OFFICIAL DOCUMENTATION Flashcards

Question

required_providers block

Answer 1

The terraform required_providers block contains the r, which specifies the provider 1. local name, 2. the source address, 3. and the version. When you initialize this configuration, Terraform will download:

Answer 2

The >= version constraint operator specifies the minimum provider version that is compatible with the configuration.

Answer 3

When you initialize a Terraform configuration for the first time with Terraform 1.1 or later, Terraform will generate a new .terraform.lock.hcl file in the current working directory. | Terraform Dependency Lock File

Answer 4

Upgrade the AWS provider version The -upgrade flag will upgrade all providers to the latest version consistent within the version constraints specified in your configuration.

Answer 5

When you initialize a Terraform configuration for the first time with Terraform 1.1 or later, Terraform will generate a new .terraform.lock.hcl file in the current working directory. You should include the lock file in your version control repository to ensure that Terraform uses the same provider versions across your team and in ephemeral remote execution environments.

Answer 6

to Inspect the current state, use terraform show

Answer 7

use **terraform state** for advanced state management. Use the list subcommand to list of the resources in your project's state. ~terraform state list

Answer 8

this command can print out all output parameters in the statefile

Answer 9

Each provider plugin has its own set of available versions, allowing the functionality of the provider to evolve over time. Each provider dependency you declare should have a version constraint given in the version argument so Terraform can select a single version per provider that all modules are compatible with. The version argument is optional; if omitted, Terraform will accept any version of the provider as compatible. However, we strongly recommend specifying a version constraint for every provider your module depends on. To ensure Terraform always installs the same provider versions for a given configuration, you can use Terraform CLI to create a dependency lock file and commit it to version control along with your configuration. If a lock file is present, Terraform Cloud, CLI, and Enterprise will all obey it when installing providers.

Answer 10

A Terraform configuration may refer to two different kinds of external dependency that come from outside of its own codebase: Providers, which are plugins for Terraform that extend it with support for interacting with various external systems. Modules, which allow splitting out groups of Terraform configuration constructs (written in the Terraform language) into reusable abstractions. Both of these dependency types can be published and updated independently from Terraform itself and from the configurations that depend on them. For that reason, Terraform must determine which versions of those dependencies are potentially compatible with the current configuration and which versions are currently selected for use.

Answer 11

Version constraints within the configuration itself determine which versions of dependencies are potentially compatible, but after selecting a specific version of each dependency Terraform remembers the decisions it made in a dependency lock file so that it can (by default) make the same decisions again in future. At present, the dependency lock file tracks only provider dependencies. Terraform does not remember version selections for remote modules, and so Terraform will always select the newest available module version that meets the specified version constraints. You can use an exact version constraint to ensure that Terraform will always select the same module version.

Answer 12

The dependency lock file uses the same low-level syntax as the main Terraform language, but the dependency lock file is not itself a Terraform language configuration file. It is named with the suffix .hcl instead of .tf in order to signify that difference.

Answer 13

The lock file is always named .terraform.lock.hcl, and this name is intended to signify that it is a lock file for various items that Terraform caches in the .terraform subdirectory of your working directory. Terraform automatically creates or updates the dependency lock file each time you run the terraform init command. **You should include this file in your version control repository s**o that you can discuss potential changes to your external dependencies via code review, just as you would discuss potential changes to your configuration itself.

Answer 14

The dependency lock file is a file that belongs to the configuration as a whole, rather than to each separate module in the configuration. For that reason Terraform creates it and expects to find it in your current working directory when you run Terraform, which is also the directory containing the .tf files for the root module of your configuration.

Answer 15

When terraform init is working on installing all of the providers needed for a configuration, Terraform considers both the version constraints in the configuration and the version selections recorded in the lock file. If a particular provider has no existing recorded selection, Terraform will select the newest available version that matches the given version constraint, and then update the lock file to include that selection. If a particular provider already has a selection recorded in the lock file, Terraform will always re-select that version for installation, even if a newer version has become available. You can override that behavior by adding the -upgrade option when you run terraform init, in which case Terraform will disregard the existing selections and once again select the newest available version matching the version constraint.

Answer 16

Because the dependency lock file is primarily maintained automatically by Terraform itself, rather than being updated manually by you or your team, your version control system may show you that the file has changed. There are a few different types of changes that Terraform can potentially make to your lock file, which you may need to understand in order to review the proposed changes.

Answer 17

A module intended to be used as the root of a configuration — that is, as the directory where you'd run terraform apply — should also specify the maximum provider version it is intended to work with, to avoid accidental upgrades to incompatible new versions. The ~> operator is a convenient shorthand for allowing the rightmost component of a version to increment. Do not use ~> (or other maximum-version constraints) for modules you intend to reuse across many configurations, even if you know the module isn't compatible with certain newer versions. Doing so can sometimes prevent errors, but more often it forces users of the module to update many modules simultaneously when performing routine upgrades. Specify a minimum version, document any known incompatibilities, and let the root module manage the maximum version.

Answer 18

tree . ├── LICENSE ├── README.md ├── main.tf ├── modules │ └── aws-ec2-instance │ ├── main.tf │ └── variables.tf ├── terraform.tf └── variables.tf The example repository includes the following: LICENSE - includes the text of the Mozilla Public License under which HashiCorp distributes the example configuration. README.md - describes the example configuration. main.tf - includes the resources and data sources used by the example configuration. the modules/aws-ec2-instance - directory includes a Terraform module to provision an EC2 instance on AWS. terraform.tf - defines the terraform block, which defines the providers, remote backend, and the Terraform version(s) to be used with this configuration. variables.tf - defines the variables used in this configuration.

