FlashGenius Logo FlashGenius
Terraform Associate 004 · Page 1 of 5

IaC Foundations, Providers & Core Workflow

Terraform Associate 004 · Objectives 1, 2 & 3

IaC · Providers · Version Constraints · Lock File · init · plan · apply · destroy · fmt

Study with Practice Tests →

Overview

What you need to know for Page 1 — Objectives 1, 2 & 3 of the Terraform Associate 004 exam.

Why This Page Matters

Objectives 1–3 form the bedrock of the Terraform Associate exam. They test whether you understand what IaC is, why you'd pick Terraform over other tools, how providers connect Terraform to APIs, and how the everyday Write → Plan → Apply loop works. These concepts appear repeatedly across all other objectives, so a strong foundation here directly benefits your score everywhere else.

60
Minute Exam
$70.50
Exam Fee
1.12
Terraform Version
3
Objectives Covered
3,000+
Available Providers
Infrastructure as Code Declarative HCL Providers required_providers .terraform.lock.hcl terraform init terraform plan terraform apply terraform destroy terraform fmt terraform validate Version Constraints State File DAG
📄

Objective 1: IaC with Terraform

Understand what IaC is, its advantages over manual provisioning, and where Terraform sits relative to tools like Ansible, CloudFormation, and Pulumi. Terraform is declarative and multi-cloud.

🔌

Objective 2: Terraform Fundamentals

Providers, the required_providers block, version constraints including the ~> pessimistic operator, and the .terraform.lock.hcl dependency lock file. State and what it stores.

🔄

Objective 3: Core Terraform Workflow

The Write → Plan → Apply loop. Key commands: init, validate, fmt, plan, apply, destroy. Plan output symbols. The resource dependency graph (DAG).

🌐

Multi-Cloud & Hybrid

One Terraform config can manage AWS, Azure, GCP, and on-prem resources simultaneously using multiple providers. Provider-agnostic HCL keeps syntax consistent across targets.

🔒

Lock File & State

The lock file pins provider versions for reproducible builds — commit it to VCS. The .tfstate file maps config to real-world resources and tracks metadata. Never commit it unencrypted for production.

📊

Plan Symbols

+ create, - destroy, ~ update in-place, -/+ destroy then recreate, <= read data source. Knowing these lets you safely review what Terraform will do before applying.

Exam Snapshot — Terraform Associate 004

The exam is a 1-hour multiple-choice test delivered online through PSI or Pearson VUE for $70.50. It targets Terraform 1.12 and is vendor-neutral (no cloud provider specifics). The exam covers nine objectives; this page addresses objectives 1, 2, and 3.

ObjectiveTopicKey Commands / Concepts
1IaC with TerraformDeclarative, idempotent, multi-cloud, HCL
2Terraform FundamentalsProviders, required_providers, lock file, state
3Core Terraform Workflowinit, validate, fmt, plan, apply, destroy

Concepts

Deep-dive reference for every topic tested in Objectives 1, 2 & 3.

Objective 1 — Infrastructure as Code with Terraform

What Is Infrastructure as Code?

IaC means defining infrastructure (servers, networks, databases, load balancers) in text files rather than through manual clicks or scripts. Those files are version-controlled, peer-reviewed, and applied automatically — making infrastructure reproducible and auditable.

IaC Advantages

  • Automation: provision hundreds of resources in minutes without human intervention
  • Version control: track changes with Git; roll back to any previous state
  • Collaboration: teams review infra changes via pull requests, just like application code
  • Self-documenting: the config files are the living documentation of the infrastructure
  • Idempotent: running the same config multiple times produces the same result
  • Reduces human error: fewer manual steps means fewer mis-clicks or forgotten configs
  • Enables GitOps: merge to main triggers automated infra deployment pipelines

Declarative vs. Procedural

Terraform is declarative: you describe the desired end-state ("I want 3 EC2 instances") and Terraform figures out how to get there. You do not write step-by-step instructions for creating, updating, or deleting resources. This contrasts with procedural tools where you script every action explicitly.

