Hashicorp Terraform Cert Flashcards

Question

True or False: Provisioners should be used as a last resort

Answer 1

true. It is recommended to use inherent mechanisms within your infrastructure deployment to carry out custom tasks when possible

Answer 2

Terraform marks the resource against which the provisioner was to be run so it can be created again on the next run

Answer 3

A Creation Time

Answer 4

destruction - time provisioners can be determined because they have the “when” condition

Answer 5

The order they are listed

Answer 6

b. terraform.tfstate

Answer 7

var.my-var

Answer 8

d. in terraform.tfvars

Answer 9

c. sensitive

Answer 10

- string - number - boolean

Answer 11

- list - set - map - object - tuple

Answer 12

Output variables values are shown on the shell after running terraform apply

Answer 13

It maps real world resources to Terraform configuration

Answer 14

terraform.tfstate

Answer 15

C. prior to any modification operation

Answer 16

False: Terraform state helps boost deployment performance by caching resource attributes for subsequent use

Answer 17

The terraform state command is a utility for manipulating and reading the terraform state file

Answer 18

1. Advanced State Management 2. Manually removing a resource from the Terraform State file so it is not managed by terraform 3. Listing out tracked resources and their details

Answer 19

terraform state list

Answer 20

terraform state rm

Answer 21

terraform state show

Answer 22

to save / store terraform state locally on your system

Answer 23

locks state file so parallel executions don't coincide

Answer 24

False State locking is not supported by all remote state storage backends

Answer 25

A Terraform Module is a container for multiple resources that are used together

Answer 26

To make the terraform code reusable so it can be used elsewhere again and again

Answer 27

True It is called the Root Module and consists of code files in your main working directory

Answer 28

1. Terraform Public Registry 2. A Private Registry 3. Your Local System

Answer 29

False It is a best practice to require a specific version for the module to ensure that there aren't breaking changes when updating the modules

Answer 30

depends_on

Answer 31

C. module..

Answer 32

FALSE Terraform does not allow for User-defined functions, however this does apply to Built-In functions!

Answer 33

terraform-prod

Answer 34

helps insert files into resources

Answer 35

determines the max integer value from a provided list

Answer 36

Creates a singular list out of a provided set of lists

Answer 37

searches for whatever you've passed in a list of elements you pass in

Answer 38

Dynamic Blocks are constructed repeatable nested configuration blocks inside terraform resources

Answer 39

Resource, Data, Provider, and Provisioner

Answer 40

They make your code look cleaner

Answer 41

If you overuse them they can make your code hard to read and maintain

Answer 42

They expect a complex variable type to iterate over They act like for loops and output a nested block for each element in your variable

Answer 43

Only use Dynamic B locks when you need to hide detail in order to build a clearer user interface when writing reusable modules

Answer 44

Formats code for readability Helps in keeping code consistent

Answer 45

terraform fmt

Answer 46

Marks an existing resource, forcing it to be destroyed and recreated Modifies the state file which causes the recreation workflow

Answer 47

terraform taint RESOURCE_ADDRESS

Answer 48

Maps existing resources to Terraform using an “ID” Note: "ID” is dependent on the underlying vendor For example, to import an AWS EC2 instance you’ll need to provide its instance ID

Answer 49

terraform import RESOURCE_ADDRESS ID

Answer 50

Terraform Workspaces are alternate state files within the same working directory

Answer 51

creates a new terraform workspace

Answer 52

Selects a terraform workspace

Answer 53

- Test changes using a parallel, distinct copy of infrastructure - It can be modeled against branches in version control such as Git

