Practice TF-003 Read, generate and modify configuration questions with full explanations on every answer.
Start practicing
Read, generate and modify configuration — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A team wants to use Terraform to provision infrastructure across multiple cloud providers. Which configuration approach best supports this goal?
2An operator runs 'terraform plan' and sees that a resource will be replaced. They want to avoid destroying the resource, but still apply other changes. What should they do?
3A Terraform configuration uses a module from the Terraform Registry. After updating the module version in the configuration, the operator runs 'terraform plan' but does not see the changes expected from the new version. What is the most likely cause?
4A developer wants to conditionally create a resource based on a variable that is a boolean. Which syntax should they use?
5An operator wants to pass output values from one Terraform configuration to another as input variables. Which approach is recommended?
6A Terraform configuration includes a resource block with a 'lifecycle' block that has 'create_before_destroy = true'. During an apply, the create step succeeds but the destroy step fails. What is the resulting state?
7A configuration uses variables defined in a 'variables.tf' file. The operator wants to override these variables for a specific run without modifying the file. Which method should they use?
8Which TWO statements about Terraform provisioners are correct?
9Which THREE statements about Terraform modules are correct?
10You are managing a Terraform configuration for a multi-tier application that includes AWS EC2 instances, an RDS database, and an Application Load Balancer. The configuration uses multiple modules and remote state stored in an S3 bucket with DynamoDB locking. Recently, a colleague made changes to the configuration and applied them successfully. However, you now need to make additional changes and, when you run 'terraform plan', you receive an error: "Error: Error acquiring the state lock". The error message indicates that the lock is held by a different user. You have confirmed that your colleague is not currently running Terraform. What is the most appropriate course of action to proceed with your changes?
11A team is writing Terraform configurations for a multi-region deployment. They want to use a module from the public Terraform Registry that provisions AWS VPCs. The module has been updated recently, but the team wants to ensure that all deployments use the same version of the module to avoid unexpected changes. Which configuration approach should they take to lock the module version?
12Which of the following are valid ways to pass input variables to a Terraform configuration? (Select all that apply.)
13Refer to the exhibit. A developer runs 'terraform plan' and receives the following error: 'Error: InvalidAMIID.NotFound: The image id '[ami-0c55b159cbfafe1f0]' does not exist'. What is the most likely cause?
14You are a DevOps engineer at a company that manages infrastructure for multiple environments (dev, staging, prod) using Terraform. Each environment has its own state file stored in an S3 backend with DynamoDB locking. The team recently adopted a policy of running 'terraform plan' in CI/CD pipelines to review changes before applying. However, developers have reported that sometimes the plan output shows that Terraform wants to destroy and recreate resources that were not modified in their code changes. For example, a developer added a new tag to an S3 bucket in the staging environment, but the plan also showed that an unrelated EC2 instance would be replaced. Upon investigation, you notice that the state file for staging was last modified two days ago, but the developer's branch is based on a commit from one week ago. Which action is most likely to resolve the issue and ensure that plans only reflect changes from the current configuration changes?
15What is the most likely cause of this error?
16Which TWO of the following are valid ways to reference a value from a Terraform configuration?
17You are managing a multi-environment Terraform configuration using separate workspaces for 'dev', 'staging', and 'prod'. Each workspace uses the same root module but different variable values stored in terraform.tfvars files per workspace. Your team reports that after a recent change to the root module, running `terraform plan` in the 'dev' workspace shows that it will destroy and recreate a critical RDS database instance, even though no changes were made to the database configuration. The state file for 'dev' is stored in a remote S3 backend with DynamoDB locking. You suspect the issue is related to how Terraform generates and reads configuration. What is the most likely cause?
18Which three of the following are valid methods for reading, generating, or modifying Terraform configuration? (Choose three.)
19Which four of the following are valid techniques for reading, generating, or modifying Terraform configuration? (Choose all that apply. There are four correct answers.)
20Drag and drop the steps to handle sensitive data in Terraform outputs in the correct order.
21Match each Terraform variable type to its example value.
22Which Terraform command is used to check the syntax and internal consistency of configuration files?
23A Terraform plan shows that an AWS EC2 instance will be destroyed and recreated. The team wants to ensure zero downtime during the update. Which lifecycle attribute should be added?
