HashiCorp · Free Practice Questions · Last reviewed May 2026
48real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
A team is adopting Terraform to manage infrastructure. One requirement is that all configuration changes must be reviewed and approved before being applied. The team wants to ensure that the Terraform state file reflects the actual deployed infrastructure at all times. Which practice should they implement to meet these requirements?
Store state locally and use a manual approval process outside of Terraform.
Store state remotely and use a version control system with pull requests to review changes before applying.
Remote state enables team collaboration and VCS with PRs enforces review.
Store state locally and use a shared network drive for team access.
Have each team member run terraform apply from their local machine after informal discussion.
An organization manages multiple environments (dev, staging, prod) using Terraform. They want to minimize code duplication while allowing environment-specific variable values. Which approach best achieves this goal?
Use a separate Git branch for each environment, each with its own Terraform configuration.
Write a single Terraform configuration that uses count and conditional expressions to create resources based on environment variable.
Use Terraform workspaces with a single configuration and define all variable values in one .tfvars file.
Organize the repository with a shared modules directory and separate subdirectories for each environment that call the same modules with environment-specific .tfvars files.
This structure maximizes reuse and keeps environment-specific variables separate.
A junior administrator wants to practice Terraform by deploying a single web server in AWS. They write a configuration file and run terraform init and terraform apply. The deployment succeeds but they notice the web server is not accessible from the internet. What is the most likely reason?
The instance type chosen does not support public IP addresses.
The terraform init command failed and the apply did not actually create resources.
The subnet is configured as private and does not have a route to the internet.
The security group does not allow inbound HTTP/HTTPS traffic from 0.0.0.0/0.
Security group rules control inbound traffic; without allowing HTTP/HTTPS, the server is not accessible.
A company uses Terraform to manage infrastructure on AWS. They have a configuration that creates an S3 bucket and a DynamoDB table for state locking. The team notices that sometimes when two members run terraform apply simultaneously, they get a state locking error. However, they want to allow concurrent operations on different workspaces. What is the best approach?
Remove the DynamoDB table and use local state files to avoid locking issues.
Configure all team members to use the same workspace so that only one person can apply at a time.
Keep the current setup because the error is harmless and users can retry.
Use separate state files per workspace and ensure each workspace has its own lock entry in DynamoDB; the current setup already supports this.
Workspaces use separate state files and DynamoDB locks per state file, allowing concurrent operations on different workspaces.
Which THREE of the following are benefits of using Infrastructure as Code (IaC) compared to manual infrastructure management?
Automated testing and deployment pipelines can be integrated.
IaC can be tested and deployed in CI/CD.
Infrastructure can be replicated consistently across environments.
Same configuration can be applied to multiple environments with different variables.
The same code can be used for any cloud provider without modification.
Infrastructure can be version controlled and changes tracked.
Configuration files are text, easily versioned.
No learning curve is required; existing knowledge of manual processes applies directly.
You are a DevOps engineer at a growing startup. The infrastructure currently consists of a single AWS EC2 instance running a web application, manually configured. The company plans to scale to multiple instances and environments (development, staging, production). They want to adopt Infrastructure as Code using Terraform. The team has limited experience with Terraform and wants to start small, then gradually adopt more advanced features. The current manual infrastructure must be imported into Terraform. The team also wants to ensure that code changes are reviewed via pull requests before being applied. Which of the following is the best course of action to meet these requirements?
Install Terraform on the existing instance, run terraform init and apply directly to manage it, and store state locally. Have team members share the state file via a shared folder.
Write Terraform configuration from scratch to match the existing instance, but do not import; instead, destroy the old instance and recreate it with Terraform.
Create separate Git branches for each environment (dev, staging, prod) and have each team member work independently on their branch, merging occasionally.
Create a Git repository with a main branch. Write a minimal Terraform configuration that describes the existing EC2 instance. Use terraform import to bring the instance under Terraform management. Store the state file remotely in S3 with DynamoDB locking. Set up a CI pipeline that runs terraform plan on pull requests and requires approval before merging.
This approach imports existing infrastructure, uses remote state for team access, and enforces code review through PRs.
Want more Understand IaC concepts practice?
Practice this domainA DevOps engineer is writing a Terraform configuration to provision an AWS EC2 instance. They want to ensure that the instance is replaced if the AMI ID changes, but not if the instance type changes. Which lifecycle meta-argument should be used?
