Hashicorp Terraform Cert

Question 1

What is IaC?

Answer 1

Infrastructure as Code
- writing what you want to deploy as human readable code

Question 2

What are the benefits of IaC?

Answer 2

• Enabling DevOps
• Declaring your Infrastructure
• Speed, Cost, Reduced Risk

Question 3

What is the Terraform Workflow?

Answer 3

• Write
• Plan
• Apply

Question 4

What does “terraform plan” do?

Answer 4

• reads code and creates and shows a “plan of execution/deployment”
• does not actually deploy anything
• allows the user to “review” the action plan before executing anything
• Authentication Credentials are used to connect to your infrastructure if required

Question 5

At what stage of the terraform workflow are Authentication Credentials used to connect to your infrastructure if required?

Answer 5

Terraform Plan

Question 6

What does “terraform apply” do?

Answer 6

• Deploys the instructions and statements in the code
• Updates the State File

Question 7

What does “terraform destroy” do?

Answer 7

• Looks at the recorded/stored State File created during deployment and destroys all resources created by your code

Question 8

True of False: “terraform destroy” is non-reversible

Answer 8

True

Question 9

What does “terraform init” do?

Answer 9

-Initializes the working directory that contains your Terraform code
– downloads the ancillary/supporting components (providers, modules, plug ins)
– sets up the backend for storing the terraform state file

Question 10

What is a Resource Address?

Answer 10

• a way to access a resources in terraform code

Question 11

What pattern does a Resource Address for the following look like?

resource “aws_instance” “web” {
ami = “ami-a1b2c3d4”
instance_type = “t2.micro”

Answer 11

aws_instance.web

Question 12

What pattern does a Resource Address for the following look like?

data “aws_instance” “my-vm” {
instance_id = “i-1234567890abcdef0”
}

Answer 12

data.aws_instance.my-vm

Question 13

What is the main difference between a data block and a resource block?

Answer 13

• Data blocks fetch and track details of already existing resources
• Resource block create resources from scratch

Question 14

What file extension does terrafrom look for to execute terraform code?

Answer 14

.tf

Question 15

Where does Terraform first look for providers?

Answer 15

In the Terraform Providers Registry

Question 16

True or False: Providers can not be sourced locally and internally and referenced in your code

Answer 16

False

Question 17

What are the two methods for installing Terraform?

Answer 17

Method 1: Download, Unzip, and Use
Method 2: Set up a Terraform Repository on Linux

Question 18

What are Providers?

Answer 18

Providers are Terraform’s way of abstracting integrations with API control layer of the infrastructure vendors
(i.e. Terraform abstracts away all the API calls it makes under the hood using Providers)
basically like plug ins
- Each provider is a precompiled chunk of code which defines resources for Terraform to interact with the respective vendor

Question 19

True or False: Providers are released on a separate rhythm from Terraform itself

Answer 19

True

Question 20

Select which one is False:
A - Each Provider has their own series of version numbers
B - You can only use providers from the Terraform Provider’s registry
C - It is a Best Practice to Fix the version of the providers in your code
D - Providers updates and releases are seperate from Terraform’s

Answer 20

B
You can create your own custom providers!

Question 21

where are providers stored?

Answer 21

in the hidden .terraform file
revelaed by ls -a

Question 22

What is the purpose of provisioners?

Answer 22

Provisioners give users a way to execute custom scripts, commands, or actions

Question 23

What are the 2 types of provisioners

Answer 23

Creation-time
Destruction-time

Question 24

How can Terraform provisioners be run?

Answer 24

locally on the same system
or
remotely on resources spun up through the Terraform deployment

Question 25

True or False: Provisioners should be used as a last resort

Answer 25

true.
It is recommended to use inherent mechanisms within your infrastructure deployment to carry out custom tasks when possible

Question 26

Fill in the blank:
“If the command within a provisioner returns a value other than _ , it’s considered failed and the underlying resource is tainted”

Answer 26

0

Question 27

What happens when a provisioner’s underlying resource is tainted?

Answer 27

Terraform marks the resource against which the provisioner was to be run so it can be created again on the next run

Question 28

By Default provisioners are:
A. Creation TIme
B. Destruction time

Answer 28

A Creation Time

Question 29

What is the difference between a Creation Time and Destruction time provisioner in code?

Answer 29

destruction - time provisioners can be determined because they have the “when” condition

Question 30

True or False: You can use multiple provisioners in the same resource

Answer 30

True

Question 31

What order are provisioners run in?

Answer 31

The order they are listed

Question 32

What is the de fault name of the Terraform State FIle?
a. terraform.statetf
b. terraform.tfstate
c. state.tf
d. state.terraform

Answer 32

b. terraform.tfstate

Question 33

how do you reference the following terraform variable:
variable “my-var” {
description = “My Test Variable”
type = string
default = “Hello”
}

Answer 33

var.my-var

Question 34

Where is the best practice to store terraform variables?
a. in the main code files
b. in vars.tf
c. in terraform.vars
d. in terraform.tfvars

Answer 34

d. in terraform.tfvars

Question 35

what parameter helps to hide sensitive info durinf runs?
a. secret
b. safe
c. sensitive
d. redacted

Answer 35

c. sensitive

Question 36

What are the Base type variables in Terraform?

Answer 36

• string
• number
• boolean

Question 37

What are the Complex variable types in Terraform

Answer 37

• list
• set
• map
• object
• tuple

Question 38

When are Output Variables shown

Answer 38

Output variables values are shown on the shell after running terraform apply

Question 39

What is the purpose of terraform state?

Answer 39

It maps real world resources to Terraform configuration

Question 40

By Default, where is the terraform state file called?

Answer 40

terraform.tfstate

Question 41

Terraform refreshes the state:
a. before each opening of the state file
b. after a terraform plan
c. prior to any modification operation

Answer 41

C. prior to any modification operation

Question 42

True or False: Resource dependency metadata is also tracked via the state file

Answer 42

True

Question 43

True or false: the terraform state file does not effect deployment performance

Answer 43

False:
Terraform state helps boost deployment performance by caching resource attributes for subsequent use

Question 44

What is the purpose of the Terraform state command?

