Terraform-Associate-003 HashiCorp Certified: Terraform Associate (003) (HCTA0-003) Question and Answers

The best way to specify a tag of v1.0.0 when referencing a module stored in Git is to append ?ref=v1.0.0 argument to the source path. This tells Terraform to use a specific Git reference, such as a branch, tag, or commit, when fetching the module source code. For example, source = "git::https://example.com/vpc.git?ref=v1.0.0 ". This ensures that the module version is consistent and reproducible across different environments. References = [Module Sources], [Module Versions]

Before using a remote backend in Terraform, it is mandatory to run terraform init. This command initializes a Terraform working directory, which includes configuring the backend. If a remote backend is specified, terraform init will set up the working directory to use it, including copying any existing state to the remote backend if necessary.References = This principle is a fundamental part of workingwith Terraform and its backends, as outlined in general Terraform documentation and best practices. The specific HashiCorp Terraform Associate (003) study materials in the provided files did not include direct references to this information.

This is a secure way to inject sensitive variables into your Terraform run, as they will not be stored in any file or source code repository. You can also use environment variables or variable files with encryption to pass sensitive variables to Terraform.

This is the kind of configuration block that will create an infrastructure object with settings specified within the block. The other options are not used for creating infrastructure objects, but for configuring providers, accessing state data, or querying data sources.

This is what will happen if you run terraform destroy without any flags, as it will attempt to delete all the resources that are associated with your current working directory or workspace. You can use the -target flag to specify a particular resource that you want to destroy.

Detailed Explanation:

Rationale for Correct Answer (D):The terraform.lock.hcl file is automatically created and maintained by Terraform. It records the specific versions and checksums of providers used in a configuration, ensuring consistent runs across environments and machines.

Analysis of Incorrect Options:

A. There is no such file: Incorrect — the lock file exists and is crucial for dependency management.

B. Storing references to workspaces: Incorrect — workspaces are tracked in the state file, not the lock file.

C. Preventing Terraform runs: Incorrect — the lock file does not block runs; it enforces consistent provider versions.

Key Concept:The terraform.lock.hcl file enforces provider version consistency, which is critical for reproducible and reliable Terraform deployments.

The module source path that does not specify a remote module is source = "module/consul". This specifies a local module, which is a module that is stored in a subdirectory of the current working directory. The other options are all examples of remote modules, which are modules that are stored outside of the current working directory and can be accessed by various protocols, such as Git, HTTP, or the Terraform Registry. Remote modules are useful for sharing and reusing code across different configurations and environments. References = [Module Sources], [Local Paths], [Terraform Registry], [Generic Git Repository], [GitHub]

All of the statements are true of Terraform providers. Terraform providers are plugins that enable Terraform to interact with various APIs and services1. Anyone can write a Terraform provider, either as an individual or as part of a community2. HashiCorp maintains some providers, such as the AWS, Azure, and Google Cloud providers3. Cloud providers and infrastructure vendors can also write, maintain, or collaborate on Terraform providers, such as the VMware, Oracle, and Alibaba Cloud providers. References =

•1: Providers - Configuration Language | Terraform | HashiCorp Developer

•2: Plugin Development - How Terraform Works With Plugins | Terraform | HashiCorp Developer

•3: Terraform Registry

•: Terraform Registry

The correct syntax to pass a variable from the root module to a child module isservers = var.num_servers. Terraform uses dot notation to reference variables.

Detailed Explanation:

Rationale for Correct Answers:

C. terraform.tfvars securely managed: Acceptable if distributed securely outside version control.

D. HCP Terraform/Terraform Cloud sensitive variables: Official best practice for team-based workflows.

E. Vault: HashiCorp Vault is designed for secret management and integrates well with Terraform.

Analysis of Incorrect Options:

A: Storing plaintext secrets on shared drives is insecure.

B: Checking secrets into version control is a major security risk.

Key Concept:Sensitive values should be managed securely in Vault, HCP Terraform, or securely shared .tfvars files — never in plaintext or version control.

The terraform apply command changes both the cloud infrastructure and the state file after you approve the execution plan. The command creates, updates, or destroys the infrastructure resources to match theconfiguration. It also updates the state file to reflect the new state of the infrastructure. The .terraform directory, the execution plan, and the Terraform code are not changed by the terraform apply command. References = Command: apply and Purpose of Terraform State

Detailed Explanation:

Rationale for Correct Answer:Parent modules cannot directly access child module variables. Only values explicitly exposed via outputs can be accessed by the parent module.