Set `prevent_destroy = true`
Set `ignore_changes = all`
Set `create_before_destroy = true` and add `instance_type` to `ignore_changes`
Correct: creates new before destroying old, ignores instance type changes.
Set `create_before_destroy = true` only
A team is using Terraform to manage infrastructure across multiple environments (dev, staging, prod). They want to reuse the same root module configuration but with different variable values. Which approach is the most efficient?
Use environment variables to switch between configurations
Use a single state file that includes all environments
Copy the entire configuration into separate directories for each environment
Use Terraform workspaces
Allows multiple environments with the same configuration and separate state.
A Terraform configuration includes a module from the Terraform Registry. After running `terraform init`, the module is downloaded. However, a subsequent `terraform plan` fails with an error that a required provider is not installed, even though it is declared in the module. What is the most likely cause?
The module uses a different Terraform version
The provider version constraint is incompatible
The `required_providers` block is not declared in the root module
Terraform may not install providers only declared in modules; root should also declare them.
The module source URL is incorrect
An organization uses Terraform Cloud for remote state management. They have a workspace that uses the CLI-driven run workflow. A developer runs `terraform plan` locally and sees that the plan succeeds. However, when they push the same configuration to the version control system (VCS) connected to the workspace, the plan fails with a state lock error. What is the most likely reason?
The Terraform version in the VCS pipeline is different
The local `terraform plan` left the state locked in Terraform Cloud
If the plan didn't release the lock, subsequent runs are blocked.
The VCS branch is not configured as the workspace's working branch
The VCS pipeline does not have access to the Terraform Cloud workspace
Which TWO of the following are valid ways to reference a resource attribute in Terraform?
`module.vpc.output`
`data.aws_ami.ubuntu.id`
`var.instance_type`
`module.vpc.vpc_id`
Correct: references the vpc_id output from module vpc.
`aws_instance.web.id`
Correct: references the id attribute of an aws_instance resource named web.
Refer to the exhibit. A developer runs `terraform apply` and the operation succeeds. Later, they manually terminate the EC2 instance through the AWS console. What will happen when the developer runs `terraform apply` again?
Terraform will recreate the EC2 instance and reassociate the Elastic IP
Terraform will detect drift, recreate the instance, and update the EIP association.
The Elastic IP will be disassociated and the instance will be recreated
Terraform will only recreate the EC2 instance without reassociating the Elastic IP
The apply will fail because the Elastic IP is still attached to the terminated instance
Want more Understand Terraform basics practice?
Practice this domainA company wants to manage its infrastructure as code using Terraform. The team has a mix of on-premises servers and cloud resources in AWS and Azure. Which of the following best describes Terraform's purpose in this scenario?
Terraform is a configuration management tool for installing software on existing servers.
Terraform is a cloud-specific orchestration tool that only works with AWS.
Terraform is a monitoring and logging tool for cloud resources.
Terraform is an infrastructure-as-code tool for provisioning and managing any infrastructure across multiple providers.
Correctly defines Terraform's purpose.
A developer runs `terraform plan` and sees that Terraform will create a new S3 bucket and modify a security group. Which Terraform feature allows the developer to review these changes before applying them?
The `terraform apply` command
The `terraform validate` command
The `terraform plan` command
Plan shows a preview of changes.
The `terraform state` command
A team is using Terraform to manage multiple environments (dev, staging, prod) with the same configuration but different variable values. They want to avoid duplicating configuration files. Which Terraform feature is best suited for this?
Terraform modules with separate directories for each environment
Terraform data sources to fetch environment-specific variables
Using multiple Terraform configuration files in a single directory
Terraform workspaces
Workspaces enable multiple environments with one configuration.
An organization uses Terraform Cloud for remote state management. A user runs `terraform apply` locally but receives an error that the state is locked. What is the most likely cause?
The Terraform configuration has a syntax error.
The user does not have access to the remote state backend.
Another user or process is currently running a Terraform operation that modifies the same state.
State locking prevents concurrent writes.
The remote backend is temporarily unavailable.
Which TWO of the following are benefits of using Terraform's infrastructure as code approach?
Provisioning can be automated and repeated consistently across environments.
Automation and consistency are key benefits.
Infrastructure can be version-controlled and reviewed like application code.
IaC allows code reviews and version history.
