this is to remove the database from the
terraform state file, removing that resource from Terraform management. Afterward,
the team can use the terraform destroy command which will delete all other
resources.

All other options would be too time-consuming or would cause an outage to the
database.
https://www.terraform.io/docs/commands/state/rm.html

Question 52: Skipped

During a terraform apply , a resource is successfully created but eventually fails

during provisioning. What happens to the resource?

it is automatically deleted

Terraform attempts to provision the resource up to three times before exiting
with an error

the resource is marked as tainted
(Correct)


the terraform plan is rolled back and all provisioned resources are removed
Explanation
If a resource successfully creates but fails during provisioning, Terraform will error
and mark the resource as "tainted". A resource that is tainted has been physically
created, but can't be considered safe to use since provisioning failed.

Terraform also does not automatically roll back and destroy the resource during the
apply when the failure happens, because that would go against the execution plan:
the execution plan would've said a resource will be created, but does not say it will
ever be deleted.

https://www.terraform.io/docs/provisioners/index.html#creation-time-provisioners

Question 53: Skipped

While Terraform is generally written using the HashiCorp Configuration Language

(HCL). What other syntax can Terraform be expressed in?

XML

TypeScript

YAML

JSON
(Correct)

Explanation
The constructs in the Terraform language can also be expressed in JSON syntax,
which is harder for humans to read and edit but easier to generate and parse
programmatically.
Question 54: Skipped

Whenever you add a new module to a configuration, Terraform must install the
module before it can be used. What two commands can be used to install and
update modules? (select two)

terraform plan


terraform refresh


terraform init
(Correct)


terraform get
(Correct)

Explanation
Both the terraform get and terraform init commands will install and update
modules. The terraform init command will also initialize backends and install
plugins.

https://learn.hashicorp.com/tutorials/terraform/module-
create?in=terraform/modules#install-the-local-module

Question 55: Skipped

Choose the correct answer which fixes the syntax of the following Terraform code:
1. resource "aws_security_group" "vault_elb" {
2. name = "${var.name_prefix}-vault-elb"
3. description = Vault ELB
4. vpc_id = var.vpc_id
5. }


1. resource "aws_security_group" "vault_elb" {
2. name = "${var.name_prefix}-vault-elb"
3. description = "Vault ELB"
4. vpc_id = var.vpc_id
5. }

(Correct)


1. resource "aws_security_group" "vault_elb" {
2. name = "${var.name_prefix}-vault-elb"
3. description = [Vault ELB]
 4. vpc_id = var.vpc_id
5. }


1. resource "aws_security_group" "vault_elb" {
2. name = "${var.name_prefix}-vault-elb"
3. description = var_Vault ELB
4. vpc_id = var.vpc_id
5. }


1. resource "aws_security_group" "vault_elb" {
2. name = "${var.name_prefix}-vault-elb"
3. description = "${Vault ELB}"
4. vpc_id = var.vpc_id
5. }

Explanation
When assigning a value to an argument, it must be enclosed in quotes ("...") unless it
is being generated programmatically.

https://www.terraform.io/docs/configuration/syntax.html#arguments-and-blocks

Question 56: Skipped

Which of the following is not a valid Terraform string function?


format

join

tostring
(Correct)


replace
Explanation
tostring is not a string function, it is a type conversion
function. tostring converts its argument to a string value.

https://www.terraform.io/docs/configuration/functions/tostring.html

Question 57: Skipped

Elijah has created a module called "my_test_module" and committed it to GitHub.

Over time, several commits have been made with updates to the module, each
tagged in GitHub with an incremental version number. Which of the following lines
would be required in a module configuration block in terraform to select tagged
version v1.0.4?

source = "git::https://example.com/my_test_module.git#tag=v1.0.4"
 
source = "git::https://example.com/my_test_module.git@tag=v1.0.4"

source = "git::https://example.com/my_test_module.git&ref=v1.0.4"

source = "git::https://example.com/my_test_module.git?ref=v1.0.4"
(Correct)

Explanation
By default, Terraform will clone and use the default branch (referenced by HEAD ) in
the selected repository. You can override this using the ref argument:
module "vpc" {
source = "git::https://example.com/vpc.git?ref=v1.2.0"
}

The value of the ref argument can be any reference that would be accepted by
the git checkout command, including branch and tag names.

https://www.terraform.io/docs/modules/sources.html#selecting-a-revision

HashiCorp Terraform - Practice Exam #3 - Results

Question 1: Skipped

Given the following snippet of code, what does servers = 4 reference?

1. module "servers" {
2. source = "./modules/aws-servers"
3.
4. servers = 4
5. }


the number of times the module will be executed

servers is not a valid configuration for a module


the value of an input variable
 (Correct)


the output variable of the module
Explanation
When calling a child module, values can be passed to the module to be used within
the module itself.

https://www.terraform.io/docs/modules/composition.html

Question 2: Skipped

True or False? A terraform plan is a required step before running a terraform

apply ?


True

False
(Correct)

Explanation
If no explicit plan file is given on the command line, terraform apply will create a
new plan automatically and prompt for approval to apply it

https://www.terraform.io/guides/core-workflow.html

Question 3: Skipped

What happens when you apply a Terraform configuration using terraform apply ?
(select two)

Terraform downloads any required plugins

Terraform updates the state file with configuration changes made during the
execution
(Correct)


Terraform makes infrastructure changes defined in your configuration.
(Correct)


Terraform recreates all the infrastructure defined in the configuration file

Terraform formats your configuration to the standard canonical format and style
Explanation
The terraform apply command is used to apply the changes required to reach the
desired state of the configuration, or the pre-determined set of actions generated by
a terraform plan execution plan.

https://www.terraform.io/docs/commands/apply.html

Question 4: Skipped

Philip works at a payment processing company and manages the organization's

VMware environment. He recently provisioned a new cluster for a production
environment. To ensure everything is working as expected, Philip has been using
Terraform and the VMware vSphere client to create and destroy new virtual
machines. Currently, there are three virtual machines running on the new cluster, so
Philip runs terraform destroy to remove the remaining virtual machines from the
cluster. However, Terraform only removes two of the virtual machines, leaving one
virtual machine still running.