Answer 19

├── LICENSE ├── README.md ├── main.tf ├── modules │ └── aws-ec2-instance │ ├── main.tf │ └── variables.tf ├── terraform.tf └── variables.tf **├──.terraform** │ └── modules │ └── providers

Answer 20

**├──.terraform** │ └── modules │ └── providers **Terraform automatically manages the .terraform directory. Do not check it into version control, and do not directly modify this directory's contents. Exploring the .terraform directory in this tutorial is meant to deepen your understanding of how Terraform works, but the contents and structure of this directory are subject to change between Terraform versions.**

Answer 21

Initialize your Terraform workspace with terraform init when: You create new Terraform configuration and are ready to use it to create a workspace and provision infrastructure. You clone a version control repository containing Terraform configuration, and are ready to use it to create a workspace and provision infrastructure. You add, remove, or change the version of a module or provider in an existing workspace. You add, remove, or change the backend or cloud blocks within the terraform block of an existing workspace.

Answer 22

Migrate the state file To migrate your existing state file to Terraform Cloud, you must reinitialize your configuration to update the backend. Reinitialize your configuration. Terraform detects your updated backend and confirms that you wish to migrate your state file to Terraform Cloud. Type yes to confirm the migration. This is all assuming you have your **cloud Block** within your configuration

Answer 23

to save a terraform plan to a binaryfile called replan: ~ terraform plan -out "tfplan" to print on screen: ~terraform show "tfplan" Convert the saved plan into JSON, pass it to jq to format it, and save the output into a new file: terraform show -json "tfplan" | jq > tfplan.json then use jq for analysis: - The configuration section further organizes your resources defined in your top level root_module: ~ jq '.configuration.root_module.resources' tfplan.json - The module_calls section contains the details of the modules used, their input variables and outputs, and the resources to create: jq '.configuration.root_module.module_calls' tfplan.json

Answer 24

~ terraform apply -replace "aws_instance.main[1]" when a resource has become unhealthy or stops working in ways that are outside of Terraform's control. For instance, an error in your EC2 instance's OS configuration could require that the instance be replaced. There is no corresponding change to your Terraform configuration, so you want to instruct Terraform to reprovision the resource using the same configuration. The -replace argument requires a resource address. List the resources in your configuration with terraform state list.

Answer 25

1. CLI ~ terraform apply -var ec2_instance_type=t2.micro 2. FILE *.auto.tfvars or terraform.tfvars file

Answer 26

While the description argument is optional, you should include it in all output declarations to document the intent and content of the output.

Answer 27

sometimes removing the terraform version specification can solve version problems. However, this has to be done cautiously NOTE In general, we encourage you to use the latest available version of Terraform to take advantage of the most recent features and bug fixes. However, it is unnecessary to upgrade your Terraform projects to the latest version every time you use Terraform unless you need a specific feature or bug fix. As a best practice, consider using ~> style version constraints to pin your major and minor Terraform version. Doing so will allow you and your team to use patch version updates without updating your Terraform configuration. You can then plan when you want to upgrade your configuration to use a new version of Terraform, and carefully review the changes to ensure that your project still works as intended. For example, if you write Terraform configuration using Terraform 1.0.0, you would add required_version = "~> 1.0.0" to your terraform { } block. This will allow you and your team to use any Terraform 1.0.x, but you will need to update your configuration to use Terraform 1.1.0 or later.

Answer 28

.terraform template file

Answer 29

Modules can either be loaded from the local filesystem, or a remote source. Terraform supports a variety of remote sources, including the Terraform Registry, most version control systems, HTTP URLs, and Terraform Cloud or Terraform Enterprise private module registries

Answer 30

When using a new module for the first time, you must run either terraform init or terraform get to install the module. When you run these commands, Terraform will install any new modules in the .terraform/modules directory within your configuration's working directory. For local modules, Terraform will create a symlink to the module's directory. Because of this, any changes to local modules will be effective immediately, without having to reinitialize or re-run terraform get.

Answer 31

**The files mentioned below will often include secret information such as passwords or access keys, which will become public if those files are committed to a public version control system such as GitHub.** There are also some other files to be aware of, and ensure that you don't distribute them as part of your module: **terraform.tfstate and terraform.tfstate.backup:** These files contain your Terraform state, and are how Terraform keeps track of the relationship between your configuration and the infrastructure provisioned by it. **.terraform:** This directory contains the modules and plugins used to provision your infrastructure. These files are specific to a specific instance of Terraform when provisioning infrastructure, not the configuration of the infrastructure defined in .tf files. **.tfvars:** Since module input variables are set via arguments to the module block in your configuration, you don't need to distribute any *.tfvars files with your module, unless you are also using it as a standalone Terraform configuration. If you are tracking changes to your module in a version control system, such as git, you will want to configure your version control system to ignore these files. For an example, see this .gitignore file from GitHub.

