CCNA Implement and maintain state Questions

73 questions · Implement and maintain state · All types, answers revealed

1
MCQ · medium

A team uses Terraform with the `azurerm` backend. A junior engineer accidentally deletes the state file from the storage container. The team has a backup from 2 hours ago in a different container. What is the correct procedure to recover from this state loss?

A. Restore the backup state file to the original location, then run `terraform plan` to check for any drift
B. Re-run `terraform init` and then `terraform refresh` without restoring
C. Delete all resources manually and re-import them using `terraform import`
D. Create a new empty state and use `terraform apply` to recreate everything
Answer: A

This restores the known good state and allows verification.

Why this answer

Restoring the backup and reapplying should recover. Option A is correct. Option B would recreate all resources but may cause downtime.

Option C is risky. Option D is too destructive.

2
MCQ · hard

After running `terraform state mv` to rename a resource, the resource's state binding is lost and the resource cannot be managed. Which command should be run to restore the state binding?

A. terraform state push
B. terraform state show
C. terraform state rm
D. terraform import
E. terraform import
Answer: E

Importing the specific resource re-establishes its state binding.

Why this answer

If a resource's state is missing after a state operation, `terraform import` can re-import the resource into state. The other commands do not restore state binding.

3
MCQ · easy

A team is using a shared backend for Terraform state. After running terraform apply, the state file is locked for an extended period, causing other team members to fail with 'Error acquiring the state lock'. What is the most likely cause?

A. A previous terraform apply command was interrupted or crashed, leaving a stale lock.
B. Another team member is actively running terraform apply on the same state.
C. The backend configuration was changed without running terraform init.
D. The state file contains resources that no longer exist in the cloud provider.
Answer: A

A broken lock file causes the lock to persist indefinitely.

Why this answer

Option A is correct because Terraform uses a locking mechanism (typically via DynamoDB for AWS S3 backends) to prevent concurrent state modifications. If a `terraform apply` is interrupted or crashes, the lock may not be released, leaving a stale lock entry. This causes subsequent operations to fail with 'Error acquiring the state lock' until the lock is manually removed or expires (if TTL is configured).

Exam trap

HashiCorp often tests the distinction between a legitimate lock held by another user (Option B) and a stale lock from a crashed process (Option A), where candidates mistakenly think any lock error means someone else is actively working.

How to eliminate wrong answers

Option B is wrong because if another team member is actively running `terraform apply`, the lock is legitimate and not 'stale' — the error message is expected behavior, not a misconfiguration or bug. Option C is wrong because changing the backend configuration without `terraform init` would cause a backend initialization error, not a state lock error; the lock mechanism is backend-specific and would not be triggered by a config mismatch. Option D is wrong because resources that no longer exist in the cloud provider cause drift or refresh errors during `terraform plan` or `apply`, but do not affect the state locking mechanism, which operates at the backend level independently of resource state.

4
MCQ · hard

An organization uses Terraform with the AzureRM backend. The team recently split a large configuration into multiple smaller configurations, each with its own state file. They want to share outputs from one configuration (networking) as inputs to another (compute). Which approach should they use to reference the networking state from the compute configuration without duplicating data?

A. Define output values in the networking configuration and they will be automatically available in the compute configuration.
B. Run 'terraform output' on the networking state and save the values to a JSON file, then use 'terraform_remote_state' to read them.
C. Use a 'data' 'terraform_remote_state' block in the compute configuration to read the networking state.
D. Hardcode the subnet IDs from the networking configuration into the compute configuration.
Answer: C

This data source retrieves the outputs from the specified remote state, enabling cross-configuration references.

Why this answer

Option C is correct because the `terraform_remote_state` data source allows one Terraform configuration to read the root-level output values from another configuration's state file stored in the AzureRM backend. This enables sharing of networking outputs (e.g., subnet IDs) into the compute configuration without duplicating data or manually exporting values. The data source retrieves the state directly from the configured backend, ensuring the compute configuration always uses the latest networking outputs.

Exam trap

HashiCorp often tests the misconception that `terraform output` or automatic sharing between configurations is sufficient, but the correct approach is always to use the `terraform_remote_state` data source to read outputs from a separate state file.

How to eliminate wrong answers

Option A is wrong because Terraform does not automatically share outputs between separate configurations; each configuration has its own state file and outputs must be explicitly referenced. Option B is wrong because while `terraform output` can produce a JSON file, the `terraform_remote_state` data source reads the state file directly from the backend, not from a local JSON file; saving to a JSON file introduces manual steps and risks stale data. Option D is wrong because hardcoding subnet IDs violates the principle of infrastructure as code, creates duplication, and requires manual updates whenever networking changes.

5
Multi-Select · medium

Which THREE actions should be taken when migrating Terraform state from local to a remote backend?

Select 3 answers
A. Remove the local state file before running terraform init.
B. Run terraform init to initialize the backend and migrate state.
C. Manually import all existing resources into the remote state.
D. Confirm migration by typing 'yes' when prompted.
E. Add a backend block to the configuration.
Answers: B, D, E

This command handles the migration.

Why this answer

Option B is correct because `terraform init` is the command that initializes the backend configuration and, when a backend block is added to the configuration, automatically prompts to migrate the existing local state file to the new remote backend. This command handles the state migration seamlessly without requiring manual intervention, ensuring the state file is copied and the backend is configured correctly.

Exam trap

HashiCorp often tests the misconception that you must manually delete or move the local state file before initializing a remote backend, when in fact `terraform init` handles the migration automatically and safely.

6
Multi-Select · hard

Which TWO statements are correct about Terraform state when using the S3 backend with DynamoDB for state locking?

Select 2 answers
A. The DynamoDB table must exist before running terraform init
B. The S3 bucket should be versioned to provide consistency checks and recovery options
C. State can be stored without specifying a key in the backend configuration
D. State is encrypted at rest by default using SSE
E. State locking prevents any read operations on the state file
Answers: B, D

Versioning is recommended for state integrity and recovery.

Why this answer

The S3 backend by default uses server-side encryption (SSE) for state at rest, and enabling bucket versioning provides consistency and recovery. The DynamoDB table must be created manually before use.

7
Multi-Select · hard

Which TWO of the following are valid methods to acquire a state lock in Terraform Cloud?

Select 2 answers
A. Automatic lock when a run is queued
B. Using a DynamoDB table configured in the backend block
C. Setting `lock=true` in the configuration file
D. Manual force-unlock via API or UI
E. Using a Consul session
Answers: A, D

Terraform Cloud automatically locks state for runs.

Why this answer

Terraform Cloud provides built-in locking. Options A and C are correct.

8
MCQ · hard

An organization uses Terraform with AWS S3 backend and DynamoDB for state locking. During a plan, you receive an error: 'Error acquiring the state lock'. The lock information in DynamoDB shows a lock from a previous session that crashed. What is the most appropriate next step?

A. Run terraform unlock
B. Run terraform force-unlock with the lock ID
C. Wait for the lock to expire automatically
D. Delete the lock item from DynamoDB table directly
Answer: B

This command releases the lock from the previous session.

Why this answer

The correct answer is B because when a Terraform process crashes while holding a state lock, the lock remains in DynamoDB and must be manually released. The `terraform force-unlock` command with the specific lock ID is the designed mechanism to override a stale lock, as it directly interacts with the DynamoDB locking table to remove the lock item. This is the safest and most appropriate method, as it ensures the lock is released in a controlled manner without risking state corruption.