Why would Terraform only remove two of the three virtual machines?


Terraform can only destroy a maximum of 2 resources per terraform
destroy execution


the virtual machine was marked with vSphere tags to prevent it from being
destroyed

the vSphere provider credentials are invalid, and therefore Terraform cannot
reach the third virtual machine

the remaining virtual machine was not created by Terraform, therefore Terraform
is not aware of the virtual machine and cannot destroy it
(Correct)

Explanation
The terraform destroy command terminates resources defined in your Terraform
configuration. This command is the reverse of terraform apply in that it terminates
all the resources specified by the configuration. It does not destroy resources running
elsewhere that are not described in the current configuration.

https://learn.hashicorp.com/tutorials/terraform/aws-destroy

Question 5: Skipped
Scenario: You are deploying a new application and want to deploy it to multiple AWS
regions within the same configuration file. Which of the following features will allow
you to configure this?

using the default provider along with a single defined provider

one provider block that defines multiple regions

multiple provider blocks using an alias
(Correct)


a provider with multiple versions defined
Explanation
You can optionally define multiple configurations for the same provider, and select
which one to use on a per-resource or per-module basis. The primary reason for this
is to support multiple regions for a cloud platform; other examples include targeting
multiple Docker hosts, multiple Consul hosts, etc.

https://www.terraform.io/docs/configuration/providers.html#alias-multiple-provider-
configurations

Question 6: Skipped

Variables and their default values are typically declared in a main.tf or terraform.tf
file. What type of file can be used to set explicit values for the current working
directory that will override the default variable values?

.tfstate file

.tfvars file
(Correct)


.txt file

.sh file
Explanation
To set lots of variables, it is more convenient to specify their values in a variable
definitions file (with a filename ending in either .tfvars or .tfvars.json )

https://www.terraform.io/docs/configuration/variables.html

Question 7: Skipped
True or False? A main.tf file is always required when using Terraform?

False
(Correct)


True
Explanation
Although main.tf is the standard name, it's not necessarily required. Terraform will
look for any file with a .tf or .tf.json extension when running terraform
commands.

https://www.terraform.io/docs/configuration/index.html#code-organization

Question 8: Skipped

Teddy is using Terraform to deploy infrastructure using modules. Where is the

module below stored?
1. module "monitoring_tools" {
2. source = "././modules/monitoring_tools"
3.
4. cluster_hostname = module.k8s_cluster.hostname
5. }


in a public GitLab repository

locally on the instance running Terraform
(Correct)


on the Terraform public module registry

a private module registry in Terraform Cloud (free)
Explanation
A local path must begin with either ./ or ../ to indicate that a local path is
intended, to distinguish from a module registry address.

https://www.terraform.io/docs/modules/sources.html#terraform-registry

Question 9: Skipped

True or False? Terraform is designed to work with public cloud platforms, and
organizations that wish to use it for on-premises infrastructure (private cloud) should
look for an alternative solution.

True
 
False
(Correct)

Explanation
Terraform is designed to work with almost any infrastructure that provides an API.
Terraform is very frequently used to provision infrastructure atop VMware
infrastructure, along with traditional, physical security or infrastructure service
solutions. Additional information can be found in this article referenced by the Exam
Objective #1 - https://www.hashicorp.com/blog/infrastructure-as-code-in-a-private-
or-public-cloud
Question 10: Skipped

Based on the Terraform code below, what block type is used to define the VPC?
1. vpc_id = aws_vpc.main.id


locals block

data block

provider block

resource block
(Correct)

Explanation
Based on the Terraform code provided in the question, the VPC is defined in a
resource block, meaning that there is a VPC resource being defined, such as:
resource "aws_vpc" "main" {
cidr_block = var.base_cidr_block
}

If it were locals, the resource would be referred to as local.aws_vpc

If it were in a data block, it would be referred to as data.aws_vpc.i.main.id

https://www.terraform.io/docs/configuration/resources.html

Question 11: Skipped

Infrastructure as Code (Iac) provides many benefits to help organizations deploy

application infrastructure much faster than clicking around in the console. What are
additional benefits to IaC? (select three)

 code can easily be shared and reused
(Correct)


allows infrastructure to be versioned
(Correct)


can always be used to deploy the latest features and services

creates a blueprint of your data center
(Correct)


eliminates parallelism
Explanation
Infrastructure is described using a high-level configuration syntax. This allows a
blueprint of your datacenter to be versioned and treated as you would any other
code. Additionally, infrastructure can be shared and re-used.

