VA-002-P Practice Exam Questions with Answers HashiCorp Certified: Vault Associate Certification

The terraform apply command is used to apply the changes required to reach the desired state of the configuration, or the pre-determined set of actions generated by a terraform plan execution plan.

This endpoint returns high-quality random bytes of the specified length.

The local-exec provisioner invokes a local executable after a resource is created. This invokes a process on the machine running Terraform, not on the resource.

Note that even though the resource will be fully created when the provisioner is run, there is no guarantee that it will be in an operable state - for example, system services such as sshd may not be started yet on compute resources.

github is not a supported backend type.

https://www.terraform.io/docs/backends/types/index.html

The Terraform language includes a number of built-in functions that you can call from within expressions to transform and combine values. The Terraform language does not support user-defined functions, and only the functions built into the language are available for use.

Interacting with Vault from Terraform causes any secrets that you read and write to be persisted in both Terraform's state file and in any generated plan files. For any Terraform module that reads or writes Vault secrets, these files should be treated as sensitive and protected accordingly.

For production use, you should constrain the acceptable provider versions via configuration file to ensure that new versions with breaking changes will not be automatically installed by terraform init in the future. When terraform init is run without provider version constraints, it prints a suggested version constraint string for each provider

For example:

terraform {

required_providers {

aws = ">= 2.7.0"

}

}

The Consul agent is the core Consul process that runs the Consul service. Everything Consul does is the result of the Consul agent, which can run in either server or client mode.

Reference link:- https://www.consul.io/docs/agent

terraform force-unlock removes the lock on the state for the current configuration.

After authenticating, the UI and CLI automatically assume the token for all subsequent requests. The API, however, requires the user to extract the token from the server response after authenticating in order to send with subsequent requests.

The terraform validate command validates the configuration files in a directory, referring only to the configuration and not accessing any remote services such as remote state, provider APIs, etc.

Validate runs checks that verify whether a configuration is syntactically valid and internally consistent, regardless of any provided variables or existing state. It is thus primarily useful for general verification of reusable modules, including the correctness of attribute names and value types.

Storage backends are not trusted by Vault and are only expected to render durability. The storage backend is configured when starting the Vault server.

Reference link:- https://www.vaultproject.io/docs/internals/architecture

The terraform init command is used to initialize a working directory containing Terraform configuration files. This is the first command that should be run after writing a new Terraform configuration or cloning an existing one from version control. It is safe to run this command multiple times.

The kv metadata command has subcommands for interacting with the metadata and versions for the versioned secrets (K/V Version 2 secrets engine) at the specified path.

The kv metadata delete command deletes all versions and metadata for the provided key.

Reference link:- https://www.vaultproject.io/docs/commands/kv/metadata

It implies that there is a syntax error in the configuration file. The exact location of the error in the file can be identified in the error message

The terraform workspace new command is used to create a new workspace. https://www.terraform.io/docs/commands/workspace/new.html

The -force flag is meant for recovery when the secret in the target secrets engine was manually deleted.

Certificates are not a valid unseal option for HashiCorp Vault.

The existence of a provider plugin found locally in the working directory does not itself create a provider dependency. The plugin can exist without any reference to it in the terraform configuration.

https://www.terraform.io/docs/commands/providers.html

To extend Vault beyond a data center or cloud regional boundary, replication can be used. Vault supports both DR replication and Performance replication to copy data from the primary cluster to a secondary cluster safely.

A terraform list is a sequence of values identified by consecutive whole numbers starting with zero.

https://www.terraform.io/docs/configuration/types.html#structural-types

In order to renew a token, a user can issue a vault token renew command to extend the TTL. The token can also be renewed using the API

When you send data to Vault for encryption, it must be in the form of base64-encoded plaintext for safe transport.

"Deny" capability generally takes precedence over "allow" capability.

Therefore, if you add the correct deny statement, the user will be able to read all secrets except for the data stored at secret/apps/confidential