CCNA Understand Terraform's purpose Questions

59 questions · Understand Terraform's purpose · All types, answers revealed

1
MCQeasy

A company wants to manage both on-premises and cloud infrastructure with a single tool. Which feature of Terraform makes this possible?

A.Provider plugins
B.State files
C.Provisioners
D.Workspaces
AnswerA

Provider plugins interface with different APIs, allowing Terraform to manage diverse infrastructure.

Why this answer

Terraform's provider plugin architecture allows it to manage resources across different platforms by using provider plugins that interface with each platform's API.

2
Multi-Selectmedium

Which of the following accurately describe core purposes and benefits of using Terraform in a cloud infrastructure environment? Choose all that apply. (There are four correct answers.)

Select 4 answers
.Enables infrastructure as code by allowing users to define resources in declarative configuration files.
.Automates the provisioning and lifecycle management of infrastructure across multiple cloud providers.
.Provides a built-in drift detection mechanism that automatically reverts unauthorized manual changes to infrastructure.
.Supports state management to track the current state of infrastructure and plan changes incrementally.
.Generates real-time billing and cost optimization recommendations for deployed resources.
.Facilitates collaboration through remote state backends and version-controlled configuration files.

Why this answer

Terraform's core purpose is to enable Infrastructure as Code (IaC) by allowing users to define cloud resources in declarative HCL (HashiCorp Configuration Language) files. It automates provisioning and lifecycle management across multiple providers (AWS, Azure, GCP, etc.) using a single workflow. State management is fundamental: Terraform maintains a state file to track real-world resources, enabling incremental planning and safe updates.

Collaboration is facilitated by storing state remotely (e.g., in S3, Terraform Cloud) and using version control for configuration files, ensuring team consistency and auditability.

Exam trap

HashiCorp often tests the misconception that Terraform automatically reverts drift or provides cost optimization, when in fact drift detection is read-only and cost management is outside Terraform's scope.

3
MCQeasy

What is the primary purpose of Terraform's state file?

A.Provide a GUI
B.Execute scripts
C.Map configurations to real-world resources
D.Store secrets
AnswerC

State is the source of truth for existing infrastructure.

Why this answer

The state file maps Terraform configurations to real-world resources, allowing Terraform to track resource metadata and detect drift.

4
Drag & Dropmedium

Drag and drop the steps to destroy infrastructure managed by Terraform in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Destroy plan previews removal; destroy command with confirmation tears down infrastructure.

5
Multi-Selecthard

Which THREE are considered Terraform's best practices?

Select 3 answers
A.Use variables to parameterize configurations
B.Use latest version of all modules
C.Store state securely
D.Use remote state locking
E.Use provisioners for all software installs
AnswersA, C, D

Variables allow reuse and flexibility across environments.

Why this answer

Storing state securely, using variables for parameterization, and enabling remote state locking are key best practices.

6
MCQmedium

An organization uses Terraform Cloud for remote state management. A user runs `terraform apply` locally but receives an error that the state is locked. What is the most likely cause?

A.The Terraform configuration has a syntax error.
B.The user does not have access to the remote state backend.
C.Another user or process is currently running a Terraform operation that modifies the same state.
D.The remote backend is temporarily unavailable.
AnswerC

State locking prevents concurrent writes.

Why this answer

Option C is correct because Terraform Cloud uses a state locking mechanism to prevent concurrent modifications that could corrupt the state file. When a user runs `terraform apply` locally, the command first attempts to acquire a lock on the remote state. If another user or process (e.g., a Terraform Cloud run, a CI/CD pipeline, or another local apply) is already holding that lock, the new operation will fail with a 'state is locked' error.

This is a fundamental safety feature to ensure state consistency.

Exam trap

The trap here is that candidates often confuse a 'state locked' error with a 'backend unavailable' error (Option D) or an 'access denied' error (Option B), but Cisco specifically tests the understanding that a lock error is a concurrency control mechanism, not a connectivity or permission issue.

How to eliminate wrong answers

Option A is wrong because a syntax error in the Terraform configuration would cause a validation failure during `terraform plan` or `terraform apply`, not a state lock error; the lock error is a backend-level issue, not a configuration-level one. Option B is wrong because if the user lacked access to the remote state backend, the error would typically be an authentication or authorization failure (e.g., 'AccessDenied' or '403 Forbidden'), not a state lock message; the lock error implies the user can reach the backend but the state is already locked. Option D is wrong because if the remote backend were temporarily unavailable, the error would be a network or timeout error (e.g., 'RequestError' or 'unable to reach the backend'), not a specific 'state is locked' message; the lock error indicates the backend is reachable and actively reporting a lock.

7
Multi-Selectmedium

A team is evaluating Terraform for managing their multi-cloud infrastructure. Which TWO statements accurately describe Terraform's purpose and capabilities? (Choose two.)

Select 2 answers
A.Terraform requires all configuration files to be placed in a single directory named 'terraform'.
B.Terraform can provision, update, and destroy infrastructure resources across multiple providers.
C.Terraform's configuration language (HCL) is designed to be human-readable and machine-friendly.
D.Terraform uses an imperative language to specify the exact steps to create resources.
E.Terraform is primarily a configuration management tool for installing software on servers.
AnswersB, C

Terraform manages the full lifecycle of infrastructure resources.

Why this answer

Option B is correct because Terraform is designed as an infrastructure-as-code tool that can provision, update, and destroy resources across multiple cloud providers (e.g., AWS, Azure, GCP) and other services using a declarative configuration. This multi-provider capability is a core differentiator from single-cloud tools, enabling consistent workflows for hybrid and multi-cloud environments.

Exam trap

HashiCorp often tests the distinction between declarative (Terraform) and imperative (e.g., Ansible playbooks) approaches, and candidates may confuse Terraform's purpose with configuration management tools like Chef or Puppet.

8
MCQeasy

What does Terraform's declarative model mean for infrastructure changes?

A.You manually approve each step
B.You describe the desired end state
C.You must specify the order of creation
D.You write scripts to create resources
AnswerB

Declarative means stating what you want, not how to get there.