Answer 44

The terraform state command is a utility for manipulating and reading the terraform state file

Question 45

True or False: Under most circumstances, one does not need to modify the Terraform State File

Answer 45

True

Question 46

What are three scenarios where it is appropriate to use Terraform state commands?

Answer 46

1. Advanced State Management
2. Manually removing a resource from the Terraform State file so it is not managed by terraform
3. Listing out tracked resources and their details

Question 47

What terraform command lists out all resources tracked by the terraform state file?

Answer 47

terraform state list

Question 48

What command deletes a resource from the terraform state file?

Answer 48

terraform state rm <resource></resource>

Question 49

What command shows the details of a resource tracked in the terraform state file?

Answer 49

terraform state show

Question 50

What is the Default behavior for Terraform state storage?

Answer 50

to save / store terraform state locally on your system

Question 51

What does State Locking do?

Answer 51

locks state file so parallel executions don’t coincide

Question 52

State locking is initiated as a default after terraform apply for ___ storage

Answer 52

Local

Question 53

True or False: State locking is a default behavior for remote state storage

Answer 53

False
State locking is not supported by all remote state storage backends

Question 54

What is a Terraform Module?

Answer 54

A Terraform Module is a container for multiple resources that are used together

Question 55

What is the main purpose of a Terraform Module?

Answer 55

To make the terraform code reusable so it can be used elsewhere again and again

Question 56

True or false: every Terraform configuration has at least one module.

Answer 56

True
It is called the Root Module and consists of code files in your main working directory

Question 57

What are 3 places Terraform modules can be downloaded or referenced from?

Answer 57

1. Terraform Public Registry
2. A Private Registry
3. Your Local System

Question 58

True or False: It is a best practice to not list a specific terraform version on terraform modules

Answer 58

False
It is a best practice to require a specific version for the module to ensure that there aren’t breaking changes when updating the modules

Question 59

What Terraform Module Parameter denotes where the module is being references from?

Answer 59

source

Question 60

What terraform module parameter allows for spawning multiple separate instances of modules resources?

Answer 60

count

Question 61

What terraform module parameter allows iterating over complex variables?

Answer 61

for_each

Question 62

What terraform module parameter allows one to tie down specific providers to a module?

Answer 62

providers

Question 63

What Terraform module parameter allows you to set dependencies for the module?

Answer 63

depends_on

Question 64

How do you reference a variable inside a module?
a. var.module.<var>
b. var.<var>
c. module.var.<var></var></var></var>

Answer 64

B. var.<var></var>

Question 65

How do you reference a module variable in main code?
a. var.<var>
b. var.module.<var>
c. module.<module>.<var>
d. module.var.<modulename>.<var></var></modulename></var></module></var></var>

Answer 65

C. module.<module>.<var></var></module>

Question 66

True or False: User-defined functions are are extremely useful in making terraform code dynamic and flexible

Answer 66

FALSE
Terraform does not allow for User-defined functions, however this does apply to Built-In functions!

Question 67

What is the output of join?
variable “project-name” {
type = string
default = “prod”
}
resource “aws_vpc” “my-vpc” {
cidr_block = “10.0.0.0/16”
tags = {
Name = join(“-”, [“terraform”, var.project-name])
}
}

Answer 67

terraform-prod

Question 68

What does the file function do?

Answer 68

helps insert files into resources

Question 69

What does the max function do?

Answer 69

determines the max integer value from a provided list

Question 70

what does the flatten function do?

Answer 70

Creates a singular list out of a provided set of lists

Question 71

what does the contains function do?

Answer 71

searches for whatever you’ve passed in a list of elements you pass in

Question 72

What are Dynamic Blocks?

Answer 72

Dynamic Blocks are constructed repeatable nested configuration blocks inside terraform resources

Question 73

What can Dynamic blocks be used with?

Answer 73

Resource, Data, Provider, and Provisioner

Question 74

Why should you use Dynamic Blocks?

Answer 74

They make your code look cleaner

Question 75

Why should you be careful when it comes to Dynamic Blocks?

Answer 75

If you overuse them they can make your code hard to read and maintain

Question 76

How do you configure dynamic blocks?

Answer 76

They expect a complex variable type to iterate over

They act like for loops and output a nested block for each element in your variable

Question 77

What is the Best Practice for Dynamic Blocks?

Answer 77

Only use Dynamic B locks when you need to hide detail in order to build a clearer user interface when writing reusable modules

Question 78

What does terraform fmt do?

Answer 78

Formats code for readability
Helps in keeping code consistent

Question 79

What command should you use:
- Before pushing your code to version control (github, etc.)
- After upgrading your Terraform or tis modules
- Any time you’ve made changes to your code

Answer 79

terraform fmt

Question 80

What does terraform taint RESOURCE_ADDRESS do?

Answer 80

Marks an existing resource, forcing it to be destroyed and recreated
Modifies the state file which causes the recreation workflow

Question 81

True or False: Tainting a resource may cause other resources to be modified

Answer 81

True

Question 82

What command should you use:
- To cause provisioners to run
- To Replace misbehaving resources forcefully
- To mimic side effects of recreation not modeled by any attributes of the resource

Answer 82

terraform taint RESOURCE_ADDRESS

Question 83

What does terraform import RESOURCE_ADDRESS ID do?

Answer 83

Maps existing resources to Terraform using an “ID”
Note: “ID” is dependent on the underlying vendor
For example, to import an AWS EC2 instance you’ll need to provide its instance ID

Question 84

What command should you use:
- When you need to work with existing resources
- you’re not allowed to create new resources
- When you’re not in control of creation process of infrastructure

Answer 84

terraform import RESOURCE_ADDRESS ID

Question 85

What are Terraform Workspaces (CLI)?

Answer 85

Terraform Workspaces are alternate state files within the same working directory

Question 86

Terraform starts with a single workspace that is always called ______

Answer 86

default

Question 87

True or False: The initial terraform workspace cannot be deleted

Answer 87

True

Question 88

What does terraform workspace new <WORKSPACE-NAME> do?

