Free Practice Questions•Terraform Associate (004)•30 Questions with Answers•Free Practice Questions•Terraform Associate (004)•30 Questions with Answers•
FREE QUESTIONS
Terraform Associate (004) Practice Questions
30 free questions with correct answers and detailed explanations.
30Free Questions
2Free Exams
100%With Explanations
TA-004 Practice Set-01
15 questions
Q1
Your security team scanned some Terraform workspaces and found secrets stored in plaintext in state files. How can you protect that data?
A
Delete the state file every time you run Terraform.
Store the state in an encrypted backend.
C
Always store your secrets in a secrets.tfvars file.
D
Edit your state file to scrub out the sensitive data.
Correct Answer
Store the state in an encrypted backend.
Explanation
Sensitive data in Terraform state files should be protected by using encrypted remote backends such as S3 with server-side encryption, Azure Blob Storage, or GCS. The plaintext state issue is a known concern since Terraform stores resource attributes including secrets in state. Storing state in an encrypted backend ensures data at rest is protected. See: https://developer.hashicorp.com/terraform/language/state/sensitive-data
Q2
You can reference a resource created with for_each using a splat ( * ) expression.
A
TRUE
FALSE
Correct Answer
FALSE
Explanation
Resources created with for_each are stored as a map, not a list, so splat expressions (*) cannot be used to reference them. Splat expressions only work with resources using count. To reference for_each resources, use the resource address with the key, e.g., resource_type.name[key].attribute. This statement is FALSE. See: https://developer.hashicorp.com/terraform/language/expressions/splat
Q3
What is an advantage of immutable infrastructure?
A
Automatic infrastructure upgrades
B
In-place infrastructure upgrades
C
Quicker infrastructure upgrades
Less complex infrastructure upgrades
Correct Answer
Less complex infrastructure upgrades
Explanation
Immutable infrastructure means replacing resources rather than updating them in-place, which reduces configuration drift and complexity. The correct answer 'Less complex infrastructure upgrades' is correct because you avoid patching existing servers, and instead deploy fresh replacements. This is a core IaC principle. See: https://developer.hashicorp.com/terraform/tutorials/state/resource-lifecycle
Q4
You add a new resource to an existing Terraform configuration, but do not update the version constraint in the configuration. The existing and new resources use the same provider. The working directory contains a .terraform.lock.hcl file. How will Terraform choose which version of the provider to use?
A
Terraform will use the latest version of the provider for the new resource and the version recorded in the lock file to manage existing resources.
Terraform will use the version recorded in your lock file.
C
Terraform will check your state file to determine the provider version to use.
D
Terraform will use the latest version of the provider available at the time you provision your new resource.
Correct Answer
Terraform will use the version recorded in your lock file.
Explanation
When a .terraform.lock.hcl file exists, Terraform uses the provider version recorded in it for consistency. Even if a new resource is added using the same provider, Terraform uses the locked version unless you explicitly run terraform init -upgrade. This ensures reproducible builds across teams. See: https://developer.hashicorp.com/terraform/language/files/dependency-lock
Q5
What is the workflow for deploying new infrastructure with Terraform?
A
terraform plan to import the current infrastructure to the state file, make code changes, and terraform apply to update the infrastructure.
B
Write a Terraform configuration, run terraform show to view proposed changes, and terraform apply to create new infrastructure.
C
terraform import to import the current infrastructure to the state file, make code changes, and terraform apply to update the infrastructure.
Write a Terraform configuration, run terraform init, run terraform plan to view planned infrastructure changes, and terraform apply to create new infrastructure.
Correct Answer
Write a Terraform configuration, run terraform init, run terraform plan to view planned infrastructure changes, and terraform apply to create new infrastructure.
Explanation
The core Terraform workflow for deploying new infrastructure is: Write configuration files, run terraform init to initialize, terraform plan to preview changes, and terraform apply to create infrastructure. This ensures changes are reviewed before being applied to real infrastructure. See: https://developer.hashicorp.com/terraform/intro/core-workflow
Q6
All standard backend types support state storage, locking, and remote operations like plan, apply, and destroy.
A
TRUE
FALSE
Correct Answer
FALSE
Explanation
Not all standard backend types support remote operations like plan, apply, and destroy. For example, the S3 backend only supports state storage and locking via DynamoDB, but does NOT support remote operations. Remote operations are only supported by the remote backend and HCP Terraform. This statement is FALSE. See: https://developer.hashicorp.com/terraform/language/settings/backends/configuration
Q7
A resource block is shown in the Exhibit section of this page. How would you reference the attribute name of this resource in HCL?
