State Management

State management is a critical aspect of infrastructure as code and is a key feature of Terraform. In Terraform, state management refers to the process of keeping track of the current state of infrastructure resources, including their configurations and any changes that have been made.
---
shuffleAnswers: true
shuffleQuestions: true
nQuestions: 25
introduction: >
  The test contains a set of questions and there is no time limit. The test is not official, it's just one of the most efficient ways to see how much you know, or don't know, about the subject.

  Count your score

  You will get 1 point for each correct answer. At the end of the Quiz, your total score will be displayed.

  Reflect on your answers

  Please conduct a self review of your answers once you complete the quiz test. Being an active participant in your own evaluation, honestly assess your strengths and also areas you need to improve. Good luck!
---

# Terraform supports different backend types. Select the default backend type from the options given below.

1. [ ] remote backend
    > Because remote backend is a separate category of backend type.
1. [x] local backend
    > Local backend is the default backend.
1. [ ] Consul
    > It's a remote backend type.
1. [ ] vault
    > It's a remote backend type.
1. [ ] s3
    > It's a remote backend type.
    >
    > For more information: https://www.terraform.io/docs/language/settings/backends/index.html#recommended-backends

# Does Consul help in locking the state file for remote backend?

1. [ ] False
1. [x] True
    > Yes, by using terraform consul we can lock the state files for remote backend.

# As a network administrator responsible for managing Terraform deployments in both on-premises and cloud environments, if you run the terraform refresh command, will it impact all resources across both environments?

1. [ ] True
1. [x] False
    > The terraform refresh command updates the state of the local environment but does not modify the state in the Terraform Cloud.
    >
    > Reference: https://www.terraform.io/docs/cli/commands/refresh.html

# By default, does the terraform state mv command create a backup copy of the Terraform state?

1. [ ] False
1. [x] True
    > The `terraform state mv` command creates a backup copy by default.
    >
    > Reference: https://www.terraform.io/docs/commands/state/mv.html

# Can Amazon S3 be utilized with Terraform's remote backend to manage tfstate?

1. [ ] False
1. [x] True
    > As a Standard Backend, Terraform supports S3 as a remote backend. The backends of Terraform are divided into two categories based on how they handle state and operations:
    >
    > - Enhanced backends are capable of both storing and performing operations. Only two enhanced backends are available: local and remote.
    > - Backends that only store state and rely on the local backend to perform operations are known as standard backends.
    >
    > For more information: https://www.terraform.io/docs/backends/types/s3.html
    > https://www.terraform.io/docs/language/settings/backends/configuration.html

# Does executing the terraform refresh command result in updates to the state files?

1. [ ] False
1. [x] True
    > Yes, terraform refresh updates the state files to the latest unless there are any manual changes.
    >
    > Reference: https://www.terraform.io/docs/cli/commands/refresh.html

# Your company is using a version control system (such as git) and has instructed you to include all terraform code in it. However, you need to exercise caution while committing sensitive information. Which files from the following list should you exclude from the commit?

1. [ ] main.tf
1. [ ] variables.tf
1. [ ] provisioner.tf
1. [x] terraform.tfstate
    > In general, the terraform.tfvars and terraform.tfstate files may contain confidential information such as passwords, access keys, and database passwords. To ensure the security of this data, it is recommended that these files not be included in the commit.

# You want to know what the state file contains after making modifications to your tfvar files. Which command can be used for the given request?

1. [ ] terraform state
1. [ ] terraform current
1. [x] terraform show
    > The terraform show command displays comprehensible output from state or plan files. This is used to double-check the current state contents and inspect the plan to ensure that everything is in working order. `terraform show -json` can be used to display output in JSON format.
    >
    > https://www.terraform.io/docs/cli/commands/show.html
1. [ ] terraform inspect

# You need to change the instance type of an EC2 instance to `t3.large` while keeping the default set of values. What adjustments do you make in order to meet this goal?

1. [ ] Issue `terraform plan instance.type .t2.large` and it deploys the instance
    > Incorrect since the given syntax is incorrect.
1. [ ] Modify the `tf.variables` with the instance type and issue terraform apply
    > Incorrect because it is recommended that instead of modifying the default values, you modify the `terraform.tfvars` variables, as there are no `tf.variables` in terraform.
1. [ ] Create a new file `my.tfvars` and add the type of the instance and issue `terraform plan` and `terraform apply`
    > Incorrect because the suggested file type for Terraform is `terraform.tfvars`. For any other .tfvars file, use the CLI option `terraform plan -var-file="my.tfvars"`.
1. [x] Modify the `terraform.tfvars` with the instance type and issue `terraform plan` and then terraform apply to deploy the instances
    > Correct, since terraform checks the values after altering the terraform.tfvars and then issues terraform apply.
    >
    > https://www.terraform.io/docs/commands/environment-variables.html
    > https://www.terraform.io/docs/commands/plan.html

# How can you delete the default workspace?

> You can’t delete the default workspace.