Analysis of Incorrect Options (Distractors):

A. True: Incorrect because module variable scope is isolated.

Key Concept:Terraform enforces module encapsulation, exposing data only through outputs.

Terraform follows adeclarativeapproach, meaning it ensures the infrastructure matches the configuration.

If you run terraform apply againwithout any changes, Terraform willdetect that the infrastructure is already up to dateand willdo nothing.

The command will complete successfully with the message"No changes. Your infrastructure matches the configuration."

Official Terraform Documentation Reference:

Terraform Apply - HashiCorp Documentation

Terraform’s Indentation Standards: Terraform’s style convention usestwo spaces per nesting levelfor readability, helping to maintain uniform code across teams.

Configuration Files: Consistent indentation is crucial for Terraform’s HCL syntax, as it improves readability and avoids parsing issues.

More details are available in theTerraform configuration style guide.

State locking prevents other users from modifying the state file while a Terraform operation is in progress. This prevents conflicts and data loss1.

While terraform destroy is a common way to remove infrastructure, it isnot the only way.

You can also remove resources bydeleting them from the configuration and running terraform apply.

Manually deleting resources in the cloud provider can also remove infrastructure (but Terraform won’t be aware unless the state is updated).

Official Terraform Documentation Reference:

terraform destroy - HashiCorp Documentation

Importing Existing Resources: Theterraform importcommand brings resources already deployed in a cloud environment into Terraform’s state file, allowing Terraform to manage them.

Workflow Usage: Importing is vital when managing resources created outside of Terraform or those in place before Terraform adoption.

Refer to Terraform’s import command documentation.

The terraform import command is used to import existing infrastructure into Terraform’s state. This allows Terraform to manage and destroy the imported infrastructure as part of the configuration. The terraform import command does not modify the configuration, so the imported resources must be manually added to the configuration after the import. References = [Importing Infrastructure]

In Terraform, a data block is used to fetch or compute information from external sources for use elsewhere in the Terraform configuration. Unlike resource blocks that manage infrastructure, data blocks gather information without directly managing any resources. This can include querying for data from cloud providers, external APIs, or other Terraform states.References = This definition and usage of data blocks are covered in Terraform's official documentation, highlighting their role in fetching external information to inform Terraform configurations.

Terraform can call modules from various sources including the public Terraform Registry, private registries, local file paths, or version control systems like GitHub.

Runningterraform destroywill show all resources that will be deleted before prompting for approval. You can also runterraform plan -destroyto simulate the destruction without actually applying it, which is useful for reviewing the planned changes.

If you update the version constraint in your Terraform configuration, Terraform will update your lock file the next time you run terraform init3. This will ensure that you use the same provider versions across different machines and runs.

Infrastructure as Code (IaC) can indeed be stored in a version control system along with application code. This practice is a fundamental principle of modern infrastructure management, allowing teams to apply software development practices like versioning, peer review, and CI/CD to infrastructure management. Storing IaC configurations in version control facilitates collaboration, history tracking, and change management.References = While this concept is a foundational aspect of IaC and is widely accepted in the industry, direct references from the HashiCorp Terraform Associate (003) study materials were not found in the provided files. However, this practice is encouraged in Terraform's best practices and various HashiCorp learning resources.

Detailed Explanation:

Rationale for Correct Answer:

init: Initializes the working directory, downloads providers and modules.

apply: Executes the planned changes and provisions infrastructure.

Both steps are mandatory for provisioning new infrastructure.

Analysis of Incorrect Options (Distractors):

A. import: Used for existing resources, not provisioning new ones.

B. plan: Optional but recommended; not strictly required.

C. validate: Checks syntax only; does not provision resources.

Key Concept:The Terraform workflow requires initialization and application to create infrastructure.

In Terraform, the max function can be used to select the largest number from a list of numbers. The max function takes multiple arguments and returns the highest one. For the list numcpus = [18, 3, 7, 11, 2], using max(numcpus...) will return 18, which is the largest number in the list.

Detailed Explanation:

Rationale for Correct Answer:While HashiCorp publishes and maintains some official modules, many modules on the Terraform Registry are community-maintained. HashiCorp does not test or maintain all published modules. The Registry clearly distinguishes between official, partner, and community modules.