Answer 54

A workspace name

Answer 55

terraform.tfstate.d

Answer 56

- Trace - DEBUG - INFO - WARN - ERROR

Answer 57

TF_LOG_PATH

Answer 58

True, its a policy language called Sentinel Language

Answer 59

C. Be approachable by non-programmers

Answer 60

after terraform plan and before terraform apply

Answer 61

- Sandboxing or Guardrails for Automation --- You can apply Sentinel policies against your Terraform code to sandbox your deployments - Codification or Easier Understanding, better collaboration --- it codifies the process of security enforcement in Terraform code - Version Control --- Shared across the organization - Testing and Automation --- Can help standardize security testing and automation right into your Terraform deployment pipeline as Sentinel automatically runs before your Terraform deployments

Answer 62

Essentially as Guardrails for Automation - You can apply Sentinel policies against your Terraform code to sandbox your deployments

Answer 63

It can help standardize security testing and automation right into your Terraform deployment pipeline as Sentinel automatically runs before your Terraform deployments

Answer 64

It can help standardize security testing and automation right into your Terraform deployment pipeline as Sentinel automatically runs before your Terraform deployments

Answer 65

- For enforcing CIS standards across AWS accounts - Checking to make sure only y3.micro instance types are used - Ensuring Security Groups do not allow traffic on Port 22

Answer 66

Its a Secrets Management Software that dynamically provisions credentials and rotates them. It encrypts sensitive data in transit and at rest and provides fine-grained access to secrets using ACLs

Answer 67

Crednetials Sprawl. They can be in multiple places, some not secure at all. Through vault you can manage and protect them very well.

Answer 68

- Developers don't need to manage long-lived credentials, making it more secure - You can Inject secrets into your Terraform deployment at runtime - Fine-grained ACLs for access to temporary credentials

Answer 69

Vault allows for storing your secrets in a centralized way and allows you to provide both temporary credentials for usage in your deployments, as well as provide encryption of data at rest and in transit

Answer 70

A repository of publicly available Terraform providers and modules

Answer 71

True, You cad declare a provider and it will automatically go grab it from the registry

Answer 72

Directories hosted in Terraform Cloud, think of it as directories for distinct deployments hosted in Cloud - no worrying about storage, segregation, or even security of your workspaces.

Answer 73

- Stores old versions of state files by default and can be shared between organizations - Maintains a record of all execution activity (allows for auditing and investigating deployments easier) - All Terraform commands are executed on "managed" Terraform Cloud VMs ( you can trigger deployments via a workspace's API or version control system triggers, like Github Actions, or even the Terraform Cloud user interface, and HashiCorp will execute your plan, apply, and init commands on their own hosted and managed VMs)

Answer 74

A Collaboration oriented Terraform Workflow: - remote Terraform Execution - Workspace based org model - Integration with Version Control Systems - Remote State management and CLI Integration - Private Terraform Module registry - Cost estimation and Sentinel Integration features

Answer 75

- The Terraform Configuration is on Disk for OSS Workspaces - The Terraform Configuration is In a linked version control repository or periodically uploaded via API/CLI

Answer 76

The Variable Values are stored as .tfvars, as CLI arguments, or in a shell env for OSS Workspace - The Variable Values are stored In the TF Cloud Workspace for Cloud Workspace

Answer 77

- The State is stored on disk or in a remote backend for OSS Workspace - The State is stored In the TF Cloud Workspace for Cloud Workspace

Answer 78

- The Credentials and Secrets are store in shell env or entered at prompts for OSS Workspace - The Credentials and Secrets are stored In TF Cloud workspace stores as sensitive variables for Cloud Workspace

Answer 79

`terraform force-unlock` or Another option is to use the `terraform state rm` command followed by the `terraform state push` command to forcibly overwrite the state on the remote backend, effectively removing the lock

Answer 80

B. Use of any resource belonging to a particular provider in a resource or data block in the configuration C. Existence of any resource instance belonging to a particular provider in the current state D. Explicit use of a provider block in configuration, optionally including a version constraint

Answer 81

Since a new provider has been introduced. terraform init needs to be run to download the infoblox plugin

Answer 82

Windows AIX Linux macOS Solaris

Answer 83

C. Terraform 1.2.3 D. Terraform 1.2.9 In a required_version parameter in Terraform, the tilde (~) symbol followed by the greater than symbol (>) specifies a "compatible with" version constraint. For example, if your Terraform configuration specifies required_version = "~> 1.12.0", Terraform will accept any version of Terraform 1.12 that is greater than or equal to version 1.12.0 and less than 1.13.0. In other words, Terraform will accept any version of Terraform 1.12 that is considered compatible with version 1.12.0.

