CCNA IaC Concepts Questions

52 questions · IaC Concepts topic · All types, answers revealed

1
Multi-Select · hard

Which two statements accurately describe the difference between declarative and imperative IaC approaches? (Choose two.)

Select 2 answers
A. Imperative is only used for scripting, not IaC
B. Declarative tools are always faster than imperative tools
C. Declarative focuses on the desired outcome, while imperative specifies step-by-step commands
D. Imperative can lead to configuration drift because steps may cause unintended states
E. Declarative eliminates the need for idempotency
Answers: C, D

This is the fundamental difference.

Why this answer

Option C is correct because declarative IaC, as used in Terraform with HCL, allows you to define the desired end state of infrastructure (e.g., 'I want an AWS EC2 instance with AMI ami-0c55b159cbfafe1f0 and instance type t2.micro'), and the tool automatically determines the necessary steps to achieve that state. In contrast, imperative IaC, such as using AWS CLI commands or Ansible playbooks with explicit 'command' modules, requires you to specify each step (e.g., 'run aws ec2 run-instances, then wait, then tag'). This fundamental difference in approach is a core concept in the TF-003 exam.

Exam trap

HashiCorp often tests the misconception that declarative IaC eliminates the need for idempotency, but in reality, declarative tools enforce idempotency through state management and plan generation, making it a key feature rather than an omission.

2
Matching · medium

Match each Terraform command to its primary function.


Initialize a working directory with provider plugins

Create an execution plan

Execute the actions proposed in a plan

Destroy previously-created infrastructure

Check configuration for syntax and internal consistency

Why these pairings

These are core Terraform CLI commands and their purposes.

3
MCQ · hard

A user runs 'terraform plan' and gets an error: 'No state file was found!'. Which is the most likely cause?

A. The backend configuration changed after the last apply.
B. The state file was manually edited in S3.
C. Another user ran 'terraform apply' concurrently.
D. The workspace does not exist.
Answer: D

If the workspace is new or deleted, no state file exists.

Why this answer

Option D is correct because the absence of a state file indicates the workspace does not exist or is empty. Option B would cause corruption, not absence. Option A would cause a backend mismatch. Option C would cause a lock conflict.

4
Multi-Select · easy

Which two are benefits of using Infrastructure as Code? (Choose two.)

Select 2 answers
A. Guaranteed cost optimization
B. Removes need for cloud providers
C. Reproducible environments
D. Automated documentation
E. Elimination of all manual errors
Answers: C, D

IaC allows exact replication of infrastructure.

Why this answer

C (Reproducible environments) and D (Automated documentation) are key benefits. E is false because manual errors are reduced but not eliminated. A is false because cost optimization is not a direct benefit of IaC. B is false because IaC still requires cloud providers.

5
MCQ · hard

An organization manages multiple environments (dev, staging, prod) using Terraform. They want to minimize code duplication while allowing environment-specific variable values. Which approach best achieves this goal?

A. Use a separate Git branch for each environment, each with its own Terraform configuration.
B. Write a single Terraform configuration that uses count and conditional expressions to create resources based on environment variable.
C. Use Terraform workspaces with a single configuration and define all variable values in one .tfvars file.
D. Organize the repository with a shared modules directory and separate subdirectories for each environment that call the same modules with environment-specific .tfvars files.
Answer: D

This structure maximizes reuse and keeps environment-specific variables separate.

Why this answer

Option D is correct because it leverages Terraform's module system to define reusable infrastructure components in a shared directory, while each environment (dev, staging, prod) has its own subdirectory with a root configuration that calls those modules and passes environment-specific `.tfvars` files. This minimizes code duplication by keeping the module logic in one place, and allows per-environment variable values without mixing concerns. It follows the recommended pattern for multi-environment management in Terraform, avoiding the pitfalls of branches, workspaces, or conditional logic that can lead to complexity or state corruption.

Exam trap

HashiCorp often tests the misconception that Terraform workspaces are the correct way to manage multiple long-lived environments, but workspaces are actually designed for short-lived or temporary infrastructure, not for permanent dev/staging/prod separation, because they share the same backend configuration and can lead to accidental state corruption if not carefully isolated.

How to eliminate wrong answers

Option A is wrong because using separate Git branches for each environment leads to configuration drift, merge conflicts, and makes it difficult to promote changes consistently across environments; Terraform state is not designed to be managed across branches. Option B is wrong because using `count` and conditional expressions within a single configuration to create resources based on an environment variable results in a monolithic state file, making it hard to apply changes to one environment without affecting others, and it violates the principle of separating environments for safety and isolation. Option C is wrong because Terraform workspaces share the same configuration and backend, but defining all variable values in one `.tfvars` file forces all workspaces to use the same variable file, which defeats the purpose of environment-specific values; workspaces are better suited for temporary or testing scenarios, not for managing distinct environments like dev, staging, and prod with different variable sets.

6
MCQ · medium

A team uses Terraform to manage multiple AWS EC2 instances with a 'count' meta-argument. They need to reference the ID of the third instance in another resource's configuration. Which expression should they use?

A. aws_instance.example[1].id
B. aws_instance.example[2].id
C. element(aws_instance.example.*.id, 3)
D. aws_instance.example[3].id
Answer: B

Index 2 is the third instance (zero-based).

Why this answer

Option B is correct because indices are zero-based, so 'aws_instance.example[2]' refers to the third instance. Option D (index 3) is the fourth. Option A (index 1) is the second. Option C uses 'element' with index 3, also the fourth.

7
MCQ · medium

A company is managing multiple cloud environments (dev, test, prod) using Terraform. They want to ensure consistent configurations across environments while allowing environment-specific values. Which IaC practice best supports this?

A. Using data sources only
B. Hardcoding values
C. Duplicating configuration files
D. Using variables and workspaces
Answer: D

Variables allow customization, and workspaces isolate state for each environment, maintaining consistency.

Why this answer

Using variables and workspaces (D) allows parameterization and separation of environments without duplicating code. Duplicating configuration (C) leads to drift. Data sources (A) fetch data but don't manage environments. Hardcoding (B) is inflexible.

8
MCQ · medium

Refer to the exhibit. A team is using this S3 backend configuration. During a deployment, they receive an error that the state file is locked. What is the most likely cause?

A. The S3 bucket does not exist
B. The region is incorrect
C. The DynamoDB table is not provisioned or the IAM role lacks permissions
D. The key path is incorrect
Answer: C

DynamoDB is used for state locking; if it's missing or inaccessible, lock fails.

Why this answer

Option C is correct because the error message 'state file is locked' directly indicates that Terraform is attempting to acquire a lock on the state using DynamoDB, but the lock table either does not exist or the IAM role used by Terraform lacks the required permissions (dynamodb:PutItem, dynamodb:GetItem, dynamodb:DeleteItem, dynamodb:DescribeTable). Without a properly provisioned DynamoDB table or sufficient IAM permissions, the locking mechanism fails, producing this specific error.

Exam trap

HashiCorp often tests the distinction between S3 access errors and DynamoDB lock errors, so candidates mistakenly attribute the lock error to S3 bucket issues (like missing bucket or wrong region) rather than recognizing it as a DynamoDB-specific failure.

