004 — HashiCorp Certified: Terraform Associate Exam Blueprint

Last revised: June 29, 2026

Practical exam blueprint for the HashiCorp Certified: Terraform Associate (004) exam, covering Terraform workflow, configuration, state, modules, providers, and HCP Terraform readiness.

How to use this exam blueprint

Use this page as an independent readiness map for the HashiCorp Certified: Terraform Associate (004) exam from HashiCorp. It is designed to help you turn broad Terraform exam topics into concrete review tasks.

Do not treat the order of topics as an exam weighting. Instead, use the checklist to answer three questions:

Can I explain the concept clearly?
Can I recognize the right Terraform command, file, or workflow in a scenario?
Can I avoid common traps around state, dependencies, variables, modules, and remote execution?

A good final-review target: for each row below, you should be able to explain the concept, identify the relevant Terraform artifact, and predict what Terraform will do next.

Topic-area readiness table

Readiness area	You should be able to explain	You should be able to do	Quick self-check
Infrastructure as Code	Why Terraform uses declarative configuration and state	Compare manual changes, scripts, and IaC workflows	Can you explain why Terraform needs state?
Terraform workflow	The normal loop: write, init, validate, plan, apply, review state	Choose the correct CLI command for each stage	Can you tell what `terraform init` does and does not do?
Providers	How Terraform uses providers as plugins for APIs	Configure provider source, version constraints, and aliases	Can you identify when a provider must be initialized or upgraded?
Resources and data sources	Difference between managed infrastructure and read-only lookups	Read resource addresses and references	Can you explain `resource` vs `data` in a scenario?
Configuration language	HCL blocks, arguments, expressions, references, functions	Read variables, locals, outputs, conditionals, loops	Can you predict values from a small `.tf` snippet?
Variables and outputs	Input variable precedence, defaults, validation, sensitivity	Use variables, `.tfvars`, environment variables, and outputs	Can you identify where a variable value came from?
Dependencies	Implicit references, explicit `depends_on`, graph ordering	Predict create, update, and destroy order at a high level	Can you spot when `depends_on` is unnecessary?
State	State purpose, resource tracking, drift detection, sensitive data risk	Inspect, move, remove, and protect state appropriately	Can you explain why editing state directly is risky?
Backends	Local vs remote state concepts, locking, shared team workflows	Recognize when remote state is needed	Can you choose shared state for a team scenario?
Modules	Root modules, child modules, registry modules, inputs, outputs	Call a module and pass values correctly	Can you explain how a child module exposes an output?
Workspaces	Multiple named state instances for one configuration	Select, create, and list workspaces	Can you explain what workspaces are not meant to solve?
HCP Terraform workflows	Remote runs, workspaces, VCS-driven workflows, variables, collaboration	Identify when a remote execution workflow fits	Can you distinguish local CLI execution from remote execution?
Security	Provider credentials, secret handling, sensitive outputs, state protection	Avoid committing secrets and know where secrets may still appear	Can you explain why `sensitive = true` is not encryption?
Troubleshooting	Init, validation, planning, provider, permissions, and state errors	Choose first diagnostic steps from an error message	Can you separate syntax errors from provider/API errors?
Change management	Plans, saved plans, replacements, imports, moved resources	Decide how to review and apply changes safely	Can you tell when Terraform will replace a resource?

Terraform workflow you must be ready to recognize

    flowchart LR
	    A[Write or update .tf files] --> B[terraform fmt]
	    B --> C[terraform init]
	    C --> D[terraform validate]
	    D --> E[terraform plan]
	    E --> F{Review changes}
	    F -->|Accept| G[terraform apply]
	    F -->|Reject| A
	    G --> H[State updated]
	    H --> E

Ready means you can explain each step

Step	What it checks or changes	What it does not guarantee
`terraform fmt`	Formatting consistency	Does not validate provider permissions
`terraform init`	Backend setup, module download, provider plugin installation	Does not create infrastructure
`terraform validate`	Configuration syntax and internal consistency	Does not fully verify remote API permissions or quota-like conditions
`terraform plan`	Proposed actions compared with state and remote objects	Does not apply changes; may become stale if inputs or remote state change
`terraform apply`	Executes approved changes and updates state	Does not mean every external system is now perfectly documented outside Terraform
`terraform destroy`	Plans and removes managed objects	Does not remove unmanaged resources