Why this answer

In a declarative model, you describe the desired end state, and Terraform determines the steps to achieve that state, handling dependencies and changes automatically.

9
MCQmedium

An organization uses Terraform to deploy resources on AWS. They have separate configuration files for development, staging, and production. To differentiate these environments, they plan to use the same root module with different variable values. Which Terraform feature best supports this use case?

A.Terraform modules
B.Remote state backends
C.Multiple provider configurations
D.Terraform workspaces
AnswerD

Workspaces allow multiple state files for the same configuration, ideal for environments.

Why this answer

Option C is correct. Workspaces allow using the same configuration with separate state files for different environments. Option A (providers) is for different cloud providers, not environments.

Option B (modules) organize code but don't inherently separate state. Option D (remote backends) can be used with workspaces but alone don't provide environment separation.

10
MCQeasy

A company wants to adopt infrastructure as code (IaC) to manage their expanding cloud environment. Which problem does Terraform directly address?

A.Ensuring applications are highly available across regions
B.Automating software installation and patching on servers
C.Eliminating manual configuration drift across environments
D.Providing real-time monitoring and alerting for infrastructure
AnswerC

Terraform's desired state model helps prevent drift by enforcing configuration.

Why this answer

Option A is correct because Terraform provides a declarative way to define and provision infrastructure, ensuring consistency and repeatability. Option B is configuration management, not Terraform's focus. Option C is monitoring, not provisioning.

Option D is partly addressed but not the core purpose; Terraform helps with drift detection but not real-time correction.

11
MCQhard

A team member runs terraform apply with the configuration shown in the exhibit. The apply succeeds, but the output of the local-exec provisioner shows an empty string for the public IP address. What is the most likely cause?

A.There is a dependency cycle between the aws_instance and null_resource causing Terraform to skip the provisioner.
B.The local-exec provisioner only runs during terraform destroy, not during apply.
C.The aws_instance resource does not have a public IP assigned because it is launched in a default VPC without auto-assign public IP, and no Elastic IP is attached.
D.The provisioner cannot access the aws_instance resource's attributes because it is defined in a separate resource block.
AnswerC

Without explicit configuration, the instance may not get a public IP, leaving the attribute empty.

Why this answer

Option C is correct because the `local-exec` provisioner runs on the machine executing Terraform, not on the AWS instance itself. If the instance is launched in a default VPC without `auto-assign public IP` enabled and no Elastic IP is attached, the `self.public_ip` attribute will be an empty string. The provisioner then outputs that empty string, as it simply reads the attribute value from the resource state.

Exam trap

HashiCorp often tests the misconception that `local-exec` runs on the remote instance or that `self.public_ip` is always populated, when in reality it depends on the network configuration and the provisioner's execution context.

How to eliminate wrong answers

Option A is wrong because a dependency cycle would cause Terraform to error out during planning, not silently skip the provisioner; the apply succeeded, so no cycle exists. Option B is wrong because `local-exec` provisioners run during `terraform apply` by default, not only during destroy; `destroy-time` provisioners require explicit `when = destroy`. Option D is wrong because provisioners can access attributes of any resource in the configuration, including `aws_instance`, as long as the resource is referenced (e.g., via `self` or a direct reference); the `null_resource` has a `depends_on` ensuring the instance exists.

12
MCQmedium

During a terraform apply, the state file becomes corrupted. What is the recommended recovery method?

A.Restore from backup
B.Re-run apply
C.Delete the state and re-import all resources
D.Use terraform state pull
AnswerA

Restoring from a recent backup is the safest and most efficient method.

Why this answer

Restoring from a backup is the recommended recovery method for a corrupted state file, as state is critical and backups ensure minimal loss.

13
MCQeasy

A developer runs `terraform plan` and sees that Terraform will create a new S3 bucket and modify a security group. Which Terraform feature allows the developer to review these changes before applying them?

A.The `terraform apply` command
B.The `terraform validate` command
C.The `terraform plan` command
D.The `terraform state` command
AnswerC

Plan shows a preview of changes.

Why this answer

The `terraform plan` command creates an execution plan that shows what actions Terraform will take to achieve the desired state defined in the configuration. It compares the current state with the configuration and outputs a diff-like summary of resources to be created, modified, or destroyed, allowing the developer to review changes before applying them with `terraform apply`.

Exam trap

HashiCorp often tests the distinction between `terraform plan` as a read-only preview and `terraform apply` as the execution command, trapping candidates who confuse 'review' with 'apply' or think `terraform validate` performs a dry-run.

How to eliminate wrong answers

Option A is wrong because `terraform apply` executes the changes and does not provide a review-only preview; it applies the plan and prompts for confirmation unless auto-approved. Option B is wrong because `terraform validate` checks the syntax and internal consistency of the configuration files, not the planned changes against the real infrastructure state. Option D is wrong because `terraform state` is used to inspect or manipulate the Terraform state file (e.g., `terraform state list`, `terraform state show`), not to preview upcoming changes.

14
MCQhard

A company is adopting Terraform to manage its multi-cloud infrastructure on AWS and Azure. The infrastructure team has written several Terraform configurations stored in a Git repository. Each configuration is applied by different team members using their local machines. Recently, the team has been experiencing state file conflicts and inconsistencies, leading to infrastructure drift. The team currently stores the state file locally. They want to ensure that only one person can apply changes at a time and that the state file is always up-to-date. They also want to be able to collaborate effectively without overwriting each other's changes. Which approach should they implement?

A.Use Terraform Cloud to manage state and provide remote operations with locking.
B.Have only one team member run terraform apply from a dedicated machine.
C.Store the state file in a shared Git repository and use git pull/push to sync changes.
D.Use a remote backend such as Amazon S3 with DynamoDB for state locking.
AnswerA

Terraform Cloud provides remote state, locking, and team collaboration features.

Why this answer

Option A is correct because Terraform Cloud provides a managed remote state backend with built-in state locking and remote operations. This ensures that only one person can apply changes at a time (via the locking mechanism), the state file is always up-to-date (stored centrally), and team members can collaborate without overwriting each other's changes. It directly addresses the team's need for exclusive apply access and consistent state.

