Test Preparation

Question 1

The terraform.tfstate file always matches your currently built infrastructure.

A. True
B. False

Answer 1

B. False

Question 2

One remote backend configuration always maps to a single remote workspace.

A. True
B. False

Answer 2

A. True

Question 3

How is the Terraform remote backend different than other state backends such as S3, Consul, etc.?

A. It can execute Terraform runs on dedicated infrastructure on premises or in Terraform Cloud
B. It doesn’t show the output of a terraform apply locally
C. It is only available to paying customers
D. All of the above

Answer 3

A. It can execute Terraform runs on dedicated infrastructure on premises or in Terraform Cloud

Question 4

What is the workflow for deploying new infrastructure with Terraform?

A. terraform plan to import the current infrastructure to the state file, make code changes, and terraform apply to update the infrastructure.
B. Write a Terraform configuration, run terraform show to view proposed changes, and terraform apply to create new infrastructure.
C. terraform import to import the current infrastructure to the state file, make code changes, and terraform apply to update the infrastructure.
D. Write a Terraform configuration, run terraform init, run terraform plan to view planned infrastructure changes, and terraform apply to create new infrastructure.

Answer 4

D. Write a Terraform configuration, run terraform init, run terraform plan to view planned infrastructure changes, and terraform apply to create new infrastructure.

Question 5

A provider configuration block is required in every Terraform configuration.

Answer 5

False

Question 6

You run a local-exec provisioner in a null resource called null_resource.run_script and realize that you need to rerun the script. Which of the following commands would you use first?

A. terraform taint null_resource.run_script
B. terraform apply -target=null_resource.run_script
C. terraform validate null_resource.run_script
D. terraform plan -target=null_resource.run_script

Answer 6

A. terraform taint null_resource.run_script

Question 7

Which provisioner invokes a process on the resource created by Terraform?

A. remote-exec
B. null-exec
C. local-exec
D. file

Answer 7

A. remote-exec

Question 8

Which of the following is not true of Terraform providers?

A. Providers can be written by individuals
B. Providers can be maintained by a community of users
C. Some providers are maintained by HashiCorp
D. Major cloud vendors and non-cloud vendors can write, maintain, or collaborate on Terraform providers
E. None of the above

Answer 8

E. None of the above

Question 9

What command does Terraform require the first time you run it within a configuration directory?

A. terraform import
B. terraform init
C. terraform plan
D. terraform workspace

Answer 9

B. terraform init

Question 10

You have deployed a new webapp with a public IP address on a cloud provider. However, you did not create any outputs for your code. What is the best method to quickly find the IP address of the resource you deployed?

A. Run terraform output ip_address to view the result
B. In a new folder, use the terraform_remote_state data source to load in the state file, then write an output for each resource that you find the state file
C. Run terraform state list to find the name of the resource, then terraform state show to find the attributes including public IP address
D. Run terraform destroy then terraform apply and look for the IP address in stdout

Answer 10

C. Run terraform state list to find the name of the resource, then terraform state show to find the attributes including public IP address

Question 11

Which of the following is not a key principle of infrastructure as code?

A. Versioned infrastructure
B. Golden images
C. Idempotence
D. Self-describing infrastructure

Answer 11

B. Golden images

Question 12

Terraform variables and outputs that set the “description” argument will store that description in the state file.

A. True
B. False

Answer 12

B. False

Question 13

What is the provider for this fictitious resource?

resource "aws_vpc" "main" {
  name = "test"
}

A. vpc
B. main
C. aws
D. test

Answer 13

C. aws

Question 14

If you manually destroy infrastructure, what is the best practice reflecting this change in Terraform?

A. Run terraform refresh
B. It will happen automatically
C. Manually update the state file
D. Run terraform import

Answer 14

A. Run terraform refresh

Question 15

What is not processed when running terraform refresh?

A. State file
B. Configuration file
C. Credentials
D. Cloud provider

Answer 15

B. Configuration file

Question 16

What information does the public Terraform Module Registry automatically expose about published modules?

A. Required input variables
B. Optional inputs variables and default values
C. Outputs
D. All of the above
E. None of the above

Answer 16

D. All of the above

Question 17

If a module uses a local values, you can expose that value with terraform output.

A. True
B. False

Answer 17

A. True

Question 18

You should store secret data in the same version control repository as your Terraform configuration.

A. True
B. False

Answer 18

B. False

Question 19

Which of the following is not a valid string function in Terraform?

A. split
B. join
C. slice
D. chomp

Answer 19

C. slice

Question 20

You have provisioned some virtual machines (VMs) on Google Cloud Platform (GCP) using the gcloud command line tool. However, you are standardizing with Terraform and want to manage these VMs using Terraform instead.
What are the two things you must do to achieve this? (Choose two.)

A. Provision new VMs using Terraform with the same VM names
B. Use the terraform import command for the existing VMs
C. Write Terraform configuration for the existing VMs
D. Run the terraform import-gcp command

Answer 20

B. Use the terraform import command for the existing VMs
C. Write Terraform configuration for the existing VMs

Question 21

You have recently started a new job at a retailer as an engineer. As part of this new role, you have been tasked with evaluating multiple outages that occurred during peak shopping time during the holiday season. Your investigation found that the team is manually deploying new compute instances and configuring each compute instance manually. This has led to inconsistent configuration between each compute instance. How would you solve this using infrastructure as code?

