VA-002-P HashiCorp Certified: Vault Associate Questions and Answers

Batch tokens are generally used for encrypting data because they are lightweight and scalable and also include enough information to use with Vault.

The special terraform configuration block type is used to configure some behaviors of Terraform itself, such as requiring a minimum Terraform version to apply your configuration.

The /sys/leader endpoint is used to check the current leader of Vault as well as high availability status.

The Cubbyhole secret engine is a default secrets engine that is enabled by default for each Vault user.

Output values are like the return values of a Terraform module and have several uses such as a child module using those outputs to expose a subset of its resource attributes to a parent module.

Anyone can develop and distribute their own Terraform providers. (See Writing Custom Providers for more about provider development.) These third-party providers must be manually installed, since terraform init cannot automatically download them.

https://www.terraform.io/docs/configuration/providers.html#third-party-plugins

Vault has many secrets engines that can generate dynamic credentials, including AWS, Azure, and database secrets engines. The key/value secret engine is used to store data, and the transit secret engine is used to encrypt data.

For local state, Terraform stores the workspace states in a directory called terraform.tfstate.d.

https://www.terraform.io/docs/state/workspaces.html#workspace-internals

The constructs in the Terraform language can also be expressed in JSON syntax, which is harder for humans to read and edit but easier to generate and parse programmatically.

Reference link:- https://www.vaultproject.io/docs/secrets/pki

Terraform is a cloud-agnostic tool, and therefore isn ' t limited to a single cloud provider, such as AWS CloudFormation or Azure Resource Manager. Terraform supports all of the major cloud providers and allows IT organizations to focus on learning a single tool for deploying its infrastructure, regardless of what platform it ' s being deployed on.

The splat (*) can be used as a wildcard but can only be used at the very end of a path.

The plus sign (+) can be used in the middle of a path to denote a path segment.

The terraform fmt command is used to rewrite Terraform configuration files to a canonical format and style. This command applies a subset of the Terraform language style conventions, along with other minor adjustments for readability.

Other Terraform commands that generate Terraform configuration will produce configuration files that conform to the style imposed by terraform fmt, so using this style in your own files will ensure consistency.

Since Vault does not store any data, hence Vault transit secrets engine does not support update activity.

" Deny " capability generally takes precedence over " allow " capability.

Therefore, if you add the correct deny statement, the user will be able to read all secrets except for the data stored at secret/apps/confidential

The HTTP request is a GET which corresponds to a read capability. Thus, to grant access to generate database credentials, the policy would grant read access on the appropriate path.

The -prefix flag treats the ID as a prefix instead of an exact lease ID. This can revoke multiple leases simultaneously.

Consul nodes in the same cluster should not be provisioned across multiple data centers or cloud regions due to the low-latency requirements.

It is generally considered a best practice to not persist root tokens. Instead, a root token should be generated using Vault ' s operator generate-root command only when absolutely necessary.

For day-to-day operations, the root token should be deleted after configuring other auth methods which will be used by admins and Vault clients.

Check below link for details:- https://learn.hashicorp.com/vault/operations/ops-reference-architecture

When a Vault server is started, it starts in a sealed state and it does not know how to decrypt data. Before any operation can be performed on the Vault, it must be unsealed. Unsealing is the process of constructing the master key necessary to decrypt the data encryption key.

Below are links covering details of each option:- https://www.vaultproject.io/docs/concepts/seal

AWS KMS

https://learn.hashicorp.com/vault/operations/ops-autounseal-aws-kms

Auto-unseal using Transit Secrets Engine

https://learn.hashicorp.com/vault/operations/autounseal-transit

Auto-unseal using Azure Key Vault

https://learn.hashicorp.com/vault/day-one/autounseal-azure-keyvault

Auto-unseal using HSM

https://learn.hashicorp.com/vault/operations/ops-seal-wrap

Key shards don ' t support auto unseal instead key shards require the user to provide unseal keys to reconstruct the master key

https://www.vaultproject.io/docs/concepts/seal

Terraform is built on a plugin-based architecture. All providers and provisioners that are used in Terraform configurations are plugins, even the core types such as AWS and Heroku. Users of Terraform are able to write new plugins in order to support new functionality in Terraform.

