CCNA Terraform Advanced Workflow Questions

75 of 91 questions · Page 1/2 · Terraform Advanced Workflow topic · Answers revealed

1
MCQ · easy

A team needs to share a Terraform module across multiple projects within their organization. What is the best practice?

A. Use a remote module source such as a Git repository.
B. Copy the module code into each project's directory.
C. Use 'terraform state push' to share state.
D. Use workspace variables to store module code.
Answer: A

Remote modules are reusable and version-controlled.

Why this answer

Option A is correct because using a remote source like a Git repository allows easy sharing and versioning. Option B leads to duplication. Option C is not a standard sharing method. Option D is for variables, not modules.

2
MCQ · easy

What is the purpose of the 'terraform validate' command?

A. To check the validity of provider credentials.
B. To format Terraform configuration files.
C. To check syntax and internal consistency of configuration files.
D. To run unit tests on Terraform modules.
Answer: C

'terraform validate' performs these checks.

Why this answer

The 'terraform validate' command checks the syntax and internal consistency of Terraform configuration files, ensuring that the code is syntactically valid and that references between resources, data sources, and variables are correctly formed. It does not interact with providers or cloud APIs, so it cannot verify credentials or run tests.

Exam trap

HashiCorp often tests the distinction between 'validate' (syntax/consistency check) and 'plan' (which actually contacts providers and checks real-world state), leading candidates to mistakenly think 'validate' verifies credentials or remote resources.

How to eliminate wrong answers

Option A is wrong because 'terraform validate' does not check provider credentials; credential validation occurs during 'terraform init' or 'terraform plan' when the provider attempts to authenticate with the cloud API. Option B is wrong because formatting Terraform files is the purpose of 'terraform fmt', not 'validate'. Option D is wrong because 'terraform validate' does not execute unit tests; testing modules is done with external tools like Terratest or the 'terraform test' command (introduced in later versions), not with 'validate'.

3
MCQ · medium

Refer to the exhibit. An operator runs terraform plan and gets the following output. They have not modified the Terraform configuration since the last successful apply. What is the most likely cause of the planned changes?

A. Terraform provider was updated to a new version.
B. The instance was terminated and recreated.
C. Terraform state was corrupted.
D. The instance was modified manually via the AWS console.
Answer: D

Manual changes outside Terraform cause drift, leading to these proposed updates.

Why this answer

The plan shows changes to the AMI and instance type, which are attributes that were not changed in the configuration. This indicates drift caused by manual modifications outside Terraform. Option D is correct because manual changes via the console cause Terraform to detect differences and propose corrections.

4
Multi-Select · hard

Which THREE of the following are capabilities of Terraform Cloud's Sentinel policy framework? (Choose three.)

Select 3 answers
A. Block Terraform runs based on the time of day
B. Enforce that resources have mandatory tags
C. Check that resources comply with security best practices
D. Restrict the creation of certain resource types
E. Estimate the cost of infrastructure changes
Answers: B, C, D

Sentinel can validate resource attributes.

Why this answer

Sentinel can enforce tags, restrict resource types, and check compliance. Cost estimation is a separate feature. Time-based blocking is not a built-in Sentinel capability.

5
Multi-Select · hard

Which THREE of the following are necessary steps to configure OIDC (OpenID Connect) for authenticating Terraform in a CI/CD pipeline?

Select 3 answers
A. Generate a long-lived API token and store it as a secret.
B. Set up an OIDC provider in the target cloud (e.g., AWS IAM OIDC provider).
C. Configure remote backend with static credentials.
D. Add a provider block with assume_role and web_identity_token attributes in Terraform configuration.
E. Create an IAM role in the cloud that the CI job can assume.
Answers: B, D, E

Trust must be established between cloud and CI.

Why this answer

Option B is correct because to authenticate Terraform in a CI/CD pipeline using OIDC, you must first establish trust between the CI platform and the cloud provider by creating an OIDC identity provider (e.g., an AWS IAM OIDC provider). This provider validates the JSON Web Token (JWT) issued by the CI platform (e.g., GitHub Actions, GitLab CI) and maps it to an IAM role, enabling token-based authentication without long-lived secrets.

Exam trap

HashiCorp often tests the misconception that OIDC requires storing a long-lived token (Option A) or that the remote backend must use static credentials (Option C), when in fact OIDC replaces both with a trust-based, token-exchange mechanism that uses the `assume_role` and `web_identity_token` attributes.

6
MCQ · hard

A DevOps engineer is troubleshooting a failed 'terraform plan' command. The error message is: 'Error: Error acquiring the state lock' followed by a message that the lock is held by another process. The team uses Terraform Cloud with remote state. Which of the following is the most likely cause and correct resolution?

A. Disable state locking in the backend configuration.
B. Wait for the lock to be released automatically.
C. Add the '-lock=false' flag to the plan command.
D. Identify the lock holder via Terraform Cloud UI and use 'terraform force-unlock' to release it.
Answer: D

The lock ID is available in the UI, and force-unlock can release it.

Why this answer

Option D is correct because the state lock in Terraform Cloud is held by another run or process; using the 'force-unlock' command with the correct lock ID from the Terraform Cloud UI can release it. Option C is wrong because there is no such option on the apply command. Option B is wrong because waiting may be indefinite if the lock is stuck. Option A is wrong because you cannot disable locking in Terraform Cloud.

7
MCQ · hard

A company uses Terraform to manage multi-cloud infrastructure. They have separate Terraform configurations for AWS and Azure, each with its own state file. They want to share a common set of networking variables (e.g., allowed IP ranges) between these configurations without duplicating data. Which approach best achieves this?

A. Create a module that contains the variable definitions and reference it in both configurations.
B. Define the variables in a 'terraform.tfvars' file and copy it to each configuration directory.
C. Store the variables in a JSON file and use the 'jsondecode' function in each configuration.
D. Use a remote state data source to read the outputs from a dedicated 'globals' workspace.
Answer: D

This allows sharing outputs from a single source of truth without duplication.

Why this answer

Option D is correct because using a remote state data source allows you to read outputs from a dedicated 'globals' Terraform workspace that stores shared networking variables. This approach avoids data duplication and ensures that both AWS and Azure configurations can dynamically consume the same canonical set of values without manual copying or file sharing. It leverages Terraform's native remote state mechanism to securely and consistently share data across separate configurations.

Exam trap

HashiCorp often tests the misconception that modules or variable files can share actual runtime data between separate configurations, when in fact they only define structure or require manual distribution, whereas remote state data sources provide dynamic, centralized sharing without duplication.

How to eliminate wrong answers

Option A is wrong because creating a module with variable definitions only provides a reusable template for declaring variables; it does not share actual values between configurations, so each configuration would still need to supply its own data. Option B is wrong because copying a 'terraform.tfvars' file to each configuration directory duplicates the data, violating the requirement to avoid duplication and introducing drift risk. Option C is wrong because storing variables in a JSON file and using 'jsondecode' still requires the file to be present in each configuration's working directory, leading to duplication and synchronization challenges.

8
Multi-Select · medium

Which THREE of the following are best practices for Terraform state management?

Select 3 answers
A. Manually edit state files to fix configuration drift.
B. Commit state files to version control.
C. Use workspaces to manage different environments.
D. Store state file in a remote backend with locking enabled.
E. Use 'terraform state rm' to remove resources from state when needed.
Answers: C, D, E

Workspaces isolate state for environments.

Why this answer

Options C, D, and E are correct. D ensures state is shared and locked. C enables environment separation. E allows removing resources from state for import or drift correction. B is wrong because state files contain sensitive data and should not be in VCS. A is wrong because manual editing is error-prone.

9
MCQ · medium

A company uses Terraform Cloud and wants to enforce policy checks before any apply. They have a set of Sentinel policies. Where should they configure these policies to run automatically on all runs?

A. In the terraform apply command with -policy flag.
B. Configure a webhook in the VCS to run policy checks.
C. Create a Policy Set in Terraform Cloud and attach to workspaces.
D. Deploy a Terraform Enterprise instance with custom policy.
Answer: C

Policy Sets run before apply.

Why this answer

Option C is correct because Policy Sets in Terraform Cloud are managed at organization or workspace level. Option A is wrong because sentinel apply is not a command. Option D is wrong because Terraform Enterprise is on-prem, not cloud. Option B is wrong because VCS integration is for triggering runs, not policies.

10
MCQ · hard

Refer to the exhibit. A user encounters this error while running 'terraform plan'. What is the best course of action?

A. Run 'terraform force-unlock' with the lock ID after verifying no other process holds the lock
B. Change the backend to local and run plan again
C. Delete the state file and run terraform init
D. Wait for 5 minutes and retry
Answer: A

Force-unlock releases the stale lock if no other process is using it.

Why this answer

The lock appears to be stale (operation type invalid). After verifying that no other process is using Terraform, force-unlock is the appropriate action. Deleting state is dangerous. Waiting might work but is not best practice. Changing backend could cause state mismatch.