A. Implement a ticketing workflow that makes engineers submit a ticket before manually provisioning and configuring a resource
B. Implement a checklist that engineers can follow when configuring compute instances
C. Replace the compute instance type with a larger version to reduce the number of required deployments
D. Implement a provisioning pipeline that deploys infrastructure configurations committed to your version control system following code reviews

Answer 21

D. Implement a provisioning pipeline that deploys infrastructure configurations committed to your version control system following code reviews

Question 22

terraform init initializes a sample main.tf file in the current directory.

A. True
B. False

Answer 22

B. False

Question 23

Which two steps are required to provision new infrastructure in the Terraform workflow? (Choose two.)

A. Destroy
B. Apply
C. Import
D. Init
E. Validate

Answer 23

B. Apply
D. Init

Question 24

Why would you use the terraform taint command?

A. When you want to force Terraform to destroy a resource on the next apply
B. When you want to force Terraform to destroy and recreate a resource on the next apply
C. When you want Terraform to ignore a resource on the next apply
D. When you want Terraform to destroy all the infrastructure in your workspace

Answer 24

B. When you want to force Terraform to destroy and recreate a resource on the next apply

Question 25

Terraform requires the Go runtime as a prerequisite for installation.

A. True
B. False

Answer 25

B. False

Question 26

When should you use the force-unlock command?

A. You see a status message that you cannot acquire the lock
B. You have a high priority change
C. Automatic unlocking failed
D. You apply failed due to a state lock

Answer 26

C. Automatic unlocking failed

Question 27

Terraform can import modules from a number of sources. Which of the following is not a valid source?

A. FTP server
B. GitHub repository
C. Local path
D. Terraform Module Registry

Answer 27

A. FTP server

Question 28

Which of the following is available only in Terraform Enterprise or Cloud workspaces and not in Terraform CLI?

A. Secure variable storage
B. Support for multiple cloud providers
C. Dry runs with terraform plan
D. Using the workspace as a data source

Answer 28

A. Secure variable storage

Question 29

terraform validate validates the syntax of Terraform files.

A. True
B. False

Answer 29

A. True

Question 30

You have used Terraform to create an ephemeral development environment in the cloud and are now ready to destroy all the infrastructure described by your Terraform configuration. To be safe, you would like to first see all the infrastructure that will be deleted by Terraform. Which command should you use to show all of the resources that will be deleted? (Choose two.)

A. Run terraform plan -destroy.
B. This is not possible. You can only show resources that will be created.
C. Run terraform state rm \*.
D. Run terraform destroy and it will first output all the resources that will be deleted before prompting for approval.

Answer 30

A. Run terraform plan -destroy.
D. Run terraform destroy and it will first output all the resources that will be deleted before prompting for approval.

Question 31

Which of the following is the correct way to pass the value in the variable num_servers into a module with the input servers?

A. servers = num_servers
B. servers = variable.num_servers
C. servers = var(num_servers)
D. servers = var.num_servers

Answer 31

D. servers = var.num_servers

Question 32

A Terraform provisioner must be nested inside a resource configuration block.

A. True
B. False

Answer 32

A. True

Question 33

Terraform can run on Windows or Linux, but it requires a Server version of the Windows operating system.

A. True
B. False

Answer 33

B. False

Question 34

What does the default local Terraform backend store?

A. tfplan files
B. Terraform binary
C. Provider plugins
D. State file

Answer 34

D. State file

Question 35

You have multiple team members collaborating on infrastructure as code (IaC) using Terraform, and want to apply formatting standards for readability.
How can you format Terraform HCL (HashiCorp Configuration Language) code according to standard Terraform style convention?

A. Run the terraform fmt command during the code linting phase of your CI/CD process
B. Designate one person in each team to review and format everyone’s code
C. Manually apply two spaces indentation and align equal sign “=” characters in every Terraform file (*.tf)
D. Write a shell script to transform Terraform files using tools such as AWK, Python, and sed

Answer 35

A. Run the terraform fmt command during the code linting phase of your CI/CD process

Question 36

What value does the Terraform Cloud/Terraform Enterprise private module registry provide over the public Terraform Module Registry?

A. The ability to share modules with public Terraform users and members of Terraform Enterprise Organizations
B. The ability to tag modules by version or release
C. The ability to restrict modules to members of Terraform Cloud or Enterprise organizations
D. The ability to share modules publicly with any user of Terraform

Answer 36

C. The ability to restrict modules to members of Terraform Cloud or Enterprise organizations

Question 37

Which task does terraform init not perform?

A. Sources all providers present in the configuration and ensures they are downloaded and available locally
B. Connects to the backend
C. Sources any modules and copies the configuration locally
D. Validates all required variables are present

Answer 37

D. Validates all required variables are present

Question 38

You have declared a variable called var.list which is a list of objects that all have an attribute id. Which options will produce a list of the IDs? (Choose two.)

A. { for o in var.list : o => o.id }
B. var.list[*].id
C. [ var.list[*].id ]
D. [ for o in var.list : o.id ]

Answer 38

B. var.list[*].id
D. [ for o in var.list : o.id ]

Question 39

Which argument(s) is (are) required when declaring a Terraform variable?

A. type
B. default
C. description
D. All of the above
E. None of the above

Answer 39

E. None of the above

Question 40

When using a module block to reference a module stored on the public Terraform Module Registry such as:
~~~
module “consul” {
source = “hashicorp/consul/aws”
}
~~~
How do you specify version 1.0.0?