Answer 32

The Terraform state file is a record of all resources Terraform manages. **You should not make manual changes to resources controlled by Terraform, because the state file will be out of sync, **or "drift," from the real infrastructure. If your state and configuration do not match your infrastructure, Terraform will attempt to reconcile your infrastructure, which may unintentionally destroy or recreate resources

Answer 33

by default, Terraform compares your state file to real infrastructure whenever you invoke terraform plan or terraform apply. The refresh updates your state file in-memory to reflect the actual configuration of your infrastructure. This ensures that Terraform determines the correct changes to make to your resources. If you suspect that your infrastructure configuration changed outside of the Terraform workflow, you can use a -refresh-only flag to inspect what the changes to your state file would be. This is safer than the refresh subcommand, which automatically overwrites your state file without displaying the updates.

Answer 34

A refresh-only operation does not attempt to modify your infrastructure to match your Terraform configuration -- it only gives you the option to review and track the drift in your state file. If you ran terraform plan or terraform apply without the -refresh-only flag now, Terraform would attempt to revert your manual changes. Instead, you will update your configuration to associate your EC2 instance with both security groups.

Answer 35

In Terraform, refreshing your state file updates Terraform's knowledge of your infrastructure, as represented in your state file, with the actual state of your infrastructure. Terraform plan and apply operations run an implicit in-memory refresh as part of their functionality, reconciling any drift from your state file before suggesting infrastructure changes. You can also update your state file without making modifications to your infrastructure using the -refresh-only flag for plan and apply operations. Though Terraform will continue to support the refresh subcommand in future versions, it is deprecated, and we encourage you to use the -refresh-only flag instead. This allows you to review any updates to your state file. Unlike the refresh subcommand, -refresh-only mode is supported in workspaces using Terraform Cloud as a remote backend, allowing your team to collaboratively review any modifications.

Answer 36

1. Language error (HCL Syntax) 2. State error (statefile logical check) 3. Core error: The Terraform core application contains all the logic for operations. It interprets your configuration, manages your state file, constructs the resource dependency graph, and communicates with provider plugins. Errors produced at this level may be a bug. Later in this tutorial, you will learn best practices for opening a GitHub issue for the core development team. 4. Provider error: The provider plugins handle authentication, API calls, and mapping resources to services. Later in this tutorial, you will learn best practices for opening a GitHub issue for the provider development team.

Answer 37

terraform fmt only parses your HCL for interpolation errors or malformed resource definitions, which is why you should use terraform validate after formatting your configuration to check your configuration in the context of the providers' expectations.

Answer 38

**Splat operator (*) only works with LIST type while for_each only works with MAP or set of strings type** Note: The splat expression [*] only interpolates list types, while the for_each attribute is reserved for map types. A local value can return a map type.

Answer 39

TRACE provides the highest level of logging and contains all the information the development teams need. There are other logging levels, but are typically reserved for developers looking for specific information.

Answer 40

You can also generate provider logs by setting the TF_LOG_PROVIDER environment variable. By including these in your bug reports, the provider development team can reproduce and debug provider specific errors.

Answer 41

Once you have configured your logging, set the path for your error logs as an environment variable. If your TF_LOG_CORE or TF_LOG_PROVIDER environment variables are enabled, the TF_LOG_PATH variable will create the specified file and append logs generated by Terraform.

Answer 42

To use Terraform Cloud as a backend for your configuration, you must include a cloud block in your configuration. The Cloud block: **terraform { cloud { organization = "ORGANIZATION-NAME" workspaces { name = "learn-terraform-cloud-migrate" } }**

Answer 43

While the organization defined in the cloud stanza must already exist, the workspace does not have to; Terraform Cloud will create it if necessary. If you use an existing workspace, it must not have any existing states.

Answer 44

After configuring your Terraform Cloud integration, you must authenticate to Terraform Cloud to use it for remote operations. Run terraform login and follow the prompts to log in, typing yes at the confirmation prompt.

Answer 45

To migrate your existing state file to Terraform Cloud, you must reinitialize your configuration to update the backend.(**terraform init**) Reinitialize your configuration. Terraform detects your updated backend and confirms that you wish to migrate your state file to Terraform Cloud. Type yes to confirm the migration.

Answer 46

After migrating your state to Terraform Cloud, log in to the Terraform Cloud web UI and navigate to your learn-terraform-cloud-migrate workspace. Then, go to the workspace's States page. Terraform Cloud lists the state you migrated to your new workspace.

Answer 47

After verifying that Terraform migrated your state to Terraform Cloud, manually remove your local state file from your local host.

Answer 48

The VCS-driven workflow For the VCS-driven workflow, you must configure VCS access and create your workspace, then associate it with a repository containing your Terraform configuration. You can then configure your workspace to create speculative plans for any Pull Requests, which allows your team to review how the changes would modify infrastructure. Any merges to your main branch then trigger Terraform runs to implement your changes.

Answer 49

When using the CLI-driven Terraform Cloud workflow, running **terraform init** on configuration with a cloud block creates the Terraform Cloud workspace specified in the block, if it does not already exist. Note: Every Terraform Cloud workspace belongs to a project, which is a group of workspaces. When you create your workspace using this automated CLI workflow, Terraform Cloud adds the workspace to your organization's Default project unless you set the project argument in your configuration's cloud block. Projects help you organize your workspaces into groups, making it easier to find workspaces in large Terraform Cloud organizations

Answer 50

auto.tfvars files have the lowest precedence in a workspace, and any workspace specific variables will override the values defined in this file.

