The correct answer is to change the root module's required version to ~> 2.70, because the conflict arises when the module declares a provider version constraint (such as ~> 2.70) that is incompatible with the root module's requirement (like >= 3.0). In Terraform, provider version conflicts between root and module occur because the root module's required_providers block sets the ultimate version ceiling, and if the module’s constraint falls outside that range, Terraform cannot find a single satisfying version. On the HashiCorp Terraform Associate TF-003 exam, this scenario tests your understanding of provider versioning semantics and the principle that the root module’s constraints take precedence, but the safest resolution is to align the module’s constraint upward rather than downgrading the root. A common trap is assuming you can simply delete the root constraint or manually edit the .terraform lock file, but those are unsupported or risk losing features. Memory tip: think “module must meet root, not the other way around”—always update the module’s version pin to match the root’s range.
TF-003 Interact with Terraform modules Practice Question
This TF-003 practice question tests your understanding of interact with terraform modules. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Refer to the exhibit.
```
$ terraform init
Initializing modules...
Downloading hashicorp/consul/aws 0.7.2 from registry.terraform.io...
- consul in .terraform/modules/consul
Initializing the backend...
Initializing provider plugins...
- Finding hashicorp/aws versions matching ">= 3.0"...
- Installing hashicorp/aws v3.74.0...
- Installed hashicorp/aws v3.74.0
Error: Unsupported terraform provider version
on .terraform/modules/consul/main.tf line 1, in terraform:
1: terraform {
2: required_providers {
3: aws = {
4: source = "hashicorp/aws"
5: version = "~> 2.70"
6: }
7: }
8: }
The root module requires hashicorp/aws >= 3.0, but the module requires ~> 2.70.
```
What is the correct way to resolve this provider version conflict?
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
Change the root module's required version to ~> 2.70.
The conflict arises because the module requires a provider version (~> 2.70) that is incompatible with the root's requirement (>= 3.0). The best solution is to update the module's required provider version, if possible, to be compatible with the root. Option A is wrong because removing the root constraint may allow a version that satisfies both, but it's better to update the module. Option B is wrong because downgrading the root version to 2.x may lose features. Option D is wrong because manually editing .terraform is not supported.
Key principle: NAT direction and interface roles matter as much as the IP address mapping. Inside/outside designation controls which traffic is translated.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗
Ignore the module's required_providers and force install the root version.
Why it's wrong here
You cannot override a module's required_providers; it must be updated in the module source.
✗
Remove the required_providers block from the root module.
Why it's wrong here
This may lead to using an older version that satisfies both, but it's not ideal and may cause other issues.
✓
Change the root module's required version to ~> 2.70.
Why this is correct
This aligns the root with the module's requirement, solving the conflict.
Related concept
Static NAT maps one inside address to one outside address.
✗
Manually edit the .terraform/modules/consul/main.tf to change the version.
Why it's wrong here
Manual edits in .terraform are overwritten on init; the module source must be modified.
Common exam traps
Common exam trap: NAT rules depend on direction and matching traffic
NAT is not only about the public address. The inside/outside interface roles and the ACL or rule that matches traffic are just as important.
Detailed technical explanation
How to think about this question
NAT questions usually test address translation, overload/PAT behaviour, static mappings and whether the right traffic is being translated. Read the interface direction and address terms carefully.
KKey Concepts to Remember
Static NAT maps one inside address to one outside address.
PAT allows many inside hosts to share one public address using ports.
Inside local and inside global describe the private and translated addresses.
NAT ACLs identify traffic for translation, not always security filtering.
TExam Day Tips
→Identify inside and outside interfaces first.
→Check whether the scenario needs static NAT, dynamic NAT or PAT.
→Do not confuse NAT matching ACLs with normal packet-filtering intent.
Key takeaway
NAT direction and interface roles matter as much as the IP address mapping. Inside/outside designation controls which traffic is translated.
Real-world example
How this comes up in practice
A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.
What to study next
Got this wrong? Here's your next step.
Review the four NAT address types (inside local, inside global, outside local, outside global), PAT port overload, and static vs dynamic NAT use cases. Then practise related TF-003 NAT questions on configuration and troubleshooting.
Interact with Terraform modules — This question tests Interact with Terraform modules — Static NAT maps one inside address to one outside address..
What is the correct answer to this question?
The correct answer is: Change the root module's required version to ~> 2.70. — The conflict arises because the module requires a provider version (~> 2.70) that is incompatible with the root's requirement (>= 3.0). The best solution is to update the module's required provider version, if possible, to be compatible with the root. Option A is wrong because removing the root constraint may allow a version that satisfies both, but it's better to update the module. Option B is wrong because downgrading the root version to 2.x may lose features. Option D is wrong because manually editing .terraform is not supported.
What should I do if I get this TF-003 question wrong?
Review the four NAT address types (inside local, inside global, outside local, outside global), PAT port overload, and static vs dynamic NAT use cases. Then practise related TF-003 NAT questions on configuration and troubleshooting.
What is the key concept behind this question?
Static NAT maps one inside address to one outside address.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This TF-003 practice question is part of Courseiva's free HashiCorp certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the TF-003 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.