Terraform automatically scales resources based on load.
Manual configuration of servers is eliminated entirely.
Terraform provides real-time monitoring of infrastructure health.
Which THREE of the following are valid Terraform providers?
hashicorp/azurerm
Official Azure provider.
kreuzwerker/docker
hashicorp/kubernetes
Official Kubernetes provider.
hashicorp/aws
Official AWS provider.
hashicorp/cloudwatch
Want more Understand Terraform's purpose practice?
Practice this domainA developer runs `terraform plan` and it fails with a provider plugin error. Which command should they run first to resolve the issue?
terraform validate
terraform apply
terraform fmt
terraform init
Downloads required provider plugins and reinitializes the backend.
A team uses Terraform Cloud for remote state management. They want to ensure that state file changes are only made through the Terraform Cloud API and not through direct access to the storage backend. Which feature should they enable?
Sentinel policy enforcement
Enforces policies that prevent direct state modifications outside the API.
Remote state locking
VCS integration
Team tokens
A company uses Terraform with multiple cloud providers and wants to integrate with their existing CI/CD pipeline. They need to enforce that all infrastructure changes go through code review and automated testing before being applied to production. Which approach best meets these requirements?
Store state in a remote backend and use terraform apply in the pipeline
Configure Terraform Cloud with run triggers and policy checks
Enforces code review and automated testing via workflows.
Use the Terraform CLI in the CI/CD pipeline with remote state
Run terraform apply locally after manual approval
An operator runs `terraform apply` and receives an error that the state file is locked. What is the most likely cause?
The state file is outdated and needs refresh
The configuration has a syntax error
Another user is running a Terraform operation
State locking prevents concurrent operations.
The user lacks write permissions to the state file
An organization wants to use Terraform to manage infrastructure in multiple environments (dev, staging, prod) with the same configuration but different variable values. Which approach should they use?
Create separate directories with duplicated configurations
Use Terraform workspaces and separate variable files
Reuses configuration with isolated state and variables.
Use a single state file with environment variables
Use different versions of Terraform for each environment
A team uses Terraform Cloud with a VCS-backed workflow. They notice that a recent commit triggered a run that failed because of an invalid configuration. The team fixed the configuration and wants to re-run the plan without committing again. Which action should they take?
Amend the previous commit and force push
Create a new commit with the fix
Use the 'Queue Plan' button in the Terraform Cloud UI
Re-runs plan with the same commit.
Run terraform plan locally and apply
Want more Use Terraform outside the core workflow practice?
Practice this domainA team is using a module from the public Terraform Registry. They want to ensure that the module is pinned to a specific version to avoid unexpected changes. Which approach should they use?
Use 'required_providers' block in the root module to lock the module version.
Add a 'version' argument inside the module block.
Set 'version' in the module's source attribute, e.g., source = "terraform-aws-modules/vpc/aws" with version = "3.2.0".
Correct. The version constraint is specified as an argument in the module block alongside the source.
Store the module locally in a vendor directory and reference it by path.
An engineer is refactoring a monolithic Terraform configuration into reusable modules. One module outputs a list of subnet IDs. Another module needs to use these subnet IDs to create resources. What is the best way to pass this data between modules?
Use a Terraform data source in the second module to query the subnets directly.
Define the subnet IDs as a variable in the first module and pass them to the second module via a remote state data source.
Store the subnet IDs in a local file and use the 'file' function to read them in the second module.
Output the subnet IDs from the first module and reference that output as an input variable in the second module's block.
This is the correct pattern: module outputs are consumed as module input variables.
A developer creates a module that provisions an AWS EC2 instance and an S3 bucket. The module outputs the instance ID and bucket ARN. When using this module, the root configuration references module.my_module.instance_id and module.my_module.bucket_arn. After running terraform apply, they notice that the bucket ARN is empty. What is the most likely cause?
The output is defined in the module but not in the root configuration.
The S3 bucket creation depends on another resource that hasn't been created yet.
The output value in the module is defined incorrectly, e.g., referencing a non-existent attribute.
A misdefined output evaluates to empty or null, leading to an empty value.
The IAM role used by Terraform does not have permission to read the bucket ARN.
Which TWO statements about Terraform module sources are correct? (Select TWO.)
A module source can be a local file system path.
Local paths are valid module sources.
Modules can only be sourced from the public Terraform Registry.