Exam trap

HashiCorp often tests the distinction between remote state storage (e.g., S3) and remote operations (e.g., Terraform Cloud); the trap here is that candidates see 'remote backend' and assume it solves all collaboration issues, but without remote operations, the apply still runs locally and state locking alone does not prevent concurrent applies from different machines.

How to eliminate wrong answers

Option B is wrong because it introduces a single point of failure and a bottleneck, and does not solve the underlying state locking issue—other team members could still run terraform plan or modify local state, leading to drift. Option C is wrong because storing the state file in a shared Git repository is not safe; Git does not provide state locking, and concurrent git pull/push operations can cause merge conflicts, corruption, or stale state. Option D is wrong because while Amazon S3 with DynamoDB provides state locking and remote storage, it does not offer remote operations (the apply still runs locally), so the team would still need to coordinate who runs apply, and the state file could become stale if multiple users run apply simultaneously without proper locking integration.

15
Multi-Selectmedium

Which TWO of the following are key advantages of using Terraform over manual infrastructure management? (Select TWO.)

Select 2 answers
A.Guaranteed zero downtime during updates
B.Consistent and repeatable deployments
C.Version-controlled infrastructure code
D.Automatic discovery of existing resources
E.Self-healing infrastructure
AnswersB, C

Declarative configurations ensure the same result each time, reducing manual errors.

Why this answer

Options B and E are correct. Version-controlled infrastructure code enables collaboration and audit trails. Consistent and repeatable deployments reduce errors.

Option A is incorrect because Terraform does not auto-discover resources. Option C is not guaranteed. Option D is not a Terraform feature.

16
Multi-Selecteasy

Which TWO statements best describe Terraform's purpose? (Choose two.)

Select 2 answers
A.It is a configuration management tool.
B.It is designed for single-cloud environments.
C.It uses a declarative language.
D.It requires a master node to manage agents.
E.It is an infrastructure provisioning tool.
AnswersC, E

Terraform uses HCL, a declarative language.

Why this answer

Terraform is an infrastructure provisioning tool that uses a declarative language. It is not a configuration management tool, does not require a master node, and supports multiple clouds.

17
MCQmedium

A team is reviewing the Terraform configuration shown in the exhibit. Which statement best describes the relationship between the two resources?

A.The S3 bucket cannot be created until the EC2 instance is running.
B.The S3 bucket depends on the EC2 instance because it is defined after it.
C.The two resources have no dependencies and can be created in any order.
D.The EC2 instance depends on the S3 bucket because the instance uses the bucket name.
AnswerC

No explicit or implicit dependencies.

Why this answer

Option C is correct because Terraform resources are independent by default unless an explicit or implicit dependency is declared. In the exhibit, the S3 bucket and EC2 instance are defined without any `depends_on` argument or attribute reference (e.g., `aws_s3_bucket.example.arn` used in the EC2 instance configuration). Therefore, Terraform can create them in parallel or any order, as there is no directed acyclic graph (DAG) edge enforcing a creation sequence.

Exam trap

HashiCorp often tests the misconception that Terraform creates resources in the order they appear in the configuration file, but the actual dependency mechanism is based on explicit references and `depends_on`, not lexical order.

How to eliminate wrong answers

Option A is wrong because there is no `depends_on` or attribute reference from the S3 bucket to the EC2 instance, so Terraform does not require the EC2 instance to be running before creating the bucket. Option B is wrong because Terraform does not use definition order to determine dependencies; it builds a dependency graph based on explicit references and `depends_on` blocks, not the order in the configuration file. Option D is wrong because the EC2 instance does not reference the S3 bucket's name or any attribute (e.g., `aws_s3_bucket.example.bucket`), so no implicit dependency exists; the instance can be created independently of the bucket.

18
MCQmedium

A team has been managing their AWS infrastructure using a collection of Bash scripts that create resources in a specific order. They frequently encounter issues where resources are created out of order or not properly cleaned up. They want to adopt a more reliable approach that ensures consistent provisioning and teardown. Which action best aligns with Terraform's purpose?

A.Continue using the Bash scripts but add more error handling.
B.Use Terraform but only store state locally on the lead engineer's machine.
C.Convert the scripts into Terraform configuration files and use remote state.
D.Rewrite the scripts as Ansible playbooks for provisioning.
AnswerC

Terraform's declarative model with dependency graph and state solves ordering and consistency.

Why this answer

Terraform's purpose is to manage infrastructure declaratively, handling dependencies and state. Converting to Terraform configs and using the plan/apply workflow ensures consistent provisioning. Continuing with scripts or using Ansible for provisioning are less effective.

19
MCQhard

Which Terraform feature allows managing multiple separate sets of infrastructure from the same configuration?

A.Workspaces
B.Count
C.Providers
D.For_each
AnswerA

Workspaces create separate state files for each environment using the same configuration.

Why this answer

Workspaces allow you to manage multiple distinct environments (e.g., dev, staging, prod) with the same configuration by maintaining separate state files.

20
MCQmedium

A company wants to ensure that Terraform configurations are consistent across teams. What practice should they adopt?

A.Write all code in a single file
B.Use modules from a registry
C.Use provisioners extensively
D.Avoid using variables
AnswerB

Modules encapsulate reusable configuration, ensuring consistency.

Why this answer

Using modules from a registry (e.g., Terraform Registry) promotes reuse, consistency, and best practices across teams.

21
Multi-Selecthard

Which THREE of the following are valid Terraform providers?

Select 3 answers
A.hashicorp/azurerm
B.kreuzwerker/docker
C.hashicorp/kubernetes
D.hashicorp/aws
E.hashicorp/cloudwatch
AnswersA, C, D

Official Azure provider.

Why this answer

Option A is correct because `hashicorp/azurerm` is the official Terraform provider for Microsoft Azure, published by HashiCorp in the Terraform Registry. It allows you to manage Azure resources such as virtual machines, storage accounts, and networking components using Terraform's declarative configuration language.

Exam trap

HashiCorp often tests the distinction between official HashiCorp providers and community providers, as well as the misconception that every AWS service has its own dedicated provider, when in fact all AWS services are bundled under the single `hashicorp/aws` provider.