A. Modules stored on the public Terraform Module Registry do not support versioning
B. Append ?ref=v1.0.0 argument to the source path
C. Add version = "1.0.0" attribute to module block
D. Nothing, modules stored on the public Terraform Module Registry always default to version 1.0.0

Answer 40

C. Add version = "1.0.0" attribute to module block

Question 41

What features does the hosted service Terraform Cloud provide? (Choose two.)

A. Automated infrastructure deployment visualization
B. Automatic backups
C. Remote state storage
D. A web-based user interface (UI)

Answer 41

C. Remote state storage
D. A web-based user interface (UI)

Question 42

Where does the Terraform local backend store its state?

A. In the /tmp directory
B. In the terraform file
C. In the terraform.tfstate file
D. In the user’s terraform.state file

Answer 42

C. In the terraform.tfstate file

Question 43

Which option can not be used to keep secrets out of Terraform configuration files?

A. A Terraform provider
B. Environment variables
C. A -var flag
D. secure string

Answer 43

D. secure string

Question 44

What is one disadvantage of using dynamic blocks in Terraform?

A. They cannot be used to loop through a list of values
B. Dynamic blocks can construct repeatable nested blocks
C. They make configuration harder to read and understand
D. Terraform will run more slowly

Answer 44

C. They make configuration harder to read and understand

Question 45

Only the user that generated a plan may apply it.

A. True
B. False

Answer 45

B. False

Question 46

Examine the following Terraform configuration, which uses the data source for an AWS AMI. What value should you enter for the ami argument in the AWS instance resource?

data "aws_ami "ubuntu" {
  ...
}

resource "aws_instance" "web" {
  ami = \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
	instance_type = "t2.micro"
	
	tags = {
	  name = "HelloWorld"
	}
}

A. aws_ami.ubuntu
B. data.aws_ami.ubuntu
C. data.aws_ami.ubuntu.id
D. aws_ami.ubuntu.id

Answer 46

C. data.aws_ami.ubuntu.id

Question 47

You need to specify a dependency manually. What resource meta-parameter can you use to make sure Terraform respects the dependency?

Answer 47

depends_on

Question 48

You have never used Terraform before and would like to test it out using a shared team account for a cloud provider. The shared team account already contains 15 virtual machines (VM). You develop a Terraform configuration containing one VM, perform terraform apply, and see that your VM was created successfully. What should you do to delete the newly-created VM with Terraform?

A. The Terraform state file contains all 16 VMs in the team account. Execute terraform destroy and select the newly-created VM.
B. The Terraform state file only contains the one new VM. Execute terraform destroy.
C. Delete the Terraform state file and execute terraform apply.
D. Delete the VM using the cloud provider console and terraform apply to apply the changes to the Terraform state file.

Answer 48

B. The Terraform state file only contains the one new VM. Execute terraform destroy.

Question 49

What is the name assigned by Terraform to reference this resource?

resource "azurerm_resource_group" "dev" {
  name = "test"
	location = "westus"
}

A. dev
B. azurerm_resource_group
C. azurerm
D. test

Answer 49

A. dev

Question 50

Setting the TF_LOG environment variable to DEBUG causes debug messages to be logged into syslog.

A. True
B. False

Answer 50

B. False

Question 51

Where in your Terraform configuration do you specify a state backend?

A. The terraform block
B. The resource block
C. The provider block
D. The datasource block

Answer 51

A. The terraform block

Question 52

In Terraform 0.13 and above, outside of the required_providers block, Terraform configurations always refer to providers by their local names.

A. True
B. False

Answer 52

A. True

Question 53

What command should you run to display all workspaces for the current configuration?

A. terraform workspace
B. terraform workspace show
C. terraform workspace list
D. terraform show workspace

Answer 53

C. terraform workspace list

Question 54

Terraform providers are always installed from the Internet.

A. True
B. False

Answer 54

B. False

Question 55

Which of these is the best practice to protect sensitive values in state files?

A. Blockchain
B. Secure Sockets Layer (SSL)
C. Enhanced remote backends
D. Signed Terraform providers

Answer 55

C. Enhanced remote backends

Question 56

When does terraform apply reflect changes in the cloud environment?

A. Immediately
B. However long it takes the resource provider to fulfill the request
C. After updating the state file
D. Based on the value provided to the -refresh command line argument
E. None of the above

Answer 56

B. However long it takes the resource provider to fulfill the request

Question 57

How would you reference the “name” value of the second instance of this fictitious resource?

resource "aws_instance" "web" {
  count = 2
	name = "terraform-${count.index}"
}

A. element(aws_instance.web, 2)
B. aws_instance.web[1].name
C. aws_instance.web[1]
D. aws_instance.web[2].name
E. aws_instance.web.*.name

Answer 57

B. aws_instance.web[1].name

Question 58

A Terraform provider is not responsible for:

A. Understanding API interactions with some service
B. Provisioning infrastructure in multiple clouds
C. Exposing resources and data sources based on an API
D. Managing actions to take based on resource differences

Answer 58

B. Provisioning infrastructure in multiple clouds

Question 59

Terraform provisioners can be added to any resource block.

A. True
B. False

Answer 59

A. True

Question 60

What is terraform refresh intended to detect?

