Maintain Infrastructure with Terraform

Import existing resources, inspect state, and troubleshoot Terraform operations.

This domain covers ongoing maintenance of Terraform-managed infrastructure. It includes importing existing infrastructure into Terraform workspaces, using CLI commands to inspect state and understand current infrastructure, and using verbose logging with TF_LOG for troubleshooting and debugging Terraform operations.

5 minutes 5 Questions

Maintaining infrastructure with Terraform involves ongoing management of your deployed resources throughout their lifecycle. This process encompasses several key practices that ensure your infrastructure remains consistent, secure, and aligned with your desired state. State Management is fundament…

Concepts covered: The terraform import command, Import blocks in configuration, Writing configuration for imported resources, Import workflow and best practices, The terraform state command, terraform state list and show, terraform state mv and rm, terraform output command, TF_LOG environment variable, Log levels and debugging, Troubleshooting provider issues

Test mode:

Exam (Timed)

Practice (With explanations)

Start practice test

TA-004 - Maintain Infrastructure with Terraform Example Questions

Test your knowledge of Maintain Infrastructure with Terraform

Question 1

You are managing a multi-environment Terraform setup for a healthcare organization. After a recent deployment, you discovered that a Lambda function resource 'aws_lambda_function.patient_processor' was imported into the wrong workspace state file. The resource currently exists in the 'staging' workspace state but should be managed by the 'production' workspace. The Lambda function is actively processing patient data and must remain operational throughout the transition. Your team needs to transfer this resource's state entry between workspaces while maintaining the existing infrastructure. What sequence of terraform state commands should you use to accomplish this transfer?

Use 'terraform state list' to identify the resource in staging, then 'terraform state mv' to relocate the resource entry from the staging workspace to the production workspace state file Use 'terraform state pull' to extract the staging state, then 'terraform state rm' to remove the resource from staging, and finally 'terraform import' in the production workspace to add the resource Use 'terraform state pull' from both workspaces to merge them, then run 'terraform state replace-provider' to update the resource references and move the Lambda between workspace states Use 'terraform state show' to capture the resource configuration, then 'terraform state push' to add the resource details into the production workspace state file location

Correct Answer: Use 'terraform state pull' to extract the staging state, then 'terraform state rm' to remove the resource from staging, and finally 'terraform import' in the production workspace to add the resource

The correct approach for transferring a resource's state entry between workspaces involves a three-step process:

First, use 'terraform state pull' in the staging workspace to extract the current state (this allows you to verify and potentially backup the state)
Then, use 'terraform state rm aws_lambda_function.patient_processor' in the staging workspace to remove the resource from the staging state file WITHOUT destroying the actual infrastructure
Finally, switch to the production workspace and use 'terraform import aws_lambda_function.patient_processor ' to add the existing Lambda function to the production workspace state

This sequence ensures the Lambda function remains operational throughout the transition because 'terraform state rm' only removes the resource from Terraform's state tracking - it does not destroy the actual AWS resource.

The second answer suggesting 'terraform state mv' is incorrect because 'terraform state mv' is designed to move resources within the same state file (renaming resources or moving between modules), not between different workspace state files. You cannot directly move a resource from one workspace to another using this command.

The third answer is incorrect because 'terraform state show' only displays resource information and 'terraform state push' is used to overwrite an entire remote state file with a local state file - it cannot selectively add individual resources to a state.

The fourth answer is incorrect because 'terraform state replace-provider' is used for changing provider configurations when migrating between provider versions or namespaces, not for moving resources between workspaces. Merging states is also not a standard or recommended approach for this scenario.

Question 2

A DevOps engineer at a logistics company is using Terraform 1.5+ to import several existing AWS Security Groups into infrastructure-as-code management. The engineer creates import blocks for three security groups and runs terraform plan. The plan output shows that two security groups will be imported successfully, but one security group displays an error stating 'Resource instance not found' even though the security group ID in the import block has been copied from the AWS console. The engineer has verified network connectivity and AWS credentials are working correctly for the other two imports. What is the most likely cause of this import failure?