Terraform vs. Alternatives

ToolStyleScopeKey Difference
TerraformDeclarativeMulti-cloud + on-premProvider-agnostic HCL; 3,000+ providers
AnsibleProceduralConfig managementExecutes ordered playbook tasks; agentless
CloudFormationDeclarativeAWS-onlyNative AWS; no multi-cloud; YAML/JSON
PulumiImperativeMulti-cloudReal programming languages (Python, TypeScript)
ARM / BicepDeclarativeAzure-onlyNative Azure; Bicep is ARM abstraction layer

Multi-Cloud and Hybrid Workflows

A single Terraform configuration can provision resources across AWS, Azure, GCP, and on-premises simultaneously by declaring multiple providers. The HCL syntax remains consistent regardless of target. Hybrid cloud workflows — where some workloads live in the cloud and others in private data centers — are supported through providers for VMware vSphere, Kubernetes, and similar platforms.

Service-Agnostic Reach

Terraform's provider ecosystem includes 3,000+ providers covering SaaS platforms (Datadog, PagerDuty, GitHub), databases (PostgreSQL, MySQL), DNS (Cloudflare, Route 53), identity providers (Okta), and monitoring tools — anything with an API can have a provider.

Objective 2 — Terraform Fundamentals

What Are Providers?

A provider is a plugin that Terraform downloads to interact with a specific API. The AWS provider speaks to AWS APIs; the Kubernetes provider speaks to the Kubernetes API server. Providers are authored and published to registry.terraform.io.

The required_providers Block

You declare which providers your configuration needs inside a terraform block:

terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 5.0" } kubernetes = { source = "hashicorp/kubernetes" version = ">= 2.20" } } required_version = ">= 1.5" }

Version Constraints

ConstraintMeaningExample Match
= 4.1.2Exactly this version4.1.2 only
!= 3.5.0Any version except this3.4.x, 3.6.x, …
>= 3.0This version or newer3.0, 4.x, 5.x, …
<= 5.0This version or older4.9, 5.0
~> 4.0Pessimistic: >= 4.0, < 5.04.0, 4.99 but not 5.0
~> 4.1.0Pessimistic patch: >= 4.1.0, < 4.24.1.x only

The pessimistic constraint operator ~> is the most exam-tested. It means "allow upgrades within the same leftmost fixed segment." ~> 4.0 allows any 4.x; ~> 4.1.0 allows any 4.1.x.

The Dependency Lock File (.terraform.lock.hcl)

When you run terraform init, Terraform selects a provider version that satisfies your constraints and records the exact version plus cryptographic checksums in .terraform.lock.hcl. On subsequent init runs, Terraform uses the pinned version from the lock file — even if a newer compatible version exists.

Lock File Rules

  • Commit to VCS — ensures every team member and CI pipeline uses identical provider versions
  • Do NOT gitignore it — unlike the .terraform/ directory, which should be gitignored
  • Update the lock file intentionally with terraform init -upgrade
  • Contains checksums for multiple platforms (linux_amd64, darwin_arm64, etc.)

Multiple Providers & Aliases

A single config can use AWS + Kubernetes + Random + Helm simultaneously. To use the same provider twice (e.g., two AWS regions), declare a second provider block with an alias:

provider "aws" { region = "us-east-1" } provider "aws" { alias = "west" region = "us-west-2" }

Terraform State

State is stored in a JSON file (terraform.tfstate) that maps every resource block in your config to a real-world object. State enables drift detection (Terraform can tell if a resource was changed outside Terraform), tracks dependencies and metadata, and is required for plan and apply to work correctly.

State Key Points

  • Local state: stored as terraform.tfstate in the working directory
  • Remote state: stored in S3, GCS, Terraform Cloud, Azure Blob — preferred for teams
  • State locking: prevents concurrent runs from corrupting state
  • Never manually edit the state file; use terraform state subcommands instead
  • Contains sensitive values — encrypt remote backends and restrict access

Objective 3 — Core Terraform Workflow

The 3-Step Loop

✍️

1. Write

Author .tf files in HCL defining the resources you want. Use terraform fmt to canonicalize formatting and terraform validate to catch syntax errors before planning.

🔍

2. Plan

Run terraform plan to preview what Terraform will create, update, or destroy. Review the diff carefully — this is your safety check before making real changes.

3. Apply

Run terraform apply to execute the plan. Terraform prompts for confirmation (type yes) then provisions resources. Use --auto-approve in CI only.