Answer 51

By default, Terraform uses a backend called local, which stores state as a local file on disk. You can also configure one of the built-in backends included in this documentation. Some of these backends act like plain remote disks for state files, while others support locking the state while operations are being performed. This helps prevent conflicts and inconsistencies. The built-in backends listed are the only backends. You cannot load additional backends as plugins. Note: You do not need to configure a backend when using Terraform Cloud because Terraform Cloud automatically manages state in the workspaces associated with your configuration.** If your configuration includes a cloud block, it cannot include a backend block.**

Answer 52

The terraform apply -replace command manually marks a Terraform-managed resource for replacement, forcing it to be destroyed and recreated on the apply execution. You could also use terraform destroy -target and destroy only the virtual machine and then run a terraform apply again.

Answer 53

If you migrate an existing project from the CLI to Terraform Cloud, Terraform Cloud configures the workspace to use the same version as the Terraform binary you used when migrating.

Answer 54

To destroy all Terraform-managed resources except for a single resource, you can use the terraform state command to remove the state for the resources you want to preserve. This effectively tells Terraform that those resources no longer exist, so it will not attempt to destroy them when you run terraform destroy. 1. run ***terraform state list*** 2. Run ***terraform state rm*** for each resource you want to keep, like the prod_db. 3. ***terraform destroy*** The above can be useful in scenarios where you want to keep certain resources managed by Terraform while removing others. Note that this approach can be dangerous and is not recommended if you have multiple Terraform workspaces or if you are using a remote state backend, as it can cause inconsistencies in your state file. In those cases, it is usually better to use a separate Terraform workspace for the resources you want to preserve or to utilize Terraform's built-in resource-targeting functionality to destroy only specific resources.

Answer 55

The HCL syntax is designed to be human-readable and easy to write, and it provides many features designed explicitly for Terraform, such as interpolation, variables, and modules. The JSON syntax is a machine-readable alternative to HCL, and it is typically used when importing existing infrastructure into Terraform or when integrating Terraform with other tools that expect data in JSON format. While Terraform will automatically detect the syntax of a file based on its extension, Note Most Terraform configurations are written in the native Terraform language syntax, which is designed to be relatively easy for humans to read and update. Terraform also supports an alternative syntax that is JSON-compatible. This syntax is useful when generating portions of a configuration programmatically, since existing JSON libraries can be used to prepare the generated configuration files. The JSON syntax is defined in terms of the native syntax. Everything that can be expressed in native syntax can also be expressed in JSON syntax, but some constructs are more complex to represent in JSON due to limitations of the JSON grammar. Terraform expects native syntax for files named with a .tf suffix, and JSON syntax for files named with a .tf.json suffix.

Answer 56

***Depends-on*** - Explicit ***vpc_id = data.aws_vpc.web.id*** - implicit Note: In general, Terraform implicit dependencies are handled automatically, but sometimes it may be necessary to use the depends_on argument to ensure that resources are created in the correct order.

Answer 57

HashiCorp, the creator of Terraform, recommends using two spaces for indentation when writing Terraform code. This is a convention that helps to improve readability and consistency across Terraform configurations. While this is the recommended convention, it is not a strict requirement and Terraform will still function correctly even if you use a different number of spaces or a different type of indentation. However, using two spaces for indentation is a widely adopted convention in the Terraform community and is recommended by HashiCorp to improve the readability and maintainability of your Terraform configurations.

Answer 58

An alias meta-argument is used when using the same provider with different configurations for different resources. This feature allows you to include multiple provider blocks that refer to different configurations. In this example, you would need something like this: provider "aws" { region = "us-east-1" } provider "aws" { region = "us-west-1" alias = "west" }

Answer 59

Resources that don't set the provider meta-argument will use the default provider configuration that matches the first word of the resource type name. (For example, an aws_instance resource uses the default aws provider configuration unless otherwise stated.)

Answer 60

In Terraform, there are two related but distinct concepts: the provider block and the required_providers block. 1. provider Block: The provider block is used to configure a specific instance of a provider within a Terraform configuration. This block is where you define the configuration details for a particular provider, such as AWS, Azure, or others. Example using the aws provider: *provider "aws" { region = "us-east-1" }* *resource "awsinstance" "example" { ami = "ami-0123456789abcdef0" instancetype = "t2.micro" }* In this example, the provider "aws" block configures an instance of the AWS provider with the specified region. The subsequent resource "aws_instance" block then uses this provider instance to create an EC2 instance. 2. required_providers Block: The required_providers block is used to **declare the providers required by a Terraform configuration and specify their versions. **This block is typically placed at the top level of your Terraform configuration. ***terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 3.0" } } } ***provider "aws" { region = "us-east-1" }

Answer 61

In Terraform, data blocks are used to retrieve data from external sources, such as APIs or databases, and make that data available to your Terraform configuration. With data blocks, you can use information from external sources to drive your infrastructure as code, making it more dynamic and flexible. For example, you can use a data block to retrieve a list of Amazon Machine Images (AMIs) from AWS, and then use that data to select the appropriate AMI for a virtual machine you are provisioning:

Answer 62

GitHub. The module must be on GitHub and must be a public repo. This is only a requirement for the public registry. If you're using a private registry, you may ignore this requirement Named terraform--. Module repositories must use this three-part name format, where reflects the type of infrastructure the module manages and is the main provider where it creates that infrastructure. The segment can contain additional hyphens. Examples: terraform-google-vault or terraform-aws-ec2-instance. Repository description. The GitHub repository description is used to populate the short description of the module. This should be a simple one-sentence description of the module. Standard module structure. The module must adhere to the standard module structure. This allows the registry to inspect your module and generate documentation, track resource usage, parse submodules and examples, and more. x.y.z tags for releases. The registry uses tags to identify module versions. Release tag names must be a semantic version, which can optionally be prefixed with a v. For example, v1.0.4 and 0.9.2. To publish a module initially, at least one release tag must be present. Tags that don't look like version numbers are ignored.