Answer 84

The user wants to specify the minimum version of Terraform that is required to run the configuration

Answer 85

The same Terraform version that was used to perform the migration

Answer 86

`terraform get` `terraform init`

Answer 87

A. The registry uses tags to identify module versions. Release tag names must be for the format x.y.z, and can optionally be prefixed with a `v` B. The module must be on GitHub and must be a public repo D. Module repositories must use this three part name format `terraform--

Answer 88

The EC2 Instance labeled `web_server` The EC2 instance labeled web_server is the implicit dependency as the aws_eip cannot be created until the aws_instance labeled web_server has been provisioned and the id is available. Note that aws_s3_bucket.company_data is an explicit dependency for the aws_instance.web_server

Answer 89

In the Terraform public module registry

Answer 90

`terraform validate` It's recommended to run terraform validate before running terraform apply, to ensure that your Terraform code is valid and will not produce unexpected results.

Answer 91

Names that start with a number: 1_invalid_variable_name Names that contain spaces or special characters (other than underscores): invalid variable name Names that contain only numbers: 12345 Names that are the same as Terraform reserved words, such as var, module, data, count, etc.

Answer 92

B. Bitbucket Cloud C. GitHub Enterprise D. GitHub.com E. Azure DevOps Server

Answer 93

`terraform workspace select dev`

Answer 94

`terraform workspace new stage`

Answer 95

`terraform console`

Answer 96

These are where the variable declarations are created so Terraform is aware of these variables within the calling module

Answer 97

- .terraform directory: This directory contains local Terraform state files, which should not be committed to the repository. - terraform.tfstate and terraform.tfstate.backup: These files contain the current state of your infrastructure, and should not be committed to the repository. - tfvars files: These files may contain sensitive information, such as passwords or API keys, and should be kept out of version control. Instead, you can use environment variables or other secure methods to pass this information to Terraform. - *.tfplan files: These files contain the plan generated by Terraform when applying changes to your infrastructure, and may include sensitive information such as resource IDs. They should not be committed to the repository

Answer 98

required_providers

Answer 99

A .ssh B. wimrm

Answer 100

A. to execute one or more commands on the machine running Terraform C. To invoke a local executable

Answer 101

A. Provate Module Repo B. Private Network Connectivity C. Audit Loggs E. SAML/SSO

Answer 102

A. team management and governance

Answer 103

A. `app-cluster` is the child module B. `main.tf` is the calling module

Answer 104

A. interactively on the command line B. use the -backend-config=PATH to specify a seperate config file C. command-line key/value pairs

Answer 105

An API token`

Answer 106

the resource will be updated in place

Answer 107

State locking

Answer 108

resources A local value assigns a name to an expression, so you can use it multiple times within a module without repeating it.

Answer 109

A. Aaron's configuration file can deploy applications in both AWS and GCP C. The configuration file can deploy both QA and Staging infrastructure for applications D. the state file can be stores in Azure but provision applications in AWS There are a ton of benefits of deploying with Terraform and the solution is very capable of managing deployments across multiple clouds. However, state is still required and cannot be disabled.

Answer 110

the value of an input variable

Answer 111

B. update all previously installed plugins to the newest version that compiles with the configuration's version constraints The `-upgrade` will upgrade all previously-selected plugins to the newest version that complies with the configuration's version constraints. This will cause Terraform to ignore any selections recorded in the dependency lock file, and to take the newest available version matching the configured version constraints.

Answer 112

using the same provider with different configurations for different resources To create multiple configurations for a given provider, include multiple provider blocks with the same provider name. For each additional non-default configuration, use the alias meta-argument to provide an extra name segment.