Command Reference

CommandPurposeKey Flags
terraform initDownloads providers & modules, configures backend, creates .terraform/-upgrade, -backend=false, -migrate-state
terraform validateChecks syntax & internal consistency; no API calls made-json
terraform fmtFormats HCL to canonical style (2-space indent)-recursive, -check, -diff
terraform planCreates execution plan; shows + / - / ~ / -/+ changes-out=plan.tfplan, -var, -target, -refresh=false
terraform applyExecutes plan; prompts for confirmation--auto-approve, plan.tfplan (saved plan file)
terraform destroyDestroys all managed resourcesEquivalent to terraform apply -destroy

Plan Output Symbols

+
Create — resource will be provisioned for the first time
Destroy — resource will be deleted
~
Update in-place — resource will be modified without recreation
-/+
Destroy then recreate — attribute change requires replacement (forces new resource)
<=
Read — data source will be read during apply

Resource Graph (DAG)

Terraform builds a Directed Acyclic Graph (DAG) of all resources based on explicit depends_on declarations and implicit references (e.g., referencing aws_vpc.main.id). Resources with no dependencies between them are provisioned in parallel. The graph ensures correct ordering and enables parallel execution for maximum speed.

terraform init — What It Does

  • Downloads provider plugins listed in required_providers into .terraform/providers/
  • Downloads module sources listed in the config
  • Configures the backend (where state is stored)
  • Creates or updates .terraform.lock.hcl
  • Must be run before any other command in a new working directory

terraform fmt Details

  • Rewrites .tf files to canonical HCL style: 2-space indentation, aligned equals signs
  • -recursive: formats all .tf files in all subdirectories
  • -check: exits non-zero if files need formatting (use in CI to enforce style)
  • -diff: shows the diff without writing files
  • Only formats — does NOT validate logic or catch errors

Memory Hooks

Six mnemonics to lock in the most exam-tested Terraform concepts.

🔄

The WPA Loop

The core Terraform workflow is always the same three steps in the same order. When in doubt, start from the top and work down.

Write → Plan → Apply
🎯

The Pessimistic Constraint

~> keeps you on the same major version, letting minor/patch versions float upward. Think of it as "stay in your lane." ~> 4.0 = any 4.x; ~> 4.1.0 = any 4.1.x.

~> = "same major, latest minor"
📁

Lock File vs. .terraform/

The lock file is tiny and precious — commit it. The .terraform/ directory is large and reproducible — gitignore it. One is your source of truth; the other is a cache.

Lock file = commit it · .terraform/ = gitignore it
🔬

validate vs. plan

validate is a pure offline syntax and logic check — zero API calls, works without credentials. plan reaches out to the real API to calculate a live diff. Both can catch errors, but plan catches more.

validate = syntax check (no API) · plan = preview (API calls)
📊

Plan Symbol Cheat Sheet

Read the plan output left to right: green plus means birth, red minus means death, yellow tilde means change, orange plus-minus means death-and-rebirth, blue arrow means a data read.

+ create · − destroy · ~ update · -/+ replace · <= read
🔌

Provider = Plugin = API Translator

Every provider is just a plugin that translates Terraform HCL into API calls. No provider, no resources. Providers live in registry.terraform.io and are downloaded by terraform init.

Provider = plugin = API translator

Quiz

10 questions covering IaC concepts, providers, version constraints, lock files, and the core workflow. Select your answer for each question, then click Submit.

Question 1 of 10
Which characteristic of Terraform means that running the same configuration multiple times always produces the same infrastructure state?
Question 2 of 10
You want to allow any version of the AWS provider that is >= 5.0 but less than 6.0. Which version constraint expression is correct?
Question 3 of 10
What is the primary purpose of the .terraform.lock.hcl file?
Question 4 of 10
A developer runs terraform plan and sees -/+ next to a resource. What does this symbol indicate?
Question 5 of 10
Which Terraform command checks configuration for syntax errors and internal consistency WITHOUT making any API calls to providers?
Question 6 of 10
You need to run terraform fmt on all .tf files in the current directory AND all subdirectories. Which flag accomplishes this?
Question 7 of 10
How does Terraform differ from Ansible in its approach to managing infrastructure?
Question 8 of 10
What does terraform init do when run in a working directory for the first time?
Question 9 of 10
Which of the following statements about the .terraform.lock.hcl file is CORRECT?
Question 10 of 10
Which data structure does Terraform build internally to determine the correct order of resource provisioning and enable parallel execution where possible?

Quiz Complete!

0/10

Flashcards

Click any card to flip it and reveal the answer. Work through all 8 to test your recall.

