Try 10 focused Terraform Associate (004) questions on Terraform Maintenance, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
Try Terraform Associate (004) on Web View full Terraform Associate (004) practice page
| Field | Detail |
|---|---|
| Exam route | Terraform Associate (004) |
| Topic area | Maintain Infrastructure with Terraform |
| Blueprint weight | 8% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Maintain Infrastructure with Terraform for Terraform Associate (004). Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 8% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These questions are original IT Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.
Topic: Maintain Infrastructure with Terraform
Your team uses a shared remote backend. A new plan shows that module.web.aws_instance.app will be replaced, but before anyone makes changes you need a read-only view of the values Terraform currently stores for that specific resource. You want the safest supported inspection step and do not want to open raw state JSON. What should you run?
Options:
A. terraform import module.web.aws_instance.app <resource_id>
B. terraform state list module.web.aws_instance.app
C. terraform state pull and inspect the JSON output
D. terraform state show module.web.aws_instance.app
Best answer: D
Explanation: Use terraform state show when you already know the resource address and need a read-only view of what Terraform currently tracks. It is the supported CLI command for diagnosing a specific state entry without working directly with raw state JSON or modifying state.
terraform state show is the best choice when the goal is safe diagnosis of one known resource in state. It reads the current state and renders the tracked attributes for that resource address in a human-friendly form, which matches the need to review what Terraform believes before applying any changes. This keeps the workflow read-only and avoids direct work with raw state data.
terraform state list helps discover resource addresses, but it does not show the stored attribute values for a resource. terraform state pull exposes the raw state JSON, which is not the safest or clearest option for routine inspection. terraform import is used to bring existing unmanaged infrastructure under Terraform state, so it is not a read-only diagnostic step.
For a specific resource replacement surprise, inspect it first with terraform state show.
terraform state list only shows matching addresses, not the resource’s tracked attributes.terraform state pull works with raw state JSON, which misses the requirement to avoid raw state inspection for routine diagnosis.terraform import is for associating existing infrastructure with state, not for read-only inspection of an already managed resource.Topic: Maintain Infrastructure with Terraform
Which Terraform CLI command should you use to display the attribute values Terraform currently has stored in state for one specific resource instance, without generating a proposed change plan?
Options:
A. terraform state list
B. terraform show
C. terraform state show
D. terraform plan
Best answer: C
Explanation: Use terraform state show when you need to inspect what Terraform already knows about one resource in state. It is a state inspection command, not a planning command, so it does not calculate proposed infrastructure changes.
Terraform state stores Terraform’s current recorded knowledge about managed resources. When you want to inspect the saved attributes for one specific resource instance, terraform state show <resource_address> is the precise command.
This differs from other common commands:
terraform plan calculates proposed actions by comparing configuration, state, and real infrastructure.terraform show renders an entire state or plan file.terraform state list shows only the resource addresses Terraform is tracking.The key distinction is whether you are inspecting recorded state or asking Terraform what it would change next.
terraform show is broader; it displays an entire state or plan, not one targeted resource instance.terraform state list only lists tracked addresses, not stored attribute values.terraform plan is for proposed changes, so it answers what Terraform would do rather than what Terraform already knows.Topic: Maintain Infrastructure with Terraform
Your team stores Terraform state in a shared remote backend. Before refactoring resources into a child module, you need to confirm the exact resource addresses Terraform currently tracks so you can add moved blocks safely. You must inspect state without changing infrastructure or state contents. What is the best next action?
Options:
A. Run terraform plan -refresh-only
B. Run terraform import <address> <id>
C. Run terraform state list
D. Run terraform state show <address>
Best answer: C
Explanation: terraform state list is the purpose-built command for viewing the resource addresses currently stored in Terraform state. In a refactor, that lets you review existing mappings safely before adding moved blocks, without importing resources or proposing infrastructure changes.
Terraform state stores the mapping between resource addresses in configuration and the real infrastructure objects Terraform manages. When the goal is to inspect which addresses are currently tracked, terraform state list is the safest and most direct command. It outputs the full addresses of resources and instances already in state, including module paths and indexed instances, without modifying infrastructure or the state data.
If you already know a specific address and need to inspect its stored attributes, terraform state show is the better follow-up command. By contrast, terraform import changes state by creating a new mapping, and terraform plan -refresh-only is for drift-focused review rather than listing current addresses.
