Terraform Workflow and CLI

Terraform Workflow and CLI Quiz

Quiz

Question 1 of 46 (0 answered)

Question 1

Arrange the core Terraform workflow steps in the correct order:

Drag to arrange from first to last

⋮⋮ WRITE (author .tf files)

⋮⋮ INIT (initialize workspace)

⋮⋮ PLAN (preview changes)

⋮⋮ APPLY (execute changes)

✓

Correct!

The correct Terraform workflow is: Write configuration → Init workspace → Plan changes → Apply changes. This ensures you always initialize before planning and preview before applying.

✗

Incorrect

The correct Terraform workflow is: Write configuration → Init workspace → Plan changes → Apply changes. This ensures you always initialize before planning and preview before applying.

Question 2

What is the primary purpose of the terraform init command?

To preview infrastructure changes To prepare the working directory for Terraform operations To apply configuration changes To validate syntax

✓

Correct!

terraform init prepares your working directory by downloading provider plugins, initializing the backend, installing modules, and creating/updating the lock file.

✗

Incorrect

terraform init prepares your working directory by downloading provider plugins, initializing the backend, installing modules, and creating/updating the lock file.

Think about what happens when you first set up a Terraform project.

Question 3

What does terraform init do?

Creates .terraform/ directory Downloads provider plugins Initializes backend for state storage Applies infrastructure changes Downloads modules if any Creates or updates .terraform.lock.hcl

✓

Correct!

terraform init creates the .terraform/ directory, downloads providers, initializes the backend, downloads modules, and manages the lock file. It does NOT apply infrastructure changes.

✗

Incorrect

terraform init creates the .terraform/ directory, downloads providers, initializes the backend, downloads modules, and manages the lock file. It does NOT apply infrastructure changes.

Init prepares the workspace but doesn’t make infrastructure changes.

Question 4

What directory does terraform init create to store downloaded provider plugins?

✓

Correct!

The .terraform/ directory is created during initialization and contains downloaded provider plugins, modules, and workspace information. It should be excluded from version control.

✗

Incorrect

The .terraform/ directory is created during initialization and contains downloaded provider plugins, modules, and workspace information. It should be excluded from version control.

It’s a hidden directory that starts with a dot.

Question 5

The .terraform/ directory should be committed to version control.

True False

✓

Correct!

The .terraform/ directory should NOT be committed to version control (add to .gitignore) because it contains downloaded plugins and can be regenerated with terraform init. However, .terraform.lock.hcl should be committed.

✗

Incorrect

Think about whether downloaded plugins should be in Git.

Question 6

What is the purpose of the Terraform State File?

Terraform State File (terraform.tfstate)

The state file is Terraform’s database of managed infrastructure. It serves to:

Map configuration to real-world resources - Links your .tf code to actual cloud resources
Track metadata - Stores dependencies and provider information
Improve performance - Caches attribute values to avoid constant API queries
Enable collaboration - Allows teams to share infrastructure state

⚠️ Contains sensitive data (passwords, keys) and should never be manually edited.

Did you get it right?

✓

Correct!

✗

Incorrect

Question 7

During terraform plan, how does Terraform detect state drift?

It only reads the local state file It queries the cloud provider for actual resource state and compares with the state file It scans the entire cloud account for all resources It checks Git history for changes

✓

Correct!

During plan, Terraform refreshes its in-memory state by querying the actual cloud resources listed in the state file. It compares the actual state with what’s recorded in the state file to detect drift.

✗

Incorrect

Think about how Terraform knows if someone made manual changes in the console.

Question 8

Which scenarios cause state drift?

Manual changes in the cloud console Running terraform plan External tools (Ansible/scripts) modifying infrastructure Resource deletion in the console Running terraform apply Emergency hotfixes applied directly

✓

Correct!

State drift occurs when actual infrastructure differs from what’s recorded in the state file. This happens through manual console changes, external tools, resource deletions, and emergency hotfixes. terraform plan and apply don’t cause drift—they detect and reconcile it.

✗

Incorrect

Drift happens when changes are made outside of Terraform.

Question 9

Terraform can detect drift for any resource that exists in your cloud account.

True False

✓

Correct!

FALSE. Terraform can ONLY detect drift for resources it already manages (i.e., resources in its state file). Resources created outside Terraform are invisible to drift detection. This is by design—Terraform only manages what you tell it to manage.

✗

Incorrect

Think about the scope of what Terraform tracks.

