Introduction
These 25 practice questions are modeled on the current Terraform Associate 003 exam — including all nine objectives and every question format you’ll encounter (multi-choice, multi-select, true/false, fill-in-the-blank, matching).
Use this as a diagnostic. If you get 22+ correct, you’re exam-ready. Below 18, you have weak objectives to revisit. After that, run a few full-length Sailor.sh Terraform Associate mock exams under timed conditions to lock in performance.
Questions
Q1
Which of the following are valid Terraform backends? (Select all that apply.)
A. s3
B. gcs
C. azurerm
D. kubernetes
E. consul
Answer: A, B, C, D, E. All five are valid Terraform backends. The 003 exam loves “select all that apply” backend questions.
Q2
What does terraform init do? (Select all that apply.)
A. Downloads provider plugins B. Initializes the backend C. Applies pending changes D. Downloads referenced modules E. Validates configuration syntax
Answer: A, B, D. init downloads providers, initializes the backend, and downloads modules. It does not apply changes (that’s apply) or fully validate syntax (that’s validate).
Q3
True or false: Provisioners are HashiCorp’s recommended way to bootstrap configuration management inside Terraform.
Answer: False. Provisioners are an explicit last resort per HashiCorp’s documentation. Prefer cloud-init, user data, or dedicated config management (Ansible, Chef, Puppet).
Q4
Which command moves a resource from one address to another in state without destroying and recreating it?
A. terraform refresh
B. terraform state mv
C. terraform import
D. terraform replace
Answer: B — terraform state mv. It rewrites the address inside the state file. The resource itself is untouched.
Q5
Fill in the blank: To migrate state from a local backend to a remote backend without re-creating resources, you change the backend configuration and then run __________.
Answer: terraform init -migrate-state. Without the flag, Terraform will refuse to migrate or will start fresh.
Q6
You want to ensure a resource is replaced when a specific other resource changes. Which lifecycle argument should you use?
A. create_before_destroy
B. prevent_destroy
C. ignore_changes
D. replace_triggered_by
Answer: D — replace_triggered_by. Introduced in Terraform 1.2 and tested on 003.
Q7
What is the difference between count and for_each?
A. count works with maps; for_each works with lists
B. count works with numbers/lists; for_each works with maps/sets
C. They are functionally identical
D. count is deprecated in favor of for_each
Answer: B. count takes a number (often length(list)); for_each takes a map or set. for_each is generally safer when resources change because each instance is keyed by its map key, not its index.
Q8
Which of these is the correct order of the standard Terraform workflow?
A. init → apply → plan
B. plan → init → apply
C. init → plan → apply
D. apply → init → plan
Answer: C. Init first to set up providers/backend/modules; plan to preview; apply to execute.
Q9
True or false: The Terraform state file may contain sensitive values such as database passwords in plaintext.
Answer: True. This is why state must be stored in a secure remote backend with encryption at rest and strict IAM. Mark sensitive variables with sensitive = true, but the state file itself can still expose them.
Q10
Which block downloads a published module from the Terraform Registry?
A. module "vpc" { source = "registry/aws-vpc" }
B. module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "5.0.0" }
C. module "vpc" { provider = "aws/vpc" }
D. provider "registry" { name = "terraform-aws-modules/vpc/aws" }
Answer: B. Public registry modules use namespace/name/provider source format. Version pinning is best practice.
Q11
Match each command to its purpose:
| Command | Purpose |
|---|---|
terraform fmt | A. Validates configuration syntax |
terraform validate | B. Rewrites configuration in canonical style |
terraform output | C. Displays the value of root module outputs |
terraform graph | D. Outputs a visual dependency graph |
Answer: fmt → B, validate → A, output → C, graph → D.
Q12
What does the terraform import block (new in Terraform 1.5+) do that the terraform import command does not?
A. It runs faster B. It allows importing without writing the resource block first C. It can be committed to version control and run as part of the plan/apply cycle D. It supports more providers
Answer: C. Import blocks make imports reviewable in PRs and reproducible in CI — a major improvement over the imperative CLI command.
Q13
You want a child module to expose a value to its caller. Which block do you use?
A. variable
B. output
C. locals
D. data
Answer: B — output. Outputs in a child module are accessible as module.<name>.<output_name> in the parent.
Q14
True or false: Terraform Cloud has been renamed to HCP Terraform.
Answer: True. Rebranded in 2024. Expect both names on the exam.
Q15
Which of these is not a valid Terraform variable type?
A. string
B. bool
C. set(string)
D. decimal
Answer: D — decimal. Use number for any numeric value.