Answer 88

creates a new terraform workspace

Question 89

What does terraform workspace select <WORKSPACE-NAME> do?

Answer 89

Selects a terraform workspace

Question 90

Why would you use Terraform Workspaces?

Answer 90

• Test changes using a parallel, distinct copy of infrastructure
• It can be modeled against branches in version control such as Git

Question 91

True or false: Terraform Workspaces enables distributes team

Answer 91

True

Question 92

What does this variable represent: ${terraform.workspace}

Answer 92

A workspace name

Question 93

State Files that workspaces create are stored in what directory ?

Answer 93

terraform.tfstate.d

Question 94

What environment variable enables verbose logging in Terraform?

Answer 94

TF_LOG

Question 95

By default, where are logs from TF_LOG sent?

Answer 95

stderr

Question 96

What is the most verbose and reliable level of TF_LOG?

Answer 96

TRACE

Question 97

What are the different levels of TF_LOG?

Answer 97

• Trace
• DEBUG
• INFO
• WARN
• ERROR

Question 98

What env variable persists logging output?
i.e.(redirects logs to a file, takes file as an input)

Answer 98

TF_LOG_PATH

Question 99

True or False: Sentinel is not meant to enforce policies on your code

Answer 99

False

Question 100

True or False: Sentinel has its own language

Answer 100

True, its a policy language called Sentinel Language

Question 101

Sentinel is designed to…
A. Break into terraform code
B. specifically for expereinced programmers
C. Be approachable by non-programmers

Answer 101

C. Be approachable by non-programmers

Question 102

Where in the Terraform workflow does Sentinel Integration take place within Terraform Enterprise?

Answer 102

after terraform plan and before terraform apply

Question 103

What do Sentinel Policies NOT have access to:
A. The data in the curated plan
B. State of the resources at the time of the plan
C. The configuration at the time of the plan
D. The state of the resources before the plan

Answer 103

D

Question 104

What are the benefits of using Sentinel?

Answer 104

• Sandboxing or Guardrails for Automation
  — You can apply Sentinel policies against your Terraform code to sandbox your deployments
• Codification or Easier Understanding, better collaboration
  — it codifies the process of security enforcement in Terraform code
• Version Control
  — Shared across the organization
• Testing and Automation
  — Can help standardize security testing and automation right into your Terraform deployment pipeline as Sentinel automatically runs before your Terraform deployments

Question 105

How can you apply Sentinel for sandboxing?

Answer 105

Essentially as Guardrails for Automation
- You can apply Sentinel policies against your Terraform code to sandbox your deployments

Question 106

How can Sentinel help with Testing and Automation?

Answer 106

It can help standardize security testing and automation right into your Terraform deployment pipeline as Sentinel automatically runs before your Terraform deployments

Question 107

How can Sentinel help with Testing and Automation?

Answer 107

It can help standardize security testing and automation right into your Terraform deployment pipeline as Sentinel automatically runs before your Terraform deployments

Question 108

What are some Use Cases for Sentinel?

Answer 108

• For enforcing CIS standards across AWS accounts
• Checking to make sure only y3.micro instance types are used
• Ensuring Security Groups do not allow traffic on Port 22

Question 109

What is Hashicorp Vault>

Answer 109

Its a Secrets Management Software that dynamically provisions credentials and rotates them.
It encrypts sensitive data in transit and at rest and provides fine-grained access to secrets using ACLs

Question 110

Why should you use Terraform Vault Provider?

Answer 110

Crednetials Sprawl.
They can be in multiple places, some not secure at all.
Through vault you can manage and protect them very well.

Question 111

What are the benefits of Vault?

Answer 111

• Developers don’t need to manage long-lived credentials, making it more secure
• You can Inject secrets into your Terraform deployment at runtime
• Fine-grained ACLs for access to temporary credentials

Question 112

What’s the Big Exam Takeaway for Terraform Vault Provider?

Answer 112

Vault allows for storing your secrets in a centralized way and allows you to provide both temporary credentials for usage in your deployments, as well as provide encryption of data at rest and in transit

Question 113

What is the Terraform Registry?

Answer 113

A repository of publicly available Terraform providers and modules

Question 114

True or False: You can publish and share your own Terraform modules and providers to the Terraform Registry.

Answer 114

True

Question 115

True or false: You can directly reference the Terraform Registry in your Terraform code

Answer 115

True, You cad declare a provider and it will automatically go grab it from the registry

Question 116

What is Terraform Cloud Workspaces?

Answer 116

Directories hosted in Terraform Cloud, think of it as directories for distinct deployments hosted in Cloud
- no worrying about storage, segregation, or even security of your workspaces.

Question 117

What Does Terraform Cloud Workspaces do?

Answer 117

• Stores old versions of state files by default and can be shared between organizations
• Maintains a record of all execution activity (allows for auditing and investigating deployments easier)
• All Terraform commands are executed on “managed” Terraform Cloud VMs ( you can trigger deployments via a workspace’s API or version control system triggers, like Github Actions, or even the Terraform Cloud user interface, and HashiCorp will execute your plan, apply, and init commands on their own hosted and managed VMs)

Question 118

What are the benefits of Terraform Cloud Workspace? - long

Answer 118

A Collaboration oriented Terraform Workflow:
- remote Terraform Execution
- Workspace based org model
- Integration with Version Control Systems
- Remote State management and CLI Integration
- Private Terraform Module registry
- Cost estimation and Sentinel Integration features

Question 119

What is the difference in the Terraform Configuration between Terraform OSS and Terraform Cloud Workspaces?

Answer 119

• The Terraform Configuration is on Disk for OSS Workspaces
• The Terraform Configuration is In a linked version control repository or periodically uploaded via API/CLI

Question 120

What is the difference in the way Variable Values are stored between Terraform OSS and Terraform Cloud Workspaces?

Answer 120

The Variable Values are stored as .tfvars, as CLI arguments, or in a shell env for OSS Workspace
- The Variable Values are stored In the TF Cloud Workspace for Cloud Workspace

Question 121

What is the difference in State Storage between Terraform OSS and Terraform Cloud Workspaces?