The key distinction is that terraform state list answers “what addresses are in state right now?”
terraform state show <address> is useful only after you already know the address and want that resource’s stored attributes.terraform import <address> <id> writes a new mapping into state, so it does not meet an inspection-only requirement.terraform plan -refresh-only compares state with real infrastructure, but it does not directly list the current tracked addresses.Topic: Maintain Infrastructure with Terraform
A team wants to start managing an existing bucket with Terraform. Assume the bucket already existed before this command.
resource "aws_s3_bucket" "logs" {
bucket = "company-logs-prod"
}
$ terraform import aws_s3_bucket.logs company-logs-prod
Import successful!
What is the best interpretation of this result?
Options:
A. Terraform created a new bucket and recorded it in state.
B. Terraform moved the bucket into the configured backend.
C. Terraform generated the full resource configuration automatically.
D. Terraform associated the existing bucket with aws_s3_bucket.logs in state.
Best answer: D
Explanation: terraform import records the relationship between an existing object and a resource address in Terraform state. That association lets future plan and apply operations manage the bucket through the configuration.
The core concept is that terraform import does not provision infrastructure. It tells Terraform that the real object identified by company-logs-prod should be tracked as aws_s3_bucket.logs in the state file. That state association is what brings an existing resource under Terraform management.
After an import, a common next step is to run terraform plan and compare the configuration to the imported object’s actual settings. If the configuration is incomplete or differs from the real resource, Terraform may propose changes on the next plan. Import is therefore about state association first, not automatic creation and not automatic generation of a complete .tf file.
The closest misconception is treating import like apply; creation happens with apply, not with import.
.tf file with every remote setting.Topic: Maintain Infrastructure with Terraform
Which Terraform capability is most useful for troubleshooting mismatched resource addresses, confirming that an import was recorded correctly, or seeing which objects Terraform currently manages?
Options:
A. State inspection with terraform state subcommands
B. Dependency locking in .terraform.lock.hcl
C. Output values defined with output blocks
D. Backend configuration for remote state storage
Best answer: A
Explanation: State inspection is used to examine the contents of Terraform state, including tracked resource addresses and instance details. That makes it the right choice when you need to confirm what Terraform manages or whether an import mapped to the expected address.
Terraform state is the record of infrastructure objects Terraform currently tracks. When you need to troubleshoot an address mismatch, verify an import, or understand what is already managed, inspect the state directly. Common CLI commands include terraform state list to view tracked addresses and terraform state show to inspect one resource instance in detail.
This is different from other Terraform features. A backend controls where state is stored, outputs expose selected values, and the dependency lock file pins provider versions. None of those are meant to show the full set of managed objects or confirm how an imported object is recorded. The key idea is that questions about what Terraform currently manages are answered by inspecting state.
output blocks expose chosen values, not the complete inventory of managed resources..terraform.lock.hcl tracks provider selections, not imported resources or state addresses.Topic: Maintain Infrastructure with Terraform
What is the primary purpose of terraform import?
Options:
A. Read an existing resource as a data source without managing it
B. Associate an existing resource with Terraform state so Terraform can manage it
C. Move infrastructure into the configured backend for state locking
D. Create a new resource from configuration and replace the existing one
Best answer: B
Explanation: terraform import does not create infrastructure. It associates an already existing object with a Terraform resource address in state so that object can be managed by Terraform going forward.
Importing tells Terraform that a real infrastructure object already exists and should be tracked as a managed resource in Terraform state. State is Terraform’s mapping between a resource address in configuration and the actual remote object. After import, Terraform can include that object in plan and apply, assuming the corresponding resource configuration exists.
Import is not the same as provisioning a new resource, using a data source, or changing where infrastructure lives. A data source only reads information, while a backend only stores state and may provide locking. The key idea is that import brings existing infrastructure under Terraform management by creating the state association.
Topic: Maintain Infrastructure with Terraform
What is the primary purpose of enabling verbose Terraform logging with TF_LOG?
Options:
A. Store infrastructure metadata outside the state file
B. Speed up routine plan and apply operations
C. Review normal infrastructure changes during every run
D. Troubleshoot difficult workflow or provider interaction problems
Best answer: D
Explanation: Verbose Terraform logging is mainly a troubleshooting tool. It provides detailed internal and provider-level messages for diagnosing difficult failures or unexpected behavior, not for routine daily use.
Terraform verbose logging, typically enabled with TF_LOG, is intended for debugging when normal command output is not enough. It can show deeper details about Terraform’s workflow, provider calls, and error paths, which is useful when troubleshooting complex failures, unexpected provider behavior, or hard-to-explain plan/apply results.