Question 10

Complete the command to detect drift without making any infrastructure changes:

Fill in the missing flag

terraform plan _____

Your answer:

✓

Correct!

terraform plan -refresh-only detects drift by refreshing the state without planning any infrastructure changes. To update the state to match reality, use terraform apply -refresh-only.

✗

Incorrect

terraform plan -refresh-only detects drift by refreshing the state without planning any infrastructure changes. To update the state to match reality, use terraform apply -refresh-only.

Question 11

What symbol in terraform plan output indicates a resource will be destroyed and then recreated?

-/+

✓

Correct!

The -/+ symbol indicates a resource will be replaced (destroyed then recreated). This happens when certain attributes change that require replacement, causing the resource ID to change.

✗

Incorrect

The -/+ symbol indicates a resource will be replaced (destroyed then recreated). This happens when certain attributes change that require replacement, causing the resource ID to change.

It combines the destroy and create symbols.

Question 12

What does ‘known after apply’ mean in Terraform plan output?

‘known after apply’

This appears in plan output when a value cannot be determined until the resource is actually created.

Example:

+ public_ip = (known after apply)

This happens because:

The cloud provider assigns the value (e.g., AWS assigns the public IP)
Terraform can’t predict what the provider will assign
The value becomes known only after the resource is created

Common examples: resource IDs, auto-assigned IPs, generated ARNs

Did you get it right?

✓

Correct!

✗

Incorrect

Question 13

Arrange these steps in the correct order during terraform apply:

Drag to arrange in execution order

⋮⋮ Generate plan

⋮⋮ Request approval

⋮⋮ Lock state

⋮⋮ Execute changes

⋮⋮ Update state

⋮⋮ Unlock state

✓

Correct!

The apply process: Generate plan → Request approval → Lock state → Execute changes → Update state → Unlock state. State locking prevents concurrent modifications.

✗

Incorrect

The apply process: Generate plan → Request approval → Lock state → Execute changes → Update state → Unlock state. State locking prevents concurrent modifications.

Question 14

What is the default parallelism value for terraform apply (how many resources can be created simultaneously)?

✓

Correct!

Terraform applies changes with a default parallelism of 10, meaning it can create/modify up to 10 resources simultaneously. This can be controlled with the -parallelism flag.

✗

Incorrect

Terraform applies changes with a default parallelism of 10, meaning it can create/modify up to 10 resources simultaneously. This can be controlled with the -parallelism flag.

It’s a two-digit number.

Question 15

What happens when you run terraform apply without a saved plan?

It fails with an error It applies the last plan that was run It re-generates the plan and prompts for approval It applies changes without showing them

✓

Correct!

When you run terraform apply without a saved plan, it re-generates the plan (same as running terraform plan), shows you the changes, and then prompts for approval before applying.

✗

Incorrect

When you run terraform apply without a saved plan, it re-generates the plan (same as running terraform plan), shows you the changes, and then prompts for approval before applying.

Terraform always shows you what will happen before applying.

Question 16

During terraform apply, Terraform acquires a state lock to prevent concurrent modifications.

True False

✓

Correct!

TRUE. When using backends that support locking (like S3 with DynamoDB), Terraform acquires a state lock during apply to prevent multiple users from modifying state simultaneously, which prevents state corruption.

✗

Incorrect

Think about what happens when two people run terraform apply at the same time.

Question 17

Complete the command to apply changes without the confirmation prompt:

Fill in the missing flag

terraform apply _____

Your answer:

✓

Correct!

The -auto-approve flag skips the interactive approval prompt. Use with caution, especially in production!

✗

Incorrect

The -auto-approve flag skips the interactive approval prompt. Use with caution, especially in production!

Question 18

Which commands should you run after writing Terraform configuration files but before applying changes?

terraform fmt terraform validate terraform destroy terraform init terraform plan terraform output

✓

Correct!

The proper workflow is: terraform fmt (format code) → terraform validate (check syntax) → terraform init (initialize) → terraform plan (preview changes) → terraform apply. Destroy and output come later.

✗

Incorrect

Think about the logical order: format, validate, initialize, preview.

Question 19

What does the terraform fmt command do?

Validates configuration syntax Formats code to canonical style Creates a new configuration file Shows the state file contents

✓

Correct!

terraform fmt formats Terraform configuration files to a canonical style, ensuring consistent formatting. Use terraform fmt -recursive to format all subdirectories.

✗

Incorrect

terraform fmt formats Terraform configuration files to a canonical style, ensuring consistent formatting. Use terraform fmt -recursive to format all subdirectories.

fmt is short for format.

