Terraform-Associate-003 HashiCorp Certified: Terraform Associate (003) (HCTA0-003) Question and Answers

It lets you version, reuse, and share infrastructure configuration as code files, which can be stored in a source control system and integrated with your CI/CD pipeline.

It reduces risk of operator error by automating repetitive tasks and ensuring consistency across environments. IaC does not necessarily provision resources at a lower cost, secure your credentials, or prevent manual modifications to your resources - these depend on other factors such as your cloud provider, your security practices, and your access policies.

You can install third party plugins using terraform init, as long as you specify the plugin directory in your configuration or as a command-line argument. You can also use the terraform providers mirror command to create a local mirror of providers from any source.

The statement that you must use the CLI to switch between workspaces is false. Terraform Cloud workspaces are different from Terraform CLI workspaces. Terraform Cloud workspaces are required and represent all of the collections of infrastructure in an organization. They are also a major component of role-based access in Terraform Cloud. You can grant individual users and user groupspermissions for one or more workspaces that dictate whether they can manage variables, perform runs, etc. You can create, view, and switch between Terraform Cloud workspaces using the Terraform Cloud UI, the Workspaces API, or the Terraform Enterprise Provider5. Terraform CLI workspaces are optional and allow you to create multiple distinct instances of a single configuration within one working directory. They are useful for creating disposable environments for testing or experimenting without affecting your main or production environment. You can create, view, and switch between Terraform CLI workspaces using the terraform workspace command6. The other statements about Terraform Cloud workspaces are true. They have role-based access controls that allow you to assign permissions to users and teams based on their roles and responsibilities. You can create and manage roles using the Teams API or the Terraform Enterprise Provider7. Plans and applies can be triggered via version control system integrations that allow you to link your Terraform Cloud workspaces to your VCS repositories. You can configure VCS settings, webhooks, and branch tracking to automate your Terraform Cloud workflow8. They can securely store cloud credentials as sensitive variables that are encrypted at rest and only decrypted when needed. You can manage variables using the Terraform Cloud UI, the Variables API, or the Terraform Enterprise Provider9. References = [Workspaces]5, [Terraform CLI Workspaces]6, [Teams and Organizations]7, [VCS Integration]8, [Variables]9

Terraform variable names are not saved in the state file, only their values are. The state file only stores the attributes of the resources and data sources that are managed by Terraform, not the variables that are used to configure them.

To prevent two Terraform runs from changing the same state file simultaneously, state locking is used. State locking ensures that when one Terraform operation is running, others will be blocked from making changes to the same state, thus preventing conflicts and data corruption. This is achieved by configuring the state backend to support locking, which will lock the state for all operations that could write to the state.References = This information is supported by Terraform's official documentation, which explains the importance of state locking and how it can be configured for different backends to prevent concurrent state modifications .

This is what will happen if you run terraform apply in the working directory again, after removing the resource definition from your Terraform configuration file. Terraform will detect that there is a resource in the state file that is not present in the configuration file, and will assume that you want to delete it.

Destroy Command Options: Theterraform destroycommand is the correct method to destroy resources, and it requires either manual approval or the -auto-approve flag.

Unsupported Triggering Method: The--destroy flagis not a recognized option for plan or apply commands, making B the correct answer as it isnota valid way to initiate resource destruction.

For more on destroying resources, refer to theterraform destroy command documentationin the Terraform CLI reference.

This is one disadvantage of using dynamic blocks in Terraform, as they can introduce complexity and reduce readability of the configuration. The other options are either advantages or incorrect statements.

Terraform Cloud provides features like remote state storage and a web-based user interface for managing your Terraform runs. While it offers robust infrastructure as code capabilities, automatic backups of configuration and state are not directly provided by Terraform Cloud; instead, the state is stored remotely and secured.

This is the Terraform style convention for indenting a nesting level compared to the one above it. The other options are not consistent with the Terraform style guide.

If you update the version constraint in your Terraform configuration, Terraform will update your lock file the next time you run terraform init3. This will ensure that you use the same provider versions across different machines and runs.