Answer 113

C. none of the above When using sensitive values in your Terraform configuration, all of the configurations mentioned above will result in the sensitive value being written to the state file. Terraform stores the state as plain text, including variable values, even if you have flagged them as sensitive. Terraform needs to store these values in your state so that it can tell if you have changed them since the last time you applied your configuration.

Answer 114

A. consistent B. predictable C. idempotent E. repeatable

Answer 115

the resources that were successfully provisioned will remain as deployed During a terraform apply, any resources that are successfully provisioned are maintained as deployed. On the other hand, resources that failed during the provisioning process, such as a provisioned, will be tainted to be recreated during the next run.

Answer 116

resource block Based on the Terraform code provided in the question, the VPC is defined in a resource block, meaning that there is a VPC resource being defined, such as: resource "aws_vpc" "main" { cidr_block = var.base_cidr_block } If it were locals, the resource would be referred to as `local.aws_vpc` If it were in a data block, it would be referred to as `data.aws_vpc.i.main.id`

Answer 117

use the `-out` flag

Answer 118

Terraform will destroy all of the resources In this case, since there is a state file with resources, Terraform will match the desired state of no resources since the configuration file doesn't include any resources. Therefore, all resources defined in the state file will be destroyed.

Answer 119

Terraform would use the existing module already downloaded.

Answer 120

B. enables code reuse C. supports modules stored locally or remotely D. supports versioning to maintain compatibility

Answer 121

All possible data of a specific Amazon Machine Image(AMI) from AWS When you add a data block to your configuration, Terraform will retrieve all of the available data for that particular resource. It is then up to you to reference a specific attribute that can be exported from that data source. For example, if you include a data block for the aws_ami resource, Terraform will get a ton of attributes about that AMI that you can use elsewhere in your code Within the block body (between { and }) are query constraints defined by the data source. Most arguments in this section depend on the data source, and indeed in this example `most_recent`, `owners` and `tags` are all arguments defined specifically for the aws_ami data source.

Answer 122

Terraform will scan the VMware infrastructure, create a new state file, and compare the state to the configuration file to determine what resources should be created

Answer 123

A. kubernetes backend B. s3 backend (with DynamoDB) C. consul backend The etcd backend doesn't support state locking. While the local backend does support locking via system APIs, you can't use the local backend to share the state across your team.

Answer 124

B. credentials file C. environment variable Use a variable? Well, you could use a variable but that wouldn't really improve security here, since variable defaults or configurations are also stored in plaintext. On the remote system? I don't think this is even a viable option. The creds would need to be read by the local system that is executing Terraform

Answer 125

B. store in a remote backend that encrypts state at rest D. use the S3 backend using the `encrypt` option to ensure state is encrypted Replication? replicating the state file to another location won't prevent the original file from being accessed. Encryption? As of today, Terraform doesn't support any type of native encryption capability when writing and managing state.

Answer 126

A. provides the ability to version control the infrastructure and application architecture B. API-driven workflows D. enables self-service for developers and operators alike While Terraform can indeed help with the security of your applications, it won't guarantee it

Answer 127

if the resource was created inside of a module, then the module will require an output block to export that value. That said, output blocks that are created in a module aren't displayed on the Terraform CLI. Therefore, you need to create an output block in the parent/calling module to output the value while referencing the output in the module. Because of this, the correct answer requires you to create an output in the parent module and reference the output value from the module.

Answer 128

A. Terraform Enterprise C. Terraform OSS/CLI Terraform OSS and Terraform Enterprise are versions of Terraform that can be installed locally on your own servers, therefore giving you the ability to manage both the Terraform binary and the underlying operating system where Terraform runs. WRONG ANSWERS: Although Terraform Cloud for Business does offer Cloud Agents that could be used to provision resources on your local infrastructure on-premises, it is a hosted solution and you would NOT have full control over the operating system that runs the Terraform platform. Terraform Cloud (free) does not meet either of these use cases since you can't deploy to on-premises nor can you manage the underlying operating system since it's a hosted service.

