Q & A

By default where does terraform search for provider plugins?

Terraform searches for provider plugins in the public Terraform Registry or in a third-party provider registry by default.

What do you do, If you cannot or do not wish to install providers from their origin registries?

You can use a provider_installation block in the CLI configuration to override Terraform's default installation behaviors. This allows you to force Terraform to use a local mirror for some or all of the providers you intend to use.

Terraform apply is a combination of what?

Terraform apply is a combination of the following commands: terraform plan -out file; terraform apply file; rm file.

Can you have multiple provisioners for the same resource?

Yes. You can also mix and match creation and destruction provisioners, and only the provisioners that are valid for a given operation will be run. This allows you to model specific actions on the local machine or on a remote machine in order to prepare servers or other infrastructure objects for service.

What is the priority list for terraform variables to be assigned?

1 being highest and 4 being lowest.

Command line flags: You can use the var and var-file flags when running the terraform plan or terraform apply commands to set variable values.
Environment variables: You can set environment variables with the prefix TF_VAR_ followed by the name of the variable to set its value.
Variable definition files: You can create files with the .tfvars or .tfvars.json extensions to define variable values. Terraform automatically loads these files if they are present in the current directory or any parent directory.
Default values: If you have specified a default value for a variable in its declaration, Terraform will use that value if no other value has been provided.

Difference between terraform plan -destroy and terraform destroy?

The former generates an execution plan that can be reviewed before being applied, while the latter destroys the remote objects without generating a plan.

Difference between terraform plan -refresh-only and terraform refresh?

The former generates an execution plan that can be reviewed before being applied, while the latter updates the state file without generating a plan.

When you use both options -var and -var-file together which takes precedence?

var takes precedence.

terraform plan -var-file="variables.tfvars" -var="region=us-east-1" In this example, Terraform will first load variable values from the variables.tfvars file and then override the value of the region variable with us-east-1.

If I have not defined the variables in variables.tf but I have it in tfvars file, can I still use that variable?

Yes, you can use a variable defined in a .tfvars file even if it is not explicitly declared in a variables.tf file, but this is not a recommended practice.

Every region in AWS has a different AMI ID, how to deal with different AMI IDs based on regions?

Using Data source, we can query for latest AMI ID based on specific conditions like availability, Operating System or other.

Can terraform apply destroy infrastructure in any scenario? if so in what scenario?

Yes, Terraform can destroy infrastructure intentionally using the terraform destroy command, or automatically during updates if changes require re-creation of resources.

When to use local values Vs variables. Make it short and to the point

Use variables in Terraform when you need to input values from outside the configuration or when you want to parameterize configurations to enhance reusability and flexibility across different environments.

Use local values to simplify and organize hard-coded values or complex expressions within your configuration, making the code cleaner and easier to maintain.

Where is tfstate file created when using workspaces?

Terraform stores tfstate files for each workspace in the terraform.tfstate.d/<workspace_name>/terraform.tfstate directory.

You created a new DEV workspace, do you have to manually switch to the DEV workspace in order to start using it?

By default, when you create a new workspace you are automatically switched to it.

Which command is used to rename a resource block in Terraform without deleting and recreating it?

Use terraform state mv aws_instance.old_name aws_instance.new_name to rename a Terraform resource without recreation.

Is the Terraform Workspace feature in Terraform Cloud same as the Terraform workspace feature that is present in the free open-source version of Terraform?

No.

Purpose and Scale: Open-source workspaces manage states; Terraform Cloud workspaces manage full environments and configurations for larger scale operations.
Environment Management: Open-source workspaces switch states within configurations, while Terraform Cloud workspaces manage complete, isolated environments with their own configurations and variables.
Integration and Features: Terraform Cloud workspaces include advanced features like VCS integration, access controls, and secrets management, which are not available in the open-source version.
Usage Complexity: Open-source workspaces are simpler and easier to manage, whereas Terraform Cloud workspaces require more setup and are designed for complex organizational use.

Which Terraform files should be ignored by Git when committing code to a repository?

.tfvars files, which are likely to contain sensitive data, such as passwords, private keys, and other secrets. These should not be part of version control as they are data points that are potentially sensitive and subject to change depending on the environment. Along with this, even tfstate files should not be committed. It can contain sensitive data. Instead, it is recommended to have tfstate to a remote backend.

Terraform supports which of the following formats for its configuration files

HCL (HashiCorp Configuration Language.) and JSON

Following is the sample terraform code:output "db_password" { value = aws_db_instance.db.password description = "RDS Password" sensitive = true }

Will the value associated with aws_db_instance.db.password be present within the terraform state file?