Answer 121

• The State is stored on disk or in a remote backend for OSS Workspace
• The State is stored In the TF Cloud Workspace for Cloud Workspace

Question 122

What is the difference in Credentials and Secrets Storage between Terraform OSS and Terraform Cloud Workspaces?

Answer 122

• The Credentials and Secrets are store in shell env or entered at prompts for OSS Workspace
• The Credentials and Secrets are stored In TF Cloud workspace stores as sensitive variables for Cloud Workspace

Question 123

What Terraform command can be used to remove the lock on the state for the current configuration

Answer 123

terraform force-unlock
or
Another option is to use the terraform state rm command followed by the terraform state push command to forcibly overwrite the state on the remote backend, effectively removing the lock

Question 124

Environment variables can be used to set the value of input variables. The environment variables must be in the format “____“_<variablename>.</variablename>

Answer 124

TF_VAR

Question 125

Provider dependencies are created in several different ways. Select the valid provider dependencies from the following list: (select three)
A. Existence of any provider plugins found locally in the working directory
B. Use of any resource belonging to a particular provider in a resource or data block in the configuration
C. Existence of any resource instance belonging to a particular provider in the current state
D. Explicit use of a provider block in configuration, optionally including a version constraint

Answer 125

B. Use of any resource belonging to a particular provider in a resource or data block in the configuration
C. Existence of any resource instance belonging to a particular provider in the current state
D. Explicit use of a provider block in configuration, optionally including a version constraint

Question 126

Henry has been working on automating his Azure infrastructure for a new application using Terraform. His application runs successfully, but he has added a new resource to create a DNS record using the new Infoblox provider. He has added the new resource but gets an error when he runs a terraform plan.

What should Henry do first before running a plan and apply?

Answer 126

Since a new provider has been introduced. terraform init needs to be run to download the infoblox plugin

Question 127

True or False? The terraform plan -refresh-only command is used to create a plan whose goal is only to update the Terraform state to match any changes made to remote objects outside of Terraform.

Answer 127

True

Question 128

Terraform is distributed as a single binary and available for many different platforms. What are all of the Operating Systems that Terraform is available for?

Answer 128

Windows
AIX
Linux
macOS
Solaris

Question 129

When using constraint expressions to signify a version of a provider, which of the following are valid provider versions that satisfy the expression found in the following code snippet: (select two)

terraform {
required_providers {
aws = “~> 1.2.0”
}
}

A. Terraform 1.3.0
B. Terraform 1.3.1
C. Terraform 1.2.3
D. Terraform 1.2.9

Answer 129

C. Terraform 1.2.3
D. Terraform 1.2.9

In a required_version parameter in Terraform, the tilde (~) symbol followed by the greater than symbol (>) specifies a “compatible with” version constraint.

For example, if your Terraform configuration specifies required_version = “~> 1.12.0”, Terraform will accept any version of Terraform 1.12 that is greater than or equal to version 1.12.0 and less than 1.13.0. In other words, Terraform will accept any version of Terraform 1.12 that is considered compatible with version 1.12.0.

Question 130

Why might a user opt to include the following snippet in their configuration file?

terraform {
required_version = “>= 1.3.8”
}

Answer 130

The user wants to specify the minimum version of Terraform that is required to run the configuration

Question 131

After many years of using Terraform Open Source (OSS), you decide to migrate to Terraform Cloud. After the initial configuration, you create a workspace and migrate your existing state and configuration. What Terraform version would the new workspace be configured to use after the migration?

Answer 131

The same Terraform version that was used to perform the migration

Question 132

When you add a new module to a configuration, Terraform must download it before it can be used. What two commands can be used to download and update modules? (select two)

Answer 132

terraform get
terraform init

Question 133

Anyone can publish and share modules on the Terraform Public Module Registry, and meeting the requirements for publishing a module is extremely easy.

What are some of the requirements that must be met in order to publish a module on the Terraform Public Module Registry? (select three)

A. The registry uses tags to identify module versions. Release tag names must be for the format x.y.z, and can optionally be prefixed with a v
B. The module must be on GitHub and must be a public repo
C. The module must be PCI/HIPPA compliant
D. Module repositories must use this three part name format `terraform-<PROVIDER>-<NAME></NAME></PROVIDER>

Answer 133

A. The registry uses tags to identify module versions. Release tag names must be for the format x.y.z, and can optionally be prefixed with a v
B. The module must be on GitHub and must be a public repo
D. Module repositories must use this three part name format `terraform-<PROVIDER>-<NAME></NAME></PROVIDER>

Question 134

From the code below, identify the implicit dependency:

resource “aws_eip” “public_ip” {
vpc = true
instance = aws_instance.web_server.id
}

resource “aws_instance” “web_server” {
ami = “ami-2757f631”
instance_type = “t2.micro”
depends_on = [aws_s3_bucket.company_data]
}

Answer 134

The EC2 Instance labeled web_server

The EC2 instance labeled web_server is the implicit dependency as the aws_eip cannot be created until the aws_instance labeled web_server has been provisioned and the id is available.

Note that aws_s3_bucket.company_data is an explicit dependency for the aws_instance.web_server

Question 135

You are performing a code review of a colleague’s Terraform code and see the following code. Where is this module stored?

module “vault-aws-tgw” {
source = “btkrausen/vault-aws-tgw/hcp”
version = “1.0.0”

client_id = “4djlsn29sdnjk20dn”
hvn_id = “a4c9357ead4de”
route_table_id = “rtb-a221958bc5892eade331”
}

Answer 135

In the Terraform public module registry

Question 136

Which Terraform command will check and report errors within modules, attribute names, and value types to ensure they are syntactically valid and internally consistent?

Answer 136

terraform validate

It’s recommended to run terraform validate before running terraform apply, to ensure that your Terraform code is valid and will not produce unexpected results.

Question 137

A “backend” in Terraform determines how state is loaded and how an operation such as apply is executed. Which of the following is not a supported backend type?