1. [ ] terraform workspace delete default
1. [ ] terraform delete workspace default
1. [ ] terraform workspace -rm default
1. [x] None of the options

# What happens if the locking state fails when executing an operation in Terraform?

1. [ ] Terraform will continue to apply its configuration without modifying the state, then you can execute a Terraform refresh to update the state
1. [ ] Terraform will continue to apply its configuration and apply changes to the state
1. [x] Terraform will not continue to plan/apply any changes
1. [ ] Terraform will continue and will force lock the state and will refresh the state

# You manually built a virtual machine on Azure and want to import it using Terraform import. Is terraform transfer possible in this case?

1. [ ] False
1. [x] True
    > https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine

# `terraform state rm` is the only tool that deletes all Terraform-configured resources.

1. [ ] True
1. [x] False
    > terraform destroy and terraform state rm are the two commands to delete all the resources.
    >
    > References: https://www.terraform.io/docs/cli/commands/state/rm.html
    > https://www.terraform.io/docs/cli/commands/destroy.html

# Members of your team can make changes to the state file after you've carried out the `terraform plan`. Is it accurate or untrue?

1. [ ] False
1. [x] True
    > Yes, we can make changes to the state file once terraform plan is executed.

# Current state and desired state should be in same state all the time?

1. [ ] Yes
1. [x] No
    > Current state: The current terraform.tfstate represents the current state.
    > Desired state: A desired state that must be achieved.
    >
    > When we run terraform plan, it compares the previous configuration from the terraform.tfstate file to the current configuration from the current code and verifies the differences, such as which resources need to be created, changed, or destroyed.

# When terraform destroy is executed with the auto-approve option, it doesn't require user confirmation before destroying the resources.

1. [ ] True
1. [x] False
    > The auto-approve feature in terraform destroy eliminates the need for user confirmation before resource destruction. It's commonly employed in automated pipelines where there is no requirement for human intervention during execution.
    >
    > The command for this function is as follows: `terraform destroy -auto-approve`

# Is remote management system support available in Terraform's standard backend type?

1. [ ] True
1. [x] False
    > The documentation distinguishes between two types of backends: enhanced and standard. Local, which is the default, and remote, which generally refers to Terraform Cloud, are the two enhanced backends. Support for remote operations is one of the most important features of an enhanced backend.
    >
    > Reference: https://www.terraform.io/docs/language/settings/backends/remote.html

# Your state file is locked and one of your colleagues issues a terraform apply. Will the resources get created?

1. [ ] True
1. [x] False
    > When a state file is locked, terraform apply or any other terraform command that could potentially change the state is disabled.
    >
    > Reference: https://www.terraform.io/docs/language/state/locking.html

# terraform state list command shows the list of resources in the state file.

1. [x] True
    > `terraform state list` shows the resources within a terraform state.
1. [ ] False
    > https://www.terraform.io/docs/cli/commands/state/list.html

# Your state file is locked, and terraform apply is run by one of your colleagues. Is it true that all of the content is provisioned? After the state file has been locked, one of your colleagues issues a terraform apply. Is there a way to get all of the content provisioned using the apply command?

1. [ ] True
1. [x] False
    > All commands that can change the terraform state file, such as terraform apply, destroy, and so on, are frozen when the state file is locked.
    >
    > https://www.terraform.io/docs/language/state/locking.html

# You have been asked to talk to your team about how to manage secrets in terraform. Please choose the correct statements from below.