While terraform destroy is a common way to remove infrastructure, it isnot the only way.

You can also remove resources bydeleting them from the configuration and running terraform apply.

Manually deleting resources in the cloud provider can also remove infrastructure (but Terraform won’t be aware unless the state is updated).

Official Terraform Documentation Reference:

terraform destroy - HashiCorp Documentation

This is the best time to run terraform validate, as it will check your code for syntax errors, typos, and missing arguments before you attempt to create a plan. The other options are either incorrect or unnecessary.

 This is a quick way to inspect the state file and find the information you need without modifying anything5. The other options are either incorrect or inefficient.

A (✅Correct)– Providers allow Terraform tointeract with APIsof cloud/on-premises services.

B (✅Correct)– Some Terraform providers can provisionon-premises infrastructure, such as VMware, OpenStack, etc.

C (❌Incorrect)– This describesTerraform Workspaces, not providers.

D (✅Correct)– Terraform providers allow provisioning ofpublic cloud resources(AWS, Azure, GCP, etc.).

E (❌Incorrect)– Enforcing security and compliance policies isnot a direct provider function, but it can be done using Sentinel or other policy-as-code tools.

Official Terraform Documentation Reference:

Terraform Providers

The Terraform collection type that should be used to store key/value pairs is map. A map is a collection of values that are accessed by arbitrary labels, called keys. The keys and values can be of any type, but the keys must be unique within a map. For example, var = { key1 = "value1", key2 = "value2" } is a map with two key/value pairs. Maps are useful for grouping related values together, such as configuration options or metadata. References = [Collection Types], [Map Type Constraints]

State locking prevents other users from modifying the state file while a Terraform operation is in progress. This prevents conflicts and data loss1.

Outside of the required_providers block, Terraform configurations can refer to providers by either their local names or their source addresses. The local name is a short name that can be used throughout the configuration, while the source address is a global identifier for the provider in the format registry.terraform.io/namespace/type. For example, you can use either aws or registry.terraform.io/hashicorp/aws to refer to the AWS provider.

The required_providers block is used to specify the provider versions that the configuration can work with. The version argument accepts a version constraint string, which must be enclosed in double quotes. The version constraint string can use operators such as >=, ~>, =, etc. to specify the minimum, maximum, or exact version of the provider. For example, version = ">= 3.1" means that theconfiguration can work with any provider version that is 3.1 or higher. References = [Provider Requirements] and [Version Constraints]

terraform state listonly displays resources stored in the state filebut doesnot interact with the cloud provideror refresh the state.

terraform plan, terraform apply, and terraform destroycompare or modify the infrastructure, so theyrefresh the stateto ensure accuracy.

Official Terraform Documentation Reference:

terraform state list - HashiCorp Documentation

Terraform state files are not automatically encrypted by default. Sensitive values are stored in plaintext within the state file. However, you can protect the state file by using remote backends that support encryption, such as AWS S3 with server-side encryption enabled or Terraform Cloud, which offers encrypted state storage.

The public Terraform Module Registry automatically exposes all the information about published modules, including required input variables, optional input variables and default values, and outputs. This helps users to understand how to use and configure the modules.

The terraform import command allows Terraform to takeexistinginfrastructure andbring it under Terraform’s management.

A (terraform get)is incorrect because it is used to fetch modules.

B (terraform refresh)is incorrect because it only updates Terraform's state to match the infrastructure but does not import resources.

D (terraform init)is incorrect because it only initializes the Terraform working directory.

Official Terraform Documentation Reference:

terraform import - HashiCorp Documentation

This is the command that always causes a state file to be updated with changes that might have been made outside of Terraform, as it will only refresh the state file with the current status of the real resources, without making any changes to them or creating a plan.

Runningterraform destroywill show all resources that will be deleted before prompting for approval. You can also runterraform plan -destroyto simulate the destruction without actually applying it, which is useful for reviewing the planned changes.

In Terraform, the backend configuration, which includes details about where and how state is stored, is specified within the terraform block of your configuration. This block is the correct place to define the backend type and its configuration parameters, such as the location of the state file for a local backend or the bucket details for a remote backend like S3.References = This practice is outlined in Terraform's core documentation, which provides examples and guidelines on how to configure various aspects of Terraform's behavior, including state backends .