Answer 63

terraform { required_version = ">= 1.3.8" } The required_version parameter in a terraform block is used to specify the minimum version of Terraform that is required to run the configuration. This parameter is optional, but it can be useful for ensuring that a Terraform configuration is only run with a version of Terraform that is known to be compatible.

Answer 64

By using the terraform state command and its subcommands, users can manage and manipulate the Terraform state in various ways, helping to ensure that their Terraform configurations are in the desired state. terraform state command must be paired with a subcommand Subcommands: **list** List resources in the state **mv** Move an item in the state **pull** Pull current state and output to stdout **push** Update remote state from a local state file **replace-provider** Replace provider in the state **rm** Remove instances from the state **show** Show a resource in the state **import** Used to import existing resources into the Terraform state. This allows Terraform to manage resources that were created outside of Terraform.

Answer 65

Terraform Open Source (OSS) stores the local state for workspaces in a file on disk. For local state, Terraform stores the workspace states in a directory called terraform.tfstate.d/

Answer 66

Storage for terraform state 1. Local 2. S3 3. vault 4. Cloud 5. Consul

Answer 67

By default, Terraform will provision resources concurrently with a maximum of 10 concurrent resource operations. This setting is controlled by the parallelism configuration option in Terraform, which can be set globally in the Terraform configuration file or on a per-module basis. The parallelism setting determines the number of resource operations that Terraform will run in parallel, so increasing the parallelism setting will result in Terraform provisioning resources more quickly, but can also increase the risk of rate-limiting or other errors from the API. You can adjust the parallelism setting in your Terraform configuration file by adding the following code: terraform { parallelism = 10 } This setting sets the maximum number of concurrent resource operations to 10. You can adjust this number to meet your specific needs and constraints.

Answer 68

there's no means of masking secrets in a tf statefile. It requires extra steps, such as, env vriables or Terraform input variables to store sensitive information, and then use Terraform's data sources to retrieve the information from the environment or input variables, rather than hardcoding the information into the Terraform configuration. This helps to ensure that sensitive information is not stored in plain text in the Terraform plan or state files.

Answer 69

Terraform includes the concept of provisioners as a measure of pragmatism, knowing that there are always certain behaviors that cannot be directly represented in Terraform's declarative model. In Terraform, the local-exec provisioner is used to execute a command on the machine running Terraform, rather than on a remote resource. The local-exec provisioner is often used to perform actions that cannot be accomplished using Terraform's built-in resource types or to execute local scripts or commands to perform additional setup or configuration after creating infrastructure resources. Note Provisioners should only be used as a last resort. For most common situations there are better alternatives. For more information, see the sections above.

Answer 70

Provisioners in Terraform are used to execute scripts or commands on a resource after it has been created. While provisioners can be useful in certain situations, such as configuring a server or setting up a database, it is generally true that provisioners should only be used as a last resort. provisioners are used to copy files from a local machine to a resource. **provisioner block** contains the source and destination parametes **Connection block** provisioner also requires a connection block that describes the protocols and route for the provisioner to use **Security Group** Security group must also permit the port declared by the connection block **key pair** provisioner also requires a keypairblock with settings for ssh access

Answer 71

In Terraform Cloud, a workspace can be mapped to only 1 VCS repos at a time

Answer 72

API tokens

Answer 73

Terraform state can contain sensitive data, depending on the resources in use and your definition of "sensitive." The state contains resource IDs and all resource attributes. For resources such as databases, this may contain initial passwords. When using local state, state is stored in plain-text JSON files. If you manage any sensitive data with Terraform (like database passwords, user passwords, or private keys), treat the state itself as sensitive data. Storing Terraform state remotely can provide better security. As of Terraform 0.9, Terraform does not persist state to the local disk when remote state is in use, and some backends can be configured to encrypt the state data at rest.

Answer 74

Declaring the required version of a provider in a Terraform configuration file is a good idea for several reasons: Reproducibility: By specifying the exact version of a provider, you can ensure that anyone who runs your Terraform configuration will use the same version of the provider as you. This makes your infrastructure configuration more reproducible and helps avoid issues that can arise when different versions of a provider are used. Predictability: When you specify a specific provider version, you can be confident that your infrastructure configuration will behave predictably, regardless of changes to the provider in future versions. This can help you avoid surprises and reduce the risk of unintended consequences. Compatibility: Different versions of a provider may have different APIs, resources, or behaviors, which can cause issues if you switch to a new version without realizing the differences. By specifying the required version of a provider in your Terraform configuration, you can ensure that your configuration remains compatible with the specific version of the provider you have tested and validated. Version locking: When you specify the required version of a provider in your Terraform configuration, you effectively lock the version of the provider to that version unless you explicitly change it. This can help prevent issues that may arise when using a different, potentially incompatible version of the provider. In summary, specifying the required version of a provider in your Terraform configuration file helps ensure that your infrastructure configuration is more predictable, reproducible, compatible, and reduces the risk of unintended consequences or issues caused by version differences.

