HashiCorp Terraform Associate (003) Exam Cheat Sheet — 2026

> One-page quick reference for exam day | citadelcloudmanagement.com

---

Exam Overview

• Code: TA-003 | Questions: 57 | Time: 60 minutes | Passing: 70%
• Format: Multiple choice, multiple response, fill-in-the-blank | Cost: $70.50 USD

---

1. IaC Concepts (4-5 questions)

• IaC benefits: version control, automation, consistency, documentation-as-code
• Terraform is declarative (describe desired state, not steps)
• Idempotent: running the same config multiple times produces the same result
• Terraform vs other tools: CloudFormation (AWS-only), Pulumi (general-purpose, imperative), Ansible (config management, not provisioning)

---

2. Terraform Purpose & Workflow (7-8 questions)

Core Workflow: Write → Plan → Apply

terraform init      # Download providers, initialize backend
terraform plan      # Preview changes (dry run)
terraform apply     # Execute changes
terraform destroy   # Tear down all managed resources

Key Commands

• `terraform fmt`: format code to canonical style
• `terraform validate`: check syntax without accessing remote APIs
• `terraform show`: display current state or plan output
• `terraform output`: print output values
• `terraform state list`: list resources in state
• `terraform state show `: show single resource details
• `terraform import`: bring existing infrastructure under Terraform management
• `terraform taint` (deprecated) → `terraform apply -replace=`

---

3. Providers (3-4 questions)

• Providers are plugins that interact with APIs (AWS, Azure, GCP, etc.)
• Declared in `required_providers` block inside `terraform` block
• Version constraints: `= 5.0.0`, `>= 5.0`, `~> 5.0` (allows 5.x, not 6.0)
• `terraform init` downloads providers to `.terraform/providers/`
• Multiple provider configurations use `alias`
• Provider source: `registry.terraform.io//`

---

4. Terraform Configuration (10-12 questions)

Resource Block

resource "aws_instance" "web" {
  ami           = "ami-12345"
  instance_type = "t3.micro"
  tags = { Name = "web-server" }
}

Variables

• `variable` block: declares input variables
• Types: `string`, `number`, `bool`, `list`, `map`, `object`, `tuple`, `set`
• Precedence (highest to lowest): `-var` flag → `*.auto.tfvars` → `terraform.tfvars` → env vars (`TF_VAR_name`) → default value
• `sensitive = true`: redacts value from CLI output

Outputs

• `output` block: expose values after apply
• `sensitive = true`: hides output in CLI
• Referenced by other configs via `terraform_remote_state`

Data Sources

• Read-only queries to fetch existing infrastructure info
• `data "aws_ami" "latest" { ... }`

Locals

• Computed values used within a module: `locals { name = "${var.prefix}-app" }`

Expressions

• String interpolation: `"Hello, ${var.name}"`
• Conditional: `condition ? true_val : false_val`
• For expressions: `[for s in var.list : upper(s)]`
• Splat: `aws_instance.web[*].id`

---

5. State Management (8-10 questions)

• State file (`terraform.tfstate`): maps config to real resources
• Never edit state manually — use `terraform state` commands
• Remote backends: S3 + DynamoDB (locking), Terraform Cloud, Azure Blob, GCS
• State locking prevents concurrent modifications
• `terraform refresh` (deprecated in favor of `terraform plan -refresh-only`)
• Sensitive data IS stored in state — encrypt the state file and restrict access

---

6. Modules (7-8 questions)

• Root module: the directory where you run `terraform` commands
• Child modules: reusable components called with `module` block
• Module sources: local path, Terraform Registry, Git, S3
• Pass data into modules via input variables, get data out via outputs
• `terraform get` downloads modules; `terraform init` downloads modules AND providers
• Module versioning: `version = "~> 3.0"` in `module` block (registry modules only)

---

7. Terraform Cloud & Workspaces (5-6 questions)

Workspaces (CLI)

• Separate state files for same config: `terraform workspace new dev`
• Use `terraform.workspace` to reference current workspace name
• Default workspace cannot be deleted

Terraform Cloud/Enterprise

• Remote execution: plan/apply runs on Terraform Cloud
• VCS integration: auto-trigger on git push
• Sentinel: policy-as-code enforcement
• Private registry: share modules within organization
• Run triggers: chain workspace executions

---

8. Resource Lifecycle & Meta-Arguments (5-6 questions)

Meta-Arguments

• `depends_on`: explicit dependency declaration
• `count`: create multiple instances by index (`count.index`)
• `for_each`: create instances from a map/set (access via `each.key`, `each.value`)
• `provider`: specify non-default provider configuration
• `lifecycle`: customize resource behavior

Lifecycle Block

lifecycle {
  create_before_destroy = true   # Create replacement before destroying original
  prevent_destroy       = true   # Block terraform destroy
  ignore_changes        = [tags] # Don't update on external changes
  replace_triggered_by  = [...]  # Force replacement when referenced changes
}

Provisioners (use as last resort)

• `local-exec`: run command on machine running Terraform
• `remote-exec`: run command on the created resource
• `file`: copy files to remote resource
• HashiCorp recommends user_data/cloud-init over provisioners

---

Exam Tips

1. Know the variable precedence order — it appears in 2-3 questions
2. `count` vs `for_each`: use `for_each` with maps/sets, `count` with simple numbers
3. State questions: always pick "remote backend" over local for team scenarios
4. "Least privilege" for state: encrypt, restrict access, use remote backend with locking
5. Provisioners are a last resort — the exam wants you to know this

---

*Get the full study guide and 17 free courses at citadelcloudmanagement.com*