11
MCQ · medium

An organization wants to use Terraform to manage infrastructure in multiple environments (dev, staging, prod) with the same configuration but different variable values. Which approach should they use?

A. Create separate directories with duplicated configurations
B. Use Terraform workspaces and separate variable files
C. Use a single state file with environment variables
D. Use different versions of Terraform for each environment
Answer: B

Reuses configuration with isolated state and variables.

Why this answer

Terraform workspaces allow you to manage multiple distinct sets of infrastructure resources within the same configuration by maintaining separate state files. By combining workspaces with separate variable definition files (e.g., `dev.tfvars`, `prod.tfvars`), you can reuse the same configuration code while applying environment-specific variable values, avoiding duplication and ensuring consistency across environments.

Exam trap

HashiCorp often tests the misconception that workspaces are the only way to manage multiple environments, but the trap here is that candidates may overlook the need for separate variable files alongside workspaces, or incorrectly think that a single state file with environment variables is sufficient for isolation.

How to eliminate wrong answers

Option A is wrong because creating separate directories with duplicated configurations violates the DRY (Don't Repeat Yourself) principle, leading to configuration drift and increased maintenance overhead. Option C is wrong because using a single state file with environment variables would cause all environments to share the same state, resulting in conflicts and potential corruption when applying changes concurrently. Option D is wrong because using different versions of Terraform for each environment introduces unnecessary complexity and version incompatibility risks, and Terraform version does not solve the need for separate state or variable isolation.

12
Multi-Select · medium

Which THREE are valid methods to create and manage Terraform workspaces?

Select 3 answers
A. Using version control branches
B. Using tags in AWS
C. Using 'terraform workspace' commands (new, select, delete)
D. Using the Terraform Cloud API
E. Using the Terraform Cloud web UI
Answers: C, D, E

CLI commands directly manage workspaces.

Why this answer

Options C, D, and E are correct. The CLI commands provide direct workspace management. The Terraform Cloud UI allows managing workspaces via GUI. The Terraform Cloud API allows programmatic management. Option A is wrong because version control branches do not directly manage workspaces. Option B is wrong because tags are not used for workspace management.

13
Multi-Select · medium

Which TWO of the following are valid ways to import existing infrastructure into Terraform management? (Choose TWO.)

Select 2 answers
A. Use 'terraform validate' to automatically import resources.
B. Use 'terraform state rm' to remove resources from state, then re-add them.
C. Use the 'terraform import' command with the resource address and ID.
D. Write the configuration manually and run 'terraform plan' to refresh state, then adjust.
E. Run 'terraform apply' with an empty configuration to detect resources.
Answers: C, D

This is the primary method for importing existing resources.

Why this answer

Option C is correct because 'terraform import' is the dedicated command to bring existing infrastructure under Terraform management by associating a real-world resource ID with a resource address in state. Option D is correct because you can manually write configuration that matches the existing resource, then run 'terraform plan' to refresh state and detect any drift, allowing you to adjust the configuration until the plan shows no changes.

Exam trap

HashiCorp often tests the misconception that 'terraform validate' or 'terraform apply' can import resources, when in fact only 'terraform import' (or manual configuration with plan refresh) accomplishes this, and candidates confuse validation or apply with the import workflow.

14
MCQ · medium

A team is using Terraform Cloud and wants to enforce that all AWS resources created by Terraform have a specific tag. Which feature should they use?

A. Cost estimation
B. Sentinel policies
C. Workspace variables
D. Run tasks
Answer: B

Sentinel enforces policies on configurations before apply.

Why this answer

Sentinel policies allow you to define rules that check configurations before they are applied. Workspace variables store values, cost estimation estimates costs, run tasks integrate third-party tools – none of them enforce tagging rules.

15
MCQ · medium

A team uses Terraform Cloud for remote state management. They want to ensure that state file changes are only made through the Terraform Cloud API and not through direct access to the storage backend. Which feature should they enable?

A. Sentinel policy enforcement
B. Remote state locking
C. VCS integration
D. Team tokens
Answer: A

Enforces policies that prevent direct state modifications outside the API.

Why this answer

Option A is correct because Sentinel policy enforcement allows the team to define rules that restrict direct modifications to the state file in the storage backend, ensuring that all state changes must go through the Terraform Cloud API. This prevents bypassing Terraform Cloud's access controls and audit logging, which is essential for maintaining integrity and compliance in remote state management.

Exam trap

HashiCorp often tests the distinction between operational controls (like locking) and policy-based enforcement (like Sentinel), so the trap here is assuming that remote state locking alone prevents unauthorized direct access to the storage backend.

How to eliminate wrong answers

Option B is wrong because remote state locking prevents concurrent operations on the same state file but does not prevent direct access to the storage backend; it only manages locking during Terraform runs. Option C is wrong because VCS integration automates runs from version control commits but does not restrict direct state file access via the storage backend API. Option D is wrong because team tokens authenticate API calls but do not enforce that state changes must originate from the Terraform Cloud API; they can be used to directly access the storage backend if permissions allow.

16
MCQ · easy

An operator runs `terraform apply` and receives an error that the state file is locked. What is the most likely cause?

A. The state file is outdated and needs refresh
B. The configuration has a syntax error
C. Another user is running a Terraform operation
D. The user lacks write permissions to the state file
Answer: C

State locking prevents concurrent operations.

Why this answer

Option C is correct because Terraform uses a state locking mechanism (typically via a backend like S3 with DynamoDB, or Consul) to prevent concurrent operations from corrupting the state file. When another user or process is running a Terraform operation (e.g., `apply`, `plan`, `destroy`), the lock is held, and any subsequent `terraform apply` will fail with a 'state file is locked' error. This is a fundamental safety feature to ensure state consistency.

Exam trap

The trap here is that candidates confuse state locking with file permissions (Option D) or assume the error is due to a stale state (Option A), but Cisco specifically tests the understanding that locking is a concurrency control mechanism, not a permission or syntax issue.

How to eliminate wrong answers

Option A is wrong because an outdated state file does not cause a lock error; it would instead cause a refresh prompt or drift detection, not a lock conflict. Option B is wrong because a syntax error in the configuration would be caught during `terraform validate` or `plan`, not during `apply` as a state lock error. Option D is wrong because insufficient write permissions would result in a permissions error (e.g., 'AccessDenied' or 'permission denied'), not a lock error; locking is a separate mechanism from filesystem permissions.

17
Multi-Select · medium

Which TWO are valid methods to import existing infrastructure into Terraform?

Select 2 answers
A. Use 'terraform state rm' to remove existing state before running apply.
B. Run 'terraform import' with the resource address and ID.
C. Use 'terraform console' to inspect and import.
D. Add resource blocks manually and run 'terraform import' for each resource.
E. Use 'terraform init -migrate-state' to import from another backend.
Answers: B, D

Direct import command.

Why this answer

Options B and D are correct. D involves writing resource blocks manually and then using terraform import. B is the direct import command. A is not a command. E migrates state, not imports. C is not for import.

18
MCQ · hard

A team has a monolithic Terraform configuration managing multiple AWS accounts. They want to decompose it into smaller configurations that can be managed independently. What is the recommended strategy?

A. Split the configuration into separate directories per account and resource type, and use remote state sharing.
B. Use Terraform workspaces to separate environments within the same configuration.
C. Create a single super-module that contains all resources.
D. Move everything to Terraform Cloud and use different workspaces.
Answer: A

This allows independent management and collaboration.

Why this answer

Option A is correct because splitting by account and resource type into separate workspaces or directories is a common pattern. Option B is wrong because using a single configuration with many workspaces still has tight coupling. Option C is wrong because pulling all into one module increases complexity. Option D is wrong because Terraform Cloud workspaces alone do not decompose the code.

19
MCQ · easy

A small startup is using Terraform to deploy AWS resources. They have two separate environments: development and production. Currently, they manage two sets of Terraform configuration files in different directories, each with its own state file stored locally. The CEO wants to reduce duplication and simplify management. The team decides to restructure into a single configuration with workspaces. After implementing workspaces, they run `terraform workspace new dev` and `terraform workspace new prod`, then `terraform apply` in the dev workspace. However, when they switch to prod and run `terraform apply`, the plan shows that Terraform wants to recreate all resources instead of managing the existing production resources. What is the most likely reason for this behavior?

A. Workspaces cannot be used for different environments; only for temporary feature branches.
B. The Terraform configuration uses the same resource names in both workspaces, causing conflicts.
C. The team did not migrate the existing production state into the 'prod' workspace.
D. The team must configure a remote backend for workspaces to function correctly.
Answer: C

Workspaces have independent state; existing state must be imported or moved.