A. Terraform configuration code changes
B. Empty state files
C. State file drift
D. Corrupt state files

Answer 60

C. State file drift

Question 61

Which flag would you add to terraform plan to save the execution plan to a file?

Answer 61

-out=FILENAME

Question 62

What is the name of the default file where Terraform stores the state?

Answer 62

terraform.tfstate

Question 63

A Terraform local value can reference other Terraform local values.

A. True
B. False

Answer 63

A. True

Question 64

Which of the following is not a valid Terraform collection type?

A. list
B. map
C. tree
D. set

Answer 64

C. tree

Question 65

When running the command terraform taint against a managed resource you want to force recreation upon, Terraform will immediately destroy and recreate the resource.

A. True
B. False

Answer 65

B. False

Question 66

All standard backend types support state storage, locking, and remote operations like plan, apply and destroy.

A. True
B. False

Answer 66

B. False

Question 67

How can terraform plan aid in the development process?

A. Validates your expectations against the execution plan without permanently modifying state
B. Initializes your working directory containing your Terraform configuration files
C. Formats your Terraform configuration files
D. Reconciles Terraform’s state against deployed resources and permanently modifies state using the current status of deployed resources

Answer 67

A. Validates your expectations against the execution plan without permanently modifying state

Question 68

You would like to reuse the same Terraform configuration for your development and production environments with a different state file for each. Which command would you use?

A. terraform import
B. terraform workspace
C. terraform state
D. terraform init

Answer 68

B. terraform workspace

Question 69

What is the name assigned by Terraform to reference this resource?

mainresouce "google_compute_instance" "main" {
  name = "test"
}

A. compute_instance
B. main
C. google
D. test

Answer 69

B. main

Question 70

You’re building a CI/CD (continuous integration/ continuous delivery) pipeline and need to inject sensitive variables into your Terraform run. How can you do this safely?

A. Pass variables to Terraform with a -var flag
B. Copy the sensitive variables into your Terraform code
C. Store the sensitive variables in a secure_vars.tf file
D. Store the sensitive variables as plain text in a source code repository

Answer 70

A. Pass variables to Terraform with a -var flag

Question 71

Your security team scanned some Terraform workspaces and found secrets stored in a plaintext in state files. How can you protect sensitive data stored in Terraform state files?

A. Delete the state file every time you run Terraform
B. Store the state in an encrypted backend
C. Edit your state file to scrub out the sensitive data
D. Always store your secrets in a secrets.tfvars file.

Answer 71

B. Store the state in an encrypted backend

Question 72

In contrast to Terraform Open Source, when working with Terraform Enterprise and Cloud Workspaces, conceptually you could think about them as completely separate working directories.

A. True
B. False

Answer 72

A. True

Question 73

You want to know from which paths Terraform is loading providers referenced in your Terraform configuration (*.tf files). You need to enable debug messages to find this out. Which of the following would achieve this?

A. Set the environment variable TF_LOG=TRACE
B. Set verbose logging for each provider in your Terraform configuration
C. Set the environment variable TF_VAR_log=TRACE
D. Set the environment variable TF_LOG_PATH

Answer 73

A. Set the environment variable TF_LOG=TRACE

Question 74

How is terraform import run?

A. As a part of terraform init
B. As a part of terraform plan
C. As a part of terraform refresh
D. By an explicit call
E. All of the above

Answer 74

D. By an explicit call

Question 75

You have a simple Terraform configuration containing one virtual machine (VM) in a cloud provider. You run terraform apply and the VM is created successfully. What will happen if you delete the VM using the cloud provider console, and run terraform apply again without changing any Terraform code?

A. Terraform will remove the VM from state file
B. Terraform will report an error
C. Terraform will not make any changes
D. Terraform will recreate the VM

Answer 75

D. Terraform will recreate the VM

Question 76

Which of these options is the most secure place to store secrets for connecting to a Terraform remote backend?

A. Defined in Environment variables
B. Inside the backend block within the Terraform configuration
C. Defined in a connection configuration outside of Terraform
D. None of above

Answer 76

A. Defined in Environment variables

Question 77

Your DevOps team is currently using the local backend for your Terraform configuration. You would like to move to a remote backend to begin storing the state file in a central location. Which of the following backends would not work?

A. Amazon S3
B. Artifactory
C. Git
D. Terraform Cloud

Answer 77

C. Git

Question 78

Which backend does the Terraform CLI use by default?

A. Terraform Cloud
B. Consul
C. Remote
D. Local

Answer 78

D. Local

Question 79

When you initialize Terraform, where does it cache modules from the public Terraform Module Registry?

A. On disk in the /tmp directory
B. In memory
C. On disk in the .terraform sub-directory
D. They are not cached

Answer 79

C. On disk in the .terraform sub-directory

Question 80

You write a new Terraform configuration and immediately run terraform apply in the CLI using the local backend. Why will the apply fail?

A. Terraform needs you to format your code according to best practices first
B. Terraform needs to install the necessary plugins first
C. The Terraform CLI needs you to log into Terraform cloud first
D. Terraform requires you to manually run terraform plan first

Answer 80

B. Terraform needs to install the necessary plugins first

Question 81

What feature stops multiple admins from changing the Terraform state at the same time?