Exam trap

HashiCorp often tests the distinction between `terraform unlock` (a non-existent command) and `terraform force-unlock` (the actual command), trapping candidates who assume a generic 'unlock' verb exists without knowing the exact syntax.

How to eliminate wrong answers

Option A is wrong because `terraform unlock` is not a valid Terraform command; the correct command is `terraform force-unlock`. Option C is wrong because DynamoDB state locks do not have a built-in automatic expiration or TTL; they persist indefinitely until explicitly removed, so waiting is ineffective. Option D is wrong because manually deleting the lock item from the DynamoDB table bypasses Terraform's safety checks and could lead to state corruption or concurrent access issues if another process is actively using the lock.

9
MCQ · hard

A team is migrating from local state to an S3 remote backend. They have existing state files in the working directory. After configuring the backend block and running `terraform init`, what is the correct next step to migrate the existing state?

A. Execute `terraform init` and confirm yes when prompted to copy existing state
B. Run `terraform state push` to upload the local state
C. Delete the local state file and run `terraform apply` to recreate
D. Manually copy the state file to S3 using AWS CLI
Answer: A

Terraform detects the backend change and offers to copy state during init.

Why this answer

When migrating from local to remote state, Terraform automatically prompts to copy state during `terraform init` if the backend block changes. Option C correctly identifies this.

10
MCQ · hard

Refer to the exhibit. A developer creates a new Terraform configuration with this backend block and runs terraform init. What will happen?

A. Terraform will initialize with a local backend because the remote backend configuration is incomplete.
B. Terraform will return an error and fail to initialize.
C. Terraform will use default values for the missing arguments and initialize successfully.
D. Terraform will prompt the developer interactively for the missing arguments.
Answer: B

The configuration is invalid; terraform init will fail with the error shown.

Why this answer

The backend block is missing required arguments (like bucket and region). Terraform will return an error during initialization and will not proceed.

11
Multi-Select · medium

Which four of the following statements about Terraform state management are correct? (Choose all that apply. There are four correct answers.)

Select 4 answers
A. Using remote state storage with a backend like S3 or Azure Storage provides locking to prevent concurrent modifications.
B. The `terraform state rm` command can be used to remove a resource from state without destroying the real infrastructure.
C. Sensitive data stored in state files can be protected by encrypting the state backend at rest.
D. The `terraform import` command updates the state file to include an existing resource, enabling Terraform to manage it.
E. Terraform automatically backs up the previous state file every time a new state is written.
F. The `terraform state list` command can modify the state file to rename a resource.

Why this answer

Remote state backends like S3 or Azure Storage support state locking (via DynamoDB or Azure Blob lease) to prevent concurrent modifications, ensuring consistency. The `terraform state rm` command removes a resource from state without destroying the real infrastructure, which is useful for detaching management. Encrypting the state backend at rest (e.g., S3 server-side encryption or Azure Storage encryption) protects sensitive data like passwords or keys stored in the state file.

The `terraform import` command updates the state file to include an existing resource, allowing Terraform to take over its management without recreating it.

Exam trap

HashiCorp often tests the misconception that `terraform state list` can modify state or that automatic backups are built-in, when in fact Terraform requires explicit backend versioning or manual backup configuration.

12
MCQ · easy

Refer to the exhibit. A developer modifies the configuration by changing the resource name from 'aws_instance.web' to 'aws_instance.web2'. After running terraform plan, the output indicates that a new resource 'aws_instance.web2' will be created, but no resource will be destroyed. What should the developer do to update the state to match the configuration?

A. Run terraform state mv to rename the resource in state.
B. Run terraform refresh to synchronize the state.
C. Run terraform state rm to remove the old resource and then run terraform import.
D. Run terraform apply, which will automatically update the state.
Answer: A

terraform state mv renames the resource address in state, so plan will treat it as the same resource.

Why this answer

Option A is correct because terraform state mv updates the resource address in the state file to match the new configuration name. Option B is wrong because removing and re-importing is unnecessary and more complex. Option C is wrong because terraform apply would try to create the new resource and destroy the old one, causing potential downtime.

Option D is wrong because terraform refresh only updates attributes, not resource addresses.

13
MCQ · easy

A developer is working on a Terraform configuration that manages a single resource. They want to import an existing AWS EC2 instance into state. Which command should they use?

A. terraform apply
B. terraform refresh
C. terraform import
D. terraform state mv
Answer: C

terraform import is the command to import existing resources into state.

Why this answer

Option C is correct because `terraform import` is the dedicated command for bringing an existing infrastructure resource (like an AWS EC2 instance) under Terraform management by attaching it to a resource block in the state file. It requires the resource address and the provider-specific ID (e.g., `aws_instance.my_instance i-1234567890abcdef0`) to map the real-world resource into the Terraform state without modifying the resource itself.

Exam trap

HashiCorp often tests the distinction between `terraform import` (which only updates state) and `terraform apply` (which modifies infrastructure), so the trap here is that candidates mistakenly think `terraform apply` can also import resources because it can create new ones, but it cannot attach to an existing resource that is not already in state.

How to eliminate wrong answers

Option A is wrong because `terraform apply` is used to create, update, or destroy resources based on the configuration, not to import existing resources into state. Option B is wrong because `terraform refresh` updates the state file to match real-world infrastructure but does not add new resources that are not already tracked in state; it cannot import a resource that has no corresponding state entry. Option D is wrong because `terraform state mv` moves a resource from one state address to another within the same state file or between state backends, but it does not bring an external resource into state for the first time.

14
MCQ · medium

A team uses Terraform Cloud workspaces to manage multiple environments. They notice that the state file for the production workspace is stored in a different backend than the development workspace. Which Terraform feature allows different workspaces to use different backends?

A. Using the -backend-config flag
B. Using the backend block with a workspace key
C. Using partial configuration with a backend block that has dynamic workspace references
D. Using a remote backend type
Answer: C

Partial configuration allows injecting workspace-specific values like bucket keys.

Why this answer

Option C is correct because Terraform supports partial backend configuration, where the backend block can omit certain arguments (like the bucket or path) and those values can be supplied dynamically at initialization time. By using a backend block with dynamic workspace references (e.g., `key = "${var.env}/terraform.tfstate"`), each workspace can resolve to a different storage path or even a different backend type when combined with workspace-specific `-backend-config` files. This allows the production and development workspaces to store their state in entirely different backends without hardcoding the configuration.

Exam trap

The trap here is that candidates often confuse the `-backend-config` flag (which supplies values to a single backend) with the ability to switch between entirely different backends per workspace, when in fact the dynamic workspace references in the backend block are what enable that per-workspace backend differentiation.

How to eliminate wrong answers

Option A is wrong because the `-backend-config` flag is used to supply partial configuration values at `terraform init` time, but it does not itself allow different workspaces to use different backends; it merely provides dynamic input to a single backend block. Option B is wrong because the `backend` block does not support a `workspace` key; the `workspace` key is used in the `cloud` block for Terraform Cloud workspaces, not for backend selection. Option D is wrong because the `remote` backend type is a specific backend that stores state in Terraform Cloud or Terraform Enterprise; while it can support multiple workspaces, it does not inherently allow different workspaces to use different backends—all workspaces using the `remote` backend share the same backend configuration.

15
MCQ · medium

An organization uses Terraform workspaces to manage multiple environments (dev, staging, prod) with the same configuration. What is the primary benefit of using workspaces for state management?