Yes, it will be present. Setting an output value in the root module as sensitive prevents Terraform from showing its value in the list of outputs at the end of terraform apply. Sensitive output values are still recorded in the state, and so will be visible to anyone who is able to access the state data.

For the Remote Exec Provisioners, which among the following are the supported connection types?

WinRM (Windows Remote Management, is a protocol used for remote management of Windows machines) and SSH

In the following terraform setting, which provider version satisfies the version constraint of the AWS provider?

1. terraform {
2. required_providers {
3.    aws = "~> 1.1.0"
4.   }
5. }

like 1.1.2, 1.1.9 But not 1.2.x or 2.x.x. It should be within 1.1.x

The Security team has asked for complete segregation between these environments including the backend, and also configurations since there will be different set of resources in each environments. What is the approach to architect the terraform code to facilitate that?

Create a separate set of folders. Each one will be associated with a specific environment. Using workspaces doesn’t work due to different resources.

Which of the following VCS Providers are supported in Terraform Cloud?

List is below.

GitHub
GitHub Enterprise
GitLab.com
GitLab Self-Hosted
Bitbucket Cloud
Bitbucket Server
Azure DevOps Server
Azure DevOps Services

When you run the terraform init operation, is the source code of the reference module also retrieved?

Yes, the terraform init command retrieves the source code of referenced modules to the .terraform/modules directory.

In order to migrate the Terraform state file from localhost to S3 bucket which command should be run?

Use terraform init -migrate-state to migrate the Terraform state file from localhost to an S3 bucket.

How can one retrieve details of a resource created with Terraform without using the AWS console if the output block was omitted?

Use terraform state show <resource> to display detailed information about a specific resource, such as terraform state show aws_eip.lb.

Do Terraform state files include default values and descriptions of variables?

No, While the state file does not store variable definitions (such as default values and descriptions), it does store the resultant values of these variables if they are used in resource configurations.

There is a requirement to use a S3 backend in the newly written Terraform code. Where do you define the backend configuration in Terraform code?

Define the S3 backend configuration in the backend block inside the terraform block in your Terraform configuration files.

What is sentinel used for in terraform cloud?

Sentinel in Terraform Cloud is used as a policy-as-code framework to enforce rules and ensure compliance across Terraform configurations and workflows.

In order to reduce the time it takes to provision resources, Terraform uses parallelism. By default, how many resources will Terraform provision concurrently during a terraform apply?

10

Mutable Vs immutable

In Terraform, "mutable" refers to in-place updates of resources, leading to potential configuration drift, while "immutable" treats resources as replaceable, creating new instances for each change to ensure consistency and reduce drift.

Imperative Vs declarative

Terraform uses a declarative approach, specifying the desired end-state of infrastructure without defining the steps to achieve it, contrasting with the imperative approach that requires explicit command sequences.

By default, the terraform destroy command will prompt the user for confirmation before proceeding.

True

When using the Terraform provider for Vault, the tight integration between these HashiCorp tools provides the ability to mask secrets in the state file.

False. When using the Terraform provider for Vault, the integration does not inherently mask secrets in the Terraform state file. Secrets used as inputs or outputs in Terraform configurations can still be stored in plain text in the state file, which is a known security consideration when using Terraform with sensitive data.

Using the latest versions of Terraform, terraform init cannot automatically download community providers.

False. With the latest versions of Terraform, terraform init can automatically download community providers. More specifically, this feature was added with Terraform 0.13. Before 0.13, terraform init would NOT download community providers.

Which of the following is a valid variable name in Terraform? lifecycle, version, count or invalid

Invalid

How is the lifecycle keyword used? Give an example

In Terraform, the lifecycle block within a resource configuration modifies Terraform's default behavior to manage resource lifecycles in specific ways. Here’s an example of how it can be used:

resource "aws_instance" "example" {
  ami           = "ami-123456"
  instance_type = "t2.micro"

  lifecycle {
    create_before_destroy = true
    prevent_destroy       = true
    ignore_changes        = [
      tags, # Ignore changes to tags, for example
    ]
  }

  tags = {
    Name = "MyInstance"
  }
}

Where are provider plugins stored on a RHEL-based server after running terraform init?

The provider plugins are downloaded and stored in the .terraform/providers directory within the current working directory. This directory is specifically used by Terraform to manage provider plugins.

You are adding a new variable to your configuration. Which of the following is NOT a valid variable type in Terraform? float, number

The answer is: float

Terraform is available for which operating systems?