How to eliminate wrong answers

Option A is wrong because if the S3 bucket did not exist, Terraform would return an error such as 'bucket does not exist' or 'NoSuchBucket', not a state lock error. Option B is wrong because an incorrect region would cause an 'InvalidAccessKeyId' or 'region not found' error when trying to access S3, not a lock-related error. Option D is wrong because an incorrect key path would result in a 'NoSuchKey' error when trying to read the state file, not a lock contention issue.

9
MCQ · hard

After applying the configuration above, the user changes the AMI to a new value and runs 'terraform apply'. Assuming the new AMI triggers a recreate, what happens during the apply?

A. The existing instance is deleted before the new one is created.
B. Both instances run simultaneously only if the instance type allows it.
C. The new instance is created first, then the old one is deleted.
D. The plan fails because AMI change with create_before_destroy is not allowed.
Answer: C

Create_before_destroy ensures the new resource is ready before removing the old.

Why this answer

Option C is correct because Terraform's default lifecycle behavior for most resources is 'create_before_destroy = false', meaning the old resource is destroyed before the new one is created. However, when a resource's configuration change triggers a recreate (like an AMI change for an AWS instance), Terraform first creates the new instance, then destroys the old one, ensuring minimal downtime. This is the standard behavior for resources that support replacement, as Terraform plans the creation of the new resource before destroying the old one to maintain availability.

Exam trap

HashiCorp often tests the misconception that Terraform always destroys before creating, but the trap here is that for resources requiring replacement (like an AMI change), Terraform defaults to creating the new resource first to minimize downtime, unless explicitly configured otherwise.

How to eliminate wrong answers

Option A is wrong because Terraform does not delete the existing instance before creating the new one when a recreate is triggered; it creates the new instance first to avoid downtime, unless 'create_before_destroy' is explicitly set to false or the resource type defaults to destroy-before-create. Option B is wrong because both instances running simultaneously is not dependent on the instance type; it is a result of Terraform's default 'create_before_destroy' behavior for resources that support replacement, and the instance type does not control this lifecycle ordering. Option D is wrong because an AMI change with 'create_before_destroy' is fully allowed and is a common scenario; Terraform supports this lifecycle configuration and will plan the creation of the new instance before destroying the old one.

10
MCQ · easy

Which statement best describes 'immutable infrastructure' in the context of IaC?

A. Configuration is changed via patches and updates
B. Servers are never modified after deployment; new ones are created for updates
C. Resources are shared across environments
D. Infrastructure is version-controlled
Answer: B

This is the core principle of immutability.

Why this answer

Immutable infrastructure means never modifying servers after deployment; instead, new servers are created for any changes (B). A describes mutable. D is generally true but not specific to immutable. C is not related.

11
MCQ · hard

Refer to the exhibit. After applying this configuration, a team member manually changes the instance type to 't2.small' via the AWS console. The next `terraform plan` shows a change to revert to 't2.micro'. What does this demonstrate?

A. Terraform's drift detection only
B. Immutable infrastructure pattern
C. Terraform's desired state reconciliation
D. A misconfiguration in the Terraform code
Answer: C

Terraform plans to revert the change to match the configuration, which is reconciliation.

Why this answer

Terraform has detected configuration drift (the manual change) and plans to reconcile back to the desired state defined in configuration (C). B is incorrect because immutable infrastructure would replace the instance entirely. A is partially true but the key point is reconciliation, not just detection. D is false.

12
MCQ · medium

A development team is using a declarative IaC tool. They make a change to the configuration file to add a new security group rule. When they apply the configuration, the tool automatically modifies the existing security group to add the rule. What is this behavior called?

A. Desired state reconciliation
B. Provisioning
C. Imperative execution
D. Resource drift
Answer: A

The tool reconciles the current state to match the desired configuration.

Why this answer

This behavior is called desired state reconciliation because declarative IaC tools like Terraform or AWS CloudFormation compare the current state of infrastructure against the desired state defined in the configuration file. When a new security group rule is added to the configuration, the tool automatically computes the necessary changes to reconcile the actual state with the desired state, creating, updating, or deleting resources as needed. This is a core principle of declarative IaC, where the user specifies the 'what' and the tool handles the 'how'.

Exam trap

The trap here is that candidates confuse the automatic correction of drift with the initial provisioning process, or they mistakenly think that any automated change is 'imperative execution' rather than recognizing the declarative reconciliation loop.

How to eliminate wrong answers

Option B is wrong because provisioning refers to the initial creation and setup of infrastructure resources, not the ongoing process of modifying existing resources to match a desired configuration. Option C is wrong because imperative execution involves explicitly scripting each step (e.g., using AWS CLI commands to add a rule), whereas the question describes a declarative tool that automatically determines the actions. Option D is wrong because resource drift is a condition where the actual state of infrastructure diverges from the desired state over time, not the automatic correction of that divergence through reconciliation.

13
MCQ · hard

An organization is evaluating IaC tools and wants to minimize configuration drift. Which characteristic of a declarative IaC approach is most effective in preventing drift?

A. Periodic state comparison and correction
B. Manual approval gates
C. Tagging resources
D. Using modules
Answer: A

Declarative tools like Terraform regularly check and enforce desired state, preventing drift.

Why this answer

A declarative IaC approach defines the desired end state of infrastructure, and tools like Terraform use periodic state comparison (e.g., `terraform plan` and `terraform apply`) to detect and correct any configuration drift. This automated reconciliation ensures the actual infrastructure matches the declared configuration, directly preventing drift without manual intervention.

Exam trap

HashiCorp often tests the misconception that drift prevention is achieved through code organization (modules) or operational controls (approvals), rather than the core declarative mechanism of automated state comparison and correction.

How to eliminate wrong answers

Option B is wrong because manual approval gates (e.g., in CI/CD pipelines) enforce process control but do not automatically detect or correct drift in the deployed infrastructure. Option C is wrong because tagging resources is a metadata labeling practice that aids in resource identification and cost allocation, not a mechanism for drift detection or correction. Option D is wrong because using modules promotes code reuse and consistency but does not inherently perform state comparison or auto-remediation against drift.

14
Multi-Select · easy

Which two commands are part of the standard Terraform workflow for provisioning infrastructure?

Select 2 answers
A. terraform init
B. terraform fmt
C. terraform apply
D. terraform import
E. terraform taint
Answers: A, C

Initializes the working directory for Terraform.

Why this answer

`terraform init` is correct because it initializes a working directory containing Terraform configuration files, downloading the required providers and modules. `terraform apply` is correct because it executes the actions proposed in a Terraform plan to provision or change infrastructure resources. These two commands form the core of the standard workflow: initialize, plan, and apply.

Exam trap

HashiCorp often tests the distinction between provisioning commands and lifecycle or maintenance commands, so candidates may incorrectly select `terraform taint` or `terraform import` because they associate them with changing infrastructure, even though they do not directly provision new resources.

15
MCQ · hard

A Terraform configuration includes a variable for a database password marked as sensitive. When a user runs 'terraform apply', the password appears as (sensitive) in the plan output. However, they want to pass this password to a provisioner as an environment variable. What should they do?