A. Version control
B. Backend types
C. Provider constraints
D. State locking

Answer 81

D. State locking

Question 82

A fellow developer on your team is asking for some help in refactoring their Terraform code. As part of their application’s architecture, they are going to tear down an existing deployment managed by Terraform and deploy new. However, there is a server resource named aws_instance.ubuntu[1] they would like to keep to perform some additional analysis. What command should be used to tell Terraform to no longer manage the resource?

A. terraform apply rm aws_instance.ubuntu[1]
B. terraform state rm aws_instance.ubuntu[1]
C. terraform plan rm aws_instance.ubuntu[1]
D. terraform delete aws_instance.ubuntu[1]

Answer 82

B. terraform state rm aws_instance.ubuntu[1]

Question 83

Terraform can only manage resource dependencies if you set them explicitly with the depends_on argument.

A. True
B. False

Answer 83

B. False

Question 84

A terraform apply can not ________ infrastructure.

A. change
B. destroy
C. provision
D. import

Answer 84

D. import

Question 85

You need to constrain the GitHub provider to version 2.1 or greater.
Which of the following should you put into the Terraform 0.12 configuration’s provider block?

A. version >= 2.1
B. version ~> 2.1
C. version = "<= 2.1"
D. version = ">= 2.1"

Answer 85

D. version = ">= 2.1"

Question 86

You just scaled your VM infrastructure and realized you set the count variable to the wrong value. You correct the value and save your change.
What do you do next to make your infrastructure match your configuration?

A. Run an apply and confirm the planned changes
B. Inspect your Terraform state because you want to change it
C. Reinitialize because your configuration has changed
D. Inspect all Terraform outputs to make sure they are correct

Answer 86

A. Run an apply and confirm the planned changes

Question 87

Terraform provisioners that require authentication can use the ________ block.

A. connection
B. credentials
C. secrets
D. ssh

Answer 87

A. connection

Question 88

terraform validate reports syntax check errors from which of the following scenarios?

A. Code contains tabs indentation instead of spaces
B. There is missing value for a variable
C. The state files does not match the current infrastructure
D. None of the above

Answer 88

B. There is missing value for a variable

Question 89

Which of the following is allowed as a Terraform variable name?

A. count
B. name
C. source
D. version

Answer 89

B. name

Question 90

What type of block is used to construct a collection of nested configuration blocks?

A. for_each
B. repeated
C. nesting
D. dynamic

Answer 90

D. dynamic

Question 91

Module variable assignments are inherited from the parent module and do not need to be explicitly set.

A. True
B. False

Answer 91

B. False

Question 92

If writing Terraform code that adheres to the Terraform style conventions, how would you properly indent each nesting level compared to the one above it?

A. With four spaces
B. With a tab
C. With three spaces
D. With two spaces

Answer 92

D. With two spaces

Question 93

Which of the following is not an action performed by terraform init?

A. Create a sample main.tf file
B. Initialize a configured backend
C. Retrieve the source code for all referenced modules
D. Load required provider plugins

Answer 93

A. Create a sample main.tf file

Question 94

HashiCorp Configuration Language (HCL) supports user-defined functions.

A. True
B. False

Answer 94

B. False

Question 95

How can you trigger a run in a Terraform Cloud workspace that is connected to a Version Control System (VCS) repository?

A. Only Terraform Cloud organization owners can set workspace variables on VCS connected workspaces
B. Commit a change to the VCS working directory and branch that the Terraform Cloud workspace is connected to
C. Only members of a VCS organization can open a pull request against repositories that are connected to Terraform Cloud workspaces
D. Only Terraform Cloud organization owners can approve plans in VCS connected workspaces

Answer 95

B. Commit a change to the VCS working directory and branch that the Terraform Cloud workspace is connected to

Question 96

Terraform and Terraform providers must use the same major version number in a single configuration.

A. True
B. False

Answer 96

B. False

Question 97

Which statement describes a goal of infrastructure as code?

A. An abstraction from vendor specific APIs
B. Write once, run anywhere
C. A pipeline process to test and deliver software
D. The programmatic configuration of resources

Answer 97

D. The programmatic configuration of resources

Question 98

When using Terraform to deploy resources into Azure, which scenarios are true regarding state files? (Choose two.)

A. When a change is made to the resources via the Azure Cloud Console, the changes are recorded in a new state file
B. When a change is made to the resources via the Azure Cloud Console, Terraform will update the state file to reflect them during the next plan or apply
C. When a change is made to the resources via the Azure Cloud Console, the current state file will not be updated
D. When a change is made to the resources via the Azure Cloud Console, the changes are recorded in the current state file

Answer 98

B. When a change is made to the resources via the Azure Cloud Console, Terraform will update the state file to reflect them during the next plan or apply
C. When a change is made to the resources via the Azure Cloud Console, the current state file will not be updated

Question 99

You need to deploy resources into two different cloud regions in the same Terraform configuration. To do that, you declare multiple provider configurations as follows:

provider "aws" {
  region = "us-east-1"
}

provider "aws" {
  alias = "west"
	region = "us-west-2"
}

What meta-argument do you need to configure in a resource block to deploy the resource to the us-west-2 AWS region?

A. alias = west
B. provider = west
C. provider = aws.west
D. alias = aws.west

Answer 99

C. provider = aws.west

Question 100

You have declared an input variable called environment in your parent module. What must you do to pass the value to a child module in the configuration?