A. consul
B. local
C. s3
D. github

Answer 137

D. github

Question 138

In Terraform, variable names must follow a set of naming conventions to be considered valid. What are some examples of invalid variable names?

Answer 138

Names that start with a number: 1_invalid_variable_name

Names that contain spaces or special characters (other than underscores): invalid variable name

Names that contain only numbers: 12345

Names that are the same as Terraform reserved words, such as var, module, data, count, etc.

Question 139

Terraform Cloud is more powerful when you integrate it with your version control system (VCS) provider. Select all the supported VCS providers from the answers below. (select four)
A. CVS Version COntrol
B. Bitbucket Cloud
C. GitHub Enterprise
D. GitHub.com
E. Azure DevOps Server

Answer 139

B. Bitbucket Cloud
C. GitHub Enterprise
D. GitHub.com
E. Azure DevOps Server

Question 140

A user creates three workspaces from the command line: prod, dev, and test. What command will the user run to switch to the dev workspace?

Answer 140

terraform workspace select dev

Question 141

A user has created three workspaces using the command line - prod, dev, and test. The user wants to create a fourth workspace named stage.

Which command will the user execute to accomplish this task?

Answer 141

terraform workspace new stage

Question 142

In order to reduce the time it takes to provision resources, Terraform uses parallelism. By default, how many resources will Terraform provision concurrently during a terraform apply?

Answer 142

10

Question 143

When writing Terraform code, how many spaces between each nesting level does HashiCorp recommends that you use?

Answer 143

2

Question 144

True or False? When using the Terraform provider for Vault, the tight integration between these HashiCorp tools provides the ability to mask secrets in the state file.

Answer 144

False

Question 145

What Terraform command will launch the Interactive console to evaluate and experiment with expressions?

Answer 145

terraform console

Question 146

What do the declarations, such as name, cidr, and azs, in the following Terraform code represent and what purpose do they serve?

module “vpc” {
source = “terraform-aws-modules/vpc/aws”
version = “2.21.0”

name = var.vpc_name
cidr = var.vpc_cidr

azs = var.vpc_azs
private_subnets = var.vpc_private_subnets
public_subnets = var.vpc_public_subnets

enable_nat_gateway = var.vpc_enable_nat_gateway

tags = var.vpc_tags
}

Answer 146

These are where the variable declarations are created so Terraform is aware of these variables within the calling module

Question 147

What 5 types of files should be ignored by Git when committing code to a repo?

Answer 147

• .terraform directory: This directory contains local Terraform state files, which should not be committed to the repository.
• terraform.tfstate and terraform.tfstate.backup: These files contain the current state of your infrastructure, and should not be committed to the repository.
• tfvars files: These files may contain sensitive information, such as passwords or API keys, and should be kept out of version control. Instead, you can use environment variables or other secure methods to pass this information to Terraform.
• *.tfplan files: These files contain the plan generated by Terraform when applying changes to your infrastructure, and may include sensitive information such as resource IDs. They should not be committed to the repository

Question 148

In Terraform Enterprise, a workspace can be mapped to how many VCS repos?

Answer 148

1

Question 149

In the terraform block, which configuration would be used to identify the specific version of a provider required?

Answer 149

required_providers

Question 150

Which of the following connection types are supported by the remote-exec provisioner? (select two)

A .ssh
B. wimrm
C. smb
D. rdp

Answer 150

A .ssh
B. wimrm

Question 151

True or False? Multiple providers can be declared within a single Terraform configuration file.

Answer 151

True

Question 152

What is the purpose of using the local-exec provisioner? (select two)

A. to execute one or more commands on the machine running Terraform
B. Ensures that the resource is only executed in the local infrastructure where Terraform is deployed
C. To invoke a local executable
D. Executes a command on the resource to invoke an update to the Terraform state

Answer 152

A. to execute one or more commands on the machine running Terraform
C. To invoke a local executable

Question 153

HashiCorp offers multiple versions of Terraform, including Terraform open-source, Terraform Cloud, and Terraform Enterprise. Which of the following Terraform feature is available in the Enterprise and Terraform Cloud for Business editions? (select four)
A. Provate Module Repo
B. Private Network Connectivity
C. Audit Loggs
D. Self Managed Installation
E. SAML/SSO

Answer 153

A. Provate Module Repo
B. Private Network Connectivity
C. Audit Loggs
E. SAML/SSO

Question 154

Which of the following represents a feature of Terraform Cloud that is NOT free to customers?
A. team management and governance
B. Private Module Registry
C. VCS Integration
D. Workspace Management

Answer 154

A. team management and governance

Question 155

True or False? You can migrate the Terraform backend but only if there are no resources currently being managed.

Answer 155

False

Question 156

True or False: Using the mask feature, you can instruct Terraform to mask sensitive data in the state file

Answer 156

False

Question 157

True or False: Terraform Cloud always encrypts state at rest

Answer 157

True

Question 158

Frank has a file named main.tf which is shown below. Which of the following statements are true about this code? (select two)

module “servers” {
source = “./app-cluster”

servers = 5
}
A. app-cluster is the child module
B. main.tf is the calling module
C. app-cluster is the calling module
D. main.tf is the child module

Answer 158

A. app-cluster is the child module
B. main.tf is the calling module

Question 159

When configuring a remote backend in Terraform, it might be a good idea to purposely omit some of the required arguments to ensure secrets and other relevant data are not inadvertently shared with others. What are the ways the remaining configuration can be added to Terraform so it can initialize and communicate with the backend? (select three)
A. interactively on the command line
B. use the -backend-config=PATH to specify a seperate config file
C. command-line key/value pairs
D. Direclt querying HashiCorp Vault for the secrets

Answer 159

A. interactively on the command line
B. use the -backend-config=PATH to specify a seperate config file
C. command-line key/value pairs

Question 160

Terraform Cloud can be managed from the CLI but requires __________?

Answer 160

An API token`

Question 161

After executing a terraform plan, you notice that a resource has a tilde (~) next to it. What does this mean?

Answer 161

the resource will be updated in place

Question 162

When multiple engineers start deploying infrastructure using the same state file, what is a feature of remote state storage that is critical to ensure the state does not become corrupt?

