How to Pass HashiCorp Terraform Professional (Authoring & Operations) in 2026

# How to Pass HashiCorp Terraform Professional (Authoring & Operations) in 2026 The HashiCorp Certified: Terraform Authoring and Operations Professional is the advanced-tier credential in the HashiCorp certification track. Unlike the Associate exam, this one assumes you already work with Terraform daily and tests whether you can design production-grade infrastructure as code, collaborate at team scale, and handle the sharp corners that come with real-world Terraform usage. If you are serious about a cloud infrastructure or platform engineering career in 2026, this certification is one of the most respected vendor-neutral IaC credentials available. This guide covers every exam domain, the key topics you must master in each one, and a study approach calibrated for professionals who already know the basics. --- ## Exam Facts at a Glance | Detail | Value | |--------|-------| | Exam name | HashiCorp Certified: Terraform Authoring and Operations Professional | | Exam code | TA-003 | | Price | $130 USD | | Questions | ~60 (multiple-choice and multiple-select) | | Duration | 90 minutes | | Passing score | Not published (scaled scoring) | | Delivery | Online proctored (PSI) or authorized testing center | | Validity | 2 years | | Prerequisites | None formal, but Associate recommended | HashiCorp does not publish a raw passing score, but community reports cluster around 70-75% correct answers being required. The exam is proctored and closed-book. You have 90 minutes for roughly 60 questions, which is comfortable if you know the material — the pressure point is accuracy, not time. --- ## Who Should Take This Exam The Professional exam targets practitioners who have moved past "I know how to run `terraform apply`" into territory like: - Designing reusable module libraries for an organization - Managing multi-account or multi-region deployments with provider aliases - Running Terraform in a team through HCP Terraform (formerly Terraform Cloud) or Terraform Enterprise - Implementing policy guardrails with Sentinel or OPA - Debugging complex state drift, import scenarios, and dependency cycles HashiCorp recommends that candidates hold the Associate certification first and have at least six months of hands-on Terraform work before attempting the Professional. That guidance is accurate. Candidates who skip the Associate exam and jump straight to the Professional tend to underestimate how precise the question language is, particularly around lifecycle meta-arguments and provider configuration. --- ## Difference From the Associate Exam The Associate exam (TA-002) validates that you understand core Terraform concepts: how the plan/apply cycle works, how state is managed, basic module usage, and foundational HCP Terraform features. Questions at the Associate level test recognition — can you identify what `terraform init` does, what a backend block configures, what `terraform output` returns. The Professional exam tests design judgment. Questions present architectural scenarios and ask which approach is correct, which would cause an error, or which behavior results from a specific configuration. The distinction matters for study strategy: memorizing command flags is not sufficient. You need to understand the mechanics behind each feature deeply enough to reason through edge cases. Key topic areas that appear at the Professional level but not (or minimally) at the Associate level: - `dynamic` blocks and complex expressions (`for`, splat, conditional) - Variable validation rules and custom error messages - `lifecycle` meta-arguments including `replace_triggered_by` - Provider aliases and the `providers` argument in module calls - Module composition patterns, version constraints, and source types - HCP Terraform teams, permissions, and run triggers - Sentinel and OPA policy enforcement levels - Terraform state manipulation commands (`state mv`, `state rm`, `import`) --- ## Domain Breakdown ### Domain 1: Understand HashiCorp Configuration Language (HCL) for Terraform (23%) This is the largest domain and covers advanced HCL authoring. At the Professional level, you are expected to write and interpret configurations that use dynamic blocks, complex type constraints, custom validations, and non-obvious expression patterns. **Key topics:** - `dynamic` blocks with `for_each`, `iterator`, and nested `content` blocks - `for` expressions in list context (`[for ... : ...]`) vs object context (`{for ... : ... => ...}`) - Splat expressions (`resource.name[*].attribute`) and their limitations with maps - `can()` and `try()` functions for defensive expressions - `nullable` argument on variables and interaction with default values - Variable validation blocks: `condition` using `alltrue`, `anytrue`, `contains`, and regex - Custom error messages in validation blocks - Complex type constraints: `object({})`, `map(type)`, `list(object(...))`, `set(string)` - Sensitive variables and how sensitivity propagates through expressions **Study approach:** Write configurations that use every expression type. Pay special attention to when `for` expressions produce a list versus a map — this distinction is a common exam trap. --- ### Domain 2: Use Terraform Outside of the Core Workflow (19%) The core workflow is plan/apply/destroy. This domain covers everything adjacent to that cycle. **Key topics:** - `terraform import` — importing existing resources into state, and the newer `import` block syntax - `terraform state mv` and `terraform state rm` for refactoring - `terraform workspace` for environment separation and its limitations - `terraform console` for expression testing - Generating configuration with `-generate-config-out` (Terraform 1.5+) - `terraform graph` and understanding resource dependency visualization - `terraform force-unlock` and when it is appropriate **Study approach:** Practice state manipulation commands in a sandbox environment. Run `terraform state mv` and verify the effect in the state file. Understanding the risk surface of state operations is essential for exam questions that ask about safe refactoring workflows. --- ### Domain 3: Interact with Terraform Modules (22%) Module design is central to the Professional exam. Expect questions about module composition, version locking, source types, and how providers are passed to modules. **Key topics:** - Module sources: local paths, Terraform Registry, GitHub, and other VCS sources - Version constraint operators: `=`, `!