VA-002-P HashiCorp Certified: Vault Associate Questions and Answers

By default, the state file is stored in a local file named "terraform.tfstate", but it can also be stored remotely, which works better in a team environment.

The kv delete command is like a soft delete which deletes the data for the provided path in the key/value secrets engine. If using K/V Version 2, its versioned data will not be fully removed, but marked as deleted and will no longer be available for normal get requests.

The kv destroy command permanently removes the specified versions' data from the key/value secrets engine. If no key exists at the path, no action is taken. It does not deletes all versions of a secret.

The kv metadata delete command deletes all versions and metadata for the provided key.

storage backend and HTTP API are outside of the security barrier hence can't be protected.

Namespaces are isolated environments that functionally exist as "Vaults within a Vault." They have separate login paths and support creating and managing data isolated to their namespace. This data includes the following:

- Secret Engines

- Auth Methods

- Policies

- Identities (Entities, Groups)

- Tokens

Reference link:- https://www.vaultproject.io/docs/enterprise/namespaces

Infrastructure as Code is not used to develop applications, but it can be used to help deploy or provision those applications to a public cloud provider or on-premises infrastructure.

All of the others are benefits to using Infrastructure as Code over the traditional way of managing infrastructure, regardless if it's public cloud or on-premises.

Terraform destroy will always prompt for confirmation before executing unless passed the -auto-approve flag.

$ terraform destroy

Do you really want to destroy all resources?

Terraform will destroy all your managed infrastructure, as shown above.

There is no undo. Only 'yes' will be accepted to confirm.

Enter a value:

When you send data to Vault for encryption, it must be in the form of base64-encoded plaintext for safe transport.

Certificates are not a valid unseal option for HashiCorp Vault.

Vault secrets engines are used to store, generate, or encrypt data.

The KV secrets engine can store data, AWS can generate credentials, and the transit secret engine can encrypt data.

You can dynamically construct repeatable nested blocks like ingress using a special dynamic block type, which is supported inside resource, data, provider, and provisioner blocks

The ideal method for a machine to machine authentication is AppRole although it's not the only method. The other options are frequently reserved for human access.

Reference link:- https://www.hashicorp.com/blog/authenticating-applications-with-vault-approle/

Vault has three interfaces available.

The API can be used by a user or application, the CLI can be used by a user directly on the Vault server or remotely, and the UI can be used if it's been enabled in the configuration file.

The Vault server process collects various runtime metrics about the performance of different libraries and subsystems. These metrics are aggregated on a ten-second interval and are retained for one minute. This telemetry information can be used for debugging or otherwise getting a better view of what Vault is doing.

Telemetry information can be streamed directly from Vault to a range of metrics aggregation solutions as described in the telemetry Stanza documentation.

Reference link:- https://www.vaultproject.io/docs/internals/telemetry

It implies that there is a syntax error in the configuration file. The exact location of the error in the file can be identified in the error message

The kv enable-versioning command turns on versioning for an existing non-versioned key/value secrets engine (K/V Version 1) at its path.

Reference link:- https://www.vaultproject.io/docs/commands/kv/enable-versioning

Consul nodes in the same cluster should not be provisioned across multiple data centers or cloud regions due to the low-latency requirements.

Non-root tokens are associated with a TTL, which determines how long a token is valid. Root tokens are not associated with a TTL, and therefore, do not expire.

Root tokens are tokens that have the root policy attached to them. They are the only type of token within Vault that are not associated with a TTL, and therefore, do not expire.

Workspaces, managed with the terraform workspace command, aren't the same thing as Terraform Cloud workspaces.

Terraform Cloud workspaces act more like completely separate working directories.

CLI workspaces(OSS) are just alternate state files.

You can use modules from a private registry, like the one provided by Terraform Cloud. Private registry modules have source strings of the form ///. This is the same format as the public registry, but with an added hostname prefix.

Output values are like the return values of a Terraform module and have several uses such as a child module using those outputs to expose a subset of its resource attributes to a parent module.

Note: (5/27/20) This QUESTION NO: has been recently updated to reflect documentation updates on the HashiCorp website. It seems they have removed the clustering-specific requirements and are now following the standard Enterprise operating system requirements.

Terraform Enterprise currently supports running under the following operating systems for a Clustered deployment:

- Ubuntu 16.04.3 - 16.04.5 / 18.04

- Red Hat Enterprise Linux 7.4 through 7.7

- CentOS 7.4 - 7.7

- Amazon Linux

- Oracle Linux

Clusters currently don't support other Linux variants.

https://www.terraform.io/docs/enterprise/before-installing/index.html#operating-system-requirements

Check below link for details:- https://learn.hashicorp.com/vault/operations/ops-reference-architecture

Environment variables can be used to set variables. The environment variables must be in the format TF_VAR_name and this will be checked last for a value. For example:

export TF_VAR_region=us-west-1

export TF_VAR_ami=ami-049d8641

export TF_VAR_alist='[1,2,3]'

export TF_VAR_amap='{ foo = "bar", baz = "qux" }'

https://www.terraform.io/docs/commands/environment-variables.html

Once Vault is unsealed, you can run vault login -method=ldap -username=vault and vault kv get kv/apps/app01. The second command assumes that you have authenticated but it cannot be run unless Vault is unsealed. vault status can be run regardless of Vault is sealed or unsealed, and vault operator unseal can only be run when the vault is sealed.

See this page on the purpose of Terraform state and the benefits it provides.

Vault doesn't store the data sent to the secrets engine.

The transit secrets engine handles cryptographic functions on data-in-transit. It can also be viewed as "cryptography as a service" or "encryption as a service". The transit secrets engine can also sign and verify data; generate hashes and HMACs of data; and act as a source of random bytes.