The correct answer is that the provisioner fails because it references a computed attribute that is not known until after resource creation. In Terraform’s execution model, attributes like `public_ip` are only resolved during the apply phase when the cloud provider assigns the value, meaning they are marked as “unknown” at plan time. Since provisioners run inline with resource creation—not after the resource is fully applied—they cannot use values that are not yet computed, leading to a provisioner failure due to unknown computed attributes. On the HashiCorp Terraform Associate TF-003 exam, this tests your understanding of Terraform’s dependency resolution and lifecycle: a common trap is assuming provisioners behave like outputs or data sources that wait for all values. Remember the memory tip: “Provisioners run during creation, not after completion—if it’s unknown at plan, it’s a fail for the man.”
TF-003 Understand IaC concepts Practice Question
This TF-003 practice question tests your understanding of understand iac concepts. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Refer to the exhibit.
```hcl
resource "aws_instance" "web" {
ami = "ami-0c55b159cbfafe1f0"
instance_type = "t2.micro"
provisioner "local-exec" {
command = "echo ${aws_instance.web.public_ip} > ip.txt"
}
}
```
A developer runs terraform apply with the configuration above. The resource is created successfully, but the provisioner fails because the public_ip attribute is not yet known at plan time. What is the most likely cause?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "most likely"
Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
The provisioner references a computed attribute that is not known until after resource creation.
Option C is correct because the `public_ip` attribute of an AWS instance is a computed attribute that is not known until the resource is created and the cloud provider assigns an IP address. In Terraform, provisioners run during resource creation, but if they reference attributes that are only available after the resource is fully created (i.e., after the apply completes), the plan will fail with an error indicating the value is unknown. This is a fundamental behavior of Terraform's execution model: provisioners execute in the same context as the resource creation, and any attribute that is not known at plan time cannot be used in a provisioner unless it is explicitly deferred using `on_failure = continue` or similar workarounds.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗
The AMI ID is incorrect.
Why it's wrong here
The AMI ID is valid for Amazon Linux 2.
✗
The local-exec provisioner requires network access to the instance.
Why it's wrong here
local-exec runs on the machine running Terraform, not on the instance.
✓
The provisioner references a computed attribute that is not known until after resource creation.
Why this is correct
The public_ip is not known until after the instance is created and assigned an IP.
Clue confirmation
The clue word "most likely" in the question point toward this answer.
Related concept
Read the scenario before looking for a memorised answer.
✗
The provisioner runs before the state file is written.
Why it's wrong here
Provisioners run after resource creation, not before state write.
Common exam traps
Common exam trap: answer the scenario, not the keyword
HashiCorp often tests the misconception that provisioners run after the resource is fully created and all attributes are available, but the trap is that provisioners execute during the apply phase and cannot use attributes that are not yet known at plan time, even if they will be known later in the same apply.
Detailed technical explanation
How to think about this question
Under the hood, Terraform's plan phase evaluates all expressions to determine if they are known or unknown. Computed attributes like `public_ip` are marked as unknown until the resource is created, and provisioners that reference them will cause a plan error because Terraform cannot guarantee the value will be available at provisioner execution time. A real-world scenario is when using `self.public_ip` in a `local-exec` provisioner to run a script that pings the instance; this fails unless the attribute is explicitly made known by using `depends_on` or by using a `null_resource` with a trigger that forces the provisioner to run after the instance is fully created. This behavior is defined in Terraform's core execution logic and is a common source of confusion for developers migrating from imperative tools like Ansible.
KKey Concepts to Remember
Read the scenario before looking for a memorised answer.
Find the constraint that changes the correct option.
Eliminate answers that are true in general but not in this case.
TExam Day Tips
→Watch for words such as best, first, most likely and least administrative effort.
→Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A practitioner preparing for the TF-003 exam encounters this exact type of scenario on the job. The correct answer here is not the most general option — it is the best answer for the specific constraint described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Real exam questions reward reading the full scenario before eliminating options, because the constraint defines which answer fits.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Understand IaC concepts — This question tests Understand IaC concepts — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: The provisioner references a computed attribute that is not known until after resource creation. — Option C is correct because the `public_ip` attribute of an AWS instance is a computed attribute that is not known until the resource is created and the cloud provider assigns an IP address. In Terraform, provisioners run during resource creation, but if they reference attributes that are only available after the resource is fully created (i.e., after the apply completes), the plan will fail with an error indicating the value is unknown. This is a fundamental behavior of Terraform's execution model: provisioners execute in the same context as the resource creation, and any attribute that is not known at plan time cannot be used in a provisioner unless it is explicitly deferred using `on_failure = continue` or similar workarounds.
What should I do if I get this TF-003 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Are there clue words in this question I should notice?
Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This TF-003 practice question is part of Courseiva's free HashiCorp certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the TF-003 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.