A
data.kubernetes_namespace.name
kubernetes_namespace.example.name
C
kubernetes_namespace.test.name
D
resource.kubernetes_namespace.example.name
Correct Answer
kubernetes_namespace.example.name
Explanation
In Terraform HCL, resource attributes are referenced using dot notation: resource_type.resource_name.attribute. For a resource block, you reference its name attribute as resource_type.resource_name.name. This syntax is used consistently across Terraform to access exported resource attributes. See: https://developer.hashicorp.com/terraform/language/expressions/references
Q8
Which provisioner invokes a process on the resource created by Terraform?
remote-exec
B
null-exec
C
local-exec
D
file
Correct Answer
remote-exec
Explanation
The remote-exec provisioner invokes scripts or commands on the remote resource that was just created by Terraform. Unlike local-exec which runs on the machine running Terraform, remote-exec connects to the newly created resource via SSH or WinRM and executes commands directly on it. See: https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec
Q9
Which argument(s) are required when declaring a Terraform variable?
A
type
B
default
C
description
D
All of the above
None of the above
Correct Answer
None of the above
Explanation
No arguments are strictly required when declaring a Terraform variable. The variable block can be empty since type, default, description, and validation are all optional. If no default is provided, Terraform will prompt for input at runtime. None of the listed arguments are required. See: https://developer.hashicorp.com/terraform/language/values/variables
Q10
terraform apply is failing with the following error. What next step should you take to determine the root cause of the problem?
A
Run terraform login to reauthenticate with the provider.
B
Review /var/log/terraform.log for error messages.
C
Review syslog for Terraform error messages.
Set TF_LOG=DEBUG.
Correct Answer
Set TF_LOG=DEBUG.
Explanation
When terraform apply fails with an error, the best next step to determine the root cause is to enable detailed logging using the TF_LOG environment variable set to DEBUG or TRACE. This provides verbose output including provider API calls and internal operations that reveal what went wrong. See: https://developer.hashicorp.com/terraform/internals/debugging
Q11
Which Terraform command checks that your configuration syntax is correct?
A
terraform show
B
terraform init
C
terraform fmt
terraform validate
Correct Answer
terraform validate
Explanation
The terraform validate command checks the syntax and internal consistency of Terraform configuration files without accessing any remote services or state. It confirms configuration is syntactically valid and internally consistent based on provider schemas downloaded during init. See: https://developer.hashicorp.com/terraform/cli/commands/validate
Q12
How does the HCP Terraform/Terraform Cloud integration differ from backends such as S3, Consul, etc.?
It can execute Terraform runs on dedicated infrastructure in HCP Terraform/Terraform Cloud.
B
It doesn’t show the output of a terraform apply locally.
C
It is only available to paying customers.
D
All of the above.
Correct Answer
It can execute Terraform runs on dedicated infrastructure in HCP Terraform/Terraform Cloud.
Explanation
HCP Terraform differs from backends like S3 or Consul because it supports full remote operations: plan, apply, and destroy run in HCP Terraform's managed environment with logging, UI, policy enforcement, and team features. Standard backends only store and lock state without providing a remote execution environment. See: https://developer.hashicorp.com/terraform/cloud-docs/overview
Q13
You have deployed a new webapp with a public IP address on a cloud provider. However, you did not create any outputs for your code. What is the best method to quickly find the IP address of the resource you deployed?
A
Run terraform output ip_address to view the result
B
In a new folder, use the terraform_remote_state data source to load in the state file, then write an output for each resource that you find the state file
Run terraform state list to find the name of the resource, then terraform state show to find the attributes including public IP address
D
Run terraform destroy then terraform apply and look for the IP address in stdout
Correct Answer
Run terraform state list to find the name of the resource, then terraform state show to find the attributes including public IP address
Explanation
When a webapp is deployed without output definitions, the best method to find its IP address is to run terraform state show resource_type.resource_name, which displays all attributes stored in state including the public IP. This avoids redeploying or searching through the cloud console manually. See: https://developer.hashicorp.com/terraform/cli/commands/state/show
Q14
Which of these actions will prevent two Terraform runs from changing the same state file at the same time?
A
Delete the state before running Terraform.
B
Refresh the state after running Terraform.
C
Run Terraform with parallelism set to 1.
Configure state locking for your state backend.
Correct Answer
Configure state locking for your state backend.
Explanation
State locking prevents concurrent Terraform runs from simultaneously writing to the same state file, avoiding state corruption. Backends that support locking such as S3 with DynamoDB, Consul, or the remote backend will acquire an exclusive lock during plan and apply operations. See: https://developer.hashicorp.com/terraform/language/state/locking
Q15
Terraform variables and outputs that set the "description" argument will store that description in the state file.