22
MCQhard

An organization is evaluating Terraform for managing interconnected resources that must be created in a specific order. Why is Terraform's dependency graph handling a key aspect of its purpose?

A.It reduces the amount of code needed
B.It allows all resources to be created in parallel for speed
C.It ensures resources are provisioned in the correct order based on dependencies
D.It enables modularity and code reuse
AnswerC

The graph determines the execution order to handle dependencies.

Why this answer

Terraform builds a dependency graph from configurations to ensure resources are created, updated, or destroyed in the correct order, respecting dependencies. This is fundamental to its role as an infrastructure provisioning tool.

23
Multi-Selectmedium

Which TWO of the following are benefits of using Terraform's infrastructure as code approach?

Select 2 answers
A.Provisioning can be automated and repeated consistently across environments.
B.Infrastructure can be version-controlled and reviewed like application code.
C.Terraform automatically scales resources based on load.
D.Manual configuration of servers is eliminated entirely.
E.Terraform provides real-time monitoring of infrastructure health.
AnswersA, B

Automation and consistency are key benefits.

Why this answer

Option A is correct because Terraform's infrastructure as code approach allows you to define your entire infrastructure in declarative configuration files (HCL). These configurations can be executed repeatedly using `terraform apply`, ensuring that the same provisioning steps are performed consistently across development, staging, and production environments without manual intervention or drift.

Exam trap

HashiCorp often tests the distinction between provisioning and ongoing operational tasks—the trap here is that candidates confuse Terraform's declarative provisioning capabilities with features like autoscaling or monitoring, which are separate concerns handled by other tools in the cloud ecosystem.

24
MCQeasy

A developer is new to infrastructure as code and wants to deploy a simple web server on AWS using a tool that allows them to define the infrastructure in a reusable and version-controlled manner. They are considering using the AWS Management Console, AWS CLI, or Terraform. Which course of action aligns best with Terraform's purpose?

A.Use Terraform to define the web server in a .tf file and run terraform apply.
B.Use the AWS Management Console to manually create the web server.
C.Write a shell script using the AWS CLI to provision resources.
D.Use Terraform but only with local state and no version control.
AnswerA

Terraform's declarative approach suits IaC, allowing version control and automation.

Why this answer

Terraform is designed for infrastructure as code, allowing declarative configuration, version control, and automation. The console is manual, CLI is imperative and not idempotent. Terraform's purpose is to provision infrastructure as code.

25
MCQhard

A DevOps team accidentally deleted their Terraform state file. The actual infrastructure (EC2 instances, security groups, etc.) is still running and unchanged. They have the Terraform configuration files that were used to create the infrastructure. They want to re-establish management of the existing infrastructure without recreating it. Which course of action aligns with Terraform's purpose?

A.Delete all existing infrastructure and run terraform apply to recreate it.
B.Manually edit the configuration to match the existing resources exactly, then run terraform apply.
C.Run terraform plan to generate a new state file automatically.
D.Use terraform import for each resource to bring them into the state file.
AnswerD

Import links existing resources to the configuration, maintaining state without recreation.

Why this answer

Terraform's purpose includes managing existing infrastructure through import. Using terraform import allows you to bring resources into state without recreation. Deleting and recreating is disruptive, and modifying config without state is risky.

26
MCQmedium

Refer to the exhibit. A user attempts to run terraform apply with this configuration. What error will occur?

A.Conflicting access control settings
B.Missing required provider configuration
C.Duplicate resource name "mybucket"
D.Invalid bucket name pattern
AnswerC

Two resources with the same type and name cause a conflict.

Why this answer

Option A is correct. The configuration defines two resources with the same logical name 'mybucket' of the same type (aws_s3_bucket), which is not allowed. Terraform will throw an error about duplicate resource names.

Option B is incorrect because the provider is correctly configured. Option C is not the immediate error; if it were allowed, there would be a conflict but not a syntax error. Option D is incorrect because bucket names are valid.

27
MCQhard

An organization has multiple teams using Terraform to manage shared infrastructure. They want to enforce policies such as requiring specific tags on all resources and preventing the use of certain instance types. Which Terraform feature should they implement to meet these requirements?

A.Terraform workspaces
B.Custom Terraform providers
C.Remote backends with state locking
D.Sentinel policy enforcement
AnswerD

Sentinel is a policy-as-code framework that can enforce rules on Terraform configurations.

Why this answer

Option D is correct. Sentinel policies (or OPA) allow policy-as-code to enforce rules during Terraform runs. Option A (custom providers) is complex and not for policy.

Option B (remote backends) is for state storage. Option C (workspaces) is for environment separation. Sentinel integrates with Terraform Cloud/Enterprise to enforce policies.

28
MCQhard

A company has a Terraform configuration that works correctly in us-east-1 but fails in us-west-2 due to resource availability. What is the best way to handle this?

A.Hardcode region in resources
B.Use count
C.Use data sources
D.Use provisioners
AnswerC

Data sources can fetch regional information like available instance types.

Why this answer

Using data sources to query available resources at plan time allows Terraform to dynamically select valid configurations per region.

29
MCQhard

A company uses AWS CloudFormation for AWS resources and Azure Resource Manager for Azure resources. They want to standardize on a single tool that can manage resources across both clouds with a consistent workflow and support for infrastructure as code. They also want to ensure that their infrastructure can be version-controlled and reviewed. Which approach best fulfills Terraform's purpose?

A.Use a custom Python script that calls both cloud APIs.
B.Continue using CloudFormation for AWS and Resource Manager for Azure.
C.Use Terraform with the AWS and Azure providers to manage all resources.
D.Migrate all resources to a single cloud provider to simplify management.
AnswerC

Terraform's multi-cloud support aligns with the goal of a single tool.

Why this answer

Terraform is purpose-built for multi-cloud infrastructure as code with a unified declarative language. Using separate tools per cloud increases complexity. Terraform's provider model allows managing both AWS and Azure in the same configuration.

