If a module declares a variable with a default, that variable must also be defined within the module.
- A . True
- B . False
Your security team scanned some Terraform workspaces and found secrets stored in a plaintext in state files.
How can you protect sensitive data stored in Terraform state files?
- A . Delete the state file every time you run Terraform
- B . Store the state in an encrypted backend
- C . Edit your state file to scrub out the sensitive data
- D . Always store your secrets in a secrets.tfvars file.
What does the default "local" Terraform backend store?
- A . tfplan files
- B . Terraform binary
- C . Provider plugins
- D . State file
D
Explanation:
The local backend stores state on the local filesystem, locks that state using system APIs, and performs operations locally.
Reference: https://www.terraform.io/docs/language/settings/backends/local.html
What is the name assigned by Terraform to reference this resource?
- A . dev
- B . azurerm_resource_group
- C . azurerm
- D . test
You have declared an input variable called environment in your parent module.
What must you do to pass the value to a child module in the configuration?
- A . Add node_count = var.node_count
- B . Declare the variable in a terraform.tfvars file
- C . Declare a node_count input variable for child module
- D . Nothing, child modules inherit variables of parent module
C
Explanation:
"That module may call other modules and connect them together by passing output values from one to input values of another." https://www.terraform.io/language/modules/develop
You have declared a variable called var.list which is a list of objects that all have an attribute id.
Which options will produce a list of the IDs? (Choose two.)
- A . { for o in var.list: o => o.id }
- B . var.list[*].id
- C . [ var.list[*].id ]
- D . [ for o in var.list: o.id ]
B,D
Explanation:
https://www.terraform.io/language/expressions/splat
A splat expression provides a more concise way to express a common operation that could otherwise be performed with a for expression.
Which of these options is the most secure place to store secrets foe connecting to a Terraform remote backend?
- A . Defined in Environment variables
- B . Inside the backend block within the Terraform configuration
- C . Defined in a connection configuration outside of Terraform
- D . None of above
A
Explanation:
https://www.terraform.io/language/settings/backends/configuration#credentials-and-sensitive-data
Warning: We recommend using environment variables to supply credentials and other sensitive data. If you use -backend-config or hardcode these values directly in your configuration, Terraform will include these values in both the .terraform subdirectory and in plan files. This can leak sensitive credentials.
Which argument(s) is (are) required when declaring a Terraform variable?
- A . type
- B . default
- C . description
- D . All of the above
- E . None of the above
B
Explanation:
The variable declaration can also include a default argument.
Reference: https://www.terraform.io/docs/language/values/variables.html
If writing Terraform code that adheres to the Terraform style conventions, how would you properly indent each nesting level compared to the one above it?
- A . With four spaces
- B . With a tab
- C . With three spaces
- D . With two spaces
D
Explanation:
https://www.terraform.io/language/syntax/style#style-conventions
Terraform can import modules from a number of sources C which of the following is not a valid source?
- A . FTP server
- B . GitHub repository
- C . Local path
- D . Terraform Module Registry
A
Explanation:
https://www.terraform.io/language/modules/sources
What is the workflow for deploying new infrastructure with Terraform?
- A . terraform plan to import the current infrastructure to the state file, make code changes, and terraform apply to update the infrastructure
- B . Write a Terraform configuration, run terraform show to view proposed changes, and terraform apply to create new infrastructure.
- C . terraform plan to import the current infrastructure to the state file, make code changes, and terraform apply to update the infrastructure
- D . Write a Terraform configuration, run terraform init, run terraform plan to view planned infrastructure changes, and terraform apply to create new infrastructure.
D
Explanation:
Reference:
https://www.google.com/search?q=Write+a+Terraform+configuration%2C+run+terraform+init%2C
+run+terraform+plan+to+view+planned+infrastructure+changes%2C+and+terraform+apply +to+create+new
+infrastructure.&oq=Write+a+Terraform+configuration%2C+run+terraform+init%2C+run+te rraform+plan+to
+view+planned+infrastructure+changes%2C+and+terraform+apply+to+create+new
+infrastructure.&aqs=chrome..69i57.556j0j7&sourceid=chrome&ie=UTF-8
You have used Terraform to create an ephemeral development environment in the cloud and are now ready to destroy all the infrastructure described by your Terraform configuration. To be safe, you would like to first see all the infrastructure that will be deleted by Terraform.
Which command should you use to show all of the resources that will be deleted? (Choose two.)
- A . Run terraform plan -destroy.
- B . This is not possible. You can only show resources that will be created.
- C . Run terraform state rm *.
- D . Run terraform destroy and it will first output all the resources that will be deleted before prompting for approval.
A,D
Explanation:
Reference: https://www.terraform.io/docs/cli/commands/state/rm.html
What features does the hosted service Terraform Cloud provide? (Choose two.)
- A . Automated infrastructure deployment visualization
- B . Automatic backups
- C . Remote state storage
- D . A web-based user interface (UI)
C,D
Explanation:
https://www.terraform.io/enterprise/admin/infrastructure/backup-restore
Only the user that generated a plan may apply it.