Why this answer

Option C is correct because when the team restructured into a single configuration with workspaces, they created new empty workspaces (`dev` and `prod`) but did not migrate the existing production state file into the `prod` workspace. Terraform workspaces maintain separate state files, so without importing the existing production state into the `prod` workspace, Terraform has no record of the existing production resources and plans to create them from scratch. The `terraform workspace new` command creates a fresh, empty state for that workspace.

Exam trap

HashiCorp often tests the misconception that workspaces automatically inherit or share state from previous configurations, when in fact each workspace starts with a completely empty state unless explicitly migrated.

How to eliminate wrong answers

Option A is wrong because workspaces are explicitly designed to manage multiple environments (e.g., dev, staging, prod) from a single configuration, not just for temporary feature branches. Option B is wrong because resource names within a workspace are scoped to that workspace's state; using the same resource names across workspaces does not cause conflicts—each workspace maintains its own independent state. Option D is wrong because while remote backends are recommended for team collaboration, workspaces function perfectly well with local backends; the issue here is the missing state migration, not the backend type.

20
MCQ · easy

Refer to the exhibit. Which command was most likely executed?

A. terraform apply
B. terraform plan
C. terraform get
D. terraform init
Answer: D

Terraform init downloads modules and backends, showing such output.

Why this answer

"Initializing modules" is part of terraform init. terraform get also downloads modules but does not initialize backends and providers. terraform plan and apply do not download modules.

21
MCQ · medium

An organization uses Terraform Cloud and wants to automate run triggers when a new version of a module is published in a private module registry. What is the recommended method?

A. Create a Git repository with versioned modules and use GitOps.
B. Configure a webhook in the private module registry to notify Terraform Cloud.
C. Schedule terraform plan to run periodically via cron.
D. Use the Terraform Cloud API to poll the registry for new versions.
Answer: B

Webhook allows real-time trigger.

Why this answer

Option B is correct because Terraform Cloud has a webhook integration to trigger runs on registry events. Option D is wrong because API calls would require polling. Option A is wrong because GitOps requires code changes. Option C is wrong because scheduler is not event-driven.

22
MCQ · hard

A company uses Terraform with a remote backend (AWS S3). They want to ensure that the state file is encrypted at rest. Which configuration approach guarantees this?

A. Configure the S3 backend with server-side encryption enabled (e.g., 'encrypt = true' and 'kms_key_id').
B. Enable encryption in the AWS provider block.
C. Use 'terraform state encrypt' command.
D. Use 'terraform init -encrypt-state' flag.
Answer: A

S3 backend encryption encrypts state at rest.

Why this answer

Option A is correct because S3 can be configured with server-side encryption, either via bucket policy or default encryption. Options C and D are not real Terraform commands. Option B is incorrect because the provider block does not control state encryption.

23
MCQ · easy

Refer to the exhibit. A team deploys this configuration. They run 'terraform apply' once and the instance is created. Later, they modify the instance type and run 'terraform apply' again. They notice the provisioner does not run on the second apply. Why?

A. Provisioners run only when the resource is destroyed.
B. The provisioner should be 'remote-exec' to run on updates.
C. The command syntax is incorrect.
D. Provisioners run only when the resource is created, not on subsequent updates.
Answer: D

Provisioners are not re-run on updates unless triggers specify.

Why this answer

Option D is correct because provisioners only run during resource creation, not updates. Option A is wrong because provisioners run on create or destroy, but only if specified. Option C is wrong because the command is valid. Option B is wrong because the issue is not the type of provisioner.

24
MCQ · medium

Refer to the exhibit. The user runs 'terraform plan' and sees that Terraform wants to create the instance. However, the instance already exists in the AWS account with the same configuration. What is the most likely reason?

A. The instance type has changed
B. The instance is not in the Terraform state
C. The AMI ID has changed
D. The provider version is different
Answer: B

If the instance is not in the state file, Terraform sees it as missing and plans to create.

Why this answer

Terraform tracks resources in its state file. If the existing instance is not in the state, Terraform will plan to create it. The AMI and instance type are the same, so changes in them wouldn't cause a create.

25
MCQ · hard

A company uses Terraform Cloud and wants to ensure that only approved modules from the private registry are used in configurations. How can they enforce this?

A. Restrict module sources in VCS
B. Configure workspace variables to limit module paths
C. Use Sentinel policies to check module sources
D. Use run tasks to scan for module types
Answer: C

Sentinel inspects module source attributes and can block runs.

Why this answer

Sentinel policies can inspect module declarations and block runs if modules come from unapproved sources. VCS restrictions are not always effective. Run tasks and workspace variables do not directly control module sources.

26
Multi-Select · easy

Which TWO of the following are valid ways to pass variables to Terraform in an automated pipeline?

Select 2 answers
A. Creating a .tfvars file and referencing it with -var-file.
B. Using interactive prompts during terraform apply.
C. Using the -var flag to specify individual variables.
D. Setting environment variables with prefix TERRAFORM_.
E. Using the -vars flag to pass JSON string.
Answers: A, C

Allows multiple variables in file.

Why this answer

Option A is correct because `-var-file` allows you to pass a `.tfvars` file containing variable definitions, which is ideal for automated pipelines where you want to load multiple variables from a version-controlled or dynamically generated file without manual interaction. This approach supports repeatable, non-interactive deployments.

Exam trap

HashiCorp often tests the exact environment variable prefix (`TF_VAR_` vs `TERRAFORM_`) and the existence of non-existent flags like `-vars`, expecting candidates to confuse them with similar-sounding options from other tools.

27
MCQ · medium

A DevOps engineer is responsible for maintaining Terraform configurations that manage resources in AWS. The team uses an S3 backend with DynamoDB state locking. The engineer notices that a recent 'terraform plan' command failed with the following error: 'Error: Failed to get existing workspaces: AccessDenied: Access Denied'. Other team members are able to run plans successfully from their machines. The engineer has verified that they have the correct AWS credentials configured via environment variables and that they can list the contents of the S3 bucket using the AWS CLI. The DynamoDB table exists and the engineer can describe it. What is the most likely cause of this error?

A. The DynamoDB table does not have the correct primary key schema.
B. The IAM policy used by Terraform does not include 's3:ListBucket' permission on the S3 bucket.
C. The Terraform configuration has a syntax error in the backend block.
D. The DynamoDB table is not in the same region as the S3 bucket.
Answer: B

The 'get existing workspaces' operation lists objects in the bucket path.

Why this answer

Option B is correct because the error indicates that the IAM user or role does not have permission to call the S3 ListObjects operation on the bucket, even though they can access the bucket directly via CLI (perhaps due to different IAM entity or CLI using different credentials). Option A is wrong because the error message does not mention state lock. Option D is wrong because the engineer can describe the DynamoDB table. Option C is wrong because the configuration is consistent with other team members.

28
MCQ · medium

You are managing a Terraform configuration that deploys resources across multiple AWS accounts using provider aliases. The configuration uses a single backend (S3) to store the state file. Recently, you discovered that the state file has become very large (over 100 MB) and is causing slow operations and timeouts. The team wants to improve performance without losing the ability to manage all resources with a single `terraform apply`. You need to propose a solution. Which approach should you take?

A. Use state encryption to compress the state file
B. Switch the backend from S3 to Terraform Cloud to improve performance
C. Use Terraform workspaces to separate environments into different state files
D. Split the configuration into separate directories for each environment
Answer: C

Reduces state file size per workspace.

Why this answer

Option C is correct because Terraform workspaces allow you to maintain separate state files for different environments (e.g., dev, prod) while using the same configuration and backend. This reduces the size of each state file, improving performance and avoiding timeouts, while still enabling a single `terraform apply` to manage all resources by targeting the appropriate workspace.

Exam trap

HashiCorp often tests the misconception that splitting configurations into separate directories is equivalent to using workspaces, but the key difference is that workspaces maintain a single configuration and backend, allowing unified `terraform apply` while directories require separate runs.

How to eliminate wrong answers

Option A is wrong because state encryption (e.g., using AWS KMS) does not compress the state file; it only encrypts it at rest, so the file size remains unchanged and performance issues persist. Option B is wrong because switching to Terraform Cloud does not inherently reduce state file size; it may improve backend performance but the underlying large state file still causes slow operations. Option D is wrong because splitting the configuration into separate directories would require running `terraform apply` separately for each directory, breaking the requirement to manage all resources with a single `terraform apply`.

29
MCQeasy

A small startup uses Terraform to manage infrastructure on AWS. They store the state file directly in a Git repository (gitignored but accidentally committed) and have no remote backend. The team has two engineers: Alice and Bob. They both run Terraform from their local machines. Recently, they experienced state conflicts where Alice's apply would succeed but subsequently Bob's apply would fail due to state drift. They want a simple solution without adding too much complexity. What should they do?

A.Add the state file to .gitignore and stop versioning it.
B.Configure an S3 backend with DynamoDB locking and have both engineers use the remote state.
C.Continue with the current setup but ask Alice and Bob to coordinate via Slack before running apply.
D.Switch to Terraform Cloud with remote execution for automated locking.
AnswerB

Remote backend with locking prevents conflicts.