Answer 75

Provisioners in Terraform are used to execute scripts or commands on a resource after it has been created. While provisioners can be useful in certain situations, such as configuring a server or setting up a database, it is generally true that provisioners should only be used as a last resort. The reason for this is that using provisioners can make your Terraform code** less predictable and harder to manage. When you use provisioners, you introduce external dependencies and additional complexity into your infrastructure configuration. This can make it harder to reproduce your infrastructure, as well as harder to troubleshoot issues that arise.** Instead of using provisioners, it is generally recommended to use native Terraform resources and data sources to manage your infrastructure. This approach makes your code more predictable, easier to manage, and less error-prone. However, there may be situations where provisioners are necessary or unavoidable, such as when working with legacy systems or when a resource does not support the necessary configuration options. In these cases, provisioners can be a useful tool, but they should be used judiciously and with care, and you should be aware of the potential risks and downsides of using provisioners in your infrastructure configuration.

Answer 76

Location of the statefile. Backend is usually declared in the Terraform block. ***terraform { required_version = ">= 0.12.0, < 0.13.0" backend "s3" { bucket = "my-terraform-state" key = "terraform.tfstate" region = "us-west-2" } }*** The terraform block can also be used to configure other settings such as the maximum number of concurrent operations (max_parallelism), the number of retries for failed operations (retryable_errors), and the default input values for variables (default). By including a terraform block in the Terraform configuration, you can ensure that the correct version of Terraform is used and that the configuration is validated against the correct syntax and semantics for that version. This helps to ensure that the configuration will run correctly and consistently across different environments.

Answer 77

The remote-exec provisioner in Terraform is used to execute commands on a resource after it has been created over an SSH or WinRM connection. The supported connection types for remote-exec depend on the type of resource being provisioned and the underlying operating system. For Linux-based resources, the remote-exec provisioner supports the following connection types: SSH (Secure Shell) over TCP (Transmission Control Protocol) For Windows-based resources, the remote-exec provisioner supports the following connection types: WinRM (Windows Remote Management) over HTTP (Hypertext Transfer Protocol) or HTTPS (HTTP Secure) Note that both SSH and WinRM connections can be configured to use specific usernames and passwords or SSH keys, depending on the resource being provisioned and the security requirements of the environment. It is worth noting that while remote-exec provisioner can be useful in certain situations, it should generally be used as a last resort due to the potential risks and complexities involved in executing remote commands on resources. Whenever possible, it is recommended to use Terraform's native resource types to manage your infrastructure, rather than relying on external scripts or tools.

Answer 78

You do not need to specify every required argument in the backend configuration. Omitting certain arguments may be desirable to avoid storing secrets, such as access keys, within the main configuration. When some or all of the arguments are omitted, we call this a partial configuration. With a partial configuration, the remaining configuration arguments must be provided as part of the initialization process. There are several ways to supply the remaining arguments: **Interactively:** Terraform will interactively ask you for the required values unless interactive input is disabled. Terraform will not prompt for optional values. **File:** A configuration file may be specified via the init command line. To specify a file, use the -backend-config=PATH option when running terraform init. **If the file contains secrets it may be kept in a secure data store, such as Vault, in which case it must be downloaded to the local disk before running Terraform**. Command-line key/value pairs: Key/value pairs can be specified via the init command line. Note that many shells retain command-line flags in a history file, so this isn't recommended for secrets. To specify a single key/value pair, use the -backend-config="KEY=VALUE" option when running terraform init.

Answer 79

Terraform vault does not stream to terraform. Secret files must be downloaded first before use

Answer 80

When using Terraform with Git, it is generally recommended to ignore certain files in order to avoid committing sensitive or unnecessary information to your repository. The specific files that should be ignored may vary depending on your project and configuration, but as a general rule, you should ignore the following files: **.terraform directory:** This directory contains local Terraform state files, which should not be committed to the repository. terraform.tfstate and terraform. **tfstate.backup:** These files contain the current state of your infrastructure, and should not be committed to the repository. .**tfvars files:** These files may contain sensitive information, such as passwords or API keys, and should be kept out of version control. Instead, you can use environment variables or other secure methods to pass this information to Terraform. ***.tfplan files:** These files contain the plan generated by Terraform when applying changes to your infrastructure, and may include sensitive information such as resource IDs. They should not be committed to the repository. To ignore these files in Git, you can add them to your .gitignore file.

Answer 81

The terraform fmt command is a formatting tool in Terraform that helps to automatically format Terraform configuration files to follow a consistent style and make them more readable. Running terraform fmt will parse the configuration files in the current directory and recursively in subdirectories and rewrite them using a standard formatting style, including indentation, spacing, and line breaks. It will modify the original files in place, so it's vital to ensure that the files are backed up or committed to a version control system before running this command. By running terraform fmt, it helps to ensure that the Terraform configuration files are consistent across the project and easy to read, especially when working with large and complex infrastructure codebases. Consistent code style makes it easier for multiple people to collaborate on a project and makes it easier to understand the configuration files when returning to the project after an extended period. It's a best practice to run terraform fmt before committing any changes to the configuration files, to ensure that all changes have the same formatting style and are easy to read. ***terraform fmt --diff***

Answer 82

The terraform show command is used to provide human-readable output from a state or plan file. This can be used to inspect a plan to ensure that the planned operations are expected, or to inspect the current state as Terraform sees it. Machine-readable output can be generated by adding the -json command-line flag. Note: When using the -json command-line flag, any sensitive values in Terraform state will be displayed in plain text.