Lock File
What is the purpose of .terraform.lock.hcl and should it be committed to VCS?
Answer
It pins the exact provider versions and cryptographic checksums selected by terraform init. YES — commit it to VCS so every developer and CI pipeline uses identical provider versions. The .terraform/ directory should be gitignored, not the lock file.
Version Constraints
What does the ~> pessimistic constraint operator mean? Give an example.
Answer
It allows upgrades within the same leftmost fixed segment. ~> 4.0 allows any 4.x (>=4.0, <5.0). ~> 4.1.0 allows any 4.1.x (>=4.1.0, <4.2.0). Think: "same major, latest minor."
terraform init
Name four things terraform init does when run in a working directory.
Answer
1. Downloads provider plugins into .terraform/providers/. 2. Downloads declared modules. 3. Configures the backend (where state is stored). 4. Creates or updates .terraform.lock.hcl. Must run before plan or apply.
validate vs. plan
What is the key difference between terraform validate and terraform plan?
Answer
validate checks syntax and internal consistency only — it makes NO API calls and requires no credentials. plan contacts the real provider API to compute a live diff. Plan catches more errors but requires valid credentials and network access.
Plan Symbols
What do the symbols +, -, ~, -/+, and <= mean in plan output?
Answer
+ Create (new resource). - Destroy (delete resource). ~ Update in-place (no recreation). -/+ Destroy then recreate (replacement, e.g. immutable attribute changed). <= Read data source during apply.
terraform fmt
What do the -recursive and -check flags do with terraform fmt?
Answer
-recursive formats all .tf files in the current directory AND all subdirectories, not just the current directory. -check exits with a non-zero code if any files are not formatted (used in CI pipelines to enforce style without writing changes).
Provider Alias
When and how do you use a provider alias in Terraform?
Answer
Use an alias when you need multiple instances of the same provider — for example, AWS in two regions. Declare a second provider block with alias = "west", then reference it in resources as provider = aws.west. The unaliased block is the default.
State File
What does Terraform's state file store and why is it critical?
Answer
The state file (terraform.tfstate) maps each resource block to a real-world object, stores resource attributes and metadata, and tracks dependencies. Without it, Terraform cannot determine what exists, detect drift, or compute a correct plan. Protect it — it may contain sensitive values.

Tap a card to flip · Tap again to flip back

Study Advisor

Select a category to get targeted study guidance for each area of Objectives 1–3.

📋 IaC Concepts — Study Guide

What to Master

The exam tests both what IaC is and why it matters. Expect questions that ask you to identify IaC advantages from a list, or distinguish declarative from procedural approaches.

  • IaC advantages: automation, version control, collaboration, idempotency, self-documenting, reduces human error, enables GitOps
  • Declarative = describe desired state; Terraform figures out how to get there
  • Procedural = write every step (Ansible playbooks, shell scripts)
  • Terraform is multi-cloud via providers; CloudFormation is AWS-only; ARM/Bicep is Azure-only
  • Pulumi uses real programming languages (Python, TypeScript); Terraform uses HCL

Likely Exam Angle

You may be given a scenario ("your team wants to manage infrastructure across AWS and Azure with a single tool") and asked which tool is appropriate. The answer is Terraform or Pulumi — but Pulumi is imperative while Terraform is declarative. Know the distinction.

Quick Self-Check

  • Can you name 5 IaC advantages without looking?
  • Can you explain why "idempotent" matters for automation?
  • Do you know which IaC tools are cloud-specific vs. multi-cloud?

🔌 Providers — Study Guide

What to Master

Providers are the integration layer between Terraform and external APIs. The exam frequently tests version constraints — especially the ~> operator — and what required_providers declares.

  • Providers are plugins; sourced from registry.terraform.io by default
  • required_providers declares source and version constraints for each provider
  • ~> 4.0 = any 4.x (>= 4.0, < 5.0)
  • ~> 4.1.0 = any 4.1.x (>= 4.1.0, < 4.2.0)
  • >= 3.0 = 3.x, 4.x, 5.x … (open-ended upper bound)
  • Provider alias allows multiple instances of the same provider type

Common Exam Trap

Students confuse ~> 4.0 (allows any 4.x) with ~> 4.1.0 (allows only 4.1.x). The number of version segments determines the scope of the constraint. Two segments = major pinned; three segments = major + minor pinned.