Running 'terraform plan' automatically downloads any missing modules.
A module source can be a Git repository URL using the SSH protocol.
Git SSH URLs are supported.
The module source is defined in a separate 'source' block within the module.
Which THREE practices are recommended when using Terraform modules? (Select THREE.)
Design modules to have a single clear purpose.
Single-responsibility modules are easier to reuse and test.
Use version constraints when referencing modules from a registry.
Version pinning prevents breaking changes.
Output important resource attributes that consumers may need.
Outputs allow consumers to access created resources.
Hardcode provider-specific details like region inside the module to simplify usage.
Create a new module for each individual resource type.
The above configuration references a module from the Terraform Registry. After running 'terraform init', the user runs 'terraform plan' and gets an error: 'Error: Unsupported argument' for 'version'. What is the most likely cause?
The 'version' argument is not supported for this module because the source is not a registry module.
The version argument is only valid for registry modules. If the source is misconfigured, Terraform might treat it as a non-registry source.
The 'version' argument must be specified as a constraint like '>= 3.19.0' instead of an exact version.
The module source is from a Git repository, which does not support the 'version' argument.
If the source is a Git URL, 'version' is not supported; but the exhibit shows a registry source. However, if the source was actually a Git URL, version would be invalid. The error suggests the source is not a registry module.
The 'version' argument should be placed inside a 'required_providers' block.
Want more Interact with Terraform modules practice?
Practice this domainA team uses Terraform to manage infrastructure. After running 'terraform apply', a developer notices that a new security group rule was added, but then immediately removed. What is the most likely cause?
The security group rule was added manually and Terraform removed it to match the configuration.
Terraform detects drift and reverts changes not in the configuration.
The state file was corrupted and Terraform performed a refresh.
The configuration was changed to remove the rule after the apply.
The developer accidentally ran 'terraform destroy' instead.
During a 'terraform plan', you see the following output: 'Plan: 1 to add, 2 to change, 0 to destroy.' However, after running 'terraform apply', the actual number of resources changed is different. What is the most likely reason?
Terraform state locking prevented the apply from executing correctly.
The state file was corrupted during the apply.
The configuration was modified after the plan was generated.
If the configuration changes between plan and apply, the apply uses the new config, so the plan is outdated.
The 'terraform apply' command includes an implicit refresh that changes the plan.
A DevOps engineer is troubleshooting a failed 'terraform apply'. The error message says: 'Error: Error applying IAM policy: The policy failed validation'. The IAM policy is defined using HCL in a JSON-encoded string. What is the most efficient way to debug this issue?
Run 'terraform plan' to see the detailed error.
Use 'terraform console' to test the policy string.
Use a JSON validator tool to check the policy string in the configuration.
Validating the JSON string locally identifies syntax issues before running apply.
Upgrade to the latest Terraform version.
A team wants to ensure that all Terraform runs are recorded for audit purposes. Which practice should they implement?
Run 'terraform show' after every apply to capture state.
Add the state file to version control after each run.
Enable state locking in the backend configuration.
Configure a remote backend that supports state versioning.
Remote backends like S3 with versioning keep a history of state changes.
Which TWO actions are part of the core Terraform workflow? (Choose two.)
terraform fmt
terraform plan
Plan is the second step in the core workflow.
terraform validate
terraform apply
Apply is the final step in the core workflow.
terraform destroy
Which THREE of the following are valid reasons to use 'terraform refresh'? (Choose three.)
To update the state file when resources were deleted outside of Terraform.
Refresh will mark deleted resources as removed from state.
To detect drift between the state file and actual infrastructure.
Refresh updates state with current resource attributes, revealing drift.
To import existing infrastructure into Terraform management.
To update the state file after making manual changes to resources.
Refresh reconciles state with manual changes.
To update the Terraform configuration with current resource settings.
Want more Use the core Terraform workflow practice?
Practice this domainA team is using a remote backend in Terraform Cloud. After a failed apply, the state file is locked. The team lead wants to unlock the state immediately. What should be done?
Delete the state file from the backend and reinitialize
Run terraform force-unlock with the lock ID
The terraform force-unlock command with the lock ID manually releases the lock.
Manually edit the state file to remove the lock
Run terraform unlock
An organization uses Terraform with AWS S3 backend and DynamoDB for state locking. During a plan, you receive an error: 'Error acquiring the state lock'. The lock information in DynamoDB shows a lock from a previous session that crashed. What is the most appropriate next step?