Why this answer

Option B is correct because using S3 as a remote backend with a consistent locking mechanism (like DynamoDB) is the standard way to prevent conflicts and maintain a single source of truth. Option C is wrong because manual state file management is error-prone. Option A is wrong because ignoring the state file doesn't solve the conflict; they'd have no shared state. Option D is wrong because Terraform Cloud might be overkill for a small team, but could work. However, B is simpler and directly addresses the problem.

30
Multi-Selecteasy

Which TWO of the following are valid ways to use Terraform outside the core workflow? (Choose two.)

Select 2 answers
A.Using Terraform to manage application secrets lifecycle.
B.Using Terraform outputs as inputs for other tools like Ansible.
C.Using Terraform to install software on existing servers.
D.Using Terraform as a CI/CD pipeline tool.
E.Using Terraform state to generate infrastructure diagrams.
AnswersB, E

Outputs can be consumed by other automation tools.

Why this answer

Option B is correct because Terraform outputs can be consumed by other tools like Ansible via the `terraform output` command or by referencing the state file, enabling integration in multi-tool workflows. Option E is correct because the Terraform state file (`.tfstate`) contains all resource attributes and dependencies, which can be parsed programmatically or with tools like `terraform graph` to generate infrastructure diagrams, extending Terraform's use beyond provisioning.

Exam trap

HashiCorp often tests the distinction between provisioning (Terraform) and configuration management (Ansible, Chef), so candidates mistakenly think Terraform can install software or manage secrets, when it is strictly for infrastructure lifecycle and state-driven outputs.

31
MCQhard

A company uses Terraform Cloud and wants to enforce policies that all EC2 instances must be of type t2.micro or t2.small. Which feature should they use?

A.Run tasks
B.Cost estimation
C.Sentinel policies
D.Terraform validate
AnswerC

Sentinel is the policy-as-code framework for enforcing rules.

Why this answer

Option C is correct because Sentinel is the policy-as-code framework in Terraform Cloud/Enterprise. Option B is for cost tracking. Option A is for security analysis. Option D is not a Terraform Cloud feature.

32
MCQmedium

A company uses Terraform with a backend configured to store state in Azure Blob Storage. They want to view the current state of resources without performing a plan or apply. Which command should be used?

A.terraform output
B.terraform show
C.terraform state list
D.terraform plan
AnswerC

State list outputs all resource addresses in the state.

Why this answer

Option C (terraform state list) is correct because it directly queries the Terraform state file stored in Azure Blob Storage and lists all resources tracked in that state without triggering a plan or apply. This command is part of the 'terraform state' family, designed specifically for inspecting state outside the core workflow, and it requires no infrastructure changes or API calls to cloud providers.

Exam trap

HashiCorp often tests the distinction between commands that inspect state directly (like terraform state list) versus those that trigger a refresh or plan (like terraform plan or terraform show with a state file), and candidates mistakenly choose terraform show thinking it lists resources, but it actually displays detailed attributes and requires a state file argument.

How to eliminate wrong answers

Option A (terraform output) is wrong because it only displays output values defined in the configuration, not the full list of resources in the state; it is useful for extracting specific values but does not enumerate all managed resources. Option B (terraform show) is wrong because it displays the state or plan file in a human-readable format, but it requires a state file or plan file as input and is not the primary command for simply listing resources; it is more suited for detailed inspection of a plan or state snapshot. Option D (terraform plan) is wrong because it performs a full refresh and comparison against the current infrastructure, which involves API calls to Azure and generates a plan for changes, going far beyond simply viewing the current state without side effects.

33
MCQmedium

A company uses Terraform with multiple workspaces (dev, staging, prod) and a remote backend in an S3 bucket with a DynamoDB lock table. The backend configuration is defined in the main.tf with partial configuration. Developers are required to provide the backend configuration via command-line flags during 'terraform init'. One developer accidentally ran 'terraform init' without the required flags on a Monday morning. The init succeeded and created a local state file in the project directory. Over the next few days, other team members made changes to the workspace and pushed updates to the remote state. The developer who ran local init then runs 'terraform plan' and sees a plan that would recreate all resources. They realize their mistake. How can this situation be prevented in the future?

A.Enable state locking on the local backend to prevent conflicts.
B.Implement a CI/CD pipeline that runs 'terraform init' with the correct backend config and enforces that only pipeline-initiated runs are allowed.
C.Add a 'terraform plan -check' step that warns if state is not remote.
D.Use 'terraform workspace' commands to switch to the correct workspace before running init.
AnswerB

This ensures that remote backend is always used.

Why this answer

Option B is correct because a pre-commit hook or CI pipeline can validate that the backend is remote. Option A is wrong because locking is separate from backend type. Option D is wrong because workspace commands do not enforce a remote backend. Option C is wrong because 'terraform plan' does not detect local state by default.

34
Multi-Selectmedium

Which TWO Terraform backends support remote state locking?

Select 2 answers
A.s3
B.local
C.consul
D.inmem
AnswersA, C

S3 backend supports locking via DynamoDB.

Why this answer

Options A and C are correct because the s3 backend supports locking via DynamoDB, and the consul backend supports locking via sessions. Option B (local) does not have remote locking. The http backend, which is not among the listed options, does not support locking. Option D (inmem) is an in-memory backend with no persistence or locking.

35
MCQhard

During a CI/CD pipeline run, terraform apply fails halfway through due to a network error. The state file is locked. The team wants to resume from the last successful apply. What should they do?

A.Re-run terraform apply after solving the network issue; Terraform will handle partial state.
B.Run terraform destroy and then reapply.
C.Force unlock the state and then reapply.
D.Manually delete the partially created resources in the cloud console and reapply.
AnswerA

Terraform uses state to know what was created, so reapply will work.

Why this answer

Option A is correct: fix the issue, then re-run `terraform apply`, which will attempt to apply the remaining resources because state knows what was already created; `terraform apply -lock=false` is dangerous and not recommended. Option C is wrong because forcing unlock without investigation can corrupt state. Option B is wrong because destroy will remove partially created resources. Option D is wrong because manual deletion is error-prone.

36
MCQhard

You are a platform engineer at a large enterprise that uses Terraform Cloud with a VCS-backed workflow for all infrastructure. Your team manages a configuration that provisions AWS EC2 instances for a critical application. Recently, a junior team member accidentally committed a change that removed a required tag from the EC2 instance resource. The change passed the plan stage but was blocked by a Sentinel policy during the apply, preventing the infrastructure from being updated. The team needs to fix the configuration and apply the change. However, the repository is configured to automatically trigger runs on every push to the main branch. The team wants to avoid triggering an unwanted run while they work on the fix. What should the team do?

A.Temporarily disable the VCS connection in Terraform Cloud to prevent runs
B.Run terraform apply locally with the fixed configuration to bypass Terraform Cloud
C.Create a feature branch, fix the configuration, and merge via pull request
D.Amend the commit on main and force push to overwrite history
AnswerC

Standard practice; avoids triggering runs on main until merge.

Why this answer

Option C is correct because using a feature branch and pull request allows the team to fix the configuration without triggering a run on the main branch, since Terraform Cloud’s VCS integration only auto-triggers runs on pushes to the configured branch (typically main). Once the fix is merged via pull request, the change will be applied through the normal VCS-backed workflow, maintaining audit trails and policy enforcement. This approach avoids disrupting the VCS connection or bypassing Terraform Cloud’s governance.

Exam trap

The trap here is that candidates may think disabling the VCS connection or force pushing is acceptable, but Cisco tests the understanding that the VCS-backed workflow is the single source of truth and must not be bypassed or disrupted, even temporarily.

How to eliminate wrong answers

Option A is wrong because temporarily disabling the VCS connection in Terraform Cloud would prevent all runs, including legitimate ones, and requires manual reconnection, which is disruptive and error-prone. Option B is wrong because running terraform apply locally bypasses Terraform Cloud entirely, violating the enterprise requirement for VCS-backed workflow and Sentinel policy enforcement, and the local state would not match the remote state in Terraform Cloud. Option D is wrong because amending the commit on main and force pushing rewrites history, which is dangerous in a shared repository, may break other collaborators’ work, and still triggers a run on the main branch due to the push event.

37
MCQhard

A company uses Terraform with multiple cloud providers and wants to integrate with their existing CI/CD pipeline. They need to enforce that all infrastructure changes go through code review and automated testing before being applied to production. Which approach best meets these requirements?

A.Store state in a remote backend and use terraform apply in the pipeline
B.Configure Terraform Cloud with run triggers and policy checks
C.Use the Terraform CLI in the CI/CD pipeline with remote state
D.Run terraform apply locally after manual approval
AnswerB

Enforces code review and automated testing via workflows.