- A . True
- B . False
You run a local-exec provisioner in a null resource called null_resource.run_script and realize that you need to rerun the script.
Which of the following commands would you use first?
- A . terraform taint null_resource.run_script
- B . terraform apply -target=null_resource.run_script
- C . terraform validate null_resource.run_script
- D . terraform plan -target=null_resource.run_script
A
Explanation:
https://www.terraform.io/cli/commands/taint
Which of the following is not a valid string function in Terraform?
- A . split
- B . join
- C . slice
- D . chomp
C
Explanation:
https://www.terraform.io/language/functions
terraform validate validates the syntax of Terraform files.
- A . True
- B . False
A
Explanation:
https://www.terraform.io/cli/commands/validate
The terraform validate command validates the syntax and arguments of the Terraform configuration files.
Reference: https://www.terraform.io/docs/cli/code/index.html
One remote backend configuration always maps to a single remote workspace.
- A . True
- B . False
B
Explanation:
The remote backend can work with either a single remote Terraform Cloud workspace, or with multiple similarly-named remote workspaces (like networking-dev and networking-prod). The workspaces block of the backend configuration determines which mode it uses: To use a single remote Terraform Cloud workspace, set workspaces.name to the remote workspace’s full name (like networking-prod). To use multiple remote workspaces, set workspaces.prefix to a prefix used in all of the desired remote workspace names. For example, set prefix = "networking-" to use Terraform cloud workspaces with names like networking-dev and networking-prod. This is helpful when mapping multiple Terraform CLI workspaces used in a single Terraform configuration to multiple Terraform Cloud workspaces.
A Terraform local value can reference other Terraform local values.
- A . True
- B . False
A
Explanation:
"The expressions in local values are not limited to literal constants; they can also reference other values in the module in order to transform or combine them, including variables, resource attributes, or other local values:" https://www.terraform.io/language/values/locals#declaring-a-local-value
Terraform providers are always installed from the Internet.
- A . True
- B . False
B
Explanation:
Terraform configurations must declare which providers they require, so that Terraform can install and use them.
Reference: https://www.terraform.io/docs/language/providers/configuration.html
What command should you run to display all workspaces for the current configuration?
- A . terraform workspace
- B . terraform workspace show
- C . terraform workspace list
- D . terraform show workspace
C
Explanation:
terraform workspace list
The command will list all existing workspaces.
Reference: https://www.terraform.io/docs/cli/commands/workspace/list.html
Terraform and Terraform providers must use the same major version number in a single configuration.
- A . True
- B . False
B
Explanation:
https://www.terraform.io/language/expressions/version-constraints#terraform-core-and-provider-versions
Terraform requires the Go runtime as a prerequisite for installation.
- A . True
- B . False
B
Explanation:
https://www.terraform.io/plugin/sdkv2/guides/v1-upgrade-guide and https://www.terraform.io/plugin/sdkv2/guides/v2-upgrade-guide
Terraform validate reports syntax check errors from which of the following scenarios?
- A . Code contains tabs indentation instead of spaces
- B . There is missing value for a variable
- C . The state files does not match the current infrastructure
- D . None of the above
B
Explanation:
The terraform validate command is used to validate the syntax of the terraform files. Terraform performs a syntax check on all the terraform files in the directory, and will display an error if any of the files doesn’t validate. This command does not check formatting (e.g. tabs vs spaces, newlines, comments etc.). The following can be reported: invalid HCL syntax (e.g. missing trailing quote or equal sign) invalid HCL references (e.g. variable name or attribute which doesn’t exist) same provider declared multiple times same module declared multiple times same resource declared multiple times invalid module name interpolation used in places where it’s unsupported (e.g. variable, depends_on, module.source, provider) missing value for a variable (none of -var foo=… flag, -var-file=foo.vars flag, TF_VAR_foo environment variable, terraform.tfvars, or default value in the configuration) https://www.typeerror.org/docs/terraform/commands/validate https://learning-ocean.com/tutorials/terraform/terraform-validate
Terraform provisioners can be added to any resource block.
- A . True
- B . False
A
Explanation:
https://www.phillipsj.net/posts/introduction-to-terraform-provisioners/
As you continue learning about Terraform, you will start hearing about provisioners.
Terraform provisioners can be created on any resource and provide a way to execute actions on local or remote machines.
https://www.terraform.io/language/resources/provisioners/local-exec
You want to know from which paths Terraform is loading providers referenced in your Terraform configuration (files). You need to enable debug messages to find this out.
Which of the following would achieve this?
- A . Set the environment variable TF_LOG=TRACE
- B . Set verbose logging for each provider in your Terraform configuration
- C . Set the environment variable TF_VAR_log=TRACE
- D . Set the environment variable TF_LOG_PATH
A
Explanation:
Although this will only output to stderr and if you need to review log file you will need to include TF_LOG_PATH=pathtofile https://www.terraform.io/internals/debugging
How can you trigger a run in a Terraform Cloud workspace that is connected to a Version Control System (VCS) repository?