Run terraform unlock
Run terraform force-unlock with the lock ID
This command releases the lock from the previous session.
Wait for the lock to expire automatically
Delete the lock item from DynamoDB table directly
A developer is working on a Terraform configuration that manages a single resource. They want to import an existing AWS EC2 instance into state. Which command should they use?
terraform apply
terraform refresh
terraform import
terraform import is the command to import existing resources into state.
terraform state mv
A team uses Terraform Cloud workspaces to manage multiple environments. They notice that the state file for the production workspace is stored in a different backend than the development workspace. Which Terraform feature allows different workspaces to use different backends?
Using the -backend-config flag
Using the backend block with a workspace key
Using partial configuration with a backend block that has dynamic workspace references
Partial configuration allows injecting workspace-specific values like bucket keys.
Using a remote backend type
After running terraform apply, you see the error: 'Error: Error loading state: state snapshot was created by Terraform v0.12.0, but this is Terraform v1.2.0'. What should you do to resolve this?
Run terraform state upgrade
Run terraform apply with no changes to upgrade the state format
Running terraform apply will upgrade the state to the current version.
Delete the state file and reimport resources
Downgrade Terraform to v0.12.0
A user wants to remove a specific resource from Terraform state without destroying the actual infrastructure. Which command should they use?
terraform state rm resource
This removes the resource from state without affecting the real infrastructure.
terraform taint resource
terraform state mv resource
terraform destroy -target=resource
Want more Implement and maintain state practice?
Practice this domainA team wants to use Terraform to provision infrastructure across multiple cloud providers. Which configuration approach best supports this goal?
Define multiple provider blocks, one for each cloud provider.
Allows using multiple providers in the same configuration.
Use a single provider block that supports multiple clouds.
Terraform cannot manage multiple clouds in one configuration.
Create separate workspaces for each cloud provider.
An operator runs 'terraform plan' and sees that a resource will be replaced. They want to avoid destroying the resource, but still apply other changes. What should they do?
Use 'terraform apply -replace=resource_address' to replace only that resource.
Add a 'lifecycle' block with 'create_before_destroy = true'.
Creates new resource before destroying old one, reducing downtime.
Set 'ignore_changes' to the attribute causing the replacement.
Add 'prevent_destroy = true' to the resource.
A Terraform configuration uses a module from the Terraform Registry. After updating the module version in the configuration, the operator runs 'terraform plan' but does not see the changes expected from the new version. What is the most likely cause?
The operator did not run 'terraform get' to update modules.
The operator did not run 'terraform init' after changing the version.
'terraform init' downloads the specified module version.
The operator did not run 'terraform refresh' to update state.
The module version constraint is stored in the state file and must be updated.
A developer wants to conditionally create a resource based on a variable that is a boolean. Which syntax should they use?
Use 'if var.create' inside the resource block
Use 'for_each = var.create ? [1] : []'
Use 'count = var.create'
Use 'count = var.create ? 1 : 0'
Correct pattern: count with ternary.
An operator wants to pass output values from one Terraform configuration to another as input variables. Which approach is recommended?
Hardcode the output values in a variables file for the second configuration.
Store outputs in a shared file and use 'file()' function to read them.
Use a remote state data source to read the outputs from the first configuration's state.
Data sources allow reading outputs from remote state.
Use environment variables to pass the output values.
A Terraform configuration includes a resource block with a 'lifecycle' block that has 'create_before_destroy = true'. During an apply, the create step succeeds but the destroy step fails. What is the resulting state?
Only the new resource remains in state, old resource is destroyed.
The state is empty for that resource address.
Only the old resource remains in state.
Both the old and new resources are in state.
New resource created; old resource not destroyed.
Want more Read, generate and modify configuration practice?
Practice this domainThe TF-003 exam has 57 questions and must be completed in 60 minutes. The passing score is 700/1000.
Scenario-based questions covering exam objectives with detailed answer explanations.
The exam covers 8 domains: Understand IaC concepts, Understand Terraform basics, Understand Terraform's purpose, Use Terraform outside the core workflow, Interact with Terraform modules, Use the core Terraform workflow, Implement and maintain state, Read, generate and modify configuration. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official HashiCorp TF-003 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.