Questions for the TERRAFORM ASSOCIATE 003 were updated on: Dec 01, 2025
You want to use API tokens and other secrets within your team's Terraform workspaces. Where does
HashiCorp recommend you store these sensitive values? (Pick 3)
C, D, E
Explanation:
Detailed
Rationale for Correct Answers:
C. terraform.tfvars securely managed: Acceptable if distributed securely outside version control.
D. HCP Terraform/Terraform Cloud sensitive variables: Official best practice for team-based
workflows.
E. Vault: HashiCorp Vault is designed for secret management and integrates well with Terraform.
Analysis of Incorrect Options:
A: Storing plaintext secrets on shared drives is insecure.
B: Checking secrets into version control is a major security risk.
Key Concept:
Sensitive values should be managed securely in Vault, HCP Terraform, or securely shared .tfvars files
— never in plaintext or version control.
Reference:
Terraform Exam Objective – Use Terraform to Manage Infrastructure.
When you use a backend that requires authentication, it is best practice to:
C
Explanation:
Detailed
Rationale for Correct Answer (C):
Credentials should not be hardcoded in Terraform files. Best practice is to configure them via
environment variables or secret managers.
Analysis of Incorrect Options:
A: Shared servers introduce risk and drift.
B: Storing secrets in config/version control is insecure.
D: Incorrect since option C is valid.
Key Concept:
Separation of credentials from code is a Terraform security best practice.
Reference:
Terraform Exam Objective – Navigate Terraform State and Backends.
Which of the following should you add in the required_providers block to define a provider version
constraint?
C
Explanation:
Detailed
Rationale for Correct Answer (C):
Version constraints must be specified with = and quotes, e.g.:
version = ">= 3.1"
This ensures compatibility with Terraform’s syntax.
Analysis of Incorrect Options:
A, B: Incorrect syntax, missing quotes or wrong operator format.
C: Correct Terraform syntax.
Key Concept:
Correct syntax in provider version constraints ensures reproducibility.
Reference:
Terraform Exam Objective – Manage Terraform Resources and Providers.
Which type of block fetches or computes information for use elsewhere in a Terraform configuration?
A
Explanation:
Detailed
Rationale for Correct Answer (A):
data blocks fetch information from providers (like AMI IDs, network info) that can be used in other
resources.
Analysis of Incorrect Options:
B. local: Stores values, doesn’t fetch external data.
C. resource: Defines managed infrastructure, not read-only data.
D. provider: Configures connection to APIs, not data fetching.
Key Concept:
Data sources are read-only queries into existing infrastructure.
Reference:
Terraform Exam Objective – Read, Generate, and Modify Configurations.
You are tasked with making a change to an infrastructure stack running in a public cloud using HCP
Terraform/Terraform Cloud. Which pattern follows IaC best practices?
B
Explanation:
Detailed
Rationale for Correct Answer (B):
IaC best practice is to manage infrastructure through version-controlled code. Changes should be
reviewed and approved (via PRs), ensuring collaboration, traceability, and automation.
Analysis of Incorrect Options:
A, D, E: Making direct/manual changes bypasses IaC practices and causes drift.
C: Running code without PR review skips collaboration and approval.
Key Concept:
Infrastructure as Code emphasizes version control + peer review + automation.
Reference:
Terraform Exam Objective – Understand Infrastructure as Code (IaC) Concepts.
You're writing a Terraform configuration that needs to read input from a local file called id_rsa.pub.
Which built-in Terraform function can you use to import the file's contents as a string?
B
Explanation:
Detailed
Rationale for Correct Answer (B):
The file() function reads a file from disk and returns its content as a string. This is commonly used for
public keys (.pub files).
Analysis of Incorrect Options:
A. fileset(): Returns a set of filenames matching a pattern, not file contents.
C. filebase64(): Reads file and returns Base64 encoded string — unnecessary for .pub.
D. templatefile(): Used for rendering templates with variables, not raw file contents.
Key Concept:
Terraform’s file() function is used for injecting file content directly.
Reference:
Terraform Exam Objective – Read, Generate, and Modify Configurations.
Only the user that generated a terraform plan may apply it.
B
Explanation:
Detailed
Rationale for Correct Answer (False):
Any user with access to the saved plan file (terraform plan -out=planfile) can run terraform apply
planfile. Terraform does not enforce user-specific restrictions.
Analysis of Incorrect Option:
True: Incorrect — Terraform doesn’t tie plan files to individual users.
Key Concept:
Plan files ensure predictability but are not bound to the identity of the user.
Reference:
Terraform Exam Objective – Understand Terraform Basics and CLI.
A developer launched a VM outside of the Terraform workflow and ended up with two servers with
the same name. They are unsure which VM is managed with Terraform, but they do have a list of all
active VM IDs. Which method could you use to determine which instance Terraform manages?
D
Explanation:
Detailed
Rationale for Correct Answer (D):
terraform state list shows all resources currently managed by Terraform. terraform state show
<resource> provides detailed attributes, including the VM ID. This lets you match the
Terraform-managed instance with the actual infrastructure.
Analysis of Incorrect Options:
A: Importing is not needed since one VM is already in state.
B: terraform apply doesn’t show which VM ID is managed, it only refreshes attributes.
C: Removing state entries is destructive and may lead to losing state data unnecessarily.