A. Use the variable directly; sensitive only affects CLI output.
B. Use the nonsensitive() function around the variable when assigning.
C. Store the password in a local value with sensitive = false.
D. Remove the sensitive flag from the variable.
Answer: B

nonsensitive() allows using the value but keeps it marked sensitive in state.

Why this answer

Option B is correct because 'nonsensitive()' allows using the value while preserving the sensitive flag in state. Option D would expose the password in logs. Option A is false; sensitive affects output. Option C does not help.

16
Multi-Select · medium

Which TWO statements about Infrastructure as Code (IaC) are correct?

Select 2 answers
A. IaC is only applicable to cloud-based infrastructure.
B. IaC eliminates configuration drift entirely.
C. IaC enables automated provisioning and management of infrastructure.
D. IaC allows the same configuration to be applied multiple times with the same result.
E. IaC tools require manual execution of scripts.
Answers: C, D

Automation is a core benefit of IaC.

Why this answer

Option C is correct because IaC is fundamentally about automating the provisioning and management of infrastructure through machine-readable definition files, enabling consistent, repeatable deployments without manual intervention. Tools like Terraform use a declarative language (HCL) to define resources, and the IaC engine handles the creation, modification, and deletion of those resources based on the desired state defined in the configuration.

Exam trap

HashiCorp often tests the misconception that IaC eliminates drift entirely, when in reality it only detects and corrects drift through reconciliation, and candidates may also incorrectly assume IaC is cloud-only, missing its applicability to on-premises and hybrid environments.

17
MCQ · medium

A company has a Terraform module that creates an AWS VPC with subnets. They want to reuse this module across multiple AWS accounts. What is the best practice for referencing the module from different root configurations?

A. Store the module in a shared S3 bucket and reference it with the module source.
B. Use a module registry and specify a version constraint.
C. Use a data source to fetch the module's output from another state.
D. Copy the module code into each root configuration's directory.
Answer: B

Registries provide versioning and easy sharing.

Why this answer

Option B is correct because using a module registry with version constraints ensures consistency and easy updates. Option D leads to duplication and drift. Option C is for sharing data, not modules. Option A is possible but lacks native versioning and registry features.

18
MCQ · medium

A team uses Terraform to manage AWS resources. After a manual change to an S3 bucket policy through the AWS console, Terraform's next plan shows that it will revert the policy to the configuration. This is an example of which concept?

A. Configuration drift and correction
B. Immutable infrastructure
C. Resource tagging
D. Imperative provisioning
Answer: A

The manual change is drift, and Terraform's plan to revert is correction.

Why this answer

Configuration drift and correction (A): the manual change caused drift, and Terraform plans to correct it. Immutable infrastructure (B) would involve replacing the resource, not modifying it. Imperative provisioning (D) is not relevant. Resource tagging (C) is unrelated.

19
MCQ · hard

An organization uses Terraform Cloud with VCS-driven runs. They have two workspaces: network and application. They want a new run in the application workspace to automatically trigger whenever the network workspace completes a successful plan. What should they configure?

A. Run triggers in the application workspace pointing to the network workspace.
B. A webhook from Terraform Cloud to an external CI system.
C. Use 'terraform apply' with '-target' to simulate dependency.
D. Run triggers in the network workspace pointing to the application workspace.
Answer: A

Run triggers automate downstream runs based on upstream successes.

Why this answer

Run triggers in Terraform Cloud allow one workspace to automatically queue a run in another workspace after a successful plan. By configuring a run trigger in the application workspace that points to the network workspace, any successful plan in the network workspace will automatically initiate a new run in the application workspace, satisfying the requirement without external tools or manual steps.

Exam trap

The trap here is that candidates often confuse the direction of run triggers, thinking they should be configured on the upstream workspace (network) pointing to the downstream (application), when in fact they must be set on the downstream workspace (application) pointing to the upstream (network).

How to eliminate wrong answers

Option B is wrong because a webhook to an external CI system introduces unnecessary complexity and external dependencies; Terraform Cloud’s native run triggers provide the same functionality directly. Option C is wrong because 'terraform apply -target' is used to apply only specific resources within a single workspace, not to trigger cross-workspace runs, and it does not automate dependency-based triggering. Option D is wrong because run triggers are configured in the downstream workspace (the one that needs to be triggered), not in the upstream workspace; pointing from network to application would not cause the application workspace to run when network completes.

20
MCQ · easy

A team wants to ensure that their infrastructure configuration repeatedly results in the same environment regardless of the initial state. Which IaC concept is most directly associated with this goal?

A. Version control
B. Idempotency
C. Orchestration
D. Provisioning
Answer: B

Idempotency ensures that applying the same configuration repeatedly yields the same outcome, matching the goal.

Why this answer

Idempotency ensures that applying the same configuration multiple times always results in the same desired state, regardless of the starting state. In Terraform, this is achieved by the provider's ability to detect drift and reconcile the real-world infrastructure with the declared configuration in the .tf files. Without idempotency, repeated runs could create duplicate resources or fail to correct unintended changes.

Exam trap

HashiCorp often tests idempotency by contrasting it with version control, where candidates mistakenly think that simply tracking changes in Git ensures repeatable environments, ignoring that idempotency is about the execution behavior, not the history.

How to eliminate wrong answers

Option A is wrong because version control tracks changes to configuration files over time but does not guarantee that applying those files repeatedly yields the same environment; it only provides history and rollback. Option C is wrong because orchestration coordinates the order and execution of multiple automated tasks (e.g., provisioning, configuration) but does not inherently ensure that each individual operation is idempotent. Option D is wrong because provisioning is the act of creating resources (e.g., via Terraform apply) but does not by itself guarantee that subsequent runs will leave the environment unchanged if the initial state differs.

21
Multi-Select · easy

Which TWO statements correctly describe Infrastructure as Code principles?

Select 2 answers
A. IaC enables version control of infrastructure configurations.
B. IaC requires manual approval for every infrastructure change.
C. IaC is only applicable to public cloud environments.
D. IaC eliminates the need for configuration management tools.
E. IaC promotes repeatable and consistent deployments.
Answers: A, E

IaC configurations are stored as code, making them easy to version control.

Why this answer

A and E are correct because IaC enables version control of configurations (A) and promotes repeatable, consistent deployments (E). D is incorrect because IaC does not eliminate configuration management tools; they often complement each other. B is incorrect because IaC can automate changes without manual approval for every change. C is incorrect because IaC is applicable to on-premises, hybrid, and multi-cloud environments, not just public cloud.

22
MCQ · easy

A company uses Terraform to deploy virtual machines. They want to ensure that the same exact operating system and software versions are used every time. Which practice supports this?

A. Manually installing software
B. Using a golden image and referencing it in the configuration
C. Using inline userdata scripts
D. Running configuration management after provisioning
Answer: B

A golden image provides a consistent base.

Why this answer

Option B is correct because using a golden image—a pre-configured virtual machine template containing the exact operating system and software versions—ensures consistency across deployments. Terraform can reference this image via the `source_image` or `image_id` argument in a resource like `azurerm_virtual_machine` or `aws_instance`, guaranteeing that every provisioned VM starts from the same immutable baseline.