Infrastructure as Code almost always uses parallelism to deploy resources faster. And
depending on the solution being used, it doesn't always have access to the latest
features and services available on cloud platforms or other solutions.

https://www.terraform.io/intro/index.html#infrastructure-as-code

Question 12: Skipped

Which of the following best describes a "data source"?


enables Terraform to fetch data for use elsewhere in the Terraform configuration
(Correct)


maintains a list of strings to store the values of declared outputs in Terraform

a file that contains the current working version of Terraform

provides required data for declared variables used within the Terraform
configuration
Explanation
Data sources allow data to be fetched or computed for use elsewhere in Terraform
configuration. Use of data sources allows a Terraform configuration to make use of
information defined outside of Terraform, or defined by another separate Terraform
configuration.
https://www.terraform.io/docs/configuration/data-sources.html

Question 13: Skipped

Which feature of Terraform Enterprise can be used to enforce fine-grained policies to

enforce standardization and cost controls before resources are provisioned with
Terraform?

module registry

remote runs

workspaces

sentinel
(Correct)

Explanation
Sentinel is an embedded policy-as-code framework integrated with the HashiCorp
Enterprise products. It enables fine-grained, logic-based policy decisions, and can be
extended to use information from external sources.

https://www.terraform.io/docs/cloud/sentinel/index.html

Question 14: Skipped

Terraform has detailed logs that can be enabled using the TF_LOG environment
variable. Which of the following log levels is the most verbose, meaning it will log the
most specific logs?

ERROR


DEBUG


INFO


TRACE
(Correct)

Explanation
You can set TF_LOG to one of the log levels TRACE , DEBUG , INFO , WARN or ERROR to
change the verbosity of the logs. TRACE is the most verbose and it is the default
if TF_LOG is set to something other than a log level name.
https://www.terraform.io/docs/internals/debugging.html

Question 15: Skipped

There are an endless number of benefits of using Terraform within your organization.
Which of the following are true statements regarding Terraform. (select three)

Terraform is cloud-agnostic but requires a specific provider for the cloud platform
(Correct)


Terraform can manage dependencies within a single cloud, but not cross-cloud

A single Terraform configuration file can be used to manage multiple providers
(Correct)


Terraform can simplify both management and orchestration of deploying large-
scale, multi-cloud infrastructure
(Correct)

Explanation
All of the answers are benefits to using Terraform, except that Terraform can manage
dependencies across multiple cloud providers.

https://www.terraform.io/intro/use-cases.html#multi-cloud-deployment

Question 16: Skipped

You have created a brand new workspace for a new project, and have added all of
your Terraform configuration files in the new directory. Before you execute a
terraform plan, you want to validate the configuration using the terraform
validate command. However, Terraform returns the error:
1. $ terraform validate
2. Error: Could not load plugin

What would cause this error when trying to validate the configuration?

the credentials for the provider are invalid

the directory does not contain valid Terraform configuration files

the configuration is invalid

the directory was not initialized
(Correct)
Explanation
terraform validate requires an initialized working directory with any referenced
plugins and modules installed. If you don't initiate the directory, you will get an error
stating you need to run a terraform init

https://www.terraform.io/docs/commands/validate.html

Question 17: Skipped

True or False? Any sensitive values referenced in the Terraform code, even as
variables, will end up in plain text in the state file.

False

True
(Correct)

Explanation
Any values that are retrieved in a data block or referenced as variables will show up
in the state file.

https://www.terraform.io/docs/state/sensitive-data.html

Question 18: Skipped

What feature of Terraform provides an abstraction above the upstream API and is
responsible for understanding API interactions and exposing resources?

Terraform provisioner

Terraform backend

Terraform provider
(Correct)


Terraform configuration file
Explanation
Terraform relies on plugins called "providers" to interact with remote systems.

Terraform configurations must declare which providers they require so that

Terraform can install and use them. Additionally, some providers require
configuration (like endpoint URLs or cloud regions) before they can be used.

https://www.terraform.io/docs/configuration/blocks/providers/index.html
Question 19: Skipped

Michael has deployed many resources in AWS using Terraform and can easily update
or destroy resources when required by the application team. A new employee,
Dwight, is working with the application team and deployed a new EC2 instance
through the AWS console. When Michael finds out, he decided he wants to manage
the new EC2 instance using Terraform moving forward. He opens his terminal and
types:

$ terraform import aws_instance.web_app_42 i-b54a26b28b8acv7233

However, Terraform returns the following error: Error: resource address

"aws_instance.web_app_42" does not exist in the configuration.

What does Michael need to do first in order to manage the new Amazon EC2
instance with Terraform?


create a configuration for the new resource in the Terraform configuration file,
such as:
1. resource "aws_instance" "web_app_42" {
2. # (resource arguments)
3. }

(Correct)


import the configuration of the EC2 instance called web_app_42 from AWS first


configure the appropriate tags on the Amazon EC2 resource so Terraform knows
that it should manage the resource moving forward

Terraform cannot manage resources that were provisioned manually
Explanation
The terraform import command is used to import existing resources into
Terraform. However, Terraform will not create a configuration for the imported
resource. The Terraform operator must create/add a configuration for the resource
that will be imported first. Once the configuration is added to the configuration file,
the terraform import command can be executed to manage the resource using
Terraform.

https://www.terraform.io/docs/commands/import.html

Question 20: Skipped

Based on the code provided, how many subnets will be created in the AWS account?
variables.tf

1. variable "private_subnet_names" {
2. type = list(string)
3. default = ["private_subnet_a", "private_subnet_b", "private_subnet_c"]
4. }
5. variable "vpc_cidr" {
6. type = string
7. default = "10.0.0.0/16"
8. }
9. variable "public_subnet_names" {
10. type = list(string)
11. default = ["public_subnet_1", "public_subnet_2"]
12. }

main.tf
1. resource "aws_subnet" "private_subnet" {
2. count = length(var.private_subnet_names)
3. vpc_id = aws_vpc.vpc.id
4. cidr_block = cidrsubnet(var.vpc_cidr, 8, count.index)
5. availability_zone = data.aws_availability_zones.available.names[count.index]
6.
7. tags = {
8. Name = var.private_subnet_names[count.index]
9. Terraform = "true"
10. }
11. }


3
(Correct)


0

1

2
Explanation
The code above will create three subnets. The value of count is determined by the
number of strings included in the private_subnet_names variable.

https://www.terraform.io/docs/configuration/functions/length.html

Question 21: Skipped

True or False? A backend configuration is required for using Terraform.