24A developer has a module that outputs a list of subnet IDs. They want to use this list to create an EC2 instance in each subnet using for_each. Which for_each expression is correct?
25Which command displays the output values defined in the configuration after apply?
26A team has two resources: an AWS security group and an EC2 instance that uses it. Terraform does not automatically detect the dependency. Which argument should be added to the instance resource?
27A team wants to reuse a VPC module across multiple environments. They need to pass outputs from one module as inputs to another. Which configuration is correct?
28Which command initializes a Terraform working directory by downloading providers and modules?
29A configuration creates multiple AWS instances using count. The developer wants to output the IDs of all instances. Which output block is valid? (Choose the best answer.)
30A module requires an input variable named 'vpc_id'. How should the calling configuration pass the VPC ID from another module's output?
31Which TWO statements about Terraform data sources are correct?
32Which THREE variable declarations are valid in Terraform?
33Which TWO scenarios require the use of the depends_on argument?
34Refer to the exhibit. A terraform plan shows that the instance will be replaced. What will be the order of operations?
35Refer to the exhibit. You need to add a security group to each instance. You have a local value defined as 'security_group_map = { "subnet-1" = "sg-1", "subnet-2" = "sg-2" }'. Which expression should be used to reference the security group ID in the resource block?
36Refer to the exhibit. What is the purpose of this output block?
37A developer needs to retrieve the current state of an AWS EC2 instance that was created by Terraform but the configuration file is missing. Which command will output the attributes of the instance in a format suitable for generating a configuration?
38An engineer modifies a Terraform configuration by increasing the instance_count for an AWS EC2 resource from 2 to 5. After running terraform plan, which change will be displayed?
39A team has an existing S3 bucket created outside Terraform. They want to manage it with Terraform by importing its state. Which of the following is the correct sequence of commands to read the bucket's configuration and avoid drift?
40A team uses remote state stored in an S3 bucket with DynamoDB locking. A developer wants to read the current state outputs locally without making changes. Which command should they use?
41In Terraform, which block is used to define a default value for a variable that can be overridden at runtime?
42A Terraform configuration uses a for_each expression to create multiple subnets. After applying, one subnet's configuration needs to be modified. The engineer updates the resource block's map key for that subnet. What will terraform plan show?
43A team stores sensitive secrets in AWS Secrets Manager and wants to reference them in Terraform without exposing the values. Which approach is most secure and recommended?
44When running terraform plan, the output indicates that a resource will be replaced (destroy then create) due to a change in the 'name' attribute. However, the engineer only changed a tag. What is the most likely cause?
45An operator wants to test an expression used in a Terraform configuration without running a plan or apply. Which command allows interactive evaluation of expressions?
46A team runs terraform plan and sees changes that are unexpected. Which TWO actions should they take to investigate before applying?
47An organization wants to reference outputs from a root module in another Terraform configuration. Which THREE methods are valid for reading those outputs?
48A DevOps engineer wants to modify the Terraform configuration to control resource lifecycle behavior. Which TWO meta-arguments can be used to influence the order of creation and destruction?
49A developer has a Terraform configuration that includes an output block. They run `terraform apply` and then want to quickly retrieve the output value without re-running the entire apply. Which command should they use?
50An operator modifies a Terraform configuration to change the `ami` attribute of an `aws_instance` resource. When they run `terraform plan`, they see that the resource will be destroyed and recreated. They want to avoid the recreation and instead update the instance in-place. What is the best approach?
51A team is using a remote backend for Terraform state. After merging a pull request that modifies the configuration, the pipeline runs `terraform plan` and sees an unexpected diff for a resource that was not changed in the code. The state file is up-to-date with the infrastructure. What is the most likely cause?
52A junior engineer is asked to review a Terraform configuration that defines a module from the Terraform Registry. Which file in the module’s root directory typically contains the description of the module’s inputs and outputs?
53A DevOps engineer needs to generate multiple similar AWS EC2 instances from a single resource block. They want each instance to have a unique name tag based on an index. Which approach should they use?
54An organization has a policy that all AWS S3 buckets must have versioning enabled. They want to ensure that even if someone removes the `versioning` block from the configuration, the bucket still has versioning enabled after `terraform apply`. Which lifecycle configuration should they add to the `aws_s3_bucket` resource?