30
MCQeasy

A team wants to manage infrastructure across multiple cloud providers using a single tool that supports infrastructure as code. Which tool is best suited for this purpose?

A.Ansible
B.Terraform
C.AWS CloudFormation
D.Chef
AnswerB

Terraform is designed for multi-cloud infrastructure provisioning using declarative configuration.

Why this answer

Terraform is an infrastructure provisioning tool that supports multiple cloud providers through plugins. Ansible is a configuration management tool, Chef is also configuration management, and CloudFormation is AWS-specific.

31
Multi-Selecteasy

Which TWO statements accurately describe key purposes of Terraform?

Select 2 answers
A.Terraform enables declarative infrastructure provisioning.
B.Terraform provides built-in security scanning.
C.Terraform automates continuous delivery pipelines.
D.Terraform supports multi-cloud and multi-provider environments.
E.Terraform manages both mutable and immutable infrastructure.
AnswersA, D

Terraform uses declarative configuration files to define and provision infrastructure.

Why this answer

Option B is correct because Terraform uses declarative configuration to define desired infrastructure state. Option D is correct because Terraform is designed to work with multiple cloud providers and services. Option A is misleading: Terraform primarily manages immutable infrastructure.

Option C is incorrect: Terraform does not automate CI/CD pipelines directly. Option E is not a core purpose; security scanning is external.

32
Matchingmedium

Match each Terraform error code to its meaning.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Success – no errors

Error – command failed

Error – CLI argument parsing error

Error – configuration errors

Error – state lock error

Why these pairings

Terraform exit codes indicate the result of command execution.

33
Multi-Selectmedium

Which TWO are benefits of Terraform's immutable infrastructure approach?

Select 2 answers
A.Easier rollbacks
B.Better performance
C.Faster provisioning
D.Lower cost
E.Reduced configuration drift
AnswersA, E

Immutable infrastructure allows you to redeploy a previous version easily.

Why this answer

Immutable infrastructure reduces configuration drift and simplifies rollbacks by replacing rather than modifying resources.

34
Multi-Selectmedium

Which three of the following best describe the core purpose and capabilities of Terraform? (Choose three.)

Select 3 answers
.It is an infrastructure as code tool that allows you to define and provision data center infrastructure using a declarative configuration language.
.It can manage both low-level components like compute instances and high-level components like DNS records across multiple cloud providers.
.It maintains a state file to map real-world resources to your configuration and to track metadata such as resource dependencies.
.It is primarily a configuration management tool for installing and configuring software on existing servers.
.It only supports public cloud providers (AWS, Azure, GCP) and cannot manage on-premises infrastructure.
.It requires a running daemon or agent on each target machine to execute resource changes.

Why this answer

Terraform is an infrastructure as code (IaC) tool that uses a declarative configuration language (HCL) to define and provision data center infrastructure. It manages both low-level components (e.g., compute instances, storage) and high-level components (e.g., DNS records, SaaS resources) across multiple cloud providers and on-premises systems via providers. Terraform maintains a state file to map real-world resources to your configuration, track metadata like dependencies, and enable incremental updates.

Exam trap

HashiCorp often tests the misconception that Terraform is a configuration management tool or requires agents, aiming to confuse candidates who conflate IaC provisioning with software configuration management tools like Chef or Puppet.

35
MCQhard

A team uses Terraform to manage infrastructure in AWS. They have a single workspace and store state in an S3 bucket with DynamoDB locking. After a recent apply, the state file became corrupted due to a network interruption during the state write. The team needs to recover the state and prevent future corruption. They have not enabled any backup or versioning. What should they do?

A.Enable S3 bucket versioning and DynamoDB point-in-time recovery, then use terraform state pull to retrieve a previous state version.
B.Use terraform force-unlock to release the lock and reapply the configuration.
C.Manually edit the state file in S3 to fix the corruption.
D.Delete the state file and run terraform import for all resources.
AnswerA

Versioning allows restoring previous state files; point-in-time recovery ensures DynamoDB lock table can be restored. This is the best recovery path.

Why this answer

Option B is correct: enabling S3 bucket versioning and DynamoDB point-in-time recovery provides backup and restoration capabilities. With versioning, they can revert to a previous state version. Point-in-time recovery for DynamoDB helps recover the lock table.

Then 'terraform state pull' can retrieve the good state. Option A is risky and not recommended. Option C is overly destructive and loses all state.

Option D does not fix corruption.

36
MCQeasy

Refer to the exhibit. What does this output show?

A.Resources to be created
B.Resources in the configuration
C.Resources that are out of sync
D.Resources managed by Terraform
AnswerD

State list enumerates existing resources under management.

Why this answer

The `terraform state list` output shows all resources currently tracked in the state file, indicating resources managed by Terraform.

37
MCQhard

Refer to the exhibit. A team is troubleshooting a Terraform deployment. What information can be inferred from this state file?

A.The Terraform version is outdated and must be upgraded.
B.There is one EC2 instance of type t2.micro with a dependency on a security group.
C.The instance ID is invalid and needs to be recreated.
D.The security group dependency was not applied.
AnswerB

The state shows exactly one instance with those attributes and a dependency.

Why this answer

Option B is correct. The state indicates one managed resource of type aws_instance named 'web' with instance type t2.micro and a dependency on aws_security_group.web_sg. Option A is incorrect because the dependency is listed.

Option C is incorrect because version 1.5.0 is current. Option D is incorrect because the ID is plausible; without further context, we cannot assume it's invalid.

38
Multi-Selectmedium

Which TWO tasks are better suited for configuration management tools than Terraform?

Select 2 answers
A.Installing software packages
B.Managing network ACLs
C.Provisioning a VPC
D.Creating IAM roles
E.Configuring web server settings
AnswersA, E

Configuration management tools like Ansible or Chef are ideal for software installation.

Why this answer

Installing software packages and configuring server settings are the domain of configuration management, while Terraform excels at provisioning.

39
Multi-Selecthard

Which THREE statements accurately describe Terraform state? (Select THREE.)