=`, `>`, `>=`, `<`, `<=`, `~>` (pessimistic constraint) - Semantic versioning interpretation in the context of module registries - Root modules vs child modules vs published modules - Input variable design: required vs optional, type enforcement, defaults - Output design: which outputs to expose, sensitive outputs - The `providers` meta-argument in module calls for passing provider aliases - Module composition patterns: wrapper modules, feature-flag variables - `depends_on` in module blocks and when it is necessary - No-code modules in HCP Terraform **Study approach:** Build a multi-module project where a root module calls two child modules that each use a different AWS region via provider aliases. This exercise touches nearly every concept in this domain. --- ### Domain 4: Use the Terraform Workflow for Collaborating with Teams (17%) This domain covers the practical mechanics of running Terraform in a team context, primarily through HCP Terraform. **Key topics:** - HCP Terraform workspace types: VCS-driven, CLI-driven, API-driven - Remote backend configuration for state storage and remote runs - Run triggers between workspaces - VCS-driven workspace behavior — what triggers a run and what does not - Speculative plans and their use in pull request workflows - Cost estimation in HCP Terraform - Team management: permissions model, workspace access levels - Variable sets: sharing variables across workspaces - The `TFE_TOKEN` / `TF_TOKEN_*` environment variable pattern for authentication **Study approach:** Set up a free HCP Terraform account and create at least two connected workspaces: one that triggers runs in the other. Understand the difference between a VCS-connected workspace and a CLI-driven workspace in terms of who initiates a run and how. --- ### Domain 5: Implement and Use Terraform Providers (11%) This domain tests deeper provider knowledge than the Associate exam. **Key topics:** - Provider configuration blocks: `alias`, `version` constraints in `required_providers` - The `providers` argument in module blocks and how it maps named aliases - Default vs non-default provider instances in a configuration - Provider meta-arguments and how they interact with `for_each` on modules - Terraform Registry vs private registry for providers - Provider locking with `.terraform.lock.hcl` — what the lock file contains and why it matters - `terraform providers lock` command for cross-platform lock file generation **Study approach:** Configure a Terraform project that deploys to two AWS regions simultaneously using provider aliases. Trace how the alias flows from the root module into a child module via the `providers` argument. --- ### Domain 6: Use and Create Terraform Policy (8%) The smallest domain by weight but high-value: policy questions tend to have precise right/wrong answers. **Key topics:** - Sentinel policy framework: rules, policies, policy sets - Sentinel enforcement levels: `advisory`, `soft-mandatory`, `hard-mandatory` - Open Policy Agent (OPA) as an alternative policy engine in HCP Terraform - Policy sets in HCP Terraform: VCS-connected vs manually uploaded - How policy evaluation fits in the run pipeline (after plan, before apply) - What happens when a `soft-mandatory` policy fails vs a `hard-mandatory` policy **Study approach:** Read the HCP Terraform Sentinel documentation carefully. The distinction between enforcement levels is a guaranteed exam topic. --- ## Hands-On Lab Strategy The Professional exam cannot be passed through reading alone. You need to build things. Here is a minimal lab plan that covers the highest-value topics: 1. **Dynamic block lab** — Create a security group module that uses `dynamic` blocks to generate ingress rules from a list of objects. Test with zero rules, one rule, and multiple rules. 2. **Multi-region provider alias lab** — Deploy an S3 bucket in `us-east-1` and a CloudFront distribution in `us-west-2` from the same root module using provider aliases. Pass both providers into a child module. 3. **State manipulation lab** — Create two resources, move one to a new address with `terraform state mv`, and verify the plan shows no changes. Then remove a resource from state with `terraform state rm` and verify the plan shows it as a new resource. 4. **HCP Terraform workspace chain** — Create two workspaces where workspace B uses a run trigger from workspace A. Watch workspace B's run queue when workspace A completes. 5. **Sentinel policy lab** — Write a simple Sentinel policy that rejects any plan proposing an instance type not in an approved list. Apply it to a workspace at `soft-mandatory` enforcement. Override it. Then change to `hard-mandatory` and verify you cannot override. --- ## Recommended Study Resources - **HashiCorp Developer documentation** — The official Terraform docs are the exam's source of truth. Read the Configuration Language section in full. - **Terraform Up and Running (3rd ed., O'Reilly)** — Best book for module design and production patterns. - **HCP Terraform tutorials on developer.hashicorp.com** — Step through the collaborative workflows section, especially the VCS integration and Sentinel tutorials. - **CertLand Terraform Professional practice exam** — 340 exam-style questions calibrated to the TA-003 domain weights, with detailed explanations for every answer. --- ## Final Advice The Professional exam rewards practitioners who have thought carefully about design trade-offs: when to use workspaces vs separate state files, when `create_before_destroy` is necessary and when it causes problems, when a module should be a thin wrapper and when it should be opinionated. If you can articulate the reasoning behind your infrastructure design decisions in daily work, you are already thinking at the right level. The exam tests whether that reasoning holds up under precise questioning. Schedule the exam when you can confidently write a multi-module configuration from scratch, explain every lifecycle meta-argument from memory, and navigate HCP Terraform's permissions model without looking it up.