VA-002-P Practice Exam Questions with Answers HashiCorp Certified: Vault Associate Certification

Infrastructure as Code is not used to develop applications, but it can be used to help deploy or provision those applications to a public cloud provider or on-premises infrastructure.

All of the others are benefits to using Infrastructure as Code over the traditional way of managing infrastructure, regardless if it's public cloud or on-premises.

Output values are like the return values of a Terraform module and have several uses such as a child module using those outputs to expose a subset of its resource attributes to a parent module.

Check below link for details:- https://learn.hashicorp.com/vault/operations/ops-reference-architecture

Terraform is not a configuration management tool - https://www.terraform.io/intro/vs/chef-puppet.html

Terraform is a declarative language - https://www.terraform.io/docs/configuration/index.html

Terraform supports a syntax that is JSON compatible - https://www.terraform.io/docs/configuration/syntax-json.html

Terraform is primarily designed on immutable infrastructure principles - https://www.hashicorp.com/resources/what-is-mutable-vs-immutable-infrastructure

index finds the element index for a given value in a list starting with index 0.

https://www.terraform.io/docs/configuration/functions/index.html

The Consul agent is the core Consul process that runs the Consul service. Everything Consul does is the result of the Consul agent, which can run in either server or client mode.

Reference link:- https://www.consul.io/docs/agent

The format of resource block configurations is as follows:

"" ""

The Cubbyhole secret engine is a default secrets engine that is enabled by default for each Vault user.

The terraform validate command validates the configuration files in a directory, referring only to the configuration and not accessing any remote services such as remote state, provider APIs, etc.

Validate runs checks that verify whether a configuration is syntactically valid and internally consistent, regardless of any provided variables or existing state. It is thus primarily useful for general verification of reusable modules, including the correctness of attribute names and value types.

Terraform is able to import existing infrastructure. This allows you to take resources you've created by some other means and bring it under Terraform management.

This is a great way to slowly transition infrastructure to Terraform or to be sure you're confident that you can use Terraform in the future if it currently doesn't support every AWS service or feature you need

today.

The aws_instance will be created first, and then aws_eip will be created second due to the aws_eip's resource dependency of the aws_instance id

Reference link:- https://www.vaultproject.io/docs/secrets/pki

Vault Enterprise supports multi-datacenter deployment where you can replicate data across data centers for performance as well as disaster recovery.

In DR replication, secondary clusters do not forward service read or write requests until they are elevated and become a new primary.

DR replicated cluster will replicate all data from the primary cluster, including tokens. A performance replicated cluster, however, will not replicate the tokens from the primary, as the performance replicated cluster will generate its own client tokens for requests made directly to it.

In performance replication, secondaries keep track of their own tokens and leases but share the underlying configuration, policies, and supporting secrets (K/V values, encryption keys for transit, etc).

Note: Failover and Online replication, there is no such replication exist in hashicorp vault.

Check below links for more details:-

https://www.vaultproject.io/docs/enterprise/replication

https://learn.hashicorp.com/vault/operations/ops-disaster-recovery

Replication relies on having a shared keyring between primary and secondaries and a shared understanding of the data store state.

As soon as replication is enabled, all of the secondary's existing data will be destroyed, which is irrevocable.

Generally, activating as a secondary will be the first thing that is done upon setting up a new cluster for replication.

Hence, create a backup first if there is a slight chance that you would need this existing storage in the future.

Reference link:- https://www.hashicorp.com/resources/setting-up-configuring-performance-replication/

route_tables_all is assigned a list of unique route table names filtered from a list of objects describing subnet details, one of those object attributes being route_table_name.

The terraform console command provides an interactive console for evaluating expressions.

https://www.terraform.io/docs/commands/console.html

Terraform can limit the number of concurrent operations as Terraform walks the graph using the -parallelism=n argument. The default value for this setting is 10. This setting might be helpful if you're running into API rate limits.

Namespaces are isolated environments that functionally exist as "Vaults within a Vault." They have separate login paths and support creating and managing data isolated to their namespace. This data includes the following:

- Secret Engines

- Auth Methods

- Policies

- Identities (Entities, Groups)

- Tokens

Reference link:- https://www.vaultproject.io/docs/enterprise/namespaces

The terraform taint command manually marks a Terraform-managed resource as tainted, forcing it to be destroyed and recreated on the next apply. This command will not modify infrastructure but does modify the state file in order to mark a resource as tainted. Once a resource is marked as tainted, the next plan will show that the resource will be destroyed and recreated. The next terraform apply will

implement this change.