True

False
(Correct)
Explanation
This is false. If you don't provide a backend configuration, Terraform will use the local
default backend. Remote Backends are completely optional. You can successfully
use Terraform without ever having to learn or use a remote backend. However, they
do solve pain points that afflict teams at a certain scale. If you're an individual, you
can likely get away with never using backends.

https://www.terraform.io/docs/backends

Question 22: Skipped

Which of the following is not a benefit of Terraform state?


reduces the number of outbound traffic by requiring state is stored locally
(Correct)


determines the dependency order for deployed resources

increases performance by reducing the requirement to query multiple resources
at once

provides a one-to-one mapping of the configuration to real-world resources
Explanation
Terraform state is required and there are many benefits that are outlined in this
documentation:

https://www.terraform.io/docs/state/purpose.html

Question 23: Skipped

A provider alias is used for what purpose in a Terraform configuration file?


alias isn't used with providers, they are used with provisioners

using the same provider with different configurations for different resources
(Correct)


to signify what cloud-based region to deploy resources

to use as shorthand for resources to be deployed with the referenced provider
Explanation
To create multiple configurations for a given provider, include
multiple provider blocks with the same provider name. For each additional non-
default configuration, use the alias meta-argument to provide an extra name
segment.

https://www.terraform.io/docs/configuration/providers.html

Question 24: Skipped

Rigby is implementing Terraform and was given a configuration that includes the
snippet below. Where is this particular module stored?
1. module "consul" {
2. source = "hashicorp/consul/aws"
3. version = "0.1.0"
4. }


locally in the hashicorp/consul/aws directory


a private module registry supported by your organization

locally but a directory back from the current directory

public Terraform registry
(Correct)

Explanation
Modules on the public Terraform Registry can be referenced using a registry source
address of the form <NAMESPACE>/<NAME>/<PROVIDER> , with each module's
information page on the registry site including the exact address to use.

https://www.terraform.io/docs/modules/sources.html#terraform-registry

Question 25: Skipped

Larissa is an experienced IT professional and is working to learn Terraform to manage

the F5 load balancers that front-end customer-facing applications. Larissa writes
great code, but her formatting seldom meets the Terraform canonical formatting and
style recommended by HashiCorp. What built-in tool or command can Larissa use to
easily format her code to meet the recommendations for formatting Terraform code?

$ terraform lint


$ terraform fmt
(Correct)


$ terraform refresh
 
$ terraform validate
Explanation
The terraform fmt command is used to rewrite Terraform configuration files to a
canonical format and style. This command applies a subset of the Terraform
language style conventions, along with other minor adjustments for readability.

https://www.terraform.io/docs/commands/fmt.html

Question 26: Skipped

Which of the following are the benefits of using modules in Terraform? (select three)

enables code reuse
(Correct)


supports versioning to maintain compatibility
(Correct)


supports modules stored locally or remotely
(Correct)


allows modules to be stored anywhere accessible by Terraform
Explanation
All of these are examples of the benefits of using Terraform modules except where
they can be stored. Modules can only be supported in certain sources found at the
following link:

https://www.terraform.io/docs/modules/sources.html

Question 27: Skipped

Which of the following Terraform CLI commands are valid? (select five)

$ terraform initialize


$ terraform login
(Correct)


$ terraform taint
(Correct)
 
$ terraform workspace select
(Correct)


$ terraform show
(Correct)


$ terraform fmt
(Correct)


$ terraform delete
Explanation
terraform delete and terraform initialize are not valid Terraform CLI
commands.

Correct Answers:

The terraform taint command manually marks a Terraform-managed resource as

tainted, forcing it to be destroyed and recreated on the next apply.

he terraform fmt command is used to rewrite Terraform configuration files to a

canonical format and style.

The terraform workspace select command is used to choose a different

workspace to use for further operations.

The terraform show command is used to provide human-readable output from a

state or plan file. This can be used to inspect a plan to ensure that the planned
operations are expected, or to inspect the current state as Terraform sees it.

The terraform login command can be used to automatically obtain and save an
API token for Terraform Cloud, Terraform Enterprise, or any other host that offers
Terraform services.

https://www.terraform.io/docs/commands/fmt.html

Question 28: Skipped

Given a Terraform config that includes the following code, how would you reference
the last instance that will be created?
1. resource "aws_instance" "web" {
2. # ...
3. for_each = {
 4. "terraform": "value1",
5. "resource": "value2",
6. "indexing": "value3",
7. "example": "value4",
8. }
9. }


aws_instance.web[4]

aws_instance.example

aws_instance.web[3]

aws_instance.web["example"]
(Correct)

Explanation
The following specifications apply to index values on modules and resources with
multiple instances:

[N] where N is a 0 -based numerical index into a resource with multiple instances
specified by the count meta-argument. Omitting an index when addressing a
resource where count > 1 means that the address references all instances.

["INDEX"] where INDEX is a alphanumerical key index into a resource with multiple
instances specified by the for_each meta-argument.

https://www.terraform.io/docs/internals/resource-addressing.html

Question 29: Skipped

When using a Terraform provisioner, it's common that Terraform needs credentials to
access the API for the underlying platform, such as VMware, AWS, or Google Cloud.
While there are many ways to accomplish this, what are three options that you can
provide these credentials? (select three)

directly in the provisioner block by hardcoding or using a variable
(Correct)


integrated services, such as AWS IAM or Azure Managed Service Identity
(Correct)


using a remote-exec

 use environment variables
(Correct)

Explanation
You can use methods such as static credentials, environment variables, share
credentials/configuration file, or other methods. For example, the AWS provider can
use many different options as seen here:

https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication

Each provider is different, and you should check the documentation to see what is
supported for each one you want to use.