Analysis of Incorrect Options (Distractors):

A. True: Incorrect because not all Registry modules are maintained or tested by HashiCorp.

Key Concept:Understanding the difference between official, partner, and community modules in the Terraform Registry.

Module version is optional to reference a module on the Terraform Module Registry. If you omit the version constraint, Terraform will automatically use the latest available version of the module

C (✅Correct)– If changes require aresource replacement(e.g., changing an immutable attribute like instance type), Terraform willdestroy and recreate the resource.

E (✅Correct)– Terraform only appliesthe configuration in the current directory or workspace.

These are features of Terraform Cloud, which is a hosted service that provides a web-based UI, remote state storage, remote operations, collaboration features, and more for managing your Terraform infrastructure.

This is where Terraform saves resource state when using a remote backend or Terraform Cloud integration, as it allows you to store and manage your state file in a remote location, such as a cloud storage service or Terraform Cloud’s servers. This enables collaboration, security, and scalability for your Terraform infrastructure.

This will trigger a run in the Terraform Cloud workspace, which will perform a plan and apply operation on the infrastructure defined by the Terraform configuration files in the VCS repository.

Detailed Explanation:

Rationale for Correct Answer (True):Local values (locals {}) are scoped to a module and are not directly visible outside. To make them available to callers, you must define outputs in the module. Outputs act as the interface for exposing values from a child module to the root module.

Analysis of Incorrect Option:

False: Incorrect, because locals cannot be exposed directly; only via outputs.

Key Concept:Outputs are the way to expose information outside of a module.

The terraform import command is used to import existing infrastructure into your Terraform state. This command takes the existing resource and associates it with a resource defined in your Terraform configuration, updating the state file accordingly. It does not generate configuration for the resource, only the state.

This is a secure way to protect sensitive data in the state file, as it will be encrypted at rest and in transit2. The other options are not recommended, as they could lead to data loss, errors, or security breaches.

To make Terraform's logging more verbose for troubleshooting purposes, you must configure the TF_LOG environment variable. This variable controls the level of logging and can be set to TRACE, DEBUG, INFO, WARN, or ERROR, with TRACE providing the most verbose output.References = Detailed debugging instructions and the use of environment variables like TF_LOG for increasing verbosity are part of Terraform's standard debugging practices

The terraform import command is not part of any other Terraform workflow. It must be explicitly invoked by the user with the appropriate arguments, such as the resource address and the ID of the existing infrastructure to import. References = [Importing Infrastructure]

The purpose of state in Terraform is to keep track of the real-world resources managed by Terraform, mapping them to the configuration. The state file contains metadata about these resources, such as resource IDs and other important attributes, which Terraform uses to plan and manage infrastructure changes. The state enables Terraform to know what resources are managed by which configurations and helps in maintaining the desired state of the infrastructure.References = This role of state in Terraform is outlined in Terraform's official documentation, emphasizing its function in mapping configuration to real-world resources and storing vital metadata .

This is what you must do to successfully retrieve this value from your networking module, as it will expose the attribute as an output value that can be referenced by other modules or resources. The error message indicates that the networking module does not have an output value named vnet_id, which causes the reference to fail.

The public Terraform Module Registry automatically exposes all the information about published modules, including required input variables, optional input variables and default values, and outputs. This helps users to understand how to use and configure the modules.

 Terraform configuration (including any module references) can contain more than one Terraform provider type. Terraform providers are plugins that Terraform uses to interact with various cloud services and other APIs. A Terraform configuration can use multiple providers to manage resources across different platforms and services. For example, a configuration can use the AWS provider to create a virtual machine, the Cloudflare provider to manage DNS records, and the GitHub provider to create a repository. Terraform supports hundreds of providers for different use cases and scenarios. References = [Providers], [Provider Requirements], [Provider Configuration]

Some backends support state locking, which prevents other users from modifying the state file while a Terraform operation is in progress. This prevents conflicts and data loss. Not all backends support this feature, and you can check the documentation for each backend type to see if it does.