Answer 83

The prefix -/+ means that Terraform will destroy and recreate the resource, rather than updating it in-place. Some attributes and resources can be updated in-place and are shown with the ~ prefix. Basically, editing/modifying the resource in realtime.

Answer 84

visibility in Calling Code: If you're using a module without outputs, the calling code won't be able to reference any values directly from the module. The module's side effects, such as creating resources, are still visible in the Terraform state, but specific data might not be accessible.

Answer 85

Locking Using System APIs: To ensure that multiple instances of Terraform don't interfere with each other, the local backend uses system APIs to perform basic file locking. This prevents simultaneous modifications to the state file by multiple Terraform instances. However, the local backend doesn't provide robust locking mechanisms for distributed teams or environments with multiple Terraform users.

Answer 86

In a typical Terraform project, several files and directories play important roles in managing configurations, state, and variables: **Terraform StateFile:** The Terraform state file contains the current state of your infrastructure. It tracks the relationships between resources and their current configuration. By default, the state file is named terraform.tfstate. It is stored in the directory where you run Terraform commands unless a backend is configured to store it remotely. **.terraform:** The .terraform directory is used to store local Terraform metadata and plugins. It contains information about the provider plugins required for your configuration, as well as any local plugins you might have. This directory is managed by Terraform and can be safely deleted if you want to start with a clean slate. **It can be regenerated using terraform init.** **.tfvars :** .tfvars files are used to store variable values for your Terraform configurations. These files typically have a .tfvars extension, e.g., variables.tfvars. They contain variable assignments and are often used to separate sensitive information (like API keys or secrets) from the main configuration. **However, every parameter passed using .tfvars will still persist to .tfstate** The .tfvars files can be passed to Terraform commands using the -var-file option.

Answer 87

When using local state (state stored on your local machine), the state file is stored in plain-text JSON format by default. This means that sensitive information in the state file is not automatically encrypted when using local state. If security is a concern, it's recommended to use remote state storage, especially in production environments. To enhance security in local state scenarios, you can consider using backend configurations with encryption features or implementing additional security measures.

Answer 88

In Terraform, the terraform plan command is typically considered a dry run. The plan command generates an execution plan that describes the changes that Terraform will make to the infrastructure, but it does not apply those changes. It provides an opportunity for users to review and verify the planned changes before actually applying them.

Answer 89

Terraform data sources let you dynamically fetch data from APIs or other Terraform state backends. Data sources allow Terraform to use information defined outside of Terraform, defined by another separate Terraform configuration, or modified by functions.

Answer 90

In Terraform Cloud, workspaces let you share data between workspaces.

Answer 91

Data from .tfvars are explicitely passed on to statefile

Answer 92

Provisioning infrastructure across multiple clouds increases fault-tolerance, allowing for more graceful recovery from cloud provider outages. However, multi-cloud deployments add complexity because each provider has its own interfaces, tools, and workflows. Terraform lets you use the same workflow to manage multiple providers and handle cross-cloud dependencies. This simplifies management and orchestration for large-scale, multi-cloud infrastructures. e.g Deploying Federated Multi-Cloud Kubernetes Clusters tutorial to provision Kubernetes clusters in both Azure and AWS environments, configure Consul federation with mesh gateways across the two clusters, and deploy microservices across the two clusters to verify federation.

Answer 93

To simplify the management of approved modules, you can host all the approved Terraform modules in your organization's Private Module Registry (PMR) on Terraform Cloud. The private registry allows you to control access to the modules and ensures they are not publicly available. By implementing PMR, your organization can effectively control and restrict module consumption to only approved modules hosted in the Terraform Private Module Registry. This enhances security, maintains consistency in infrastructure deployments, and reduces the risk of using unverified or potentially harmful modules in your Terraform configurations.

Answer 94

* using a tfvars file * retrieving the credentials from a data source, such as HashiCorp Vault * using a declared variable Terraform needs to store these values in your state so that it can tell if you have changed them since the last time you applied your configuration. **Terraform runs will receive the full text of sensitive variables and might print the value in logs and state files if the configuration pipes the value through to an output or a resource parameter**. Additionally, Sentinel mocks downloaded from runs will contain the sensitive values of Terraform (but not environment) variables. Take care when writing your configurations to avoid unnecessary credential disclosure. (Environment variables can end up in log files if TF_LOG is set to TRACE.)

Answer 95

The terraform login command can be used to automatically obtain and save an API token for Terraform Cloud, Terraform Enterprise, or any other host that offers Terraform services.

Answer 96

use to reconcile the state with the real-world infrastructure in order to detect any drift from the last-known state command is used to reconcile the state Terraform knows about (via its state file) with the real-world infrastructure. This can be used to detect any drift from the last-known state, and to update the state file.

Answer 97

Upgrades all previously-selected plugins to the newest version that complies with the configuration's version constraints. This will cause Terraform to ignore any selections recorded in the dependency lock file, and to take the newest available version matching the configured version constraints.

Answer 98

only terminates resources that are specified in the configuration file

Answer 99

**Terraform configuration** Local Terraform - *On disk* Terraform Cloud - *In linked version control repository, or periodically uploaded via API/CLI* **Variable values** Local Terraform - *As .tfvars files, as CLI arguments, or in shell environment* Terraform Cloud - *In workspace* **State** Local Terraform - On disk or in remote backend Terraform Cloud - *In workspace* **Credentials and secrets** Local Terraform -*In shell environment or entered at prompts* Terraform Cloud - *In workspace, stored as sensitive variables*

Answer 100

output blocks that are created in a module aren't displayed on the Terraform CLI. Therefore, you need to create an output block in the parent/calling module to output the value while referencing the output in the module. And the output is referenced with the ~module.xxxx.yyy.attribute Don't forget that before you can reference data/values from a module, the module has to have an output declared that references the desired value(s).

