VA-002-P Sample Questions Answers

The UI is enabled in the Vault configuration file, not in the CLI.

When a Vault server is started, it starts in a sealed state and it does not know how to decrypt data. Before any operation can be performed on the Vault, it must be unsealed. Unsealing is the process of constructing the master key necessary to decrypt the data encryption key.

Below are links covering details of each option:- https://www.vaultproject.io/docs/concepts/seal

AWS KMS

https://learn.hashicorp.com/vault/operations/ops-autounseal-aws-kms

Auto-unseal using Transit Secrets Engine

https://learn.hashicorp.com/vault/operations/autounseal-transit

Auto-unseal using Azure Key Vault

https://learn.hashicorp.com/vault/day-one/autounseal-azure-keyvault

Auto-unseal using HSM

https://learn.hashicorp.com/vault/operations/ops-seal-wrap

Key shards don't support auto unseal instead key shards require the user to provide unseal keys to reconstruct the master key

https://www.vaultproject.io/docs/concepts/seal

Everything in the Vault is path-based, and policies are no exception. Policies provide a declarative way to grant or forbid access to certain paths and operations in Vault.

The policy template makes it very flexible to customize the environment. By using parameters within your template, you can have Vault "insert" a value into the path based upon things like identity values, group membership, and metadata associated with either the user's identity or group they are a member of.

Using the parameter, the path user-kv/data/{{identity.entity.name}}/* converts to user-kv/data/student01/*

All plaintext data must be base64-encoded. The reason for this requirement is that Vault does not require that the plaintext is "text". It could be a binary file such as a PDF or image. The easiest safe transport mechanism for this data as part of a JSON payload is to base64-encode it.

Reference link:- https://learn.hashicorp.com/vault/encryption-as-a-service/eaas-transit

Replication relies on having a shared keyring between primary and secondaries and a shared understanding of the data store state.

As soon as replication is enabled, all of the secondary's existing data will be destroyed, which is irrevocable.

Generally, activating as a secondary will be the first thing that is done upon setting up a new cluster for replication.

Hence, create a backup first if there is a slight chance that you would need this existing storage in the future.

Reference link:- https://www.hashicorp.com/resources/setting-up-configuring-performance-replication/

You do not need to specify every required argument in the backend configuration. Omitting certain arguments may be desirable to avoid storing secrets, such as access keys, within the main configuration. When some or all of the arguments are omitted, we call this a partial configuration.

With a partial configuration, the remaining configuration arguments must be provided as part of the initialization process. There are several ways to supply the remaining arguments:

Interactively: Terraform will interactively ask you for the required values unless interactive input is disabled. Terraform will not prompt for optional values.

File: A configuration file may be specified via the init command line. To specify a file, use the -backend-config=PATH option when running terraform init. If the file contains secrets it may be kept in a secure data store, such as Vault, in which case it must be downloaded to the local disk before running Terraform.

Command-line key/value pairs: Key/value pairs can be specified via the init command line. Note that many shells retain command-line flags in a history file, so this isn't recommended for secrets. To specify a single key/value pair, use the -backend-config="KEY=VALUE" option when running terraform init.

External Services mode stores the majority of the stateful data used by the instance in an external PostgreSQL database and an external S3-compatible endpoint or Azure blob storage. There are still critical data stored on the instance that must be managed with snapshots. Be sure to check the PostgreSQL Requirements for information that needs to be present for Terraform Enterprise to work. This option is best for users with expertise managing PostgreSQL or users that have access to managed PostgreSQL offerings like AWS RDS.

The Transit engine supports the versioning of keys. Key versions that are earlier than a key's specified min_decryption_version gets archived, and the rest of the key versions belong to the working set. This is a performance consideration to keep key loading fast, as well as a security consideration: by disallowing decryption of old versions of keys, found ciphertext corresponding to obsolete (but sensitive) data can not be decrypted by most users, but in an emergency, the min_decryption_version can be moved back to allow for legitimate decryption.

Reference link:- https://www.vaultproject.io/docs/secrets/transit

Vault creates two default policies; root, and default.

The root policy cannot be deleted or modified.

The default policy is attached to all tokens, by default, however, this action can be modified if needed.

The auth enable command enables an auth method at a given path. If an auth method already exists at the given path, an error is returned.

Command to enable auth method vault auth followed by the name of the auth method.

Additional parameters can be included to specify the name of the mount.

vault login command would be issued to log in to Vault via CLI followed by the type of login.

For example, an LDAP login would use vault login method=ldap username=

To view the paths leading up to the secrets/apps/app1 path in the user interface, the user must have at least LIST permissions to avoid permission denied error in the UI.