Answer 162

State locking

Question 163

Which type of configuration block assigns a name to an expression that can be used multiple times within a module without having to repeat it?

Answer 163

resources

A local value assigns a name to an expression, so you can use it multiple times within a module without repeating it.

Question 164

Aaron is new to Terraform and has a single configuration file that is ready to be deployed. Which of the following can be true about this configuration file? (select three)

A. Aaron’s configuration file can deploy applications in both AWS and GCP
B. The state can be disabled when deploying to multiple clouds to prevent sensitive data from being shared across cloud platforms
C. The configuration file can deploy both QA and Staging infrastructure for applications
D. the state file can be stores in Azure but provision applications in AWS

Answer 164

A. Aaron’s configuration file can deploy applications in both AWS and GCP
C. The configuration file can deploy both QA and Staging infrastructure for applications
D. the state file can be stores in Azure but provision applications in AWS

There are a ton of benefits of deploying with Terraform and the solution is very capable of managing deployments across multiple clouds. However, state is still required and cannot be disabled.

Question 165

Given the following snippet of code, what does servers = 4 reference?

module “servers” {
source = “./modules/aws-servers”

servers = 4
}

Answer 165

the value of an input variable

Question 166

What function does the terraform init -upgrade command perform?

A. upgrades the backend to the latest supported version
B. update all previously installed plugins to the newest version that compiles with the configuration’s version constraints
C. upgrades the terraform configuration file(s) to use the referenced terraform version
D.upgrades all of the reference modules and providers to the latest version of terraform.

Answer 166

B. update all previously installed plugins to the newest version that compiles with the configuration’s version constraints

The -upgrade will upgrade all previously-selected plugins to the newest version that complies with the configuration’s version constraints. This will cause Terraform to ignore any selections recorded in the dependency lock file, and to take the newest available version matching the configured version constraints.

Question 167

A provider alias is used for what purpose in a Terraform configuration file?

Answer 167

using the same provider with different configurations for different resources

To create multiple configurations for a given provider, include multiple provider blocks with the same provider name. For each additional non-default configuration, use the alias meta-argument to provide an extra name segment.

Question 168

There are multiple ways to provide sensitive values when using Terraform. However, sensitive information provided in your configuration can be written to the state file, which is not desirable. Which method below will not result in sensitive information being written to the state file?

A. using a declared variable
B. retrieving the credentials from a data source, such as HashiCorp Vault
C. none of the above
D.using a .tfvars file

Answer 168

C. none of the above

When using sensitive values in your Terraform configuration, all of the configurations mentioned above will result in the sensitive value being written to the state file. Terraform stores the state as plain text, including variable values, even if you have flagged them as sensitive. Terraform needs to store these values in your state so that it can tell if you have changed them since the last time you applied your configuration.

Question 169

Infrastructure as Code (IaC) makes infrastructure changes _______, ________, ________, and __________. (select four)

A. consistent
B. predictable
C. idempotent
D. highly-available
E. repeatable

Answer 169

A. consistent
B. predictable
C. idempotent
E. repeatable

Question 170

Ralphie has executed a terraform apply using a complex Terraform configuration file. However, a few resources failed to deploy due to incorrect variables. After the error is discovered, what happens to the resources that were successfully provisioned?

Answer 170

the resources that were successfully provisioned will remain as deployed

During a terraform apply, any resources that are successfully provisioned are maintained as deployed.

On the other hand, resources that failed during the provisioning process, such as a provisioned, will be tainted to be recreated during the next run.

Question 171

Based on the Terraform code below, what block type is used to define the VPC?
vpc_id = aws_vpc.main.id

Answer 171

resource block

Based on the Terraform code provided in the question, the VPC is defined in a resource block, meaning that there is a VPC resource being defined, such as:

resource “aws_vpc” “main” {
cidr_block = var.base_cidr_block
}
If it were locals, the resource would be referred to as local.aws_vpc

If it were in a data block, it would be referred to as data.aws_vpc.i.main.id

Question 172

When running a terraform plan, how can you save the plan so it can be applied at a later time?

Answer 172

use the -out flag

Question 173

You have a Terraform configuration file with no defined resources. However, there is a related state file for resources that were created on AWS. What happens when you run a terraform apply?

Answer 173

Terraform will destroy all of the resources

In this case, since there is a state file with resources, Terraform will match the desired state of no resources since the configuration file doesn’t include any resources. Therefore, all resources defined in the state file will be destroyed.

Question 174

Margaret is calling a child module to deploy infrastructure for her organization. Just as a good architect does (and suggested by HashiCorp), she specifies the module version she wants to use even though there are newer versions available. During a terrafom init, Terraform downloads v0.0.5 just as expected.

What would happen if Margaret removed the version parameter in the module block and ran a terraform init again?

module “consul” {
source = “hashicorp/consul/aws”
version = “0.0.5”

servers = 3
}

Answer 174

Terraform would use the existing module already downloaded.

Question 175

Which of the following are the benefits of using modules in Terraform? (select three)

A. allows modules to be stored anywhere accessible by Terraform
B. enables code reuse
C. supports modules stored locally or remotely
D. supports versioning to maintain compatibility

Answer 175

B. enables code reuse
C. supports modules stored locally or remotely
D. supports versioning to maintain compatibility

Question 176

You are working with a cloud provider to deploy resources using Terraform. You’ve added the following data block to your configuration. When Terraform the data block is executed, what value is the data source returning?

data “aws_ami” “amzlinux2” {
most_recent = true
owners = [“amazon”]

filter {
name = “name”
values = [“amzn2-ami-hvm-*-x86_64-ebs”]
}
}

resource “aws_instance” “vault” {
ami = data.aws_ami.amzlinux2.id
instance_type = “t3.micro”
key_name = “vault-key”
vpc_security_group_ids = var.sg
subnet_id = var.subnet
associate_public_ip_address = “true”
user_data = file(“vault.sh”)

tags = {
Name = “vault”
}
}

Answer 176

All possible data of a specific Amazon Machine Image(AMI) from AWS

When you add a data block to your configuration, Terraform will retrieve all of the available data for that particular resource. It is then up to you to reference a specific attribute that can be exported from that data source. For example, if you include a data block for the aws_ami resource, Terraform will get a ton of attributes about that AMI that you can use elsewhere in your code

Within the block body (between { and }) are query constraints defined by the data source. Most arguments in this section depend on the data source, and indeed in this example most_recent, owners and tags are all arguments defined specifically for the aws_ami data source.