A. Workspaces reduce the number of Terraform configurations needed
B. Workspaces automatically synchronize state across team members
C. Each workspace has its own independent state file, preventing environment conflicts
D. Workspaces enable role-based access control to state
Answer: C

Workspaces separate state per environment.

Why this answer

Workspaces allow the same configuration to be applied to multiple environments with separate state files. Option B correctly captures this isolation.

16
MCQ · easy

A team uses an S3 backend for Terraform state. During a `terraform apply`, another team member accidentally runs a plan that also modifies the same state. Which feature prevents state corruption in this scenario?

A. The `-lock=false` flag
B. Terraform Cloud remote operations
C. State locking via DynamoDB
D. State versioning in S3
Answer: C

State locking uses DynamoDB to acquire a lock, preventing multiple operations.

Why this answer

State locking prevents concurrent modifications to the state file. Options A and C are not related to state locking. Option D is not a built-in feature.

17
MCQ · medium

Refer to the exhibit. A Terraform configuration includes an `aws_instance.web` resource. The state shows the instance with a specific AMI and instance type. After running `terraform plan`, Terraform reports no changes. However, an engineer observes that the actual instance in AWS has a different AMI ID but the same instance type. What is the most likely cause?

A. The instance type was modified after the last apply, but AMI was not
B. The state file has not been refreshed since the manual AMI change; it still reflects the old AMI
C. The `terraform plan` command ignores drift by default
D. The AMI data source is returning a different value each time
Answer: B

Terraform compares state to config, not state to real world, unless refresh happens.

Why this answer

If the state shows the old AMI, but the actual instance has a different AMI, the state is stale. A `terraform refresh` or apply should detect drift. Option C correctly identifies that the state has not been refreshed.

18
MCQ · hard

A user accidentally ran `terraform state rm` on a critical resource, removing it from state but not destroying the actual infrastructure. Later, they need to re-import the resource. Which sequence of commands correctly accomplishes this?

A. `terraform state push` with the original state file
B. `terraform plan` and then `terraform apply`
C. `terraform refresh` and then `terraform plan`
D. `terraform import` using the resource address and ID of the resource
Answer: D

Import adds the resource back to state without destroying it.

Why this answer

After removal, the resource is unmanaged. `terraform import` re-associates it with state. Option D is the correct sequence.

19
MCQ · medium

A team manages infrastructure with Terraform and uses a remote backend in an S3 bucket. After a recent state migration, a developer runs 'terraform plan' and gets an error: 'Error: Error loading state: NoSuchKey: The specified key does not exist.' The developer confirms that the state file exists in the bucket. What is the most likely cause?

A. The backend configuration in the Terraform code does not match the actual state file path.
B. Terraform state locking is enabled but the lock was not released.
C. The S3 bucket policy does not allow reading the state file.
D. S3 bucket versioning is enabled, and the state file is a non-current version.
Answer: A

If the backend key or workspace changed, Terraform looks for a different key, causing NoSuchKey.

Why this answer

The error 'NoSuchKey: The specified key does not exist' indicates that Terraform is looking for the state file at a specific key (path) in the S3 bucket, but that key does not exist. Since the developer confirms the state file exists in the bucket, the most likely cause is a mismatch between the backend configuration in the Terraform code (e.g., the `key` argument) and the actual path where the state file is stored. This often happens after a state migration if the backend configuration was not updated to reflect the new location.

Exam trap

HashiCorp often tests the distinction between access denied errors (403) and missing key errors (404), so the trap here is that candidates might confuse a permission issue with a path mismatch, especially when the state file is confirmed to exist in the bucket.

How to eliminate wrong answers

Option B is wrong because state locking uses a separate lock file (e.g., a DynamoDB table entry) and does not affect the existence or retrieval of the state file itself; a released lock would not cause a 'NoSuchKey' error. Option C is wrong because if the S3 bucket policy denied read access, the error would typically be an access denied (403) error, not a 'NoSuchKey' (404) error. Option D is wrong because versioning does not change the current key; Terraform by default retrieves the latest version of the state file, and a non-current version would still be accessible via the same key with a version ID, but the error indicates the key itself is missing.

20
Multi-Select · easy

Which THREE of the following are valid strategies to migrate Terraform state from a local backend to a remote backend?

Select 3 answers
A. Use terraform import for each resource
B. Manually copy the local state file to the remote backend storage
C. Change backend configuration and run terraform init -reconfigure
D. Use terraform init with the -migrate-state flag
E. Use the terraform state push command
Answers: B, C, D

This is a valid but manual way to migrate state.

Why this answer

The valid strategies are: change backend config and run `terraform init -reconfigure`, manually copy the state file to the remote location, or use `terraform init -migrate-state`. Other options are not appropriate for state migration.

21
MCQ · hard

A team uses a Consul backend for Terraform state. They want to encrypt state at rest. What should they do?

A. Store state in an encrypted S3 bucket instead
B. Use Terraform's built-in state encryption feature
C. It is not possible to encrypt state with the Consul backend
D. Enable encryption in the backend configuration using the `encrypt` argument
E. Use Vault Transit Engine to encrypt the state before storing
Answer: D

The Consul backend has an `encrypt` parameter that enables encryption at rest.

Why this answer

The Consul backend supports an `encrypt` argument that can be set to true to enable encryption at rest within Consul.

22
MCQ · hard

You are a DevOps engineer for a company that uses Terraform to manage infrastructure across multiple AWS accounts (production, staging, development). Each account has its own Terraform configuration and remote state stored in an S3 bucket with DynamoDB locking. Recently, the production deployment pipeline failed with the error: 'Error: Error loading state: AccessDenied: Access Denied'. The pipeline runs under an IAM role that has been working for months. The S3 bucket policy and IAM role permissions have not been changed. However, the team did recently enable S3 bucket versioning and added a lifecycle policy to transition objects to Glacier after 30 days. The state file was last modified 35 days ago. What is the most likely cause of the error?

A. The DynamoDB lock table has a stale lock from a previous deployment that is blocking read access.
B. The IAM role's permissions were inadvertently revoked due to a recent AWS policy change.
C. The S3 bucket policy now denies access to objects older than 30 days due to a new condition key.
D. The state file was transitioned to Amazon S3 Glacier by the lifecycle policy, and Terraform cannot read it without restoration.
Answer: D

Once an object is in Glacier, standard GetObject requests fail with AccessDenied unless the object is restored first.

Why this answer

D is correct because the S3 lifecycle policy transitions objects to the Glacier storage class after 30 days. The state file was last modified 35 days ago, so it has been moved to Glacier. Terraform cannot read objects in the Glacier storage class directly; it requires a restoration (e.g., using `aws s3api restore-object`) before the state can be accessed, resulting in the 'AccessDenied' error.

Exam trap

HashiCorp often tests the distinction between 'AccessDenied' errors caused by storage class transitions (e.g., Glacier) versus permission-based denials, and the trap here is that candidates may assume the error is due to a policy change or stale lock, ignoring the lifecycle policy's effect on object accessibility.

How to eliminate wrong answers

Option A is wrong because a stale DynamoDB lock would cause a 'lock acquisition' error (e.g., 'Error acquiring the state lock'), not an 'AccessDenied' error when loading state. Option B is wrong because the scenario explicitly states that the IAM role permissions and S3 bucket policy have not been changed, so a policy revocation is not the cause. Option C is wrong because S3 bucket policies do not automatically deny access based solely on object age unless a specific condition key (e.g., `s3:ObjectAgeInDays`) is explicitly added to the policy, and the scenario says the policy was not changed.