Why this answer

Option B is correct because Terraform Cloud's run triggers and policy checks (e.g., Sentinel) enforce that all infrastructure changes must pass code review and automated testing before being applied. This integrates directly with the CI/CD pipeline by requiring a pull request to trigger a plan, which is then reviewed and approved via Terraform Cloud's governance controls, ensuring no change reaches production without validation.

Exam trap

HashiCorp often tests the misconception that simply using a remote backend or running terraform apply in a pipeline is sufficient for governance, but the key requirement here is enforced code review and automated testing, which only Terraform Cloud's policy checks and run triggers provide natively.

How to eliminate wrong answers

Option A is wrong because storing state in a remote backend and using terraform apply in the pipeline does not inherently enforce code review or automated testing; it only centralizes state management, leaving the pipeline to apply changes without mandatory review gates. Option C is wrong because using the Terraform CLI in the CI/CD pipeline with remote state still lacks built-in policy enforcement or review workflows; it requires custom scripting to add approval steps, which is not a native feature. Option D is wrong because running terraform apply locally after manual approval bypasses the CI/CD pipeline entirely, violating the requirement to integrate with the existing pipeline and failing to enforce automated testing.

38
MCQmedium

The user runs `terraform init` successfully, but then `terraform plan` still fails with a different error: "Error: No configuration files found in this directory." The directory contains backend.tf and main.tf. What is the most likely cause?

A.The backend block is misconfigured.
B.The user is not in the same directory as the .tf files.
C.The workspace name in the backend configuration is incorrect.
D.The main.tf file contains invalid syntax.
AnswerB

Terraform only finds .tf files in the current directory.

Why this answer

The error 'No configuration files found in this directory' indicates that Terraform cannot locate any .tf files in the current working directory. Even though the directory contains backend.tf and main.tf, the user must be in that directory when running `terraform plan`. This is a common path issue, not a configuration or syntax problem.

Exam trap

HashiCorp often tests the distinction between configuration errors (like syntax or backend issues) and operational errors (like working directory), leading candidates to overthink complex backend or syntax problems when the real issue is a simple path mismatch.

How to eliminate wrong answers

Option A is wrong because a misconfigured backend block would cause an error during `terraform init` or `terraform plan` related to state initialization, not a 'no configuration files' error. Option C is wrong because an incorrect workspace name would cause an error about workspace state or backend configuration, not a missing configuration files error. Option D is wrong because invalid syntax in main.tf would produce a syntax error during parsing, not a 'no configuration files' error.

39
MCQmedium

A team uses Terraform workspaces to manage multiple environments (dev, staging, prod). They are currently in the 'dev' workspace and want to run a plan for the 'staging' workspace without switching workspaces. Which command sequence should they use?

A.terraform plan -workspace=staging
B.terraform plan -var=workspace=staging
C.terraform workspace select staging && terraform plan
D.terraform plan -state=staging.tfstate
AnswerC

Select the target workspace first, then run plan.

Why this answer

Option C is correct because you must select the workspace first with 'terraform workspace select staging' and then run plan. Option A is wrong because '-workspace' is not a valid flag. Option B is wrong because the variable approach does not change workspace.

Option D is wrong because 'terraform plan -state=staging.tfstate' does not switch workspaces.

40
Multi-Selecthard

Which TWO of the following are true about Terraform Cloud's run lifecycle? (Choose two.)

Select 2 answers
A.Policy checks can be skipped for emergency changes
B.A plan can be discarded without applying
C.An apply can be manually confirmed if auto-apply is disabled
D.Cost estimation is automatically generated for every run
E.A plan that fails due to policy violations can still be applied with admin override
AnswersB, C

Users can discard plans.

Why this answer

Option B is correct because Terraform Cloud allows users to discard a plan without applying it, which is useful when the proposed changes are not desired or need to be revised. This is a standard part of the run lifecycle where a plan can be reviewed and then discarded, preventing any infrastructure changes from being made.

Exam trap

HashiCorp often tests the misconception that policy checks can be skipped or that cost estimation is automatic, when in reality both require specific configuration or admin intervention, and the run lifecycle strictly enforces these stages.

41
Multi-Selecteasy

Which TWO statements about using Terraform with remote backends are correct?

Select 2 answers
A.Remote backends require manual state migration.
B.Remote backends store state in a shared location.
C.Remote backends store state in the local filesystem.
D.Remote backends cannot be used with Terraform Cloud.
E.Remote backends enable state locking.
AnswersB, E

Remote backends store state in a shared location accessible to all team members.

Why this answer

Remote backends enable state locking and store state in a shared location, preventing conflicts and enabling team collaboration. The other options are incorrect: remote backends do not store state locally, can be used with Terraform Cloud, and migration can be automated.

42
Multi-Selecthard

Which THREE are valid use cases for the 'terraform state replace-provider' command?

Select 3 answers
A.Migrating a provider from one registry to another (e.g., from registry.terraform.io to a private registry).
B.Upgrading the provider to a new major version.
C.Changing the provider's configuration region from us-east-1 to eu-west-1.
D.Migrating from a community provider to an official provider.
E.Changing the provider source from one namespace to another (e.g., hashicorp/aws to mycompany/aws).
AnswersA, D, E

Registry change is a source change.

Why this answer

Options A, D, and E are correct. Replacing a provider is needed when the source changes (e.g., from community to official, after a namespace migration, or moving between registries). Option B is wrong because changing the provider version does not require replace-provider; use version constraints and 'terraform init -upgrade'. Option C is wrong because changing provider configuration (e.g., region) does not change the provider identity in state.

43
MCQmedium

An organization wants to use Terraform to manage resources across multiple accounts and regions, with different team members responsible for different environments. Which Terraform feature helps separate state and configuration for each environment?

A.Providers
B.Modules
C.Workspaces
D.Backends
AnswerC

Create separate state files for each environment.

Why this answer

Workspaces allow multiple state files within the same backend, isolating environments. Modules organize code but don't separate state. Providers define connectivity to cloud providers.

Backends store state but don't inherently separate environments.

44
MCQhard

An organization uses Terraform Cloud with a VCS-backed workspace connected to a GitHub repository. They want to trigger a speculative plan without creating a run (i.e., without costing compute resources or being displayed in the workspace). Which approach is appropriate?

A.Push a new commit to the GitHub repository with a 'plan' label.
B.Use the 'plan -out' flag with a special path to avoid creating a run.
C.Use the Terraform Cloud API to queue a plan with 'auto-apply' disabled.
D.Run 'terraform plan' from a local CLI configured with the same workspace and a remote backend.
AnswerD

Local CLI plans do not create runs in Terraform Cloud by default.

Why this answer

Option D is correct because running 'terraform plan' from a local CLI that is configured with the same workspace and a remote backend will produce a speculative plan that is displayed locally and does not create a run in Terraform Cloud by default. Option A is wrong because VCS pushes create formal runs. Option C is wrong because the API creates runs. Option B is wrong because there is no built-in '--speculative' flag.

45
MCQmedium

An organization uses Terraform to provision infrastructure and then Ansible to configure it. They want to pass dynamic IP addresses from Terraform to Ansible. What is a recommended approach?

A.Use environment variables in the pipeline to pass IP addresses.
B.Use the terraform_remote_state data source in a dummy Terraform configuration.
C.Store outputs in Consul KV store and have Ansible read from there.
D.Use terraform output -json and parse it in Ansible as an inventory.
AnswerD

Output JSON can be consumed by Ansible.

Why this answer

Option D is correct because Terraform can output values as JSON and Ansible can read them. Option A is wrong because environment variables are not suitable for complex data. Option B is wrong because the remote state data source is for other Terraform workspaces, not Ansible. Option C is wrong because the Consul KV store adds unnecessary complexity.

46
MCQhard

A DevOps team manages infrastructure for a large e-commerce platform using Terraform with a remote backend in an S3 bucket with DynamoDB state locking. Recently, a team member ran `terraform apply` from their local machine but the command failed with the error: 'Error acquiring the state lock: ConditionalCheckFailedException: The conditional request failed'. The state file is not locked according to the DynamoDB table. After investigation, the team finds that the DynamoDB table has a TTL attribute enabled on the 'LockID' field, and old lock records are automatically deleted after a few minutes. The team suspects that another engineer's `terraform plan` process from a CI/CD pipeline might have created a lock that was subsequently deleted by TTL before it was released, causing the conflict. Which action should the team take to prevent this issue from recurring?

A.Switch to using local state files to avoid the locking issue entirely.
B.Disable the TTL attribute on the DynamoDB table that stores lock information.
C.Increase the TTL value to 24 hours to ensure locks are not deleted during normal operations.
D.Use `terraform force-unlock` before each `terraform apply` to clear any stale locks.
AnswerB

TTL should not be used on state lock tables; manual cleanup if needed.