Answer 129

True You can change your backend configuration at any time. You can change both the configuration itself as well as the type of backend (for example from "consul" to "s3"). Terraform will automatically detect any changes in your configuration and request a reinitialization. As part of the reinitialization process, Terraform will ask if you'd like to migrate your existing state to the new configuration. This allows you to easily switch from one backend to another.

Answer 130

B. all providers are automatically included when downloading Terraform Providers are treated as plugins for Terraform, and during a terraform init process, the required providers are downloaded to the local machine that is executing Terraform so they can be used. Therefore, not all providers are included with Terraform when you download the latest version from terraform.io.

Answer 131

True The terraform graph command is used to generate a visual representation of either a configuration or execution plan. The output is in the DOT format, which can be used by GraphViz to generate charts.

Answer 132

subnet = module.prod_subnet.subnet_id Using interpolation, you can reference the output of an exported value by using the following syntax: module.. Don't forget that before you can reference data/values from a module, the module has to have an output declared that references the desired value(s).

Answer 133

A. the default value will be found in the state file if no other value was set for the variable B. the variables marked as sensitive are still stored in the state file, even though the values are obfuscated form the CLI Output Beyond the value, you won't find the variable name or description in the state file because they are simply used on the development side of Terraform, and not the backend operational aspect of how Terraform works.

Answer 134

Since the variable was declared within the module, it cannot be referenced outside of the module When using modules, it's common practice to declare variables outside of the module and pass the value(s) to the child module when it is called by the parent/root module. However, it's perfectly acceptable to declare a variable inside of a module if you needed. Any variables declared inside of a module are only directly refrencable within that module. You can't directly reference that variable outside of the module. You can, however, create an output in the module to export any values that might be needed outside of the module.

Answer 135

each.value.ip Sort of testing two different things here - a complex map variable plus the for_each argument. A for_each argument will iterate over a map or set of strings and create a similar instance/resource for each item in the map or set. In our case, the map is the input variable and the "each" would be the higher-level map, so prod and dev. Underneath each value, there are two arguments, both az and ip that you can choose from. The input variable that is shown in this example is essentially a map of maps.

Answer 136

`A. `terraform state list` Running a terraform state list does not cause Terraform to refresh its state. This command simply reads the state file but it will not modify it.

Answer 137

True If a module or provider is marked as official, it is owned and maintained by HashiCorp themselves. There are other modules/providers available in the registry that are maintained by third-party partners, or even individuals. This also means that not all of the modules published to the Terraform registry are validated or verified by HashiCorp. Many folks will use the public module registry as a starting place to create their own custom modules needed to meet requirements.

Answer 138

True When you execute a terraform console command, you'll get this output: $ terraform console Acquiring state lock. This may take a few moments... >

Answer 139

B. execute your Terraform on infrastructure either locally or in Terraform Cloud Using an enhanced storage backend allows you to execute your Terraform on infrastructure either locally or in Terraform Cloud. Note that this enhanced storage backend term has now been deprecated by Terraform but it's likely to show up in the test for a while. See the note below from this site:

Answer 140

A. State Management B. Private Module Registry D. Remote Operations Single Sign-On is a feature of Terraform Enterprise and Terraform Cloud for Business.

Answer 141

Defined outside of Terraform Anytime you can configure these credentials outside of Terraform is your best choice. Environment variables would be the second most-secure choice here.

Answer 142

`terraform apply -replace`

Answer 143

`terraform state show aws_internet_gateway.demo`

Answer 144

`terraform apply -destroy` `terraform destroy`

Answer 145

`terraform validate`

Answer 146

`terrafrom init`

Answer 147

aws_subnet.private_subnets[*] You can reference all of the subnets created by this for_each by using a [*] at the end of the resource address like this aws_subnet.private_subnets[*]