Terraform validate reports configuration consistency errors, such as declaring a resource identifier more than once. This means that the same resource type and name combination is used for multiple resource blocks, which is not allowed in Terraform. For example, resource "aws_instance" "example" {...} cannot be used more than once in the same configuration. Terraform validate does not report errors related to module versions, state differences, or formatting issues, as these are not relevant for checking the configuration syntax and structure. References = [Validate Configuration], [Resource Syntax]

Detailed Explanation:

Rationale for Correct Answer (B):Terraform uses a state file to map real-world resources to your configuration. By default, if no backend is explicitly defined, Terraform stores this information in a file named terraform.tfstate located in the same directory as your configuration files. This local state file is critical for Terraform to understand what infrastructure already exists and to plan updates correctly.

Analysis of Incorrect Options (Distractors):

A. .terraform.d (home directory subdirectory):This is used for storing plugins and some global settings, not for resource state.

C. .terraform.lock.hcl (lock file):This file locks provider versions to ensure reproducible runs, but it does not contain resource state information.

D. .terraform (subdirectory):This folder contains cached provider binaries and related data, but not the actual state file.

Key Concept:Terraform state management is at the core of "Implement and Maintain State." Understanding where Terraform stores the state by default is critical because state files should often be stored remotely (using a backend like S3, GCS, or Terraform Cloud) for collaboration and reliability.

Terraform detects infrastructure drift by comparing thestate filewith the actual infrastructure.

When an instance ismanually deleted, Terraformsees it as missingand marks it for recreation.

Running terraform apply willonly recreate the missing instanceswhile leaving the rest of the infrastructure unchanged.

Explanation of incorrect answers:

A (Tear down everything and rebuild)– Incorrect. Terraform does not destroy existing infrastructure unless explicitly told to.

B (Build a completely new set of infrastructure)– Incorrect. Terraform does not create duplicates unless configuration changes.

D (Stop and error out)– Incorrect. Terraform does not fail; itrebuilds missing resourcesautomatically.

Official Terraform Documentation Reference:

Handling Infrastructure Drift

Detailed Explanation:

Rationale for Correct Answer (C):Best practice is to avoid hardcoding sensitive credentials in Terraform configurations or storing them in version control. Instead, credentials should be managed via environment variables, CLI authentication helpers, or secret managers (e.g., Vault).

Analysis of Incorrect Options:

A. Shared server: Not secure, introduces single point of failure and risk.

B. Storing credentials in config files: A major security risk, especially if pushed to version control.

D. None of the above: Incorrect, because option C is a valid and recommended approach.

Key Concept:Security best practices in Terraform dictate that credentials should be externalized from Terraform code.

Infrastructure as Code (IaC) provides several benefits, including the ability to version control infrastructure, reuse code, and automate infrastructure management. However, IaC is typically associated with declarative configuration files and does not inherently provide a graphical user interface (GUI). A GUI is a feature that may be provided by specific tools or platforms built on top of IaC principles but is not a direct benefit of IaC itself1.

References = The benefits of IaC can be verified from the official HashiCorp documentation on “What is Infrastructure as Code with Terraform?” provided by HashiCorp Developer1.

Module variable assignments are not inherited from the parent module and you need to explicitly set them using the source argument. This allows you to customize the behavior of each module instance.

This is how Terraform manages most dependencies between resources, by using the references between them in the configuration files. For example, if resource A depends on resource B, Terraform will create resource B first and then pass its attributes to resource A.

From the official Terraform Type Constraints Documentation:

The object({ name = string, age = number }) type expects:

name to be aquoted string, e.g. "John"

age to be anumber, e.g. 52

Option Bsatisfies both:

{

name = "John" #✅Valid string

age = 52 #✅Valid number

}

Let's analyze the incorrect ones:

❌Option A: "fifty two" is not a valid number.

❌Option C: John is unquoted (invalid string), and "fifty two" is not a number.

❌Option D: name = John is not quoted, making it an invalid string in HCL.

Terraform is strict about type and formatting. Stringsmust be quoted, and numbersmust be numeric literals.

In Terraform, the correct way to reference a resource attribute is:

pgsql

CopyEdit

resource_type.resource_name.attribute

For example, if the resource block is:

hcl

CopyEdit

resource "kubernetes_namespace" "example" {

metadata {

name = "my-namespace"

}

}

To reference the name attribute, use:

pgsql

CopyEdit

kubernetes_namespace.example.name

Explanation of incorrect answers:

A (resource.kubernetes_namespace.example.name)– Incorrect. Terraform does not use the resource. prefix when referencing resources.