23
Multi-Select · medium

Which TWO of the following are required when configuring a Terraform backend for remote state storage?

Select 2 answers
A. Encryption at rest configuration
B. State locking support
C. A backend type (e.g., s3, azurerm, gcs)
D. Workspace configuration
E. Authentication credentials to access the backend
Answers: C, E

The backend type must be specified.

Why this answer

Backend configuration requires at minimum the backend type and authentication. Options B and D are correct.

24
MCQ · easy

What is the purpose of the `terraform state list` command?

A. List all resources in the current state file
B. List all resources in the current state file
C. List all resources defined in the Terraform configuration
D. List all available workspaces
E. List all providers used in the configuration
Answer: B

`terraform state list` outputs resource addresses for all resources in the state.

Why this answer

`terraform state list` lists all resources currently tracked in the state file. It does not show configuration or future plans.

25
MCQ · easy

A company uses Terraform with an S3 backend. A user accidentally deletes the state file. What is the best practice to recover the state?

A. Use terraform state pull from the local cache
B. Restore the state file from S3 bucket versioning
C. Use terraform import on all resources
D. Recreate the state from a terraform plan
E. Restore from the local terraform.tfstate.backup
Answer: B

S3 versioning retains previous versions, enabling direct restoration of the state file.

Why this answer

Using S3 versioning is the best practice because it allows you to restore the previous version of the state file. Other options, such as relying on local caches or re-importing resources, are not reliable or efficient.

26
Multi-Select · medium

Which TWO of the following are true about Terraform workspaces?

Select 2 answers
A. Workspaces can be used to manage different provider configurations
B. All workspaces share the same state file
C. The default workspace can be deleted
D. The default workspace is named 'default'
E. Each workspace has its own state file
Answers: D, E

The default workspace is indeed named 'default'.

Why this answer

Option D is correct because when you create a Terraform workspace, the default workspace is automatically named 'default'. This is the workspace that exists in every Terraform backend configuration unless you explicitly create or switch to another workspace. The name 'default' is a reserved identifier for the initial workspace.

Exam trap

HashiCorp often tests the misconception that workspaces can manage different provider configurations or that all workspaces share a single state file, when in fact workspaces only isolate state and have no effect on provider configuration.

27
MCQ · easy

After making manual changes to an AWS resource via the console, a Terraform user wants to update the state file to reflect those changes without modifying infrastructure. Which command should they run?

A. `terraform apply`
B. `terraform refresh`
C. `terraform import`
D. `terraform plan`
Answer: B

Refresh reconciles state with real infrastructure.

Why this answer

`terraform refresh` updates the state file to match real-world infrastructure without making changes. Option C correctly identifies this.

28
MCQ · medium

Refer to the exhibit. A developer runs `terraform apply` but receives an error that the state file is locked. Which of the following is a likely cause?

A. The DynamoDB table for locking is not configured
B. The S3 bucket does not exist
C. The IAM user lacks s3:ListBucket permission
D. The encryption key is incorrect
E. Another user has an active plan or apply running
Answer: E

This is the most common cause of a state lock error.

Why this answer

A state lock error typically occurs when another process (e.g., another user's plan or apply) is currently holding the lock. Other issues like bucket existence or permissions would cause different errors.

29
MCQeasy

A new developer joins a project that uses Terraform with a remote backend in GCS (Google Cloud Storage). They clone the repository and run `terraform init` successfully. However, when they run `terraform plan`, they get an error: "Error loading state: AccessDenied: 403 my-project-terraform-state@my-project.iam.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage bucket." What is the most likely resolution?

A.Disable access control on the bucket temporarily
B.Run `terraform init -reconfigure` to regenerate the backend configuration
C.Grant the `Storage Object Viewer` role to the service account on the GCS bucket
D.Change the backend to local state and commit the state to the repository
AnswerC

This allows the service account to read the state file.

Why this answer

The error indicates the service account used by Terraform lacks read access to the GCS bucket. Option C correctly addresses granting IAM permissions.

30
Multi-Selectmedium

Which TWO actions will cause Terraform to update the state file?

Select 2 answers
A.terraform fmt
B.terraform destroy
C.terraform apply
D.terraform validate
E.terraform plan
AnswersB, C

Destroy removes resources and updates the state accordingly.

Why this answer

`terraform apply` and `terraform destroy` both modify the state file. `plan`, `validate`, and `fmt` do not make changes to the state.

31
MCQhard

You are a DevOps engineer at a company that uses Terraform to manage infrastructure in AWS. The team recently adopted Terraform Cloud for remote state management and collaboration. They have a single workspace named 'production' that manages all production resources. Currently, the state file is stored in Terraform Cloud's default backend. The team wants to implement a disaster recovery strategy where they can restore the state file if Terraform Cloud experiences an outage. They also want to ensure that state file backups are taken automatically before every apply. Which approach should they recommend?

A.Manually download the state file from Terraform Cloud UI after each apply
B.Enable S3 replication on Terraform Cloud's internal state storage
C.Switch to an S3 backend with DynamoDB locking and configure Terraform Cloud to run remotely but store state locally
D.Use Terraform Cloud's API to download the state file before each apply and store it in a secure S3 bucket with versioning enabled
AnswerD

This automates backups before each apply and provides a separate location for recovery.

Why this answer

Option D is correct because it provides an automated, auditable backup of the Terraform state file before each apply, using Terraform Cloud's API to download the state and storing it in an S3 bucket with versioning enabled. This ensures disaster recovery capability independent of Terraform Cloud's availability, while versioning allows rollback to any previous state backup. The approach aligns with the requirement for automatic backups before every apply without altering the remote execution model.

Exam trap

The trap here is that candidates may assume Terraform Cloud's internal state storage is configurable or that switching to an S3 backend is compatible with Terraform Cloud's remote execution model, but Terraform Cloud requires its own backend for state management and does not expose underlying storage for replication.

How to eliminate wrong answers

Option A is wrong because manually downloading the state file from the Terraform Cloud UI after each apply is not automated, violates the requirement for backups before every apply, and introduces human error risk. Option B is wrong because Terraform Cloud's internal state storage is a managed service; customers cannot enable S3 replication on it, as they have no access to the underlying storage infrastructure. Option C is wrong because switching to an S3 backend with DynamoDB locking and configuring Terraform Cloud to run remotely but store state locally is contradictory—Terraform Cloud's remote execution requires state to be stored in its backend, and local state storage would break collaboration and remote operations.

32
MCQeasy

Which command can be used to see the current state of a specific resource in the Terraform state?

A.`terraform state show <resource>`
B.`terraform output`
C.`terraform state list`
D.`terraform show`
AnswerA

Shows detailed state for a specific resource.

Why this answer

`terraform state show` displays attributes of a single resource. Option A is correct. Option C lists resources.

Option D shows plan/output. Option B shows outputs.

33
MCQmedium

During a deployment, a user runs `terraform apply` but the command fails because the state lock cannot be acquired. They suspect the lock should have been released after the previous `apply` but is still held. What command can they use to force unlock the state?

A.`terraform init -force-copy`
B.`terraform force-unlock <lock_id>`
C.`terraform state unlock`
D.`terraform break-lock`
AnswerB

This command force releases a stuck lock.

Why this answer

`terraform force-unlock` is the command to manually release a stuck lock. Option B is correct. Options A, C, and D are not valid or not intended for this purpose.

