Quiz: Terraform

13 questions

L1 (6 questions)

1. What is Terraform state and why is it critical?

State maps real infrastructure to your config. Without it Terraform can't know what exists. Store state remotely (S3 + DynamoDB lock) for teams. Never edit state manually — use terraform state mv/rm. Lost state means Terraform will try to recreate everything.

2. What does terraform plan show and why should you always run it?

Plan shows what Terraform will create, change, or destroy without making changes. It catches drift, unexpected deletions, and dependency issues before they hit production. Always review the plan output — especially the destroy count — before running apply.

3. How do Terraform modules help with infrastructure code?

Modules are reusable packages of Terraform config. They enforce standards (e.g., all VPCs get flow logs), reduce duplication, and abstract complexity. Pin module versions (source with ?ref=v1.2.0) to prevent surprise changes.

4. What does terraform taint do and what replaced it?

taint marks a resource for destruction and recreation on next apply. Replaced by terraform apply -replace=RESOURCE (Terraform 1.0+). Use when a resource is in a bad state that can't be fixed by normal apply. Be cautious — replace can cause downtime if the resource has dependents.

5. What is the difference between terraform plan output symbols + - ~ ?

+ = create new resource. - = destroy resource. ~ = update in place. -/+ = destroy and recreate (replacement). <= = read data source. Pay special attention to -/+ and - in plan output — they can cause downtime. Always count destroys before applying.

6. What is the difference between variable, local, and output in Terraform?

variable: input parameter (set by user/tfvars/env). local: computed intermediate value (DRY helper, not exposed). output: value exported for other modules or human consumption. Use variables for things that change per deployment; locals for repeated expressions; outputs for cross-module data flow.

L2 (7 questions)

1. What is drift in Terraform and how do you detect it?

Drift = real infrastructure differs from state (someone made a manual change). Detect with terraform plan — it shows differences. terraform refresh updates state to match reality (but doesn't fix config). Best practice: run plan in CI on a schedule to catch drift early.

2. When should you use terraform import vs writing new config?

Use import to bring existing resources under Terraform management without recreating them. Write the config first, then terraform import . Use it for brownfield adoption. For new infra, always write config and apply normally.

3. How do you safely rename a resource in Terraform without destroying it?

Use a moved block (Terraform 1.1+): moved { from = aws_instance.old to = aws_instance.new }. Or: terraform state mv aws_instance.old aws_instance.new. Without this, Terraform destroys old and creates new — causing downtime.

4. What are Terraform workspaces and when should you use them?

Workspaces maintain separate state files for the same config. Good for: minor variations (dev/staging with same infra). Bad for: fundamentally different environments (use separate root modules instead). Each workspace has its own state. Use terraform.workspace in config to vary parameters.

5. How do you prevent accidental resource deletion in Terraform?

1. lifecycle { prevent_destroy = true } on critical resources.
2. Review plan output carefully — grep for 'destroy'.
3. Use state locking.
4. Require plan approval in CI/CD (not auto-apply).
5. Separate stateful resources (databases, S3) from ephemeral ones.
6. Use protect_from_deletion on the cloud side too (AWS deletion protection).

6. What are Terraform data sources and when do you use them?

Data sources read existing infrastructure without managing it. Use to: reference resources created outside Terraform, look up AMI IDs, get account info, read secrets from Vault. They are read-only — Terraform never modifies or destroys data source targets. Refresh on every plan.

7. A terraform apply hangs on a resource that is taking too long. What do you do?

1. Check the cloud console — the resource may be stuck (e.g., RDS creating, ASG scaling).
2. Check provider timeouts (configurable in resource block).
3. Do NOT Ctrl+C and re-run — state may be locked or partially updated.
4. If you must interrupt, check state with terraform show and reconcile manually.
5. Some providers support custom timeouts blocks.