CLI command checklist

Command	Know the purpose	Ready if you can answer
`terraform version`	Show Terraform CLI version and provider version context	Why might version mismatches matter?
`terraform fmt`	Reformat `.tf` files	When would `fmt -check` be useful in CI?
`terraform init`	Initialize backend, providers, and modules	When should you run it again?
`terraform init -upgrade`	Re-evaluate provider and module selections within constraints	How is this different from a normal init?
`terraform validate`	Validate configuration structure	Why can validation pass but apply fail?
`terraform plan`	Preview changes	How do you use plan output to identify create, update, replace, or destroy?
`terraform plan -out=FILE`	Save a specific plan for later apply	Why is a saved plan safer than re-planning later?
`terraform apply`	Apply a plan or create a new plan and ask for approval	What changes if you pass a saved plan file?
`terraform destroy`	Remove managed infrastructure	Why should state and workspace context be checked first?
`terraform show`	Display state or plan content	When would `terraform show -json` be useful?
`terraform output`	Read root module outputs	What is the difference between an output and a resource attribute?
`terraform state list`	List resources tracked in state	What does absence from state imply?
`terraform state show ADDRESS`	Inspect a tracked object in state	Why is this not the same as querying the provider console directly?
`terraform state mv`	Move state bindings between addresses	When might this avoid recreation during refactoring?
`terraform state rm`	Remove an object from Terraform tracking	Why does this not delete the real object?
`terraform import`	Associate an existing object with a Terraform address	What else must exist after import for future management?
`terraform providers`	Show provider requirements and selections	How can this help diagnose dependency issues?
`terraform workspace list`	List named workspaces	How do you know which state you are targeting?
`terraform workspace new/select`	Create or switch workspace	Why can applying in the wrong workspace be dangerous?
`terraform login`	Authenticate the CLI to HashiCorp services when needed	When is a local CLI credential different from provider credentials?
`terraform force-unlock`	Clear a stuck state lock when appropriate	Why should this be used cautiously?

“Can you do this?” core skills checklist

Terraform fundamentals

Explain declarative configuration: desired end state, not step-by-step imperative instructions.
Explain why Terraform compares configuration, state, and real infrastructure.
Describe the difference between Terraform CLI, providers, modules, state, and backends.
Explain why state is required for mapping resource addresses to real objects.
Recognize that Terraform is not a general-purpose configuration management tool.
Explain idempotence in practical terms: repeated runs should converge on desired state when inputs are unchanged.
Describe drift and how Terraform detects proposed remediation during planning.

Configuration language and files

Identify .tf files as Terraform configuration files loaded together in a module directory.
Read HCL blocks, labels, arguments, nested blocks, expressions, and references.
Distinguish resource, data, variable, locals, output, module, provider, and terraform blocks.
Explain that file names do not define dependency order.
Use comments, formatting, and naming conventions to make configuration easier to review.
Recognize when a value is known only after apply.
Identify interpolation and direct references, such as var.name, local.tags, and module.network.id.

Providers

Explain providers as plugins that translate Terraform operations into API calls.
Configure required_providers with source and version constraints.
Explain why .terraform.lock.hcl matters for reproducible provider selections.
Know when to run terraform init after provider changes.
Explain provider authentication at a high level without hard-coding secrets.
Use provider aliases conceptually for multiple accounts, regions, subscriptions, projects, or endpoints.
Recognize provider-specific errors versus Terraform syntax errors.

Resources and data sources

Explain that resources are managed by Terraform.
Explain that data sources read existing information for use in configuration.
Read a resource address such as resource_type.name or module.app.resource_type.name.
Predict when Terraform will create, update, replace, or destroy a managed object.
Explain why some argument changes require replacement while others update in place.
Recognize that provider behavior determines many resource-specific details.

Variables, locals, and outputs

Define input variables with type constraints, defaults, descriptions, and validation.
Explain common variable value sources, including CLI flags, .tfvars, auto-loaded files, environment variables, defaults, and remote workspace variables.
Use locals to name computed values and reduce repetition.
Use outputs to expose root module or child module values.
Mark variables and outputs as sensitive when appropriate.
Explain that sensitive values can still be stored in state.
Troubleshoot an unset required variable.

