Terraform Associate 004 · Page 5 of 5

HCP Terraform

Terraform Associate 004 · Objective 8
Workspaces · Projects · Run Lifecycle · Sentinel · OPA · Variable Sets · Run Triggers · Drift Detection
Exam Snapshot
  • Exam: Terraform Associate 004
  • Duration: 60 minutes
  • Format: Multiple Choice
  • Cost: $70.50
  • Version: Terraform 1.12
  • This Page: Objective 8 — HCP Terraform
What Is HCP Terraform?

SaaS Collaborative Platform

HCP Terraform (formerly Terraform Cloud) is HashiCorp's managed SaaS platform that extends Terraform with team workflows, governance, and scalable infrastructure management. It removes the need to manage remote state or execution environments yourself.

  • Remote State — Encrypted, versioned state storage
  • Remote Execution — Plans/applies run on HCP agents
  • Team Access — Workspace-level RBAC permissions
  • Private Registry — Org-scoped modules & providers
  • Policy Enforcement — Sentinel & OPA integration
  • Governance — Audit logs, SSO, drift detection
Objectives Covered — Page 5
| Objective | Topic | Key Skills |
| --- | --- | --- |
| 8a | Create infrastructure with HCP Terraform | Run lifecycle, workspace types, remote operations |
| 8b | Collaboration & governance features | Teams, SSO, audit logs, Sentinel, OPA, drift detection |
| 8c | Workspaces & projects | Projects, run triggers, variable sets, workspace variables |
| 8d | Configure HCP Terraform integration | cloud block, terraform login, state migration, CLI workflow |
Run Lifecycle at a Glance

Standard Run States

Pending → Planning → Planned → Applying → Applied

The Planned state awaits operator approval before proceeding to Apply. Terminal error states include Errored, Discarded, and Canceled. Speculative plans (triggered by PRs) never reach Applying — they show proposed changes only.

8a — Using HCP Terraform to Create Infrastructure
Workspace Types
| Type | Trigger | Use Case |
| --- | --- | --- |
| VCS-driven | Push to configured branch in GitHub/GitLab/Bitbucket automatically triggers a plan | Standard GitOps workflow for teams |
| CLI-driven | Developer runs terraform apply locally; execution happens remotely on HCP Terraform | Developer-initiated remote runs |
| API-driven | Plans/applies triggered via HCP Terraform REST API | CI/CD pipelines, custom automation |
Run Lifecycle

Full State Sequence

  • Pending — run is queued, waiting for a worker
  • Planning — terraform plan executing on HCP agent; logs streaming
  • Planned — plan complete; awaits human confirmation (or auto-apply if enabled)
  • Applying — terraform apply executing; changes being made
  • Applied — run successful; state updated
  • Errored / Discarded / Canceled — terminal failure/abort states

Speculative Plans

Triggered by pull requests in VCS-driven workspaces. They show what would change without requiring approval or applying anything. Results post back to the PR as a check. No state is modified.

Remote Operations

Plan & Apply on HCP Agents

When using remote operations, terraform plan and terraform apply execute on HCP Terraform's managed infrastructure — not your local machine. Log output streams back to your browser UI or CLI in real time. Your local machine only needs the cloud block configured and valid credentials via terraform login.

8b — Collaboration & Governance Features
Teams & Access Control

Teams

Groups of users within an HCP Terraform organization. Teams receive workspace-level permissions:

  • Read — view state, plans, variables
  • Plan — trigger speculative plans
  • Write — queue runs, approve plans, manage variables
  • Admin — full workspace control including settings and team assignments
Enterprise Security
| Feature | Detail |
| --- | --- |
| SSO | SAML 2.0 / OIDC integration with enterprise identity providers (Okta, Azure AD, etc.) |
| Audit Logs | Immutable record of all user actions — who did what, when; exportable for compliance |
| Private Registry | Host private modules and providers; organization-scoped; versioned; same syntax as public registry (source = "org/module") |
Policy Enforcement

Sentinel — Policy as Code

HashiCorp's built-in policy framework. Policies are written in the Sentinel language and applied to runs before apply executes.

| Enforcement Level | Behavior | Who Can Override? |
| --- | --- | --- |
| advisory | Logs a warning; run continues | N/A — no block |
| soft-mandatory | Blocks run; organization admins can override | Organization admins |
| hard-mandatory | Blocks run; nobody can override — only policy code change fixes it | Nobody |

OPA (Open Policy Agent)

Alternative policy framework. Policies written in Rego language. OPA is a CNCF-graduated project widely used outside HashiCorp tooling. Both Sentinel and OPA policies can be organized into policy sets — collections applied to specific workspaces or all workspaces in an organization.

Health & Drift

Drift Detection

Scheduled checks that compare the Terraform state file to real infrastructure in the cloud. If the two diverge (e.g., someone manually deleted a resource), HCP Terraform alerts on drift without automatically triggering an apply. Part of the broader Health Assessments feature which also runs Sentinel policy checks continuously.

Explorer

Cross-workspace resource inventory built into HCP Terraform. Lets you search and audit resources managed across all workspaces in an organization from a single view — useful for compliance and sprawl management.

8c — Workspaces & Projects
Core Concepts
| Concept | Definition | Scopes |
| --- | --- | --- |
| Workspace | Isolated unit of Terraform state; has its own variables, run history, and state file | Individual environment (dev, staging, prod) |
| Project | Logical folder grouping of workspaces; team permissions can be set at the project level | Application, team, or domain |
Run Triggers

Workspace-to-Workspace Dependencies

A run trigger causes Workspace B to automatically queue a plan when Workspace A successfully applies. This models infrastructure dependencies — e.g., a networking workspace finishing before application workspaces start. Run triggers chain workspaces without requiring manual intervention.

Variable Sets

Reusable Variable Collections

Variable sets are named collections of Terraform variables and environment variables that can be shared across multiple workspaces, eliminating copy-paste of common config (e.g., AWS credentials, region). Scope options:

  • Organization-wide — applied automatically to every workspace
  • Project-scoped — applied to all workspaces within a project
  • Workspace-specific — applied to designated workspaces only

Precedence: Workspace variables override variable sets. TF_VAR_ environment variables set in workspace settings behave identically to CLI environment variables.

8d — Configuring HCP Terraform Integration
The cloud Block

Modern Integration Approach

Replace a backend block with the cloud block inside terraform {} to connect your workspace to HCP Terraform:

terraform {
  cloud {
    organization = "my-org"
    workspaces {
      name = "my-workspace"
    }
  }
}

After adding the block, run terraform init to set up the remote backend and download providers for remote execution. If migrating existing state, terraform init prompts you to confirm the migration.

Authentication
| Command | Action | Token Location |
| --- | --- | --- |
| terraform login | Authenticates CLI with HCP Terraform; opens browser for token generation | ~/.terraform.d/credentials.tfrc.json |
| terraform logout | Removes stored API token from credentials file | Token deleted from above path |
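
The token that terraform login writes to ~/.terraform.d/credentials.tfrc.json is stored in plain text, so the file's permissions decide who else on the machine can use it. The Python check below is an added example, not part of the original study guide or of HashiCorp's tooling; the helper names audit_credentials and demo, the app.terraform.io host entry and the fake token are assumptions constructed for illustration.

```python
import json
import os
import stat
import tempfile

def audit_credentials(path):
    """Return findings for a Terraform CLI credentials file (hypothetical helper)."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return ["no credentials file found"]
    findings = []
    # Any group/other bit exposes the plaintext token to other local accounts.
    if mode & 0o077:
        findings.append(f"mode {mode:04o} grants access beyond the owner; use 0600")
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
    except (OSError, json.JSONDecodeError) as exc:
        return findings + [f"unreadable or malformed JSON: {exc}"]
    creds = doc.get("credentials") if isinstance(doc, dict) else None
    for host, entry in (creds.items() if isinstance(creds, dict) else []):
        token = entry.get("token", "") if isinstance(entry, dict) else ""
        if token:
            # Report host and length only; never echo the secret itself.
            findings.append(f"token present for {host} ({len(token)} chars)")
    return findings

def demo():
    # Constructed sample in the credentials.tfrc.json layout, with a fake token.
    sample = {"credentials": {"app.terraform.io": {"token": "EXAMPLE.atlasv1.NOT-A-REAL-TOKEN"}}}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials.tfrc.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)   # deliberately too permissive
        loose = audit_credentials(path)
        os.chmod(path, 0o600)   # owner-only
        tight = audit_credentials(path)
    return loose, tight

if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result)
```

To check a real workstation, call audit_credentials(os.path.expanduser("~/.terraform.d/credentials.tfrc.json")).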
CLI-Driven Workflow

Remote Execution from Local CLI

With the cloud block and a valid token, running terraform plan or terraform apply locally submits the run to HCP Terraform where it executes remotely. Log output streams back to the terminal in real time. Your local .tf files define configuration; HCP Terraform manages state and execution environment.

  • terraform init — configures remote backend; -upgrade flag upgrades providers to newest allowed versions
  • Local .tf files are uploaded to HCP Terraform for each run
  • State never touches your local disk when using remote operations
Memory Hooks — Lock In the Key Facts

These six patterns cover the most-tested HCP Terraform concepts. Memorize the structures — exam questions test recognition of exact states, levels, and scoping rules.

  • Run Lifecycle: Pending → Planning → Planned → Applying → Applied. "Planned" is the checkpoint where a human approves (or auto-apply kicks in). Errored/Discarded/Canceled are terminal failure states.
  • Sentinel Enforcement Levels: advisory (warn) < soft-mandatory (can override) < hard-mandatory (blocked). Think of a traffic signal: yellow = advisory, red = soft (manager can wave you through), wall = hard (nobody passes).
  • Variable Sets vs Workspace Variables: Variable sets = org-wide shared variables; workspace vars override them. Variable sets eliminate copy-paste of credentials across workspaces. Workspace variables always win precedence.
  • Run Triggers: Run triggers = workspace-to-workspace dependency chain. Workspace B queues automatically when Workspace A successfully applies. Models infrastructure dependencies without manual glue.
  • 3 Workspace Types: VCS-driven (auto — push to branch triggers plan), CLI-driven (manual — developer runs terraform apply remotely), API-driven (pipeline — triggered via HCP Terraform API).
  • CLI Authentication & Integration: terraform login = store token in ~/.terraform.d/credentials.tfrc.json. cloud block = point CLI at HCP Terraform org + workspace. Add block → terraform init → ready.
Quick-Reference Ladder

Policy Enforcement — Hardness Scale

| Level | Blocks Run? | Override Available? | Fix Required? |
| --- | --- | --- | --- |
| advisory | No | N/A | No |
| soft-mandatory | Yes | Yes — org admins only | No (admin can bypass) |
| hard-mandatory | Yes | No — nobody | Yes — policy must change |
Flashcards

8 cards covering the most exam-critical HCP Terraform concepts.

Q: What does the cloud block look like and where does it go?
A: Inside terraform {}. Uses organization and workspaces { name = "..." }. Replace any existing backend block. Run terraform init after adding it.

Q: What are the three Sentinel enforcement levels and what does each do?
A: advisory — warns, run continues. soft-mandatory — blocks run; org admins can override. hard-mandatory — blocks run; no override possible, policy must change.

Q: What is a speculative plan and when does it apply?
A: A speculative plan is triggered by a pull request in a VCS-driven workspace. It shows proposed changes without requiring approval and never applies — no state is modified. Results post back to the PR.

Q: What is the difference between a workspace and a project in HCP Terraform?
A: A workspace is an isolated state unit with its own variables and run history. A project is a logical folder grouping multiple workspaces — team permissions can be granted at the project level.

Q: What are variable sets and what are the three scopes?
A: Reusable collections of variables/env vars shared across workspaces. Scopes: organization-wide (all workspaces), project-scoped (all workspaces in a project), workspace-specific. Workspace variables override variable sets.

Q: What problem do run triggers solve?
A: Run triggers model dependencies between workspaces. When Workspace A successfully applies, Workspace B automatically queues a plan — enabling infrastructure dependency chains without manual coordination.

Q: What does terraform login do and where is the token stored?
A: Authenticates the Terraform CLI with HCP Terraform by opening a browser for API token generation. The token is stored in ~/.terraform.d/credentials.tfrc.json. Use terraform logout to remove it.

Q: How does drift detection differ from a regular apply?
A: Drift detection is a scheduled comparison of state vs. real infrastructure that alerts on drift but does not apply changes. A regular apply actively modifies infrastructure. Drift detection is read-only and non-destructive.

Practice Quiz — Objective 8: HCP Terraform

10 questions · Multiple choice · Select one answer per question

Question 1 of 10
A Sentinel policy must prevent all applies unless a required tag is present. No exception should be possible. Which enforcement level achieves this?
Question 2 of 10
A developer runs terraform apply from their local machine. The plan and apply execute on HCP Terraform's agents, and logs stream to the developer's terminal. Which workspace type is this?
Question 3 of 10
A run has completed its plan. An operator must now approve before infrastructure changes are made. In which run state is the run currently?
Question 4 of 10
A platform team wants to group related workspaces together and manage team access at that group level rather than workspace by workspace. Which HCP Terraform feature should they use?
Question 5 of 10
A team has 20 workspaces that all need the same AWS provider credentials. Rather than setting them in each workspace, what should they create?
Question 6 of 10
Workspace A provisions a VPC. Workspace B provisions application resources inside that VPC. After Workspace A applies successfully, Workspace B should automatically queue a plan. Which feature enables this?
Question 7 of 10
Which command authenticates the Terraform CLI with HCP Terraform, and where is the resulting token stored?
Question 8 of 10
HCP Terraform detects that a resource in the state file no longer exists in the cloud provider — it was deleted manually. What does drift detection do in response?
Question 9 of 10
A team wants to use a policy framework that uses Rego language and is a CNCF-graduated project. Which HCP Terraform-compatible policy option should they choose?
Question 10 of 10
Which of the following is the correct cloud block syntax to connect a workspace named prod-infra in organization acme-corp?
Study Advisor


☁️ HCP Terraform Basics

  • Know the three workspace types: VCS-driven, CLI-driven, and API-driven — and what triggers each
  • Memorize all run lifecycle states in order: Pending → Planning → Planned → Applying → Applied
  • Understand what a speculative plan is: no apply, no state change, triggered by PRs
  • Know that "Planned" state requires human confirmation before applying (unless auto-apply is on)
  • Understand remote operations: plan and apply execute on HCP agents, logs stream to your terminal
Exam tip: Questions on workspace types often describe a scenario — match the trigger (push, CLI, API) to the workspace type.
Quick Reference
Run Lifecycle States
| State | Description | Terminal? |
| --- | --- | --- |
| Pending | Run queued, waiting for worker | No |
| Planning | terraform plan executing on HCP agent | No |
| Planned | Plan complete; awaiting approval | No |
| Applying | terraform apply executing | No |
| Applied | Run successful; state updated | Yes (success) |
| Errored | Plan or apply failed with error | Yes (failure) |
| Discarded | Operator rejected the plan | Yes (abort) |
| Canceled | Run was canceled mid-execution | Yes (abort) |
Workspace Types Comparison
| Type | Trigger | VCS Required? | Typical Use |
| --- | --- | --- | --- |
| VCS-driven | Push to configured branch | Yes | Team GitOps workflows |
| CLI-driven | terraform plan/apply from CLI | No | Developer-initiated runs |
| API-driven | REST API call to HCP Terraform | No | CI/CD pipelines, automation |
Sentinel Enforcement Levels
| Level | Blocks Run? | Override? | Who? |
| --- | --- | --- | --- |
| advisory | No | N/A | N/A |
| soft-mandatory | Yes | Yes | Org admins only |
| hard-mandatory | Yes | No | Nobody |
Variable Precedence (highest wins)
| Priority | Source | Notes |
| --- | --- | --- |
| 1 (highest) | Workspace variables | Explicitly set on the workspace |
| 2 | Variable sets | Project-scoped then org-wide |
| 3 (lowest) | Default values in code | From variable definition blocks |
Key Commands
| Command | Purpose |
| --- | --- |
| terraform login | Authenticate CLI with HCP Terraform; stores token |
| terraform logout | Remove stored API token |
| terraform init | Initialize backend; migrate state when cloud block added |
| terraform init -upgrade | Upgrade providers to newest allowed versions |
| terraform plan | In CLI-driven: submits remote plan; streams logs to terminal |
| terraform apply | In CLI-driven: submits remote apply; streams logs to terminal |
cloud Block Syntax
terraform {
  cloud {
    organization = "my-org"
    workspaces {
      name = "my-workspace"
    }
  }
}

Token stored at: ~/.terraform.d/credentials.tfrc.json

Feature Summary
| Feature | Key Fact |
| --- | --- |
| Speculative plans | PR-triggered; no apply; no state change; results post to PR |
| Projects | Logical workspace groups; team permissions set at project level |
| Run triggers | Workspace B auto-queues when Workspace A successfully applies |
| Variable sets | Shared vars across workspaces; workspace vars override |
| Drift detection | Scheduled; alerts on drift; does NOT auto-apply |
| Explorer | Cross-workspace resource inventory |
| Audit logs | Immutable; who did what, when |
| SSO | SAML 2.0 / OIDC only |
| OPA | Rego language; CNCF-graduated alternative to Sentinel |
| Sentinel | HashiCorp-native policy-as-code; Sentinel language |
