DevOps & Infrastructure Labs - Terraform Associate

Master Infrastructure as Code with GUI-driven Terraform Cloud labs: workspace configuration, HCL authoring with plan/apply workflows, and state management with drift detection - aligned to the HashiCorp Terraform Associate (003) exam objectives.

These labs cover all DevOps & container certifications including:

KCNA DCA KCSA Terraform Associate CKAD
CKA CKS AWS DevOps Professional Azure DevOps AZ-400 Google Prof. Cloud DevOps

Terraform Associate Labs - Module 4

GUI-first labs with Terraform Cloud console, HCL editor, and state browser - practice real IaC workflows: workspaces, providers, plan/apply, state management, and drift detection.

Lab 10: Terraform Cloud Workspace Console
Terraform / GUI
Scenario: Production Workspace Setup
CloudOps needs to onboard a new production workspace in Terraform Cloud. Your job is to configure the workspace name, execution mode, VCS connection, provider, and set required variables (including a sensitive API key) before queuing the first plan.
Terraform Lab

Learning Objectives:

  • Workspaces: create and configure TFC workspaces
  • Execution modes: remote vs local execution
  • Variables: set terraform and environment variables (sensitive)
  • VCS integration: connect a repo for GitOps-style runs

Step-by-Step Instructions

  1. Step 1: Set workspace name & execution mode
    In the Workspace Console tab, set:
    Workspace Name = prod-infra Execution Mode = Remote
    Then click Create Workspace.
    Tip: Remote execution runs plans and applies in Terraform Cloud, keeping state and secrets off local machines.
  2. Step 2: Connect VCS repository
    Set:
    VCS Provider = GitHub Repository = cloudops/prod-infra
    Then click Connect VCS.
  3. Step 3: Configure provider
    Set:
    Provider = aws Region = us-east-1
    Then click Set Provider.
  4. Step 4: Add environment variable (sensitive)
    Add an environment variable:
    Key = AWS_SECRET_ACCESS_KEY Value = (any value) Sensitive = Yes
    Then click Add Variable.
    Tip: Sensitive variables are write-only in TFC -- once saved, the value cannot be read back.
  5. Step 5: Add terraform variable
    Add a terraform variable:
    Key = instance_type Value = t3.medium Sensitive = No
    Then click Add Variable.
  6. Step 6: Queue first plan
    Click Queue Plan to trigger the first speculative run.
    Tip: In production, plans should run automatically on VCS push (GitOps).

Terraform Cloud

Workspace Console
Terminal
Terraform Cloud Console Organization: cloudops
Workspace Config
Name
Execution
VCS
Provider & Variables
Provider
Env Vars0
TF Vars0
Workspace Setup
Variables
Activity Log
[system]Terraform Cloud console ready. No workspace configured.
user@tfc:~$
Progress: 0/6 tasks completed
Score: 0/100
After Completing All Steps:

1. Validate to see workspace + variable checklist.
2. View Architecture to review the Terraform Cloud workflow.
0%

Lab Completed!

Workspace configured and first plan queued.

Lab 11: IaC Editor + Plan/Apply Workflow
Terraform / GUI + Terminal
Scenario: Deploy a VPC with Subnets
The networking team needs a new VPC with two subnets (public + private). Use the HCL editor to write the configuration, then run terraform plan and terraform apply to provision the infrastructure. Review the plan output before applying.
Terraform Lab

Learning Objectives:

  • HCL syntax: resource blocks, providers, arguments
  • Plan/Apply: two-phase workflow (plan -> review -> apply)
  • Resource dependencies: implicit references between resources
  • Output values: expose VPC and subnet IDs

Step-by-Step Instructions

  1. Step 1: Initialize the project
    In the Terminal tab, run:
    terraform init
    Tip: init downloads provider plugins and sets up the backend.
  2. Step 2: Write the VPC resource in the editor
    Switch to the HCL Editor tab and click Load Template to populate the VPC configuration, then click Save.
  3. Step 3: Run terraform plan
    In the Terminal, run:
    terraform plan
    Tip: Always review the plan carefully before applying. Look for "3 to add, 0 to change, 0 to destroy".
  4. Step 4: Apply the configuration
    Run:
    terraform apply -auto-approve
  5. Step 5: Check outputs
    Run:
    terraform output
  6. Step 6: Review the state
    Run:
    terraform state list

Terraform Workspace

Terminal
HCL Editor
user@tfc:~/prod-infra$
HCL Editor - main.tf Workspace: prod-infra
Plan Summary
To Add0
To Change0
To Destroy0
Apply Status
Resources Created0
State Objects0
AppliedNo
Activity Log
[system]Editor ready. Load template or write HCL config.
Progress: 0/6 tasks completed
Score: 0/100
After Completing All Steps:

1. Validate to see the plan/apply checklist.
2. View Architecture to see the VPC resource topology.
0%

Lab Completed!

VPC deployed and state verified.

Lab 12: State Management & Drift Detection
Terraform / GUI + Terminal
Scenario: State Audit & Drift Remediation
During a security audit, the team discovered that someone manually changed an S3 bucket's ACL outside of Terraform. Use the State Management Dashboard to inspect state, detect drift, import an unmanaged resource, and reconcile the configuration.
Terraform Lab

Learning Objectives:

  • State inspection: terraform state list, state show
  • Drift detection: plan to detect real-world changes
  • Import: bring unmanaged resources under Terraform control
  • Refresh: reconcile state with actual infrastructure

Step-by-Step Instructions

  1. Step 1: List current state resources
    In the Terminal, run:
    terraform state list
  2. Step 2: Show resource details
    Run:
    terraform state show aws_s3_bucket.data
  3. Step 3: Detect drift with plan
    Run:
    terraform plan
    Tip: The plan will show drift -- an ACL change made outside Terraform.
  4. Step 4: Import an unmanaged resource
    Run:
    terraform import aws_s3_bucket.logs prod-logs-bucket
    Tip: After import, you must write the matching HCL resource block to keep config in sync.
  5. Step 5: Refresh state
    Run:
    terraform apply -refresh-only -auto-approve
  6. Step 6: Review State Dashboard
    Switch to the State Dashboard tab to confirm all resources are tracked, drift is resolved, and the imported bucket appears in state.

State Management

Terminal
State Dashboard
user@tfc:~/prod-infra$
Terraform State Dashboard Status: Pending
State Overview
Total Resources2
Imported0
Drift DetectedUnknown
Reconciliation
RefreshedNo
Dashboard ReviewedNo
Final State
Resource State Table
Resource Type ID Drift
aws_s3_bucket.data aws_s3_bucket prod-data-bucket Unknown
aws_s3_bucket_acl.data aws_s3_bucket_acl prod-data-bucket,private Unknown
Activity Log
[system]State dashboard ready. 2 resources in state. Drift status unknown.
Progress: 0/6 tasks completed
Score: 0/100
After Completing All Steps:

1. Validate to see state management + drift checklist.
2. View Architecture to see the state reconciliation flow.
0%

Lab Completed!

State audited, drift resolved, import complete.

Reset Lab?

This will clear all your progress for this lab including terminal history, completed tasks, and dashboard data. This action cannot be undone.