Infrastructure as Code (IaC) with Terraform

Understand the core concepts, benefits, and patterns of Infrastructure as Code using Terraform.

This domain covers the fundamental concepts of Infrastructure as Code (IaC), including what IaC is, the advantages of IaC patterns such as version control, consistency, and automation, and how Terraform specifically enables multi-cloud, hybrid cloud, and service-agnostic infrastructure management workflows.

5 minutes 5 Questions

Infrastructure as Code (IaC) is a methodology that allows you to manage and provision computing infrastructure through machine-readable configuration files rather than manual processes or interactive configuration tools. Terraform, developed by HashiCorp, is one of the leading IaC tools that enable…

Concepts covered: What is Infrastructure as Code, Declarative vs Imperative approaches, IaC configuration files and version control, Consistency and repeatability in infrastructure, Version control and collaboration benefits, Automation and reduced manual errors, Infrastructure documentation as code, Multi-cloud infrastructure management, Hybrid cloud deployment patterns, Provider-agnostic infrastructure workflows

Test mode:

Exam (Timed)

Practice (With explanations)

Start practice test

TA-004 - Infrastructure as Code (IaC) with Terraform Example Questions

Test your knowledge of Infrastructure as Code (IaC) with Terraform

Question 1

Scenario: You are the lead infrastructure engineer at an e-commerce company. Your team recently migrated from a monolithic Terraform configuration to a modular structure with separate directories for networking, compute, and database resources. During a code review, you discover that developers have been copying and modifying shared module code into their local directories instead of referencing the centralized modules. This has created multiple versions of the same module logic scattered across the repository, making updates inconsistent and error-prone. Problem: Which version control and module management strategy should you implement to ensure consistent module usage across all team members?

Implement a CI/CD pipeline that automatically copies the latest module code from a central directory into each developer's workspace before each terraform init command runs Configure Git submodules to embed the shared module repository within each project directory and update the submodule reference when changes are needed Create a separate Git repository for shared modules and reference them using versioned source URLs in module blocks throughout your configurations Establish a protected branch for modules and require developers to use local file paths pointing to the main branch copy of each module in their configurations

Correct Answer: Create a separate Git repository for shared modules and reference them using versioned source URLs in module blocks throughout your configurations

The correct approach is to create a separate Git repository for shared modules and reference them using versioned source URLs in module blocks throughout your configurations.

This solution directly addresses the problem of inconsistent module usage across the team. By hosting modules in a dedicated repository, you establish a single source of truth for all shared infrastructure code. Using versioned source URLs (such as Git tags or commit SHAs) in module blocks ensures that:

All team members reference the exact same module code
Module versions can be pinned and upgraded deliberately
Changes to modules go through proper review processes
Teams can test new module versions before adopting them
Breaking changes can be managed through semantic versioning

Example module source reference:

module "networking" {
source = "git::https://github.com/company/terraform-modules.git//networking?ref=v1.2.0"
}

The approach of using protected branches with local file paths is problematic because local file paths require the module code to exist on the same filesystem, which doesn't translate well across different developer workstations and CI/CD environments. This doesn't prevent developers from modifying local copies.

Using Git submodules adds unnecessary complexity to the workflow. Submodules are notoriously difficult to manage, require additional Git commands to update, and can lead to confusion about which version is being used. Terraform's native module sourcing capabilities are more straightforward and purpose-built for this use case.

Implementing a CI/CD pipeline to copy module code into workspaces is an anti-pattern. This approach adds complexity, introduces race conditions, obscures which module version is being used, and doesn't prevent developers from modifying the copied code locally. It also doesn't leverage Terraform's built-in module management capabilities.

Question 2

A small e-commerce startup wants to deploy their application using Terraform across both AWS and Google Cloud Platform. They plan to host their frontend on AWS CloudFront and their backend APIs on GCP Cloud Run. The team has written a single Terraform configuration file containing resources for both providers. During the first terraform apply, they receive authentication errors for GCP while AWS resources are created successfully. The team has confirmed that both cloud CLI tools work correctly from the command line. What is the most likely cause of this issue and how should they resolve it?

The GCP resources are being created before the provider is initialized, so they should add a depends_on meta-argument referencing the GCP provider in each GCP resource block The GCP provider block is missing required authentication configuration such as credentials file path or project settings, which need to be added to the provider block The AWS provider block is consuming all available authentication tokens, so they should configure separate provider blocks with explicit credential sources for each cloud platform The Terraform version is incompatible with multi-cloud deployments, so they should upgrade to the latest Terraform version and run terraform init with the upgrade flag to refresh all provider plugins

Correct Answer: The GCP provider block is missing required authentication configuration such as credentials file path or project settings, which need to be added to the provider block

The most likely cause of this issue is that the GCP provider block is missing required authentication configuration. While the AWS provider can automatically detect credentials from environment variables, AWS CLI configuration files, or IAM roles, the Google Cloud provider often requires explicit configuration of the credentials file path and project ID in the provider block.