To make Terraform's logging more verbose for troubleshooting purposes, you must configure the TF_LOG environment variable. This variable controls the level of logging and can be set to TRACE, DEBUG, INFO, WARN, or ERROR, with TRACE providing the most verbose output.References = Detailed debugging instructions and the use of environment variables like TF_LOG for increasing verbosity are part of Terraform's standard debugging practices

E (✅Correct)–IaC aims to eliminate manual cloud console workflowsby using code-based automation.

A, B, C (✅Advantages of IaC)– IaC enablesself-service deployment, API-driven workflows, and dynamic resource scaling.

D (diff command)– While useful, troubleshooting via diff is not acore advantageof IaC.

Official Terraform Documentation Reference:

What is Infrastructure as Code?

Terraform keeps track of the infrastructure state via the state file. When you initially ran terraform plan, Terraform determined that the port should be changed from80 to 443. However, since another team member manually modified the load balancer, Terraform's local state file is now outdated.

When you run terraform apply, Terraform willcompare the expected state (from the plan) with the actual state (from the provider API).

Since the port is already set to443, but the local state file still shows80, Terraform willfail with an errordue to the state mismatch.

To resolve this, you should run terraform refresh or use terraform apply -refresh-only to update the local state before applying changes.

Official Terraform Documentation Reference:

State Management - HashiCorp Documentation

Managing Drift in Terraform

This is not a valid Terraform variable type. The other options are valid variable types that can store different kinds of values2.

Sentinel policies are checked after the plan stage of a Terraform run, but before it can be confirmed or the terraform apply is executed3. This allows you to enforce rules on your infrastructure before it is created or modified.

terraform apply can runwithout explicitly running terraform plan first.

Running terraform plan before apply isrecommendedbutnot mandatory.

If no plan file is provided, terraform applyautomatically creates and executes a planbefore applying changes.

Official Terraform Documentation Reference:

terraform apply - HashiCorp Documentation

C (✅Correct)– InHCP Terraform, you can use the terraform_remote_state data source to referenceanother workspace's state. This feature isnot available in Terraform CLI.

A (❌Incorrect)– terraform plan (dry runs)is available in both Terraform CLI and HCP Terraform.

B (❌Incorrect)– Secure variable storageexists in HCP Terraform, but CLI users can store variables securely using environment variables or .tfvars files.

D (❌Incorrect)– BothTerraform CLI and HCP Terraform support multiple cloud providers.

Official Terraform Documentation Reference:

terraform_remote_state - HashiCorp Documentation

 Terraform configuration (including any module references) can contain more than one Terraform provider type. Terraform providers are plugins that Terraform uses to interact with various cloud services and other APIs. A Terraform configuration can use multiple providers to manage resources across different platforms and services. For example, a configuration can use the AWS provider to create a virtual machine, the Cloudflare provider to manage DNS records, and the GitHub provider to create a repository. Terraform supports hundreds of providers for different use cases and scenarios. References = [Providers], [Provider Requirements], [Provider Configuration]

The terraform init command is required before using a new backend or integrating with HCP Terraform/Terraform Cloud.

terraform init initializes the working directory and sets up the backend, downloading necessary provider plugins and modules.

If the backend configuration changes, Terraform willrequirere-initialization to apply those changes.

Without running terraform init, Terraform willfailto use a new backend or remote Terraform Cloud workspace.

Official Terraform Documentation Reference:

terraform init - HashiCorp Documentation

To output returned values from a child module in the Terraform CLI output, you need to declare the output in both the child module and the root module. The child module output will return the value to the root module, and the root module output will display the value in the CLI. References = [Terraform Outputs]

The two steps that are required to provision new infrastructure in the Terraform workflow are init and apply. The terraform init command initializes a working directory containing Terraform configuration files. It downloads and installs the provider plugins that are needed for the configuration, and prepares the backend for storing the state. The terraform apply command applies the changes required to reach the desired state of the configuration, as described by the resource definitions in the configuration files. It shows a plan of the proposed changes and asks for confirmation before making any changes to the infrastructure. References = [The Core Terraform Workflow], [Initialize a Terraform working directory with init], [Apply Terraform Configuration with apply]

This is how Terraform chooses which version of the provider to use, when you add a new resource to an existing Terraform configuration, but do not update the version constraint in the configuration. The lock file records the exact version of each provider that was installed in your working directory, and ensures that Terraform will always use the same provider versions until you run terraform init -upgrade to update them.