Exam trap

HashiCorp often tests the misconception that userdata scripts or configuration management tools can guarantee identical software versions, but the trap is that these methods depend on external sources (repositories, scripts) that can change over time, whereas a golden image captures a fixed, immutable state at build time.

How to eliminate wrong answers

Option A is wrong because manually installing software introduces human error and configuration drift, defeating the goal of repeatable, identical deployments. Option C is wrong because inline userdata scripts (e.g., cloud-init) run at first boot and can install software, but they are prone to failures from network issues, repository changes, or script updates, and do not guarantee the same exact versions every time. Option D is wrong because running configuration management (e.g., Ansible, Chef) after provisioning applies changes to a running system, which can still result in version inconsistencies if the base image or package repositories differ.

23
Multi-Select · hard

Which three characteristics are associated with immutable infrastructure as practiced by Terraform?

Select 3 answers
A. New versions are deployed by creating new instances
B. Configuration drift is accepted
C. Rollbacks are performed by redeploying a previous version
D. Resources are replaced rather than modified in place
E. In-place updates are preferred
Answers: A, C, D

New instances are provisioned for each version.

Why this answer

Option A is correct because immutable infrastructure in Terraform involves deploying new versions by creating entirely new instances rather than modifying existing ones. This aligns with Terraform's resource lifecycle, where changes to certain attributes trigger destruction and recreation, ensuring a consistent and reproducible state.

Exam trap

The trap here is that candidates confuse immutable infrastructure with mutable patterns, mistakenly thinking that in-place updates or accepting drift are acceptable, when Terraform's immutable model strictly replaces resources to enforce consistency.

24
Drag & Drop · medium

Drag and drop the steps to initialize a Terraform working directory in the correct order.


Why this order

Initialization begins after writing configs; terraform init downloads providers/modules, creates .terraform directory, and validate checks syntax.

25
MCQ · easy

A Terraform user wants to visualize the execution order of resources before applying changes. Which command provides a dependency graph view?

A. terraform graph
B. terraform show
C. terraform plan
D. terraform output
Answer: A

Generates a visual dependency graph.

Why this answer

The `terraform graph` command generates a visual representation of the dependency graph for Terraform resources, showing the execution order based on implicit and explicit dependencies. This allows users to see which resources will be created, updated, or destroyed in sequence before applying changes. It outputs DOT format, which can be rendered with tools like Graphviz.

Exam trap

HashiCorp often tests the distinction between commands that show execution plans (`terraform plan`) versus those that visualize the underlying dependency graph (`terraform graph`), leading candidates to mistakenly choose `terraform plan` for graph visualization.

How to eliminate wrong answers

Option B is wrong because `terraform show` displays the current state or a saved plan file, not a dependency graph of execution order. Option C is wrong because `terraform plan` shows the execution plan as a textual diff of changes, not a visual dependency graph. Option D is wrong because `terraform output` retrieves output values from the state, not any graph or execution order visualization.

26
Multi-Select · hard

Which THREE of the following are benefits of using Infrastructure as Code (IaC) compared to manual infrastructure management?

Select 3 answers
A. Automated testing and deployment pipelines can be integrated.
B. Infrastructure can be replicated consistently across environments.
C. The same code can be used for any cloud provider without modification.
D. Infrastructure can be version controlled and changes tracked.
E. No learning curve is required; existing knowledge of manual processes applies directly.
Answers: A, B, D

IaC can be tested and deployed in CI/CD.

Why this answer

Option A is correct because IaC enables infrastructure to be defined in code, which can be integrated into automated CI/CD pipelines. Tools like Terraform or AWS CloudFormation allow infrastructure validation, testing, and deployment to be automated, reducing human error and speeding up delivery.

Exam trap

HashiCorp often tests the misconception that IaC is cloud-agnostic without modification, but in reality, provider-specific APIs and resource types require code changes, even when using abstraction layers like Terraform.

27
MCQeasy

A team is evaluating Terraform and Ansible for infrastructure provisioning. They note that Terraform describes the desired end state, while Ansible defines steps to reach that state. This difference is best described as:

A.Declarative vs imperative
B.Client-server vs agentless
C.Immutable vs mutable
D.Push vs pull
AnswerA

Terraform declares desired state; Ansible defines imperative steps.

Why this answer

Option A correctly identifies the declarative vs imperative paradigm. Option C (immutable vs mutable) describes update strategies. Options B and D are architectural patterns.

28
MCQmedium

Refer to the exhibit. What will happen when you run terraform plan?

A.The plan will prompt for the name interactively.
B.The plan will succeed and create the IAM user with a generated name.
C.The plan will fail with an error about missing required argument.
D.The plan will create the user with the path only.
AnswerC

Terraform validates required arguments; missing 'name' causes a validation error.

Why this answer

Option C is correct because the configuration is missing the required 'name' argument for an IAM user, so Terraform will fail validation with an error. Option B is incorrect because Terraform does not generate a name for required arguments. Option A is incorrect because Terraform does not prompt for missing arguments interactively.

Option D is incorrect because the resource cannot be created without the required name.

29
MCQhard

A team of five engineers uses Terraform with a remote backend in AWS S3 with DynamoDB state locking. One engineer runs 'terraform apply' but it hangs at 'Acquiring state lock'. What is the most likely cause?

A.Another engineer has an active lock from a previous run that was not released.
B.The S3 bucket policy denies the request.
C.A recent 'terraform init' was run without the proper backend configuration.
D.The DynamoDB table is in a different AWS region.
AnswerA

A held lock causes 'terraform apply' to wait until the lock is released.

Why this answer

The most likely cause is that another engineer has an active lock from a previous run that was not released. Terraform uses DynamoDB state locking to prevent concurrent modifications to the state file. When `terraform apply` hangs at 'Acquiring state lock', it indicates that the lock item in the DynamoDB table is still present, meaning a prior operation either crashed, was interrupted, or the lock was not explicitly released via `force-unlock`.

Exam trap

HashiCorp often tests the distinction between a hang (lock contention) and a hard failure (access denied, region mismatch, or backend misconfiguration), so the trap here is that candidates may confuse a permission or configuration error with a lock acquisition timeout.

How to eliminate wrong answers

Option B is wrong because if the S3 bucket policy denied the request, Terraform would fail with an access denied error, not hang indefinitely at the lock acquisition phase. Option C is wrong because a recent `terraform init` without proper backend configuration would cause a backend initialization error or state mismatch, not a hang at the lock step. Option D is wrong because the DynamoDB table being in a different AWS region would cause a connectivity or access error, not a hang; Terraform would fail quickly with a timeout or region mismatch error.

30
MCQhard

A developer runs terraform apply with the configuration above. The resource is created successfully, but the provisioner fails because the public_ip attribute is not yet known at plan time. What is the most likely cause?

A.The AMI ID is incorrect.
B.The local-exec provisioner requires network access to the instance.
C.The provisioner references a computed attribute that is not known until after resource creation.
D.The provisioner runs before the state file is written.
AnswerC

The public_ip is not known until after the instance is created and assigned an IP.