- A . Only Terraform Cloud organization owners can set workspace variables on VCS connected workspaces
- B . Commit a change to the VCS working directory and branch that the Terraform Cloud workspace is connected to
- C . Only members of a VCS organization can open a pull request against repositories that are connected to Terraform Cloud workspaces
- D . Only Terraform Cloud organization owners can approve plans in VCS connected workspaces
B
Explanation:
"In a workspace linked to a VCS repository, runs start automatically when you merge or commit changes to version control.
A workspace is linked to one branch of a VCS repository and ignores changes to other branches. You can specify which files and directories within your repository trigger runs. "
https://www.terraform.io/cloud-docs/run/ui#automatically-starting-runs
Examine the following Terraform configuration, which uses the data source for an AWS AMI.
What value should you enter for the ami argument in the AWS instance resource?
- A . aws_ami.ubuntu
- B . data.aws_ami.ubuntu
- C . data.aws_ami.ubuntu.id
- D . aws_ami.ubuntu.id
C
Explanation:
resource "aws_instance" "web" {
ami= data.aws_ami.ubuntu.id
Reference:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance
The terraform.tfstate file always matches your currently built infrastructure.
- A . True
- B . False
B
Explanation:
Reference: https://www.terraform.io/docs/language/state/index.html
What is not processed when running a terraform refresh?
- A . State file
- B . Configuration file
- C . Credentials
- D . Cloud provider
B
Explanation:
"The terraform refresh command reads the current settings from all managed remote objects and updates the Terraform state to match."
What type of block is used to construct a collection of nested configuration blocks?
- A . for_each
- B . repeated
- C . nesting
- D . dynamic
D
Explanation:
https://www.terraform.io/language/expressions/dynamic-blocks
How is terraform import run?
- A . As a part of terraform init
- B . As a part of terraform plan
- C . As a part of terraform refresh
- D . By an explicit call
- E . All of the above
D
Explanation:
"The current implementation of Terraform import can only import resources into the state. It does not generate configuration. A future version of Terraform will also generate configuration. Because of this, prior to running terraform import it is necessary to write manually a resource configuration block for the resource, to which the imported object will be mapped. While this may seem tedious, it still gives Terraform users an avenue for importing existing resources." https://www.terraform.io/cli/import/usage
When using Terraform to deploy resources into Azure, which scenarios are true regarding state files? (Choose two.)
- A . When a change is made to the resources via the Azure Cloud Console, the changes are recorded in a new state file
- B . When a change is made to the resources via the Azure Cloud Console, Terraform will update the state file to reflect them during the next plan or apply
- C . When a change is made to the resources via the Azure Cloud Console, the current state file will not be updated
- D . When a change is made to the resources via the Azure Cloud Console, the changes are recorded in the current state file
When using a module block to reference a module stored on the public Terraform Module Registry such as:
How do you specify version 1.0.0?
- A . Modules stored on the public Terraform Module Registry do not support versioning
- B . Append ?ref=v1.0.0 argument to the source path
- C . Add version = "1.0.0" attribute to module block
- D . Nothing C modules stored on the public Terraform Module Registry always default to version 1.0.0
C
Explanation:
Version
When using modules installed from a module registry, we recommend explicitly constraining the acceptable version numbers to avoid unexpected or unwanted changes.
Use the version argument in the module block to specify versions:
module "consul" {
source = "hashicorp/consul/aws"
version = "0.0.5"
servers = 3
}
Reference: https://www.terraform.io/docs/language/modules/sources.html
A Terraform provider is not responsible for:
- A . Understanding API interactions with some service
- B . Provisioning infrastructure in multiple clouds
- C . Exposing resources and data sources based on an API
- D . Managing actions to take based on resource differences
B
Explanation:
https://www.terraform.io/language/providers
Which of the following is allowed as a Terraform variable name?
- A . count
- B . name
- C . source
- D . version
B
Explanation:
"The name of a variable can be any valid identifier except the following: source, version, providers, count, for_each, lifecycle, depends_on, locals." https://www.terraform.io/language/values/variables
You have never used Terraform before and would like to test it out using a shared team account for a cloud provider. The shared team account already contains 15 virtual machines (VM). You develop a Terraform configuration containing one VM, perform terraform apply, and see that your VM was created successfully.
What should you do to delete the newly-created VM with Terraform?
- A . The Terraform state file contains all 16 VMs in the team account. Execute terraform destroy and select the newly-created VM.
- B . The Terraform state file only contains the one new VM. Execute terraform destroy.
- C . Delete the Terraform state file and execute Terraform apply.
- D . Delete the VM using the cloud provider console and terraform apply to apply the changes to the Terraform state file.
B
Explanation:
You develop a Terraform configuration containing one VM, perform terraform apply, and see that your VM was created successfully. read the question carefully "Terraform configuration containing one VM, perform terraform apply" so only one VM is in state file.
How can terraform plan aid in the development process?
