At $70.50, Terraform Associate (003) is the cheapest meaningful certification in the DevOps ecosystem. It costs less than most textbooks. It's also the most widely held infrastructure-as-code certification, which creates a useful signal problem: because so many people have it, simply holding Terraform Associate distinguishes you less than it did in 2020. What it still does reliably is validate that you understand how Terraform's state management model works, how the resource lifecycle behaves, and how to write and debug HCL configurations — knowledge that's non-trivial and that candidates who try to fake their way through consistently fail on.
The exam is 57 questions in 60 minutes. The questions that fail candidates aren't the hard ones — they're the ones that require understanding Terraform's behavior in specific edge cases that you only encounter if you've actually run terraform plan on configurations that include non-trivial state interactions.
What Terraform Associate 003 Tests
Terraform Associate (003) — HashiCorp's current version of the Terraform practitioner certification, updated in 2022 to include Terraform CDK and expanded cloud agnostic content.
The six objective domains:
| Domain | Weight | Key Content |
|---|---|---|
| Understand IaC Concepts | 7% | IaC benefits, declarative vs imperative, Terraform vs alternatives |
| Understand Terraform's Purpose | 8% | Provider ecosystem, Terraform Cloud, OSS vs Enterprise |
| Understand Terraform Basics | 35% | HCL syntax, resources, data sources, variables, outputs, locals |
| Use the Terraform CLI | 28% | init, plan, apply, destroy, state, workspace, fmt, validate |
| Interact with Terraform Modules | 13% | Module structure, registry modules, versioning, outputs |
| Implement and Maintain State | 9% | Remote backends, state locking, sensitive values, state commands |
Basics (35%) plus CLI (28%) equals 63% of the exam. Everything else is context. The exam is primarily testing whether you know HCL syntax and how to use Terraform's command-line interface correctly.
The HCL Syntax the Exam Tests
HCL (HashiCorp Configuration Language) — the declarative language used to write Terraform configurations, using blocks, arguments, and expressions.
Resource Blocks and Meta-Arguments
The exam tests meta-arguments — special arguments that modify how Terraform handles a resource regardless of the provider:
resource "aws_instance" "web" {
ami = var.ami_id
instance_type = "t3.micro"
count = var.instance_count
lifecycle {
create_before_destroy = true
prevent_destroy = false
}
depends_on = [aws_security_group.web_sg]
}
count — creates multiple instances of a resource using an integer. The exam tests what happens when you change count from 3 to 2: Terraform destroys aws_instance.web[2] (the last index). If you remove the middle item from the list that sets count values, indices shift — web[1] is destroyed and web[2] becomes the new web[1]. This behavior is why for_each is preferred over count for most resource collections.
for_each — creates multiple instances of a resource using a map or set. The exam tests the key distinction: when you remove a key from a for_each map, only that specific resource is destroyed. Other resources are unaffected. This is the primary exam scenario where for_each is explicitly the correct choice over count.
lifecycle blocks — the exam tests all three lifecycle arguments:
create_before_destroy— creates replacement before destroying original (useful for resources where downtime is unacceptable)prevent_destroy— causesterraform destroyand resource removal to fail with an errorignore_changes— prevents Terraform from detecting changes to specified attributes
Variable Types and Validation
The exam tests variable validation blocks — constraints that Terraform checks before running:
variable "instance_type" {
type = string
default = "t3.micro"
validation {
condition = contains(["t3.micro", "t3.small", "t3.medium"], var.instance_type)
error_message = "Instance type must be t3.micro, t3.small, or t3.medium."
}
}
Variable precedence — the order in which Terraform resolves variable values:
Environment variables (
TF_VAR_instance_type)terraform.tfvarsorterraform.tfvars.json*.auto.tfvarsfiles (alphabetical order)-varand-var-filecommand-line flags (in order specified)Default values in variable blocks
The exam presents scenarios where multiple sources set the same variable and asks which value Terraform uses. Command-line -var flags always win.
State Management: The Highest-Failure-Rate Content
Terraform state — a JSON file (terraform.tfstate) that records the real-world infrastructure Terraform has provisioned, including resource IDs, attribute values, and metadata.
Candidates who've worked with Terraform in a team environment understand state intuitively. Candidates who've only run Terraform locally often struggle with state questions because they haven't encountered the problems state solves.
Remote Backends
Remote backends — storage locations for terraform.tfstate other than the local filesystem, enabling team collaboration and state locking.