Q16
When using for_each with a map, what is the type of each.key and each.value?
A. each.key is always a number; each.value is the map value
B. each.key is the map key (string); each.value is the map value
C. Both are the map value
D. each.key is the resource address
Answer: B. The map key becomes each.key; the value becomes each.value.
Q17
Which authentication method is not typically used by Terraform providers?
A. Environment variables B. Provider block credentials C. Cloud-native default credentials (e.g., EC2 instance profile, GCP service account) D. Cookie-based browser session
Answer: D. Cookies are for interactive browser sessions, not providers.
Q18
In HCP Terraform, what is a variable set?
A. A versioned bundle of provider plugins B. A collection of variables that can be applied to multiple workspaces or projects C. A workspace-level state file backup D. A Sentinel policy
Answer: B. Variable sets reduce duplication when many workspaces share the same variables (e.g., cloud credentials).
Q19
What happens when you run terraform destroy against a workspace with prevent_destroy = true on a resource?
A. Terraform destroys all other resources and skips the protected one
B. Terraform refuses the run and errors out
C. Terraform asks for confirmation per protected resource
D. The prevent_destroy setting is ignored on destroy operations
Answer: B. prevent_destroy causes Terraform to error if a plan would destroy that resource.
Q20
Which Sentinel enforcement level prevents an apply from proceeding when violated?
A. advisory
B. soft-mandatory
C. hard-mandatory
D. info
Answer: C — hard-mandatory. Soft-mandatory requires an override; hard-mandatory cannot be bypassed.
Q21
True or false: A data source provisions new infrastructure.
Answer: False. Data sources read existing infrastructure (or external data). To create resources, use resource blocks.
Q22
Which of these is the correct precedence order (highest to lowest) for Terraform variable assignment?
A. Environment vars → -var flag → terraform.tfvars → defaults
B. -var flag → *.auto.tfvars → terraform.tfvars → environment vars → defaults
C. Defaults → environment vars → -var → terraform.tfvars
D. Environment vars → *.auto.tfvars → defaults
Answer: B. From highest precedence: command-line -var and -var-file, then *.auto.tfvars, then terraform.tfvars, then environment variables (TF_VAR_*), then variable defaults.
Q23
What is the recommended way to handle secrets used by Terraform configurations?
A. Hardcode them in *.tf files
B. Pass them via environment variables (TF_VAR_secret) or pull from a secret manager
C. Commit them to a private GitHub repo
D. Store them inline in a public module
Answer: B. Use environment variables, HCP Terraform sensitive variables, or pull from a secret manager (Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager). Never commit secrets.
Q24
Which command would you use to only refresh the state file without applying changes?
A. terraform plan -refresh-only
B. terraform apply -refresh-only
C. terraform refresh (deprecated in favor of -refresh-only)
D. All of the above
Answer: D. All three reach the same outcome. -refresh-only mode is the modern, more explicit form.
Q25
In HCP Terraform, which workspace execution mode runs terraform plan and apply on HashiCorp’s infrastructure rather than your local machine?
A. Local execution B. Remote execution C. Agent execution D. CLI-only
Answer: B — Remote execution. This is the default in HCP Terraform. Agent execution uses your own runners for private networks. Local mode only stores state in HCP and runs locally.
Scoring Yourself
| Score | Verdict |
|---|---|
| 22–25 | Exam-ready. Book your exam. |
| 18–21 | Close. Review weak objectives and re-test on a full-length mock. |
| 14–17 | One more focused study week before booking. |
| Below 14 | Revisit HashiCorp Learn and re-do hands-on projects. Don’t book yet. |
Common Wrong-Answer Traps
- Confusing
initandapply.initis preparation only — no changes are made to real infrastructure. - Treating provisioners as a standard tool. HashiCorp explicitly calls them a last resort.
- Mixing up
countandfor_eachuse cases.for_eachis safer when collection content changes. - Forgetting state can contain plaintext secrets. Even with
sensitive = truein code, state can still expose them. - Skipping HCP Terraform questions. Objective 9 is worth real points.
Next Steps
These 25 questions are useful for orientation, but the real exam pulls from a much larger bank with more nuanced wording and timing pressure. To consistently pass, drill realistic exam-format mocks under timed conditions.
Sailor.sh’s Terraform Associate mock exam bundle gives you hundreds of additional questions across every objective, full-length timed mocks, and detailed answer explanations aligned to the current 003 exam.
For deeper structure, read our Terraform Associate exam guide 2026 and pair it with a few real terraform plan/apply projects of your own.