Terraform is a cross-platform tool and can be installed on several operating systems, including:

Windows: Terraform can be installed on Windows operating systems using the Windows installer.
macOS: Terraform can be installed on macOS using the macOS installer or using Homebrew.
Linux: Terraform can be installed on Linux operating systems using the binary distribution or through package management systems, such as apt or yum.
Unix: Terraform can be installed on Unix-like operating systems using the binary distribution.

There is no Terraform binary for AIX. Terraform is available for macOS, FreeBSD, OpenBSD, Linux, Solaris, and Windows.

What is the difference between terraform apply -replace=aws_instance.web and terraform state rm aws_instance.web?

Using terraform apply -replace=aws_instance.web allows Emma to mark the specific virtual machine resource for replacement without affecting other resources that were created. This command is useful for quickly recreating a single resource. The command terraform state rm aws_instance.web removes the specified resource from the state file, prompting Terraform to recreate the instance during the next apply. This method is not recommended in this scenario as it removes the resource entirely from the state.

After many years of using Terraform Community (Free), you decide to migrate to Terraform Cloud. After the initial configuration, you create a workspace and migrate your existing state and configuration. What Terraform version would the new workspace be configured to use after the migration?

The new workspace in Terraform Cloud will be configured to use the same Terraform version that was used to perform the migration. This ensures compatibility and consistency with the existing state and configuration.

What Terraform command can be used to inspect the current state file?

The command is terraform show.

In Terraform Cloud, a workspace can be mapped to how many VCS repos?

In Terraform Cloud, a workspace can be mapped to one VCS repository. This means each workspace is linked to a single repository from your Version Control System (VCS), providing a one-to-one mapping between a workspace and a repo. This design helps to organize and manage infrastructure as code in a clear and consistent way.

Terraform Cloud can be managed from the CLI but requires what?

An API token is required to manage Terraform Cloud from the CLI.

What is Terraform OSS?

Terraform OSS (Open Source Software) refers to the original open-source version of Terraform.

What is the downside to using Terraform to interact with sensitive data, such as reading secrets from Vault?

Interacting with Vault from Terraform causes any secrets that you read and write to be persisted in both Terraform's state file and in any generated plan files. For any Terraform module that reads or writes Vault secrets, these files should be treated as sensitive and protected accordingly.

True or False? Workspaces provide similar functionality in the open-source and Terraform Cloud versions of Terraform.

Workspaces, managed with the terraform workspace command, isn't the same thing as Terraform Cloud's workspaces. Terraform Cloud workspaces act more like completely separate working directories. CLI workspaces (OSS) are just alternate state files.

Module has a specified version v0.0.5. If we remove the version parameter from the module block and run terraform init again, will terraform download the latest available version of the module instead of the specified v0.0.5?

Terraform would use the existing module already downloaded.

True or False? You can continue using your local Terraform CLI to execute terraform plan and terraform apply operations while using Terraform Cloud as the backend.

This is true. If a module or provider is marked as official, it is owned and maintained by HashiCorp themselves.

Can terraform install plugin from source code?

Providers can be installed using multiple methods, including downloading from a Terraform public or private registry, the official HashiCorp releases page, a local plugins directory, or even from a plugin cache. Terraform cannot, however, install directly from the source code.

Will the default value be found in the state file if no other value was set for the variable?

Yes.

Does terraform init update the state file?

You can run terraform init over and over again and it will not change/modify your state file.

How can I deploy a Terraform configuration to a different AWS region without changing the configuration file?

Use Terraform workspaces and override the region variable at runtime, e.g., terraform apply -var="region=us-west-2".

You need to define a single input variable to support the IP address of a subnet, which is defined as a string, and the subnet mask, which is defined as a number. What type of variable should you use?

Use type = object({ip_address = string, subnet_mask = number}) because it allows for a structured definition with specific types for each field, providing clearer constraints and validation compared to a map, which does not enforce data types for its values.

True or False? Input variables that are marked as sensitive are NOT written to Terraform state.

False; while sensitive values are hidden in CLI outputs, they are still written to the state file, necessitating secure handling of the state.

True or False? In order to use the terraform console command, the CLI must be able to lock state to prevent changes.

True; the command locks the state to ensure consistency while it reads configurations and state data

To skip the refresh step during Terraform apply, you can use the command __

terraform apply -refresh=false

You want Terraform to redeploy a specific resource that it is managing. Type the command you should use to mark the resource for replacement. __

terraform apply -replace

The command __ is used to extract the output variables defined in the Terraform configuration.

terraform output

To automatically apply changes without interactive confirmation, you can use the command __

terraform apply -auto-approve