10 free, exam-style HCTAO (HCTAO) practice questions with answers and explanations. No signup required. Work through them below, then take the full free HCTAO practice test to study every exam domain.
A configuration creates five S3 buckets using `count` over a list of bucket names. After the second name is removed from the list, `terraform plan` proposes destroying and recreating buckets that were never actually changed. What is the BEST way to avoid this churn?
Correct answer: C - Use `for_each` keyed on the bucket names instead of `count`
A team must bring 12 manually created EC2 instances under Terraform management. The onboarding must be reviewable in a pull request and reproducible across environments. Which approach BEST meets these requirements?
Correct answer: A - Add `import` blocks to the configuration, then run `terraform plan` and `apply`
The variable `region` is set three ways for the same run: `us-west-2` in `terraform.tfvars`, `eu-west-1` via the `TF_VAR_region` environment variable, and `us-east-1` using `-var` on the command line. Which value does Terraform use?
Correct answer: D - us-east-1, because a `-var` flag has the highest precedence
An engineer renames a resource from `aws_instance.app` to `aws_instance.web` in the configuration. `terraform plan` now shows the instance will be destroyed and recreated. Which change preserves the existing instance under its new name?
Correct answer: B - Add a `moved` block from the old address to the new one
In HCP Terraform, a Sentinel policy must block non-compliant runs, but an organization owner needs the ability to override the failure and proceed in exceptional cases. Which enforcement level meets this requirement?
Correct answer: B - soft-mandatory
Configuration B reads from Configuration A's state using a `terraform_remote_state` data source. Which data from Configuration A can Configuration B actually access?
Correct answer: C - Only the values Configuration A declares as outputs
A developer marks a database password variable with `sensitive = true` and concludes the secret is now safe. Which statement accurately describes what `sensitive = true` does?
Correct answer: A - It redacts the value in CLI output, but state still stores it in plaintext
An engineer adds `version = "~> 2.0"` to a `module` block whose `source` is a local path such as `./modules/network`. What is the result?
Correct answer: D - Terraform errors, because version constraints are not valid for local modules
A pipeline runs `terraform plan -out=tfplan`, a reviewer approves, and the pipeline then runs `terraform apply tfplan`. Adding `-var` to the apply step causes Terraform to error. Why?
Correct answer: C - A saved plan already contains the variable values, which cannot be overridden
A configuration applies fine on a developer's macOS laptop, but the Linux CI pipeline fails during `terraform init`, reporting that the dependency lock file is missing the required provider hashes. What is the correct fix?
Correct answer: A - Run `terraform providers lock -platform=...` to record hashes for every target platform
Practice hundreds more HCTAO questions with instant scoring, weak-area drills, and full exam simulations.