Question 30: Skipped

True or False? Performing a terraform plan can modify the existing Terraform state
file.

False
(Correct)


True
Explanation
The ultimate goal of a terraform plan is to compare the configuration file against
the current state file and read any outputs related to the current figuration. While
a terraform plan does perform a terraform refresh by default, the terraform
plan does not actually result in changes to the state file.

For additional information, check out this Q&A discussion that I had with another
student.

https://www.terraform.io/docs/commands/plan.html

Question 31: Skipped

Terraform Cloud provides organizations with many features not available to those
running Terraform open-source to deploy infrastructure. Select the
ADDITIONAL features that organizations can take advantage of by moving to
Terraform Cloud. (select three)

VCS connection
(Correct)


remote runs
 (Correct)


private module registry
(Correct)


providers

public module registry
Explanation
Terraform Cloud offers many features, even in the free version, that organizations can
quickly take advantage of. This is the best table that compares the features available
in Terraform OSS vs. Terraform Cloud and Terraform Enterprise.

https://www.datocms-assets.com/2885/1602500234-terraform-full-feature-pricing-
tablev2-1.pdf

Question 32: Skipped

AutoPlants, Inc is a new startup that uses AI and robotics to grow sustainable and
organic vegetables for California farmers' markets. The organization can quickly burst
into the public cloud during the busy season using Terraform to provision additional
resources to process AI computations and images. Since its compute stack is
proprietary and critical to the organization, it needs a solution to create and publish
Terraform modules that only its engineers and architects can use.

Which feature can provide this functionality?


Terraform Enterprise Workspaces

public module registry

Sentinel

private module registry
(Correct)

Explanation
HashiCorp Terraform Enterprise and Cloud offerings deliver a private version of the
Module Registry. This allows organizations to safely share private modules with their
internal teams.

https://www.terraform.io/docs/cloud/registry/index.html
Question 33: Skipped

Scenario: You have a Terraform configuration file with no defined resources.

However, there is a related state file for resources that were created on AWS. What
happens when you run a terraform apply ?

Terraform will scan the AWS infrastructure and create a new configuration file
based on the state file.

Terraform will destroy all of the resources
(Correct)


Terraform will not perform any operations.

Terraform will produce an error since there are no resources defined
Explanation
In this case, since there is a state file with resources, Terraform will match the desired
state of no resources since the configuration file doesn't include any resources.
Therefore, all resources defined in the state file will be destroyed.

https://www.terraform.io/docs/state/purpose.html

Question 34: Skipped

Fill in the correct answers below:

Infrastructure as Code (IaC) makes infrastructure changes _______, ________, ________,

and __________. (select four)


idempotent
(Correct)


highly-available

repeatable
(Correct)


consistent
(Correct)


predictable
 (Correct)

Explanation
IaC makes changes idempotent, consistent, repeatable, and predictable. Without IaC,
scaling up infrastructure to meet increased demand may require an operator to
remotely connect to each machine and then manually provision and configure many
servers by executing a series of commands/scripts. They might open multiple
sessions and move between screens, which often results in skipped steps or slight
variations between how work is completed, necessitating rollbacks. Perhaps a
command was run incorrectly on one instance and reverted before being re-run
correctly.

https://www.hashicorp.com/blog/infrastructure-as-code-in-a-private-or-public-cloud

Question 35: Skipped

Based on the following code, which of the resources will be created first?
1. resource "aws_instance" "data_processing" {
2. ami = data.aws_ami.amazon_linux.id
3. instance_type = "t2.micro"
4.
5. depends_on = [aws_s3_bucket.customer_data]
6. }
7.
8. module "example_sqs_queue" {
9. source = "terraform-aws-modules/sqs/aws"
10. version = "2.1.0"
11.
12. depends_on = [aws_s3_bucket.customer_data, aws_instance.data_processing]
13. }
14.
15. resource "aws_s3_bucket" "customer_data" {
16. acl = "private"
17. }
18.
19. resource "aws_eip" "ip" {
20. vpc = true
21. instance = aws_instance.data_processing.id
22. }


aws_eip.ip


example_sqs_queue


aws_instance.data_processing


aws_s3_bucket.customer_data
(Correct)

Explanation
In this example, the only resource that does not have an implicit or an explicit
dependency is the aws_s3_bucket.customer_data . Every other resource defined in
this configuration has a dependency on another resource.

https://learn.hashicorp.com/tutorials/terraform/dependencies

Question 36: Skipped

You are an Infrastructure Engineer at Strategies, Inc, which is a new organization that
provides marketing services to startups. All of your infrastructure is provisioned and
managed by Terraform. Despite your pleas to not make changes outside of
Terraform, sometimes the other engineers log into the cloud platform and make
minor changes to resolve problems.