The Active Directory secrets engine rotates Active Directory passwords dynamically. It does not, however, dynamically generate the AD account. The AD account must exist prior to configuring it in Vault. If it does not, the configuration will fail, stating that the account doesn ' t exist.

Reference link:- https://www.vaultproject.io/docs/secrets/ad

Dev server mode stores its data in memory, therefore if the Vault service is shut down, any data stored will be lost. Additionally, dev server mode does not use TLS, and all data is sent in cleartext.

Using a tool like Terraform can be advantageous for organizations deploying workloads across multiple public and private cloud environments. Operations teams only need to learn a single tool, single language, and can use the same tooling to enable a DevOps-like experience and workflows.

The UI is enabled in the Vault configuration file, not in the CLI.

Non-root tokens are associated with a TTL, which determines how long a token is valid. Root tokens are not associated with a TTL, and therefore, do not expire.

Root tokens are tokens that have the root policy attached to them. They are the only type of token within Vault that are not associated with a TTL, and therefore, do not expire.

Plugin backends are the components in Vault that can be implemented separately from Vault ' s built-in backends. These backends can be either authentication or secrets engines. All Vault auth and secret backends are considered plugins. This simple concept allows both built-in and external plugins to be treated like Legos. Any plugin can exist at multiple different locations. Different versions of a plugin may be at each one, with each version differing from Vault ' s version.

Reference links:-

https://www.vaultproject.io/docs/plugin

https://www.vaultproject.io/docs/internals/plugins

Multiple provider blocks can exist if a Terraform configuration is composed of multiple providers, which is a common situation. To add multiple providers in your configuration, declare the providers, and create resources associated with those providers.

Storage backends are not trusted by Vault and are only expected to render durability. The storage backend is configured when starting the Vault server.

Reference link:- https://www.vaultproject.io/docs/internals/architecture

~ > 1.2.0 will match any non-beta version of the provider between > = 1.2.0 and < 1.3.0. For example, 1.2.X

https://www.terraform.io/docs/configuration/modules.html#gt-1-2-0-1

Just to clarify, " HashiCorp supported " means, it is supported by HashiCorp ' s technical support, it doesn ' t mean that Vault supports the platform as a storage backend.

For example, DynamoDB is a valid storage backend, but it is not officially supported by HashiCorp technical support but it has got the community support.

In-Memory - HashiCorp Supported

MySQL - Community Supported

Raft - HashiCorp Supported

Dynamo DB - Community Supported

Consul - HashiCorp Supported

Filesystem - HashiCorp Supported

Check more details on below link:- https://www.vaultproject.io/docs/configuration/storage/in-memory

Vault doesn ' t store the data sent to the secrets engine.

The transit secrets engine handles cryptographic functions on data-in-transit. It can also be viewed as " cryptography as a service " or " encryption as a service " . The transit secrets engine can also sign and verify data; generate hashes and HMACs of data; and act as a source of random bytes.

Lists are defined with [ ], maps are defined with { }.

https://www.terraform.io/docs/configuration/types.html#structural-types

By default, Vault uses port 8200 for its API and UI.

8201 is used for the cluster to cluster communication,

8300 is used for Consul Server RPC,

8500 is used for the Consul interface,

8600 is used for Consul DNS,

and 8301 is used for its LAN gossip protocol.

You can use required_version to ensure that a user deploying infrastructure is using Terraform 0.12 or greater, due to the vast number of changes that were introduced. As a result, many previously written configurations had to be converted or rewritten.

The EC2 instance labeled web_server is the implicit dependency as the aws_eip cannot be created until the aws_instance labeled web_server has been provisioned and the id is available.

Note that aws_s3_bucket.example is an explicit dependency.

The userpass auth method uses a local database that cannot interact with any services outside of the Vault instance.

For replication (port 8201), Vault generates a mutual TLS connection between nodes using self-generated certs/keys (this is different than the TLS you configure in the listener, which is particular to client requests)... server-to-server always uses this mutual TLS, even if you have TLS disabled on the listener.