Select 3 answers
A.State is used to map real-world resources to configuration.
B.State can be shared among team members using remote backends.
C.State contains sensitive data by default.
D.State is automatically locked to prevent concurrent modifications.
E.State is stored locally by default.
AnswersA, B, E

State keeps track of resource metadata to associate real resources with config.

Why this answer

Options A, B, and D are correct. By default, state is stored locally. Remote backends enable sharing state among team members.

State maps real-world resources to configuration for tracking. Option C is false because state may contain sensitive data but not by default—only if resources have sensitive attributes. Option E is false because state locking must be explicitly supported by the backend (e.g., S3 with DynamoDB).

40
MCQmedium

A team has been manually modifying cloud resources outside of Terraform. They now find that Terraform plans show changes that don't match their expectations. What core concept of Terraform's purpose does this situation violate?

A.Declarative configuration with desired state
B.Idempotency
C.Immutable infrastructure
D.Procedural scripting
AnswerA

Terraform uses a desired state model; manual changes violate this principle.

Why this answer

Terraform's purpose is to manage infrastructure based on a declarative desired state. Manual changes cause state drift, making the configuration inconsistent with actual resources. The correct answer is 'Desired state management'.

41
MCQhard

An organization has a multi-cloud strategy using Terraform. They need to ensure that secrets such as API keys are not stored in plaintext in the configuration files. Which Terraform feature should they use to securely manage sensitive data?

A.Terraform variable definitions with environment variables
B.Terraform workspaces
C.Integration with a secrets management tool like Vault
D.Terraform state file encryption
E.Terraform's sensitive parameter in output blocks
AnswerC

Vault provides secure storage and dynamic secrets, keeping them out of configuration files.

Why this answer

Option E is correct because integrating with a secrets management tool like Vault provides secure storage and retrieval of secrets. Option A (workspaces) separates state but not secrets. Option B (state encryption) protects state but not the source code.

Option C (environment variables) still exposes secrets in the execution environment. Option D (sensitive parameter) only masks output, not the source.

42
MCQmedium

A DevOps engineer needs to integrate Terraform with a CI/CD pipeline. What is a common practice?

A.Run terraform plan in a pull request
B.Avoid using variables
C.Use -auto-approve always
D.Store state in a local file
AnswerA

Plan in PRs gives visibility into changes before apply.

Why this answer

Running `terraform plan` in a pull request allows team members to review proposed changes before applying them, promoting collaboration and safety.

43
MCQhard

A team is using Terraform to manage multiple environments (dev, staging, prod) with the same configuration but different variable values. They want to avoid duplicating configuration files. Which Terraform feature is best suited for this?

A.Terraform modules with separate directories for each environment
B.Terraform data sources to fetch environment-specific variables
C.Using multiple Terraform configuration files in a single directory
D.Terraform workspaces
AnswerD

Workspaces enable multiple environments with one configuration.

Why this answer

Terraform workspaces allow you to manage multiple environments (e.g., dev, staging, prod) using the same root configuration and variable definitions, but with separate state files. This avoids duplicating configuration files while enabling environment-specific variable values via `terraform.workspace` interpolation or separate `.tfvars` files per workspace. Option D is correct because workspaces are the native Terraform feature designed for this exact use case.

Exam trap

HashiCorp often tests the misconception that Terraform modules (Option A) are the primary tool for environment separation, but modules are for code reuse, not state isolation—workspaces handle state separation without duplicating configuration.

How to eliminate wrong answers

Option A is wrong because using separate directories for each environment with modules still duplicates the root configuration and state files, which is exactly what the team wants to avoid. Option B is wrong because data sources are used to fetch or compute data from providers (e.g., AWS, Azure) at plan/apply time, not to manage environment-specific variable values or state separation. Option C is wrong because placing multiple configuration files in a single directory does not inherently separate state or variable values per environment; it would still require manual management and risks state corruption.

44
Multi-Selectmedium

Which TWO of the following are core components of Terraform's workflow? (Select TWO.)

Select 2 answers
A.terraform validate
B.terraform init
C.terraform install
D.terraform destroy
E.terraform plan
AnswersB, E

Initializes providers, modules, and backend configuration.

Why this answer

Options A and C are correct. `terraform init` initializes the working directory, and `terraform plan` creates an execution plan. Option B is not a valid command. Option D (`validate`) is a subcommand but not part of the core workflow (init, plan, apply).

Option E (`destroy`) is a separate command, not part of the core provisioning workflow.

45
MCQmedium

A team wants to use Terraform to manage their AWS infrastructure. They have existing resources created manually. What is the recommended approach to bring these resources under Terraform management?

A.Delete the existing resources and recreate them using Terraform configuration.
B.Use terraform plan to detect existing resources and automatically adopt them.
C.Write Terraform configuration that matches existing resources and run terraform apply.
D.Use terraform import to bring each resource into state.
AnswerD

Import is the correct workflow to adopt existing infrastructure into Terraform.

Why this answer

Option D is correct because the `terraform import` command is designed to bring existing resources into Terraform state so they can be managed. Option A is disruptive and unnecessary. Option B may cause errors if configurations don't match exactly.

Option C is not a feature that automatically discovers resources.

46
MCQhard

Your organization manages a multi-cloud infrastructure using Terraform. The infrastructure includes an AWS VPC with subnets and EC2 instances, and an Azure resource group with virtual networks and VMs. The Terraform configuration is stored in a Git repository, and state is stored in an S3 bucket with DynamoDB locking. Recently, a developer updated the configuration to add a new security group rule in AWS, but after running `terraform apply`, the rule was not created. The developer verified that the configuration file contains the rule. Additionally, the developer noticed that the state file shows the security group exists but without the new rule. The developer ran `terraform plan` again, and it shows that the rule will be created. However, when applying, it fails with a 'timeout' error. The operations team suspects network connectivity issues to the S3 backend. What is the best course of action to resolve this issue?

A.Run `terraform init` again to reinitialize the backend.
B.Migrate the state backend to Terraform Cloud, and use remote operations for applies.
C.Increase the timeout value in the Terraform provider configuration.
D.Disable state locking by removing the DynamoDB table reference.
AnswerB

Terraform Cloud runs applies in a controlled environment, avoiding local network issues.