Answer 101

Terraform Cloud always encrypts state at rest and protects it with TLS in transit. Terraform Cloud also knows the identity of the user requesting state and maintains a history of state changes. This can be used to control access and track activity. Terraform Enterprise also supports detailed audit logging.

Answer 102

Terraform does not persist state to the local disk when remote state is in use, and some backends can be configured to encrypt the state data at rest.

Answer 103

Each provider must be in it's own separate block

Answer 104

Remember that Terraform Cloud and Enterprise also have Workspaces, but they behave slightly differently. In Cloud and Ent, each workspace is still isolated from others, meaning it has its own state. Still, often these workspaces point to different code repositories and use completely different Terraform configuration files. Meanwhile in terraform OSS, all workspaces have different isolated state files but are linked to thesame configuration file.

Answer 105

When using workspaces, you're essentially using the same Terraform configuration files. Therefore the backend will remain the same for all of your workspaces. That makes this answer incorrect.

Answer 106

Whenever a configuration's backend changes, you must run terraform init again to validate and configure the backend before you can perform any plans, applies, or state operations. Re-running init with an already-initialized backend will update the working directory to use the new backend settings. Either -reconfigure or -migrate-state must be supplied to update the backend configuration. When changing backends, Terraform will give you the option to migrate your state to the new backend. This lets you adopt backends without losing any existing state.

Answer 107

When using modules, it's common practice to declare variables outside of the module and pass the value(s) to the child module when it is called by the parent/root module. However, it's perfectly acceptable to declare a variable inside of a module if you needed. Any variables declared inside of a module are only directly referencable within that module. You can't directly reference that variable outside of the module. You can, however, create an output in the module to export any values that might be needed outside of the module.

Answer 108

You can dynamically construct repeatable nested blocks like setting using a special dynamic block type, which is supported inside resource, data, provider, and provisioner blocks.

Answer 109

When you need to constrain the provider to a specific version, you would do this under the terraform configuration block. Within that block, you would use the required_providers block to set certain configurations, including the version of each provider you want to lockdown. Note that even though you would add the provider constraint under the terraform block, you may still indeed have a separate provider block to set certain configurations, like credentials, regions, or other settings specific to the provider. Just keep in mind that each distinct block is used for different settings.

Answer 110

On the remote system? I don't think this is even a viable option. The credentialss would need to be read by the local system that is executing Terraform.

Answer 111

terraform state list will just show you a list of the resources being managed by Terraform, but it won't show you details on each of those resources terraform state show will show you a lot of details on the resource, including things like the ID, IP address, the state of the resource, and lots more.

Answer 112

The one thing that cannot be guaranteed is that the terraform.tfstate file ALWAYS matches the deployed infrastructure since changes can easily be made outside of Terraform. For example, if you deploy a bunch of resources in GCP and nobody makes any changes, then yes, the terraform.tfstate file does match the current state of those resources. However, if an engineer makes a change in the GCP console or CLI, then the terraform.tfstate would NOT match the infrastructure deployed until you ran a terraform apply -refresh-only command.

Answer 113

fmt scans the current directory for configuration files and formats them according to the HCP canonical style and format. However, if you need it to also scan and format files in sub-directories, you can use the -recursive flag to instruct terraform fmt to also process files in subdirectories.

Answer 114

/terraform.tfstate.d/

Answer 115

terraform state list - List resources in the state terraform state mv -Move an item in the state terraform state pull - Pull current remote state and output to stdout terraform state push - Update remote state from a local state terraform state replace-provider Replace provider in the state terraform state rm - Remove instances from the state terraform show - Show a resource in the state

Answer 116

Saved plan/apply plan is a Binary file. It cannot be viewed by high-level applications. to Apply Config from the plan file, You can then use ***~terraform apply FILE***, however, this would not require an approval.

Answer 117

Standard backends * only store state * does not perform terraform operations eg. Terraform apply * To perform operations vou use the CLI on your local machine * third-party backends are Standard backends e.g. AWS S3 Enhanced backends * can both store state * can perform terraform operations enhanced backends are subdivided further: * local - files and data are stored on the local machine executing terraform commands * remote - files and data are stored in the cloud eg. Terraform Cloud

Answer 118

Terraform Enterprise supports the following data storage: PostgresSQL Any S3-compatible object storage service, GCP Cloud Storage or Azure blob storage meets Terraform Enterprise's object storage requirements.

Answer 119

GitHub.com GitHub.com (OAuth) GitHub Enterprise GitLab.com GitLab EE and CE Bitbucket Cloud Bitbucket Server Azure DevOps Server Azure DevOps Services

Answer 120

Provisioners are written inside the resource block

Answer 121

Only imports the state, does not genet\rate the config file

Answer 122

Sensitive values are still visible in statefile

Answer 123

The locals block defines one or more local variables within a module. **Each locals block can have as many locals as needed.**

Answer 124

Output values make information about your infrastructure available on the command line, and can expose information for other Terraform configurations to use. Output values are similar to return values in programming languages.

OFFICIAL DOCUMENTATION Flashcards

(152 cards)