Why this answer

Option C is correct because the `public_ip` attribute of an AWS instance is a computed attribute that is not known until the resource is created and the cloud provider assigns an IP address. In Terraform, provisioners run during resource creation, but if they reference attributes that are only available after the resource is fully created (i.e., after the apply completes), the plan will fail with an error indicating the value is unknown. This is a fundamental behavior of Terraform's execution model: provisioners execute in the same context as the resource creation, and any attribute that is not known at plan time cannot be used in a provisioner unless it is explicitly deferred using `on_failure = continue` or similar workarounds.

Exam trap

HashiCorp often tests the misconception that provisioners run after the resource is fully created and all attributes are available, but the trap is that provisioners execute during the apply phase and cannot use attributes that are not yet known at plan time, even if they will be known later in the same apply.

How to eliminate wrong answers

Option A is wrong because an incorrect AMI ID would cause the resource creation itself to fail (e.g., invalid AMI error from AWS), not a provisioner failure due to an unknown attribute. Option B is wrong because the `local-exec` provisioner runs on the machine where Terraform is executed, not on the instance, so it does not require network access to the instance; it only needs local network access to reach the instance if the command itself (e.g., curl) targets the instance's IP. Option D is wrong because the provisioner runs after the resource is created and the state file is written (the state is updated during the apply, before provisioners execute), so the state file is available; the failure is due to the attribute being unknown at plan time, not due to state file timing.

31
MCQmedium

During development, a Terraform user wants to check that their configuration is syntactically valid and internally consistent before running 'terraform plan'. Which command should they use?

A.terraform init
B.terraform refresh
C.terraform validate
D.terraform fmt
AnswerC

Validates configuration syntax and internal logic.

Why this answer

The `terraform validate` command checks that a Terraform configuration is syntactically valid and internally consistent, such as verifying that resource names are unique and that references to other resources or data sources are correctly formed. It runs without requiring any cloud provider credentials or state, making it ideal for early-stage validation before `terraform plan`.

Exam trap

HashiCorp often tests the distinction between validation and formatting, so the trap here is that candidates confuse `terraform fmt` (which only fixes code style) with `terraform validate` (which checks for actual errors in the configuration).

How to eliminate wrong answers

Option A is wrong because `terraform init` initializes the working directory by downloading provider plugins and modules, but it does not validate the configuration's syntax or internal consistency. Option B is wrong because `terraform refresh` updates the state file with real-world infrastructure, which requires existing state and credentials, and it does not perform configuration validation. Option D is wrong because `terraform fmt` rewrites configuration files to a canonical format and style, but it does not check for syntactic or semantic validity.

32
MCQeasy

An organization wants to ensure that running the same Terraform configuration multiple times produces the same result without unintended changes. Which IaC concept is most critical for this goal?

A.Dynamic provider credentials
B.Modularity
C.Version control
D.Idempotency
AnswerD

Idempotency guarantees repeated runs produce the same outcome.

Why this answer

Idempotency ensures that applying the same Terraform configuration multiple times results in the same desired state, with no unintended changes on subsequent runs. Terraform achieves this by comparing the current state (stored in a state file) with the desired configuration and only making changes necessary to reconcile differences. This is the core principle behind Terraform's 'plan and apply' workflow, which guarantees repeatable infrastructure provisioning.

Exam trap

HashiCorp often tests the distinction between 'version control' and 'idempotency' by presenting version control as a plausible answer, since it is a fundamental IaC practice, but the question specifically asks about producing the same result across multiple runs, which is the definition of idempotency.

How to eliminate wrong answers

Option A is wrong because dynamic provider credentials (e.g., using AWS STS AssumeRole) relate to authentication and access control, not to ensuring repeatable, unchanged results across multiple runs. Option B is wrong because modularity improves code organization and reusability but does not inherently guarantee that repeated executions produce the same outcome; a non-idempotent module can still cause drift. Option C is wrong because version control tracks changes to configuration files over time but does not enforce that applying the same configuration multiple times yields identical infrastructure state; it is a best practice for collaboration, not a mechanism for idempotent execution.

33
Multi-Selectmedium

Which two are primary benefits of using Infrastructure as Code (IaC) with Terraform?

Select 2 answers
A.Consistent and repeatable deployments
B.Version-controlled infrastructure definitions
C.Real-time monitoring of infrastructure
D.Manual configuration of each resource
E.Automatic scaling based on CPU usage
AnswersA, B

IaC enforces consistency across environments.

Why this answer

Option A is correct because Terraform's declarative configuration files define the desired state of infrastructure, enabling consistent and repeatable deployments across environments. By applying the same configuration, Terraform ensures that the infrastructure is provisioned identically every time, eliminating configuration drift and manual errors.

Exam trap

HashiCorp often tests the distinction between IaC's provisioning benefits and operational features like monitoring or auto-scaling, leading candidates to confuse Terraform's declarative state management with runtime management tools.

34
MCQmedium

A startup is adopting Terraform to manage their cloud infrastructure. They want to ensure that changes to infrastructure are reviewed and approved before being applied. Which practice aligns with Infrastructure as Code principles to achieve this?

A.Implement a Git-based workflow with pull requests and automated plan reviews.
B.Use Terraform workspaces to separate environments and manually apply changes.
C.Store Terraform state files in a version control system to track changes.
D.Encourage developers to run terraform apply directly on production.
AnswerA

This enforces code review and automated validation, aligning with IaC best practices.

Why this answer

Option A is correct because it incorporates code review and automated validation, core IaC practices. Option C is wrong because state files contain sensitive data and should not be stored in VCS normally; remote backends are recommended. Option B is partially correct but manual apply without review is not best practice.

Option D is dangerous as it bypasses review and can lead to unintended changes.

35
MCQeasy

A junior administrator wants to practice Terraform by deploying a single web server in AWS. They write a configuration file and run terraform init and terraform apply. The deployment succeeds but they notice the web server is not accessible from the internet. What is the most likely reason?

A.The instance type chosen does not support public IP addresses.
B.The terraform init command failed and the apply did not actually create resources.
C.The subnet is configured as private and does not have a route to the internet.
D.The security group does not allow inbound HTTP/HTTPS traffic from 0.0.0.0/0.
AnswerD

Security group rules control inbound traffic; without allowing HTTP/HTTPS, the server is not accessible.

Why this answer

Option D is correct because even if the web server is deployed in a public subnet with a public IP address, the security group acts as a virtual firewall at the instance level. By default, AWS security groups block all inbound traffic. Without an explicit rule allowing inbound HTTP (port 80) or HTTPS (port 443) traffic from 0.0.0.0/0, the web server will not respond to internet requests, making it inaccessible from the internet.

Exam trap

HashiCorp often tests the misconception that a public subnet or public IP alone guarantees internet accessibility, when in fact the security group's inbound rules are the primary gatekeeper for traffic reaching the instance.

How to eliminate wrong answers

Option A is wrong because all AWS instance types support the assignment of public IP addresses; the ability to assign a public IP is controlled by the subnet's auto-assign public IP setting or the instance's network interface configuration, not the instance type. Option B is wrong because if terraform init had failed, terraform apply would not proceed to create resources; the question states the deployment succeeded, meaning both commands completed without error. Option C is wrong because a private subnet would prevent internet access entirely, but the question does not specify the subnet type; the most common and direct reason for a web server being inaccessible after a successful deployment is the lack of an inbound security group rule for HTTP/HTTPS traffic.

