Terraform Associate Certification Exam (003): tips and Recommended Courses
Among the certifications obtained in 2023, one that particularly piqued my interest was the Terraform Associate certification. Being relatively new to the world of Infrastructure as Code (IAC), I seized the opportunity to study for this exam while simultaneously diving into practical use of Terraform.
This certification goes beyond mere theory; on the contrary, many questions require hands-on coding skills, adapting to specific circumstances.
I’ll share the references I used for my preparation and provide some practical tips for addressing recurring themes in this exam. Get ready to explore the world of Terraform and gain a practical perspective that extends beyond mere certification theory.
Recommended resources
First of all, this is the official page with the details of the exam:
HashiCorp Cloud Engineer Certification — Terraform Associate 003
For any uncertainty or concept that may not be sufficiently clear, ALWAYS refer to the OFFICIAL Terraform DOCUMENTATION:
Documentation | Terraform | HashiCorp Developer
Other Medium members provide articles that I found very helpful for my preparation:
- Here are the links to the best courses available on YouTube.
- This is a collection of 250 practice questions to prepare for the exam.
- If you are looking for practice simulations on Udemy, i recommend those by Bryan Krausen
Here are some tips on the most important topics you need to know for the exam
How Terraform recreate resource without having to destroy everything that was created?
The terraform apply -replace command manually marks a Terraform-managed resource for replacement, forcing it to be destroyed and recreated on the apply execution.
You could also use terraform destroy -target <virtual machine> and destroy only the virtual machine and then run a terraform apply again. (virtual machine is an example).
How Terraform manage resources created manually?
The terraform import command is used to import existing resources into Terraform. This allows you to take resources that you’ve created by some other means and bring them under Terraform management. Note that terraform import DOES NOT generate configuration, it only modifies state. You’ll still need to write a configuration block for the resource for which it will be mapped using the terraform import command.
How can we destroy all Terraform-managed resources except for a single resource?
To destroy all Terraform-managed resources except for a single resource, you can use the terraform state command to remove the state for the resources you want to preserve (terraform state rm ..). This effectively tells Terraform that those resources no longer exist, so it will not attempt to destroy them when you run terraform destroy.
Where are plugins downloaded and stored on the server?
By default, terraform init downloads plugins into a subdirectory of the working directory: .terraform/providers
so that each working directory is self-contained. See the example below, where I ran a terraform init and you can see the resulting directory (highlighted in the red box) and then the actual provider that was downloaded (highlighted by the green arrow)
Where does Terraform Open Source (OSS) store the local state for workspaces?
Terraform Open Source (OSS) stores the local state for workspaces in a file on disk. For local state, Terraform stores the workspace states in a directory called terraform.tfstate.d/<workspace_name>. Here’s a screenshot of a Terraform run that was created using a workspace called training.
When using modules to deploy infrastructure, how would you export a value from one module to import into another module?
Output values are like the return values of a Terraform module and have several uses such as a child module using those outputs to expose a subset of its resource attributes to a parent module. Output variables allow a module to export specific data that can be used by other modules or by your main configuration file.
Module with output variable: Suppose you have a module called module1 and you wish to export a variable called my_value from this module:
output “my_value” {
value = “the value that you want to export”
}
Main module or configuration importing value: to import the value exported by module module1, you must refer to the module using its source in your main module or configuration file:
module “my_module” {
source = “./path/to/module1”
}
resource “example_resource” “my_resource” {
some_property = module.my_module.my_value
}
True or False? You can migrate the Terraform backend but only if there are no resources currently being managed.
False. You can migrate the Terraform backend even if there are resources currently being managed. However, it requires careful planning and execution to avoid disruptions in the infrastructure
A backend migration in Terraform is a process that allows you to move your existing state file from one state backend to another. This may be necessary for various reasons, for instance when you want to move from a local backend (such as the file) to a remote backend (such as Amazon’s S3) or when you want to change the path or configuration of the backend.
Here is a general procedure for migrating a backend to Terraform:
- Configure the new backend: First of all, you have to configure the new backend you want to use in your Terraform configuration file (usually in a file called backend.tf). For example, if you want to migrate from a local backend to an Amazon S3 backend, you can configure the new backend as follows:
terraform {
backend “s3” {
bucket = “my-terraform-state-bucket”
key = “path/to/your/terraform.tfstate”
region = “us-west-2”
encrypt = true
}
}
- Run terraform init: after configuring the new backend, run the terraform init command to initialise your terraform project with the new backend.
- Verify the new backend: after terraform init has copied the state file to the new backend, you can run terraform state list or other terraform state commands to verify that the resources have been correctly migrated to the new backend.
- Optional: remove the old backend.
- Update the configuration: now that your project is using the new backend, make sure that the terraform configuration and status files refer to the new backend.
What command should be run in order to complete the state migration while copying the existing state to the new backend?
Whenever a configuration’s backend changes, you must run terraform init again to validate and configure the backend before you can perform any plans, applies, or state operations. Re-running init with an already-initialized backend will update the working directory to use the new backend settings. Either -reconfigure or -migrate-state must be supplied to update the backend configuration.
Which configuration block type is used to declare settings and behaviors specific to Terraform?
In Terraform, the terraform block is used to configure Terraform settings and to specify a required version constraint for the Terraform CLI.
The terraform block is optional and is typically placed at the top of a Terraform configuration file. It can also be used to configure other settings such as the maximum number of concurrent operations (max_parallelism), the number of retries for failed operations (retryable_errors), and the default input values for variables (default).
Some resources failed to deploy due to incorrect variables. After the error is discovered, what happens to the resources that were successfully provisioned?
During a terraform apply, any resources that are successfully provisioned are maintained as deployed. On the other hand, resources that failed during the provisioning process, such as a provisioned, will be tainted to be recreated during the next run.
What happens if i run terraform apply command without having an associated status file?
If there is no state file associated with a Terraform configuration file, a terraform apply will create the resources defined in the configuration file. This is a normal workflow during the first terraform apply that is executed against a configuration file. This, of course, assumes that the directory has been initialized using a terraform init.
What happens if i run terraform apply and have a configuration file with no resources and a status file with existing resources?
In this case, since there is a state file with resources, Terraform will match the desired state of no resources since the configuration file doesn’t include any resources. Therefore, all resources defined in the state file will be destroyed.
How can we protect the data in the Status File?
If you manage any sensitive data with Terraform, treat the state itself as sensitive data. Storing state remotely can provide better security. As of Terraform 0.9, Terraform does not persist state to the local disk when remote state is in use, and some backends can be configured to encrypt the state data at rest.
- Terraform Cloud always encrypts state at rest and protects it with TLS in transit. Terraform Cloud also knows the identity of the user requesting state and maintains a history of state changes. This can be used to control access and track activity. Terraform Enterprise also supports detailed audit logging.
- The S3 backend supports encryption at rest when the encrypt option is enabled. IAM policies and logging can be used to identify any invalid access. Requests for the state go over a TLS connection.
Mastering IAC, Your Key to 2024 Success
Mastering Infrastructure as Code (IAC) is poised to be a crucial skill in 2024, providing a significant edge in the ever-evolving tech landscape. Best of luck to those preparing for the exam: may your learning journey lead you to new heights of success!