A. Add node_count = var.node_count
B. Declare the variable in a terraform.tfvars file
C. Declare a node_count input variable for child module
D. Nothing, child modules inherit variables of parent module

Answer 100

C. Declare a node_count input variable for child module

Question 101

If a module declares a variable with a default, that variable must also be defined within the module.

A. True
B. False

Answer 101

B. False

Question 102

Which option cannot be used to keep secrets out of Terraform configuration files?

A. Environment Variables
B. Mark the variable as sensitive
C. A Terraform provider
D. A -var flag

Answer 102

B. Mark the variable as sensitive

Question 103

Which of the following arguments are required when declaring a Terraform output?

A. sensitive
B. description
C. default
D. value

Answer 103

D. value

Question 104

Your risk management organization requires that new AWS S3 buckets must be private and encrypted at rest. How can Terraform Enterprise automatically and proactively enforce this security control?

A. With a Sentinel policy, which runs before every apply
B. By adding variables to each TFE workspace to ensure these settings are always enabled
C. With an S3 module with proper settings for buckets
D. Auditing cloud storage buckets with a vulnerability scanning too

Answer 104

A. With a Sentinel policy, which runs before every apply

Question 105

Most Terraform providers interact with ____________.

A. API
B. VCS Systems
C. Shell scripts
D. None of the above

Answer 105

A. API

Question 106

terraform validate validates that your infrastructure matches the Terraform state file.

A. True
B. False

Answer 106

B. False

Question 107

What does terraform import allow you to do?

A. Import a new Terraform module
B. Use a state file to import infrastructure to the cloud
C. Import provisioned infrastructure to your state file
D. Import an existing state file to a new Terraform workspace

Answer 107

C. Import provisioned infrastructure to your state file

Question 108

In the below configuration, how would you reference the module output vpc_id?

module "vpc" {
  source = "terraform-and-modules/vpc/aws"
  cidr = "10.0.0.0/16"
  name = "test-vpc"
}

Answer 108

module.vpc.vpc_id

Question 109

How would you reference the Volume IDs associated with the ebs_block_device blocks in this configuration?

resource "aws_instance" "example" {
  ami = "ami-abc123"
  instance_type = "t2.micro"

  ebs_block_device {
    device_name = "sda2"
    volume_size = 16
  }

  ebs_block_device {
    device_name = "sda3"
    volume_size = 20
  }
}

A. aws_instance.example.ebs_block_device.[*].volume_id
B. aws_instance.example.ebs_block_device.volume_id
C. aws_instance.example.ebs_block_device[sda2,sda3].volume_id
D. aws_instance.example.ebs_block_device.*.volume_id

Answer 109

D. aws_instance.example.ebs_block_device.*.volume_id

Question 110

What does state locking accomplish?

A. Copies the state file from memory to disk
B. Encrypts any credentials stored within the state file
C. Blocks Terraform commands from modifying the state file
D. Prevents accidental deletion of the state file

Answer 110

C. Blocks Terraform commands from modifying the state file

Question 111

You just upgraded the version of a provider in an existing Terraform project. What do you need to do to install the new provider?

A. Run terraform apply -upgrade
B. Run terraform init -upgrade
C. Run terraform refresh
D. Upgrade your version of Terraform

Answer 111

B. Run terraform init -upgrade

Question 112

A module can always refer to all variables declared in its parent module.

A. True
B. False

Answer 112

B. False

Question 113

When you use a remote backend that needs authentication, HashiCorp recommends that you:

A. Use partial configuration to load the authentication credentials outside of the Terraform code
B. Push your Terraform configuration to an encrypted git repository
C. Write the authentication credentials in the Terraform configuration files
D. Keep the Terraform configuration files in a secret store

Answer 113

A. Use partial configuration to load the authentication credentials outside of the Terraform code

Question 114

You have a simple Terraform configuration containing one virtual machine (VM) in a cloud provider. You run terraform apply and the VM is created successfully. What will happen if you terraform apply again immediately afterwards without changing any Terraform code?

A. Terraform will terminate and recreate the VM
B. Terraform will create another duplicate VM
C. Terraform will apply the VM to the state file
D. Nothing

Answer 114

D. Nothing

Question 115

A junior admin accidentally deleted some of your cloud instances. What does Terraform do when you run terraform apply?

A. Build a completely brand new set of infrastructure
B. Tear down the entire workspace infrastructure and rebuild it
C. Rebuild only the instances that were deleted
D. Stop and generate an error message about the missing instances

Answer 115

C. Rebuild only the instances that were deleted

Question 116

You have created a main.tf Terraform configuration consisting of an application server, a database, and a load balancer. You ran terraform apply and all resources were created successfully. Now you realize that you do not actually need the load balancer so you run terraform destroy without any flags What will happen?

A. Terraform will destroy the application server because it is listed first in the code
B. Terraform will prompt you to confirm that you want to destroy all the infrastructure
C. Terraform will destroy the main.tf file
D. Terraform will prompt you to pick which resource you want to destroy
E. Terraform will immediately destroy all the infrastructure

Answer 116

B. Terraform will prompt you to confirm that you want to destroy all the infrastructure

Question 117

Which type of block fetches or computes information for use elsewhere in a Terraform configuration?

A. provider
B. resource
C. local
D. data

Answer 117

D. data

Question 118

You have just developed a new Terraform configuration for two virtual machines with a cloud provider. You would like to create the infrastructure for the first time. Which Terraform command should you run first?