C (data.kubernetes.namespace.name)– Incorrect. This syntax is used fordata sources, not resources.

D (kubernetes_namespace.test.name)– Incorrect. The resource name is "example", not "test".

Official Terraform Documentation Reference:

Terraform Resource References

You can develop a custom provider to manage its resources using Terraform, as Terraform is an extensible tool that allows you to write your own plugins in Go language. You can also publish your custom provider to the Terraform Registry or use it privately.

Detailed Explanation:

Rationale for Correct Answer (A):data blocks fetch information from providers (like AMI IDs, network info) that can be used in other resources.

Analysis of Incorrect Options:

B. local: Stores values, doesn’t fetch external data.

C. resource: Defines managed infrastructure, not read-only data.

D. provider: Configures connection to APIs, not data fetching.

Key Concept:Data sources are read-only queries into existing infrastructure.

Environment variables and connection configurations outside of Terraform are secure options for storing secrets for connecting to a Terraform remote backend. Environment variables can be used to set values for input variables that contain secrets, such as backend access keys or tokens. Terraform will read environment variables that start with TF_VAR_ and match the name of an input variable. For example, if you have an input variable called backend_token, you can set its value with the environment variable TF_VAR_backend_token1. Connection configurations outside of Terraform are files or scripts that provide credentials or other information for Terraform to connect to a remote backend. For example, you can use a credentials file for the S3 backend2, or a shell script for the HTTP backend3. These files or scripts are not part of the Terraform configuration and can be stored securely in a separate location. The other options are not secure for storing secrets. A variable file is a file that contains values for input variables. Variable files are usually stored in the same directory as the Terraform configuration or in a version control system. This exposes the secrets to anyone who can access the files or the repository. You should not store secrets in variable files1. Inside the backend block within the Terraform configuration is where you specify the type and settings of the remote backend. The backend block is part of the Terraform configuration and is usually stored in a version control system. This exposes the secrets to anyone who can access the configuration or the repository. You should not store secrets in the backend block4. References = [Terraform Input Variables]1, [Backend Type: s3]2, [Backend Type: http]3, [Backend Configuration]4

Running terraform fmt without any flags in a directory with Terraform configuration files will not check the formatting of those files without changing their contents, but will actually rewrite them to a canonical format and style. If you want to check the formatting without making changes, you need to use the -check flag.

Not all standard backend types support state locking and remote operations like plan, apply, and destroy. For example, the local backend does not support remote operations and state locking. State locking is a feature that ensures that no two users can make changes to the state file at the same time, which is crucial for preventing race conditions. Remote operations allow running Terraform commands on a remote server, which is supported by some backends like remote or consul, but not all.

You should run terraform fmt to rewrite all Terraform configurations within the current working directory to conform to Terraform-style conventions. This command applies a subset of the Terraform language style conventions, along with other minor adjustments for readability. It is recommended to use this command to ensure consistency of style across different Terraform codebases. The command is optional, opinionated, and has no customization options, but it can help you and your team understand the code more quickly and easily. References = : Command: fmt : Using Terraform fmt Command to Format Your Terraform Code

Any user with permission to apply a plan can apply it, not only the user that generated it. This allows for collaboration and delegation of tasks among team members.

Detailed Explanation:

Rationale for Correct Answer (B):Provider version constraints in Terraform are specified using the version argument in the required_providers block, e.g.:

terraform {

required_providers {

aws = {

source = "hashicorp/aws"

version = "3.1"

}

}

}

This ensures Terraform always uses a specific provider version (or constraint expression).

Analysis of Incorrect Options:

A. version: Incomplete, no value specified.

C. version: 3.1: Incorrect syntax, Terraform uses = not :.

D. version - 3.1: Incorrect syntax, - is invalid here.

Key Concept:Defining provider version constraints ensures consistent provider behavior across environments and avoids breaking changes.

Sentinel is a policy-as-code framework that integrates with Terraform Cloud to enforce security, compliance, and governance rules. You can enforce rules such as approved AMIs and ensure security best practices. Policies are written in the Sentinel language, not HCL.

This is one disadvantage of using dynamic blocks in Terraform, as they can introduce complexity and reduce readability of the configuration. The other options are either advantages or incorrect statements.

This is a bad practice, as it exposes your credentials to anyone who can access your configuration files or state files. You should use environment variables, credential files, or other mechanisms to provide credentials to Terraform.