34
MCQeasy

A user wants to remove a specific resource from Terraform state without destroying the actual infrastructure. Which command should they use?

A.terraform state rm resource
B.terraform taint resource
C.terraform state mv resource
D.terraform destroy -target=resource
AnswerA

This removes the resource from state without affecting the real infrastructure.

Why this answer

The `terraform state rm` command is the correct choice because it removes a specified resource from the Terraform state file without making any API calls to the actual infrastructure provider. This allows the resource to be detached from Terraform management while leaving the real-world resource running, which is exactly what the user wants.

Exam trap

HashiCorp often tests the distinction between state manipulation commands that affect only the state file versus commands that trigger actual infrastructure changes, so candidates may confuse `terraform state rm` with `terraform destroy` or `terraform taint`.

How to eliminate wrong answers

Option B is wrong because `terraform taint` marks a resource for recreation on the next apply, but it does not remove the resource from state or leave the infrastructure intact. Option C is wrong because `terraform state mv` moves a resource to a different address within the state file, but it does not remove it from state or detach it from management. Option D is wrong because `terraform destroy -target=resource` will actually delete the specified infrastructure resource, which is the opposite of what the user wants.

35
Multi-Selectmedium

Which TWO of the following are valid methods to share data between Terraform configurations?

Select 2 answers
A.Use output variables across configurations
B.Use modules to share state
C.Use depends_on to pass values
D.Store shared data in a common backend and read it via data sources
E.Use terraform_remote_state data source
AnswersD, E

Same as A, but a broader description.

Why this answer

Option D is correct because storing shared data in a common backend (e.g., an S3 bucket with DynamoDB locking) and reading it via data sources (like the `terraform_remote_state` data source) allows different Terraform configurations to consume outputs from one another without duplicating state or breaking isolation. This pattern is the recommended way to share data across configurations because it leverages the backend's locking and consistency guarantees.

Exam trap

HashiCorp often tests the misconception that output variables alone can be used across configurations, but they require an explicit data source like `terraform_remote_state` to be consumed externally.

36
Multi-Selecthard

Which THREE of the following are best practices for managing Terraform state?

Select 3 answers
A.Edit state files directly to fix drift
B.Use remote backends to store state files
C.Enable versioning on the state storage backend
D.Store state files locally to avoid network latency
E.Use state locking to prevent concurrent modifications
AnswersB, C, E

Remote backends enable sharing and locking.

Why this answer

Remote backends (e.g., S3, Azure Storage, Terraform Cloud) store state outside the local filesystem, enabling team collaboration, durability, and integration with state locking and encryption. This prevents loss of state due to local machine failure and ensures all team members work from the same state file, which is critical for consistent infrastructure management.

Exam trap

HashiCorp often tests the misconception that local state is simpler and thus better for small teams, but the exam expects you to recognize that remote backends with locking and versioning are mandatory best practices for any collaborative or production Terraform workflow.

37
MCQmedium

An organization uses a shared remote backend. They want to prevent concurrent apply operations that could corrupt the state. What built-in mechanism does Terraform provide?

A.State locking
B.File permissions on the remote state file
C.Workspace isolation
D.State locking
E.Backend versioning
AnswerA

Terraform's state locking ensures only one operation modifies the state at a time.

Why this answer

Terraform uses state locking to prevent concurrent writes. When one operation holds the lock, others must wait or fail. This is built-in for supported backends.

38
MCQeasy

A user runs `terraform apply` and receives an error: 'Error acquiring the state lock'. What is the most likely cause?

A.Another user is running a Terraform command that modifies state.
B.The state file is missing.
C.The backend configuration is invalid.
D.The Terraform provider is incompatible.
AnswerA

Only one operation can hold the state lock at a time.

Why this answer

The error indicates another operation holds the state lock. Option A is correct because only one user can modify state at a time. Option B is incorrect because a missing state file would cause a different error.

Option C is incorrect because backend configuration errors appear during init, not apply. Option D is incorrect because provider incompatibility causes plugin errors.

39
Multi-Selectmedium

Which TWO statements about Terraform state locking are correct?

Select 2 answers
A.State locking prevents concurrent modifications to the same state file.
B.State locking is enabled by default when using a local state backend.
C.State locking is not supported in Terraform Cloud.
D.State locking is only necessary when multiple team members are running terraform apply simultaneously.
E.State locking requires a backend that supports locking, such as S3 with DynamoDB table.
AnswersA, E

Locking serializes access to state, preventing conflicts.

Why this answer

Option A is correct because state locking prevents concurrent operations on the same state file. Option E is correct because remote backends like S3 require a DynamoDB table to support locking. Option B is false because local state does not have locking by default.

Option C is false because Terraform Cloud does support locking, but it's not automatically handled without configuration (actually it is automatic, but we made the statement false for this question). Option D is false because locking is important for any team size.

40
MCQhard

A Terraform state file is stored in an S3 bucket with versioning enabled. During a deployment, the state file becomes corrupted due to a network error. What is the best way to recover?

A.Use `terraform state pull` to overwrite the corrupted state.
B.Run `terraform import` to import all resources.
C.Restore the previous version of the state file from S3 versioning.
D.Delete the state file and run `terraform apply` to recreate all resources.
AnswerC

Versioning provides a quick rollback to a good state.

Why this answer

S3 versioning allows restoring previous state versions. Option C is correct. Option D would destroy resources if state is deleted.

Option A pulls existing state, not helpful. Option B is too manual.

41
MCQmedium

An organization stores state files in an S3 backend with encryption. However, some resource attributes (e.g., database passwords) are stored in plaintext within the state. What is the recommended approach to avoid storing sensitive values in state?

A.Use a secrets backend like Vault to retrieve secrets at runtime and store only references in state
B.Set the `sensitive` parameter on all resources
C.Enable state encryption with a stronger algorithm
D.Use the `terraform state rm` command after apply to remove sensitive attributes
AnswerA

This ensures secrets are never written to state, only referenced.

Why this answer

Terraform can mark outputs as sensitive to hide them from display, but they may still be stored in state. Option A is a common practice to avoid storing secrets directly.

42
MCQmedium

Refer to the exhibit. A user runs `terraform state list` and receives the output shown. The configuration defines an `aws_instance.web` resource with count = 3 and an `aws_s3_bucket.data` resource. After some changes, the user runs `terraform plan` and sees that the plan wants to create a new `aws_instance.web[2]` and destroy the existing `aws_instance.web[2]`. What is the most likely cause?

A.The state file was corrupted.
B.The count was changed from 3 to 2 and back to 3.
C.The AMI was updated, causing replacement only for index 2.
D.The instance type was changed, causing replacement.
AnswerB

Reducing then increasing count causes recreation of the highest index resource.

Why this answer

If count was reduced to 2 and then increased back to 3, Terraform will see the existing resource at index 2 as needing to be recreated because its address may have changed. Option A is the most likely. Option B could cause update in-place if no destroy, but create+destroy suggests index reassignment.

Option C is unlikely. Option D is unrelated.

43
MCQmedium

A team of five engineers manages infrastructure using Terraform with remote state stored in an S3 bucket and state locking via a DynamoDB table. After a power outage, an engineer notices that a terraform apply command fails with the message: 'Error: Error acquiring the state lock'. The engineer suspects that a lock from a previous run has not been released. The team needs to proceed with applying changes. Which action should the engineer take to resolve the issue safely?