Question 20

What is the purpose of the .terraform.lock.hcl file?

Provider Dependency Lock File (.terraform.lock.hcl)

Ensures consistent provider versions across team members and environments.

Without lock file:

Developer A uses AWS provider 5.84.0
Developer B uses AWS provider 5.85.0 (newer release)
CI/CD uses AWS provider 5.86.0
Result: Inconsistent behavior, potential bugs

With lock file:

All developers use the exact same provider version
Prevents unexpected changes from provider updates
Should be committed to version control

Update providers: terraform init -upgrade

Did you get it right?

✓

Correct!

✗

Incorrect

Question 21

The .terraform.lock.hcl file should be committed to version control.

True False

✓

Correct!

TRUE. The lock file should be committed to ensure all team members and CI/CD systems use the same provider versions, preventing inconsistent behavior.

✗

Incorrect

TRUE. The lock file should be committed to ensure all team members and CI/CD systems use the same provider versions, preventing inconsistent behavior.

Think about ensuring consistency across the team.

Question 22

How do you upgrade provider versions within the constraints defined in your configuration?

terraform update terraform init -upgrade terraform apply -upgrade terraform provider upgrade

✓

Correct!

terraform init -upgrade upgrades providers to the latest version allowed by your version constraints and updates the lock file accordingly.

✗

Incorrect

terraform init -upgrade upgrades providers to the latest version allowed by your version constraints and updates the lock file accordingly.

It’s a flag added to the init command.

Question 23

Complete the command to save a plan to a file named ’tfplan':

Fill in the missing part

terraform plan _____

Your answer:

✓

Correct!

terraform plan -out=tfplan saves the plan to a file. You can then apply this exact plan with terraform apply tfplan, which skips the approval prompt since the plan was already reviewed.

✗

Incorrect

terraform plan -out=tfplan saves the plan to a file. You can then apply this exact plan with terraform apply tfplan, which skips the approval prompt since the plan was already reviewed.

Question 24

What exit codes does terraform plan -detailed-exitcode return?

0=success, 1=error 0=no changes, 1=error, 2=changes present 0=no changes, 1=changes present 0=success, 2=error

✓

Correct!

With -detailed-exitcode, terraform plan returns: 0 (no changes needed), 1 (error occurred), or 2 (changes are present). This is useful in CI/CD pipelines to determine if infrastructure drift exists.

✗

Incorrect

There are three possible exit codes.

Question 25

Which terraform state commands DO NOT modify actual cloud infrastructure?

terraform state list terraform state show terraform state mv terraform state rm terraform destroy

✓

Correct!

All terraform state commands only modify the state file, not actual infrastructure. terraform state rm removes from state but doesn’t destroy the resource. Only terraform destroy actually deletes cloud resources.

✗

Incorrect

State commands modify the state file, not the cloud.

Question 26

What is the difference between ’terraform state rm’ and ’terraform destroy'?

terraform state rm vs terraform destroy

terraform state rm <resource>

Removes resource from state file only
Resource continues to exist in the cloud
Terraform stops managing it
Use case: Move resource out of Terraform management

terraform destroy

Actually deletes resources from the cloud
Updates state file to reflect deletion
Resource is permanently removed
Use case: Clean up infrastructure

⚠️ Critical: state rm doesn’t destroy—it just stops tracking!

Did you get it right?

✓

Correct!

✗

Incorrect

Question 27

How do you bring an existing cloud resource under Terraform management?

terraform state add terraform import <resource_address> <resource_id> terraform adopt <resource_id> terraform state create

✓

Correct!

terraform import brings existing resources into Terraform management. Syntax: terraform import aws_instance.web i-0abc123. You must also add the corresponding configuration to your .tf files.

✗

Incorrect

terraform import brings existing resources into Terraform management. Syntax: terraform import aws_instance.web i-0abc123. You must also add the corresponding configuration to your .tf files.

The command is ‘import’.

Question 28

Complete the command to force recreation of a specific resource:

Fill in the missing flag

terraform apply _____ aws_instance.web

Your answer:

✓

Correct!

terraform apply -replace=aws_instance.web forces Terraform to destroy and recreate the specified resource, even if no configuration changes require it. This replaced the deprecated -taint flag.

✗

Incorrect

terraform apply -replace=aws_instance.web forces Terraform to destroy and recreate the specified resource, even if no configuration changes require it. This replaced the deprecated -taint flag.

Question 29

When should you run terraform init?