A. terraform apply
B. terraform plan
C. terraform show
D. terraform init

Answer 118

D. terraform init

Question 119

All modules published on the official Terraform Module Registry have been verified by HashiCorp.

A. True
B. False

Answer 119

B. False

Question 120

You have to initialize a Terraform backend before it can be configured.

A. True
B. False

Answer 120

B. False

Question 121

Which of the following does terraform apply change after you approve the execution plan? (Choose two.)

A. Cloud infrastructure
B. The .terraform directory
C. The execution plan
D. State file
E. Terraform code

Answer 121

A. Cloud infrastructure
D. State file

Question 122

A Terraform backend determines how Terraform loads state and stores updates when you execute ________.

A. apply
B. taint
C. destroy
D. All of the above
E. None of the above

Answer 122

E. None of the above

Question 123

What does Terraform use .terraform.lock.hcl file for?

A. Tracking provider dependencies
B. There is no such file
C. Preventing Terraform runs from occurring
D. Storing references to workspaces which are locked

Answer 123

D. Storing references to workspaces which are locked

Question 124

You’ve used Terraform to deploy a virtual machine and a database. You want to replace this virtual machine instance with an identical one without affecting the database. What is the best way to achieve this using Terraform?

A. Use the terraform state rm command to remove the VM from state file
B. Use the terraform taint command targeting the VMs then run terraform plan and terraform apply
C. Use the terraform apply command targeting the VM resources only
D. Delete the Terraform VM resources from your Terraform code then run terraform plan and terraform apply

Answer 124

B. Use the terraform taint command targeting the VMs then run terraform plan and terraform apply

Question 125

How do you specify a module’s version when publishing it to the public Terraform Module Registry?

A. The module’s configuration page on the Terraform Module Registry
B. Terraform Module Registry does not support versioning modules
C. The release tags in the associated repo
D. The module’s Terraform code

Answer 125

C. The release tags in the associated repo

Question 126

Terraform plan updates your state file.

A. True
B. False

Answer 126

B. False

Question 127

To check if all code in a Terraform configuration with multiple modules is properly formatted without making changes, what command should be run?

A. terraform fmt -check
B. terraform fmt -write-false
C. terraform fmt list -recursive
D. terraform fmt -check -recursive

Answer 127

D. terraform fmt -check -recursive

Question 128

As a member of the operations team, you need to run a script on a virtual machine created by Terraform. Which provision is best to use in your Terraform code?

A. null-exec
B. local-exec
C. remote-exec
D. file

Answer 128

C. remote-exec

Question 129

You are using a networking module in your Terraform configuration with the name label my_network. In your main configuration you have the following code:

output: "net_id" {
  value = module.my_network.vnet_id
}

When you run terraform validate, you get the following error:

Error: Reference to undeclared output value

  on main.tf line 12, in output "net_id":
  12: value = module.my_network.vnet_id

What must you do to successfully retrieve this value from your networking module?

A. Define the attribute vnet_id as a variable in the networking module
B. Change the referenced value to module.my_network.outputs.vnet_id
C. Define the attribute vnet_id as an output in the networking module
D. Change the referenced value to my_network.outputs.vnet_id

Answer 129

D. Change the referenced value to my_network.outputs.vnet_id

Question 130

You are writing a child Terraform module which provisions an AWS instance. You want to make use of the IP address returned in the root configuration. You name the instance resource “main”. Which of these is the correct way to define the output value using HCL2?

A.
~~~
output “instance_ip_addr {
value = “${aws_instance.main.private_ip}”
}
~~~
B.
~~~
output “instance_ip_addr {
return aws_instance.main.private_ip
}
~~~

Answer 130

A.
~~~
output “instance_ip_addr {
value = “${aws_instance.main.private_ip}”
}
~~~

Question 131

How can a ticket-based system slow down infrastructure provisioning and limit the ability to scale? (Choose two.)

A. A full audit trail of the request and fulfillment process is generated
B. A request must be submitted for infrastructure changes
C. As additional resources are required, more tickets are submitted
D. A catalog of approved resources can be accessed from drop down lists in a request form

Answer 131

B. A request must be submitted for infrastructure changes
C. As additional resources are required, more tickets are submitted

Question 132

Which of the following statements about Terraform modules is not true?

A. Modules must be publicly accessible
B. Modules can be called multiple times
C. Module is a container for one or more resources
D. Modules can call other modules

Answer 132

A. Modules must be publicly accessible

Question 133

Which Terraform collection type should you use to store key/value pairs?

A. tuple
B. set
C. map
D. list

Answer 133

C. map

Question 134

You have used Terraform to create an ephemeral development environment in the cloud and are now ready to destroy all the infrastructure described by your Terraform configuration. To be safe, you would like to first see all the infrastructure that will be deleted by Terraform. Which command should you use to show all of the resources that will be deleted? (Choose two.)

A. Run terraform plan -destroy
B. Run terraform show -destroy
C. Run terraform destroy and it will first output all the resources that will be deleted before prompting for approval
D. Run terraform show -destroy

Answer 134

A. Run terraform plan -destroy
C. Run terraform destroy and it will first output all the resources that will be deleted before prompting for approval

Question 135

When do you need to explicitly execute terraform refresh?

A. Before every terraform plan
B. Before every terraform apply
C. Before every terraform import
D. None of the above

Answer 135

D. None of the above

Question 136

All Terraform Cloud tiers support team management and governance.

