Terraform Associate · 15% of the exam

IaC Concepts and Terraform Purpose: free practice questions

5 sample questions from our 38-question bank for this domain — answers and explanations included. These are the same scenario-based style as the real HashiCorp exam.

1. A team maintains two separate Terraform projects: one that provisions AWS EC2 instances and one that provisions Azure Virtual Machines. Both projects run `terraform apply` nightly via CI/CD. A new requirement asks them to also manage DNS records in Cloudflare. Which statement BEST reflects how Terraform's provider ecosystem addresses this requirement?

  • A. Terraform cannot manage Cloudflare resources natively; the team must use a separate IaC tool dedicated to DNS management.
  • B. The team must contact HashiCorp to request an official Cloudflare provider before any integration is possible.
  • C. The team can add a Cloudflare provider block to an existing or new Terraform configuration; Terraform will download the provider plugin from the Registry and manage Cloudflare DNS resources alongside their existing infrastructure.✓ Correct
  • D. The team must upgrade to Terraform Enterprise to access third-party providers such as Cloudflare, because the open-source CLI only ships with AWS and Azure providers built in.
Explanation

Option C is correct: Terraform's provider ecosystem on the public Registry includes a Cloudflare provider (and thousands of others). Adding a provider block and running `terraform init` downloads the plugin, enabling management of Cloudflare DNS alongside any other infrastructure in the same or separate configurations. Option A is wrong: a mature Cloudflare provider exists on the Registry. Option B is wrong: providers are published by HashiCorp, partners, or community contributors — no special request to HashiCorp is needed. Option D is wrong: the open-source CLI supports all Registry providers; Terraform Enterprise/Cloud adds collaboration features but is not a prerequisite for third-party providers.

2. A solutions architect is comparing IaC approaches and states: 'With a declarative approach, you describe the desired end state of your infrastructure, and the tool figures out how to get there.' A junior engineer pushes back, saying declarative and imperative IaC are functionally identical because both produce the same infrastructure. Which response BEST addresses the junior engineer's misconception?

  • A. The junior engineer is correct — both approaches produce identical infrastructure and the distinction is purely stylistic.
  • B. In a declarative approach, the engineer defines *what* the infrastructure should look like, while in an imperative approach the engineer defines *how* to create it step by step; this distinction affects idempotency and drift handling.✓ Correct
  • C. Declarative tools like Terraform cannot provision resources on more than one cloud provider, while imperative tools can, making them functionally different.
  • D. Imperative IaC tools always require manual approval before applying changes, whereas declarative tools do not.
Explanation

Option B is correct: declarative IaC lets you specify the desired end state (what), and the tool computes the necessary steps, which inherently supports idempotency and drift reconciliation. Option A is wrong because the two approaches differ significantly in how they handle repeated applies and configuration drift — declarative tools converge to the desired state without re-running the same creation steps. Option C is a misconception; many declarative tools, including Terraform, support multiple cloud providers. Option D is incorrect; neither approach universally requires or waives manual approval — that is a workflow policy decision, not a property of the paradigm.

3. A DevOps engineer is explaining Terraform's idempotency to a skeptical colleague. The colleague says: 'If I run `terraform apply` and the cloud provider silently ignores a duplicate API call, that's just the provider being idempotent — Terraform itself isn't doing anything special.' Which response BEST clarifies Terraform's role in achieving idempotency?

  • A. The colleague is correct; Terraform's idempotency is entirely delegated to the underlying provider APIs and Terraform itself adds no idempotency guarantees.
  • B. Terraform achieves idempotency by comparing the desired state in configuration files against the actual state recorded in the state file, and only generating API calls for resources that differ — so re-applying an unchanged configuration produces no changes regardless of whether the provider API is idempotent.✓ Correct
  • C. Terraform's idempotency is implemented by locking the state file during every apply, which prevents any two applies from ever producing different results.
  • D. Terraform guarantees idempotency by requiring all providers to implement a retry mechanism that deduplicates API calls at the network layer.
Explanation