Terraform is built on a plugin-based architecture, enabling developers to extend Terraform by writing new plugins or compiling modified versions of existing plugins1. Terraform plugins are executable binaries written in Go that expose an implementation for a specific service, such as a cloud resource, SaaS platform, or API2. If there is no existing provider for your API, you can create one using the Terraform Plugin SDK3 or the Terraform Plugin Framework4. References =

•1: Plugin Development - How Terraform Works With Plugins | Terraform | HashiCorp Developer

•2: Lab: Terraform Plug-in Based Architecture - GitHub

•3: Terraform Plugin SDK - Terraform by HashiCorp

•4: HashiCorp Terraform Plugin Framework Now Generally Available

The Terraform binary version and provider versions do not have to match each other in a single configuration. Terraform allows you to specify provider version constraints in the configuration’s terraform block, which can be different from the Terraform binary version1. Terraform will use the newest version of the provider that meets the configuration’s version constraints2. You can also use the dependency lock file to ensure Terraform is using the correct provider version3. References =

•1: Providers - Configuration Language | Terraform | HashiCorp Developer

•2: Multiple provider versions with Terraform - Stack Overflow

•3: Lock and upgrade provider versions | Terraform - HashiCorp Developer

 If you manually destroy infrastructure, Terraform will automatically detect the change and update the state file during the next plan or apply. Terraform compares the current state of the infrastructure with the desired state in the configuration and generates a plan to reconcile the differences. If a resource is missing from the infrastructure but still exists in the state file, Terraform will attempt to recreate it. If a resource is present in the infrastructure but not in the state file, Terraform will ignore it unless you use the terraform import command to bring it under Terraform’s management. References = [Terraform State]

This is what determines how Terraform creates, updates, or deletes resources, as it is responsible for understanding API interactions with some service and exposing resources and data sources based on that API.

You cannot access state stored with the local backend by using the terraform_remote_state data source. The terraform_remote_state data source is used to retrieve the root module output values from some other Terraform configuration using the latest state snapshot from the remote backend. It requires a backend that supports remote state storage, such as S3, Consul, AzureRM, or GCS. The local backend stores the state file locally on the filesystem, which terraform_remote_state cannot access.

You can configure Terraform to log to a file using the TF_LOG environment variable. This variable can be set to one of the log levels: TRACE, DEBUG, INFO, WARN or ERROR. You can also use the TF_LOG_PATH environment variable to specify a custom log file location. References = : Debugging Terraform

 This is the command that can add existing resources into Terraform state, by matching them with the corresponding configuration blocks in your files. 

When declaring a Terraform output, the value argument is required. Outputs are a way to extract information from Terraform-managed infrastructure, and the value argument specifies what data will be outputted. While other arguments like description and sensitive can provide additional context or security around the output, value is the only mandatory argument needed to define an output.References = The requirement of the value argument for outputs is specified in Terraform's official documentation, which provides guidelines on defining and using outputs in Terraform configurations.

HashiCorp Configuration Language (HCL) does not support user-defined functions. You can only use the built-in functions that are provided by the language. The built-in functions allow you to perform various operations and transformations on values within expressions. The general syntax for function calls is a function name followed by comma-separated arguments in parentheses, such as max(5, 12, 9). You can find the documentation for all of the available built-in functions in the Terraform Registry orthe Packer Documentation, depending on which tool you are using. References = : Functions - Configuration Language | Terraform : Functions - Configuration Language | Packer

Infrastructure as Code (IaC) refers to managing infrastructureprogrammatically, enabling automation and repeatability.

Ais incorrect becauseIaC is not just about software delivery pipelines; it specifically deals with infrastructure.

Bis incorrect because"Write once, run anywhere" applies more to software development than IaC.

Dis incorrect becauseIaC does not enforce vendor-agnostic APIs; it depends on the tool and provider.

Official Terraform Documentation Reference:

What is Infrastructure as Code?

E (✅Correct)–IaC aims to eliminate manual cloud console workflowsby using code-based automation.

A, B, C (✅Advantages of IaC)– IaC enablesself-service deployment, API-driven workflows, and dynamic resource scaling.

D (diff command)– While useful, troubleshooting via diff is not acore advantageof IaC.

Official Terraform Documentation Reference:

What is Infrastructure as Code?