Check blocks for assertions in Terraform - Practice Problems & Coding Challenges

Challenge - 5 Problems
🧠 Conceptual
intermediate
Understanding Terraform check blocks with assertions
Which of the following Terraform check blocks correctly asserts that an AWS S3 bucket has versioning enabled?
Terraform
check {
  assertions = [
    {
      assert = aws_s3_bucket.example.versioning[0].enabled == true
      error_message = "S3 bucket versioning must be enabled"
    }
  ]
}
A
check {
  assertions = [
    {
      assert = aws_s3_bucket.example.versioning.enabled == true
      error_message = "S3 bucket versioning must be enabled"
    }
  ]
}
B
check {
  assertions = [
    {
      assert = aws_s3_bucket.example.versioning[0].enabled == true
      error_message = "S3 bucket versioning must be enabled"
    }
  ]
}
C
check {
  assertions = [
    {
      assert = aws_s3_bucket.example.versioning[0].status == "Enabled"
      error_message = "S3 bucket versioning must be enabled"
    }
  ]
}
D
check {
  assertions = [
    {
      assert = aws_s3_bucket.example.versioning[0].enabled != false
      error_message = "S3 bucket versioning must be enabled"
    }
  ]
}
💡 Hint
Remember that versioning is a list with an 'enabled' boolean attribute inside the first element.
Configuration
intermediate
Detecting open security groups with check blocks
Which check block correctly asserts that no AWS security group allows ingress from 0.0.0.0/0 on port 22?
A
check {
  assertions = [
    {
      assert = alltrue([for rule in aws_security_group.example.ingress : rule.cidr_blocks[0] != "0.0.0.0/0" || rule.from_port != 22])
      error_message = "No ingress from 0.0.0.0/0 on port 22 allowed"
    }
  ]
}
B
check {
  assertions = [
    {
      assert = nonetrue([for rule in aws_security_group.example.ingress : rule.cidr_blocks[0] == "0.0.0.0/0" || rule.from_port == 22])
      error_message = "No ingress from 0.0.0.0/0 on port 22 allowed"
    }
  ]
}
C
check {
  assertions = [
    {
      assert = nonetrue([for rule in aws_security_group.example.ingress : rule.cidr_blocks[0] == "0.0.0.0/0" && rule.from_port == 22])
      error_message = "No ingress from 0.0.0.0/0 on port 22 allowed"
    }
  ]
}
D
check {
  assertions = [
    {
      assert = alltrue([for rule in aws_security_group.example.ingress : rule.cidr_blocks[0] != "0.0.0.0/0" && rule.from_port != 22])
      error_message = "No ingress from 0.0.0.0/0 on port 22 allowed"
    }
  ]
}
💡 Hint
Use nonetrue to ensure no ingress rule matches both conditions simultaneously.
Architecture
advanced
Check block to enforce multi-AZ deployment in AWS RDS
Given an AWS RDS instance resource, which check block correctly asserts that multi-AZ deployment is enabled?
A
check {
  assertions = [
    {
      assert = aws_db_instance.example.multi_az == 1
      error_message = "RDS instance must be multi-AZ"
    }
  ]
}
B
check {
  assertions = [
    {
      assert = aws_db_instance.example.multi_az != false
      error_message = "RDS instance must be multi-AZ"
    }
  ]
}
C
check {
  assertions = [
    {
      assert = aws_db_instance.example.multi_az == "true"
      error_message = "RDS instance must be multi-AZ"
    }
  ]
}
D
check {
  assertions = [
    {
      assert = aws_db_instance.example.multi_az == true
      error_message = "RDS instance must be multi-AZ"
    }
  ]
}
💡 Hint
The multi_az attribute is a boolean, not a string or number.
Security
advanced
Check block to ensure encryption is enabled on AWS EBS volumes
Which check block correctly asserts that all AWS EBS volumes have encryption enabled?
A
check {
  assertions = [
    {
      assert = alltrue([for vol in aws_ebs_volume.example : vol.encrypted == true])
      error_message = "All EBS volumes must be encrypted"
    }
  ]
}
B
check {
  assertions = [
    {
      assert = anytrue([for vol in aws_ebs_volume.example : vol.encrypted == true])
      error_message = "All EBS volumes must be encrypted"
    }
  ]
}
C
check {
  assertions = [
    {
      assert = alltrue([for vol in aws_ebs_volume.example : vol.encrypted != false])
      error_message = "All EBS volumes must be encrypted"
    }
  ]
}
D
check {
  assertions = [
    {
      assert = nonetrue([for vol in aws_ebs_volume.example : vol.encrypted == false])
      error_message = "All EBS volumes must be encrypted"
    }
  ]
}
💡 Hint
Use alltrue to ensure every volume is encrypted.
Service behavior
expert
Check block behavior when resource attribute is missing
What error or behavior occurs when a Terraform check block asserts on a resource attribute that does not exist, for example, aws_instance.example.nonexistent_attribute == true?
Terraform
check {
  assertions = [
    {
      assert = aws_instance.example.nonexistent_attribute == true
      error_message = "Attribute must be true"
    }
  ]
}
A
Terraform plan fails with an error: "Reference to undeclared resource or attribute"
B
Terraform plan succeeds but check block assertion always fails at apply time
C
Terraform plan succeeds and check block assertion is ignored silently
D
Terraform plan succeeds and assertion evaluates to false without error
💡 Hint
Terraform validates references during plan phase and errors if attribute is missing.