The exam tests backend configuration:
terraform {
backend "s3" {
bucket = "my-terraform-state"
key = "prod/vpc/terraform.tfstate"
region = "us-east-1"
dynamodb_table = "terraform-locks"
encrypt = true
}
}
State locking — the mechanism preventing concurrent terraform apply operations from corrupting state. The DynamoDB table in the S3 backend example provides locking. The exam tests: what happens if two engineers run terraform apply simultaneously with locking configured? One succeeds; the other receives an error and must wait.
The terraform state Commands
The exam tests specific terraform state subcommands:
| Command | What It Does | When to Use |
|---|---|---|
terraform state list |
Lists all resources in state | Auditing what's tracked |
terraform state show |
Shows attributes of a specific resource | Inspecting current state values |
terraform state mv |
Moves/renames a resource in state | Refactoring without destroy/recreate |
terraform state rm |
Removes a resource from state | Decoupling without destroying infrastructure |
terraform state pull |
Downloads remote state to stdout | Inspection or backup |
terraform state rm is a common exam scenario: "A resource was deleted manually outside of Terraform. The next terraform plan shows a change to recreate it, but you don't want Terraform to manage this resource anymore. What command removes it from state without destroying the infrastructure?" Answer: terraform state rm <resource_address>.
Modules: What the Exam Actually Tests
Terraform modules — containers for multiple resources used together, enabling reuse and encapsulation. A module is any directory containing .tf files.
The exam tests module source types:
# Local path module
module "vpc" {
source = "./modules/vpc"
}
# Registry module
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 5.0"
}
# GitHub module
module "vpc" {
source = "github.com/hashicorp/example"
}
Version constraints — the exam tests constraint syntax:
~> 5.0— allows 5.x but not 6.0 (compatible version constraint)>= 5.0, < 6.0— explicit range= 5.0.0— exact version!= 5.1.0— exclude specific version
The ~> operator specifically causes confusion: ~> 5.0 means >= 5.0, < 6.0, while ~> 5.0.0 means >= 5.0.0, < 5.1.0. The minor-vs-patch distinction is tested.
Preparation Strategy
Hands-on practice is mandatory — 63% of the exam tests CLI usage and HCL syntax. Candidates who only read documentation and watch videos fail on questions that require understanding how Terraform behaves in specific scenarios. You need to run terraform plan, read the output, understand what will happen, and learn from the cases where the output surprises you.
HashiCorp Learn (developer.hashicorp.com/terraform/tutorials) — free tutorials covering every exam objective. The "Get Started — AWS" track is the most used and covers the majority of exam domains.
Study sequence:
Complete HashiCorp Learn's "Get Started" tutorial (3-4 hours)
Read the exam objectives PDF and map each objective to a HCL construct or CLI command you can demonstrate
Build 3-5 Terraform configurations with different complexity levels (single resource → modules → remote state with locking)
Practice state manipulation: intentionally remove a resource from state and verify the plan behavior
Take Whizlabs or Bryan Krausen's Udemy practice exams; score 80%+ consistently before booking
"The people who fail Terraform Associate are almost always the ones who watched three hours of tutorials and then thought they were ready. The exam is specifically designed to test whether you understand what happens in the edge cases — what happens when count changes, what happens when you refactor a resource name, what happens to state when you switch backends. You only understand those cases if you've experienced them." — Yevgeniy Brikman, co-founder of Gruntwork and author of Terraform: Up & Running
Terraform Cloud and Enterprise: What the Exam Tests
Terraform Cloud — HashiCorp's SaaS platform for collaborative Terraform management, providing remote state storage, remote runs, team access controls, and Sentinel policy enforcement.
Terraform Enterprise — the self-hosted version of Terraform Cloud for organizations with air-gapped environments or specific data residency requirements.
The exam distinguishes between Terraform OSS (open source), Terraform Cloud (Free), Terraform Cloud (Plus), and Terraform Enterprise features. Specific exam topics:
| Feature | OSS | Cloud Free | Cloud Plus | Enterprise |
|---|---|---|---|---|
| Remote state | ❌ (local only) | ✓ | ✓ | ✓ |
| Remote plan/apply | ❌ | ✓ | ✓ | ✓ |
| Sentinel policy | ❌ | ❌ | ✓ | ✓ |
| Team access controls | ❌ | Limited | ✓ | ✓ |
| Audit logs | ❌ | ❌ | ❌ | ✓ |
| Self-hosted | ✓ | ❌ | ❌ | ✓ |
Sentinel — HashiCorp's policy-as-code framework that enforces governance rules on Terraform runs before apply executes. Available in Terraform Cloud Plus and Enterprise.