- [ ] Always store the secrets in tfstate file with sensitive parameter turned on and this will help to mask the parameters and doesn’t show the data unless you unmask it
- [x] Never hardcode secrets like access keys, passwords in the configuration files
- [x] Avoid saving the hardcoded secrets in state file or configuration files
- [x] Make sure when committing to git don’t add the files where the secrets are stored

# Please choose from the below commands the one which doesn’t destroy an instance, but instead recreates it.

1. [ ] `terraform refresh`
1. [x] `terraform taint`
    > The `terraform taint` command informs Terraform that a specific object has become degraded or damaged.
1. [ ] `terraform state mv`
1. [ ] `terraform plan -options`
    > https://www.terraform.io/docs/cli/commands/taint.html

# terraform inspect is the command to inspect the current state file. True or False.

1. [ ] True
1. [x] False
    > The correct command to inspect the current state file is terraform show. There is no inspect command in Terraform.
    >
    > Reference: https://www.terraform.io/docs/cli/commands/show.html

# Is terraform state-unlock command used to unlock the locked state file?

1. [ ] True
1. [x] False
    > The correct command is `terraform force-unlock [options] LOCK_ID`. This command is used to unlock the state file.
    >
    > For more explanation, refer to the link below:
    > https://www.terraform.io/docs/cli/commands/force-unlock.html

# Is state file mandatory for Terraform to work?

1. [ ] False
1. [x] True
    > Terraform state's primary purpose is to store bindings between remote system objects and resource instances declared in your configuration. When Terraform creates a remote object in response to a configuration change, it records the remote object's identity against a specific resource instance, which it can then update or delete in response to future configuration changes.
    >
    > https://www.terraform.io/docs/language/state/purpose.html

# Does Terraform state store implicit and explicit dependencies?

1. [x] True
    > Both implicit and explicit dependency data is stored in the state file.
1. [ ] False
    > https://learn.hashicorp.com/tutorials/terraform/dependencies

# terraform state list command shows the list of resources in the state file.

1. [x] True
    > `terraform state list` shows the resources within a terraform state.
1. [ ] False
    > https://www.terraform.io/docs/cli/commands/state/list.html

# Your state file is locked, and terraform apply is run by one of your colleagues. Is it true that all of the content is provisioned? After the state file has been locked, one of your colleagues issues a terraform apply. Is there a way to get all of the content provisioned using the apply command?

1. [ ] True
1. [x] False
    > All commands that can change the terraform state file, such as terraform apply, destroy, and so on, are frozen when the state file is locked.
    >
    > https://www.terraform.io/docs/language/state/locking.html

# You've used Terraform to provision your infrastructure, and now you need to save the state file to the remote backend. You don't want to include all of the backend information in the configuration file. What is the name of this configuration?

1. [ ] First time configuration
1. [ ] Air gapped configuration
1. [ ] Remote configuration
1. [x] Partial configuration
    > In the backend configuration, you don't have to specify every required argument. If some arguments are provided automatically by an automation script running Terraform, omitting some arguments may be desirable. A partial configuration is when some or all of the arguments are omitted.
    >
    > For more information: https://www.terraform.io/docs/backends/config.html#partialconfiguration

# Not all of the backend types support locking. Please select the backend types given below which support locking.

- [ ] artifactory
    > Because it lacks backend locking support.
    > https://www.terraform.io/docs/language/settings/backends/azurerm.html
- [x] consul
    > Because it allows for state locking. At a given path, it saves the state in the Consul KV store.
    > https://www.terraform.io/docs/language/settings/backends/consul.html
- [x] S3
    > Because the S3 backend type uses DynamoDB for state locking and consistency checking, which can be enabled by setting the `dynamodb_table` field to the name of an existing DynamoDB table.
- [x] azurerm
    > Because it uses Azure Blob Storage's native capabilities to support state locking and consistency checking. It saves the state as a Blob in the Blob Container of the Blob Storage Account with the given Key.
    >
    > For more information: https://www.terraform.io/docs/language/settings/backends/s3.html

# Below mentioned provisioner gets executed on destroy. What happens if provisioner fails to execute?

```terraform
resource "aws_instance" "web" {
  provisioner "local-exec" {
    when    = destroy
    command = "echo 'Destroy-time provisioner'"
  }
}
```

1. [ ] Resources get destroyed even though provisioner fails
    > because if the provisioner fails, the resource will not be destroyed.
1. [ ] A new resource gets created and that provisioner gets executed during its destroy
    > because if the provisioner fails, no new resources will be created.
1. [ ] Terraform blocks this resource and should be deleted manually from cloud provider console.
    > because there is no way to block a resource in Terraform.
1. [x] Terraform will error and rerun the provisioners again on the next terraform apply.
    > because if the provisioner fails, it will become tainted and attempt to destroy the data in the next apply. Before the resource is destroyed, destroy provisioners are run. If they fail, Terraform will throw an error and the provisioners will be rerun on the next Terraform apply. Because of this behaviour, destroy provisioners should be treated with caution if they are to be run multiple times.
    >
    > For more information: https://www.terraform.io/docs/provisioners/#destroy-timeprovisioners

