Terraform Associate (003) Syllabus — Objectives by Domain

Use this syllabus as your source of truth for Terraform Associate (003). Work through each domain in order and drill targeted sets after every section.

What’s covered

• IaC Concepts & Terraform’s Purpose (compare to other tools) (10%)
• HCL Basics & Config Structure (files, blocks, types, functions) (12%)
• Terraform CLI & Core Workflow (init/validate/plan/apply/destroy/import/taint/fmt/console) (18%)
• Providers, Resources & Data Sources (auth, version constraints, schemas) (12%)
• Variables, Locals, Outputs & Expressions (input validation, sensitive values) (10%)
• Modules (use, author, versioning, Registry, composition & reusability) (12%)
• State Management & Backends (remote state, locking, state drift, state mv/rm) (12%)
• Resource Graph & Meta-Arguments (count/for_each, depends_on, lifecycle/replace/ignore_changes) (6%)
• Provisioners, External Data & Templates (last-resort usage, risks, when to avoid) (2%)
• Terraform Cloud/Enterprise (workspaces, VCS-driven runs, RBAC, policies, remote ops) (8%)

IaC Concepts & Terraform’s Purpose (compare to other tools) (10%)

Practice this topic →

IaC Fundamentals & Desired State

• Explain declarative vs imperative configuration and why Terraform is declarative.
• Describe desired state, reconciliation, drift, and idempotency in IaC.
• Differentiate configuration, state, and provider plugins in Terraform.
• Outline typical environments (dev/test/prod) and promotion via VCS.
• Identify benefits: repeatability, auditability, change review, and rollbacks.

Terraform vs Other Tools

• Compare Terraform with cloud-native templates (AWS CloudFormation, ARM/Bicep) and config mgmt (Ansible, Chef).
• Discuss multi-cloud portability and provider ecosystem advantages/limits.
• Identify when Pulumi or cloud-native tools may be preferable.
• Contrast ‘one-time’ scripts with Terraform’s plan/apply workflow.
• Evaluate trade-offs of external orchestration pipelines (CI/CD) with Terraform.

Collaboration, Review & Change Management

• Describe Git-based workflows: branches, PRs, code owners, and plan artifacts.
• Explain tagging, naming, and directory conventions for teams.
• Map tickets/requests to Terraform changes and environment promotion.
• Summarize change windows, approvals, and blast-radius controls.
• Define rollback strategies: plan re-runs, targeted replace, or previous module versions.

Security & Compliance Basics for IaC

• Identify policy-as-code options (Sentinel/OPA) to enforce guardrails.
• Explain secret handling patterns (env vars, Vault/KMS, TFC variable sets).
• Recognize risks of storing credentials in code/state and mitigation steps.
• Describe least-privilege provider credentials and short-lived tokens.
• Outline artifact retention, audit logs, and plan provenance.

HCL Basics & Config Structure (files, blocks, types, functions) (12%)

Practice this topic →

Files, Blocks & Core Constructs

• Identify HCL file roles: *.tf, *.tfvars, override and partial backend files.
• Use core blocks: terraform, provider, resource, data, module, variable, output, locals.
• Explain root vs module directories and loading order.
• Format code with terraform fmt and validate with terraform validate.
• Describe JSON configuration variant and when to use it.

Types, Expressions & Operators

• Define primitive/collection/object types and type constraints.
• Use conditional (?:), logical, arithmetic, and string interpolation.
• Apply null and optional attributes to control presence of arguments.
• Leverage for-expressions and splat syntax for collections.
• Differentiate equality vs identity when comparing values.

Common Functions & Data Transformation

• Apply core functions: length, merge, zipmap, coalesce, try, can.
• Manipulate strings/JSON with regex, replace, jsonencode/jsondecode, templatefile.
• Work with CIDR and IP functions: cidrhost, cidrsubnet, cidrnetmask.
• Handle time/math functions for schedules and naming.
• Create robust expressions with null-coalescing and defaults.

Dynamic Blocks & Advanced Patterns

• Render nested arguments with dynamic blocks and for-each iteration.
• Generate complex structures from maps/lists for security rules or tags.
• Prevent empty/invalid blocks via conditionals and try/can.
• Document assumptions inline using locals and comments.
• Refactor repeated configuration into modules vs dynamic blocks.

Terraform CLI & Core Workflow (init/validate/plan/apply/destroy/import/taint/fmt/console) (18%)

Practice this topic →

Initialize & Dependency Management

• Run terraform init with provider installation and plugin caching.
• Explain dependency lock file (terraform.lock.hcl) and provider checksums.
• Pin providers/modules with version constraints and registry sources.
• Re-init on backend/provider changes; migrate state when prompted.
• Describe -upgrade semantics for provider/module updates.

Validate, Plan & Planfiles

• Validate configuration structure and detect basic type issues.
• Generate plans with refresh behavior and -var/-var-file precedence.
• Save binary planfiles (-out) and apply from planfiles for reviewable changes.
• Diff change types: create, update in-place, replace, destroy.
• Interpret resource addresses and targeting implications.