What Terraform command can you use to reconcile the state with the real-world
infrastructure in order to detect any drift from the last-known state?


terraform state show


terraform validate


terraform graph


terraform refresh
(Correct)

Explanation
The terraform refresh command is used to reconcile the state Terraform knows
about (via its state file) with the real-world infrastructure. This can be used to detect
any drift from the last-known state, and to update the state file.

https://www.terraform.io/docs/commands/refresh.html

Question 37: Skipped

Aaron is new to Terraform and has a single configuration file that is ready to be
deployed. Which of the following can be true about this configuration file? (select
three)

Aaron's configuration file can deploy applications in both AWS and GCP
(Correct)


 the configuration file can deploy both QA and Staging infrastructure for
applications
(Correct)


the state can be disabled when deploying to multiple clouds to prevent sensitive
data from being shared across cloud platforms

the state file can be stored in Azure but provision applications in AWS
(Correct)

Explanation
There are a ton of benefits of deploying with Terraform and the solution is very
capable of managing deployments across multiple clouds. However, state is still
required and cannot be disabled.

https://www.terraform.io/intro/use-cases.html#multi-cloud-deployment

Question 38: Skipped

When deploying an EC2 instance in AWS, for example, what value is the data source
returning?
1. data "aws_ami" "amzlinux2" {
2. most_recent = true
3. owners = ["amazon"]
4.
5. filter {
6. name = "name"
7. values = ["amzn2-ami-hvm-*-x86_64-ebs"]
8. }
9. }

1. resource "aws_instance" "vault" {

2. ami = data.aws_ami.amzlinux2.id
3. instance_type = "t3.micro"
4. key_name = "vault-key"
5. vpc_security_group_ids = var.sg
6. subnet_id = var.subnet
7. associate_public_ip_address = "true"
8. user_data = file("vault.sh")
9.
10. tags = {
11. Name = "vault"
12. }
13. }


the latest used AMI for the Amazon Linux 2 image

the IP address of an EC2 instance running in AWS

the AMI ID for the latest version of the Amazon Linux 2 image
 (Correct)


a custom AMI for Amazon Linux 2
Explanation
Within the block body (between { and } ) are query constraints defined by the data
source. Most arguments in this section depend on the data source, and indeed in this
example most_recent , owners and tags are all arguments defined specifically
for the aws_ami data source.

https://www.terraform.io/docs/configuration/data-sources.html#using-data-sources

Question 39: Skipped

There are multiple ways to authenticate when using a Terraform provider. However,
several methods will result in sensitive information being written to the state file,
which is not desirable. Which method below will not result in sensitive information
being written to the state file.

using a tfvars file

using environment variables
(Correct)


using a declared variable

retrieving the credentials from a data source, such as HashiCorp Vault
Explanation
The only method list above that will not result in the username/password to be
written to the state file is environment variables. All of the other options will result in
the provider's credentials in the state file.

https://www.terraform.io/docs/state/sensitive-data.html

Question 40: Skipped

Given the following snippet of code, what will the value of the "Name" tag equal
after a terraform apply ?
1. variable "name" {
2. description = "The username assigned to the infrastructure"
3. default = "data_processing"
4. }
5.
6. variable "team" {
7. description = "The team responsible for the infrastructure"
8. default = "IS Team"
9. }
 10.
11. locals {
12. name = (var.name != "" ? var.name : random_id.id.hex)
13. owner = var.team
14. common_tags = {
15. Owner = local.owner
16. Name = local.name
17. }
18. }


a random hex value

an empty string

data_processing
(Correct)


IS Team
Explanation
The syntax of a conditional expression first names the condition. In this example,
if var.name is not ( != ) empty, assign the var.name value; else, assign the
new random_id resource as the name value.
Since var.name equals data_processing, then the value of Name will
equal data_processing .

https://www.terraform.io/docs/configuration/expressions/conditionals.html

Question 41: Skipped

What function does the terraform init -upgrade command perform?


upgrades the Terraform configuration file(s) to use the referenced Terraform
version

upgrades the backend to the latest supported version

update all previously installed plugins to the newest version that complies with
the configuration’s version constraints
(Correct)


upgrades all of the referenced modules and providers to the latest version of
Terraform
Explanation
The -upgrade will upgrade all previously-selected plugins to the newest version that
complies with the configuration's version constraints. This will cause Terraform to
ignore any selections recorded in the dependency lock file, and to take the newest
available version matching the configured version constraints.

https://www.terraform.io/docs/commands/init.html#upgrade-1

Question 42: Skipped

Which type of configuration block assigns a name to an expression that can be used
multiple times within a module without having to repeat it?

local
(Correct)


backend

provider

resources
Explanation
A local value assigns a name to an expression, so you can use it multiple times within
a module without repeating it.

https://www.terraform.io/docs/configuration/locals.html

Question 43: Skipped

Margaret is calling a child module to deploy infrastructure for her organization. Just
as a good architect does (and suggested by HashiCorp), she specifies the module
version she wants to use even though there are newer versions available. During
a terrafom init , Terraform downloads v0.0.5 just as expected. What would happen
if Margaret removed the version parameter in the module block?
1. module "consul" {
2. source = "hashicorp/consul/aws"
3. version = "0.0.5"
4.
5. servers = 3
6. }


Terraform would skip the module

Terraform would download the latest version of the module

Terraform would use the existing module already downloaded
 (Correct)


Terraform would return an error, as the version parameter is required
Explanation
When using modules installed from a module registry, HashiCorp recommends
explicitly constraining the acceptable version numbers to avoid unexpected or
unwanted changes. The version argument accepts a version constraint string.
Terraform will use the newest installed version of the module that meets the
constraint; if no acceptable versions are installed, it will download the newest version
that meets the constraint.

https://www.terraform.io/docs/configuration/blocks/modules/syntax.html#version

Question 44: Skipped

Ralphie has executed a terraform apply using a complex Terraform configuration

file. However, a few resources failed to deploy due to incorrect variables. After the
error is discovered, what happens to the resources that were successfully
provisioned?

the resources that were successfully provisioned will remain as deployed
(Correct)


resources successfully deployed are marked as tainted

Terraform rolls back the configuration due to the error, therefore the resources
are automatically destroyed

Terraform deletes the resources on the next run
Explanation
During a terraform apply, any resources that are successfully provisioned are
maintained as deployed.

