Module version is required to reference a module on the Terraform Module Registry.
- A . True
- B . False
B
Explanation:
Module version is optional to reference a module on the Terraform Module Registry. If you omit the version constraint, Terraform will automatically use the latest available version of the module
You ate creating a Terraform configuration which needs to make use of multiple providers, one for AWS and one for Datadog.
Which of the following provider blocks would allow you to do this?
A)
B)
C)
D)
- A . Option A
- B . Option B
- C . Option C
- D . Option D
C
Explanation:
Option C is the correct way to configure multiple providers in a Terraform configuration. Each provider block must have a name attribute that specifies which provider it configures2. The other options are either missing the name attribute or using an invalid syntax.
terraform validate confirms that your infrastructure matches the Terraform state file.
- A . True
- B . False
B
Explanation:
terraform validate does not confirm that your infrastructure matches the Terraform state file. It only checks whether the configuration files in a directory are syntactically valid and internally consistent3. To confirm that your infrastructure matches the Terraform state file, you need to use terraform plan or terraform apply with the -refresh-only option.
Which command must you first run before performing further Terraform operations in a working directory?
- A . terraform import
- B . terraform workspace
- C . terraform plan
- D . terraform init
D
Explanation:
terraform init is the first command that should be run after writing a new Terraform configuration or cloning an existing one from version control. It initializes a working directory containing Terraform configuration files and downloads any required providers and modules. The other commands are used for different purposes, such as importing existing resources, switching between workspaces, generating execution plans, etc.
A developer accidentally launched a VM (virtual machine) outside of the Terraform workflow and ended up with two servers with the same name. They don’t know which VM Terraform manages but do have a list of all active VM IDs.
Which of the following methods could you use to discover which instance Terraform manages?
- A . Run terraform state list to find the names of all VMs, then run terraform state show for each of them to find which VM ID Terraform manages
- B . Update the code to include outputs for the ID of all VMs, then run terraform plan to view the outputs
- C . Run terraform taint/code on all the VMs to recreate them
- D . Use terraform refresh/code to find out which IDs are already part of state
A
Explanation:
The terraform state list command lists all resources that are managed by Terraform in the current state file1. The terraform state show command shows the attributes of a single resource in the state file2. By using these two commands, you can compare the VM IDs in your list with the ones in the state file and identify which one is managed by Terraform.
When does Sentinel enforce policy logic during a Terraform Cloud run?
- A . Before the plan phase
- B . During the plan phase
- C . Before the apply phase
- D . After the apply phase
C
Explanation:
Sentinel policies are checked after the plan stage of a Terraform run, but before it can be confirmed or the terraform apply is executed3. This allows you to enforce rules on your infrastructure before it is created or modified.
You have provisioned some virtual machines (VMs) on Google Cloud Platform (GCP) using the gcloud command line tool. However, you are standardizing with Terraform and want to manage these VMs using Terraform instead.
What are the two things you must do to achieve this? Choose two correct answers.
- A . Run the terraform Import-gcp command
- B . Write Terraform configuration for the existing VMs
- C . Use the terraform import command for the existing VMs
- D . Provision new VMs using Terraform with the same VM names
BC
Explanation:
To import existing resources into Terraform, you need to do two things1:
Write a resource configuration block for each resource, matching the type and name used in your state file.
Run terraform import for each resource, specifying its address and ID. There is no such command as terraform Import-gcp, and provisioning new VMs with the same names will not import them into Terraform.
Which of the following ate advantages of using infrastructure as code (laC) instead of provisioning with a graphical user interface (GUI)? Choose two correct answers.
- A . Lets you version, reuse, and share infrastructure configuration
- B . Provisions the same resources at a lower cost
- C . Secures your credentials
- D . Reduces risk of operator error
- E . Prevents manual modifications to your resources
AD
Explanation:
It lets you version, reuse, and share infrastructure configuration as code files, which can be stored in a source control system and integrated with your CI/CD pipeline.
It reduces risk of operator error by automating repetitive tasks and ensuring consistency across environments. IaC does not necessarily provision resources at a lower cost, secure your credentials, or prevent manual modifications to your resources – these depend on other factors such as your cloud provider, your security practices, and your access policies.
Outside of the required_providers block, Terraform configurations always refer to providers by their local names.