Question 177

You have a Terraform configuration file defining resources to deploy on VMware, yet there is no related state file. You have successfully run terraform init already. What happens when you run a terraform apply ?

Answer 177

Terraform will scan the VMware infrastructure, create a new state file, and compare the state to the configuration file to determine what resources should be created

Question 178

Your team is using Terraform and multiple team members need to be able to manage the infrastructure. You need to ensure state locking is supported to reduce the chance of corrupting the state file. What backends can you use to meet these requirements? (select three)

A. kubernetes backend
B. s3 backend (with DynamoDB)
C. consul backend
D. local backend
E. etcd backend

Answer 178

A. kubernetes backend
B. s3 backend (with DynamoDB)
C. consul backend

The etcd backend doesn’t support state locking. While the local backend does support locking via system APIs, you can’t use the local backend to share the state across your team.

Question 179

Your co-worker has decided to migrate Terraform state to a remote backend. They configure Terraform with the backend configuration, including the type, location, and credentials. However, you want to better secure this configuration. Rather than storing them in plaintext, where should you store the credentials? (select two)

A. use a variable
B. credentials file
C. environment variable
D on the remote system

Answer 179

B. credentials file
C. environment variable

Use a variable? Well, you could use a variable but that wouldn’t really improve security here, since variable defaults or configurations are also stored in plaintext.

On the remote system? I don’t think this is even a viable option. The creds would need to be read by the local system that is executing Terraform

Question 180

You are worried about unauthorized access to the Terraform state file since it might contain sensitive information. What are some ways you can protect the state file? (select two)

A. replicate the state file to an encrypted storage device
B. store in a remote backend that encrypts state at rest
C. enable native encryption in Terraform as configured in the terraform block
D. use the S3 backend using the encrypt option to ensure state is encrypted

Answer 180

B. store in a remote backend that encrypts state at rest
D. use the S3 backend using the encrypt option to ensure state is encrypted

Replication? replicating the state file to another location won’t prevent the original file from being accessed.

Encryption? As of today, Terraform doesn’t support any type of native encryption capability when writing and managing state.

Question 181

Which of the following are advantages of using infrastructure as code (IaC) for your day-to-day operations? (select three)

A. provides the ability to version control the infrastructure and application architecture
B. API-driven workflows
C. ensure the security of applications provisioned on managed infrastructure
D. enables self-service for developers and operators alike

Answer 181

A. provides the ability to version control the infrastructure and application architecture
B. API-driven workflows
D. enables self-service for developers and operators alike

While Terraform can indeed help with the security of your applications, it won’t guarantee it

Question 182

You are using modules to deploy various resources in your environment. You want to provide a “friendly name” for the DNS of a new web server so you can simply click the CLI output and access the new website. Where should you put the following code snippet to satisfy these requirements?

output “website” {
description = “Outputs the URL of the provisioned website”
value = “https://${module.web.public_dns}:800/index.html”
}

Answer 182

if the resource was created inside of a module, then the module will require an output block to export that value. That said, output blocks that are created in a module aren’t displayed on the Terraform CLI. Therefore, you need to create an output block in the parent/calling module to output the value while referencing the output in the module. Because of this, the correct answer requires you to create an output in the parent module and reference the output value from the module.

Question 183

You want to use Terraform to deploy resources across your on-premises infrastructure and a public cloud provider. However, your internal security policies require that you have full control over both the operating system and deployment of Terraform binaries. What versions of Terraform can you use for this? (select two)

A. Terraform Enterprise
B. Terraform Cloud for Business
C. Terraform OSS/CLI
D. Terraform CLoud(free)

Answer 183

A. Terraform Enterprise
C. Terraform OSS/CLI

Terraform OSS and Terraform Enterprise are versions of Terraform that can be installed locally on your own servers, therefore giving you the ability to manage both the Terraform binary and the underlying operating system where Terraform runs.

WRONG ANSWERS:
Although Terraform Cloud for Business does offer Cloud Agents that could be used to provision resources on your local infrastructure on-premises, it is a hosted solution and you would NOT have full control over the operating system that runs the Terraform platform.

Terraform Cloud (free) does not meet either of these use cases since you can’t deploy to on-premises nor can you manage the underlying operating system since it’s a hosted service.

Question 184

True or False? You can move Terraform state between supported backends at any time, even after running your first terraform apply.

Answer 184

True

You can change your backend configuration at any time. You can change both the configuration itself as well as the type of backend (for example from “consul” to “s3”).

Terraform will automatically detect any changes in your configuration and request a reinitialization. As part of the reinitialization process, Terraform will ask if you’d like to migrate your existing state to the new configuration. This allows you to easily switch from one backend to another.

Question 185

Which of the following is not true about Terraform providers? (

A. Some Providers are community-supported
B. all providers are automatically included when downloading Terraform
C. providers can be written and maintained by an outside organizations, such as AWS, F5, or Microsoft
D. They allow anybody to write a provider and publish it to the registry
E. some providers are maintained by hashicorp

Answer 185

B. all providers are automatically included when downloading Terraform

Providers are treated as plugins for Terraform, and during a terraform init process, the required providers are downloaded to the local machine that is executing Terraform so they can be used. Therefore, not all providers are included with Terraform when you download the latest version from terraform.io.

Question 186

True or False? The terraform graph command can be used to generate a visual representation of a configuration or execution plan.

Answer 186

True

The terraform graph command is used to generate a visual representation of either a configuration or execution plan. The output is in the DOT format, which can be used by GraphViz to generate charts.