On the other hand, resources that failed during the provisioning process, such as a
provisioned, will be tainted to be recreated during the next
run. https://www.terraform.io/docs/provisioners/index.html#creation-time-
provisioners

Question 45: Skipped

Jeff is a DevOps Engineer for a large company and is currently managing the
infrastructure for many different applications using Terraform. Recently, Jeff received
a request to remove a specific VMware virtual machine from Terraform as it is no
longer needed by the application team. Jeff opens his terminal and issues the
command:
1. $ terraform state rm vsphere_virtual_machine.app1
2.
3. Removed vsphere_virtual_machine.app1
4. Successfully removed 1 resource instance(s).

The next time that Jeff runs a terraform apply , the resource is not marked to be
deleted. In fact, Terraform is stating that it is creating another identical resource.
1. .....
2. An execution plan has been generated and is shown below.
3. Resource actions are indicated with the following symbols:
4. + create
5.
6. Terraform will perform the following actions:
7.
8. # vsphere_virtual_machine.app1 will be created

What would explain this behavior?


after running the terraform rm command, Jeff needs to run a Terraform plan first
to tell Terraform of the updated configuration. A plan will instruct Terraform that
the resource should be deleted upon the next terraform apply


Jeff removed the resource from the state file, and not the configuration file.
Therefore, Terraform is no longer aware of the virtual machine and assumes Jeff
wants to create a new one since the virtual machine is still in the Terraform
configuration file
(Correct)


the resource was manually deleted within the VMware infrastructure and needs to
be recreated

the state file was not saved before the terraform apply was executed, therefore
Terraform sees that the resource is still in the state file
Explanation
Because Jeff manually deleted the resource from the state file, Terraform was no
longer aware of the virtual machine. When Jeff ran a terraform apply , it refreshed
the state file and discovered that the configuration file declared a virtual machine but
it was not in state, therefore Terraform needed to create a virtual machine so the
provisioned infrastructure matched the desired configuration, which is the Terraform
configuration file.

Hopefully, this isn't a tricky one but I thought it was good to test on, especially
since terraform state commands are listed in Objective 4 of the exam. In this case,
Jeff should NOT have removed the resource from the state file, but rather remove it
from the configuration file and run a terraform plan/apply . In this scenario,
Terraform would recognize that the virtual machine was no longer needed and
would have destroyed it.

https://www.terraform.io/docs/commands/state/list.html

Question 46: Skipped

Using the Terraform code below, where will the resource be provisioned?
1. provider "aws" {
2. region = "us-east-1"
3. }
4.
5. provider "aws" {
6. alias = "west"
7. region = "us-west-2"
8. }
9.
10. provider "aws" {
11. alias = "eu"
12. region = "eu-west-2"
13. }
14.
15. resource "aws_instance" "vault" {
16. ami = data.aws_ami.amzlinux2.id
17. instance_type = "t3.micro"
18. key_name = "ec2_key"
19. vpc_security_group_ids = var.vault_sg
20. subnet_id = var.vault_subnet
21. user_data = file("vault.sh")
22.
23. tags = {
24. Name = "vault"
25. }
26. }


us-west-1

us-west-2

us-east-1
(Correct)

Explanation
The resource above will be created in the default region of us-east-1, since the
resource does signify an alternative provider configuration. If the resource needs to
be created in one of the other declared regions, it should have looked like this, where
"aws" signifies the provider name and "west" signifies the alias name as such
<PROVIDER NAME>.<ALIAS>:
resource "aws_instance" "vault" {
provider = aws.west
 ami = data.aws_ami.amzlinux2.id
instance_type = "t3.micro"
key_name = "ec2_key"
vpc_security_group_ids = var.vault_sg
subnet_id = var.vault_subnet
user_data = file("vault.sh")

tags = {
Name = "vault"
}
}

https://www.terraform.io/docs/configuration/providers.html#selecting-alternate-
provider-configurations
Question 47: Skipped

True or False? Before a terraform validate can be run, the directory must be
initialized.

False

True
(Correct)

Explanation
Validation requires an initialized working directory with any referenced plugins and
modules installed. If the directory is NOT initialized, it will result in an error.
$ terraform validate

Error: Could not load plugin

Plugin reinitialization required. Please run "terraform init".

Plugins are external binaries that Terraform uses to access and manipulate
resources. The configuration provided requires plugins which can't be located,
don't satisfy the version constraints, or are otherwise incompatible.

Terraform automatically discovers provider requirements from your

configuration, including providers used in child modules. To see the
requirements and constraints, run "terraform providers".

Failed to instantiate provider "registry.terraform.io/hashicorp/aws" to obtain

schema: unknown provider "registry.terraform.io/hashicorp/aws"

https://www.terraform.io/docs/commands/validate.html
Question 48: Skipped

Pam just finished up a new Terraform configuration file and has successfully
deployed the configuration on Azure using Terraform open-source. After confirming
the configuring on Azure, Pam changes to a new workspace and then heads to lunch.
When she arrives back at her desk, Pam decides to destroy the resources to save on
cost. When Pam executes a terraform destroy, the output indicates there are no
resources to delete.

Why can't Pam delete the newly created resources in Azure?