- A . Validates your expectations against the execution plan without permanently modifying state
- B . Initializes your working directory containing your Terraform configuration files
- C . Formats your Terraform configuration files
- D . Reconciles Terraform’s state against deployed resources and permanently modifies state using the current status of deployed resources
A
Explanation:
"The terraform plan command creates an execution plan, which lets you preview the changes that Terraform plans to make to your infrastructure. By default, when Terraform creates a plan it:
Reads the current state of any already-existing remote objects to make sure that the Terraform state is up-to-date.
Compares the current configuration to the prior state and noting any differences. Proposes a set of change actions that should, if applied, make the remote objects match the configuration."
"The plan command alone will not actually carry out the proposed changes, and so you can use this command to check whether the proposed changes match what you expected before you apply the changes or share your changes with your team for broader review.
If Terraform detects that no changes are needed to resource instances or to root module output values, terraform plan will report that no actions need to be taken."
https://www.terraform.io/cli/commands/plan
Which backend does the Terraform CLI use by default?
- A . Terraform Cloud
- B . Consul
- C . Remote
- D . Local
D
Explanation:
"By default, Terraform implicitly uses a backend called local to store state as a local file on disk. Every other backend stores state in a remote service of some kind, which allows multiple people to access it. Accessing state in a remote service generally requires some kind of access credentials, since state data contains extremely sensitive information." https://www.terraform.io/language/settings/backends
When does terraform apply reflect changes in the cloud environment?
- A . Immediately
- B . However long it takes the resource provider to fulfill the request
- C . After updating the state file
- D . Based on the value provided to the -refresh command line argument
- E . None of the above
When you initialize Terraform, where does it cache modules from the public Terraform Module Registry?
- A . On disk in the /tmp directory
- B . In memory
- C . On disk in the .terraform sub-directory
- D . They are not cached
C
Explanation:
"A hidden .terraform directory, which Terraform uses to manage cached provider plugins and modules, record which workspace is currently active, and record the last known backend configuration in case it needs to migrate state on the next run. This directory is automatically managed by Terraform, and is created during initialization." https://www.terraform.io/cli/init
A terraform apply can not _________ infrastructure.
- A . change
- B . destroy
- C . provision
- D . import
D
Explanation:
https://www.educative.io/answers/what-is-the-command-to-destroy-infrastructure-in-terraform
What information does the public Terraform Module Registry automatically expose about published modules?
- A . Required input variables
- B . Optional inputs variables and default values
- C . Outputs
- D . All of the above
- E . None of the above
D
Explanation:
https://www.terraform.io/registry/modules/publish
"The registry extracts information about the module from the module’s source. The module name, provider, documentation, inputs/outputs, and dependencies are all parsed and available via the UI or API, as well as the same information for any submodules or examples in the module’s source repository."
Terraform can only manage resource dependencies if you set them explicitly with the depends_on argument.
- A . True
- B . False
A
Explanation:
"Use the depends_on meta-argument to handle hidden resource or module dependencies that Terraform cannot automatically infer. You only need to explicitly specify a dependency when a resource or module relies on another resource’s behavior but does not access any of that resource’s data in its arguments."
https://www.terraform.io/language/meta-arguments/depends_on
When running the command terraform taint against a managed resource you want to force recreation upon, Terraform will immediately destroy and recreate the resource.
- A . True
- B . False
B
Explanation:
"The terraform taint command informs Terraform that a particular object has become degraded or damaged. Terraform represents this by marking the object as "tainted" in the Terraform state, and Terraform will propose to replace it in the next plan you create." FYI – This command is deprecated. For Terraform v0.15.2 and later, we recommend using the -replace option with terraform apply instead. For Terraform v0.15.2 and later, we recommend using the -replace option with terraform apply to force Terraform to replace an object even though there are no configuration changes that would require it. https://www.terraform.io/cli/commands/taint
How is the Terraform remote backend different than other state backends such as S3, Consul, etc.?
- A . It can execute Terraform runs on dedicated infrastructure on premises or in Terraform Cloud
- B . It doesn’t show the output of a terraform apply locally
- C . It is only available to paying customers
- D . All of the above
A
Explanation:
Backends define where Terraform’s state snapshots are stored. A given Terraform configuration can either specify a backend, integrate with Terraform Cloud, or do neither and default to storing state locally.
If you and your team are using Terraform to manage meaningful infrastructure, we recommend using the remote backend with Terraform Cloud or Terraform Enterprise.
Reference: https://www.terraform.io/docs/language/settings/backends/index.html
You need to deploy resources into two different cloud regions in the same Terraform configuration.
To do that, you declare multiple provider configurations as follows:
What meta-argument do you need to configure in a resource block to deploy the resource to the “us-west-2” AWS region?
- A . alias = west
- B . provider = west
- C . provider = aws.west
- D . alias = aws.west
C
Explanation:
https://www.terraform.io/language/providers/configuration
Where in your Terraform configuration do you specify a state backend?
- A . The terraform block
- B . The resource block
- C . The provider block
- D . The datasource block
A
Explanation:
Backends are configured with a nested backend block within the top-level terraform block.
Reference:
https://www.terraform.io/docs/language/settings/backends/configuration.html
https://www.terraform.io/language/settings/backends/configuration#using-a-backend-block
Which of the following is not a valid Terraform collection type?