Apply, Replace & Destroy

• Apply plans safely with auto-approve gates in CI/CD.
• Use -replace to force recreation (and know legacy taint differences).
• Perform targeted operations cautiously and understand risks to graph.
• Destroy resources or workspaces; protect critical infra with lifecycle.
• Troubleshoot apply failures and partial state updates.

Troubleshooting & Utility Commands

• Inspect state and config with terraform show and console.
• Visualize dependencies with terraform graph for cycle detection.
• Enforce style with terraform fmt and deepen checks with tools (tflint).
• Use detailed logs (TF_LOG) for provider debug sessions.
• Summarize import flows and addressing for pre-existing resources.

Providers, Resources & Data Sources (auth, version constraints, schemas) (12%)

Practice this topic →

Provider Configuration & Authentication

• Configure providers with required_providers and version constraints.
• Authenticate to AWS/Azure/GCP using env vars, profiles, or workload identity.
• Pass provider aliases and region/project settings cleanly.
• Secure credentials via env/secret stores rather than hard-coding.
• Handle multi-account/tenant setups and cross-provider composition.

Resource & Data Source Schemas

• Differentiate arguments, attributes, computed/read-only fields.
• Interpret nested blocks, sets, lists, and maps in schemas.
• Consume data sources and manage data-resource dependencies.
• Apply timeouts, retries, and create-before-destroy effects.
• Read provider docs to map API semantics to Terraform fields.

Versioning, Upgrades & Compatibility

• Lock provider versions in code and in the lock file.
• Plan upgrades with CHANGELOGs and provider breaking changes.
• Use feature flags or beta providers cautiously.
• Test resource behavior in sandboxes before production changes.
• Rollback provider versions and reconcile drift if needed.

Multi-Provider & Cross-Cloud Patterns

• Share inputs/outputs across providers (e.g., DNS + CDN + Storage).
• Design provider alias routing within and across modules.
• Coordinate ordering with depends_on for cross-service glue.
• Handle rate limits and eventual consistency in plans/applies.
• Design abstractions where multi-cloud portability is required.

Variables, Locals, Outputs & Expressions (input validation, sensitive values) (10%)

Practice this topic →

Input Variables & Validation

• Declare variables with type, default, description, and nullable/optional.
• Implement validation blocks with custom error messages.
• Set variables via CLI, env, *.tfvars, and TFC variable sets (at a high level).
• Explain variable precedence and file loading rules.
• Mark sensitive inputs and implications for logs/plan output.

Locals & Expression Composition

• Use locals for naming, tagging, and DRY patterns.
• Compose maps/lists/objects with for-expressions and conditionals.
• Guard expressions with try/can and null coalescing.
• Build reusable naming modules vs locals trade-offs.
• Benchmark readability vs indirection for maintainability.

Outputs & Sensitivity

• Expose outputs from root/modules with descriptions and types.
• Propagate sensitivity to mask in CLI and logs.
• Export structured outputs for pipelines and cross-workspace use.
• Avoid leaking secrets via outputs; prefer IDs/ARNs over keys.
• Use depends_on in outputs when order is required.

Files, Variable Files & Secrets Handling

• Organize *.auto.tfvars and environment-specific tfvars files.
• Ignore secrets with .gitignore and use secret stores for values.
• Template external files via templatefile and jsonencode where needed.
• Document input contracts in README and examples.
• Enforce validation through CI checks before plan.

Modules (use, author, versioning, Registry, composition & reusability) (12%)

Practice this topic →

Using Modules from the Registry

• Locate modules, read inputs/outputs, and evaluate maintenance signals.
• Pin module versions with semantic constraints (>=, ~>, =).
• Override default inputs and wire outputs to consumers.
• Pass provider configurations or aliases into modules.
• Vendor vs fetch modules: trade-offs for air-gapped environments.

Authoring Reusable Modules

• Structure modules with variables.tf, outputs.tf, README, examples.
• Design clear input contracts and sane defaults.
• Expose minimal outputs and preserve encapsulation.
• Support custom tags/labels and naming conventions.
• Document breaking changes and migration steps.

Composition & Abstraction Patterns

• Compose modules to build platforms (network, security, app).
• Balance granularity: fine-grained vs composite modules.
• Use for_each on modules to scale environments/tenants.
• Parameterize providers/regions/projects safely.
• Avoid anti-patterns: over-generic or ‘magic’ modules.

Quality, Testing & Versioning

• Validate modules with terraform validate and example plans.
• Adopt tflint/pre-commit hooks for lint/style checks.
• Test with Terratest or pipelines that run example deployments.
• Version releases with CHANGELOG and semver discipline.
• Deprecate inputs/outputs gracefully and document replacements.

State Management & Backends (remote state, locking, state drift, state mv/rm) (12%)

Practice this topic →

State Fundamentals & Security

• Explain state purpose, resource addressing, and mappings.
• Recognize sensitive data risks inside state and mitigation steps.
• Use state locking to prevent concurrent writes.
• Detect and remediate drift vs refresh and import strategies.
• Back up and protect state with least-privilege access.