Reference link:-

https://www.vaultproject.io/docs/configuration/listener/tcp

https://www.vaultproject.io/docs/concepts/ha

The aws_instance will be created first, and then aws_eip will be created second due to the aws_eip ' s resource dependency of the aws_instance id

Providers are plugins released on a separate rhythm from Terraform itself, and so they have their own version numbers. For production use, you should constrain the acceptable provider version via configuration. This helps to ensure that new versions with potentially breaking changes will not be automatically installed by terraform init in the future.

The local-exec provisioner invokes a local executable after a resource is created. This invokes a process on the machine running Terraform, not on the resource.

Note that even though the resource will be fully created when the provisioner is run, there is no guarantee that it will be in an operable state - for example, system services such as sshd may not be started yet on compute resources.

It implies that there is a syntax error in the configuration file. The exact location of the error in the file can be identified in the error message

You can dynamically construct repeatable nested blocks like ingress using a special dynamic block type, which is supported inside resource, data, provider, and provisioner blocks

Each time a new provider is added to configuration -- either explicitly via a provider block or by adding a resource from that provider -- Terraform must initialize the provider before it can be used. Initialization downloads and installs the provider ' s plugin so that it can later be executed.

In this scenario, the key to answering is that there are applications actively running the secondary data center. Because of this, you can deploy Performance Replication and the applications can now use the Vault cluster in their respective data center. This reduces network latency for your applications and provides you with a secondary cluster for redundancy.

For production use, you should constrain the acceptable provider versions via configuration file to ensure that new versions with breaking changes will not be automatically installed by terraform init in the future. When terraform init is run without provider version constraints, it prints a suggested version constraint string for each provider

For example:

terraform {

required_providers {

aws = " > = 2.7.0 "

}

}

Terraform destroy will always prompt for confirmation before executing unless passed the -auto-approve flag.

$ terraform destroy

Do you really want to destroy all resources?

Terraform will destroy all your managed infrastructure, as shown above.

There is no undo. Only ' yes ' will be accepted to confirm.

Enter a value:

Vault creates two default policies; root, and default.

The root policy cannot be deleted or modified.

The default policy is attached to all tokens, by default, however, this action can be modified if needed.

The prefix -/+ means that Terraform will destroy and recreate the resource, rather than updating it in-place. Some attributes and resources can be updated in-place and are shown with the ~ prefix.

Terraform Cloud supports the following VCS providers:

- GitHub

- GitHub.com (OAuth)

- GitHub Enterprise

- GitLab.com

- GitLab EE and CE

- Bitbucket Cloud

- Bitbucket Server

- Azure DevOps Server

- Azure DevOps Services

https://www.terraform.io/docs/cloud/vcs/index.html#supported-vcs-providers

Interacting with Vault from Terraform causes any secrets that you read and write to be persisted in both Terraform ' s state file and in any generated plan files. For any Terraform module that reads or writes Vault secrets, these files should be treated as sensitive and protected accordingly.

Unsealing is the process of obtaining the plaintext master key necessary to read the decryption key to decrypt the data, allowing access to the Vault. The master key is used to decrypt the encryption key which can unencrypt the data on the storage backend.

To extend Vault beyond a data center or cloud regional boundary, replication can be used. Vault supports both DR replication and Performance replication to copy data from the primary cluster to a secondary cluster safely.

It is important to consider that Terraform reads from data sources during the plan phase and writes the result into the plan. For something like a Vault token which has an explicit TTL, the apply must be run before the data, or token, in this case, expires, otherwise, Terraform will fail during the apply phase.

Everything in the Vault is path-based, and policies are no exception. Policies provide a declarative way to grant or forbid access to certain paths and operations in Vault.

The policy template makes it very flexible to customize the environment. By using parameters within your template, you can have Vault " insert " a value into the path based upon things like identity values, group membership, and metadata associated with either the user ' s identity or group they are a member of.

Using the parameter, the path user-kv/data/{{identity.entity.name}}/* converts to user-kv/data/student01/*

github is not a supported backend type.

https://www.terraform.io/docs/backends/types/index.html