- A . list
- B . map
- C . tree
- D . set
C
Explanation:
https://www.terraform.io/language/expressions/type-constraints#collection-types
A Terraform provisioner must be nested inside a resource configuration block.
- A . True
- B . False
A
Explanation:
Most provisioners require access to the remote resource via SSH or WinRM, and expect a nested connection block with details about how to connect.
Reference: https://www.terraform.io/docs/language/resources/provisioners/connection.html
Where does the Terraform local backend store its state?
- A . In the /tmp directory
- B . In the terraform.tfvars file
- C . In the terraform.tfstate file
- D . In the user’s .terraformrc file
C
Explanation:
https://www.terraform.io/language/state
The local backend stores state on the local filesystem, locks that state using system APIs, and performs operations locally.
Reference: https://www.terraform.io/docs/language/settings/backends/local.html
Terraform variables and outputs that set the "description" argument will store that description in the state file.
- A . True
- B . False
B
Explanation:
Reference: https://www.terraform.io/docs/language/values/outputs.html
Module variable assignments are inherited from the parent module and do not need to be explicitly set.
- A . True
- B . False
If you manually destroy infrastructure, what is the best practice reflecting this change in Terraform?
- A . Run terraform refresh
- B . It will happen automatically
- C . Manually update the state fire
- D . Run terraform import
A
Explanation:
https://www.terraform.io/cli/commands/refresh#:~:text=The%20terraform%20refresh%20command%20reads%20the%20current%20settings%20from%20all%20managed%20remote%20objects%20and%20updates%20the%20Terraform%20state%20to%20match.
All standard backend types support state storage, locking, and remote operations like plan.
apply and destroy.
- A . True
- B . False
B
Explanation:
https://www.terraform.io/language/settings/backends/configuration "Some of these backends act like plain remote disks for state files, while others support locking the state while operations are being performed. This helps prevent conflicts and inconsistencies. The built-in backends listed are the only backends. You cannot load additional backends as plugins."
What command does Terraform require the first time you run it within a configuration directory?
- A . terraform import
- B . terraform init
- C . terraform plan
- D . terraform workspace
B
Explanation:
terraform init command is used to initialize a working directory containing Terraform configuration files.
Reference: https://www.terraform.io/docs/cli/commands/init.html
Which task does terraform init not perform?
- A . Sources all providers present in the configuration and ensures they are downloaded and available locally
- B . Connects to the backend
- C . Sources any modules and copies the configuration locally
- D . Validates all required variables are present
D
Explanation:
Reference: https://www.terraform.io/docs/cli/commands/init.html
Terraform can run on Windows or Linux, but it requires a Server version of the Windows operating system.
- A . True
- B . False
B
Explanation:
https://www.terraform.io/downloads
What is terraform refresh intended to detect?
- A . Terraform configuration code changes
- B . Empty state files
- C . State file drift
- D . Corrupt state files
C
Explanation:
"The terraform refresh command reads the current settings from all managed remote objects and updates the Terraform state to match. Warning: This command is deprecated, because its default behavior is unsafe if you have misconfigured credentials for any of your providers. See below for more information and recommended alternatives." https://www.terraform.io/cli/commands/refresh
Which of the following is available only in Terraform Enterprise or Cloud workspaces and not in Terraform CLI?
- A . Secure variable storage
- B . Support for multiple cloud providers
- C . Dry runs with terraform plan
- D . Using the workspace as a data source
A
Explanation:
Reference: https://www.terraform.io/docs/language/providers/configuration.html
CORRECT TEXT
FILL BLANK
What is the name of the default file where Terraform stores the state?
Type your answer in the field provided. The text field is not case-sensitive and all variations of the correct answer are accepted.
"This state is stored by default in a local file named "terraform.tfstate", but it can also be stored remotely, which works better in a team environment." https://www.terraform.io/language/state
Which of these is the best practice to protect sensitive values in state files?
- A . Blockchain
- B . Secure Sockets Layer (SSL)
- C . Enhanced remote backends
- D . Signed Terraform providers
C
Explanation:
Use of remote backends and especially the availability of Terraform Cloud, there are now a variety of backends that will encrypt state at rest and will not store the state in cleartext on machines running.
Reference: https://www.terraform.io/docs/extend/best-practices/sensitive-state.html
You have deployed a new webapp with a public IP address on a clod provider. However, you did not create any outputs for your code.
What is the best method to quickly find the IP address of the resource you deployed?
- A . Run terraform output ip_address to view the result
- B . In a new folder, use the terraform_remote_state data source to load in the state file, then write an output for each resource that you find the state file
- C . Run terraform state list to find the name of the resource, then terraform state show to find the attributes including public IP address
- D . Run terraform destroy then terraform apply and look for the IP address in stdout
C
Explanation:
https://www.terraform.io/cli/commands/state/show
CORRECT TEXT
FILL BLANK
Which flag would you add to terraform plan to save the execution plan to a file?
Type your answer in the field provided. The text field is not case-sensitive and all variations of the correct answer are accepted.
