9.3. Practice Questions
Work each before reading the answer. These mix objectives and use the real formats.
1. (True/False) Marking a Terraform output as sensitive prevents its value from being stored in the state file.
Answer: False. sensitive only suppresses the value in CLI/plan output. The value is still stored in state in plaintext. Ephemeral values and write-only arguments are what keep secrets out of state. (2.3.2, 4.5.2)
2. (Multiple choice) You renamed a resource from aws_s3_bucket.logs to aws_s3_bucket.audit_logs. Without any additional configuration, what does terraform plan propose?
A. No changes — Terraform recognizes the rename
B. Update the bucket in place
C. Destroy the old bucket and create a new one
D. An error, because the address changed
Answer: C. To Terraform the old address disappeared and a new one appeared, so it plans destroy-then-create. A moved block makes it a state-only rename with no recreation. (1.3.1, 6.3.2)
3. (Multiple choice) Which command can be run successfully without valid provider credentials or network access to the provider's API?
A. terraform apply
B. terraform plan
C. terraform validate
D. terraform import
Answer: C. validate checks syntax and internal consistency offline (after init). plan, apply, and import all interact with provider APIs. (3.2.2)
4. (Multiple answer — select two) Which are true of the .terraform.lock.hcl dependency lock file?
A. It records the exact provider versions selected
B. It pins the Terraform CLI version
C. It should be committed to version control
D. It is regenerated automatically and should be git-ignored
Answer: A and C. The lock file records selected provider versions and hashes and should be committed for reproducibility. It does not pin the CLI version, and ignoring it defeats its purpose. (2.1.3)
5. (Multiple choice) A failing check block during terraform apply will:
A. Halt the apply with an error
B. Roll back all changes
C. Produce a warning but allow the apply to continue
D. Trigger a destroy of the affected resource
Answer: C. check blocks report issues as warnings without blocking the run, unlike validation/precondition/postcondition, which error and halt. (4.5.1)
6. (True/False) terraform state rm aws_instance.web destroys the real EC2 instance.
Answer: False. state rm removes the resource from Terraform's state (it's no longer managed) but leaves the real instance running. (7.2.1)
7. (Multiple choice) Which module source supports the version argument?
A. A local path like ./modules/vpc
B. A GitHub source like github.com/org/repo
C. A Terraform Registry source like terraform-aws-modules/vpc/aws
D. A generic HTTP URL
Answer: C. The version argument applies only to registry sources. Git sources pin with ?ref=; local paths and HTTP URLs don't use version. (5.1.2, 5.3.1)
8. (Multiple choice) A variable is set via a TF_VAR_region environment variable, in terraform.tfvars, and with -var="region=us-west-2" on the command line. Which value wins?
A. The environment variable
B. The terraform.tfvars value
C. The -var command-line value
D. Terraform errors on the conflict
Answer: C. Command-line -var/-var-file has the highest precedence; environment variables have the lowest. (4.3.1)
9. (Multiple choice) In HCP Terraform, which enforcement level blocks a run on policy failure but allows an authorized user to override? A. Advisory B. Soft-mandatory C. Hard-mandatory D. Optional Answer: B. Soft-mandatory blocks but permits override by an authorized user; hard-mandatory cannot be overridden; advisory only warns. (8.2.1)
10. (Multiple answer — select two) Which operations change Terraform's state but not real infrastructure?
A. terraform apply -refresh-only
B. terraform destroy
C. A moved block applied during apply
D. terraform apply after editing a resource argument
Answer: A and C. Refresh-only updates state to match reality without changing infrastructure, and a moved block is a state-only address change. destroy and a normal apply with changes both modify real infrastructure. (6.3.1, 6.3.2)
