HashiCorp VA-002-P HashiCorp Certified: Vault Associate Exam Practice Test

The Identity secrets engine is the identity management solution for Vault. It internally maintains the clients who are recognized by Vault. This secrets engine will be mounted by default. This secrets engine cannot be disabled or moved.

Reference link:- https://www.vaultproject.io/docs/secrets/identity

The splat (*) can be used as a wildcard but can only be used at the very end of a path.

The plus sign (+) can be used in the middle of a path to denote a path segment.

Sentinel is an embedded policy-as-code framework integrated with the HashiCorp Enterprise products. It enables fine-grained, logic-based policy decisions, and can be extended to use information from external sources.

API and CLI access are managed with API tokens, which can be generated in the Terraform Cloud UI. Each user can generate any number of personal API tokens, which allow access with their own identity and permissions. Organizations and teams can also generate tokens for automating tasks that aren't tied to an individual user.

When data is encrypted using Vault, the resulting ciphertext is prepended by the version of the key used to encrypt it. In this case, the version is v2, which means that the encryption key was rotated at least one time. Any data that was encrypted with the original key would have been prepended with vault:v1

To rotate a key, use the command vault write -f transit/keys//rotate

Reference link:- https://learn.hashicorp.com/vault/encryption-as-a-service/eaas-transit

You do not need to specify every required argument in the backend configuration. Omitting certain arguments may be desirable to avoid storing secrets, such as access keys, within the main configuration. When some or all of the arguments are omitted, we call this a partial configuration.

With a partial configuration, the remaining configuration arguments must be provided as part of the initialization process. There are several ways to supply the remaining arguments:

Interactively: Terraform will interactively ask you for the required values unless interactive input is disabled. Terraform will not prompt for optional values.

File: A configuration file may be specified via the init command line. To specify a file, use the -backend-config=PATH option when running terraform init. If the file contains secrets it may be kept in a secure data store, such as Vault, in which case it must be downloaded to the local disk before running Terraform.

Command-line key/value pairs: Key/value pairs can be specified via the init command line. Note that many shells retain command-line flags in a history file, so this isn't recommended for secrets. To specify a single key/value pair, use the -backend-config="KEY=VALUE" option when running terraform init.

HashiCorp style conventions suggest you that align the equals sign for consecutive arguments for easing readability for configurations

ami = "abc123"

instance_type = "t2.micro"

The Vault server process collects various runtime metrics about the performance of different libraries and subsystems. These metrics are aggregated on a ten-second interval and are retained for one minute. This telemetry information can be used for debugging or otherwise getting a better view of what Vault is doing.

Telemetry information can be streamed directly from Vault to a range of metrics aggregation solutions as described in the telemetry Stanza documentation.

Reference link:- https://www.vaultproject.io/docs/internals/telemetry

When assigning a value to an argument, it must be enclosed in quotes ("...") unless it is being generated programmatically.

The terraform show command is used to provide human-readable output from a state or plan file. This can be used to inspect a plan to ensure that the planned operations are expected, or to inspect the current state as Terraform sees it.

Machine-readable output can be generated by adding the -json command-line flag.

Note: When using the -json command-line flag, any sensitive values in Terraform state will be displayed in plain text.

Everything in Vault is path-based including policies. Policies provide a declarative way to grant or forbid access to certain paths and operations in Vault.

Policies are deny by default, so an empty policy grants no permission in the system.

Environment variables can be used to set variables. The environment variables must be in the format TF_VAR_name and this will be checked last for a value. For example:

export TF_VAR_region=us-west-1

export TF_VAR_ami=ami-049d8641

export TF_VAR_alist='[1,2,3]'

export TF_VAR_amap='{ foo = "bar", baz = "qux" }'

https://www.terraform.io/docs/commands/environment-variables.html

The Terraform language includes a number of built-in functions that you can call from within expressions to transform and combine values. The Terraform language does not support user-defined functions, and only the functions built into the language are available for use.

The lease command groups subcommands for interacting with leases attached to secrets.

Subcommands:

renew Renews the lease of a secret

revoke Revokes leases and secrets

Using the '-prefix' flag allows you to revoke the entire tree of secrets.

The terraform console command provides an interactive console for evaluating expressions.

https://www.terraform.io/docs/commands/console.html

Businesses are making a transition where traditionally-managed infrastructure can no longer meet the demands of today's businesses. IT organizations are quickly adopting the public cloud, which is predominantly API-driven.

To meet customer demands and save costs, application teams are architecting their applications to support a much higher level of elasticity, supporting technology like containers and public cloud resources. These resources may only live for a matter of hours; therefore the traditional method of raising a ticket to request resources is no longer a viable option Pointing and clicking in a management console is NOT scale and increases the change of human error.

tostring is not a string function, it is a type conversion function. tostring converts its argument to a string value. https://www.terraform.io/docs/configuration/functions/tostring.html

A workspace can only be configured to a single VCS repo, however, multiple workspaces can use the same repo, if needed. A good Explanation: of how to configure your code repositories can be found here.

HashiCorp style conventions state that you should use 2 spaces between each nesting level to improve the readability of Terraform configurations.

A terraform list is a sequence of values identified by consecutive whole numbers starting with zero.

https://www.terraform.io/docs/configuration/types.html#structural-types

Anyone can develop and distribute their own Terraform providers. (See Writing Custom Providers for more about provider development.) These third-party providers must be manually installed, since terraform init cannot automatically download them.

https://www.terraform.io/docs/configuration/providers.html#third-party-plugins

Since Vault does not store any data, hence Vault transit secrets engine does not support update activity.

Terraform Cloud supports the following VCS providers:

- GitHub

- GitHub.com (OAuth)

- GitHub Enterprise

- GitLab.com

- GitLab EE and CE

- Bitbucket Cloud

- Bitbucket Server

- Azure DevOps Server

- Azure DevOps Services

https://www.terraform.io/docs/cloud/vcs/index.html#supported-vcs-providers

The Active Directory secrets engine rotates Active Directory passwords dynamically. It does not, however, dynamically generate the AD account. The AD account must exist prior to configuring it in Vault. If it does not, the configuration will fail, stating that the account doesn't exist.

Reference link:- https://www.vaultproject.io/docs/secrets/ad

This endpoint returns high-quality random bytes of the specified length.

When reading a dynamic secret, such as via vault read, Vault always returns a lease_id. This is the ID used with commands such as vault lease renew and vault lease revoke to manage the lease of the secret.

vault lease lookup

Usage: vault lease [options] [args]

This command groups subcommands for interacting with leases. Users can revoke or renew leases.

Renew a lease:

$ vault lease renew database/creds/readonly/2f6a614c...

Revoke a lease:

$ vault lease revoke database/creds/readonly/2f6a614c...

Subcommands:

renew Renews the lease of a secret

revoke Revokes leases and secrets

Reference link:- https://www.vaultproject.io/docs/concepts/lease

The constructs in the Terraform language can also be expressed in JSON syntax, which is harder for humans to read and edit but easier to generate and parse programmatically.

The terraform init command is used to initialize a working directory containing Terraform configuration files. This is the first command that should be run after writing a new Terraform configuration or cloning an existing one from version control. It is safe to run this command multiple times.

The root token should never be used on a day-to-day basis and should always be revoked once a permanent auth method has been configured.