Why this answer

Disabling TTL on the DynamoDB table ensures that lock records are not automatically deleted, so the state locking mechanism works correctly. Option C is wrong because increasing the TTL still risks deletion before release. Option D is wrong because `force-unlock` is a reactive measure, not preventive. Option A is wrong because using local state would lose locking and central management.

47
MCQeasy

A developer wants to use a module from the Terraform Registry in their configuration. Which block is required in the root module?

A.module "my-module" { source = "..." }
B.resource "my-module" { ... }
C.provider "my-module" { source = "..." }
D.data "my-module" { ... }
AnswerA

Correct syntax for calling a module.

Why this answer

Option A is correct because modules are called using the 'module' block with a 'source' argument. Option C is a provider block used for providers. Option D is a data source. Option B is a resource block.

48
MCQeasy

A team is migrating from using local state to a remote backend for collaboration. They want to ensure that team members cannot overwrite each other's changes. Which feature should they enable?

A.State locking (e.g., DynamoDB)
B.S3 bucket versioning
C.Force unlock command
D.Workspace isolation
AnswerA

Locking prevents simultaneous applies.

Why this answer

State locking prevents concurrent modifications by ensuring that only one operation can modify the Terraform state at a time. When using a remote backend like S3 with DynamoDB, Terraform acquires a lock before writing to the state file and releases it after completion, preventing race conditions and state corruption.

Exam trap

HashiCorp often tests the distinction between state locking (preventing concurrent writes) and state versioning (enabling rollback), causing candidates to confuse S3 versioning as a solution for overwrite prevention.

How to eliminate wrong answers

Option B is wrong because S3 bucket versioning tracks changes and allows recovery of previous state versions, but does not prevent concurrent writes or overwrites. Option C is wrong because the force unlock command is a manual override to release a stuck lock, not a feature to prevent overwrites. Option D is wrong because workspace isolation separates state files for different environments but does not coordinate access within the same workspace.

49
MCQhard

During a `terraform apply`, the operation fails mid-way due to a network outage, leaving some resources created. The operator wants to resume applying from where it left off without destroying the already-created resources. What should they do?

A.Run terraform apply again
B.Run terraform destroy and then apply
C.Run terraform refresh
D.Run terraform apply -auto-approve
AnswerA

Idempotent; creates missing resources.

Why this answer

Option A is correct because Terraform uses a state file to track the resources it manages. When `terraform apply` fails mid-way, the state file is updated to reflect the resources that were successfully created. Running `terraform apply` again will cause Terraform to compare the current state with the configuration, detect that the already-created resources exist, and proceed to create only the remaining resources, effectively resuming from where it left off without destroying anything.

Exam trap

The trap here is that candidates may think a failed apply requires a full destroy or refresh, but Terraform's state-driven design allows idempotent resumption, and the exam tests understanding that `terraform apply` is the correct command to re-run after any partial failure.

How to eliminate wrong answers

Option B is wrong because `terraform destroy` would delete all resources, including those already created, which defeats the goal of resuming without destruction. Option C is wrong because `terraform refresh` only updates the state file to match real-world infrastructure; it does not create any resources or resume a failed apply. Option D is wrong because `terraform apply -auto-approve` simply skips the interactive approval prompt; it does not change the core behavior of the apply command and would still work correctly, but the key issue is that the operator must run `terraform apply` again, and the `-auto-approve` flag is irrelevant to the question's focus on resuming without destruction.

50
MCQhard

A CI/CD pipeline runs 'terraform plan' and needs to automatically approve only if no resources will be destroyed. Which approach should be used?

A.Run 'terraform apply -auto-approve' after a successful plan.
B.Run 'terraform plan -destroy' and check the exit code.
C.Run 'terraform fmt' to check for formatting issues.
D.Run 'terraform validate' to ensure no destroys are needed.
E.Run 'terraform plan -out=plan.tfplan', then 'terraform show -json plan.tfplan' and parse the output for destroy actions.
AnswerE

Correctly parses the plan to detect destroy actions.

Why this answer

Option E is correct because 'terraform show -json plan.tfplan' outputs the plan in JSON format, which can be parsed to detect destroy actions. Option B is wrong because the '-destroy' flag always shows destroy actions, so it is not a detection method. Option A is wrong because auto-approve would apply without checking. Option D is wrong because validate only checks syntax, not changes. Option C is wrong because fmt only formats code.

51
MCQmedium

A developer accidentally deleted a resource from the Terraform state file using 'terraform state rm'. The resource still exists in the cloud provider. How can the developer re-import the resource without affecting other resources?

A.Re-run 'terraform apply' to recreate the resource.
B.Use 'terraform state push' with a previous state backup.
C.Run 'terraform refresh' to discover and add the resource.
D.Use 'terraform import' with the resource address and ID.
AnswerD

Import adds the resource back to state.

Why this answer

Option D is correct because 'terraform import' can re-import the specific resource using its ID. Option A is wrong because 'terraform apply' with existing state would try to create the resource, potentially conflicting. Option C is wrong because 'terraform refresh' would not add the resource; it only updates existing state. Option B is wrong because 'terraform state push' is for pushing a state file, not importing.

52
MCQhard

You are a platform engineer at a large e-commerce company that uses Terraform Enterprise to manage thousands of infrastructure resources across multiple teams. The company has a central 'networking' workspace that provisions shared VPCs and subnets, and several application workspaces that consume these networking resources via remote state data sources. Recently, the networking team changed the CIDR block of a shared subnet from '10.0.1.0/24' to '10.0.2.0/24' and applied the change successfully. However, the application teams are now reporting that their Terraform runs are failing with errors indicating that the subnet ID they reference does not exist. The application workspaces use the following configuration to consume the subnet:

```hcl
data "terraform_remote_state" "networking" {
  backend = "remote"
  config = {
    organization = "mycompany"
    workspaces = {
      name = "networking"
    }
  }
}

resource "aws_instance" "app" {
  subnet_id = data.terraform_remote_state.networking.outputs.subnet_id
  ...
}
```

The application workspaces have not been modified recently. The networking workspace output 'subnet_id' now contains the ID of the updated subnet. What is the most likely cause of the failures?

A.The application workspaces do not have permission to read the networking workspace's state.
B.The networking workspace output variable 'subnet_id' was removed or renamed.
C.The application workspaces are using a cached version of the remote state outputs and need to run 'terraform plan' to refresh.
D.The application workspaces need to update the remote state data source to reference the new subnet ID.
AnswerC

Terraform caches remote state data for the duration of a run; a new plan refreshes the data.

Why this answer

Option C is correct because Terraform caches remote state data during the planning phase, and the `terraform_remote_state` data source only fetches the latest state when `terraform plan` or `terraform apply` is executed. Since the application workspaces have not been modified or re-planned, they are using a stale cached version of the networking workspace's outputs, which still contains the old subnet ID. Running `terraform plan` forces a refresh of the remote state data, retrieving the updated `subnet_id` and resolving the error.

Exam trap

The trap here is that candidates may assume the remote state data source always reads the latest state on every run, when in fact Terraform caches the data from the last plan and only refreshes it during a new plan or apply operation.

How to eliminate wrong answers

Option A is wrong because if the application workspaces lacked permission to read the networking workspace's state, the error would be an authorization failure (e.g., 403 Forbidden), not a 'subnet ID does not exist' error. Option B is wrong because the scenario explicitly states that the networking workspace output 'subnet_id' now contains the ID of the updated subnet, meaning the output was not removed or renamed. Option D is wrong because the remote state data source configuration does not need to be updated; it already references the correct workspace and output name, and the issue is simply that the cached data is stale.

53
MCQ · medium

A company has a Terraform configuration that creates many AWS resources. They want to check the estimated cost of the plan before applying. Which approach should they use?

A. Use 'terraform plan -cost' command.
B. Manually use 'terraform show -json' and parse pricing.
C. Enable cost estimation in Terraform Cloud.
D. Use 'terraform validate' with a custom script.
Answer: C

Terraform Cloud can estimate costs for AWS resources.

Why this answer

Option C is correct because Terraform Cloud provides cost estimation as a built-in feature. Options A and D are not available. Option B is a manual analysis but not a built-in feature.

54
MCQ · easy

Which Terraform command is used to validate the syntax of configuration files without accessing any cloud provider?

A. terraform validate
B. terraform fmt
C. terraform plan
D. terraform init
Answer: A

Validates syntax and internal consistency without accessing providers.

Why this answer

`terraform validate` checks syntax and internal consistency of configuration files. `init` initializes backends and providers, `plan` accesses remote state, `fmt` formats code.

55
MCQ · easy

A developer wants to see the list of resources currently managed by Terraform in the state file. Which command should they use?

A. terraform graph
B. terraform output
C. terraform show
D. terraform state list
Answer: D

Lists all resources in the state file.

Why this answer

`terraform state list` lists all resources in the state. `output` shows outputs, `show` shows state or plan details, `graph` creates a dependency graph.