# A user wants to rename the resource variable from web to webapp. How can this be achieved in terraform efficiently? New name should also get reflected in configuration file.

```terraform
resource "aws_instance" "web" {
  ami           = "ami-a123456789b"
  instance_type = "t3.micro"
}
```

1. [ ] Manually change the variable to webapp and then run `terraform apply`
    > because it destroys the resource and then creates a new one with the name webapp as the variable name.
1. [ ] `terraform state mv aws_instance.web aws_instance.webapp`
    > because it only affects the state file and does not affect the configuration file.
1. [ ] `terraform state mv aws_instance.web aws_instance.webapp` and then run `terraform apply`
    > because the state file will change, but terraform apply will recreate a resource with the web resource variable.
1. [x] `terraform state mv aws_instance.web aws_instance.webapp` and changing variable name in configuration file
    > this option will change the state file, but we will have to manually apply the change to the configuration file. To move items in a Terraform state, use the `terraform state mv` command. This command can be used to move individual resources, resource instances, entire modules, and more.
    >
    > For more information: https://www.terraform.io/docs/commands/state/mv.html

# A user wants to list all resources which are deployed using Terraform. How can this be done?

1. [ ] terraform state show
    > because this command shows the attributes of a single resource in the Terraform state file.
1. [x] terraform state list
    > because the terraform state list command is used to list resources within a Terraform state.
1. [ ] terraform show
    > because this command produces a human-readable output of all resources and attributes.
1. [ ] terraform show list
    > because it attempts to display all of the list file's resources and attributes. The list is used as an input file for the show command in this command. All resources are listed if no addresses are given. The resources are arranged alphabetically after being sorted by module depth. This means that resources in your immediate configuration are listed first, followed by resources that are nested deeper within modules. For complex infrastructures, the state can contain thousands of resources, which can be filtered using the id option.
    >
    > For more information: https://www.terraform.io/docs/commands/state/list.html

# Does terraform refresh modify the existing infrastructure?

1. [ ] True
1. [x] False (right)
    > The terraform refresh command is used to reconcile Terraform's current state (as stored in its state file) with the real-world infrastructure. This can be used to detect and update any drift from the last-known state. This does not change the infrastructure, but it changes the state file.
    >
    > For more information: https://www.terraform.io/docs/commands/refresh.html

# When multiple team members are working on same state file, state file gets locked. How to remove the lock?

1. [x] terraform force-unlock LOCK_ID
    > force-unlock with LOCK_ID is used to remove lock on state file.
1. [ ] terraform force-unlock STATE_FILE
    > because the argument should be LOCK ID, not STATE FILE.
1. [ ] terraform unlock LOCK_ID
    > because the state lock is removed using force-unlock rather than unlock.
1. [ ] terraform force-unlock=true
    > because force-unlock requires the argument LOCK ID.
    >
    > For more information: https://www.terraform.io/docs/commands/force-unlock.html

# Which of the following backends support state storage with default locking? (SELECT TWO)

- [ ] s3
    > Because s3 does not have default locking and instead relies on DynamoDB.
- [x] azurerm
    > Because azurerm has default state locking.
- [x] gcs
    > Because gcs has default state locking.
- [ ] http
    > because the http endpoint is capable of storing state but lacks a standard locking mechanism.
- [ ] artifactory
    > Because artifactory does not support locking mechanisms, Option E is incorrect.
    >
    > For more information: https://www.terraform.io/docs/backends/types/index.html

# Which of the following is true about local backend? (SELECT TWO)

- [x] local backend stores state on the local file system
    > local backend, which saves state to the local file system.
- [x] locks that state using system APIs
    > because it uses system APIs to lock the state.
- [ ] performs operations locally and remotely
    > operations can only be performed locally, not remotely.
- [ ] Data at rest is encrypted by terraform.
    > Terraform does not encrypt data at rest, so this option is incorrect.
- [ ] locks that state using terraform prebuilt APIs
    > because terraform APIs cannot lock state; only system APIs can do so for local backends.
    >
    > For more information:
    > https://www.terraform.io/docs/backends/types/local.html
    > https://www.terraform.io/docs/backends/index.html