Expressions and collection handling

Read string, number, bool, list, map, object, and set values.
Use conditionals for simple branching.
Understand for expressions at a reading level.
Explain count and for_each differences.
Predict why for_each with stable keys is often safer than count with list indexes.
Recognize common functions such as length, lookup, merge, toset, join, and templatefile at a conceptual level.
Identify when a value cannot be known until apply.

Dependencies and lifecycle

Explain implicit dependencies from references.
Explain when explicit depends_on is appropriate.
Recognize that Terraform builds a dependency graph.
Predict high-level create and destroy order from references.
Explain lifecycle behaviors such as preventing accidental destruction or creating replacements before destroying old objects.
Recognize when lifecycle settings can hide or complicate drift.
Explain replacement triggers at a concept level.

State and backends

Explain local state versus remote state.
Explain state locking and why teams need it.
Identify sensitive data risks in state.
Explain why state files should not be casually edited, copied, or committed.
Know the difference between removing an object from state and destroying the object.
Explain when state movement can support refactoring.
Recognize backend initialization and migration prompts.
Explain why backend configuration changes require care.

Modules

Explain root module and child module.
Call a module using source.
Pass variables into a child module.
Read outputs from a child module.
Understand local modules, registry modules, and version-pinned remote modules at a high level.
Explain why modules improve reuse but do not eliminate the need to understand state and providers.
Recognize module nesting in resource addresses.

HCP Terraform and remote workflows

Explain why teams use remote execution and shared workspaces.
Distinguish Terraform CLI local execution from remote runs.
Recognize VCS-driven run workflows at a high level.
Know that variables can be managed in remote workspaces.
Explain remote state, locking, run history, and collaboration benefits.
Recognize that provider credentials for remote runs must be available to the remote execution environment.
Explain that workspace names and state context matter before planning or applying.

HCL readiness checks

You do not need to memorize every provider-specific argument for the HashiCorp Certified: Terraform Associate (004) exam. You should be comfortable reading the structure and predicting Terraform behavior.

Provider and Terraform block pattern

terraform {
  required_providers {
    random = {
      source  = "hashicorp/random"
      version = "~> 3.0"
    }
  }
}

provider "random" {}

Can you explain?

What required_providers controls.
What provider source means.
Why version constraints matter.
Why terraform init is needed before planning.
Why provider plugins are separate from the Terraform CLI.

Variables, locals, and outputs

variable "environment" {
  type        = string
  description = "Deployment environment"

  validation {
    condition     = contains(["dev", "test", "prod"], var.environment)
    error_message = "Environment must be dev, test, or prod."
  }
}

locals {
  name_prefix = "app-${var.environment}"
}

output "prefix" {
  value = local.name_prefix
}

Can you explain?

When validation is evaluated.
Why locals can simplify repeated expressions.
How an output is accessed from the root module.
What changes if an output is marked sensitive = true.

Module call pattern

module "network" {
  source      = "./modules/network"
  environment = var.environment
}

output "network_id" {
  value = module.network.id
}

Can you explain?

Which directory is the root module.
Which directory is the child module.
How input variables are passed to the child module.
How child module outputs are exposed.
Why child module resources appear with module paths in state.

Multiple instances pattern

variable "names" {
  type = set(string)
}

resource "example_resource" "item" {
  for_each = var.names

  name = each.key
}

Can you explain?

Why for_each creates addressable instances by key.
Why sets and maps are commonly used with for_each.
How changing a key can affect resource identity.
How this differs from count.index.

State readiness checklist

State is one of the most tested practical concepts because it affects safety, collaboration, and troubleshooting.