"You can use the optional -out=FILE option to save the generated plan to a file on disk, which you can later execute by passing the file to terraform apply as an extra argument. This two-step workflow is primarily intended for when running Terraform in automation. If you run terraform plan without the -out=FILE option then it will create a speculative plan, which is a description of the effect of the plan but without any intent to actually apply it." https://www.terraform.io/cli/commands/plan
You have multiple team members collaborating on infrastructure as code (IaC) using Terraform, and want to apply formatting standards for readability.
How can you format Terraform HCL (HashiCorp Configuration Language) code according to standard Terraform style convention?
- A . Run the terraform fmt command during the code linting phase of your CI/CD process
- B . Designate one person in each team to review and format everyone’s code
- C . Manually apply two spaces indentation and align equal sign "=" characters in every Terraform file (*.tf)
- D . Write a shell script to transform Terraform files using tools such as AWK, Python, and sed
A
Explanation:
https://www.terraform.io/cli/commands/fmt
You would like to reuse the same Terraform configuration for your development and production environments with a different state file for each.
Which command would you use?
- A . terraform import
- B . terraform workspace
- C . terraform state
- D . terraform init
B
Explanation:
https://www.terraform.io/language/state/workspaces#when-to-use-multiple-workspaces
Which of the following is not an action performed by terraform init?
- A . Create a sample main.tf file
- B . Initialize a configured backend
- C . Retrieve the source code for all referenced modules
- D . Load required provider plugins
What is the name assigned by Terraform to reference this resource?
- A . compute_instance
- B . main
- C . google
- D . test
If a module uses a local variable, you can expose that value with a terraform output.
- A . True
- B . False
A
Explanation:
Output values are like function return values.
Reference: https://www.terraform.io/docs/language/values/locals.html https://www.terraform.io/docs/language/values/outputs.html
Which provisioner invokes a process on the resource created by Terraform?
- A . remote-exec
- B . null-exec
- C . local-exec
- D . file
A
Explanation:
"The local-exec provisioner invokes a local executable after a resource is created. This invokes a process on the machine running Terraform, not on the resource." https://www.terraform.io/language/resources/provisioners/local-exec
"The remote-exec provisioner invokes a script on a remote resource after it is created." https://www.terraform.io/language/resources/provisioners/remote-exec
HashiCorp Configuration Language (HCL) supports user-defined functions.
- A . True
- B . False
B
Explanation:
https://www.terraform.io/language/functions
The Terraform language does not support user-defined functions, and so only the functions built into the language are available for use
You’re building a CI/CD (continuous integration/ continuous delivery) pipeline and need to inject sensitive variables into your Terraform run.
How can you do this safely?
- A . Pass variables to Terraform with a Cvar flag
- B . Copy the sensitive variables into your Terraform code
- C . Store the sensitive variables in a secure_vars.tf file
- D . Store the sensitive variables as plain text in a source code repository
A
Explanation:
https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code-1d586955ace1
Terraform provisioners that require authentication can use the ______ block.
- A . connection
- B . credentials
- C . secrets
- D . ssh
A
Explanation:
https://www.terraform.io/language/resources/provisioners/connection
"Most provisioners require access to the remote resource via SSH or WinRM and expect a nested connection block with details about how to connect." "Connection blocks don’t take a block label and can be nested within either a resource or a provisioner."
You have recently started a new job at a retailer as an engineer. As part of this new role, you have been tasked with evaluating multiple outages that occurred during peak shopping time during the holiday season. Your investigation found that the team is manually deploying new compute instances and configuring each compute instance manually. This has led to inconsistent configuration between each compute instance.
How would you solve this using infrastructure as code?
- A . Implement a ticketing workflow that makes engineers submit a ticket before manually provisioning and configuring a resource
- B . Implement a checklist that engineers can follow when configuring compute instances
- C . Replace the compute instance type with a larger version to reduce the number of required deployments
- D . Implement a provisioning pipeline that deploys infrastructure configurations committed to your version control system following code reviews
In Terraform 0.13 and above, outside of the required_providers block, Terraform configurations always refer to providers by their local names.
- A . True
- B . False
A
Explanation:
Outside of the required_providers block, Terraform configurations always refer to providers by their local names.
Reference:
https://www.terraform.io/docs/language/providers/requirements.html
https://www.terraform.io/language/providers/requirements#local-names
What is one disadvantage of using dynamic blocks in Terraform?
- A . They cannot be used to loop through a list of values
- B . Dynamic blocks can construct repeatable nested blocks
- C . They make configuration harder to read and understand
- D . Terraform will run more slowly
C
Explanation:
"Overuse of dynamic blocks can make configuration hard to read and maintain, so we recommend using them only when you need to hide details in order to build a clean user interface for a re-usable module. Always write nested blocks out literally where possible."
Reference: https://github.com/hashicorp/terraform/issues/19291
You write a new Terraform configuration and immediately run terraform apply in the CLI using the local backend.
Why will the apply fail?