First time in a new directory After adding new providers After changing backend configuration Every time before terraform plan When cloning a repository After modifying resource configurations

✓

Correct!

Run terraform init when first using a directory, adding providers, changing backends, cloning a repo, or upgrading provider versions. You don’t need to run it every time or after just modifying resources.

✗

Incorrect

Init is needed when the workspace setup changes, not for every operation.

Question 30

What does the ~ symbol mean in terraform plan output?

Resource will be created Resource will be updated in-place Resource will be destroyed Resource will be replaced

✓

Correct!

The ~ symbol indicates an in-place update—the resource will be modified without destroying and recreating it. The resource ID stays the same.

✗

Incorrect

The ~ symbol indicates an in-place update—the resource will be modified without destroying and recreating it. The resource ID stays the same.

Think of the tilde as representing a small change.

Question 31

What are Terraform Workspaces and when should you use them?

Terraform Workspaces

Workspaces are named state instances for the same configuration, allowing you to manage multiple environments.

Commands:

terraform workspace list - Show all workspaces
terraform workspace new staging - Create workspace
terraform workspace select prod - Switch workspace
terraform workspace show - Show current workspace

Use case: Same code, different environments (dev/staging/prod)

Each workspace has its own state file
Easy to switch between environments

⚠️ Note: For production use, many teams prefer separate directories/repos rather than workspaces for better isolation.

Did you get it right?

✓

Correct!

✗

Incorrect

Question 32

The terraform.tfstate.backup file is automatically created by Terraform as a backup of the previous state.

True False

✓

Correct!

TRUE. Terraform automatically creates a backup of the previous state in terraform.tfstate.backup before updating the state file. This provides a safety net if the state gets corrupted.

✗

Incorrect

TRUE. Terraform automatically creates a backup of the previous state in terraform.tfstate.backup before updating the state file. This provides a safety net if the state gets corrupted.

Think about Terraform’s built-in safety mechanisms.

Question 33

You encounter a state lock error. What command can force-unlock the state?

terraform unlock terraform state unlock terraform force-unlock terraform apply -force

✓

Correct!

terraform force-unlock <lock-id> can force-release a stuck state lock. Use with extreme caution—only when you’re certain no one else is running Terraform, as forcing unlock during an active operation can corrupt the state.

✗

Incorrect

The command includes ‘force-unlock’.

Question 34

Which files/directories should be committed to version control in a Terraform project?

main.tf .terraform/ .terraform.lock.hcl terraform.tfstate variables.tf outputs.tf

✓

Correct!

Commit: Configuration files (.tf files) and the lock file (.terraform.lock.hcl). Do NOT commit: .terraform/ directory (regenerable) and terraform.tfstate (contains secrets, use remote backend instead).

✗

Incorrect

Commit code and lock file, not cache or state.

Question 35

What command displays the current state in JSON format?

terraform state json terraform show -json terraform output -json terraform export -json

✓

Correct!

terraform show -json displays the current state in JSON format. This is useful for parsing state data in scripts or for integration with other tools.

✗

Incorrect

terraform show -json displays the current state in JSON format. This is useful for parsing state data in scripts or for integration with other tools.

It’s the show command with a flag.

Question 36

Complete the command to list all resources in the state file:

Fill in the missing subcommand

terraform state _____

Your answer:

✓

Correct!

terraform state list shows all resources currently managed in the state file. This is useful for getting an overview of what Terraform is managing.

✗

Incorrect

terraform state list shows all resources currently managed in the state file. This is useful for getting an overview of what Terraform is managing.

Question 37

Terraform state files can contain sensitive information like passwords and API keys.

True False

✓

Correct!

TRUE. State files often contain sensitive data including passwords, API keys, and other secrets. This is why you should never commit state files to version control and should use remote backends with encryption.

✗

Incorrect

Think about what data Terraform needs to track about resources.

Question 38

What is the purpose of the terraform validate command?

Validates that infrastructure is running correctly Checks configuration syntax and internal consistency Validates credentials with cloud providers Checks if the state file is valid

✓

Correct!

terraform validate checks the syntax and internal consistency of your configuration files. It validates the configuration without accessing remote state or provider APIs.

✗

Incorrect

terraform validate checks the syntax and internal consistency of your configuration files. It validates the configuration without accessing remote state or provider APIs.

It validates the configuration files themselves.

Question 39

What is the scope of Terraform’s state drift detection?