Why this answer

Option B is correct because the timeout error when applying, despite a successful plan, indicates that the issue is not with the configuration or state locking but with the network connectivity to the S3 backend during the apply operation. Migrating to Terraform Cloud with remote operations moves the execution environment to Terraform Cloud's infrastructure, which has reliable connectivity to the S3 backend, bypassing the local network issues. This resolves the timeout without altering the configuration or compromising state integrity.

Exam trap

HashiCorp often tests the distinction between provider-level timeouts (for API calls to cloud providers) and backend-level timeouts (for state storage), leading candidates to incorrectly choose increasing provider timeouts when the issue is actually with backend connectivity.

How to eliminate wrong answers

Option A is wrong because `terraform init` reinitializes the backend configuration but does not fix network connectivity issues to the S3 backend; the timeout occurs during the apply, not during initialization. Option C is wrong because increasing the timeout in the provider configuration affects API calls to AWS or Azure, not the HTTP timeout for the S3 backend connection; the timeout error is from the backend, not the provider. Option D is wrong because disabling state locking by removing the DynamoDB table reference would allow concurrent state modifications, risking state corruption and race conditions, and does not address the underlying network connectivity issue.

47
MCQeasy

Refer to the exhibit. A developer runs terraform plan and sees the above output. What will happen when terraform apply is executed?

A.The existing EC2 instance is replaced due to a change in instance_type.
B.A new EC2 instance is created with instance_type t2.small, and the old one is destroyed.
C.The existing EC2 instance's instance_type is changed to t2.small in-place.
D.No changes will be made because the plan shows an update.
AnswerC

The tilde (~) and 'updated in-place' indicate a modification without recreation.

Why this answer

Option B is correct. The plan shows 'updated in-place' with a tilde (~) indicating modification, not recreation. The instance_type will change from t2.micro to t2.small without destroying the instance.

Option A describes replacement (force new), which is not indicated. Option C is incorrect because AWS allows in-place modification of instance_type for stopped instances. Option D is incorrect because the plan shows one change.

48
MCQmedium

Refer to the exhibit. What is the primary purpose of the version constraint '~> 4.0'?

A.Allows any version in the 4.0 range including patch updates.
B.Allows only exact version 4.0.
C.Allows versions 4.0 through 5.0.
D.Allows any version 4.0 or higher.
AnswerA

The pessimistic constraint allows versions 4.0, 4.1, 4.2, etc., but not 5.0.

Why this answer

Option C is correct because the pessimistic version constraint (~>) allows only the rightmost version component to increment. For '~> 4.0', it means any version >= 4.0 and < 5.0, so patch updates are allowed. Option A is wrong because it would be '>= 4.0'.

Option B is wrong because exact version is '= 4.0'. Option D is wrong because that range would be '>= 4.0, < 5.0' which is same as ~> 4.0 but not the intended explanation; actually D is also partially correct but in exam context, 'including patch updates' is more precise.

49
MCQmedium

A team uses a remote backend (S3) with state locking via DynamoDB. One team member runs terraform apply and it fails mid-way. Another team member immediately tries to run terraform plan. What is likely to happen?

A.The plan will run successfully because the lock is automatically released after failure.
B.The plan will run but the state file will be corrupted.
C.The plan will fail with an error indicating the state is locked.
D.The plan will run successfully and show any partial changes.
AnswerC

DynamoDB-backed locking persists until manually released or after a timeout.

Why this answer

Option C is correct. The failed apply may have left a lock on the state, so the plan will fail to acquire the lock. Option A is incorrect because the lock is not automatically released after a failure in all backends.

Option B is possible but the lock prevents it. Option D is incorrect because state is not automatically corrupted; it may be inconsistent but not necessarily corrupt.

50
MCQeasy

A junior DevOps engineer is asked to explain the primary purpose of Terraform. Which statement best describes Terraform's purpose?

A.Terraform is a monitoring tool that tracks infrastructure changes.
B.Terraform is a scripting tool for automating manual tasks in cloud environments.
C.Terraform is a configuration management tool that installs and configures software on servers.
D.Terraform is an infrastructure provisioning tool that manages cloud and on-premises resources using declarative configuration.
AnswerD

This accurately describes Terraform's purpose: declarative IaC provisioning.

Why this answer

Option B is correct because Terraform is a declarative infrastructure provisioning tool that manages cloud and on-premises resources as code. Option A is incorrect because configuration management (e.g., Ansible) is a different category. Option C is incorrect because Terraform is not a scripting tool but an IaC tool.

Option D is incorrect because monitoring is not Terraform's core purpose.

51
Multi-Selecteasy

Which TWO statements accurately describe the purpose of Terraform? (Choose two.)

Select 2 answers
A.Terraform allows users to define infrastructure resources in a declarative configuration language.
B.Terraform can be used to create, modify, and destroy infrastructure resources.
C.Terraform is designed to work exclusively with AWS.
D.Terraform is a configuration management tool used for installing software on existing servers.
E.Terraform is a continuous integration and deployment tool.
AnswersA, B

Terraform uses HCL to declare desired state.

Why this answer

Option A is correct because Terraform uses HashiCorp Configuration Language (HCL) to define infrastructure as code in a declarative manner, meaning users specify the desired end state of resources without scripting the step-by-step process. This declarative approach allows Terraform to automatically determine the necessary actions to reach that state, making infrastructure management predictable and repeatable.

Exam trap

The trap here is that candidates often confuse Terraform's provisioning role with configuration management (Option D) or mistakenly assume it is cloud-specific (Option C), because many introductory examples focus on AWS, but Terraform's multi-provider support is a core design principle.

52
MCQhard

Refer to the exhibit. What is the purpose of the data source?

A.To create a new AMI
B.To fetch an existing AMI ID
C.To define a variable
D.To output the AMI name
AnswerB

The data source retrieves the AMI ID of the latest Ubuntu 20.04 image.

Why this answer

The data source queries the AWS API to fetch information about an existing AMI that matches the specified filters, returning its ID for use in the resource.

53
MCQeasy

A new user is learning Terraform. They write a configuration file and run terraform apply expecting to provision resources. However, they forgot to run terraform init first. What will happen?