Terraform is able to import existing infrastructure. This allows you to take resources you've created by some other means and bring it under Terraform management.

This is a great way to slowly transition infrastructure to Terraform or to be sure you're confident that you can use Terraform in the future if it currently doesn't support every AWS service or feature you need

today.

Anyone can develop and distribute their own Terraform providers. (See Writing Custom Providers for more about provider development.) These third-party providers must be manually installed, since terraform init cannot automatically download them.

https://www.terraform.io/docs/configuration/providers.html#third-party-plugins

Terraform can limit the number of concurrent operations as Terraform walks the graph using the -parallelism=n argument. The default value for this setting is 10. This setting might be helpful if you're running into API rate limits.

Sentinel is an embedded policy-as-code framework integrated with the HashiCorp Enterprise products. It enables fine-grained, logic-based policy decisions, and can be extended to use information from external sources.

Each time a new provider is added to configuration -- either explicitly via a provider block or by adding a resource from that provider -- Terraform must initialize the provider before it can be used. Initialization downloads and installs the provider's plugin so that it can later be executed.

index finds the element index for a given value in a list starting with index 0.

https://www.terraform.io/docs/configuration/functions/index.html

Check below link for details:- https://learn.hashicorp.com/vault/operations/ops-reference-architecture

The terraform workspace new command is used to create a new workspace. https://www.terraform.io/docs/commands/workspace/new.html

Namespaces are isolated environments that functionally exist as "Vaults within a Vault." They have separate login paths and support creating and managing data isolated to their namespace. This data includes the following:

- Secret Engines

- Auth Methods

- Policies

- Identities (Entities, Groups)

- Tokens

Reference link:- https://www.vaultproject.io/docs/enterprise/namespaces

Sentinel and Cost Estimation are both available in Terraform Cloud, though not at the free tier level.

The remote-exec provisioner invokes a script on a remote resource after it is created. The remote-exec provisioner supports both ssh and winrm type connections.

Multiple provider blocks can exist if a Terraform configuration is composed of multiple providers, which is a common situation. To add multiple providers in your configuration, declare the providers, and create resources associated with those providers.

It is important to consider that Terraform reads from data sources during the plan phase and writes the result into the plan. For something like a Vault token which has an explicit TTL, the apply must be run before the data, or token, in this case, expires, otherwise, Terraform will fail during the apply phase.

A terraform list is a sequence of values identified by consecutive whole numbers starting with zero.

https://www.terraform.io/docs/configuration/types.html#structural-types

Since Vault does not store any data, hence Vault transit secrets engine does not support update activity.

The /sys/leader endpoint is used to check the current leader of Vault as well as high availability status.

Providers are plugins released on a separate rhythm from Terraform itself, and so they have their own version numbers. For production use, you should constrain the acceptable provider version via configuration. This helps to ensure that new versions with potentially breaking changes will not be automatically installed by terraform init in the future.

For replication (port 8201), Vault generates a mutual TLS connection between nodes using self-generated certs/keys (this is different than the TLS you configure in the listener, which is particular to client requests)... server-to-server always uses this mutual TLS, even if you have TLS disabled on the listener.

Reference link:-

https://www.vaultproject.io/docs/configuration/listener/tcp

https://www.vaultproject.io/docs/concepts/ha

Vault secondary clusters must be manually promoted to a primary.

Sometimes there are dependencies between resources that are not visible to Terraform. The depends_on argument is accepted by any resource and accepts a list of resources to create explicit dependencies for.

A Terraform Enterprise install that is provisioned on a network that does not have Internet access is generally known as an air-gapped install. These types of installs require you to pull updates, providers, etc. from external sources vs. being able to download them directly.

The Identity secrets engine is the identity management solution for Vault. It internally maintains the clients who are recognized by Vault. This secrets engine will be mounted by default. This secrets engine cannot be disabled or moved.

Reference link:- https://www.vaultproject.io/docs/secrets/identity

Information on the default local backend can be found at this link.

Example:

terraform {

backend "local" {

path = "relative/path/to/terraform.tfstate"

}

}

By default, Terraform will clone and use the default branch (referenced by HEAD) in the selected repository. You can override this using the ref argument:

module "vpc" {source = "git::https://wpexpertsupport.com/vpc.git?ref=v1.2.0 "}

The value of the ref argument can be any reference that would be accepted by the git checkout command, including branch and tag names.

https://www.terraform.io/docs/modules/sources.html#selecting-a-revision

Note: (5/27/20) This QUESTION NO: has been recently updated to reflect documentation updates on the HashiCorp website. It seems they have removed the clustering-specific requirements and are now following the standard Enterprise operating system requirements.