Option B is correct: Terraform's core contribution to idempotency is the plan/apply cycle — it reads current state, compares it to desired state, and only issues API calls for resources that need to change. If nothing has changed, no API calls are made, regardless of how the underlying provider API behaves. Option A is wrong: while provider API idempotency is helpful, Terraform's state-based diffing is the primary mechanism that prevents unnecessary changes. Option C is wrong: state locking prevents concurrent applies from conflicting, but it does not make repeated sequential applies idempotent — state comparison does. Option D is wrong: Terraform does not mandate a network-layer retry/deduplication mechanism in providers; that is not part of the provider SDK contract.

4. A company currently uses AWS CloudFormation to manage all of its AWS infrastructure. A solutions architect proposes migrating to Terraform. A stakeholder asks what concrete capability Terraform offers that CloudFormation does not. Which of the following is the MOST accurate and meaningful distinction?

  • A. Terraform applies changes faster than CloudFormation because it does not use a managed service and therefore avoids API throttling.
  • B. Terraform supports rollback on failure out of the box, whereas CloudFormation requires manual intervention to recover from a failed stack update.
  • C. Terraform can manage resources across multiple cloud providers and SaaS platforms using a single workflow and a unified state model, whereas CloudFormation is limited to AWS services.✓ Correct
  • D. Terraform configuration files are compiled into JSON before deployment, making them more portable than CloudFormation templates, which only support YAML.
Explanation

Option C is correct: this is Terraform's most fundamental differentiator from CloudFormation — its provider ecosystem enables multi-cloud and multi-SaaS management in a single workflow, while CloudFormation is AWS-only (with limited support for some third-party resources via CloudFormation Extensions, but not as a general multi-cloud tool). Option A is wrong: apply speed varies by configuration complexity and provider; Terraform's local execution does not categorically avoid throttling since it still calls cloud APIs. Option B is wrong: this is actually reversed — CloudFormation has built-in rollback on stack failure; Terraform does not automatically roll back a failed apply. Option D is wrong: Terraform uses HCL (or JSON), not compiled output; CloudFormation supports both JSON and YAML natively.

5. Which THREE of the following are characteristics that distinguish Terraform Enterprise from Terraform Cloud? (Select THREE)

  • A. Terraform Enterprise is deployed in the customer's own environment (on-premises or private cloud), giving the organization full control over the infrastructure.✓ Correct
  • B. Terraform Enterprise supports a private module registry, whereas Terraform Cloud does not offer any module registry.
  • C. Terraform Enterprise is designed for enterprises with requirements such as air-gapped deployments, custom SAML SSO integration, and audit logging beyond what is available on Terraform Cloud's free and standard tiers.✓ Correct
  • D. Terraform Enterprise allows organizations to define their own data residency and retention policies, which is critical for regulatory compliance in certain industries.
  • E. Terraform Enterprise includes the Terraform CLI binary, which is not available with Terraform Cloud.
  • F. Terraform Enterprise provides a self-hosted option, meaning the organization is responsible for installation, upgrades, and operational maintenance of the platform.✓ Correct
Explanation

Options A, C, and F are correct. Terraform Enterprise (TFE) is self-hosted (A), supports advanced enterprise requirements like air-gapped deployments and extended audit capabilities (C), and places the operational burden of installation and maintenance on the customer's team (F). Option B is false; Terraform Cloud also provides a private module registry. Option D is partially true in practice but is not a distinguishing feature listed in HashiCorp's official differentiation — data residency is primarily addressed by self-hosting (already covered by A), and Terraform Cloud Business also offers some data handling controls. Option E is false; the Terraform CLI is a separate open-source binary available to all users regardless of whether they use Cloud or Enterprise.

33 more questions in this domain

Practice the full bank with instant grading, flashcards, and a timed mock exam.

Start practicing free
IaC Concepts and Terraform Purpose — Free Terraform Associate Practice Questions | DataCertPrep — Certification Prep