- A . Terraform needs you to format your code according to best practices first
- B . Terraform needs to install the necessary plugins first
- C . The Terraform CLI needs you to log into Terraform cloud first
- D . Terraform requires you to manually run terraform plan first
When should you use the force-unlock command?
- A . You see a status message that you cannot acquire the lock
- B . You have a high priority change
- C . Automatic unlocking failed
- D . Your apply failed due to a state lock
C
Explanation:
Be very careful with this command. If you unlock the state when someone else is holding the lock it could cause multiple writers. Force unlock should only be used to unlock your own lock in the situation where automatic unlocking failed. Source: https://www.terraform.io/language/state/locking https://www.terraform.io/cli/commands/force-unlock
What is the provider for this fictitious resource?
- A . vpc
- B . main
- C . aws
- D . test
C
Explanation:
Reference: https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/resource-types.html
You should store secret data in the same version control repository as your Terraform configuration.
- A . True
- B . False
B
Explanation:
Reference: https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code- 1d586955ace1
Which option can not be used to keep secrets out of Terraform configuration files?
- A . A Terraform provider
- B . Environment variables
- C . A -var flag
- D . secure string
A
Explanation:
Reference: https://secrethub.io/blog/secret-management-for-terraform/
Why would you use the terraform taint command?
- A . When you want to force Terraform to destroy a resource on the next apply
- B . When you want to force Terraform to destroy and recreate a resource on the next apply
- C . When you want Terraform to ignore a resource on the next apply
- D . When you want Terraform to destroy all the infrastructure in your workspace
B
Explanation:
The terraform taint command manually marks a Terraform-managed resource as tainted, forcing it to be destroyed and recreated on the next apply.
Reference: https://www.terraform.io/docs/cli/commands/taint.html
Setting the TF_LOG environment variable to DEBUG causes debug messages to be logged into syslog.
- A . True
- B . False
B
Explanation:
TF_LOG_PATH IS NOT REQUIRED, in the docs, they do not mention HAVE TO SET
TF_LOG_PATH, it is optional, therefore without TF_LOG_PATH will cause detailed logs to appear on stderr.
https://www.computerhope.com/jargon/s/stderr.htm#:~:text=Stderr%2C%20also%20known%20as%20standard,defaults%20to%20the%20user’s%20screen.
A fellow developer on your team is asking for some help in refactoring their Terraform code. As part of their application’s architecture, they are going to tear down an existing deployment managed by Terraform and deploy new. However, there is a server resource named aws_instance.ubuntu[1] they would like to keep to perform some additional analysis.
What command should be used to tell Terraform to no longer manage the resource?
- A . terraform apply rm aws_instance.ubuntu[1]
- B . terraform state rm aws_instance.ubuntu[1]
- C . terraform plan rm aws_instance.ubuntu[1]
- D . terraform delete aws_instance.ubuntu[1]
B
Explanation:
"You can use terraform state rm in the less common situation where you wish to remove a binding to an existing remote object without first destroying it, which will effectively make Terraform "forget" the object while it continues to exist in the remote system." https://www.terraform.io/cli/commands/state/rm
Which two steps are required to provision new infrastructure in the Terraform workflow? (Choose two.)
- A . Destroy
- B . Apply
- C . Import
- D . Init
- E . Validate
B,D
Explanation:
Reference: https://www.terraform.io/guides/core-workflow.html
Which of the following is the correct way to pass the value in the variable num_servers into a module with the input servers?
- A . servers = num_servers
- B . servers = variable.num_servers
- C . servers = var(num_servers)
- D . servers = var.num_servers
D
Explanation:
"Within the module that declared a variable, its value can be accessed from within expressions as var.<NAME>, where <NAME> matches the label given in the declaration block:
Note: Input variables are created by a variable block, but you reference them as attributes on an object named var."
https://www.terraform.io/language/values/variables#using-input-variable-values
Which statement describes a goal of infrastructure as code?
- A . An abstraction from vendor specific APIs
- B . Write once, run anywhere
- C . A pipeline process to test and deliver software
- D . The programmatic configuration of resources
D
Explanation:
The purpose of infrastructure as code is to enable developers or operations teams to automatically manage, monitor and provision resources, rather than manually configure discrete hardware devices and operating systems. Infrastructure as code is sometimes referred to as programmable or software-defined infrastructure.
What value does the Terraform Cloud/Terraform Enterprise private module registry provide over the public Terraform Module Registry?
- A . The ability to share modules with public Terraform users and members of Terraform Enterprise Organizations
- B . The ability to tag modules by version or release
- C . The ability to restrict modules to members of Terraform Cloud or Enterprise organizations
- D . The ability to share modules publicly with any user of Terraform
C
Explanation:
Terraform Cloud’s private registry works similarly to the public Terraform Registry and helps you share Terraform providers and Terraform modules across your organization. It includes support for versioning and a searchable list of available providers and modules.
You need to constrain the GitHub provider to version 2.1 or greater.
Which of the following should you put into the Terraform 0.12 configuration’s provider block?
- A . version >= 2.1
- B . version ~> 2.1
- C . version = “<= 2.1”
- D . version = “>= 2.1”
D
Explanation:
version = ">= 1.2.0, < 2.0.0"
A version constraint is a string literal containing one or more conditions, which are separated by commas.