36
MCQmedium

A team is adopting Terraform to manage infrastructure. One requirement is that all configuration changes must be reviewed and approved before being applied. The team wants to ensure that the Terraform state file reflects the actual deployed infrastructure at all times. Which practice should they implement to meet these requirements?

A.Store state locally and use a manual approval process outside of Terraform.
B.Store state remotely and use a version control system with pull requests to review changes before applying.
C.Store state locally and use a shared network drive for team access.
D.Have each team member run terraform apply from their local machine after informal discussion.
AnswerB

Remote state enables team collaboration and VCS with PRs enforces review.

Why this answer

Storing state remotely (e.g., in S3, Azure Storage, or Terraform Cloud) enables state locking and versioning, which is essential for team collaboration. Using a version control system with pull requests ensures that all configuration changes are reviewed and approved before being applied, meeting the requirement for change control. This combination also ensures the state file accurately reflects deployed infrastructure by preventing concurrent modifications and providing an audit trail.

Exam trap

HashiCorp often tests the misconception that local state with manual processes is sufficient for team collaboration, but the trap here is that without remote state and version-controlled review, you cannot guarantee state consistency or enforce an approval gate, leading to drift and conflicts.

How to eliminate wrong answers

Option A is wrong because storing state locally prevents team collaboration and state locking, and a manual approval process outside of Terraform does not integrate with Terraform's workflow, risking state drift and concurrent apply conflicts. Option C is wrong because a shared network drive lacks state locking and versioning, leading to corruption or overwrites when multiple team members run terraform apply simultaneously. Option D is wrong because having each team member run terraform apply from their local machine after informal discussion bypasses any formal review or approval process, and local state files will diverge, causing inconsistency and potential infrastructure drift.

37
Multi-Selectmedium

Which of the following are key benefits of using Infrastructure as Code (IaC) compared to manual infrastructure management? (Choose four.)

Select 4 answers
A.Enables repeatable and consistent infrastructure deployments
B.Reduces the risk of human error in configuration
C.Allows infrastructure to be version-controlled and audited
D.Automatically fixes all security vulnerabilities in the infrastructure
E.Provides self-healing infrastructure without any additional tooling
F.Facilitates collaboration through code reviews and sharing of configurations

Why this answer

Infrastructure as Code (IaC) enables repeatable and consistent deployments by defining infrastructure in declarative or procedural configuration files, eliminating the variability of manual steps. It reduces human error by automating provisioning tasks that are prone to typos or omissions when performed manually. Version control systems like Git allow infrastructure configurations to be tracked, audited, and rolled back, while code reviews and shared modules promote team collaboration and standardization.

Exam trap

HashiCorp often tests the misconception that IaC inherently provides self-healing or automatic security remediation, when in fact these capabilities require additional tooling and are not core features of IaC itself.

38
MCQmedium

You are a DevOps engineer at a growing startup. The infrastructure currently consists of a single AWS EC2 instance running a web application, manually configured. The company plans to scale to multiple instances and environments (development, staging, production). They want to adopt Infrastructure as Code using Terraform. The team has limited experience with Terraform and wants to start small, then gradually adopt more advanced features. The current manual infrastructure must be imported into Terraform. The team also wants to ensure that code changes are reviewed via pull requests before being applied. Which of the following is the best course of action to meet these requirements?

A.Install Terraform on the existing instance, run terraform init and apply directly to manage it, and store state locally. Have team members share the state file via a shared folder.
B.Write Terraform configuration from scratch to match the existing instance, but do not import; instead, destroy the old instance and recreate it with Terraform.
C.Create separate Git branches for each environment (dev, staging, prod) and have each team member work independently on their branch, merging occasionally.
D.Create a Git repository with a main branch. Write a minimal Terraform configuration that describes the existing EC2 instance. Use terraform import to bring the instance under Terraform management. Store the state file remotely in S3 with DynamoDB locking. Set up a CI pipeline that runs terraform plan on pull requests and requires approval before merging.
AnswerD

This approach imports existing infrastructure, uses remote state for team access, and enforces code review through PRs.

Why this answer

Option D is correct because it follows the best practices for adopting Infrastructure as Code with Terraform in a team setting. It starts by writing a minimal configuration that matches the existing EC2 instance, uses `terraform import` to bring it under management without downtime, stores state remotely in S3 with DynamoDB locking for collaboration and consistency, and sets up a CI pipeline to run `terraform plan` on pull requests with approval gates, ensuring code review before changes are applied.

Exam trap

HashiCorp often tests the misconception that you must destroy and recreate infrastructure to adopt IaC, or that local state sharing is acceptable for teams, when in fact `terraform import` and remote state with locking are the correct approaches for zero-downtime adoption and collaboration.

How to eliminate wrong answers

Option A is wrong because storing state locally in a shared folder leads to state file corruption, conflicts, and no locking mechanism, which violates the requirement for safe team collaboration and code review via pull requests. Option B is wrong because destroying the existing instance to recreate it with Terraform causes unnecessary downtime and risk, whereas `terraform import` can bring the instance under management without disruption. Option C is wrong because having separate Git branches for each environment without a unified main branch and CI pipeline leads to configuration drift, lack of code review, and no controlled promotion of changes across environments.

39
Matchingmedium

Match each Terraform cloud/enterprise feature to its purpose.

Concepts
Matches

Organize state and runs for different environments

Integrate third-party policy or compliance checks

Policy as code framework for governance

Store state securely in Terraform Cloud

Trigger runs automatically from version control

Why these pairings

Terraform Cloud extends open-source capabilities.

40
Drag & Dropmedium

Drag and drop the steps to upgrade Terraform providers in a configuration in the correct order.

Why this order

Check versions, update constraints, upgrade with init, then plan to validate.

41
Multi-Selecteasy

A team is defining their Infrastructure as Code strategy. Which two of the following are key benefits of using IaC compared to manual configuration?

Select 2 answers
A.Faster deployment and provisioning.
B.Reduced need for monitoring.
C.Elimination of all security vulnerabilities.
D.Automatic recovery from any infrastructure failure.
E.Consistent and repeatable infrastructure setups.
AnswersA, E

Automated provisioning is faster than manual processes.

Why this answer

Options A and E are correct. IaC enables faster provisioning and ensures consistency and repeatability. Option C is false because IaC does not eliminate all security vulnerabilities.

Option D is false because IaC does not automatically recover from failures. Option B is false because monitoring is still necessary.

42
MCQeasy

A company manages multiple AWS accounts using Terraform. They have a central repository where all Terraform configurations are stored. Recently, a developer accidentally ran terraform destroy on a production workspace and deleted critical resources. The team wants to implement safeguards to prevent such incidents while still allowing developers to test changes in non-production environments. They currently use Terraform Cloud for remote state management and runs. Which course of action should the team take to minimize risk?