56
Multi-Select · medium

Which TWO of the following are valid use cases for using Terraform Cloud's Sentinel policies? (Choose two.)

Select 2 answers
A. Provide cost estimates for infrastructure changes
B. Enforce that all Terraform code follows a specific formatting style
C. Enforce that all AWS instances are of a specific type
D. Automatically rotate database passwords
E. Enforce that all resources have required tags
Answers: C, E

Sentinel can restrict resource attributes.

Why this answer

Option C is correct because Sentinel policies can enforce that all AWS instances are of a specific type by using a `validate` rule that checks the `aws_instance` resource's `instance_type` attribute against an allowed list. This is a common compliance use case for Sentinel in Terraform Cloud, where policy-as-code ensures infrastructure adheres to organizational standards before provisioning.

Exam trap

HashiCorp often tests the distinction between Sentinel's policy enforcement capabilities and other Terraform Cloud features (like cost estimation or formatting tools), so candidates mistakenly select options that are valid Terraform functions but not Sentinel use cases.

57
MCQ · medium

Based on the exhibit, what will happen to the existing Elastic IP (aws_eip.web_eip) when this plan is applied?

A. It will remain unchanged
B. It will be updated in-place
C. It will be created
D. It will be destroyed
Answer: D

The '-' symbol indicates destroy.

Why this answer

Option D is correct because the Terraform configuration shows that the `aws_eip.web_eip` resource is no longer defined in the configuration after the plan is applied. Terraform will detect that the resource exists in the state but is absent from the configuration, and by default, it will destroy the Elastic IP to reconcile the state with the configuration. This is standard Terraform behavior for resources removed from `.tf` files.

Exam trap

HashiCorp often tests the misconception that removing a resource from configuration leaves it unchanged in the cloud, but Terraform's default behavior is to destroy any resource not present in the configuration, unless lifecycle rules or `removed` blocks are used.

How to eliminate wrong answers

Option A is wrong because Terraform does not leave orphaned resources; if a resource is removed from the configuration, it will be destroyed unless explicitly protected with `prevent_destroy` or `lifecycle` settings. Option B is wrong because in-place updates occur only when the resource still exists in the configuration but has attribute changes; here the resource is entirely absent, so no update is possible. Option C is wrong because the resource already exists in the state (as indicated by the exhibit showing an existing Elastic IP), so Terraform will not create a new one; it will destroy the existing one.

58
MCQ · hard

A Terraform configuration uses a module from the public registry. After a provider update, the module's resources fail to create. What is the most probable cause?

A. The provider binary is corrupted
B. The state file is corrupted
C. The module is incompatible with the new provider version
D. The backend configuration is incorrect
Answer: C

Most likely cause; module may depend on removed or changed provider features.

Why this answer

Provider updates often introduce breaking changes, and modules may rely on older provider features. Incompatibility with a new provider version can cause failures. Other options are less likely.

59
Multi-Select · medium

Which TWO of the following are valid ways to use Terraform outside the core workflow (i.e., in automation or CI/CD pipelines)?

Select 2 answers
A. Using the Terraform CLI in a CI/CD pipeline with -auto-approve after a successful plan.
B. Using 'terraform state mv' to reorganize state files.
C. Using 'terraform init -from-module' to force module re-download.
D. Using the Terraform Cloud API to trigger runs and check results.
E. Using 'terraform graph' to generate visual output.
Answers: A, D

Common automation pattern.

Why this answer

Options A and D are correct. A uses the CLI with -auto-approve in a pipeline. D uses the Terraform Cloud API to trigger runs. B is for state migration. C is not a common pattern. E is a tool for visualization, not automation.

60
MCQ · easy

A developer runs `terraform plan` and it fails with a provider plugin error. Which command should they run first to resolve the issue?

A. terraform validate
B. terraform apply
C. terraform fmt
D. terraform init
Answer: D

Downloads required provider plugins and reinitializes the backend.

Why this answer

The `terraform init` command is the correct first step because it initializes the working directory, downloads the required provider plugins, and sets up the backend configuration. A provider plugin error typically indicates that the provider plugins are missing, outdated, or not properly installed, and `terraform init` resolves this by fetching the correct versions from the Terraform registry.

Exam trap

HashiCorp often tests the misconception that `terraform validate` can fix runtime errors, but candidates must remember that `validate` only checks syntax and schema, not the availability of external dependencies like provider plugins.

How to eliminate wrong answers

Option A is wrong because `terraform validate` checks the syntax and internal consistency of the configuration files but does not download or install provider plugins, so it cannot fix a missing or corrupted provider. Option B is wrong because `terraform apply` attempts to execute the plan and apply changes, but it will fail if the provider plugins are not available, and it is not designed to resolve plugin installation issues. Option C is wrong because `terraform fmt` only reformats the configuration files for consistent style and has no effect on provider plugin availability or installation.

61
MCQ · medium

Refer to the exhibit. A Terraform Cloud plan includes an EC2 instance of type 't2.medium'. The team uses Sentinel policies. Which action should they take to proceed?

A. Modify the Sentinel policy to allow t2.medium.
B. Disable the policy check for this run.
C. Change the instance type in the configuration to t2.micro or t2.small.
D. Override the policy in the run using Terraform Cloud UI.
Answer: C

Comply with the policy.

Why this answer

Option C is correct because the policy must be satisfied by using an allowed instance type. Options A, B, and D are not appropriate: A would change the policy, which may be against organization rules; B disables checks entirely; D implies an override, but the policy is enforced.

62
MCQ · medium

A team uses an S3 backend with DynamoDB for state locking. They notice that sometimes terraform plan fails because the state is locked. What is the best practice to handle this in an automated pipeline?

A. Serialize pipeline runs to avoid concurrent execution
B. Use force-unlock before each plan
C. Increase the lock timeout
D. Use -lock=false in the pipeline
Answer: A

Prevents concurrent runs, the root cause of locking conflicts.

Why this answer

The best practice is to prevent concurrent runs by serializing pipeline execution. Using -lock=false disables locking entirely, increasing lock timeout may help but doesn't address the root cause. force-unlock should only be used when the lock holder is known to have failed.

63
MCQ · easy

Which Terraform command is used to bring existing infrastructure that was created outside of Terraform under Terraform management?

A. terraform state push
B. terraform apply
C. terraform import
D. terraform refresh
Answer: C

Import is used to bring existing resources into Terraform state.

Why this answer

Option C is correct because 'terraform import' is specifically designed to import existing infrastructure into Terraform state. Option A is wrong because 'terraform state push' is for manually updating state. Option B is wrong because 'terraform apply' creates resources, not imports. Option D is wrong because 'terraform refresh' updates state but does not import new resources.

64
MCQ · easy

A user wants to see the current state of resources in a human-readable format without making changes. Which command should they use?

A. terraform output
B. terraform state list
C. terraform plan
D. terraform show
Answer: D

Displays current state in human-readable format.

Why this answer

Option D, `terraform show`, is correct because it displays the current state of managed resources in a human-readable format (defaulting to plain text) without making any changes. This command reads the state file directly and presents its contents, making it ideal for inspection and debugging. Unlike `terraform plan`, it does not generate an execution plan or propose modifications.

Exam trap

HashiCorp often tests the distinction between commands that inspect state (`terraform show`, `terraform state list`) versus those that generate plans or modify state, and the trap here is confusing `terraform plan` (which can show proposed changes) with a read-only view of the current state.

How to eliminate wrong answers

Option A is wrong because `terraform output` only shows the values of defined output variables, not the full state of all resources. Option B is wrong because `terraform state list` merely lists resource addresses in the state without displaying their attributes or configuration details. Option C is wrong because `terraform plan` creates an execution plan that compares current state with configuration and can propose changes, which is not a read-only view of the current state.

65
Multi-Select · medium

Which four of the following are valid ways to integrate Terraform into an automated pipeline or use it outside the core manual workflow? (Choose all that apply.)

Select 4 answers
A. Running `terraform plan` and `terraform apply` in a CI/CD pipeline using environment variables for backend configuration.
B. Using Terraform Cloud's API-driven run workflow to trigger plans and applies via a REST API call.
C. Invoking the Terraform binary with the `-auto-approve` flag in a script to skip interactive approval.
D. Using the `terraform output` command in a shell script to fetch infrastructure values for use by other tools.
E. Editing the `.tfstate` file directly to modify resource attributes before applying changes in automation.
F. Using `terraform init` with the `-from-module` flag to import existing infrastructure into state without a configuration file.

Why this answer

All four correct options represent valid methods for using Terraform outside the core interactive manual workflow. Running `terraform plan` and `terraform apply` in a CI/CD pipeline with environment variables for backend configuration is a standard automation pattern. Terraform Cloud's API-driven run workflow allows programmatic triggering of runs, which is essential for integration with external systems.

The `-auto-approve` flag skips the interactive approval prompt, enabling non-interactive execution in scripts. Using `terraform output` in shell scripts is a common way to extract and pass infrastructure data to downstream tools.