Backends: Local vs Remote

• Configure S3+DynamoDB, GCS, AzureRM, and Terraform Cloud backends.
• Compare encryption, locking, and availability characteristics.
• Pass partial backend config via -backend-config files.
• Migrate state during backend changes with terraform init -migrate-state.
• Troubleshoot backend auth and permissions.

State Operations

• Use terraform state list, show, mv, rm for refactors and cleanup.
• Refactor addresses after resource/module renames safely.
• Import existing resources and verify with show/plan.
• Handle provider source changes (state replace-provider).
• Document state changes clearly in PRs for reviewers.

Sharing & Consuming Remote State

• Expose outputs for downstream consumers and pipelines.
• Use data.terraform_remote_state (or TFC workspace outputs) appropriately.
• Avoid circular dependencies and brittle cross-workspace links.
• Design promotion flows that don’t require manual state edits.
• Adopt naming/versioning to keep consumers stable during refactors.

Resource Graph & Meta-Arguments (count/for_each, depends_on, lifecycle/replace/ignore_changes) (6%)

Practice this topic →

Dependency Graph & Ordering

• Differentiate implicit (references) vs explicit depends_on dependencies.
• Identify and break cycles; use data sources vs resources appropriately.
• Predict apply order from references and graph edges.
• Use terraform graph to visualize complex stacks.
• Avoid hidden dependencies in locals/outputs.

count, for_each & Addressing

• Choose count vs for_each for lists vs maps/sets of objects.
• Address instances with indexes/keys and handle renumbering risks.
• Migrate from count to for_each using state mv.
• Create stable keys for lifecycle safety.
• Combine with dynamic blocks for nested repetitions.

Lifecycle Controls

• Apply create_before_destroy for zero-downtime replacements.
• Prevent accidental deletion with prevent_destroy and policy guardrails.
• Use ignore_changes for drift tolerance on select attributes.
• Trigger replacement with replace_triggered_by when dependencies change.
• Document lifecycle intent to guide reviewers and operators.

Patterns for Robust Composition

• Model optional infrastructure with conditional resources.
• Isolate high-blast-radius components into separate workspaces.
• Use modules to stabilize addresses across refactors.
• Balance explicit ordering vs excessive depends_on usage.
• Audit meta-arguments during post-incident reviews.

Provisioners, External Data & Templates (last-resort usage, risks, when to avoid) (2%)

Practice this topic →

Provisioners: Intent & Cautions

• Describe local-exec and remote-exec mechanics and typical pitfalls.
• Explain why provisioners are last-resort and failure modes (non-idempotent).
• Use on_failure and connection blocks safely if required.
• Prefer cloud-init or platform userdata over provisioners.
• Document when provisioners are justified (e.g., bootstrap gaps).

External Data & Templating

• Consume external data via external data source with scripts.
• Render files with templatefile; avoid the legacy template provider.
• Pass structured data with jsonencode/jsondecode.
• Validate that external calls don’t introduce nondeterminism.
• Cache or pin external results where stability is needed.

Better Alternatives

• Adopt Packer images or pre-baked AMIs for golden images.
• Use configuration-management tools for in-guest changes.
• Leverage cloud-native init scripts and metadata services.
• Move secrets/bootstrap to Vault/Secret Manager integrations.
• Refactor one-off shell to modules or platform features.

Troubleshooting & Cleanup

• Diagnose failing provisioners with detailed logs and retries.
• Ensure idempotency of scripts to avoid perpetual diffs.
• Guard long-running commands with timeouts and checks.
• Remove provisioners post-bootstrap when no longer needed.
• Record residual effects in runbooks and README.

Terraform Cloud/Enterprise (workspaces, VCS-driven runs, RBAC, policies, remote ops) (8%)

Practice this topic →

Workspaces, Variables & VCS-Driven Runs

• Create workspaces and connect to VCS for plan/apply on PR/merge.
• Manage workspace variables, var sets, and sensitive flags.
• Separate environments via workspaces or directories + workspaces.
• Consume outputs between workspaces safely.
• Use run triggers and manual applies for controlled promotion.

RBAC, Teams & Access

• Assign team-based permissions to workspaces and org resources.
• Integrate SSO/SCIM for centralized identity and least privilege.
• Constrain state access and variable visibility by role.
• Audit actions with run history and logs.
• Apply resource-specific permissions for sensitive stacks.

Policies, Cost & Drift

• Enforce guardrails with Sentinel or OPA via Run Tasks.
• Gate changes with mandatory checks (security, cost, lint).
• Interpret cost estimation summaries for budget protection.
• Detect configuration drift and plan remediation paths.
• Standardize tagging, regions, and size classes via policy.

Remote Operations, Agents & Private Registry

• Run remote execution with Terraform Cloud/Enterprise and agents for private nets.
• Publish and consume modules in the Private Module Registry.
• Manage provider/install mirrors for air-gapped environments.
• Handle speculative plans and plan approvals in workflows.
• Design multi-workspace pipelines with minimal coupling.

Tip: After finishing a domain, take a 20–25 question drill focused on that domain, then revisit weak objectives within 24–48 hours before moving on.