# You have been asked to manually taint a resource using terraform command. Which command from below you will use?

1. [ ] `terraform taint -resource-name`
1. [x] `terraform taint type.name`
    > Usage: `terraform taint [options] name`. The name argument specifies the name of the tainted resource. This argument has the format TYPE.NAME, such as aws_instance.foo. The terraform taint command is deprecated now in terraform version 0.15.2 and higher.
1. [ ] `terraform taint = resource.id`
1. [ ] `terraform taint resource.id – name`
    > http://man.hubwiz.com/docset/Terraform.docset/Contents/Resources/Documents/docs/commands/taint.html

# Bob wants to see all the terraform output values stored in terraform.tfstate file. Which of the below commands will do the task? (SELECT THREE)

- [x] terraform output (right)
    > The terraform output command is used to extract the value of an output variable from the state file.
- [x] terraform show (right)
    > The terraform show command is used to display the entire tfstate file in human readable form (rather than json), as well as the outputs and other data.
- [x] terraform output -state=terraform.tfstate
    > When you run this command, you will receive a warning because you should provide the full address of the tfstate file rather than just the name of the tfstate file. Usage: `terraform state show [options] ADDRESS`
- [ ] terraform state list
    > The terraform state list command shows the resource type, logical name, and indexing.
- [x] terraform show terraform.tfstate (right)
    > The terraform show terraform.tfstate command is used to display the attributes of a single Terraform resource.
    >
    > For more information: https://www.terraform.io/docs/cli/commands/state/show.html
    > https://www.terraform.io/docs/cli/commands/output.html

# What are the two supported backend types in Terraform?

- [ ] Remote-backend
- [x] Enhanced
    > Enhanced backends are capable of both storing and performing operations. Only two enhanced backends are available: local and remote.
- [ ] Local-backend
- [x] Standard
    > Backends that only store state and rely on the local backend to perform operations are known as standard backends.
    >
    > https://www.terraform.io/docs/backends/types

# A user doesn’t want to store secrets for configuring remote backend. How can he pass the remaining configuration so that terraform can initialize and talk to backend? (SELECT THREE)

- [x] Command line key-value pairs. (right)
    > because the init command allows us to specify a key value pair.
- [x] Interactively on command line. (right)
    > because terraform interactively asks for required values when values are not defined.
- [x] use the -backend-config=PATH to specify a separate config file
    > Because the configuration file can be specified via the init command line. When running terraform init, use the -backend-config=PATH option to specify a file.
- [ ] Query for secrets directly from vault
    > Because we must first download secrets from vault to local disk before running terraform init. In addition, the downloaded secrets must be passed to the init command. In the backend configuration, you don't have to specify every required argument. It may be preferable to omit certain arguments in order to avoid storing secrets, such as access keys, in the main configuration. A partial configuration is when some or all of the arguments are omitted.
    >
    > For more information: https://www.terraform.io/docs/backends/config.html#partialconfiguration

# You have created an ec2 instance on AWS console with the name my-ec2 and instance id as i-123w8766. You are asked to import this instance. Which command would you choose to import?

1. [ ] `terraform import aws_instance i-123w8766`
1. [ ] `terraform import-my-ec2 i-123w8766`
1. [ ] `terraform import i-123w8766 my-ec2`
1. [x] `terraform import aws_instance.my-ec2 i-123w8766`
    > Currently, the command can only import one resource at a time. This means that you can't yet use Terraform import to import an entire collection of resources, such as an AWS VPC.
    >
    > https://www.terraform.io/docs/cli/commands/import.html

# You're a new DevOps engineer at your company, and you notice that terraform has been in use for a while. The backend is stored as local in a Git repository, as you can see. What is the most significant disadvantage?

1. [x] Having the backend in a Git repository doesn’t make the collaboration easier between different teams, and keeping secret information on your local disk is not a good practice
    > Remote states are useful for keeping all of your infrastructure's configuration off of your local disk, but this can be a problem if the state is stored in a Git repository and you need to clone/pull from it. In Terraform, keeping secrets in a local state is also not a good idea.
1. [ ] You can’t use locking
    > because you'll still have locking, but it'll be local.
1. [ ] You can't access a remote state as a datasource if another Terraform stack needs access to this state
    > because local backends can still be accessed.
1. [ ] Having a local state stored in Git is a good practice
    > if you're storing secrets and don't have a Git repository for them.
    >
    > References: https://www.terraform.io/language/state/remote
    > https://www.terraform.io/language/state/remote-state-data#exampleusage-local-backend

# What is the name of the workspace when you execute "terraform init"?

1. [ ] new
1. [ ] No workspace is created
1. [ ] workspace
1. [x] default
    > When you initialize a working directory, a default workspace is created with the name "default".
    >
    > Reference: https://www.terraform.io/cli/workspaces#managing-workspaces

# You're the DevOps engineer in charge at your company, and you want to make sure that your state is stored securely, that it's encrypted at rest, and that it's protected with TLS in transit. This infrastructure is not something you want to be in charge of. What advice would you give the CTO?

