Study HashiCorp Terraform 004 Dependencies and Sensitive Data: key concepts, common traps, and exam decision cues.
This lesson covers several of the 004 topics that older notes often skip. HashiCorp explicitly calls out depends_on, create_before_destroy, custom conditions, and newer sensitive-data ideas such as ephemeral values and write-only arguments.

| Need | Strongest first fit |
|---|---|
| normal ordering from references | let Terraform infer dependency |
| hidden dependency Terraform cannot infer | depends_on |
| replacement behavior that should create first | create_before_destroy lifecycle behavior |
| check whether a value or result is acceptable | custom validation or check condition |
| reduce unsafe exposure of sensitive values | sensitive-data handling, Vault-aware patterns, and newer write-only or ephemeral behavior where supported |

| Topic | Exam value |
|---|---|
| explicit dependency | tests whether you know when inference is not enough |
| lifecycle behavior | tests replacement safety reasoning |
| custom conditions | tests validation beyond basic syntax |
| sensitive-data handling | tests safe Terraform behavior, not just raw syntax |

| Trap | Better rule |
|---|---|
| using depends_on everywhere | explicit dependency is for real hidden relationships |
| thinking validation means only terraform validate | custom conditions can validate assumptions inside configuration too |
| storing secrets casually because Terraform uses variables | sensitive input still needs careful handling |
| ignoring newer 004 topics because older prep passed before | current objectives explicitly include them |

This objective is about keeping Terraform safe and predictable. Use explicit dependencies only when Terraform cannot infer them. Use lifecycle behavior like create_before_destroy when replacement order matters. Use validation to catch bad inputs early. Treat sensitive, write-only, and ephemeral data as handling concerns, not as ordinary string variables. The exam wants those lanes kept distinct.
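
The four lanes side by side in one configuration, as an added example that is not part of the original notes or HashiCorp's material. It assumes Terraform 1.11 or later and an AWS provider release that supports the write-only password_wo argument on aws_db_instance; the resource names, sizes and limits are constructed.

```hcl
# Added example; resource names, sizes and limits are assumptions.
terraform {
  required_version = ">= 1.11" # write-only arguments; ephemeral variables need 1.10
}

variable "ami_id" {
  type = string
}

variable "allocated_storage" {
  type = number
  # Custom condition: bad input is rejected at plan time, before any change.
  validation {
    condition     = var.allocated_storage >= 20 && var.allocated_storage <= 100
    error_message = "allocated_storage must be between 20 and 100 GiB."
  }
}

variable "db_password" {
  type      = string
  sensitive = true # redacted in plan and apply output
  ephemeral = true # never written to the plan file or state
}

resource "aws_db_instance" "app" {
  identifier          = "app-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = var.allocated_storage # reference: ordering is inferred
  username            = "app"
  skip_final_snapshot = true
  # Write-only argument: sent to the provider, not stored in state.
  password_wo = var.db_password
  # Increment this to make Terraform send a new password.
  password_wo_version = 1
}

resource "aws_instance" "app" {
  ami           = var.ami_id
  instance_type = "t3.micro"
  # Hidden dependency: the app connects to the database at boot, but no
  # argument here references aws_db_instance.app, so Terraform cannot infer it.
  depends_on = [aws_db_instance.app]

  lifecycle {
    # On replacement, build the new instance before destroying the old one.
    create_before_destroy = true
  }
}
```

Supplying the password through the TF_VAR_db_password environment variable at apply time keeps it out of the configuration files as well as out of state.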