- A . True
- B . False
B
Explanation:
Outside of the required_providers block, Terraform configurations can refer to providers by either their local names or their source addresses. The local name is a short name that can be used throughout the configuration, while the source address is a global identifier for the provider in the format registry.terraform.io/namespace/type.
For example, you can use either aws or registry.terraform.io/hashicorp/aws to refer to the AWS provider.
Terraform providers are always installed from the Internet.
- A . True
- B . False
B
Explanation:
Terraform providers are not always installed from the Internet. There are other ways to install provider plugins, such as from a local mirror or cache, from a local filesystem directory, or from a network filesystem. These methods can be useful for offline or air-gapped environments, or for customizing the installation process. You can configure the provider installation methods using the provider_installation block in the CLI configuration file.
What feature stops multiple users from operating on the Terraform state at the same time?
- A . State locking
- B . Version control
- C . Provider constraints
- D . Remote backends
A
Explanation:
State locking prevents other users from modifying the state file while a Terraform operation is in progress. This prevents conflicts and data loss1.
Which of the following is not a valid siring function in Terraform?
- A . choaf
- B . join
- C . Split
- D . slice
A
Explanation:
This is not a valid string function in Terraform. The other options are valid string functions that can manipulate strings in various ways2.
What does the default "local" Terraform backend store?
- A . tfplan files
- B . State file
- C . Provider plugins
- D . Terraform binary
B
Explanation:
The default “local” Terraform backend stores the state file in a local file named terraform.tfstate, which can be used to track and manage the state of your infrastructure3.
How can you trigger a run in a Terraform Cloud workspace that is connected to a Version Control System (VCS) repository?
- A . Only Terraform Cloud organization owners can set workspace variables on VCS connected workspaces
- B . Commit a change to the VCS working directory and branch that the Terraform Cloud workspace is connected to
- C . Only Terraform Cloud organization owners can approve plans in VCS connected workspaces
- D . Only members of a VCS organization can open a pull request against repositories that are connected to Terraform Cloud workspaces
B
Explanation:
This will trigger a run in the Terraform Cloud workspace, which will perform a plan and apply operation on the infrastructure defined by the Terraform configuration files in the VCS repository.
You’re building a CI/CD (continuous integration/continuous delivery) pipeline and need to inject sensitive variables into your Terraform run.
How can you do this safely?
- A . Copy the sensitive variables into your Terraform code
- B . Store the sensitive variables in a secure_varS.tf file
- C . Store the sensitive variables as plain text in a source code repository
- D . Pass variables to Terraform with a -var flag
D
Explanation:
This is a secure way to inject sensitive variables into your Terraform run, as they will not be stored in any file or source code repository. You can also use environment variables or variable files with encryption to pass sensitive variables to Terraform.
When should you write Terraform configuration files for existing infrastructure that you want to start managing with Terraform?
- A . You can import infrastructure without corresponding Terraform code
- B . Terraform will generate the corresponding configuration files for you
- C . Before you run terraform Import
- D . After you run terraform import
C
Explanation:
You need to write Terraform configuration files for the existing infrastructure that you want to import into Terraform, otherwise Terraform will not know how to manage it. The configuration files should match the type and name of the resources that you want to import.
Variables declared within a module are accessible outside of the module.
- A . True
- B . False
B
Explanation:
Variables declared within a module are only accessible within that module, unless they are explicitly exposed as output values1.
Your security team scanned some Terraform workspaces and found secrets stored in plaintext in state files.
How can you protect that data?
- A . Edit your state file to scrub out the sensitive data
- B . Always store your secrets in a secrets.tfvars file
- C . Delete the state file every time you run Terraform
- D . Store the state in an encrypted backend
D
Explanation:
This is a secure way to protect sensitive data in the state file, as it will be encrypted at rest and in transit2. The other options are not recommended, as they could lead to data loss, errors, or security breaches.
If you update the version constraint in your Terraform configuration, Terraform will update your lock file the next time you run terraform Init.
- A . True
- B . False
A
Explanation:
If you update the version constraint in your Terraform configuration, Terraform will update your lock file the next time you run terraform init3. This will ensure that you use the same provider versions across different machines and runs.
Once you configure a new Terraform backend with a terraform code block, which command(s) should you use to migrate the state file?
- A . terraform destroy, then terraform apply
- B . terraform init
- C . terraform push
- D . terraform apply
A
Explanation:
This command will initialize the new backend and prompt you to migrate the existing state file to the new location4. The other commands are not relevant for this task.