Quick Self-Check

  • Write the correct constraint to allow only 5.x versions of a provider
  • Where are providers downloaded from by default?
  • What HCL block declares provider requirements?

🔄 Workflow Commands — Study Guide

What to Master

The exam tests not just which commands exist, but what each one does — and what it does NOT do. Pay close attention to the differences between validate, fmt, and plan.

  • init: downloads providers & modules, configures backend, creates lock file
  • validate: syntax + logic check; NO API calls; works offline
  • fmt: formatting only; does NOT validate logic or contact APIs
  • plan: live diff; contacts API; requires credentials and initialized directory
  • apply: executes plan; prompts for confirmation; --auto-approve skips prompt
  • destroy: deletes all managed resources; equivalent to apply -destroy

Key Flags to Know

  • terraform plan -out=plan.tfplan — saves plan to file for later apply
  • terraform apply plan.tfplan — applies exact saved plan (no re-planning)
  • terraform fmt -recursive -check — CI style enforcement
  • terraform init -upgrade — allows upgrading locked provider versions

🗺️ Plan & Apply — Study Guide

What to Master

Plan output symbols are heavily tested. You need to instantly recognize what each symbol means and know when Terraform uses each one — particularly the difference between ~ (update) and -/+ (replace).

  • + green — resource being created for the first time
  • - red — resource being deleted
  • ~ yellow — resource being modified without recreation
  • -/+ orange — resource must be destroyed then recreated (immutable attribute changed)
  • <= blue — data source being read (read-only, no side effects)

When Does -/+ Happen?

Certain resource attributes are immutable once created (e.g., an EC2 instance AMI ID, an S3 bucket name). Changing these forces Terraform to destroy the existing resource and create a new one. The plan annotates such attributes with # forces replacement.

Resource Graph (DAG)

  • Terraform automatically builds a dependency graph from resource references
  • Resources with no dependencies are provisioned in parallel
  • Use depends_on for explicit ordering when implicit references aren't enough
  • Use terraform graph to visualize the DAG in DOT format

📁 State Basics — Study Guide

What to Master

State is Terraform's memory. Understand what it stores, why it's required, and the basic operational rules around managing it safely.

  • State maps config resource blocks to real-world objects (resource IDs, attributes)
  • Enables drift detection — Terraform knows what it created vs. what exists now
  • Tracks dependencies and metadata between resources
  • Local state: terraform.tfstate in working directory (default)
  • Remote state: S3, GCS, Azure Blob, Terraform Cloud — enables collaboration and locking

State Safety Rules

  • Never manually edit terraform.tfstate — use terraform state subcommands
  • Enable state locking to prevent concurrent apply operations from corrupting state
  • State files may contain sensitive values (passwords, keys) — restrict access and encrypt
  • Do NOT commit state files to public repos; use remote state backends

Quick Self-Check

  • What happens if you delete the state file and run terraform plan?
  • Why is remote state preferred over local state for teams?
  • Which command is used to manipulate state without editing the file directly?

Resources

Official and community resources to deepen your Terraform Associate 004 preparation.

Official

HashiCorp Terraform Associate 004 Study Guide

Official exam objectives, study guide, and sample questions from HashiCorp for the Terraform Associate (004) certification.


developer.hashicorp.com →
Documentation

Terraform Language Documentation

Complete reference for HCL syntax, providers, resources, data sources, modules, and backend configuration.


developer.hashicorp.com/terraform/language →
Documentation

Terraform CLI Commands

Full documentation for every CLI command including all flags for init, plan, apply, fmt, validate, destroy, and more.


developer.hashicorp.com/terraform/cli →
Registry

Terraform Registry

Browse 3,000+ providers and modules. Essential for understanding provider sourcing, versioning, and the required_providers block in practice.


registry.terraform.io →
Tutorials

HashiCorp Learn: Get Started with Terraform

Hands-on tutorials covering the core workflow on AWS, Azure, GCP, and Docker — the fastest way to build practical intuition.


developer.hashicorp.com/tutorials →
Practice

FlashGenius Practice Tests

Timed practice exams with detailed explanations, covering all nine Terraform Associate 004 objectives to simulate exam conditions.


flashgenius.net →

Ready to Pass the Terraform Associate 004?

Practice with full-length timed exams, detailed explanations, and all 9 objectives covered.

Start Practice Tests → Create Free Account