A
TRUE
FALSE
Correct Answer
FALSE
Explanation
The description argument on variables and outputs is purely for documentation and is NOT stored in the state file. Terraform state only stores resource metadata and attribute values needed to manage infrastructure. Variable and output descriptions exist only in the configuration files. This statement is FALSE. See: https://developer.hashicorp.com/terraform/language/state
TA-004 Practice Set-02
15 questions
Q1
When should you use the force-unlock command?
A
When apply has failed due to a state lock.
When automatic unlocking has failed.
C
When you see a status message stating that you cannot acquire the lock.
D
When you have a high priority change.
Correct Answer
When automatic unlocking has failed.
Explanation
The force-unlock command should only be used when automatic unlocking fails and you are absolutely certain no other Terraform process is currently using the state. This situation occurs when a Terraform process is interrupted, leaving a stale lock. Using it carelessly risks state corruption. See: https://developer.hashicorp.com/terraform/cli/commands/force-unlock
Q2
You used Terraform to create an ephemeral development environment in the cloud and are now ready to destroy all the infrastructure described by your Terraform configuration. To be safe, you would like to first see all the infrastructure that Terraform will delete. Which command should you use to show all the resources that will be deleted?
A
Run terraform state rm *.
Run terraform destroy.This will output all the resources that will be deleted before prompting for approval.
Run terraform plan -destroy.
D
Run terraform show -destroy.
Correct Answers
Run terraform destroy.This will output all the resources that will be deleted before prompting for approval.
Run terraform plan -destroy.
Explanation
To preview what terraform destroy will delete, you can run terraform plan -destroy which shows a destroy plan without executing it, or run terraform show with a saved plan file. Both approaches display all resources that will be removed before any actual destruction occurs. See: https://developer.hashicorp.com/terraform/cli/commands/plan
Q3
What is not processed when running a terraform refresh?
A
State file
Configuration file
C
Credentials
D
Cloud provider
Correct Answer
Configuration file
Explanation
terraform refresh reads current real infrastructure state and updates the Terraform state file to match, but it does NOT process or modify configuration (.tf) files. Configuration files remain untouched during refresh; only the state file is reconciled with actual infrastructure. See: https://developer.hashicorp.com/terraform/cli/commands/refresh
Q4
You should store secret data in the same version control repository as your Terraform configuration.
A
TRUE
FALSE
Correct Answer
FALSE
Explanation
Storing secret data in version control alongside Terraform configurations is a security anti-pattern. Secrets committed to VCS can be exposed to anyone with repository access and remain in git history permanently. Environment variables, encrypted secret stores, or Vault are safer alternatives. This answer is FALSE. See: https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables
Q5
Which of the following locations can Terraform use as a private source for modules?
A
Public repository on GitHub.
B
Internally hosted VCS (Version Control System) platform.
C
Public Terraform Registry.
Private repository on GitHub.
Correct Answer
Private repository on GitHub.
Explanation
Terraform can load modules from private sources including a private registry such as HCP Terraform's private module registry, local file paths, and private Git repositories. The public Terraform Registry is a public source. Private registries allow organizations to share modules internally without public exposure. See: https://developer.hashicorp.com/terraform/registry/private
Q6
You have provisioned some virtual machines (VMs) on Google Cloud Platform (GCP) using the gcloud command line tool. However, you are standardizing with Terraform and want to manage these VMs using Terraform instead. What are the two things you must do to achieve this?
A
Provision new VMs using Terraform with the same VM names.
B
Use the terraform import command for the existing VMs.
Write Terraform configuration for the existing VMs.
D
Run the terraform import-gcp command.
Correct Answer
Write Terraform configuration for the existing VMs.
Explanation
To bring existing GCP VMs into Terraform management, you must: (1) write Terraform configuration describing those resources, and (2) run terraform import to associate the existing resources with the new configuration in state. Without both steps, Terraform cannot manage pre-existing resources. See: https://developer.hashicorp.com/terraform/cli/commands/import
Q7
A resource block is shown in the Exhibit space of this page. How would you reference the name value of the second instance of this resource?
A
aws_instance.web[1]
B
element(aws_instance.web, 2)
C
aws_instance.web[2].name
aws_instance.web[1].name
E
aws_instance.web.*.name
Correct Answer
aws_instance.web[1].name
Explanation
When a resource uses count, each instance is referenced by its zero-based index. For the second instance (index 1), the reference syntax is resource_type.resource_name[1].attribute. For example, aws_instance.example[1].name. Zero-based indexing means the first instance is [0] and the second is [1]. See: https://developer.hashicorp.com/terraform/language/meta-arguments/count
Q8
Which of these is true about Terraform’s plugin-based architecture?