The security group was created using a different IAM user and requires cross-account access permissions to complete the import operation The resource block definition for that security group is missing required arguments that must be specified before the import can proceed The security group exists in a different AWS region than what is configured in the Terraform provider block for this configuration The import block requires the security group ARN format instead of the security group ID format for proper resource identification

Correct Answer: The security group exists in a different AWS region than what is configured in the Terraform provider block for this configuration

The most likely cause of the import failure is that the security group exists in a different AWS region than what is configured in the Terraform provider block.

When using Terraform's import functionality with AWS resources, the provider configuration determines which AWS region Terraform queries. If the provider is configured for us-east-1 but the security group exists in us-west-2, Terraform will return a 'Resource instance not found' error because it's looking in the wrong region. The fact that two other security groups import successfully while one fails strongly suggests a region mismatch - the successful imports are in the configured region while the failing one is in a different region.

The answer suggesting that ARN format is required instead of security group ID is incorrect. AWS Security Groups are imported using their ID (sg-xxxxxxxx format) with the aws_security_group resource type. The import block accepts the security group ID as the identifier.

The answer about different IAM users and cross-account permissions is incorrect. IAM ownership of who created a resource doesn't affect the ability to import it. As long as the current credentials have permission to describe the security group, the import will work. The scenario also states credentials are working correctly for other imports in the same account.

The answer about missing required arguments in the resource block is incorrect. While you do need a corresponding resource block for the import, the 'Resource instance not found' error specifically indicates Terraform cannot locate the resource in AWS, not that the configuration is incomplete. Configuration validation errors would produce different error messages.

Question 3

What is the primary purpose of the TF_LOG environment variable when troubleshooting Terraform provider issues?

To enable detailed logging output that reveals state file operations and resource dependency graphs To configure the authentication credentials that providers use when connecting to cloud APIs To specify the file path where provider binaries should be downloaded and cached locally To enable detailed logging output that reveals provider communication and API interactions

Correct Answer: To enable detailed logging output that reveals provider communication and API interactions

The TF_LOG environment variable is used to enable detailed logging output that reveals provider communication and API interactions. When troubleshooting Terraform provider issues, setting TF_LOG to levels like DEBUG or TRACE allows you to see the actual HTTP requests and responses between Terraform providers and their respective APIs, authentication flows, and detailed error messages that aren't shown in normal output.

The TF_LOG variable accepts values such as TRACE, DEBUG, INFO, WARN, or ERROR, with TRACE being the most verbose. This is particularly valuable when debugging provider issues because it exposes:
- API calls being made to cloud providers
- Request and response payloads
- Authentication handshakes
- Retry attempts and timeout information

The answer about specifying file paths for provider binaries is incorrect because that functionality is handled by the TF_PLUGIN_CACHE_DIR environment variable or the plugin_cache_dir setting, not TF_LOG.

The answer about configuring authentication credentials is incorrect because authentication is typically configured through provider-specific environment variables (like AWS_ACCESS_KEY_ID, GOOGLE_CREDENTIALS, etc.) or within the provider configuration block itself, not through TF_LOG.

The answer mentioning state file operations and resource dependency graphs is partially misleading. While TF_LOG does show some state-related operations, its primary purpose when troubleshooting provider issues specifically is to reveal the provider-to-API communication, which is what makes it most valuable for diagnosing provider-related problems.

🎓 Unlock Premium Access

HashiCorp Certified: Terraform Associate + ALL Certifications

🎓 Access to ALL Certifications: Study for any certification on our platform with one subscription
3516 Superior-grade HashiCorp Certified: Terraform Associate practice questions
Unlimited practice tests across all certifications
Detailed explanations for every question
TA-004: 5 full exams plus all other certification exams
100% Satisfaction Guaranteed: Full refund if unsatisfied
Risk-Free: 7-day free trial with all premium features!

Start Your Free 7-Day Trial

More Maintain Infrastructure with Terraform questions

327 questions (total)

Start 100 question test