Terraform Associate · 6% of the exam

Terraform Cloud Capabilities: free practice questions

5 sample questions from our 15-question bank for this domain — answers and explanations included. These are the same scenario-based style as the real HashiCorp exam.

1. A platform engineer is setting up a new Terraform Cloud workspace for the production environment. They want every `terraform apply` to require a human to review and approve the plan output before infrastructure changes are made — even when the run is triggered automatically by a VCS push. Which workspace setting should they configure to enforce this behavior?

  • A. Set the execution mode to 'Remote' and enable the 'Auto apply' toggle in workspace settings.
  • B. Set the execution mode to 'Remote' and leave 'Auto apply' disabled so every run pauses for confirmation after planning.✓ Correct
  • C. Set the execution mode to 'Local' so the engineer must manually run `terraform apply` from their workstation.
  • D. Attach a Sentinel hard-mandatory policy that blocks all applies until an operator adds an override comment in the run UI.
Explanation

When a Terraform Cloud workspace uses Remote execution mode with 'Auto apply' disabled (the default), every run pauses at the 'planned' state after the plan phase and waits for a user with appropriate permissions to click 'Confirm & Apply'. This is the built-in mechanism for requiring human approval before any apply proceeds, regardless of how the run was triggered. — Option A is wrong because enabling 'Auto apply' causes runs to proceed to apply automatically without human confirmation, which is the opposite of what is required. — Option C is wrong because Local execution mode offloads the plan and apply to the engineer's local machine; Terraform Cloud only stores state. It does not provide a centralized approval gate inside the platform for team-based review. — Option D is wrong because Sentinel policies gate applies based on policy logic, not on a blanket 'pause for human review' pattern. Sentinel is a policy-as-code governance tool and cannot be configured to simply require an operator comment as a generic approval mechanism; the correct purpose-built feature for approval gates is disabling Auto apply.

2. When Terraform Cloud performs cost estimation for a plan, which statement accurately describes its behavior and limitations?

  • A. Cost estimation calculates the exact monthly bill by querying live cloud provider pricing APIs in real time and accounts for all resource types across all providers.
  • B. Cost estimation provides a monthly cost delta between the prior state and the planned state for a supported subset of AWS, Azure, and GCP resources, and is shown before the Sentinel policy check stage.✓ Correct
  • C. Cost estimation runs after the apply completes and shows actual costs incurred rather than a projected estimate.
  • D. Cost estimation is only available for AWS resources and requires the user to input an IAM role with billing read permissions.
Explanation

Option B is correct. Terraform Cloud's cost estimation feature calculates a projected monthly cost delta—showing the estimated cost before and after the planned changes—for a supported subset of resource types across AWS, Azure, and Google Cloud. Importantly, it is inserted into the run pipeline after the plan but before Sentinel policy checks, allowing policies to act on cost data (e.g., rejecting plans that exceed a cost threshold). Option A is wrong because coverage is not complete for all resource types and does not use real-time billing API queries; it uses static pricing tables. Option C is wrong because cost estimation is prospective (pre-apply), not retrospective. Option D is wrong because cost estimation supports AWS, Azure, and GCP, and does not require any cloud credentials or IAM roles—it works from the plan's resource definitions.

3. A security team wants to enforce a policy that prevents any Terraform plan from creating AWS security groups with ingress rules open to `0.0.0.0/0`. They want the run to be blocked and not allowed to proceed to apply under any circumstances if this condition is violated. Which Sentinel policy enforcement level should they configure?

  • A. advisory
  • B. soft-mandatory
  • C. hard-mandatory✓ Correct
  • D. strict
Explanation

Option C is correct. A `hard-mandatory` Sentinel policy cannot be overridden by anyone, including organization owners. If the policy fails, the run is permanently blocked from proceeding to apply with no override path. Option A (advisory) is wrong because advisory policies log a warning but never block a run—the apply proceeds regardless. Option B (soft-mandatory) is wrong because soft-mandatory policies can be overridden by users with appropriate permissions (typically organization owners or policy override privileges), which does not meet the requirement of 'no circumstances' override. Option D (strict) is wrong because 'strict' is not a valid Sentinel enforcement level in Terraform Cloud; the three valid levels are advisory, soft-mandatory, and hard-mandatory.

4. An operator is reviewing a failed Terraform Cloud run. The run log shows: 'Policy check soft failed.' The operator does not have the 'Manage Policy Overrides' permission. What will happen to this run?

  • A. The run is automatically discarded and must be re-triggered from scratch.
  • B. The run proceeds to apply automatically because soft-mandatory failures are non-blocking.
  • C. The run is paused at the policy check stage and requires a user with the 'Manage Policy Overrides' permission to override it before the apply can proceed.✓ Correct
  • D. The run proceeds to apply only if all Terraform plan changes are marked as 'no-op'.
Explanation

Option C is correct. A soft-mandatory Sentinel policy failure pauses the run and requires a user with the 'Manage Policy Overrides' permission to explicitly override the failure before the apply step is unlocked. The current operator cannot unblock it themselves due to lacking that permission. Option A is wrong because the run is not discarded—it stays in a paused/needs-override state. Option B is wrong because soft-mandatory failures DO block the run; only advisory failures are non-blocking. Option D is wrong because the apply gating is based on the override permission, not on whether the plan produces changes.

5. A developer runs `terraform workspace new staging` from the CLI while working in a directory that is connected to a Terraform Cloud workspace. What is the correct understanding of how Terraform Cloud workspaces differ from CLI workspaces?

  • A. Terraform Cloud workspaces and CLI workspaces are interchangeable; the new 'staging' workspace will appear in the Terraform Cloud UI automatically.
  • B. CLI workspaces share the same backend configuration and state storage location, while Terraform Cloud workspaces each have their own state file, variables, run history, and access controls.✓ Correct
  • C. Terraform Cloud workspaces are simply remote versions of CLI workspaces and support the same `terraform workspace` commands to switch between them.
  • D. CLI workspaces are more powerful than Terraform Cloud workspaces because they allow multiple state files to be managed without any additional configuration.
Explanation

Option B is correct. CLI workspaces (backed by a local or remote backend) share the same working directory and backend configuration—they are lightweight named state files within a single configuration. Terraform Cloud workspaces are far richer: each is an independent unit with its own state, variables, run history, team access permissions, and execution environment. Option A is wrong because creating a CLI workspace does not automatically create or sync a Terraform Cloud workspace. Option C is wrong because `terraform workspace` commands do not map to Terraform Cloud workspaces when using the `cloud` block or `remote` backend; you navigate TFC workspaces through the UI, API, or CLI workspace tagging. Option D is wrong because CLI workspaces are not more powerful—they lack governance, RBAC, audit logging, and remote execution that Terraform Cloud provides.

10 more questions in this domain

Practice the full bank with instant grading, flashcards, and a timed mock exam.

Start practicing free
Terraform Cloud Capabilities — Free Terraform Associate Practice Questions | DataCertPrep — Certification Prep