You can create a provider for your API if none exists.
B
Terraform can only source providers from the internet.
C
All providers are part of the Terraform core binary.
D
Every provider in a configuration has its own state file for its resources.
Correct Answer
You can create a provider for your API if none exists.
Explanation
Terraform uses a plugin-based architecture where providers are separate binaries from the Terraform core. Each provider is independently versioned, downloaded, and maintained. The Terraform core binary does not include any provider code; providers are installed separately via terraform init. See: https://developer.hashicorp.com/terraform/plugin
Q9
Terraform can only manage resource dependencies if you set them explicitly with the depends_on argument.
A
TRUE
FALSE
Correct Answer
FALSE
Explanation
This statement is FALSE. Terraform automatically infers most resource dependencies from expressions in the configuration. When one resource references another resource's attribute, Terraform knows to create the referenced resource first. depends_on is only needed for hidden dependencies not expressed through references. See: https://developer.hashicorp.com/terraform/language/meta-arguments/depends_on
Q10
You decide to move a Terraform state file to Amazon S3 from another location. You write the code shown in the Exhibit space into a file called backend.tf. Which command will migrate your current state file to the new S3 backend?
A
terraform refresh
terraform init
C
terraform push
D
terraform state
Correct Answer
terraform init
Explanation
To migrate a Terraform state file to a new S3 backend, update your backend configuration in backend.tf and then run terraform init. Terraform detects the backend change and prompts you to migrate the existing state to the new backend automatically without manual state manipulation. See: https://developer.hashicorp.com/terraform/language/settings/backends/configuration
Q11
You have declared a variable called var.list which is a list of objects that all have an attribute id . Which options will produce a list of the IDs?
[ for o in var.list : o.id ]
B
var.list[*].id
C
[ var.list[*].id ]
D
{ for o in var.list : o => o.id }
Correct Answer
[ for o in var.list : o.id ]
Explanation
To produce a list of IDs from a list of objects, use a for expression [for item in var.list : item.id] or the splat expression var.list[*].id. Both approaches extract the id attribute from each object in the list and return a new list containing only those values. See: https://developer.hashicorp.com/terraform/language/expressions/for
Q12
terraform validate uses provider APIs to verify your infrastructure settings.
A
TRUE
FALSE
Correct Answer
FALSE
Explanation
terraform validate checks configuration syntax and logical consistency locally and does NOT use provider APIs or make any remote calls. It validates resource types and argument names based on locally-cached provider schemas but does not verify actual infrastructure state or API responses. This statement is FALSE. See: https://developer.hashicorp.com/terraform/cli/commands/validate
Q13
It is ____________ to change the Terraform backend from the default “local” backend to a different one after performing your first terraform apply.
A
impossible
discouraged
C
optional
D
mandatory
Correct Answer
discouraged
Explanation
Changing the Terraform backend after the first terraform apply is 'possible' but requires running terraform init to migrate the state. When you update your backend configuration and run init, Terraform asks if you want to migrate existing state to the new backend, allowing the change. See: https://developer.hashicorp.com/terraform/language/settings/backends/configuration
Q14
Which of the following is true about terraform apply?
A
You cannot target specific resources for the operation.
Depending on provider specification, Terraform may need to destroy and recreate your infrastructure resources.
It only operates on infrastructure defined in the current working directory or workspace.
D
By default, it does not refresh your state file to reflect the current infrastructure configuration.
E
You must pass the output of a terraform plan command to it.
Correct Answers
Depending on provider specification, Terraform may need to destroy and recreate your infrastructure resources.
It only operates on infrastructure defined in the current working directory or workspace.
Explanation
terraform apply generates an execution plan AND applies it to infrastructure. It updates the state file after changes are applied, does not require a prior terraform plan run, and can both create and update resources. Apply shows the plan and requires confirmation before making changes. See: https://developer.hashicorp.com/terraform/cli/commands/apply
Q15
Which of the following is available only in HCP Terraform workspaces and not in Terraform CLI?
Secure variable storage.
B
Support for multiple cloud providers.
C
Dry runs with terraform plan.
D
Using one workspace’s state as a data source for another.
Correct Answer
Secure variable storage.
Explanation
HCP Terraform workspaces provide features not available in the Terraform CLI including remote plan and apply with a managed execution environment, Sentinel policy enforcement, team management with access controls, audit logging, and private module registries. The CLI alone does not offer these governance features. See: https://developer.hashicorp.com/terraform/cloud-docs/workspaces
Want More Practice?
These are just the free questions. Unlock the full Terraform Associate (004) exam library with hundreds of additional questions, timed practice mode, and progress tracking.