A.Wait for the lock to expire automatically (locks have a 5-minute TTL).
B.Delete the lock record from the DynamoDB table using the AWS CLI.
C.Run terraform force-unlock with the lock ID obtained from the error message.
D.Run terraform apply with the -lock=false flag to bypass locking.
AnswerC

force-unlock is the safe way to remove a lock when the holding process is no longer running.

Why this answer

Option C is correct. `terraform force-unlock` is the intended method to remove a stuck lock, provided the lock holder process is dead. Option A is incorrect because locks do not automatically expire (unless specially configured with TTL). Option B is risky as directly modifying DynamoDB may lead to inconsistent state.

Option D bypasses locking entirely, which can cause state corruption if other operations are in progress.

44
Multi-Selectmedium

Which three of the following are valid command-line operations that modify the Terraform state? (Choose three.)

Select 3 answers
A.`terraform plan`
B.`terraform apply -auto-approve`
C.`terraform state rm`
D.`terraform state list`
E.`terraform import`
AnswersB, C, E

Applies changes and updates state.

Why this answer

`terraform import` writes state for imported resources (E correct). `terraform state rm` removes resources from state (C correct). `terraform apply` writes new state (B correct). `terraform state list` and `plan` are read-only.

45
Multi-Selecteasy

Which TWO of the following are valid reasons to use Terraform state?

Select 2 answers
A.Automatically applying changes when configuration files are saved.
B.Storing sensitive data like passwords and API keys.
C.Providing a backup of the infrastructure to restore in case of disaster.
D.Improving performance for large infrastructures by caching resource attributes.
E.Mapping real-world resources to configuration.
AnswersD, E

State caches attribute values, reducing API calls during planning.

Why this answer

Option D is correct because Terraform state acts as a cache for resource attributes, which significantly improves performance for large infrastructures. By storing the current state of resources locally or remotely, Terraform avoids making repeated API calls to the cloud provider for every `plan` or `apply` operation, reducing latency and API rate limits. This caching mechanism is essential for efficiently managing complex deployments with hundreds or thousands of resources.

Exam trap

HashiCorp often tests the misconception that Terraform state is a backup or disaster recovery mechanism, but in reality, it is a mapping and caching layer that must be managed carefully to avoid drift and corruption.

46
MCQhard

Refer to the exhibit. An engineer sees this error. Which command should they run to force-unlock?

A.terraform force-unlock my-company-terraform-state/prod/terraform.tfstate
B.terraform unlock -id=123456
C.terraform state unlock 123456
D.terraform init -force-unlock=123456
E.terraform force-unlock 123456
AnswerE

This is the correct command using the lock ID.

Why this answer

The `terraform force-unlock` command requires the lock ID as an argument. In the exhibit, the lock ID is '123456', so the correct command is `terraform force-unlock 123456`. Other options use incorrect syntax or incorrect identifiers.

47
MCQhard

An organization uses Terraform Cloud workspaces to manage multiple environments. They notice that after promoting a configuration change from development to production workspace, the production workspace's state file contains references to resources that were only created in development. What is the most likely cause?

A.The workspaces were configured to use the same S3 backend and prefix, causing state overlap.
B.The user ran `terraform state mv` to move resource instances from development to production workspace.
C.A user manually edited the production state file to include development resources.
D.The development workspace's output values were used in production via `terraform_remote_state`.
AnswerB

This directly moves resource addresses between workspace states.

Why this answer

Option B is correct because `terraform state mv` can move resources between workspace state files. Options A and D would cause data references but not state file content changes. Option C is unlikely as manual editing is error-prone.

48
MCQeasy

A user wants to use a remote state backend for the first time. After adding the backend configuration, which command must they run to migrate the state from local to remote?

A.`terraform plan`
B.`terraform init`
C.`terraform apply`
D.`terraform state push`
AnswerB

This command initializes the backend and offers to copy state.

Why this answer

`terraform init` with backend configuration will prompt to migrate state. Option B is correct. Options A, C, and D are not designed for initial migration.

49
MCQhard

A user runs `terraform plan` and notices that the plan includes 'Outgoing changes' for a number of resources that were not modified in the configuration. What is the most likely cause?

A.The provider version has changed.
B.The resources were manually changed in the cloud provider.
C.The backend configuration changed.
D.The state file is outdated and needs to be refreshed.
AnswerD

State may not reflect current infrastructure, causing planned changes.

Why this answer

`terraform plan` compares configuration to state. If state is outdated (e.g., after manual changes), plan will show drift even without config changes. Option A correct.

Option B could cause, but less likely. Option C is possible but most likely state is not refreshed. Option D unrelated.

50
MCQhard

Refer to the exhibit. A developer updates the network state and runs terraform apply. The aws_instance.web is not recreated. Which statement explains this behavior?

A.The instance resource does not reference the remote state data source, so changes to the remote state do not trigger recreation.
B.Terraform automatically locks the remote state to prevent changes during apply.
C.The security group resource depends on the remote state, and it was updated, but the instance was not affected.
D.The remote state data source is cached and only refreshes every hour.
AnswerA

Terraform only recreates resources when their own arguments change. The instance does not use any output from the remote state.

Why this answer

The data source data.terraform_remote_state.network is read during planning and is not stored in state. If the remote state changes, Terraform will see the new vpc_id and may update the security group, but the instance resource does not depend on the remote state, so it is not affected.

51
MCQmedium

A team is using a remote backend in Terraform Cloud. After a failed apply, the state file is locked. The team lead wants to unlock the state immediately. What should be done?

A.Delete the state file from the backend and reinitialize
B.Run terraform force-unlock with the lock ID
C.Manually edit the state file to remove the lock
D.Run terraform unlock
AnswerB

The terraform force-unlock command with the lock ID manually releases the lock.

Why this answer

The `terraform force-unlock` command with the lock ID is the correct way to manually unlock a state file in Terraform Cloud after a failed apply. This command overrides the backend's lock mechanism, which is designed to prevent concurrent modifications and state corruption. Deleting or editing the state file would bypass Terraform's safety guarantees and risk data loss or inconsistency.

Exam trap

The trap here is that candidates may confuse `terraform force-unlock` with a non-existent `terraform unlock` command, or mistakenly think that deleting or editing the state file is a valid workaround, when in fact Terraform's state locking is enforced at the backend API level and requires the proper command with the lock ID.

How to eliminate wrong answers

Option A is wrong because deleting the state file from the backend destroys the entire state history and can cause Terraform to lose track of managed resources, leading to orphaned infrastructure or re-creation attempts. Option C is wrong because manually editing the state file is unsupported and dangerous; it can corrupt the state, break Terraform's internal structure, and is not a valid operation for removing a lock. Option D is wrong because `terraform unlock` is not a valid Terraform command; the correct command is `terraform force-unlock`, which requires the lock ID as an argument.

52
Multi-Selecteasy

Which two statements about Terraform state files are true? (Choose two.)

Select 2 answers
A.State files are automatically encrypted at rest by all backends.
B.State files should be stored in version control.
C.State files are used to map configuration to real-world resources.
D.State files can be shared across multiple users simultaneously without issues.
E.State files can contain sensitive data such as database passwords.
AnswersC, E

This is the primary function of state.

Why this answer

State files contain resource attributes, including sensitive outputs, so E is true. State provides a mapping, so C is true. B is false because state files should not be in version control.

D is false because concurrent writes would corrupt state. A is false because not all backends provide encryption.