The exam tests the Sentinel workflow: policies are defined in Sentinel language, attached to policy sets, and applied to workspaces. A Sentinel policy can be advisory (logs violation but allows run), soft-mandatory (blocks run but allows override by administrators), or hard-mandatory (blocks run with no override option).
Candidates frequently miss the tier distinctions. Remembering that Sentinel requires Plus or Enterprise tier and that free Terraform Cloud only provides remote state and runs covers the most common exam questions on this topic.
The Exam Environment: What to Expect
Exam format details: the exam is delivered through the PSI Online Proctoring platform. The proctor connects via webcam, performs a room scan, and monitors your session. No additional materials beyond the allowed HashiCorp documentation (embedded in the exam environment for specific question types — check the current exam guide, as this varies by version).
Question format: majority are multiple choice with a single correct answer. Some questions are multiple-select where you must identify all correct answers. Multiple-select questions don't indicate how many options to select — you must determine the correct number from your knowledge.
Time management: 57 questions in 60 minutes is approximately 63 seconds per question. Terraform Associate is not typically time-constrained for candidates who are prepared. Most candidates finish with 10-15 minutes remaining. If you're spending more than 90 seconds on a question, mark it and move on.
See also: CKA exam guide: the kubectl commands you must know cold, AWS DevOps Engineer Professional: the CI/CD and infrastructure domains
References
HashiCorp. Terraform Associate (003) Exam Objectives. HashiCorp, 2024. https://developer.hashicorp.com/certifications/infrastructure-automation (Official exam guide)
Brikman, Yevgeniy. Terraform: Up & Running, 3rd Edition. O'Reilly Media, 2022. ISBN: 978-1098116743. (Comprehensive Terraform reference, author quoted in article)
HashiCorp. Terraform Language Documentation — HCL Reference. HashiCorp, 2024. https://developer.hashicorp.com/terraform/language (Primary reference for HCL syntax exam content)
HashiCorp. HashiCorp Learn — Terraform Tutorials. HashiCorp, 2024. https://developer.hashicorp.com/terraform/tutorials (Free hands-on tutorials aligned to exam objectives)
Krausen, Bryan. HashiCorp Certified: Terraform Associate Practice Exam. Udemy, 2024. (Most widely used third-party practice exam for Terraform Associate)
HashiCorp. Terraform Registry — Public Module Library. HashiCorp, 2024. https://registry.terraform.io (Module registry referenced in exam module content)
Frequently Asked Questions
What is the passing score for Terraform Associate?
HashiCorp doesn't publish an official passing score for Terraform Associate. Community consensus and HashiCorp's guidance suggests approximately 70% correct answers. The exam has 57 questions with a 60-minute time limit. At $70.50, it's one of the most affordable IT certifications — and includes one free retake within 14 days if you don't pass.
What is the difference between count and for_each in Terraform?
Both create multiple resource instances, but count uses integer indices while for_each uses map or set keys. The critical exam distinction: removing an item from a count-indexed list shifts all subsequent indices and causes destruction/recreation of the shifted resources. Removing a key from a for_each map only destroys that specific resource. for_each is the correct choice when resources may be independently added or removed.
How long does it take to prepare for Terraform Associate?
2-4 weeks for candidates actively using Terraform. 4-6 weeks for candidates with minimal Terraform exposure. Hands-on practice is essential — 63% of the exam tests CLI usage and HCL syntax that requires running terraform plan and apply in real configurations. HashiCorp Learn tutorials are free and aligned to exam objectives. Score 80%+ on Whizlabs or Krausen practice exams before scheduling.
What changed from Terraform Associate 002 to 003?
Terraform Associate 003 (released 2023) added Terraform CDK (Cloud Development Kit) content, allowing infrastructure definition in TypeScript/Python/Java/C# rather than HCL. It also expanded cloud-agnostic content and updated some provider-specific examples. The core exam domains (Basics, CLI usage) remained. Candidates studying from 002 materials miss approximately 5-10% of 003 content, primarily around CDK.
What is terraform state rm used for?
terraform state rm removes a resource from Terraform's state file without destroying the actual infrastructure. Common use cases: decoupling a resource from Terraform management (when another team takes ownership), after manually deleting infrastructure that Terraform tracked, or during module refactoring when a resource address changes. After state rm, terraform plan shows the resource as a new resource to create.