Question 187

You have a module named prod_subnet that outputs the subnet_id of the subnet created by the module. How would you reference the subnet ID when using it for an input of another module?

Answer 187

subnet = module.prod_subnet.subnet_id

Using interpolation, you can reference the output of an exported value by using the following syntax: module.<module>.<output></output></module>

Don’t forget that before you can reference data/values from a module, the module has to have an output declared that references the desired value(s).

Question 188

Which of the following are true regarding Terraform variables? (select two)

A. the default value will be found in the state file if no other value was set for the variable
B. the variables marked as sensitive are still stored in the state file, even though the values are obfuscated form the CLI Output
C. the variable name can be found in the state file for easy searching
D. the description of a variable will be written to the state to help describe the contents of the state file

Answer 188

A. the default value will be found in the state file if no other value was set for the variable
B. the variables marked as sensitive are still stored in the state file, even though the values are obfuscated form the CLI Output

Beyond the value, you won’t find the variable name or description in the state file because they are simply used on the development side of Terraform, and not the backend operational aspect of how Terraform works.

Question 189

You have declared a variable named db_connection_string inside of the app module. However, when you run a terraform apply, you get the following error message:

Error: Reference to undeclared input variable

on main.tf line 35:
4: db_path = var.db_connection_string

An input variable with the name “db_connection_string” has not been declared. This variable can be declared with a variable “db_connection_string” {} block.
Why would you receive such an error?

Answer 189

Since the variable was declared within the module, it cannot be referenced outside of the module

When using modules, it’s common practice to declare variables outside of the module and pass the value(s) to the child module when it is called by the parent/root module. However, it’s perfectly acceptable to declare a variable inside of a module if you needed. Any variables declared inside of a module are only directly refrencable within that module. You can’t directly reference that variable outside of the module. You can, however, create an output in the module to export any values that might be needed outside of the module.

Question 190

Given the code snippet below, how would you refer to the value of ip for the dev environment if you are using a for_each argument?

variable “env” {
type = map(any)
default = {
prod = {
ip = “10.0.150.0/24”
az = “us-east-1a”
}
dev = {
ip = “10.0.250.0/24”
az = “us-east-1e”
}
}
}

Answer 190

each.value.ip

Sort of testing two different things here - a complex map variable plus the for_each argument.

A for_each argument will iterate over a map or set of strings and create a similar instance/resource for each item in the map or set. In our case, the map is the input variable and the “each” would be the higher-level map, so prod and dev. Underneath each value, there are two arguments, both az and ip that you can choose from.

The input variable that is shown in this example is essentially a map of maps.

Question 191

Which common action does not cause Terraform to refresh its state?

A. terraform state list
B. terraform plan
C. terraform apply
D. terraform destroy

Answer 191

A. terraform state list`

Running a terraform state list does not cause Terraform to refresh its state. This command simply reads the state file but it will not modify it.

Question 192

True or False? Official Terraform providers and modules are owned and maintained by HashiCorp.

Answer 192

True

If a module or provider is marked as official, it is owned and maintained by HashiCorp themselves.

There are other modules/providers available in the registry that are maintained by third-party partners, or even individuals. This also means that not all of the modules published to the Terraform registry are validated or verified by HashiCorp. Many folks will use the public module registry as a starting place to create their own custom modules needed to meet requirements.

Question 193

True or False? In order to use the terraform console command, the CLI must be able to lock state to prevent changes

Answer 193

True

When you execute a terraform console command, you’ll get this output:

$ terraform console
Acquiring state lock. This may take a few moments…
>

Question 194

Beyond storing state, what capability can an enhanced storage backend, such as the remote backend, provide your organization?

A. provides versioning capabilities on your state file in the event it becomes corrupted
B. execute your Terraform on infrastructure either locally or in Terraform Cloud
C. replicate your state to a secondary location for backup
D. allow multiple people to execute operations on the state file at the same time

Answer 194

B. execute your Terraform on infrastructure either locally or in Terraform Cloud

Using an enhanced storage backend allows you to execute your Terraform on infrastructure either locally or in Terraform Cloud. Note that this enhanced storage backend term has now been deprecated by Terraform but it’s likely to show up in the test for a while. See the note below from this site:

Question 195

Which of the features below is available in the free version of Terraform Cloud? (select three)

A. State Management
B. Private Module Registry
C. Single Sign-On
D. Remote Operations

Answer 195

A. State Management
B. Private Module Registry
D. Remote Operations

Single Sign-On is a feature of Terraform Enterprise and Terraform Cloud for Business.

Question 196

Where is the most secure place to store credentials when using a remote backend?

Answer 196

Defined outside of Terraform

Anytime you can configure these credentials outside of Terraform is your best choice. Environment variables would be the second most-secure choice here.

Question 197

You want Terraform to redeploy a specific resource that it is managing. What command should you use to mark the resource for replacement?

Answer 197

terraform apply -replace

Question 198

What command can you use to display details about the resource as shown below?

resource “aws_internet_gateway” “demo” {
vpc_id = aws_vpc.vpc.id
tags = {
Name = “demo_igw”
}
}

Answer 198

terraform state show aws_internet_gateway.demo

Question 199

What two options are available to delete all of your managed infrastructure?

Answer 199

terraform apply -destroy
terraform destroy

Question 200

What command can be used to ensure your code is syntactically valid and internally consistent?

Answer 200

terraform validate

Question 201

You have recently added new resource blocks to your configuration from a different provider. What command do you need to run before you can run a terraform plan/apply?

Answer 201

terrafrom init

Question 202

Deploy the private subnets

How can you reference all of the subnets that are created by this resource block?

resource “aws_subnet” “private_subnets” {
for_each = var.private_subnets
vpc_id = aws_vpc.vpc.id
cidr_block = cidrsubnet(var.vpc_cidr, 8, each.value)
availability_zone = tolist(data.aws_availability_zones.available.names)[each.value]

tags = {
Name = each.key
Terraform = “true”
}
}

Answer 202

aws_subnet.private_subnets[*]

You can reference all of the subnets created by this for_each by using a [] at the end of the resource address like this aws_subnet.private_subnets[]