In normal day-to-day operation, most users rely on standard output from commands like terraform plan and terraform apply. Verbose logs are usually too noisy for routine use and are not a replacement for state, plans, or normal workflow review.
The key idea is that verbose logging helps investigate problems; it is not a standard operating mode.
terraform plan is the usual tool for routine change review.Topic: Maintain Infrastructure with Terraform
A teammate handed off a Terraform workspace and asks you to confirm the current attributes Terraform has recorded for module.network.aws_vpc.main. You must inspect only what Terraform already knows, avoid generating a change preview, and avoid modifying infrastructure or state. What is the best next action?
Options:
A. Queue a speculative plan in HCP Terraform
B. Run terraform state show module.network.aws_vpc.main
C. Run terraform plan in the workspace
D. Run terraform apply -refresh-only
Best answer: B
Explanation: terraform state show is the direct CLI command for viewing the attributes Terraform currently has stored for one tracked resource. It fits an inspect-only goal without producing a proposed change set or updating state.
When the goal is to see what Terraform already knows, use a state inspection command instead of a planning command. terraform state show <address> reads the current state entry for one resource address and prints its recorded attributes, which is exactly what you need after a handoff or during troubleshooting.
terraform plan and an HCP Terraform speculative plan both calculate proposed actions by comparing configuration, state, and real infrastructure. terraform apply -refresh-only is also not just inspection, because it can update the state to match remote objects. If the requirement is read-only visibility into existing state for a single resource, terraform state show is the safest and most precise choice.
terraform plan is for proposed actions, not for reading one resource’s stored state.terraform apply -refresh-only can rewrite state from real infrastructure, which goes beyond simply viewing what is already recorded.Topic: Maintain Infrastructure with Terraform
A team imported existing infrastructure into Terraform after adopting a reusable module. The configuration expects the resource at module.network.aws_vpc.main, but terraform plan still shows that address will be created. Before making any changes, they want a safe way to verify which resource addresses Terraform already tracks in state and confirm whether the import used the wrong address. What is the best next action?
Options:
A. Add a moved block so Terraform can discover the imported resource automatically.
B. Run terraform validate to confirm the module and provider settings are correct.
C. Run terraform state list and compare the tracked addresses to the configuration.
D. Run terraform apply -refresh-only to update the configuration address from the provider.
Best answer: C
Explanation: State inspection is the right first step when an import may have used the wrong resource address. terraform state list lets the team safely see what Terraform currently manages without changing infrastructure or state mappings.
When a plan shows Terraform wants to create a resource that was already imported, a common cause is an address mismatch between the configuration and the state entry. terraform state list is the safest CLI command to inspect the addresses Terraform currently tracks, so it is useful for troubleshooting imports and confirming what Terraform manages.
terraform state list to see stored resource addresses.terraform state show.Commands like plan, validate, or refresh-only can help in other situations, but they do not directly answer whether the resource is stored under the expected state address.
Topic: Maintain Infrastructure with Terraform
A cloud object already exists outside Terraform. The team wants Terraform to manage future changes and possible deletion of that object, not just read its attributes for use elsewhere. Which approach fits this goal?
Options:
A. Define a data source for the object and let Terraform manage it.
B. Configure a backend for the workspace so the object becomes managed.
C. Define a resource block and import the object into state.
D. Define an output value for the object so Terraform owns it.
Best answer: C
Explanation: Lifecycle ownership in Terraform requires a managed resource and a state association. Import is the action that links an existing real-world object to that resource so Terraform can plan, update, and potentially destroy it later.
To bring existing infrastructure under Terraform lifecycle management, you declare it as a resource and then import the real object into Terraform state. That state entry binds the resource address in configuration to the existing object, so future plan and apply operations treat it as managed infrastructure.
A data source is different: it performs a read-only lookup of an external object and exposes its attributes for use elsewhere in configuration. Terraform can reference data source values, but it does not take lifecycle ownership of that object through the data block.
In practice:
resource block.Use a data source only when you need lookup behavior, not ownership.
data blocks read existing objects but do not let Terraform create, update, or destroy them.Use the Terraform Associate (004) Practice Test page for the full IT Mastery route, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Try Terraform Associate (004) on Web View Terraform Associate (004) Practice Test
Read the Terraform Associate (004) Cheat Sheet on Tech Exam Lexicon, then return to IT Mastery for timed practice.