From the Terraform Provider Requirements:

">= 3.0" means any versiongreater than or equal to 3.0— including 4.x and beyond.

A (wrong): Would need >= 3.0, < 4.0

C/D (wrong): > excludes 3.0 — not what’s written.

In Terraform, the max function can be used to select the largest number from a list of numbers. The max function takes multiple arguments and returns the highest one. For the list numcpus = [18, 3, 7, 11, 2], using max(numcpus...) will return 18, which is the largest number in the list.

You can develop a custom provider to manage its resources using Terraform, as Terraform is an extensible tool that allows you to write your own plugins in Go language. You can also publish your custom provider to the Terraform Registry or use it privately.

Detailed Explanation:

Rationale for Correct Answer (D):The terraform.lock.hcl file is automatically created and maintained by Terraform. It records the specific versions and checksums of providers used in a configuration, ensuring consistent runs across environments and machines.

Analysis of Incorrect Options:

A. There is no such file: Incorrect — the lock file exists and is crucial for dependency management.

B. Storing references to workspaces: Incorrect — workspaces are tracked in the state file, not the lock file.

C. Preventing Terraform runs: Incorrect — the lock file does not block runs; it enforces consistent provider versions.

Key Concept:The terraform.lock.hcl file enforces provider version consistency, which is critical for reproducible and reliable Terraform deployments.

 If you manually destroy infrastructure, Terraform will automatically detect the change and update the state file during the next plan or apply. Terraform compares the current state of the infrastructure with the desired state in the configuration and generates a plan to reconcile the differences. If a resource is missing from the infrastructure but still exists in the state file, Terraform will attempt to recreate it. If a resource is present in the infrastructure but not in the state file, Terraform will ignore it unless you use the terraform import command to bring it under Terraform’s management. References = [Terraform State]

terraform initdoes not create a main.tf file.

Itinitializesthe Terraform working directory, downloads provider plugins, and configures the backend.

Terraform does not generate an example configuration (main.tf); users must create it manually.

Official Terraform Documentation Reference:

terraform init - HashiCorp Documentation

You do not need to use different Terraform commands depending on the cloud provider you use. Terraform commands are consistent across different providers, as they operate on the Terraform configuration files and state files, not on the provider APIs directly.

From Terraform CLI Overview:

"Terraform provides a consistent CLI workflow regardless of which cloud or service you’re managing."

Thesame Terraform commandswork across all providers via plugins.

The terraform import command is used to import existing infrastructure into your Terraform state. This command takes the existing resource and associates it with a resource defined in your Terraform configuration, updating the state file accordingly. It does not generate configuration for the resource, only the state.

The terraform fmt command is used to rewrite Terraform configuration files to a canonical format and style. This command applies a subset of the Terraform language style conventions, along with other minor adjustments for readability. Running this command on your configuration files before committing them to source control can help ensure consistency of style between different Terraform codebases, and can also make diffs easier to read. You can also use the -check and -diff options to check if the files are formatted and display the formatting changes respectively2. Running the terraform fmt command during the code linting phase of your CI/CD process can help automate this process and enforce the formatting standards for your team. References = [Command: fmt]2

The execution plan for terraform apply will not be the same as the one you ran locally with terraform plan, if your teammate manually modified the infrastructure component you are working on. This is because Terraform will refresh the state file before applying any changes, and will detect any differences between the state and the real resources.

The -replace flag is used with the terraform apply command when there is a need to explicitly force Terraform to destroy and then recreate a specific resource during the next apply. This can be necessary in situations where a simple update is insufficient or when a resource must be re-provisioned to pick up certain changes.