Exam trap

HashiCorp often tests the misconception that directly editing the state file or using non-existent flags like `-from-module` are valid automation techniques, when in fact Terraform strictly enforces state management through its CLI and API to prevent corruption and drift.

66
MCQ · hard

A Terraform practitioner wants to ensure that the access keys used by a provider are not visible in plan output. Which Terraform attribute should be used when defining the provider?

A. encrypted
B. sensitive
C. hidden
D. secret
Answer: B

Marks a variable as sensitive so its value is not displayed in CLI output.

Why this answer

The `sensitive` attribute on provider configuration (via variables) prevents values from being displayed in CLI output, including plan output. There is no `secret` or `hidden` attribute. `encrypted` is not a Terraform attribute for this purpose.

67
MCQ · easy

A team wants to import an existing AWS S3 bucket named 'my-bucket' into Terraform state. The resource block is defined as 'aws_s3_bucket.my_bucket'. Which command should be used?

A. terraform import my-bucket aws_s3_bucket.my_bucket
B. terraform import 'aws_s3_bucket.my_bucket' 'my-bucket'
C. terraform import aws_s3_bucket.my_bucket my-bucket
D. terraform import aws_s3_bucket.my-bucket my-bucket
Answer: C

Correct syntax and order.

Why this answer

Option C is correct because the import command syntax is 'terraform import <resource_address> <id>'. The resource address is 'aws_s3_bucket.my_bucket' and the ID is the bucket name 'my-bucket'. Option A has the wrong order. Option B is correct syntax but with unnecessary quotes. Option D uses a hyphen in the resource name. Option C is the standard syntax.

68
Matching · medium

Match each Terraform meta-argument to its purpose.

Concepts
Matches

Create multiple instances from one resource block

Create multiple instances from a map or set of strings

Explicitly specify hidden resource dependencies

Control resource creation/destruction behavior

Select a non-default provider configuration

Why these pairings

Meta-arguments are available across all resource types.

69
MCQ · easy

A DevOps team is integrating Terraform into a CI/CD pipeline using Jenkins. They want to ensure that the pipeline fails if the Terraform plan contains destructive changes. Which approach best achieves this?

A. Run terraform apply and parse the output for destroy messages.
B. Run terraform validate and check output for errors.
C. Run terraform destroy --target and fail if any resources are destroyed.
D. Run terraform plan -detailed-exitcode and fail pipeline if exit code is 2.
Answer: D

Exit code 2 means there are changes; pipeline can check this.

Why this answer

Option D is correct because `terraform plan -detailed-exitcode` returns exit code 2 if there are changes, allowing pipeline failure. Option A is wrong because `terraform apply` will apply changes, not just fail on destructive ones. Option B is wrong because `terraform validate` only checks syntax. Option C is wrong because `terraform destroy` destroys resources, so it is not suitable.

70
MCQ · medium

An organization uses Terraform Cloud for team collaboration. They have a workspace that manages production infrastructure. Due to a security policy, they must ensure that all changes go through a peer review process before they are applied. How can they enforce this requirement?

A. Enable 'apply on merge' and set the workspace to require approval before applying.
B. Require all changes to be submitted via a VCS pull request.
C. Use run triggers to automatically apply after a successful plan in another workspace.
D. Lock the workspace and only unlock it for approved changes.
Answer: A

This ensures that runs are created on merge and require explicit approval before apply.

Why this answer

Option A is correct because enabling 'apply on merge' combined with requiring approval before applying enforces a peer review process: changes must be merged via a VCS pull request (triggering the plan), and then a separate approval step is needed before Terraform Cloud applies the changes. This ensures that no change is applied without explicit human approval after the plan is reviewed.

Exam trap

The trap here is that candidates confuse 'requiring a VCS pull request' (option B) with enforcing peer review, but without the approval step, the apply can still happen automatically after merge, bypassing the intended review gate.

How to eliminate wrong answers

Option B is wrong because requiring all changes to be submitted via a VCS pull request alone does not enforce peer review before apply; it only ensures changes are proposed via PR, but the apply could still happen automatically without manual approval. Option C is wrong because run triggers automatically apply after a successful plan in another workspace, bypassing any peer review or approval step for the target workspace. Option D is wrong because locking the workspace and only unlocking it for approved changes is a manual, error-prone process that does not enforce a consistent peer review workflow and does not integrate with VCS or Terraform Cloud's native approval mechanisms.

71
MCQ · medium

A company uses Terraform with remote state stored in an S3 bucket. An operator accidentally runs 'terraform destroy' on a production workspace and wants to recover the state before the operation. What is the best course of action?

A. Re-run 'terraform apply' to recreate resources.
B. Restore the state file from a DynamoDB backup.
C. Use 'terraform state pull' to retrieve the last known state.
D. Restore the state file from the S3 bucket's versioning if enabled.
Answer: D

S3 versioning allows you to revert to a previous version of the state file.

Why this answer

Option D is correct because S3 versioning allows restoring previous versions of the state file. Option A is wrong because re-running apply would attempt to recreate resources using the current state, which is empty. Option B is wrong because DynamoDB is used for locking, not state storage. Option C is wrong because terraform state pull would retrieve the current (post-destroy) state.

72
Multi-Select · medium

Which TWO of the following are best practices when using Terraform in a CI/CD pipeline? (Choose two.)

Select 2 answers
A. Run terraform apply automatically after plan
B. Use version control for configurations
C. Store state in the source repository
D. Use remote state with locking
E. Use terraform import to manage existing resources
Answers: B, D

Tracks changes and enables collaboration.

Why this answer

Remote state with locking ensures consistency and prevents corruption. Version control tracks changes. Storing state in source repo is not secure. Auto-applying after plan is risky without approval. `terraform import` is for importing existing resources, not a CI/CD best practice.

73
MCQ · medium

A company wants to use Terraform to manage resources across AWS and Azure. They need a single workflow that can apply changes to both providers. What is the best practice?

A. Use separate Terraform configurations for each provider
B. Use Terraform Cloud workspaces with different providers
C. Use Terraform workspaces to separate providers
D. Define both providers in a single configuration
Answer: D

Allows unified workflow.

Why this answer

Option D is correct because Terraform allows multiple providers to be defined in a single configuration, enabling a unified workflow to manage resources across AWS and Azure. By declaring both providers in the same root module, a single `terraform apply` can create, update, or destroy resources from both clouds in the correct order, leveraging Terraform's dependency graph to handle cross-provider dependencies. This is the recommended best practice for multi-cloud management with a single workflow.

Exam trap

The trap here is that candidates confuse workspaces (which isolate state for different environments) with provider separation, leading them to choose option C, when in fact workspaces do not change the provider definitions in a configuration.

How to eliminate wrong answers

Option A is wrong because using separate configurations for each provider would require separate `terraform apply` runs, breaking the single workflow requirement and introducing manual coordination or external orchestration. Option B is wrong because Terraform Cloud workspaces are designed to manage multiple environments (e.g., dev, prod) with the same provider configuration, not to separate providers; using different workspaces for different providers would still require separate configurations or state files, not a single workflow. Option C is wrong because Terraform workspaces are a state isolation mechanism for the same configuration, not a way to separate providers; they cannot change which providers are used in a single configuration, and using workspaces to separate providers would still require multiple configurations or manual switching.

74
Multi-Select · medium

Which TWO of the following are benefits of using Terraform Cloud Run Tasks?

Select 2 answers
A. Integrate with third-party tools for security scanning.
B. Simplify state management by offloading to Terraform Cloud.
C. Provide an approval gate for manual intervention.
D. Enforce custom policies before allowing an apply.
E. Automatically reduce costs by identifying unused resources.
Answers: A, D

Run Tasks can call external services during runs.

Why this answer

Options A and D are correct. Run Tasks allow integration with third-party tools during the plan/apply phase (A), and they can enforce compliance checks before approval (D). Option B is wrong because they don't simplify state management. Option C is wrong because approval is separate. Option E is wrong because run tasks don't directly avoid costs.

75
Multi-Select · easy

Which THREE of the following are valid methods to manage Terraform state in a team environment? (Choose three.)

Select 3 answers
A. Storing state in a version control system
B. Using a remote backend like S3 with DynamoDB locking
C. Using Terraform workspaces with a remote backend
D. Storing state locally and sharing via network drive
E. Using Terraform Cloud to manage state
Answers: B, C, E

Standard team approach.

Why this answer

Option B is correct because using a remote backend like Amazon S3 with DynamoDB locking provides a centralized, durable, and consistent state storage solution. DynamoDB implements a distributed lock mechanism using conditional writes to prevent concurrent state modifications, ensuring state integrity in team environments.

Exam trap

HashiCorp often tests the misconception that version control systems like Git can safely manage Terraform state, but they lack the locking and atomicity required for concurrent team workflows.