1. $ terraform destroy
2.
3. An execution plan has been generated and is shown below.
4. Resource actions are indicated with the following symbols:
5.
6. Terraform will perform the following actions:
7.
8. Plan: 0 to add, 0 to change, 0 to destroy.


there is no Terraform state in the current workspace she is working in
(Correct)


an Azure administrator manually deleted the resources

the Terraform state was deleted when she created the new workspace

Terraform reached the maximum timeout while Pam was away from lunch,
therefore the resources were automatically destroyed
Explanation
Workspaces isolate their state, so if Pam runs a terraform destroy , Terraform will
not see any existing state for this configuration. Pam may use the
command terraform workspace select <name> to choose the original workspace
where the Azure resources were provisioned in order to properly destroy them in
Azure.

https://www.terraform.io/docs/cli/workspaces/index.html

Question 49: Skipped

When running a terraform plan , how can you save the plan so it can be applied at
a later time?

use the -save parameter


use the -out parameter
(Correct)


you cannot save a plan

use the -file parameter
Explanation
The optional -out argument can be used to save the generated plan to a file for
later execution with terraform apply , which can be useful when running Terraform
in automation.

https://www.terraform.io/docs/commands/plan.html

Question 50: Skipped

Terraform Cloud Agents are a feature that allows Terraform Cloud to communicate
with private infrastructure, such as VMware hosts running on-premises. Which
version of Terraform Cloud supports this feature?

Terraform Cloud for Business
(Correct)


Terraform Team and Governance

Terraform Cloud Free
Explanation
This newer feature is only available on Terraform Cloud for Business

https://www.hashicorp.com/products/terraform/pricing

Question 51: Skipped

When a terraform apply is executed, where is the AWS provider retrieving

credentials to create cloud resources in the code snippet below?
1. provider "aws" {
2. region = us-east-1
3. access_key = data.vault_aws_access_credentials.creds.access_key
4. secret_key = data.vault_aws_access_credentials.creds.secret_key
5. }
 
from the .tfvars file called vault


From a variable called vault_aws_access_credentials


from a script that is executing commands against Vault

From a data source that is retrieving credentials from HashiCorp Vault. Vault is
dynamically generating the credentials on Terraform's behalf.
(Correct)

Explanation
In this case, Terraform is using a data source to gather credentials from Vault. The
data block would look something like this:
data "vault_aws_access_credentials" "creds" {
backend = vault_aws_secret_backend.aws.path
role = vault_aws_secret_backend_role.role.name
}

https://www.terraform.io/docs/configuration/data-sources.html
Question 52: Skipped

Both Terraform CLI and Terraform Cloud offer a feature called "workspaces". Which
of the following statements are true regarding workspaces? (select three)

Run history is logged in a file underneath the working directory of a CLI
workspace

CLI workspaces are alternative state files in the same working directory
(Correct)


Each CLI workspace coincides with a different VCS repo

Terraform Cloud manages infrastructure collections with a workspace whereas CLI
manages collections of infrastructure resources with a persistent working
directory
(Correct)


Terraform Cloud maintains the state version and run history for each workspace
(Correct)

Explanation
Workspaces are similar concepts in all versions of Terraform, although they behave
differently depending on the platform they are being used on.

https://www.terraform.io/docs/cloud/workspaces/index.html

https://www.terraform.io/docs/state/workspaces.html

Question 53: Skipped

Scenario: You have a Terraform configuration file defining resources to deploy on

VMware, yet there is no related state file. What happens when you run a terraform
apply ?


Terraform will produce an error since there is no state file

All existing infrastructure on VMware will be deleted, and the resources defined in
the configuration file will be created.

Since there is no state file associated with this configuration file, the defined
resources will be created on the VMware infrastructure.
(Correct)


Terraform will scan the VMware infrastructure, create a new state file, and
compare the state to the configuration file to determine what resources should
be created.
Explanation
If there is no state file associated with a Terraform configuration file, a terraform
apply will create the resources defined in the configuration file. This is a normal
workflow during the first terraform apply that is executed against a configuration
file. This, of course, assumes that the directory has been initialized using
a terraform init

https://www.terraform.io/docs/state/purpose.html

Question 54: Skipped

Which of the following commands can be used to detect configuration drift?


terraform taint


terraform init


terraform fmt
 
terraform refresh
(Correct)

Explanation
If the state has drifted from the last time Terraform ran, refresh allows that drift to
be detected.

https://www.hashicorp.com/blog/detecting-and-managing-drift-with-terraform

Question 55: Skipped

HashiCorp offers multiple versions of Terraform to meet the needs of individuals to

large enterprises. Which of the following offerings provide access to a private
module registry? (select four)

Terraform Enterprise (self-hosted)
(Correct)


Terraform Cloud - Team & Governance
(Correct)


Terraform Cloud - Business
(Correct)


Terraform Cloud - Free
(Correct)


Terraform Open-Source
Explanation
The Private Module Registry is available in all versions of Terraform except for Open
Source.

https://www.datocms-assets.com/2885/1602500234-terraform-full-feature-pricing-
tablev2-1.pdf

Question 56: Skipped

What happens if multiple users attempt to run a terraform apply simultaneously

when using a remote backend? (select two)

if the backend does not support locking, the state file could become corrupted
(Correct)
 
the Terraform apply will work for both users

if the backend supports locking, the first terraform apply will lock the file for
changes, preventing the second user from running the apply
(Correct)


both users will get an error
Explanation
If the state is configured for remote state, the backend selected will determine what
happens. If the backend supports locking, the file will be locked for the first user, and
that user's configuration will be applied. The second user's terraform apply will
return an error that the state is locked.

If the remote backend does not support locking, the state file could become
corrupted, since multiple users are trying to make changes at the same time.

https://www.terraform.io/docs/state/locking.html

Question 57: Skipped

Which of the following Terraform features is NOT available in the open-source

version?

public module registry

sentinel policies
(Correct)


remote backend

public cloud providers
Explanation
All of the options are available to open-source users except for Sentinel, which is
only available in Terraform Enterprise and Terraform Cloud paid tiers.

https://www.hashicorp.com/products/terraform/pricing