When using multiple cloud providers in Terraform, each provider needs to be properly configured with its authentication settings. The fact that the GCP CLI works from the command line doesn't automatically mean Terraform can use those same credentials - Terraform providers have their own authentication mechanisms.

For GCP, the provider block typically needs:
- The credentials argument pointing to a service account JSON key file, OR
- The GOOGLE_APPLICATION_CREDENTIALS environment variable set, OR
- The project argument specifying the GCP project ID

The correct solution is to add the required authentication configuration to the GCP provider block, such as:

provider "google" {
credentials = file("path/to/service-account.json")
project = "my-project-id"
region = "us-central1"
}

The other options are incorrect:

AWS does not 'consume authentication tokens' that would affect GCP. Provider authentication is completely independent between different cloud providers.
Using depends_on with provider references is not valid Terraform syntax. Providers are initialized during terraform init, and resources don't need explicit dependencies on their providers - this relationship is implicit.
Multi-cloud deployments work fine with current Terraform versions. This is not a version compatibility issue - it's a straightforward authentication configuration problem with the GCP provider.

Question 3

Nexus Technologies operates a healthcare platform with strict HIPAA compliance requirements. Their infrastructure team of 10 engineers manages Terraform configurations for patient data systems. During a recent security audit, the auditor requested documentation showing every change made to the encryption module over the past year, including timestamps, authors, and the specific lines of code modified in each update. The team currently has all configurations in a Git repository but has been making changes through direct pushes to the main branch. The compliance manager needs to demonstrate granular traceability for regulatory purposes. Which version control practice would provide the most comprehensive audit trail for meeting these compliance documentation requirements?

Create separate repositories for each compliance domain and maintain synchronization logs between them with automated reconciliation processes Configure automated snapshots of the repository every hour and store them in a separate compliance archive with retention policies enabled Implement a tagging strategy where each release is tagged with version numbers and deploy timestamps for tracking major infrastructure changes Enforce atomic commits with descriptive messages that reference ticket numbers and include detailed change summaries for each modification

Correct Answer: Enforce atomic commits with descriptive messages that reference ticket numbers and include detailed change summaries for each modification

For HIPAA compliance and regulatory audit requirements, enforcing atomic commits with descriptive messages that reference ticket numbers and include detailed change summaries provides the most comprehensive audit trail.

This approach directly addresses the auditor's requirements because:

Timestamps: Git automatically records the exact date and time of each commit, providing precise temporal tracking of all changes.
Authors: Every commit in Git captures the author's identity, showing exactly who made each modification to the encryption module.
Specific lines of code modified: Git's diff functionality shows exactly which lines were added, removed, or modified in each commit. Atomic commits (small, focused changes) make it easy to trace specific changes.
Ticket number references: Linking commits to tickets creates a complete paper trail connecting business justification to code changes, which is essential for compliance documentation.
Detailed change summaries: Descriptive commit messages explain the 'why' behind each change, providing context for auditors.

The other options fall short of meeting the compliance requirements:

Automated hourly snapshots would create redundant copies but wouldn't provide granular traceability of individual changes, authors, or specific line modifications. This approach obscures rather than clarifies the change history.
A tagging strategy for releases only captures major milestones, not the granular day-to-day changes to the encryption module. Auditors need to see every change, not just release points.
Creating separate repositories for compliance domains adds complexity and fragmentation. It doesn't inherently improve audit trails and could actually make it harder to trace changes across the infrastructure, potentially creating compliance gaps in the synchronization process.

🎓 Unlock Premium Access

HashiCorp Certified: Terraform Associate + ALL Certifications

🎓 Access to ALL Certifications: Study for any certification on our platform with one subscription
3516 Superior-grade HashiCorp Certified: Terraform Associate practice questions
Unlimited practice tests across all certifications
Detailed explanations for every question
TA-004: 5 full exams plus all other certification exams
100% Satisfaction Guaranteed: Full refund if unsatisfied
Risk-Free: 7-day free trial with all premium features!

Start Your Free 7-Day Trial

More Infrastructure as Code (IaC) with Terraform questions

297 questions (total)

Start 100 question test