VA-002-P HashiCorp Certified: Vault Associate Questions and Answers

The command format for enabling Vault features is vault , therefore the correct answer would be vault secrets enable aws

When you send data to Vault for encryption, it must be in the form of base64-encoded plaintext for safe transport.

To browse Vault paths in the UI, the user must have list permissions on the mount and the paths leading up to the secret.

Multiple provider blocks can exist if a Terraform configuration is composed of multiple providers, which is a common situation. To add multiple providers in your configuration, declare the providers, and create resources associated with those providers.

Seal types, Storage backends, and cluster names are just a few of the configurations done via the configuration file. The others are configured within Vault itself.

Vault Enterprise supports multi-datacenter deployment where you can replicate data across data centers for performance as well as disaster recovery.

In DR replication, secondary clusters do not forward service read or write requests until they are elevated and become a new primary.

DR replicated cluster will replicate all data from the primary cluster, including tokens. A performance replicated cluster, however, will not replicate the tokens from the primary, as the performance replicated cluster will generate its own client tokens for requests made directly to it.

In performance replication, secondaries keep track of their own tokens and leases but share the underlying configuration, policies, and supporting secrets (K/V values, encryption keys for transit, etc).

Note: Failover and Online replication, there is no such replication exist in hashicorp vault.

Check below links for more details:-

https://www.vaultproject.io/docs/enterprise/replication

https://learn.hashicorp.com/vault/operations/ops-disaster-recovery

Storage backends are not trusted by Vault and are only expected to render durability. The storage backend is configured when starting the Vault server.

Reference link:- https://www.vaultproject.io/docs/internals/architecture

When reading a dynamic secret, such as via vault read, Vault always returns a lease_id. This is the ID used with commands such as vault lease renew and vault lease revoke to manage the lease of the secret.

vault lease lookup

Usage: vault lease [options] [args]

This command groups subcommands for interacting with leases. Users can revoke or renew leases.

Renew a lease:

$ vault lease renew database/creds/readonly/2f6a614c...

Revoke a lease:

$ vault lease revoke database/creds/readonly/2f6a614c...

Subcommands:

renew Renews the lease of a secret

revoke Revokes leases and secrets

Reference link:- https://www.vaultproject.io/docs/concepts/lease

zipmap constructs a map from a list of keys and a corresponding list of values. A map is denoted by { } whereas a list is donated by [ ].

https://www.terraform.io/docs/configuration/functions/zipmap.html

Vault secrets engines are used to store, generate, or encrypt data.

The KV secrets engine can store data, AWS can generate credentials, and the transit secret engine can encrypt data.

Vault supports AWS, Azure, Google Cloud, and Alibaba Cloud out of the box for secrets engines

The terraform plan command is used to create an execution plan. Terraform performs a refresh, unless explicitly disabled, and then determines what actions are necessary to achieve the desired state specified in the configuration files.

After a plan has been run, it can be executed by running a terraform apply

The format of resource block configurations is as follows:

"" ""

Lists are defined with [ ], maps are defined with { }.

https://www.terraform.io/docs/configuration/types.html#structural-types

You can use required_version to ensure that a user deploying infrastructure is using Terraform 0.12 or greater, due to the vast number of changes that were introduced. As a result, many previously written configurations had to be converted or rewritten.

The Vault provider allows Terraform to read from, write to, and configure Harshicorp Vault.

The aws_instance will be created first, and then aws_eip will be created second due to the aws_eip's resource dependency of the aws_instance id

You can use modules from a private registry, like the one provided by Terraform Cloud. Private registry modules have source strings of the form ///. This is the same format as the public registry, but with an added hostname prefix.

The UI is enabled in the Vault configuration file, not in the CLI.

After initializing, Vault provides the root token to the user, this is the only way to log in to Vault to configure additional auth methods.

Most of the important features of Vault are available in the open-source version, however, some of the features which are generally required by large organizations are only available in the Enterprise version such as:-

- MFA - Multi-factor Authentication

- Replication

- Auto unseal with HSM and many more.

Check all the features at the below link.

Reference link:- https://www.hashicorp.com/products/vault/pricing/

Namespaces are isolated environments that functionally exist as "Vaults within a Vault." They have separate login paths and support creating and managing data isolated to their namespace. This data includes the following:

- Secret Engines

- Auth Methods

- Policies

- Identities (Entities, Groups)

- Tokens

Reference link:- https://www.vaultproject.io/docs/enterprise/namespaces

Dev server mode stores its data in memory, therefore if the Vault service is shut down, any data stored will be lost. Additionally, dev server mode does not use TLS, and all data is sent in cleartext.

HashiCorp style conventions suggest you that align the equals sign for consecutive arguments for easing readability for configurations

ami = "abc123"

instance_type = "t2.micro"

Provisioners are used to execute scripts on a local or remote machine as part of resource creation or destruction. Provisioners can be used to bootstrap a resource, cleanup before destroy, run configuration management, etc. Even if the functionality you need is not available in a provider today, HashiCorp suggests that you consider local-exec usage as a temporary workaround and to open an issue in the relevant provider's repo to discuss adding first-class support.

External Services mode stores the majority of the stateful data used by the instance in an external PostgreSQL database and an external S3-compatible endpoint or Azure blob storage. There are still critical data stored on the instance that must be managed with snapshots. Be sure to check the PostgreSQL Requirements for information that needs to be present for Terraform Enterprise to work. This option is best for users with expertise managing PostgreSQL or users that have access to managed PostgreSQL offerings like AWS RDS.

Vault secondary clusters must be manually promoted to a primary.