DEV Community

Mukami
Mukami

Posted on

My Final Preparation for the Terraform Associate Exam

#devjournal #devops #learning #terraform

60 Minutes. 57 Questions. No Looking Back.

Day 24 of the 30-Day Terraform Challenge — and today I did something I've been dreading for weeks.

I simulated the real exam.

No notes. No pauses. No second chances to look something up.

Just me, 57 questions, and a 60-minute timer.

Here's what happened, what I learned, and my plan for exam day.

The Simulation Results

Score: 43/57 (75%) — just above the 70% passing threshold

Time remaining: 4 minutes

Questions flagged for review: 12

Domains I struggled with:

  • Terraform CLI (26% weight) — missed 5 questions
  • State management (8% weight) — missed 3 questions
  • Terraform Cloud (4% weight) — missed 2 questions

The CLI section is what almost got me. The questions about -target, -refresh-only, and terraform state mv were harder than I expected.

What I Learned From My Mistakes

The CLI traps:

  • terraform plan -target doesn't just plan the targeted resource — it also plans any resources that depend on it
  • terraform state mv requires the full resource address, not just the name
  • terraform apply -refresh-only updates state to match real infrastructure without changing anything

The state traps:

  • A stale state file can cause terraform plan to show no changes even when infrastructure has drifted
  • terraform refresh is deprecated — use terraform apply -refresh-only instead

The Terraform Cloud traps:

  • Sentinel policies run after plan, before apply
  • Workspaces in TFC are separate state files, not separate directories

Flash Card Answers (Without Looking)

1. What file does terraform init create to record provider versions?
.terraform.lock.hcl

2. Difference between terraform.workspace and a Terraform Cloud workspace?
terraform.workspace is an expression used in config to get current workspace name. TFC workspace is a separate state file with collaboration features.

3. If you run terraform state rm aws_instance.web, what happens to the EC2 instance?
Nothing — it continues running. Only removed from state.

4. What does depends_on do and when should you use it?
Creates explicit dependency when Terraform can't infer it. Use when a resource needs to wait for another that isn't referenced in its arguments.

5. Purpose of .terraform.lock.hcl?
Locks provider versions so every team member uses the same version.

6. How does for_each differ from count when items are removed from middle?
count reindexes and recreates subsequent resources. for_each keys by value, so only removed item is affected.

7. What does terraform apply -refresh-only do?
Updates state file to match real infrastructure without modifying resources.

8. Maximum items in a single terraform import command?
One — you can only import one resource at a time.

9. What happens when you run terraform plan against a workspace that has never been applied?
It shows all resources as "to be created" since state is empty.

10. What does prevent_destroy do and what does it NOT prevent?
Blocks terraform destroy from deleting the resource. Does NOT prevent manual deletion in AWS Console.

High-Weight Domain Drill

Terraform basics (24%):

  • templatefile() reads a template file and renders it with variables — useful for user_data scripts
  • merge() combines multiple maps; later keys overwrite earlier ones
  • tomap() converts a list of objects to a map, but fails if keys aren't unique

Terraform CLI (26%):

  • terraform init -upgrade forces provider version upgrades even when lock file pins them
  • terraform apply -auto-approve skips interactive approval — never use in production
  • terraform plan -out=file.tfplan saves plan to apply exactly later

IaC concepts (16%):

  • Declarative = describe desired state, system figures out how to achieve it
  • Idempotency = applying same config multiple times produces same result
  • Drift = difference between declared state and actual state

State management (8%):

  • State is the source of truth — Terraform compares config to state, not directly to AWS
  • State locking prevents concurrent writes using DynamoDB
  • State versioning in S3 allows recovery from corruption

Common Exam Traps (I Added 3 More)

1. "Terraform plan shows no changes" doesn't mean infrastructure is correct — stale state can mask drift

2. terraform destroy vs terraform state rm — destroy deletes real resources, state rm only removes from state

3. Module source ?ref=main vs ?ref=v1.0.0 — branch is mutable, tag is immutable. Always pin to tags.

4. sensitive = true does NOT prevent secrets from being stored in state — only masks terminal output

5. Multi-select questions — if it says "select TWO," exactly two. One or three = wrong regardless of which you picked

6. terraform plan -target includes dependencies — not just the targeted resource

Exam-Day Strategy

  • Read the question twice before looking at answers
  • Spend max 90 seconds per question — flag and move on if stuck
  • Eliminate clearly wrong answers first — often gets you from 4 to 2 options
  • Flag any question you're unsure about — don't waste time overthinking
  • Answer all flagged questions in remaining time — even guessing beats leaving blank
  • Watch for "select TWO" instructions — don't over-select or under-select
  • Trust your gut on first pass — your first instinct is usually right

Remaining Red Topics

Terraform Cloud features — still red. I've used S3 backend, not TFC.

How I'll address this:

  • Complete TFC "Get Started" tutorials (1 hour)
  • Create a free TFC account and run a remote plan
  • Write 10 practice questions about TFC features

The Bottom Line

75% on my first simulation. Not great. Not failing.

The CLI section is my biggest risk. The questions about specific flags and edge cases are harder than I expected.

But I know exactly where my gaps are now. And I have six days to close them.

Whatever the score is on exam day, I know this material better than I did 24 days ago.

Let's go.

Resources:

Top comments (0)