55After running `terraform plan`, a developer sees the following line in the output: `Plan: 1 to add, 0 to change, 0 to destroy.` What does this indicate?
56A configuration defines a variable `instance_type` with a default value `t2.micro`. After running `terraform apply`, the operator notices that the instances are being created with type `t2.small`. They check the configuration file and see the default is `t2.micro`. What is the most likely cause?
57Which TWO of the following are best practices when writing Terraform configuration for a team? (Select TWO.)
58Which THREE of the following are valid ways to modify a Terraform configuration to rename a resource without destroying and recreating it? (Select THREE.)
59Which TWO of the following commands can be used to read and inspect the current Terraform state? (Select TWO.)
60A team is using Terraform to manage a multi-tier application on AWS. The configuration includes resources for VPC, subnets, security groups, and EC2 instances. Recently, a developer manually created an additional security group in the AWS console for testing, and now the team wants to manage it via Terraform. They have updated the configuration to include this security group with the same name and rules. When they run `terraform plan`, it shows that the security group will be created, but the existing one is not detected. They want to bring the existing security group under Terraform management without recreating it. The team is using a remote backend with state locking. What should they do?
61A large organization uses Terraform to manage hundreds of AWS resources across multiple accounts. They have a central repository with modules for common patterns. A new engineer is tasked with adding a new feature that requires modifying the configuration of an existing S3 bucket to enable server-side encryption. The current configuration for the bucket is defined in a module that is used by many other teams. The engineer adds an `aws_s3_bucket_server_side_encryption_configuration` resource as recommended by the latest AWS provider. After running `terraform plan`, they see that the plan will create the new encryption resource but also shows an in-place update to the bucket itself. They check the bucket resource and see that it has a `server_side_encryption_configuration` argument that is deprecated. The engineer wants to ensure backward compatibility and avoid breaking other teams' configurations. What is the best course of action?
62A startup uses Terraform to manage their cloud infrastructure. They have a single configuration file that defines an AWS EC2 instance. They want to add an Elastic IP (EIP) and associate it with the instance. The engineer modifies the configuration to add an `aws_eip` resource and references the instance ID. They run `terraform plan` and it shows that the EIP will be created. However, when they run `terraform apply`, they get an error: "Error: Error associating EIP: ... The instance ID 'i-1234567890abcdef0' does not exist." The instance was created successfully in a previous apply. What is the most likely cause?
63Which TWO statements about Terraform configuration files are correct? (Choose two.)
64A team uses Terraform to manage multiple environments (dev, staging, prod) with a shared networking module. The module defines a variable 'cidr_block' with no default. In the root module, they have a file dev.tfvars containing 'cidr_block = "10.0.0.0/16"'. When running 'terraform plan' while in the dev workspace, they receive: 'Error: No value for required variable cidr_block'. They have already run 'terraform init' and confirmed the workspace is 'dev'. What is the most likely cause and correct action?
65A company manages a large Terraform configuration with an S3 backend and DynamoDB locking. After initial setup, they modify the backend block in the main.tf to change the S3 bucket name. Running 'terraform plan' yields: 'Backend reinitialization required. Please run "terraform init".' They run 'terraform init' but it prompts to migrate state from the old bucket to the new one. The old bucket is empty (no state files) because the configuration has never been applied. The team wants to avoid unnecessary state migration. Which step should they take?
66Which TWO statements about Terraform's handling of input variables are true?
67What will happen when this configuration is applied?
68A DevOps engineer is managing a multi-cloud infrastructure using Terraform. The team relies on a module sourced from the Terraform Registry to deploy a standard web application. This module defines an input variable called 'instance_count' with a default value of 2. For the production environment, the engineer wants to deploy 3 instances. They create a root module configuration that references the module. In the root module's main.tf, they write a block that sets instance_count = 3. However, when they run terraform plan, the output indicates that the module will still use instance_count = 2. The engineer double-checks the configuration: the root module's main.tf is syntactically correct, the module source points to the correct registry module and version, and they have run terraform init and terraform validate without errors. What is the most likely reason the variable override is not taking effect?
The Read, generate and modify configuration domain covers the key concepts tested in this area of the TF-003 exam blueprint published by HashiCorp. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all TF-003 domains — no account required.
The Courseiva TF-003 question bank contains 68 questions in the Read, generate and modify configuration domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Read, generate and modify configuration domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included