You Can Pass This Exam For Free
Choose Your Study Path
Limited or no experience with Terraform or IaC tools. You need to build foundational knowledge of cloud infrastructure and Terraform from scratch.
Exam Overview
Format
57 questions, 60 minutes. Multiple choice, multiple answer, and true/false questions. Online proctored.
Scoring
Passing score: 70 out of 100. No penalty for wrong answers — always answer every question.
Domains & Weights
- Infrastructure as Code (IaC) with Terraform8%
- Terraform Fundamentals13%
- Core Terraform Workflow15%
- Terraform Configuration22%
- Terraform Modules12%
- Terraform State Management12%
- Maintain Infrastructure with Terraform8%
- HCP Terraform10%
Registration
$70.5 USD. Online proctored via Certiverse. Available in English only. Exam fee is $70.50 USD plus local taxes. Credential valid for 2 years.
Topic Priority Table
Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.
Infrastructure as Code (IaC) with Terraform
This domain covers foundational IaC concepts: why managing infrastructure through code is better than manual processes, declarative vs imperative approaches, idempotency, and how Terraform fits into the IaC ecosystem. While the smallest domain, it establishes the conceptual foundation for everything else.
Key Topics
Must-Know Concepts
- IaC advantages: version control, automation, consistency, repeatability, documentation, collaboration, and disaster recovery
- Declarative vs imperative: Terraform is declarative (you describe desired state, Terraform figures out how to get there). Tools like Ansible scripts are often imperative (step-by-step instructions)
- Idempotency: applying the same configuration multiple times produces the same result. Terraform only makes changes when the desired state differs from the actual state
- Multi-cloud support: Terraform can manage resources across AWS, Azure, GCP, and hundreds of other providers in a single configuration
- Terraform is cloud-agnostic and uses a plugin-based architecture with providers for each platform
Common Exam Traps
Terraform Fundamentals
Covers how Terraform works under the hood: provider architecture, plugin system, state tracking, version constraints, and the dependency lock file. You need to understand how Terraform discovers, downloads, and manages providers, and how it tracks infrastructure through state.
Key Topics
Must-Know Concepts
- Providers are plugins that let Terraform interact with APIs. They are downloaded during terraform init from the Terraform Registry
- The required_providers block in the terraform block specifies which providers are needed, their source, and version constraints
- Version constraint syntax: = (exact), >= (minimum), ~> (pessimistic constraint — allows only rightmost version component to increment), != (exclude)
- The dependency lock file (.terraform.lock.hcl) records exact provider versions and checksums. It SHOULD be committed to version control for reproducible builds
- terraform init -upgrade updates providers to the latest version matching constraints and updates the lock file
- State is how Terraform maps configuration to real-world resources. Without state, Terraform cannot know what it manages
- Terraform uses a plugin-based architecture where the core binary handles workflow and the provider plugins handle API calls
Common Exam Traps
Core Terraform Workflow
The write-init-plan-apply workflow is the heart of using Terraform. This domain tests your understanding of each command, their flags, and how the workflow changes in team and HCP Terraform environments. At 15%, expect about 8-9 questions on workflow mechanics.
Key Topics
Must-Know Concepts
- The core workflow is: Write configuration -> terraform init -> terraform plan -> terraform apply. Optionally terraform destroy to tear down
- terraform init: initializes backend, downloads providers and modules. Must be re-run when adding new providers, modules, or changing backend configuration
- terraform plan: creates an execution plan showing additions (+), modifications (~), and destructions (-). Can save to a file with -out=planfile
- terraform apply: executes changes. Without a plan file, it generates a new plan and asks for confirmation. With a plan file, it applies exactly what was planned
- terraform destroy: creates and executes a plan to destroy all managed resources. Equivalent to terraform apply -destroy
- terraform fmt: formats HCL files to canonical style. Does not change logic. Use -check flag to verify formatting without changing files
- terraform validate: checks syntax and internal consistency without accessing remote services or state
- The -auto-approve flag on apply and destroy skips the confirmation prompt
- The -target flag limits operations to specific resources, but should be used sparingly as it can lead to state inconsistencies
Common Exam Traps
Terraform Configuration
The largest domain at 22% covering everything about writing Terraform HCL: resources, data sources, variables, outputs, expressions, functions, dependencies, lifecycle rules, custom conditions, and sensitive data handling. This is where hands-on experience pays off most.
Key Topics
Must-Know Concepts
- Resource blocks define infrastructure objects. Know meta-arguments: count, for_each, depends_on, provider, and lifecycle
- Data sources (data blocks) read information from existing infrastructure. They are read-only and do not create resources
- Input variables: declared with variable blocks, support types (string, number, bool, list, map, object, tuple, set), default values, validation rules, sensitive flag, and description
- Variable precedence (highest to lowest): -var CLI flag and -var-file, *.auto.tfvars, terraform.tfvars, environment variables (TF_VAR_name), default values. Note: TF_VAR_ env vars are above defaults but below terraform.tfvars
- Output values expose data from a module. Can be marked as sensitive. Used to pass data between modules and display information after apply
- Built-in functions: know common ones like join, split, lookup, merge, length, toset, tolist, file, templatefile, format, upper, lower, coalesce, try, can
- Implicit dependencies: Terraform automatically determines order when one resource references another. Explicit dependencies: use depends_on when there is no reference-based relationship
- Lifecycle meta-argument: create_before_destroy (create replacement before destroying old), prevent_destroy (error on destroy), ignore_changes (ignore specific attribute changes)
- Custom conditions: precondition (validate before create), postcondition (validate after create), check blocks (continuous validation as warnings)
- Ephemeral values and write-only arguments: never persisted to state, solving the problem of sensitive data leaking into terraform.tfstate
Common Exam Traps
Terraform Modules
Modules are reusable packages of Terraform configuration. This domain tests how to use, create, and structure modules, including passing data between modules and using the Terraform Registry. At 12%, expect about 7 questions.