State concept	What ready looks like
Resource address	You can map `module.web.resource_type.name[0]`-style addresses to configuration structure
Object binding	You understand state links Terraform resource addresses to real infrastructure objects
Drift	You can explain how Terraform notices remote changes during planning
Sensitive data	You know state may contain sensitive values even when outputs are marked sensitive
Locking	You can explain why simultaneous applies can corrupt or conflict with state
Remote state	You can explain why teams avoid unmanaged local-only state
State movement	You know `state mv` changes Terraform’s tracking address, not the real object
State removal	You know `state rm` stops tracking without destroying the object
Import	You know import associates an existing object with Terraform state and requires matching configuration for ongoing management
Backend changes	You know backend changes require initialization and careful migration decisions

State scenario checks

Scenario	Best Terraform reasoning
A resource exists in the cloud console but not in state	Terraform does not manage it until imported or recreated through configuration
A resource is in state but removed from configuration	Terraform will usually plan to destroy it
A resource is removed with `terraform state rm`	The real object remains, but Terraform stops tracking it
A resource block is renamed	Terraform may plan destroy/create unless state is moved or a move is declared
Two users apply against the same state at the same time	Locking or remote workflow should prevent unsafe concurrent operations
A secret output is marked sensitive	CLI display may be redacted, but state still requires protection
A saved plan is applied later	It applies the reviewed plan, but context and validity still matter

Providers and dependency lock file

Be ready to reason about provider installation and version selection.

Artifact or setting	Purpose	Exam-style trap
`required_providers`	Declares provider source and version constraints	Not the same as configuring provider credentials
Provider block	Configures provider settings such as region, endpoint, or alias	May be optional for some providers but required for others
`.terraform.lock.hcl`	Records selected provider versions	Deleting or ignoring it can reduce reproducibility
`.terraform/` directory	Local working directory for downloaded plugins and modules	Usually not committed as source configuration
Provider alias	Allows multiple configurations of the same provider	Resources must explicitly reference the alias when needed
Environment credentials	Common way to avoid hard-coded secrets	Must exist in the execution environment, local or remote

Module readiness table

Module topic	You should know
Root module	The current working directory where Terraform is run
Child module	A module called by another module
Module input	A variable defined in the child and assigned by the caller
Module output	A value exposed by the child and referenced by the caller
Module source	Local path, registry source, or other supported source form
Module version	Used with registry-style sources to improve repeatability
Nested modules	Can make resource addresses longer and troubleshooting more complex
Provider inheritance	Child modules can inherit or receive provider configurations depending on configuration
Reuse tradeoff	Modules reduce repetition but can hide complexity if poorly documented

Module self-test prompts

Can you identify all inputs a module requires?
Can you identify which outputs a module exposes?
Can you explain why changing a module source or version may require terraform init?
Can you trace a resource address inside module.network or module.app.module.database?
Can you explain why copying a module is different from versioning and reusing it?
Can you explain why a module should not rely on undeclared root variables?

Variable precedence and value-source checks

You should know that Terraform can receive variable values from multiple places. Exact precedence details are worth reviewing in your Terraform study materials, but for exam readiness you should be able to identify likely sources and troubleshoot conflicts.

Source	Example	Readiness point
Default value	`default = "dev"`	Used when no other value is supplied
Variable definition file	`terraform.tfvars`	Common for environment-specific values
Auto-loaded file	`*.auto.tfvars`	Loaded automatically when present
CLI variable	`-var="environment=prod"`	Useful for explicit one-off values
CLI var file	`-var-file=prod.tfvars`	Useful for environment selection
Environment variable	`TF_VAR_environment=prod`	Useful in automation
Remote workspace variable	Managed outside local files	Must be available to remote runs

Variable traps

A variable declared without a default must be provided.
locals are not input variables.
Outputs do not pass values into a module; inputs do.
Marking a variable sensitive changes display behavior, not all storage risks.
tfvars files can accidentally expose secrets if committed.
Type constraints can reject values before provider calls happen.

Workspaces readiness

Terraform workspaces are often misunderstood. Be ready for practical questions about state context.

Topic	Ready explanation
Default workspace	Terraform starts with a default named workspace
Named workspace	A separate state instance for the same configuration
Workspace selection	Determines which state the next plan/apply uses
Use case	Can separate similar environments in simple workflows
Trap	Workspaces are not a full access-control, account-boundary, or architecture strategy by themselves
Remote workspaces	HCP Terraform workspaces also include collaboration and run settings concepts

Workspace safety checks

Before planning or applying, ask:

Which workspace am I in?
Which backend is configured?
Which variable values are being used?
Which provider credentials are active?
Which state will be modified?
Am I using local execution or remote execution?

HCP Terraform and collaborative workflow checks

For the HashiCorp Certified: Terraform Associate (004), be ready to reason about why an organization would use a managed Terraform workflow such as HCP Terraform.