Scope of Drift Detection

CAN DETECT (Managed Resources): ✅ Changes to resources in the state file ✅ Modified attributes (e.g., instance type changed from t2.micro to t2.small) ✅ Deleted resources that Terraform manages ✅ Tags added/removed from managed resources

CANNOT DETECT (Unmanaged Resources): ❌ New resources created outside Terraform ❌ Resources in other regions not managed by Terraform ❌ Resources created by other teams/tools

Key Point: Terraform only queries resources listed in its state file. It does NOT scan your entire cloud account.

Solution: Use terraform import for existing resources or cloud inventory tools to discover unmanaged resources.

Did you get it right?

✓

Correct!

✗

Incorrect

Question 40

During the plan phase, Terraform queries the cloud provider. What does this step accomplish?

It creates new resources It refreshes in-memory state by getting actual resource state from the provider It deletes resources It validates credentials

✓

Correct!

During plan, Terraform refreshes its in-memory state by querying the cloud provider for the actual current state of resources listed in the state file. This allows it to detect drift and calculate required changes.

✗

Incorrect

Think about what Terraform needs to know before planning changes.

Question 41

What are best practices for managing state drift?

Avoid manual changes in cloud console Delete the state file and regenerate it Run terraform plan regularly Use terraform apply -refresh-only to reconcile drift Edit the state file manually Limit who can manually modify infrastructure

✓

Correct!

Best practices: Avoid manual changes, run plan regularly, use refresh-only to reconcile, and limit manual access. NEVER delete or manually edit state files—this can cause serious issues.

✗

Incorrect

Best practices: Avoid manual changes, run plan regularly, use refresh-only to reconcile, and limit manual access. NEVER delete or manually edit state files—this can cause serious issues.

Think about preventing drift and safely handling it when it occurs.

Question 42

Complete the command to target a specific resource during apply:

Fill in the missing flag

terraform apply _____ aws_instance.web

Your answer:

✓

Correct!

terraform apply -target=aws_instance.web applies changes only to the specified resource and its dependencies. Use sparingly—targeting can cause inconsistencies.

✗

Incorrect

terraform apply -target=aws_instance.web applies changes only to the specified resource and its dependencies. Use sparingly—targeting can cause inconsistencies.

Question 43

What command would you use to see details about a specific resource from the state file?

terraform state get aws_instance.web terraform state show aws_instance.web terraform show aws_instance.web terraform inspect aws_instance.web

✓

Correct!

terraform state show aws_instance.web displays detailed information about a specific resource from the state file, including all its attributes.

✗

Incorrect

terraform state show aws_instance.web displays detailed information about a specific resource from the state file, including all its attributes.

It’s a state subcommand.

Question 44

Running ’terraform plan’ with the -refresh=false flag will skip querying the cloud provider for actual resource state.

True False

✓

Correct!

TRUE. The -refresh=false flag skips the refresh step, meaning Terraform won’t query the cloud provider and will use only what’s in the state file. This is faster but won’t detect drift.

✗

Incorrect

TRUE. The -refresh=false flag skips the refresh step, meaning Terraform won’t query the cloud provider and will use only what’s in the state file. This is faster but won’t detect drift.

The flag name indicates what it does.

Question 45

What happens to a resource when you run terraform state rm on it?

The resource is destroyed in the cloud The resource is removed from state but continues to exist in the cloud The resource is moved to a different state file The resource is marked for deletion

✓

Correct!

terraform state rm removes the resource from the state file only—the actual resource continues to exist in the cloud. Terraform simply stops managing it. The resource is NOT destroyed.

✗

Incorrect

terraform state rm removes the resource from the state file only—the actual resource continues to exist in the cloud. Terraform simply stops managing it. The resource is NOT destroyed.

State commands don’t affect actual infrastructure.

Question 46

How does State Locking work in Terraform?

State Locking

Prevents concurrent state modifications that could corrupt the state file.

How it works:

User A runs terraform apply
Terraform acquires a lock (e.g., in DynamoDB)
User B tries to run terraform apply
User B gets an error: “state is locked by User A”
User A completes, releases the lock
User B can now proceed

Backends with locking:

S3 (with DynamoDB table)
Terraform Cloud
Azure Blob Storage
Google Cloud Storage

Local backend: No locking support (not safe for teams)

Force unlock (emergency only): terraform force-unlock <lock-id>

Did you get it right?

✓

Correct!

✗

Incorrect

Quiz Results

Score

0/0

Accuracy

Right

Wrong

Skipped

Last updated on January 6, 2026

Terraform Introduction Configuration Basics