Key Concept:
The state file is Terraform’s source of truth for which resources it manages.
Reference:
Terraform Exam Objective – Implement and Maintain State.
If one of your modules uses a local value, you can expose that value to callers of the module by
defining a Terraform output in the module’s configuration.
A
Explanation:
Detailed
Rationale for Correct Answer (True):
Local values (locals {}) are scoped to a module and are not directly visible outside. To make them
available to callers, you must define outputs in the module. Outputs act as the interface for exposing
values from a child module to the root module.
Analysis of Incorrect Option:
False: Incorrect, because locals cannot be exposed directly; only via outputs.
Key Concept:
Outputs are the way to expose information outside of a module.
Reference:
Terraform Exam Objective – Interact with Terraform Modules.
If a module declares a variable without a default value, you must pass the value of the variable
within the module block when you call the module in your configuration.
A
Explanation:
Detailed
Rationale for Correct Answer (True):
Variables without defaults are required inputs. If the calling module doesn’t supply a value,
Terraform will fail with an error at plan time.
Analysis of Incorrect Option:
False: Incorrect, because Terraform does not assume defaults when none are provided.
Key Concept:
Terraform modules enforce required vs. optional variables depending on whether a default is set.
Reference:
Terraform Exam Objective – Interact with Terraform Modules.
One cloud block always maps to a single HCP Terraform/Terraform Cloud workspace.
A
Explanation:
Detailed
Rationale for Correct Answer (True):
A cloud block in Terraform configuration specifies a single Terraform Cloud or HCP Terraform
workspace. You cannot use one cloud block for multiple workspaces.
Analysis of Incorrect Option:
False: Incorrect because a cloud block is a one-to-one mapping with a single workspace.
Key Concept:
Cloud blocks manage remote operations and backend configuration tied to one workspace.
Reference:
Terraform Exam Objective – Manage Terraform Workspaces and Cloud.
Which of the following should you add in the required_providers block to define a provider version
constraint?
B
Explanation:
Detailed
Rationale for Correct Answer (B):
Provider version constraints in Terraform are specified using the version argument in the
required_providers block, e.g.:
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "3.1"
    }
  }
}
This ensures Terraform always uses a specific provider version (or constraint expression).
Analysis of Incorrect Options:
A. version: Incomplete, no value specified.
C. version: 3.1: Incorrect syntax, Terraform uses = not :.
D. version - 3.1: Incorrect syntax, - is invalid here.
Key Concept:
Defining provider version constraints ensures consistent provider behavior across environments and
avoids breaking changes.
Reference:
Terraform Exam Objective – Manage Terraform Resources and Providers.
You modified your Terraform configuration to fix a typo in the resource ID by renaming it from
photoes to photos. What configuration will you add to update the resource ID in state without
destroying the existing resource?
Original configuration:
resource "aws_s3_bucket" "photoes" {
  bucket_prefix = "images"
}
Updated configuration:
resource "aws_s3_bucket" "photos" {
  bucket_prefix = "images"
}
A.
moved {
  from = aws_s3_bucket.photoes
  to   = aws_s3_bucket.photos
}
B.
moved {
  bucket.photoes = aws_s3_bucket.photos
}
C.
moved {
  aws_s3_bucket.photoes = aws_s3_bucket.photos
}
D. None. Terraform will automatically update the resource ID.
A
Explanation:
Detailed
Rationale for Correct Answer (A):
Terraform does not automatically update state references when resource identifiers are renamed.
Instead, you must use a moved block in your configuration to inform Terraform how to map the old
resource to the new one. This prevents Terraform from destroying and recreating the resource.
Analysis of Incorrect Options:
B & C: Incorrect syntax — moved requires from and to.
D: Incorrect, Terraform won’t auto-detect renames and will plan to destroy and recreate the resource
unless a moved block is provided.
Key Concept:
The moved block is essential for refactoring resource names without losing resources in state.
Reference:
Terraform Exam Objective – Implement and Maintain State.
When you use a backend that requires authentication, it is best practice to:
C
Explanation:
Detailed
Rationale for Correct Answer (C):
Best practice is to avoid hardcoding sensitive credentials in Terraform configurations or storing them
in version control. Instead, credentials should be managed via environment variables, CLI
authentication helpers, or secret managers (e.g., Vault).
Analysis of Incorrect Options:
A. Shared server: Not secure, introduces single point of failure and risk.
B. Storing credentials in config files: A major security risk, especially if pushed to version control.
D. None of the above: Incorrect, because option C is a valid and recommended approach.
Key Concept:
Security best practices in Terraform dictate that credentials should be externalized from Terraform
code.
Reference:
Terraform Exam Objective – Navigate Terraform State and Backends.
When you run terraform apply, the Terraform CLI will print output values from both the root module
and any child modules.
A
Explanation:
Detailed
Rationale for Correct Answer (True):
When terraform apply completes successfully, Terraform prints output values. Outputs from both
root and child modules are displayed, but child module outputs must be explicitly exposed through
the root module outputs to be visible at the CLI.
Analysis of Incorrect Option:
False: Incorrect, because Terraform does display output values, but only if they are exposed from
child modules to the root module.
Key Concept:
Outputs help you extract important information (e.g., IP addresses, resource IDs) from your
configuration.
Reference:
Terraform Exam Objective – Read, Generate, and Modify Configurations.