Capability area	Practical readiness
Remote state	Explain shared state storage and team access
State locking	Explain why coordinated runs are safer than ad hoc local applies
Remote execution	Know that plans and applies can run outside the local machine
VCS integration	Recognize pull/request-driven or commit-driven run workflows conceptually
Workspace variables	Understand that run-time inputs and credentials can be stored in workspace settings
Run history	Explain auditability and review benefits at a high level
Private registry	Recognize reusable internal modules and providers conceptually
Policy and governance	Understand policy checks as a control point without needing to overfit vendor-specific implementation details

Local CLI vs remote run prompt

Can you explain what changes when a run is remote?

The Terraform configuration still defines desired infrastructure.
The execution environment changes.
Provider credentials must be available remotely.
Workspace variables may replace local .tfvars.
State is usually managed remotely.
Local files not committed or uploaded may be unavailable to the remote run.
The plan/apply review process may be controlled by workspace settings.

Scenario and decision-point checks

If the scenario says…	Think…	Avoid this trap
“A team needs shared state and locking”	Remote backend or HCP Terraform-style workflow	Do not keep separate local state files
“Terraform says provider not installed”	Run or revisit `terraform init`	Do not jump straight to `apply`
“Configuration syntax is invalid”	Use `terraform fmt` and `terraform validate`	Do not assume it is a cloud permission problem
“Plan shows replacement”	Identify which argument or lifecycle condition forces replacement	Do not assume every update is in-place
“Resource renamed in code”	Move state or use a move strategy to preserve binding	Do not accept destroy/create blindly
“Existing infrastructure must be managed”	Import plus matching configuration	Import alone is not complete management design
“Sensitive output is hidden in CLI”	State still needs protection	Do not treat redaction as encryption
“Module output is needed by root”	Define output in child, reference `module.name.output`	Do not reference child internals directly as a stable interface
“Multiple similar objects need stable identity”	Prefer key-based `for_each` when appropriate	Avoid fragile `count` indexes if list order changes
“Two provider configurations are needed”	Provider aliases and explicit provider assignment	Do not assume one provider block covers all cases
“Plan differs between laptop and remote run”	Compare variables, credentials, Terraform version, provider selections, workspace, and files	Do not assume Terraform is nondeterministic
“Apply failed halfway”	Review state, provider error, and next plan	Do not manually edit state as a first step
“Manual console change was made”	Run plan to detect drift and decide whether to accept or revert	Do not assume Terraform automatically knows intent
“Need to prevent accidental deletion”	Lifecycle, permissions, review process, and remote workflow controls	Do not rely on memory or naming alone
“Need different environments”	Consider separate workspaces, directories, backends, variables, or accounts depending on complexity	Do not treat workspaces as a complete environment strategy

Troubleshooting readiness

Symptom	Likely area	First checks
`terraform init` fails	Backend, provider source, network, credentials to registry or backend	Backend block, provider source, connectivity, authentication
`terraform validate` fails	HCL syntax or configuration structure	Missing arguments, bad references, type errors
`terraform plan` fails before provider calls	Configuration evaluation	Variables, expressions, unknown values, module inputs
`terraform plan` fails during provider refresh	Provider authentication or API access	Credentials, provider config, remote object access
Plan shows unexpected destroy	Configuration removed, wrong workspace, wrong variables, state mismatch	Workspace, state, VCS diff, variable source
Plan shows replacement	Force-new argument, lifecycle, resource identity change	Attribute diff, provider docs, address changes
Apply fails after partial work	Provider/API error or dependency issue	Error output, state, next plan, remote system status
State lock error	Another run or stale lock	Active run, remote workspace, lock owner, cautious unlock
Module not found	Module source or init issue	Source path, registry address, `terraform init`
Variable not set	Missing input value	Defaults, var files, environment variables, workspace variables

Artifact checklist

Artifact	Know what it is	Common mistake
`.tf`	Terraform configuration files	Assuming file order controls execution
`.tfvars`	Variable value files	Committing secrets
`*.auto.tfvars`	Automatically loaded variable files	Forgetting they affect plans
`.terraform.lock.hcl`	Provider dependency lock file	Deleting it to “fix” version issues without understanding impact
`.terraform/`	Local working directory for initialized modules/providers	Treating it as source code
`terraform.tfstate`	Local state file when using local state	Storing it casually or committing it
Plan file	Saved plan from `terraform plan -out`	Re-planning later and assuming it is identical
Module directory	Reusable Terraform configuration	Forgetting child module variable and output contracts
Backend configuration	Defines where state is stored	Changing it without planning migration
CLI credentials file	May store Terraform service login token	Confusing it with provider cloud credentials

Security and sensitive-data checks

Security questions are often practical rather than theoretical. Focus on how Terraform handles credentials, state, and review.