These are two ways to produce a list of the IDs from a list of objects that have an attribute id, using either a for expression or a splat expression syntax.

The Terraform binary version and provider versions do not have to match each other in a single configuration. Terraform allows you to specify provider version constraints in the configuration’s terraform block, which can be different from the Terraform binary version1. Terraform will use the newest version of the provider that meets the configuration’s version constraints2. You can also use the dependency lock file to ensure Terraform is using the correct provider version3. References =

•1: Providers - Configuration Language | Terraform | HashiCorp Developer

•2: Multiple provider versions with Terraform - Stack Overflow

•3: Lock and upgrade provider versions | Terraform - HashiCorp Developer

Referencing Terraform Built-in Functions:

✅chomp: removes trailing newlines

✅join: combines list into string

✅split: splits string into list

❌slice:is nota valid Terraform string function (it's used in other languages like Python)

This is what you must do to successfully retrieve this value from your networking module, as it will expose the attribute as an output value that can be referenced by other modules or resources. The error message indicates that the networking module does not have an output value named vnet_id, which causes the reference to fail.

From the official Terraform Type Constraints Documentation:

The object({ name = string, age = number }) type expects:

name to be aquoted string, e.g. "John"

age to be anumber, e.g. 52

Option Bsatisfies both:

{

name = "John" #✅Valid string

age = 52 #✅Valid number

}

Let's analyze the incorrect ones:

❌Option A: "fifty two" is not a valid number.

❌Option C: John is unquoted (invalid string), and "fifty two" is not a number.

❌Option D: name = John is not quoted, making it an invalid string in HCL.

Terraform is strict about type and formatting. Stringsmust be quoted, and numbersmust be numeric literals.

Terraforminstalls providers during the terraform init phase.

Providers aredownloaded and installedwhen running terraform init.

A (terraform plan)is incorrect because terraform plan only calculates changes but does not install providers.

C (terraform refresh)is incorrect because terraform refresh only updates the state but does not install providers.

Official Terraform Documentation Reference:

Provider Installation - HashiCorp Documentation

terraform validatechecks for syntax errors and internal consistencyin the configuration files.

However, itdoes notcheck if resource configurations are valid with the provider.

Official Terraform Documentation Reference:

terraform validate - HashiCorp Documentation

Terraformdownloads modules and providersinto the .terraform directory inside the working directory.

A (/tmp/)– Incorrect; modules arenot stored temporarily.

C (In memory)– Incorrect; modules persist on disk.

D (Not cached)– Incorrect; Terraformdoes cache modulesfor efficiency.

Official Terraform Documentation Reference:

Terraform Module Caching

The remote backend can work with either a single remote Terraform Cloud workspace, or with multiple similarly-named remote workspaces (like networking-dev and networking-prod). The workspaces block of the backend configuration determines which mode it uses. To use a single remote Terraform Cloud workspace, set workspaces.name to the remote workspace’s full name (like networking-prod). To use multiple remote workspaces, set workspaces.prefix to a prefix used in all of the desired remote workspace names. For example, set prefix = “networking-” to use Terraform cloud workspaces with names like networking-dev and networking-prod. This is helpful when mapping multiple Terraform CLI workspaces used in a single Terraform configuration to multiple Terraform Cloud workspaces3. However, one remote backend configuration always maps to a single remote workspace, either by name or by prefix. You cannot use both name and prefix in the same backend configuration, or omit both. Doing so will result in a configuration error3. References = [Backend Type: remote]3

The Terraform Registry allows any user to publish and share modules. Published modules support versioning, automatically generate documentation, allow browsing version histories, show examples and READMEs, and more. Public modules are managed via Git and GitHub, and publishing a module takes only a few minutes. Once a module is published, releasing a new version of a module is as simple as pushing a properly formed Git tag1.

References = The information can be verified from the Terraform Registry documentation on Publishing Modules provided by HashiCorp Developer1.