53
MCQeasy

Refer to the exhibit. A user has this backend configuration. The user then runs `terraform init` and receives an error: 'NoSuchBucket: The specified bucket does not exist'. What is the most likely cause?

A.The bucket does not exist and needs to be created.
B.The AWS region is wrong.
C.The DynamoDB table is missing.
D.The credentials lack S3 permissions.
AnswerA

NoSuchBucket error means the bucket doesn't exist in the specified region.

Why this answer

The error 'NoSuchBucket' indicates the bucket does not exist in the specified region. Option D is correct. Option A would give a different error.

Option B would give access denied. Option C is irrelevant.

54
MCQmedium

A user wants to inspect the current attributes of a specific resource in the Terraform state. Which command should they use?

A.terraform state list <resource>
B.terraform output
C.terraform state show <resource>
D.terraform plan
E.terraform show
AnswerC

This command outputs the full state data for the given resource address.

Why this answer

`terraform state show <resource>` displays the attributes and metadata of a specific resource as stored in the state.

55
Matchingmedium

Match each Terraform state command to its action.

Concepts
Matches

List resources in the state

Show details of a single resource in state

Move an item in the state

Remove an item from the state

Download current state from backend

Why these pairings

State management commands allow direct state manipulation.

56
MCQeasy

Refer to the exhibit. What does the output indicate?

A.The Terraform configuration defines three resources
B.The state file tracks three resources
C.Three providers are configured
D.Three workspaces are in use
E.The plan will create three resources
AnswerB

These are the resources currently stored in the state.

Why this answer

The `terraform state list` command lists all resources currently tracked in the state file. Here it shows three resources: a VPC, a subnet, and an EC2 instance.

57
MCQhard

Refer to the exhibit. A user runs `terraform plan` and receives this error. The user is using a local backend. Which of the following is the most likely cause?

A.The workspace is not selected correctly.
B.The configured state file path's directory does not exist.
C.The state file is corrupted.
D.The backend is misconfigured for remote state.
AnswerB

The parent directory must exist for Terraform to create the state file.

Why this answer

For local backend, specifying a `path` in the configuration to a non-existent directory causes this error because Terraform cannot create the state file in a missing directory. Option A is correct. Option B would not cause this error.

Option C would cause different errors. Option D is unrelated.

58
Multi-Selectmedium

Which THREE of the following are best practices for Terraform state management in a team environment?

Select 3 answers
A.Use separate state files for different environments (dev, prod)
B.Store state files in a version control repository
C.Enable state locking to prevent concurrent modifications
D.Store state files in a remote backend shared by the team
E.Manually edit the state file to correct drift
AnswersA, C, D

Separation reduces blast radius.

Why this answer

Best practices include remote state, state locking, and isolating environments. Options A, C, and D are correct.

59
MCQmedium

A developer runs `terraform apply` and receives the error: 'Error acquiring the state lock'. Another engineer is currently running `terraform plan`. What should the developer do?

A.Run terraform init to reinitialize the backend
B.Wait for the lock to be released automatically
C.Run terraform force-unlock with the lock ID
D.Run terraform plan with -lock=false to bypass the lock
E.Delete the lock file from the S3 bucket
AnswerB

The lock will be released when the other engineer's plan completes. Waiting is the safest approach.

Why this answer

The safest action is to wait for the lock to be released. Force-unlocking without proper cause can corrupt the state, and disabling locks can cause concurrency issues.

60
MCQeasy

Which of the following is NOT a valid backend type for storing Terraform state?

A.terraform cloud
B.local
C.kubernetes
D.s3
E.http
AnswerC

Kubernetes is not a supported Terraform backend for state storage.

Why this answer

The official Terraform backends include s3, local, http, and terraform cloud. Kubernetes is not a standard backend type.

61
MCQmedium

A DevOps engineer manages infrastructure with Terraform using an S3 backend with DynamoDB locking. During a `terraform apply`, the engineer's network connection drops. After reconnecting, they run `terraform plan` and get an error: "Error acquiring the state lock." The lock is from the previous session. The engineer has verified that no other operations are running. What is the appropriate next step to proceed?

A.Delete the DynamoDB table and recreate it
B.Wait 15 minutes for the lock to expire automatically
C.Use `terraform force-unlock <lock_id>` to remove the stale lock
D.Run `terraform init` to reset the backend connection
AnswerC

Force-unlock removes the lock entry in DynamoDB.

Why this answer

When a lock is stuck, the correct action is to force-unlock using the lock ID. Option C is correct.

62
MCQmedium

A team uses an S3 backend with DynamoDB locking. They accidentally delete the DynamoDB table used for state locking. What is the immediate consequence?

A.Terraform commands that require state locking will fail with a locking error.
B.State operations will continue without locking, risking corruption.
C.Terraform will automatically create a new DynamoDB table.
D.The state file will be migrated to local storage.
AnswerA

Without the DynamoDB table, lock operations fail, causing errors.

Why this answer

When the DynamoDB table is deleted, Terraform cannot acquire or release locks, so any command needing locking (apply, plan, destroy) will fail. Option A is correct. Option B is incorrect because Terraform will not proceed without lock; it returns an error.

Options C and D are not automatic behaviors.

63
Multi-Selecthard

A team uses an S3 backend for state storage with DynamoDB locking. They want to migrate to a new S3 bucket. Which two steps are necessary to perform a successful state migration? (Choose two.)

Select 2 answers
A.Run `terraform plan` to verify no resource changes before migration.
B.Delete the old state file after migration.
C.Run `terraform init -reconfigure` to update the backend configuration.
D.Manually copy the state file from the old bucket to the new bucket.
E.Update the `backend` block in the Terraform configuration with the new bucket name.
AnswersC, E

This command initializes the new backend and copies state.

Why this answer

To migrate state to a new backend, update the backend configuration (E) and run `terraform init -reconfigure` (C) to initialize the new backend and copy state automatically. Option D is not needed because `init` copies state. Option B is dangerous.

Option A is good practice but not necessary.

64
MCQmedium

A company uses Terraform to manage infrastructure across multiple AWS accounts. They want to use a single S3 bucket to store state files for all accounts, but ensure that state files are isolated per account. What is the best approach?

A.Use Terraform workspaces with a single state file
B.Use separate state files with unique S3 key prefixes per account
C.Store all state in the same S3 key
D.Use a DynamoDB table with different lock IDs per account
AnswerB

Unique key prefixes ensure each account has its own state file.

Why this answer

Option B is correct because using separate state files with unique S3 key prefixes per account ensures that each AWS account's Terraform state is stored in the same S3 bucket but logically isolated. This approach leverages S3's hierarchical key structure to prevent cross-account state contamination, while still allowing centralized management. Terraform's backend configuration supports dynamic key prefixes (e.g., `key = "account-${var.account_id}/terraform.tfstate"`), enabling per-account isolation without requiring separate buckets or workspaces.

Exam trap

The trap here is that candidates confuse Terraform workspaces with true state isolation across accounts, not realizing that workspaces only provide logical separation within a single backend path and do not prevent cross-account state conflicts when using a shared S3 bucket.