You should be able to explain

Provider credentials should not be hard-coded in .tf files.
Environment variables, secure variable stores, and remote workspace variables are common credential patterns.
Terraform state may contain sensitive values.
sensitive = true reduces accidental display but does not remove the value from state.
State access should be limited to people and systems that need it.
Remote execution changes where credentials must be available.
Module inputs can accidentally expose secrets if passed or output carelessly.
Version constraints and dependency locks support supply-chain predictability.
Review plans before applying, especially when destruction or replacement appears.

Security trap table

Trap	Better thinking
“The secret is hidden in output, so it is safe everywhere”	State and logs still need review and protection
“A local plan is safe because it did not apply”	Plan output can still reveal sensitive values
“Remote execution removes credential concerns”	It moves credential requirements to the remote environment
“Provider alias is an access boundary”	Access is controlled by credentials and platform permissions, not alias names
“State is just a cache”	State is critical operational data

Refactoring, import, and drift checks

Be ready for conceptual scenarios where Terraform configuration changes but the desired real infrastructure should remain.

Task	Terraform concept	Ready explanation
Rename a resource block	State move or moved declaration	Preserve mapping from old address to new address
Split configuration into modules	State addresses may change	Plan carefully to avoid unintended replacement
Start managing an existing object	Import	Import links object to address; configuration must match desired management
Stop managing without deleting	Remove from state	State removal does not destroy the real object
Accept manual change into config	Update configuration to match intended state	Do not let drift remain unexplained
Revert manual change	Plan/apply desired configuration	Terraform will attempt to converge back to configuration
Force recreation	Replacement-oriented workflow	Understand replacement consequences before applying

Example moved block pattern:

moved {
  from = example_resource.old_name
  to   = example_resource.new_name
}

Can you explain?

Why this is different from deleting one block and creating another.
How it helps Terraform understand address changes.
Why you still need to review the plan.

Common weak areas and traps

Weak area	Why candidates miss it	Final-review fix
`init` vs `plan` vs `apply`	Commands are memorized but not understood	Explain what each command changes locally, remotely, and in state
State purpose	State is treated as a simple output file	Practice mapping resource addresses to real objects
Sensitive values	Redaction is confused with encryption	Review where values can appear: config, variables, plan, logs, state
Variable sources	Candidates know variables but not how values arrive	Trace a value from declaration to final plan
`count` vs `for_each`	Both create multiple instances	Focus on resource identity and address stability
Module outputs	Candidates try to reach into child module internals	Use declared outputs as module interface
Provider aliases	Alias is configured but not attached to resources/modules	Check explicit provider mapping where needed
Saved plans	Candidates plan once, then apply a different plan	Know why `plan -out` can matter
Workspaces	Treated as full environment isolation	Remember workspace primarily selects state context
Import	Viewed as automatic configuration generation	Import associates state; configuration still matters
Drift	Manual changes are ignored conceptually	Use plan to identify and decide how to handle drift
Lifecycle rules	Used as magic safety switches	Understand side effects, especially ignored changes and create-before-destroy
Backend migration	Backend change treated as a normal edit	Know that state location changes are operationally sensitive
Provider lock file	Ignored as generated noise	Understand reproducible provider selection
Remote execution	Assumed to behave exactly like a laptop	Check files, variables, credentials, workspace, and execution context

Mini practice prompts

Use these prompts during final review. If you cannot answer quickly, revisit the related topic.