A.Store the production Terraform state file locally and restrict access to it.
B.Use Terraform's built-in lifecycle prevent_destroy on all production resources.
C.Implement run tasks in Terraform Cloud that require approval for any destroy operation on workspaces tagged as 'production'.
D.Remove all developers' access to the Terraform Cloud API and only allow operations via pull requests.
AnswerC

Run tasks can enforce policy checks and require manual approval for destructive actions.

Why this answer

Option C is correct because Terraform Cloud run tasks can enforce approval workflows for destroy operations on production workspaces. Option D is wrong because removing API access entirely is too restrictive and hinders legitimate operations. Option A is wrong because storing state locally goes against best practices and is insecure.

Option B is wrong because prevent_destroy is a meta-argument that blocks all destroy operations, not just accidental ones, and is not a flexible safeguard.

43
MCQhard

A team manages a multi-tier application consisting of web servers, application servers, and databases deployed across AWS and Azure. Historically, they have provisioned infrastructure manually using cloud consoles and ad-hoc scripts. To improve consistency and reduce errors, they decide to adopt Terraform for Infrastructure as Code. After initial rollout, they encounter problems: some team members still make direct changes via the cloud console to quickly fix issues, causing configuration drift between the Terraform state and actual resources. They also need to manage three distinct environments (development, staging, production) with different configurations (e.g., instance sizes, database settings). The team consists of five people with a limited budget for additional tools. Which course of action best addresses these challenges while adhering to IaC principles?

A.Store Terraform state in a shared S3 bucket with DynamoDB locking, and have each team member apply their own changes locally after review.
B.Use Terraform workspaces to manage environments and enforce that all changes go through version-controlled Terraform configs, disabling direct console changes via IAM policies.
C.Assign each environment to a different Terraform provider alias and use manual planning to ensure correctness.
D.Implement a CI/CD pipeline that runs terraform plan and apply automatically on merges to the main branch, and use Terraform Cloud's Sentinel policies to prevent drift.
AnswerD

CI/CD automates deployments and enforces that only version-controlled configs are applied; Sentinel can detect and prevent drift.

Why this answer

Option D is correct because implementing CI/CD with automated plan/apply and using Sentinel policies to prevent drift directly addresses both issues: drift from manual changes and environment management. Option B helps with environment separation but doesn't prevent drift; IAM policies can restrict console changes but are not part of IaC best practices. Option A improves state management but local applies can still lead to drift.

Option C uses provider aliases which are not designed for environment separation, and manual planning does not prevent drift.

44
MCQeasy

Which of the following is a primary benefit of using Infrastructure as Code?

A.Faster provisioning through automation
B.Removes dependency on cloud providers
C.Guarantees zero downtime during updates
D.Eliminates the need for cloud credentials
AnswerA

Automation speeds up resource creation and reduces manual effort.

Why this answer

Faster provisioning through automation (A) is a core benefit because IaC allows quick and repeatable deployments. D is false because credentials are still needed. C is false because IaC does not guarantee zero downtime.

B is false because you still depend on cloud providers.

45
MCQhard

A company manages a microservices application across multiple AWS accounts using Terraform. They have a dedicated 'infrastructure' repository with Terraform configurations for each account. The team recently migrated their Terraform state to a centralized S3 backend with DynamoDB locking. After the migration, they notice that when two developers run `terraform apply` simultaneously in the same workspace, one of them receives a lock error, but the other proceeds normally. The team wants to ensure that only one apply runs at a time across all workspaces. However, they also need to allow concurrent operations on different workspaces. The current backend configuration uses a single DynamoDB table for all workspaces. What should the team do to achieve their goals?

A.Use a single DynamoDB table but increase the lock timeout
B.Remove the backend configuration and use local state with manual locking
C.Use a separate DynamoDB table for each workspace to isolate locks
D.Disable locking to allow parallel operations
AnswerC

Separate tables allow concurrent applies on different workspaces while maintaining locking per workspace.

Why this answer

The problem is that using a single DynamoDB table with a single lock key means all workspaces share the same lock, preventing concurrent applies on different workspaces. Option C is correct: Use a separate DynamoDB table for each workspace, which isolates locks per workspace. Option D is dangerous.

Option A does not solve the cross-workspace contention because the lock key is shared. Option B loses centralized state.

46
MCQhard

In Terraform, the `terraform plan` command compares the current state with the configuration. This is an example of which IaC principle?

A.Version control integration
B.Continuous delivery
C.Modular architecture
D.Desired state enforcement
AnswerD

Terraform plan shows what changes are needed to achieve the desired configuration.

Why this answer

The `terraform plan` command compares the current state (what is deployed) with the configuration (what is declared) and computes the changes needed to align the real-world infrastructure with the declared configuration. This is the essence of desired state enforcement: the tool continuously reconciles the actual state toward the user-defined desired state, rather than executing imperative steps. Option D is correct because Terraform's core loop—plan, apply, refresh—is built around this declarative, state-driven model.

Exam trap

HashiCorp often tests the distinction between declarative (desired state enforcement) and imperative (step-by-step) approaches, and the trap here is that candidates confuse the `plan` command's output with a simple diff report rather than recognizing it as the core mechanism of Terraform's declarative state reconciliation model.

How to eliminate wrong answers

Option A is wrong because version control integration refers to storing Terraform configurations in Git or similar systems, not to the behavior of `terraform plan`. Option B is wrong because continuous delivery is a software engineering practice for automating deployments through pipelines, not a principle demonstrated by a single command that compares state. Option C is wrong because modular architecture is about organizing configurations into reusable modules (e.g., using `module` blocks), which is unrelated to the state-comparison mechanism of `terraform plan`.

47
MCQmedium

Based on the exhibit, what can be inferred about the Terraform state and configuration?

A.The aws_instance.db resource is in state but not in configuration, so it will be destroyed.
B.The configuration for aws_instance.db has been added back to the .tf files.
C.The aws_instance.db resource was manually deleted from the AWS console.
D.The aws_instance.web resource is being imported into Terraform management.
AnswerA

Terraform plans to destroy resources that are in state but removed from configuration.

Why this answer

The `terraform plan` output shows that `aws_instance.db` exists in the state file but is absent from the current configuration. Terraform interprets this as a resource that should be removed to align the real-world infrastructure with the configuration, so it will be destroyed. This is a core behavior of Terraform's desired-state management: any resource in state but not in configuration is marked for deletion.

Exam trap

HashiCorp often tests the distinction between resources missing from configuration (destroy) versus resources missing from the real world (re-create), and the trap here is confusing manual deletion with configuration removal.

How to eliminate wrong answers

Option B is wrong because if the configuration for `aws_instance.db` had been added back, the plan would show an update or no change, not a destroy. Option C is wrong because manual deletion from the AWS console would cause Terraform to detect the resource as missing and plan to re-create it, not destroy it. Option D is wrong because importing a resource would produce a plan that shows the resource being added to state without a destroy action, and the exhibit shows a destroy, not an import.

48
Multi-Selectmedium

Which three practices help maintain consistency and reduce configuration drift in IaC? (Choose three.)

Select 3 answers
A. Storing state files remotely and locking them
B. Implementing CI/CD pipelines with automated testing
C. Regularly running terraform plan and apply
D. Using manual changes to fix minor issues
E. Allowing multiple team members to run apply simultaneously
Answers: A, B, C

Remote state with locking prevents concurrent modifications that could cause drift.