Key Topics
Must-Know Concepts
- Every Terraform configuration has a root module (the directory where you run terraform commands). Child modules are called from the root module
- Module sources: local paths (./modules/vpc), Terraform Registry (hashicorp/consul/aws), GitHub URLs, S3 buckets, GCS buckets, and other supported sources
- Modules accept input variables and expose output values. The calling module passes values via arguments and reads results via module.name.output_name
- Standard module structure: main.tf (resources), variables.tf (input variables), outputs.tf (output values), README.md (documentation)
- Terraform Registry modules use semantic versioning. Always pin module versions in production using the version argument
- Modules encapsulate resources — resources inside a module are not directly accessible from outside. You must expose them via output values
- Provider configuration should NOT be defined inside modules (except in rare cases). Providers should be configured in the root module and passed to child modules
Common Exam Traps
Terraform State Management
State is how Terraform tracks the real-world resources it manages. This domain covers local and remote state storage, state locking, state commands for refactoring, handling resource drift, and the moved block. Mismanaging state is the most common source of production Terraform problems.
Key Topics
Must-Know Concepts
- The state file (terraform.tfstate) maps configuration resources to real-world infrastructure. It is the source of truth for what Terraform manages
- Local state is stored in the current directory as terraform.tfstate. Remote state is stored in backends like S3, GCS, Azure Blob, or HCP Terraform
- State locking prevents concurrent operations from corrupting state. Not all backends support locking — S3 requires DynamoDB for locking
- terraform state list: lists all resources in state. terraform state show: displays attributes of a specific resource
- terraform state mv: moves a resource to a different address (renaming). terraform state rm: removes a resource from state WITHOUT destroying it
- terraform state pull/push: download or upload state manually (push is dangerous and should rarely be used)
- Resource drift: when real infrastructure changes outside Terraform. terraform plan detects drift by comparing state to actual resources
- The moved block in configuration (Terraform 1.1+) declares that a resource has been refactored (renamed/moved) without destroying and recreating it
- terraform import brings existing infrastructure into Terraform state. The import block (1.5+) is the modern approach
Common Exam Traps
Maintain Infrastructure with Terraform
Covers ongoing infrastructure management tasks: importing existing resources, troubleshooting common issues, inspecting state, and debugging Terraform operations. While only 8% of the exam, these are practical skills that often appear in scenario-based questions.
Key Topics
Must-Know Concepts
- terraform import: brings existing infrastructure under Terraform management by adding it to the state file
- Import block (Terraform 1.5+): declarative way to import resources in configuration, can generate configuration automatically
- terraform show: displays the current state or a saved plan file in human-readable format
- terraform output: displays output values from the root module. Use -json for machine-readable format
- TF_LOG environment variable enables debug logging. Levels: TRACE (most verbose), DEBUG, INFO, WARN, ERROR
- TF_LOG_PATH: directs log output to a file instead of stderr
- terraform graph: generates a visual representation of the dependency graph in DOT format
- Troubleshooting workflow: check terraform validate errors, review plan output, enable TF_LOG for detailed logs, check provider documentation
Common Exam Traps
HCP Terraform
HCP Terraform (formerly Terraform Cloud) is HashiCorp's managed service for team collaboration. This domain covers remote state, VCS-driven workflows, workspace management, teams and permissions, policy enforcement, cost estimation, and projects. At 10%, expect about 5-6 questions.
Key Topics
Must-Know Concepts
- HCP Terraform provides remote state storage, remote execution, VCS integration, team collaboration, and governance features
- Workspace types: CLI-driven (runs triggered from local CLI) vs VCS-driven (runs triggered by Git commits/PRs)
- HCP Terraform workspaces are DIFFERENT from CLI workspaces. HCP workspaces have their own state, variables, run history, and access controls
- Remote execution: Terraform runs in HCP Terraform's infrastructure, not on your local machine. Provides consistent environment and audit trail
- Teams and permissions: organizations contain teams, teams are assigned workspace permissions (read, plan, write, admin, custom)
- Sentinel and OPA policies enforce governance rules. Three enforcement levels: advisory (warning), soft-mandatory (overridable by admins), hard-mandatory (cannot be overridden)
- Cost estimation runs between plan and apply, showing estimated monthly costs of infrastructure changes
- Projects organize workspaces into logical groups for management and access control at scale
- Dynamic provider credentials: HCP Terraform can generate short-lived credentials for cloud providers, eliminating the need for static secrets
Common Exam Traps
Terraform Concepts You Must Not Confuse
These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.
Top Mistakes to Avoid
Exam-Ready Checklist
Recommended Resources
Free & Official Resources
Paid Courses & Practice Exams
These are recommended if you prefer a structured learning path. They can save time but are not required to pass.