- (Exam Topic 1)
FILL BLANK
What is the name of the default file where Terraform stores the state?
Type your answer in the field provided. The text field is not case-sensitive and all variations of the correct answer are accepted.
Solution:
"This state is stored by default in a local file named "terraform.tfstate", but it can also be stored remotely, which works better in a team environment." https://www.terraform.io/language/state


Does this meet the goal?

1. A. Yes
2. B. No

Correct Answer: A

- (Exam Topic 4)
Your risk management organization requires that new AWS S3 buckets must be private and encrypted at rest. How can Terraform Enterprise automatically and proactively enforce this security control?

1. A. With a Sentinel policy, which runs before every apply
2. B. By adding variables to each TFE workspace to ensure these settings are always enabled
3. C. With an S3 module with proper settings for buckets
4. D. Auditing cloud storage buckets with a vulnerability scanning tool

Correct Answer: A
https://docs.hashicorp.com/sentinel/intro/what
https://medium.com/hashicorp-engineering/enforcing-aws-s3-security-best-practice-using-terraform-sentinel-dd

- (Exam Topic 3)
What kind of resource dependency is stored in terraform.tfstate file?

1. A. Both implicit and explicit dependencies are stored in state file.
2. B. Only explicit dependencies are stored in state file.
3. C. Only implicit dependencies are stored in state file.
4. D. No dependency information is stored in state file.

Correct Answer: A
Terraform state captures all dependency information, both implicit and explicit. One purpose for state is to determine the proper order to destroy resources. When resources are created all of their dependency information is stored in the state. If you destroy a resource with dependencies, Terraform can still determine the correct destroy order for all other resources because the dependencies are stored in the state.
https://www.terraform.io/docs/state/purpose.html#metadata

- (Exam Topic 4)
True or False? When using the Terraform provider for Vault, the tight integration between these HashiCorp tools provides the ability to mask secrets in the terraform plan and state files.

1. A. False
2. B. True

Correct Answer: A

Currently, Terraform has no mechanism to redact or protect secrets that are returned via data sources, so secrets read via this provider will be persisted into the Terraform state, into any plan files, and in some cases in the console output produced while planning and applying. These artifacts must, therefore, all be protected accordingly.

- (Exam Topic 3)
When multiple engineers start deploying infrastructure using the same state file, what is a feature of remote state storage that is critical to ensure the state doesn't become corrupt?

1. A. Object Storage
2. B. State Locking
3. C. WorkSpaces
4. D. Encryption

Correct Answer: B
If supported by your backend, Terraform will lock your state for all operations that could write state. This prevents others from acquiring the lock and potentially corrupting your state.
State locking happens automatically on all operations that could write state. You won't see any message that it is happening. If state locking fails, Terraform will not continue. You can disable state locking for most commands with the -lock flag but it is not recommended.
If acquiring the lock is taking longer than expected, Terraform will output a status message. If Terraform doesn't output a message, state locking is still occurring if your backend supports it.
Not all backends support locking. Please view the list of backend types for details on whether a backend supports locking or not.
https://www.terraform.io/docs/state/locking.html