What does Terraform use the .terraform.lock.hc1 file for?
- A . There is no such file
- B . Tracking specific provider dependencies
- C . Preventing Terraform runs from occurring
- D . Storing references to workspaces which are locked
B
Explanation:
The .terraform.lock.hcl file is a new feature in Terraform 0.14 that records the exact versions of each provider used in your configuration. This helps ensure consistent and reproducible behavior across different machines and runs.
Why does this backend configuration not follow best practices?
- A . An alias meta-argument should be included in backend blocks whenever possible
- B . You should use the local enhanced storage backend whenever possible
- C . You should not store credentials in Terraform configuration
- D . The backend configuration should contain multiple credentials so that more than one user can execute terraform plan and terraform apply
C
Explanation:
This is a bad practice, as it exposes your credentials to anyone who can access your configuration files or state files. You should use environment variables, credential files, or other mechanisms to provide credentials to Terraform.
Module variable assignments are inherited from the parent module and you do not need to explicitly set them.
- A . True
- B . False
B
Explanation:
Module variable assignments are not inherited from the parent module and you need to explicitly set them using the source argument. This allows you to customize the behavior of each module instance.
What are some benefits of using Sentinel with Terraform Cloud/Terra form Cloud? Choose three correct answers.
- A . You can enforce a list of approved AWS AMIs
- B . Policy-as-code can enforce security best practices
- C . You can check out and check in cloud access keys
- D . You can restrict specific resource configurations, such as disallowing the use of CIDR=0.0.0.0/0.
- E . Sentinel Policies can be written in HashiCorp Configuration Language (HCL)
ABD
Explanation:
These are some of the benefits of using Sentinel with Terraform Cloud/Terraform Enterprise, as they allow you to implement logic-based policies that can access and evaluate the Terraform plan, state, and configuration. The other options are not true, as Sentinel does not manage cloud access keys, and Sentinel policies are written in Sentinel language, not HCL.
What does Terraform not reference when running a terraform apply -refresh-only?
- A . State file
- B . Credentials
- C . Cloud provider
- D . Terraform resource definitions in configuration files
D
Explanation:
When running a terraform apply -refresh-only, Terraform does not reference the configuration files, but only the state file, credentials, and cloud provider. The purpose of this command is to update the state file with the current status of the real resources, without making any changes to them1.
Which of the following is not a valid Terraform variable type?
- A . list
- B . array
- C . nap
- D . string
B
Explanation:
This is not a valid Terraform variable type. The other options are valid variable types that can store different kinds of values2.
You decide to move a Terraform state file to Amazon S3 from another location.
You write the code below into a file called backend.tf.
Which command will migrate your current state file to the new S3 remote backend?
- A . terraform state
- B . terraform init
- C . terraform push
- D . terraform refresh
B
Explanation:
This command will initialize the new backend and prompt you to migrate the existing state file to the new location3. The other commands are not relevant for this task.
Your DevOps team is currently using the local backend for your Terraform configuration. You would like to move to a remote backend to store the state file in a central location.
Which of the following backends would not work?
- A . Artifactory
- B . Amazon S3
- C . Terraform Cloud
- D . Git
D
Explanation:
This is not a valid backend for Terraform, as it does not support locking or versioning of state files4.
The other options are valid backends that can store state files in a central location.
You have deployed a new webapp with a public IP address on a cloud provider. However, you did not create any outputs for your code.
What is the best method to quickly find the IP address of the resource you deployed?
- A . In a new folder, use the terraform_remote_state data source to load in the state file, then write an output for each resource that you find the state file
- B . Run terraform state list to find the name of the resource, then terraform state show to find the attributes including public IP address
- C . Run terraform output ip_address to view the result
- D . Run terraform destroy then terraform apply and look for the IP address in stdout
B
Explanation:
This is a quick way to inspect the state file and find the information you need without modifying anything5. The other options are either incorrect or inefficient.
As a developer, you want to ensure your plugins are up to date with the latest versions.
Which Terraform command should you use?
- A . terraform refresh -upgrade
- B . terraform apply -upgrade
- C . terraform init -upgrade
- D . terraform providers -upgrade
C
Explanation:
This command will upgrade the plugins to the latest acceptable version within the version constraints specified in the configuration. The other commands do not have an -upgrade option.