You can use required_version to ensure that a user deploying infrastructure is using Terraform 0.12 or greater, due to the vast number of changes that were introduced. As a result, many previously written configurations had to be converted or rewritten.

Terraform supports the #, //, and /*..*/ for commenting Terraform configuration files. Please use them when writing Terraform so both you and others who are using your code have a full understanding of what the code is intended to do.

https://www.terraform.io/docs/configuration/syntax.html#comments

Be sure to restart your shell after installing autocompletion!

The -prefix flag treats the ID as a prefix instead of an exact lease ID. This can revoke multiple leases simultaneously.

The Vault configuration file supports either JSON or HCL, which is HashiCorp Configuration Language

The terraform workspace select command is used to choose a different workspace to use for further operations. https://www.terraform.io/docs/commands/workspace/select.html

The command format for enabling Vault features is vault , therefore the correct answer would be vault secrets enable aws

Consul nodes in the same cluster should not be provisioned across multiple data centers or cloud regions due to the low-latency requirements.

Sentinel and Cost Estimation are both available in Terraform Cloud, though not at the free tier level.

In this particular question, a VPC endpoint can provide private connectivity to an AWS service without having to traverse the public internet. This way you hit a private endpoint for the service rather than connecting to the public endpoint.

This is more of an AWS-type question, but the underlying premise still holds regardless of where your Vault cluster is deployed. If you use a public cloud KMS solution, such as AWS KMS, Azure Key Vault, GCP Cloud KMS, or AliCloud KMS, your Vault cluster will need the ability to communicate with that service to unseal itself.

The constructs in the Terraform language can also be expressed in JSON syntax, which is harder for humans to read and edit but easier to generate and parse programmatically.

Replication is not available in open-source versions of Vault. It is an enterprise feature.

Terraform requires some sort of database to map Terraform config to the real world. When you have a resource in your configuration, Terraform uses this map to know how that resource is represented. Therefore, to map configuration to resources in the real world, Terraform uses its own state structure.

The kv enable-versioning command turns on versioning for an existing non-versioned key/value secrets engine (K/V Version 1) at its path.

Reference link:- https://www.vaultproject.io/docs/commands/kv/enable-versioning

All plaintext data must be base64-encoded. The reason for this requirement is that Vault does not require that the plaintext is "text". It could be a binary file such as a PDF or image. The easiest safe transport mechanism for this data as part of a JSON payload is to base64-encode it.

Reference link:- https://learn.hashicorp.com/vault/encryption-as-a-service/eaas-transit

count is a reserved word. The count parameter on resources can simplify configurations and let you scale resources by simply incrementing a number.

https://www.terraform.io/intro/examples/count.html

Businesses are making a transition where traditionally-managed infrastructure can no longer meet the demands of today's businesses. IT organizations are quickly adopting the public cloud, which is predominantly API-driven.

To meet customer demands and save costs, application teams are architecting their applications to support a much higher level of elasticity, supporting technology like containers and public cloud resources. These resources may only live for a matter of hours; therefore the traditional method of raising a ticket to request resources is no longer a viable option Pointing and clicking in a management console is NOT scale and increases the change of human error.

The TOTP secrets engine generates time-based credentials according to the TOTP standard. The secrets engine can also be used to generate a new key and validate passwords generated by that key.

The TOTP secrets engine can act as both a generator (like Google Authenticator) and a provider (like the Google.com sign-in service).

As a Generator

The TOTP secrets engine can act as a TOTP code generator. In this mode, it can replace traditional TOTP generators like Google Authenticator. It provides an added layer of security since the ability to generate codes is guarded by policies and the entire process is audited.

Reference link:- https://www.vaultproject.io/docs/secrets/totp

Terraform analyses any expressions within a resource block to find references to other objects and treats those references as implicit ordering requirements when creating, updating, or destroying resources.

https://www.terraform.io/docs/configuration/resources.html

External Services mode stores the majority of the stateful data used by the instance in an external PostgreSQL database and an external S3-compatible endpoint or Azure blob storage. There are still critical data stored on the instance that must be managed with snapshots. Be sure to check the PostgreSQL Requirements for information that needs to be present for Terraform Enterprise to work. This option is best for users with expertise managing PostgreSQL or users that have access to managed PostgreSQL offerings like AWS RDS.