Each condition consists of an operator and a version number.
Version numbers should be a series of numbers separated by periods (like 1.2.0), optionally with a suffix to indicate a beta release.
The following operators are valid:
= (or no operator): Allows only one exact version number. Cannot be combined with other conditions.
!=: Excludes an exact version number.
>, >=, <, <=: Comparisons against a specified version, allowing versions for which the comparison is true. "Greater-than" requests newer versions, and "less-than" requests older versions.
~>: Allows only the rightmost version component to increment. For example, to allow new patch releases within a specific minor release, use the full version number: ~> 1.0.4 will allow installation of 1.0.5 and 1.0.10 but not 1.1.0. This is usually called the pessimistic constraint operator.
https://www.terraform.io/language/expressions/version-constraints
CORRECT TEXT
FILL BLANK
You need to specify a dependency manually.
What resource meta-parameter can you use to make sure Terraform respects the dependency?
Type your answer in the field provided. The text field is not case-sensitive and all variations of the correct answer are accepted.
A provider configuration block is required in every Terraform configuration.
Example:
- A . True
- B . False
B
Explanation:
Unlike many other objects in the Terraform language, a provider block may be omitted if its contents would otherwise be empty. Terraform assumes an empty default configuration for any provider that is not explicitly configured.
https://www.terraform.io/language/providers/configuration
Your DevOps team is currently using the local backend for your Terraform configuration. You would like to move to a remote backend to begin storing the state file in a central location.
Which of the following backends would not work?
- A . Amazon S3
- B . Artifactory
- C . Git
- D . Terraform Cloud
C
Explanation:
https://www.terraform.io/cdktf/concepts/remote-backends https://docs.gitlab.com/ee/user/infrastructure/iac/terraform_state.html
What features stops multiple admins from changing the Terraform state at the same time?
- A . Version control
- B . Backend types
- C . Provider constraints
- D . State locking
D
Explanation:
Somewhat ambiguous question however the key phrase is "feature". You need a remote backend first with a State Locking feature available to avoid this scenario.
https://blog.gruntwork.io/how-to-manage-terraform-state-28f5697e68fa
You have a simple Terraform configuration containing one virtual machine (VM) in a cloud provider. You run terraform apply and the VM is created successfully.
What will happen if you delete the VM using the cloud provider console, and run terraform apply again without changing any Terraform code?
- A . Terraform will remove the VM from state file
- B . Terraform will report an error
- C . Terraform will not make any changes
- D . Terraform will recreate the VM
In contrast to Terraform Open Source, when working with Terraform Enterprise and Cloud Workspaces, conceptually you could think about them as completely separate working directories.
- A . True
- B . False
A
Explanation:
https://www.terraform.io/cloud-docs/workspaces
"When run locally, Terraform manages each collection of infrastructure with a persistent working directory, which contains a configuration, state data, and variables. Since Terraform CLI uses content from the directory it runs in, you can organize infrastructure resources into meaningful groups by keeping their configurations in separate directories.
You have provisioned some virtual machines (VMs) on Google Cloud Platform (GCP) using the gcloud command line tool. However, you are standardizing with Terraform and want to manage these VMs using Terraform instead.
What are the two things you must do to achieve this? (Choose two.)
- A . Provision new VMs using Terraform with the same VM names
- B . Use the terraform import command for the existing VMs
- C . Write Terraform configuration for the existing VMs
- D . Run the terraform import-gcp command
B,C
Explanation:
You should create the equivalent configuration first, and then run import to load it on the state file.
Which of the following is not a key principle of infrastructure as code?
- A . Versioned infrastructure
- B . Golden images
- C . Idempotence
- D . Self-describing infrastructure
B
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/devops/learn/what-is-infrastructure-as-code#:~:text=Idempotence%20is%20a%20principle%20of,of%20the%20environment’s%20 starting%20state.
Which of the following is not true of Terraform providers?
- A . Providers can be written by individuals
- B . Providers can be maintained by a community of users
- C . Some providers are maintained by HashiCorp
- D . Major cloud vendors and non-cloud vendors can write, maintain, or collaborate on
Terraform providers - E . None of the above
E
Explanation:
https://registry.terraform.io/providers/hashicorp/google/latest – This provider is
collaboratively maintained by the Google Terraform Team at Google and the Terraform
team at HashiCorp
https://www.terraform.io/language/providers
How would you reference the "name" value of the second instance of this fictitious resource?
- A . element(aws_instance.web, 2)
- B . aws_instance.web[1].name
- C . aws_instance.web[1]
- D . aws_instance.web[2].name
- E . aws_instance.web.*.name
B
Explanation:
https://www.terraform.io/language/meta-arguments/count#referring-to-instances
Reference: https://www.terraform.io/docs/configuration-0-11/interpolation.html
terraform init initializes a sample main.tf file in the current directory.
- A . True
- B . False
B
Explanation:
Reference: https://www.terraform.io/docs/cli/commands/init.html