What information does the public Terraform Module Registry automatically expose about published modules?
- A . Required input variables
- B . Optional inputs variables and default values
- C . Outputs
- D . All of the above
- E . None of the above
D
Explanation:
The public Terraform Module Registry automatically exposes all the information about published modules, including required input variables, optional input variables and default values, and outputs. This helps users to understand how to use and configure the modules.
You must use different Terraform commands depending on the cloud provider you use.
- A . True
- B . False
B
Explanation:
You do not need to use different Terraform commands depending on the cloud provider you use. Terraform commands are consistent across different providers, as they operate on the Terraform configuration files and state files, not on the provider APIs directly.
As a member of an operations team that uses infrastructure as code (lac) practices, you are tasked with making a change to an infrastructure stack running in a public cloud.
Which pattern would follow laC best practices for making a change?
- A . Make the change via the public cloud API endpoint
- B . Clone the repository containing your infrastructure code and then run the code
- C . Use the public cloud console to make the change after a database record has been approved
- D . Make the change programmatically via the public cloud CLI
- E . Submit a pull request and wait for an approved merge of the proposed changes
E
Explanation:
You do not need to use different Terraform commands depending on the cloud provider you use. Terraform commands are consistent across different providers, as they operate on the Terraform configuration files and state files, not on the provider APIs directly.
You ate making changes to existing Terraform code to add some new infrastructure.
When is the best time to run terraform validate?
- A . After you run terraform apply so you can validate your infrastructure
- B . Before you run terraform apply so you can validate your provider credentials
- C . Before you run terraform plan so you can validate your code syntax
- D . After you run terraform plan so you can validate that your state file is consistent with your infrastructure
C
Explanation:
This is the best time to run terraform validate, as it will check your code for syntax errors, typos, and missing arguments before you attempt to create a plan. The other options are either incorrect or unnecessary.
How would you reference the volume IDs associated with the ebs_block_device blocks in this configuration?
- A . aws_instance.example.ebs_block_device[sda2,sda3).volume_id
- B . aws_lnstance.example.ebs_block_device.[*].volume_id
- C . aws_lnstance.example.ebs_block_device.volume_ids
- D . aws_instance.example-ebs_block_device.*.volume_id
D
Explanation:
This is the correct way to reference the volume IDs associated with the ebs_block_device blocks in this configuration, using the splat expression syntax. The other options are either invalid or incomplete.
Which command should you run to check if all code in a Terraform configuration that references multiple modules is properly formatted without making changes?
- A . terraform fmt -write-false
- B . terraform fmt -list -recursive
- C . terraform fmt -check -recursive
- D . terraform fmt -check
C
Explanation:
This command will check if all code in a Terraform configuration that references multiple modules is properly formatted without making changes, and will return a non-zero exit code if any files need formatting. The other commands will either make changes, list the files that need formatting, or not check the modules.
What kind of configuration block will create an infrastructure object with settings specified within the block?
- A . provider
- B . state
- C . data
- D . resource
D
Explanation:
This is the kind of configuration block that will create an infrastructure object with settings specified within the block. The other options are not used for creating infrastructure objects, but for configuring providers, accessing state data, or querying data sources.
What is the Terraform style convention for indenting a nesting level compared to the one above it?
- A . With a tab
- B . With two spaces
- C . With four spaces
- D . With three spaces
B
Explanation:
This is the Terraform style convention for indenting a nesting level compared to the one above it. The other options are not consistent with the Terraform style guide.
You have never used Terraform before and would like to test it out using a shared team account for a cloud provider. The shared team account already contains 15 virtual machines (VM). You develop a Terraform configuration containing one VM. perform terraform apply, and see that your VM was created successfully.
What should you do to delete the newly-created VM with Terraform?
- A . The Terraform state file contains all 16 VMs in the team account. Execute terraform destroy and select the newly-created VM.
- B . Delete the Terraform state file and execute terraform apply.
- C . The Terraform state file only contains the one new VM. Execute terraform destroy.
- D . Delete the VM using the cloud provider console and terraform apply to apply the changes to the Terraform state file.
C
Explanation:
This is the best way to delete the newly-created VM with Terraform, as it will only affect the resource that was created by your configuration and state file. The other options are either incorrect or inefficient.
When do changes invoked by terraform apply take effect?