Why this answer

Regularly running terraform plan and apply (C) enforces the desired state. Storing state remotely with locking (A) prevents concurrent modifications. CI/CD pipelines with automated testing (B) validate changes.

D is wrong because manual changes cause drift. E is wrong because simultaneous applies cause conflicts.

49
MCQ · hard

A company uses Terraform to manage infrastructure on AWS. They have a configuration that creates an S3 bucket and a DynamoDB table for state locking. The team notices that sometimes when two members run terraform apply simultaneously, they get a state locking error. However, they want to allow concurrent operations on different workspaces. What is the best approach?

A. Remove the DynamoDB table and use local state files to avoid locking issues.
B. Configure all team members to use the same workspace so that only one person can apply at a time.
C. Keep the current setup because the error is harmless and users can retry.
D. Use separate state files per workspace and ensure each workspace has its own lock entry in DynamoDB; the current setup already supports this.
Answer: D

Workspaces use separate state files and DynamoDB locks per state file, allowing concurrent operations on different workspaces.

Why this answer

Option D is correct because Terraform natively supports per-workspace state files, and when using a remote backend like S3 with DynamoDB for state locking, each workspace's state file is stored at a distinct path in S3. The DynamoDB lock entry is tied to the specific state file path via the LockID, so concurrent operations on different workspaces acquire separate locks and do not conflict. This setup allows multiple team members to run terraform apply simultaneously as long as they are working in different workspaces.

Exam trap

HashiCorp often tests the misconception that DynamoDB locking is global across all workspaces, when in fact the lock is scoped to the specific state file path, which includes the workspace name.

How to eliminate wrong answers

Option A is wrong because removing the DynamoDB table and using local state files eliminates state locking entirely, which can lead to state corruption if multiple users apply changes concurrently, even on different workspaces. Option B is wrong because configuring all team members to use the same workspace defeats the purpose of allowing concurrent operations and forces serialization of all applies, reducing team productivity. Option C is wrong because the state locking error is not harmless; it indicates a real conflict that can cause corruption or inconsistent state if ignored, and simply retrying does not address the underlying need for concurrent workspace-level isolation.

50
MCQ · easy

You are a platform engineer at a growing startup. The company currently manages infrastructure manually by SSH-ing into servers to install packages and update configurations. As the team grows, this approach has led to frequent configuration drift, inconsistent environments, and manual errors. Deploying a new environment takes several days and requires detailed runbooks. The CTO has asked you to propose a solution that improves consistency, reduces deployment time, and enables version control of infrastructure. You are evaluating Infrastructure as Code (IaC) tools like Terraform. Which course of action best addresses the CTO's requirements?

A. Improve SSH key management and use configuration management tools like Ansible to apply changes.
B. Migrate all applications to containers and use Kubernetes for orchestration.
C. Adopt Terraform to define all infrastructure as code, store configurations in a Git repository, and use a CI/CD pipeline to apply changes automatically.
D. Create more detailed runbooks and require peer review for all manual changes.
Answer: C

Declarative IaC with automation addresses all requirements.

Why this answer

Option C is correct because Terraform directly addresses the CTO's requirements by enabling infrastructure as code (IaC), which ensures consistent, repeatable deployments through declarative configuration files stored in Git for version control. Using a CI/CD pipeline to automatically apply changes eliminates manual SSH errors, reduces deployment time from days to minutes, and prevents configuration drift by enforcing a single source of truth for infrastructure state.

Exam trap

HashiCorp often tests the distinction between configuration management tools (like Ansible) and infrastructure provisioning tools (like Terraform), trapping candidates who confuse managing software on existing servers with defining and versioning the infrastructure itself.

How to eliminate wrong answers

Option A is wrong because improving SSH key management and using Ansible for configuration management still relies on imperative, agent-based execution against existing servers, which does not provide the declarative, version-controlled infrastructure provisioning that Terraform offers; it also does not inherently prevent configuration drift across environments. Option B is wrong because migrating to containers and Kubernetes addresses application deployment and orchestration, not the underlying infrastructure provisioning (e.g., VMs, networks, storage), and introduces unnecessary complexity for a startup that has not yet solved basic infrastructure consistency. Option D is wrong because creating more detailed runbooks and requiring peer review only reduces manual errors marginally but does not automate provisioning, eliminate configuration drift, or enable version control of infrastructure; it perpetuates the slow, error-prone manual process.

51
Multi-Select · medium

Which three statements correctly describe concepts of Infrastructure as Code (IaC) as implemented by Terraform? (Choose three.)

Select 3 answers
A. IaC enables consistent and repeatable provisioning of infrastructure by defining resources in declarative configuration files.
B. With IaC, infrastructure changes can be version-controlled, reviewed, and rolled back using the same workflows as application code.
C. Terraform's execution plan is a key IaC feature that allows you to preview changes before applying them, reducing the risk of unintended modifications.
D. In Terraform, the desired state is described imperatively, meaning you specify the exact commands to create, modify, or delete resources in order.
E. Terraform relies on a mutable infrastructure model, where changes are applied directly to existing resources without destroying and recreating them.
F. IaC eliminates the need for manual configuration entirely by automatically detecting and fixing all configuration drift without human intervention.

Why this answer

The first three options are correct because they accurately describe core IaC principles as implemented by Terraform. IaC uses declarative configuration files to define infrastructure, enabling consistent and repeatable provisioning. Version control of these files allows changes to be reviewed and rolled back like application code.

Terraform's execution plan is a critical feature that previews changes before applying them, reducing risk of unintended modifications.

Exam trap

HashiCorp often tests the distinction between declarative and imperative approaches, and the trap here is that candidates may incorrectly assume Terraform uses imperative syntax because they confuse 'desired state' with 'step-by-step commands'.

52
MCQ · easy

A team uses the backend configuration above. What is the primary benefit of storing state remotely in S3?

A. Automatic encryption of state files
B. Reducing the number of API calls to AWS
C. Enabling state sharing and locking across the team
D. Faster Terraform execution times
Answer: C

Remote backend allows multiple users to access and lock state.

Why this answer

Storing Terraform state remotely in S3 is the standard practice for team collaboration because it allows multiple team members to access and modify the same state file, preventing conflicts. Combined with DynamoDB for state locking, it ensures that only one person runs `terraform apply` at a time, avoiding race conditions and state corruption. This is the primary benefit over local state storage, which is single-user by design.

Exam trap

HashiCorp often tests the misconception that remote state is about performance (faster execution) or security (automatic encryption), when the actual core purpose is enabling safe, concurrent team collaboration through state sharing and locking.

How to eliminate wrong answers

Option A is wrong because S3 does not automatically encrypt state files by default; server-side encryption (SSE-S3 or SSE-KMS) must be explicitly configured in the backend block or bucket policy. Option B is wrong because storing state remotely in S3 does not reduce API calls to AWS; in fact, it may increase them due to state retrieval and locking operations. Option D is wrong because remote state storage typically increases execution time due to network latency for downloading/uploading the state file, not faster execution.