Detailed Explanation:

Rationale for Correct Answer (B):Provider version constraints in Terraform are specified using the version argument in the required_providers block, e.g.:

terraform {

required_providers {

aws = {

source = "hashicorp/aws"

version = "3.1"

}

}

}

This ensures Terraform always uses a specific provider version (or constraint expression).

Analysis of Incorrect Options:

A. version: Incomplete, no value specified.

C. version: 3.1: Incorrect syntax, Terraform uses = not :.

D. version - 3.1: Incorrect syntax, - is invalid here.

Key Concept:Defining provider version constraints ensures consistent provider behavior across environments and avoids breaking changes.

The provider for theaws_vpcresource isaws, as the resource type begins withaws_, which denotes that it is managed by the AWS provider.

In Terraform, the correct way to reference a resource attribute is:

pgsql

CopyEdit

resource_type.resource_name.attribute

For example, if the resource block is:

hcl

CopyEdit

resource "kubernetes_namespace" "example" {

metadata {

name = "my-namespace"

}

}

To reference the name attribute, use:

pgsql

CopyEdit

kubernetes_namespace.example.name

Explanation of incorrect answers:

A (resource.kubernetes_namespace.example.name)– Incorrect. Terraform does not use the resource. prefix when referencing resources.

C (data.kubernetes.namespace.name)– Incorrect. This syntax is used fordata sources, not resources.

D (kubernetes_namespace.test.name)– Incorrect. The resource name is "example", not "test".

Official Terraform Documentation Reference:

Terraform Resource References

A module can declare a variable with a default value without requiring the caller to define it. This allows the module to provide a sensible default behavior that can be customized by the caller if needed. References = [Module Variables]

According to theofficial Terraform documentationhere:

🔗Terraform Docs – Declaring an Output Value

In Terraform 0.12 and later, you can directly use expressions in outputs without interpolation syntax:

output "instance_ip_addr" {

value = aws_instance.server.private_ip

}

This aligns perfectly withOption A:

output "instance_ip_addr" {

value = aws_instance.main.private_ip

}

Why not the others?

❌Option B: Incorrect syntax. "${main.private_ip}" is referencing main as if it were a global variable or resource, but it isn’t defined. Plus, the output name is oddly written as aws_instance.instance_ip_addr, which is not a valid identifier format.

❌Option C: Although valid in older versions (<= 0.11), interpolation with "${}" isdeprecatedin Terraform 0.12+. The docs clearly advise using direct expressions instead.

❌Option D: Terraform hasno return statement; this is syntactically invalid in Terraform’s HCL.

This is what state locking accomplishes, by preventing other users from modifying the state file while a Terraform operation is in progress. This prevents conflicts and data loss.

Detailed Explanation:

Rationale for Correct Answer (C):Best practice is to avoid hardcoding sensitive credentials in Terraform configurations or storing them in version control. Instead, credentials should be managed via environment variables, CLI authentication helpers, or secret managers (e.g., Vault).

Analysis of Incorrect Options:

A. Shared server: Not secure, introduces single point of failure and risk.

B. Storing credentials in config files: A major security risk, especially if pushed to version control.

D. None of the above: Incorrect, because option C is a valid and recommended approach.

Key Concept:Security best practices in Terraform dictate that credentials should be externalized from Terraform code.

The terraform init command is used to initialize a working directory containing Terraform configuration files. This command performs several different initialization steps to prepare the current working directory for use with Terraform, which includes initializing the backend, installing provider plugins, and copying any modules referenced in the configuration. However, it does not validate whether all required variables are present; that is a task performed by terraform plan or terraform apply1.

References = This information can be verified from the official Terraform documentation on the terraform init command provided by HashiCorp Developer1.

A provider configuration block is not required in every Terraform configuration. A provider configuration block can be omitted if its contents would otherwise be empty. Terraform assumes an empty default configuration for any provider that is not explicitly configured. However, some providers may require some configuration arguments (such as endpoint URLs or cloud regions) before they can be used. A provider’s documentation should list which configuration arguments it expects. For providers distributed on the Terraform Registry, versioned documentation is available on each provider’s page, via the “Documentation” link in the provider’s header1. References = [Provider Configuration]1