When a Vault server is started, it starts in a sealed state and it does not know how to decrypt data. Before any operation can be performed on the Vault, it must be unsealed. Unsealing is the process of constructing the master key necessary to decrypt the data encryption key.

Below are links covering details of each option:- https://www.vaultproject.io/docs/concepts/seal

AWS KMS

https://learn.hashicorp.com/vault/operations/ops-autounseal-aws-kms

Auto-unseal using Transit Secrets Engine

https://learn.hashicorp.com/vault/operations/autounseal-transit

Auto-unseal using Azure Key Vault

https://learn.hashicorp.com/vault/day-one/autounseal-azure-keyvault

Auto-unseal using HSM

https://learn.hashicorp.com/vault/operations/ops-seal-wrap

Key shards don't support auto unseal instead key shards require the user to provide unseal keys to reconstruct the master key

https://www.vaultproject.io/docs/concepts/seal

While there are a ton of features that are available to open source users, many features that are part of the Enterprise offering are geared towards larger teams and enterprise functionality.

Lists are defined with [ ], maps are defined with { }.

https://www.terraform.io/docs/configuration/types.html#structural-types

For replication (port 8201), Vault generates a mutual TLS connection between nodes using self-generated certs/keys (this is different than the TLS you configure in the listener, which is particular to client requests)... server-to-server always uses this mutual TLS, even if you have TLS disabled on the listener.

Reference link:-

https://www.vaultproject.io/docs/configuration/listener/tcp

https://www.vaultproject.io/docs/concepts/ha

The terraform init command is used to initialize a working directory containing Terraform configuration files. This is the first command that should be run after writing a new Terraform configuration or cloning an existing one from version control. It is safe to run this command multiple times.

In order to renew a token, a user can issue a vault token renew command to extend the TTL. The token can also be renewed using the API

The terraform refresh command is used to reconcile the state Terraform knows about (via its state file) with the real-world infrastructure. This can be used to detect any drift from the last-known state, and to update the state file.

This does not modify infrastructure but does modify the state file. If the state is changed, this may cause changes to occur during the next plan or apply.

https://www.terraform.io/docs/commands/refresh.html

By default, Vault uses port 8200 for its API and UI.

8201 is used for the cluster to cluster communication,

8300 is used for Consul Server RPC,

8500 is used for the Consul interface,

8600 is used for Consul DNS,

and 8301 is used for its LAN gossip protocol.

By default, terraform init downloads plugins into a subdirectory of the working directory, .terraform/plugins, so that each working directory is self-contained.

Service Tokens

Service tokens are what users will generally think of as "normal" Vault tokens. They support all features, such as renewal, revocation, creating child tokens, and more. They are correspondingly heavyweight to create and track.

Batch Tokens

Batch tokens are encrypted blobs that carry enough information for them to be used for Vault actions, but they require no storage on disk to track them. As a result, they are extremely lightweight and scalable but lack most of the flexibility and features of service tokens.

Reference link:- https://www.vaultproject.io/docs/concepts/tokens

Most of the important features of Vault are available in the open-source version, however, some of the features which are generally required by large organizations are only available in the Enterprise version such as:-

- MFA - Multi-factor Authentication

- Replication

- Auto unseal with HSM and many more.

Check all the features at the below link.

Reference link:- https://www.hashicorp.com/products/vault/pricing/

The terraform apply command is used to apply the changes required to reach the desired state of the configuration, or the pre-determined set of actions generated by a terraform plan execution plan.

When Vault is sealed, the only two options available are, viewing the vault status and unsealing Vault. All the other actions performed after the Vault is unsealed and the user is authenticated.

Batch tokens are generally used for encrypting data because they are lightweight and scalable and also include enough information to use with Vault.

Before Vault can be used, it must be initialized and unsealed. This screen indicates that Vault has not been initialized yet and is offering you a way to do so.

You can dynamically construct repeatable nested blocks like ingress using a special dynamic block type, which is supported inside resource, data, provider, and provisioner blocks