1. [x] Move to Terraform Cloud or Terraform Enterprise depending on the number of members in your organization
    > One of Hashicorp's best practises and recommendations is to keep the state encrypted and protected in transit using TLS. Terraform Cloud or Terraform Enterprise is the way to go.
1. [ ] Implement a Hashicorp Vault architecture and secure your sensitive data using this architecture
    > You will need to manage this infrastructure.
1. [ ] Create a secure webservice to manage your state
    > You will need to manage this infrastructure.
1. [ ] Use a central server to execute Terraform. Store the states as a local backend in a SFTP server defined by a path
    > because you must manage the infrastructure, and using a local backend to manage your state is not recommended.
    >
    > Reference: https://www.terraform.io/language/state/sensitivedata#recommendations

# How can you list the attributes of aws_instance.gateway resource already implemented in a state file?

1. [ ] terraform show state aws_instance.gateway
    > The command should be terraform state show instead.
1. [x] terraform state show aws_instance.gateway
    > Choose terraform state show to see all the attributes associated with a resource.
1. [ ] terraform state list
    > because terraform state list only shows the state's resources, not their attributes.
1. [ ] terraform state list aws_instance.gateway
    > because terraform state list only shows the state's resources, not their attributes.
    >
    > References: https://www.terraform.io/cli/commands/state/list#usage
    > https://www.terraform.io/cli/commands/state/show#usage

# The terraform state list command displays the state file's resource list.

1. [ ] False
1. [x] True
    > The "terraform state list" command displays the resources available in a terraform state.
    >
    > Reference: https://www.terraform.io/docs/cli/commands/state/list.html

# Current state and desired state should be in same state all the time?

1. [ ] Yes
1. [x] No
    > No is the correct option. When we run terraform plan, Terraform takes the difference between the previous configuration from the terraform.tfstate file and the current configuration from the current code, checking for differences such as what resources need to be created, changed, or destroyed.

# What is the best way to rename a resource already implemented in a Terraform State?

1. [x] terraform state mv resource.old resource.new
    > You must use the terraform state subcommand "terraform state mv" to rename a resource within the Terraform State.
1. [ ] terraform mv state resource.old resource.new
    > because the terraform state mv subcommand, not terraform mv state, must be used to rename a resource.
1. [ ] terraform state replace resource.old resource.new
    > incorrect because terraform replace does not exist, and executing it will result in a syntax error.
1. [ ] terraform replace state resource.old resource.new
    > incorrect because terraform replace does not exist, and executing it will result in a syntax error.
    >
    > Reference: https://www.terraform.io/cli/commands/state/mv#example-rename-aresource

# How can you delete the default workspace?

1. [ ] terraform workspace delete default
    > because the default workspace cannot be deleted.
1. [ ] terraform delete workspace default
    > incorrect because they have syntax errors and you can't delete the default workspace with those commands.
1. [ ] terraform workspace -rm default
    > incorrect because they have syntax errors and you can't delete the default workspace with those commands.
1. [x] None of the options are correct
    > The default workspace cannot be deleted.
    >
    > Reference: https://www.terraform.io/language/state/workspaces#usingworkspaces

Key aspects of state management in Terraform include:

State file

Terraform uses a state file to store the current state of infrastructure resources. This file contains information about the resources, such as their configurations, dependencies, and metadata.

Remote state management

Terraform supports remote state management, which involves storing the state file in a remote backend, such as Amazon S3, Azure Blob Storage, or HashiCorp Consul.

State locking

Terraform supports state locking, which prevents multiple users from modifying the state file at the same time, reducing the risk of conflicts and data corruption.

State migration

Terraform supports state migration, which enables users to migrate state files between different backends or to a new version of Terraform.

State visualization

Terraform supports state visualization, which enables users to visualize the dependencies between resources and understand the overall structure of their infrastructure.

Overall, state management is a critical component of Terraform that enables users to manage infrastructure resources as code, maintain a consistent and predictable infrastructure state, and collaborate with other team members on infrastructure projects.