A teammate changed a resource name in Terraform code, and the plan now shows destroy/create. What Terraform concepts could prevent unnecessary replacement?
A plan succeeds locally but fails in HCP Terraform. What differences should you check?
A variable has a default, a .tfvars value, and an environment value. How would you investigate the value used in the plan?
A secret output is marked sensitive. Where might the secret still exist?
A module needs to expose a generated ID to the root module. What must be declared?
A resource exists in the cloud console but not in Terraform state. What are the options?
A team accidentally applied in the wrong workspace. What did the workspace control?
A provider upgrade changes the plan unexpectedly. Which files and settings should you inspect?
A plan shows -/+ replacement. What should you look for before approving?
A state lock is stuck. Why is force-unlocking risky?

Final-week checklist

Seven days out

Rebuild your command map: fmt, init, validate, plan, apply, destroy, show, output, state, workspace.
Review provider source, version constraint, and lock-file behavior.
Practice reading small HCL snippets without running them.
Review state concepts: binding, drift, locking, import, move, remove, backend.
Review module inputs, outputs, source, versioning, and nested addresses.

Three to four days out

Work through scenario questions about wrong workspace, wrong variables, provider errors, and unexpected replacement.
Compare local and remote execution workflows.
Review sensitive data handling and where secrets can appear.
Practice identifying whether a problem is syntax, initialization, provider authentication, state, or remote API behavior.
Revisit count vs for_each and implicit vs explicit dependencies.

Final day

Do not cram provider-specific service details at the expense of Terraform fundamentals.
Review the normal workflow from configuration change to state update.
Review common command flags only where they change workflow meaning, such as saved plans.
Review what Terraform does not do: it does not automatically secure state, infer business intent, or manage resources absent from state unless imported or declared.
Practice explaining each major topic aloud in one or two sentences.

Readiness scorecard

Use this as a quick go/no-go review before more practice.

Skill	Green	Yellow	Red
CLI workflow	You can choose commands from scenarios	You know commands but mix up effects	You rely on memorized order only
HCL reading	You can predict references and values	You understand blocks but struggle with expressions	You cannot trace variables or outputs
Providers	You understand source, version, init, aliases, credentials	You know providers but not lock-file behavior	You confuse providers with resources
State	You can reason about drift, import, move, remove, locking	You know state exists but avoid scenarios	You treat state as optional
Modules	You can trace inputs, outputs, and addresses	You can call modules but struggle with outputs	You confuse root and child module scope
Workspaces	You check workspace before plan/apply	You know commands but not risks	You treat workspaces as full isolation
Remote workflow	You can compare local and HCP Terraform runs	You know remote state but not remote execution details	You assume laptop context always applies
Security	You protect credentials and state	You know `sensitive` but overtrust it	You commit or expose secrets in examples
Troubleshooting	You classify errors by workflow stage	You can fix simple syntax only	You guess randomly from error messages

Practical next step

Pick one weak area from the scorecard and do a focused practice loop: read a small Terraform configuration, predict the plan behavior, identify the state impact, and explain which command you would run next. Then move into exam-style practice questions for the HashiCorp Certified: Terraform Associate (004) until your misses are concentrated in only one or two reviewable topics.

Study Plan

Scenario Guide

004 — HashiCorp Certified: Terraform Associate Exam Blueprint

How to use this exam blueprint

Topic-area readiness table

Terraform workflow you must be ready to recognize

Ready means you can explain each step

CLI command checklist

“Can you do this?” core skills checklist

Terraform fundamentals

Configuration language and files

Providers

Resources and data sources

Variables, locals, and outputs

Expressions and collection handling

Dependencies and lifecycle

State and backends

Modules

HCP Terraform and remote workflows

HCL readiness checks

Provider and Terraform block pattern

Variables, locals, and outputs

Module call pattern

Multiple instances pattern

State readiness checklist

State scenario checks

Providers and dependency lock file

Module readiness table

Module self-test prompts

Variable precedence and value-source checks

Variable traps

Workspaces readiness

Workspace safety checks

HCP Terraform and collaborative workflow checks

Local CLI vs remote run prompt

Scenario and decision-point checks

Troubleshooting readiness

Artifact checklist

Security and sensitive-data checks

You should be able to explain

Security trap table

Refactoring, import, and drift checks

Common weak areas and traps

Mini practice prompts

Final-week checklist

Seven days out

Three to four days out

Final day

Readiness scorecard

Practical next step

Browse Certification Practice Tests by Exam Family