A. True
B. False

Answer 136

B. False

Question 137

What advantage does an operations team that uses infrastructure as code have?

A. The ability to delete infrastructure
B. The ability to update existing infrastructure
C. The ability to reuse best practice configurations and settings
D. The ability to autoscale a group of servers

Answer 137

C. The ability to reuse best practice configurations and settings

Question 138

You have modified your Terraform configuration to fix a typo in the Terraform ID of a resource from aws_security_group.http to aws_security_group.http

Original Configuration:

resource "aws_security_group" "htp" {
  name = "http"
  ingress {
    from_port = "80"
    to_port = "80"
    protocol = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
	}
}

Updated Configuration:
~~~
resource “aws_security_group” “http” {
name = “http”
ingress {
from_port = “80”
to_port = “80”
protocol = “tcp”
cidr_blocks = [“0.0.0.0/0”]
}
}
~~~
Which of the following commands would you run to update the ID in state without destroying the resource?

A. terraform mv aws_security_group.htp aws_security_group.http
B. terraform apply
C. terraform refresh

Answer 138

A. terraform mv aws_security_group.htp aws_security_group.http

Question 139

You are creating a Terraform configuration which needs to make use of multiple providers, one for AWS and one for Datadog. Which of the following provider blocks would allow you to do this?

A.
~~~
provider {
“aws” {
profile = var.aws_profile
region = var.aws_region
}
“datadog” {
api_key = var.datadog_api_key
app_key = var.datadog_app_key
}
}

B.

provider “aws” {
profile = var.aws_profile
region = var.aws_region
}
provider “datadog” {
api_key = var.datadog_api_key
app_key = var.datadog_app_key
}
~~~
C.
~~~
terraform {
provider “aws” {
profile = var.aws_profile
region = var.aws_region
}
provider “datadog” {
api_key = var.datadog_api_key
app_key = var.datadog_app_key
}
}
~~~

Answer 139

B.
~~~
provider “aws” {
profile = var.aws_profile
region = var.aws_region
}
provider “datadog” {
api_key = var.datadog_api_key
app_key = var.datadog_app_key
}
~~~

Question 140

Terraform variable names are saved in the state file.

A. True
B. False

Answer 140

B. False

Question 141

Terraform Cloud is available only as a paid offering from HashiCorp.

A. True
B. False

Answer 141

B. False

Question 142

Which of the following is not a way to trigger terraform destroy?

A. Using the destroy command with auto-approve
B. Running terraform destroy from the correct directory and then typing “yes” when prompted in the CLI
C. Passing –destroy at the end of a plan request
D. Delete the state file and run terraform apply

Answer 142

C. Passing –destroy at the end of a plan request
D. Delete the state file and run terraform apply

Question 143

Which of the following is not an advantage of using infrastructure as code operations?

A. Self-service infrastructure deployment
B. Troubleshoot via a Linux diff command
C. Public cloud console configuration workflows
D. Modify a count parameter to scale resources
E. API driven workflows

Answer 143

C. Public cloud console configuration workflows

Question 144

You’re writing a Terraform configuration that needs to read input from a local file called id_rsa.pub. Which built-in Terraform function can you use to import the file’s contents as a string?

A. fileset("id_rsa.pub")
B. filebase64("id_rsa.pub")
C. templatefile("id_rsa.pub")
D. file("id_rsa.pub")

Answer 144

D. file("id_rsa.pub")

Question 145

What does Terraform use providers for? (Choose three.)

A. Provision resources for on-premises infrastructure services
B. Simplify API interactions
C. Provision resources for public cloud infrastructure services
D. Enforce security and compliance policies
E. Group a collection of Terraform configuration files that map to a single state file

Answer 145

A. Provision resources for on-premises infrastructure services
B. Simplify API interactions
C. Provision resources for public cloud infrastructure services

Question 146

You can reference a resource created with for_each using a Splat (*) expression.

A. True
B. False

Answer 146

B. False

Question 147

How does Terraform determine dependencies between resources?

A. Terraform automatically builds a resource graph based on resources, provisioners, special meta-parameters, and the state file, if present.
B. Terraform requires all dependencies between resources to be specified using the depends_on parameter
C. Terraform requires resources in a configuration to be listed in the order they will be created to determine dependencies
D. Terraform requires resource dependencies to be defined as modules and sourced in order

Answer 147

A. Terraform automatically builds a resource graph based on resources, provisioners, special meta-parameters, and the state file, if present.

Question 148

Which parameters does terraform import require? (Choose two.)

A. Path
B. Provider
C. Resource ID
D. Resource address

Answer 148

C. Resource ID
D. Resource address

Question 149

Once a new Terraform backend is configured with a Terraform code block, which command(s) is (are) used to migrate the state file?

A. terraform apply
B. terraform push
C. terraform destroy, then terraform apply
D. terraform init

Answer 149

D. terraform init

Question 150

What does this code do?

terraform {
  required_providers {
    aws = "~> 3.0"
  }
}

A. Requires any version of the AWS provider >= 3.0 and < 4.0
B. Requires any version of the AWS provider >= 3.0
C. Requires any version of the AWS provider after the 3.0 major release, like 4.1
D. Requires any version of the AWS provider > 3.0

Answer 150

A. Requires any version of the AWS provider >= 3.0 and < 4.0