How to eliminate wrong answers

Option A is wrong because Terraform workspaces store state files within the same backend path (same S3 key) by default, using a directory-like structure (e.g., `env:/workspace_name`), which does not provide true isolation per AWS account—state files can still be accidentally overwritten or accessed across workspaces if the backend key is not carefully managed. Option C is wrong because storing all state in the same S3 key would cause all accounts to share a single state file, leading to conflicts, corruption, and inability to manage separate infrastructure stacks. Option D is wrong because DynamoDB lock IDs are used for state locking and consistency, not for isolating state files per account; different lock IDs do not prevent state file collisions when multiple accounts write to the same S3 key.

65
MCQhard

Refer to the exhibit. A developer runs terraform plan and sees "No changes". However, the developer knows that manual changes were made to the infrastructure outside Terraform. What is the most likely reason terraform plan does not detect the drift?

A.The manual changes were made to resources not managed by Terraform.
B.Terraform only detects drift when running terraform apply.
C.The manual changes were reverted before the plan was run.
D.Terraform plan does not refresh state by default; it uses the existing state file.
AnswerD

By default, terraform plan runs a refresh to update state before planning, but if the refresh is skipped or fails, drift may not be detected.

Why this answer

Terraform plan compares the state file to the configuration. If the state file does not reflect manual changes (because it was not refreshed), terraform plan may not detect drift unless -refresh-only or a refresh is performed.

66
MCQhard

After running terraform apply, you see the error: 'Error: Error loading state: state snapshot was created by Terraform v0.12.0, but this is Terraform v1.2.0'. What should you do to resolve this?

A.Run terraform state upgrade
B.Run terraform apply with no changes to upgrade the state format
C.Delete the state file and reimport resources
D.Downgrade Terraform to v0.12.0
AnswerB

Running terraform apply will upgrade the state to the current version.

Why this answer

Option B is correct because running `terraform apply` with no changes triggers Terraform to automatically upgrade the state file format to the version compatible with the current Terraform binary (v1.2.0). Terraform state files are versioned internally, and when a newer version of Terraform reads an older state format, it performs an in-place upgrade during the next state write operation, such as an apply that results in no changes. This avoids manual intervention or data loss.

Exam trap

HashiCorp often tests the misconception that there is a dedicated `terraform state upgrade` command, leading candidates to choose Option A, but Terraform handles state format upgrades implicitly during apply operations, not via a separate command.

How to eliminate wrong answers

Option A is wrong because `terraform state upgrade` is not a valid Terraform command; the correct command for upgrading state format is `terraform apply` with no changes or `terraform init -upgrade` for provider upgrades, not a dedicated state upgrade command. Option C is wrong because deleting the state file and reimporting resources is unnecessarily destructive and error-prone; it would require manual re-import of every resource, losing any existing state metadata and risking configuration drift. Option D is wrong because downgrading Terraform to v0.12.0 is a backward step that would lose access to features and fixes in v1.2.0, and it does not resolve the version mismatch; the state file would still be in the older format and would need to be upgraded eventually.

67
MCQhard

In a CI/CD pipeline, Terraform state is stored in Terraform Cloud. A pipeline run fails with the error: 'State version conflict'. What is the most likely cause?

A.Authentication failure with Terraform Cloud
B.Missing or incorrect backend configuration
C.State file exceeds maximum size limit
D.Terraform version mismatch between local and remote
E.Two runs started at the same time
AnswerB

A state version conflict can occur if the backend configuration is misconfigured, leading to mismatched state versions.

Why this answer

A state version conflict typically occurs when two runs attempt to modify the state simultaneously, even if Terraform Cloud serializes runs. This can happen if a run is triggered while another is still in progress.

68
Drag & Dropmedium

Drag and drop the steps to use Terraform modules from the registry in the correct order.

Why this order

Registry modules are sourced; init downloads, variables configure, plan/apply deploy.

69
MCQhard

Refer to the exhibit. A team member receives this error when running terraform apply. What is the most likely cause?

A.The state file is corrupted and needs to be restored from backup.
B.Another user is currently running terraform apply on the same state.
C.The S3 bucket containing the state has been deleted.
D.A previous Terraform process was terminated abruptly, leaving a stale lock.
AnswerD

The "OperationTypeInvalid" operation type indicates the lock was not properly released.

Why this answer

The lock info shows an operation type "OperationTypeInvalid", which typically occurs when a previous Terraform process was terminated abruptly (e.g., Ctrl+C, crash), leaving the lock in place.

70
MCQhard

Refer to the exhibit. A developer runs terraform plan and receives this error. What should the developer do to resolve the error?

A.Run terraform plan again; the error will self-resolve after a few minutes.
B.Run terraform init -migrate-state to migrate the state to the new region.
C.Update the backend configuration in the Terraform code to match the previous region.
D.Run terraform state rm to remove the state file and start fresh.
AnswerB

This command reinitializes the backend and migrates the existing state to the new backend configuration.

Why this answer

The error indicates that the backend configuration has changed (the region changed from us-east-1 to us-west-2). Terraform requires re-initialization when backend configuration changes.

71
MCQmedium

A team uses a remote state backend with partial configuration. They have a `backend` block with only the `bucket` attribute, and the rest of the backend configuration is provided via CLI during `terraform init`. Which of the following best describes the purpose of partial configuration?

A.It reduces the number of files needed for configuration.
B.It is required when using Terraform Cloud.
C.It enables state locking.
D.It allows sensitive backend configuration to be provided dynamically, avoiding hardcoding.
AnswerD

This is the main benefit of partial configuration.

Why this answer

Partial configuration allows passing backend settings via CLI or environment variables, preventing hardcoded secrets. Option A is correct. The others are not primary purposes.

72
MCQhard

Your organization uses Terraform Cloud with a remote execution mode. There are two workspaces: `app-prod` and `app-staging`. The state for `app-prod` is stored in the `prod` workspace, and `app-staging` in the `staging` workspace. Recently, a new developer joined the team and tried to run `terraform plan` locally for the `app-staging` workspace. They received an error: "S3Backend bucket 'my-company-tf-state' does not exist." The developer is not using Terraform Cloud locally. The team uses a remote backend configuration with Terraform Cloud. What is the most likely cause?

A.The developer forgot to run `terraform workspace select staging`
B.The Terraform Cloud workspace `app-staging` is not set to use remote state
C.The developer lacks AWS credentials to access the S3 bucket
D.The developer is running Terraform locally without having the correct backend configuration; they should run `terraform init -reconfigure` to reinitialize backend settings for local execution
AnswerD

If the backend is pointing to a non-existent S3 backend (e.g., misconfigured), re-initializing fixes it.

Why this answer

If the developer is running Terraform locally without Terraform Cloud, they need to reconfigure the backend to local state or use the remote backend properly. Option D correctly identifies that the developer should use `terraform init -reconfigure` to set up the remote backend locally.

73
MCQhard

A company manages multiple microservices across AWS accounts. Each service has its own Terraform configuration and state file stored in a shared S3 bucket. The team uses `terraform_remote_state` data sources to read outputs from other services' state files. A service team recently changed the output structure in their state, breaking the `terraform_remote_state` calls from other services. The affected services now show errors during plan. What is the best practice to avoid such cross-service dependency issues?

A.Publish service outputs to a dedicated data store (e.g., AWS SSM Parameter Store or Consul) and have other services consume those values instead of reading state directly
B.Use versioning on the S3 bucket and revert to a previous state version
C.Lock the state files and require approval for any changes
D.Store outputs in a configuration management database and read from there
AnswerA

This decouples dependencies and uses a stable API.

Why this answer

Cloud-native integration patterns with explicit contracts (like SSM Parameter Store) are more robust than raw state reading. Option D is correct.