A.Terraform will successfully apply the configuration because validate is enough.
B.Terraform will automatically run init before applying.
C.Terraform will prompt to run init and then continue.
D.Terraform will return an error stating that the working directory is not initialized.
AnswerD

Terraform requires initialization to download providers and modules.

Why this answer

Option B is correct. Running apply without init will fail because providers and modules are not initialized. Option A is incorrect because init is a prerequisite.

Option C is incorrect because terraform validate does not initialize. Option D is incorrect because the failure will prevent any provisioning.

54
MCQhard

Which Terraform feature helps manage dependencies between resources?

A.data source
B.output
C.depends_on
D.provisioner
AnswerC

`depends_on` explicitly defines resource dependencies.

Why this answer

The `depends_on` argument explicitly specifies dependencies, ensuring resources are created or destroyed in the correct order.

55
MCQmedium

A company wants to manage its infrastructure as code using Terraform. The team has a mix of on-premises servers and cloud resources in AWS and Azure. Which of the following best describes Terraform's purpose in this scenario?

A.Terraform is a configuration management tool for installing software on existing servers.
B.Terraform is a cloud-specific orchestration tool that only works with AWS.
C.Terraform is a monitoring and logging tool for cloud resources.
D.Terraform is an infrastructure-as-code tool for provisioning and managing any infrastructure across multiple providers.
AnswerD

Correctly defines Terraform's purpose.

Why this answer

Option D is correct because Terraform is explicitly designed as an infrastructure-as-code tool that uses declarative configuration files to provision and manage resources across multiple providers, including on-premises servers (via providers like vSphere or Hyper-V) and cloud platforms like AWS and Azure. Its provider model allows it to abstract away the underlying APIs, making it provider-agnostic and suitable for hybrid environments.

Exam trap

HashiCorp often tests the misconception that Terraform is a configuration management tool (like Ansible) or that it is limited to a single cloud provider, so candidates must remember that Terraform is a provisioning tool for infrastructure resources across multiple providers, not for software configuration or monitoring.

How to eliminate wrong answers

Option A is wrong because Terraform is not a configuration management tool like Ansible, Puppet, or Chef; it does not install software or manage state on existing servers—it provisions infrastructure resources. Option B is wrong because Terraform is not cloud-specific; it supports over 100 providers, including AWS, Azure, GCP, and on-premises solutions, through its plugin-based architecture. Option C is wrong because Terraform does not perform monitoring or logging; tools like CloudWatch, Azure Monitor, or Prometheus handle those tasks, while Terraform focuses on the lifecycle (create, read, update, delete) of infrastructure resources.

56
MCQeasy

A junior DevOps engineer is learning about Infrastructure as Code (IaC) and asks why Terraform is preferred over manual configuration in cloud consoles. Which of the following is the primary benefit of using Terraform for infrastructure management?

A.It can only manage infrastructure on major cloud providers like AWS, Azure, and GCP.
B.It automatically rolls back any failed infrastructure changes.
C.It enables version-controlled, repeatable, and automated infrastructure provisioning.
D.It uses an imperative approach where you specify exact commands to execute.
AnswerC

IaC allows infrastructure to be managed as code, enabling versioning, review, and automation.

Why this answer

Option C is correct because Terraform's core value proposition is enabling infrastructure as code (IaC), which allows teams to define infrastructure in declarative configuration files, version control them with Git, and provision consistently across environments. This repeatability and automation eliminate the drift and manual errors inherent in clicking through cloud consoles, making infrastructure management auditable, collaborative, and scalable.

Exam trap

The trap here is that candidates confuse declarative (Terraform) with imperative (e.g., Ansible or shell scripts) approaches, or assume Terraform's state management includes automatic rollback, when in fact it only provides a plan and requires explicit user action to revert changes.

How to eliminate wrong answers

Option A is wrong because Terraform is not limited to major cloud providers; it uses a plugin-based provider architecture that supports hundreds of providers, including on-premises solutions like VMware, OpenStack, and custom APIs via the Terraform Provider SDK. Option B is wrong because Terraform does not automatically roll back failed changes; it creates a state file to track resources and can detect drift, but rollbacks require manual intervention or a separate 'terraform destroy' and re-apply of a previous configuration. Option D is wrong because Terraform uses a declarative approach, not imperative; you define the desired end state in HCL (HashiCorp Configuration Language), and Terraform determines the necessary actions to reach that state, unlike imperative tools that require step-by-step commands.

57
MCQhard

A DevOps engineer runs terraform plan and sees that a resource will be destroyed and recreated, but they expected an in-place update. The resource is an AWS EC2 instance with a specific AMI. Which attribute change is most likely causing the destruction?

A.The AMI ID was changed.
B.The security group list was modified.
C.The tags were updated.
D.The instance type was reduced from large to micro.
AnswerA

AMI changes force a new instance because the root volume is tied to the AMI.

Why this answer

Option A is correct. Changing the AMI ID typically forces replacement of an EC2 instance because the underlying image changes. Option B (security groups) can be updated in-place.

Option C (tags) are modifiable without replacement. Option D (instance type) can be changed in-place if the instance is stopped (though plan may show in-place); but generally AMI changes force new.

58
MCQmedium

Refer to the exhibit. What does this output indicate?

A.A resource will be modified
B.A resource will be destroyed
C.No changes
D.A resource will be created
AnswerA

1 to change indicates an existing resource will be updated.

Why this answer

The plan shows 0 resources to add, 1 to change, and 0 to destroy, meaning an existing resource will be modified.

59
Multi-Selectmedium

Which THREE are part of Terraform's core workflow? (Choose three.)

Select 3 answers
A.Apply
B.Import
C.Plan
D.Destroy
E.Write
AnswersA, C, E

Apply executes the plan.

Why this answer

The core Terraform workflow consists of Write (author configuration), Plan (preview changes), and Apply (execute changes). Destroy is a subcommand of Apply, and Import is a separate command for bringing existing resources under management.

Ready to test yourself?

Try a timed practice session using only Understand Terraform's purpose questions.