- A . After Terraform has updated the state file
- B . Once the resource provider has fulfilled the request
- C . Immediately
- D . None of the above are correct
B
Explanation:
Changes invoked by terraform apply take effect once the resource provider has fulfilled the request, not after Terraform has updated the state file or immediately. The state file is only a reflection of the real resources, not a source of truth.
What is the workflow for deploying new infrastructure with Terraform?
- A . Write Terraform configuration, run terraform init to initialize the working directory or workspace, and run terraform apply
- B . Write Terraform configuration, run terraform show to view proposed changes, and terraform apply to create new infrastructure
- C . Write Terraform configuration, run terraform apply to create infrastructure, use terraform validate to confirm Terraform deployed resources correctly
- D . Write Terraform configuration, run terraform plan to initialize the working directory or workspace, and terraform apply to create the infrastructure
A
Explanation:
This is the workflow for deploying new infrastructure with Terraform, as it will create a plan and apply it to the target environment. The other options are either incorrect or incomplete.
You can develop a custom provider to manage its resources using Terraform.
- A . True
- B . False
A
Explanation:
You can develop a custom provider to manage its resources using Terraform, as Terraform is an extensible tool that allows you to write your own plugins in Go language. You can also publish your custom provider to the Terraform Registry or use it privately.
What is one disadvantage of using dynamic blocks in Terraform?
- A . Dynamic blocks can construct repeatable nested blocks
- B . Terraform will run more slowly
- C . They cannot be used to loop through a list of values
- D . They make configuration harder to read and understand
D
Explanation:
This is one disadvantage of using dynamic blocks in Terraform, as they can introduce complexity and reduce readability of the configuration. The other options are either advantages or incorrect statements.
Which backend does the Terraform CU use by default?
- A . Depends on the cloud provider configured
- B . HTTP
- C . Remote
- D . Terraform Cloud
- E . Local
E
Explanation:
This is the backend that the Terraform CLI uses by default, unless you specify a different backend in your configuration. The local backend stores the state file in a local file named terraform. tfstate, which can be used to track and manage the state of your infrastructure.
How does Terraform manage most dependencies between resources?
- A . Terraform will automatically manage most resource dependencies
- B . Using the depends_on parameter
- C . By defining dependencies as modules and including them in a particular order
- D . The order that resources appear in Terraform configuration indicates dependencies
A
Explanation:
This is how Terraform manages most dependencies between resources, by using the references between them in the configuration files. For example, if resource A depends on resource B, Terraform will create resource B first and then pass its attributes to resource A.
You have declared a variable called var.list which is a list of objects that all have an attribute id .
Which options will produce a list of the IDs? Choose two correct answers.
- A . [ var.list [ * ] , id ]
- B . [ for o in var.list : o.Id ]
- C . var.list[*].id
- D . { for o in var.llst : o => o.id }
BC
Explanation:
These are two ways to produce a list of the IDs from a list of objects that have an attribute id, using either a for expression or a splat expression syntax.
It is best practice to store secret data in the same version control repository as your Terraform configuration.
- A . True
- B . False
B
Explanation:
It is not a best practice to store secret data in the same version control repository as your Terraform configuration, as it could expose your sensitive information to unauthorized parties or compromise your security. You should use environment variables, vaults, or other mechanisms to store and provide secret data to Terraform.
_______backends support state locking.
- A . All
- B . No
- C . Some
- D . Only local
C
Explanation:
Some backends support state locking, which prevents other users from modifying the state file while a Terraform operation is in progress. This prevents conflicts and data loss. Not all backends support this feature, and you can check the documentation for each backend type to see if it does.
You want to define a single input variable to capture configuration values for a server. The values must represent memory as a number, and the server name as a string.
Which variable type could you use for this input?
- A . List
- B . Object
- C . Map
- D . Terraform does not support complex input variables of different types
B
Explanation:
This is the variable type that you could use for this input, as it can store multiple attributes of different types within a single value. The other options are either invalid or incorrect for this use case.
Which of the following statements about Terraform modules is not true?
- A . Modules can call other modules
- B . A module is a container for one or more resources
- C . Modules must be publicly accessible
- D . You can call the same module multiple times
C
Explanation:
This is not true, as modules can be either public or private, depending on your needs and preferences. You can use the Terraform Registry to publish and consume public modules, or use Terraform Cloud or Terraform Enterprise to host and manage private modules.