Terraform Enterprise currently supports running under the following operating systems for a Clustered deployment:

- Ubuntu 16.04.3 - 16.04.5 / 18.04

- Red Hat Enterprise Linux 7.4 through 7.7

- CentOS 7.4 - 7.7

- Amazon Linux

- Oracle Linux

Clusters currently don't support other Linux variants.

https://www.terraform.io/docs/enterprise/before-installing/index.html#operating-system-requirements

The terraform refresh command is used to reconcile the state Terraform knows about (via its state file) with the real-world infrastructure. This can be used to detect any drift from the last-known state, and to update the state file.

This does not modify infrastructure but does modify the state file. If the state is changed, this may cause changes to occur during the next plan or apply.

https://www.terraform.io/docs/commands/refresh.html

Vault includes a feature called response wrapping. When requested, Vault can take the response it would have sent to an HTTP client and instead insert it into the cubbyhole of a single-use token, returning that single-use token instead.

Dev server mode stores its data in memory, therefore if the Vault service is shut down, any data stored will be lost. Additionally, dev server mode does not use TLS, and all data is sent in cleartext.

Interacting with Vault from Terraform causes any secrets that you read and write to be persisted in both Terraform's state file and in any generated plan files. For any Terraform module that reads or writes Vault secrets, these files should be treated as sensitive and protected accordingly.

Environment variables can be used to set variables. The environment variables must be in the format TF_VAR_name and this will be checked last for a value. For example:

export TF_VAR_region=us-west-1

export TF_VAR_ami=ami-049d8641

export TF_VAR_alist='[1,2,3]'

export TF_VAR_amap='{ foo = "bar", baz = "qux" }'

https://www.terraform.io/docs/commands/environment-variables.html

The command format for enabling Vault features is vault , therefore the correct answer would be vault secrets enable aws

If you are already using Terraform to manage infrastructure, you probably want to transfer to another backend, such as Terraform Cloud, so you can continue managing it. By migrating your Terraform state, you can hand off infrastructure without de-provisioning anything.

Lists are defined with [ ], maps are defined with { }.

https://www.terraform.io/docs/configuration/types.html#structural-types

It implies that there is a syntax error in the configuration file. The exact location of the error in the file can be identified in the error message

Storage backends are not trusted by Vault and are only expected to render durability. The storage backend is configured when starting the Vault server.

Reference link:- https://www.vaultproject.io/docs/internals/architecture

Terraform has detailed logs that can be enabled by setting the TF_LOG environment variable to any value. This will cause detailed logs to appear on stderr.

You can set TF_LOG to one of the log levels TRACE, DEBUG, INFO, WARN, or ERROR to change the verbosity of the logs. TRACE is the most verbose and it is the default if TF_LOG is set to something other than a log level name.

https://www.terraform.io/docs/internals/debugging.html

The terraform init command is used to initialize a working directory containing Terraform configuration files. This is the first command that should be run after writing a new Terraform configuration or cloning an existing one from version control. It is safe to run this command multiple times.

After initializing, Vault provides the root token to the user, this is the only way to log in to Vault to configure additional auth methods.

The .gitignore file should be configured to ignore Terraform files that either contain sensitive data or aren't required to save.

The terraform.tfstate file contains the terraform state of a specific environment and doesn't need to be preserved in a repo. The terraform.tfvars file may contain sensitive data, such as passwords or IP addresses of an environment that you may not want to share with others.

The kv enable-versioning command turns on versioning for an existing non-versioned key/value secrets engine (K/V Version 1) at its path.

Reference link:- https://www.vaultproject.io/docs/commands/kv/enable-versioning

Terraform destroy will always prompt for confirmation before executing unless passed the -auto-approve flag.

$ terraform destroy

Do you really want to destroy all resources?

Terraform will destroy all your managed infrastructure, as shown above.

There is no undo. Only 'yes' will be accepted to confirm.

Enter a value:

A workspace can only be configured to a single VCS repo, however, multiple workspaces can use the same repo, if needed. A good Explanation: of how to configure your code repositories can be found here.

github is not a supported backend type.

https://www.terraform.io/docs/backends/types/index.html

To browse Vault paths in the UI, the user must have list permissions on the mount and the paths leading up to the secret.

The system max TTL, which is 32 days but can be changed in Vault's configuration file.

The max TTL set on a mount using mount tuning. This value is allowed to override the system max TTL -- it can be longer or shorter, and if set this value will be respected.

A value suggested by the auth method that issued the token. This might be configured on a per-role, per-group, or per-user basis. This value is allowed to be less than the mount max TTL (or, if not set, the system max TTL), but it is not allowed to be longer.

Reference link:- https://www.vaultproject.io/docs/concepts/tokens