HashiCorp VA-002-P HashiCorp Certified: Vault Associate Exam Practice Test

This endpoint returns high-quality random bytes of the specified length.

By default, Terraform will clone and use the default branch (referenced by HEAD) in the selected repository. You can override this using the ref argument:

module "vpc" {source = "git::https://wpexpertsupport.com/vpc.git?ref=v1.2.0 "}

The value of the ref argument can be any reference that would be accepted by the git checkout command, including branch and tag names.

https://www.terraform.io/docs/modules/sources.html#selecting-a-revision

count is a reserved word. The count parameter on resources can simplify configurations and let you scale resources by simply incrementing a number.

https://www.terraform.io/intro/examples/count.html

Multiple provider blocks can exist if a Terraform configuration is composed of multiple providers, which is a common situation. To add multiple providers in your configuration, declare the providers, and create resources associated with those providers.

The current implementation of Terraform import can only import resources into the state. It does not generate a configuration. Because of this, and prior to running terraform import, it is necessary to manually write a resource configuration block for the resource to which the imported object will be mapped.

First, add the resources to the configuration file:

resource "aws_instance" "example" {

# ...instance configuration...

}

Then run the following command:

$ terraform import aws_instance.example i-abcd1234

Terraform requires some sort of database to map Terraform config to the real world. When you have a resource in your configuration, Terraform uses this map to know how that resource is represented. Therefore, to map configuration to resources in the real world, Terraform uses its own state structure.

Terraform Cloud supports the following VCS providers:

- GitHub

- GitHub.com (OAuth)

- GitHub Enterprise

- GitLab.com

- GitLab EE and CE

- Bitbucket Cloud

- Bitbucket Server

- Azure DevOps Server

- Azure DevOps Services

https://www.terraform.io/docs/cloud/vcs/index.html#supported-vcs-providers

Terraform is able to import existing infrastructure. This allows you to take resources you've created by some other means and bring it under Terraform management.

This is a great way to slowly transition infrastructure to Terraform or to be sure you're confident that you can use Terraform in the future if it currently doesn't support every AWS service or feature you need

today.

Within each datacenter, we have a mixture of clients and servers. It is expected that there be between three to five servers. This strikes a balance between availability in the case of failure and performance, as consensus gets progressively slower as more machines are added. However, there is no limit to the number of clients, and they can easily scale into the thousands or tens of thousands.

Server or Leader - It indicates whether the agent is running in server or client mode. Server nodes participate in the consensus quorum, storing cluster state, and handling queries. At any given time, the peer set elects a single node to be the leader. The leader is responsible for ingesting new log entries, replicating to followers, and managing when an entry is considered committed.

Client or Follower - Client nodes make up the majority of the cluster, and they are very lightweight as they interface with the server nodes for most operations and maintain a very little state of their own.

Reference link:- https://www.consul.io/docs/internals/architecture.html

Terraform has detailed logs that can be enabled by setting the TF_LOG environment variable to any value. This will cause detailed logs to appear on stderr.

You can set TF_LOG to one of the log levels TRACE, DEBUG, INFO, WARN, or ERROR to change the verbosity of the logs. TRACE is the most verbose and it is the default if TF_LOG is set to something other than a log level name.

The -prefix flag treats the ID as a prefix instead of an exact lease ID. This can revoke multiple leases simultaneously.

Everything in the Vault is path-based, and policies are no exception. Policies provide a declarative way to grant or forbid access to certain paths and operations in Vault.

The policy template makes it very flexible to customize the environment. By using parameters within your template, you can have Vault "insert" a value into the path based upon things like identity values, group membership, and metadata associated with either the user's identity or group they are a member of.

Using the parameter, the path user-kv/data/{{identity.entity.name}}/* converts to user-kv/data/student01/*

Everything in Vault is path-based including policies. Policies provide a declarative way to grant or forbid access to certain paths and operations in Vault.

Policies are deny by default, so an empty policy grants no permission in the system.

The terraform apply command is used to apply the changes required to reach the desired state of the configuration, or the pre-determined set of actions generated by a terraform plan execution plan.

storage backend and HTTP API are outside of the security barrier hence can't be protected.

The remote-exec provisioner invokes a script on a remote resource after it is created. The remote-exec provisioner supports both ssh and winrm type connections.

The ideal method for a machine to machine authentication is AppRole although it's not the only method. The other options are frequently reserved for human access.

Reference link:- https://www.hashicorp.com/blog/authenticating-applications-with-vault-approle/

A dynamic block acts much like a for expression but produces nested blocks instead of a complex typed value. It iterates over a given complex value and generates a nested block for each element of that complex value.

Dev server mode stores its data in memory, therefore if the Vault service is shut down, any data stored will be lost. Additionally, dev server mode does not use TLS, and all data is sent in cleartext.

HashiCorp style conventions suggest you that align the equals sign for consecutive arguments for easing readability for configurations

ami = "abc123"

instance_type = "t2.micro"

The terraform console command provides an interactive console for evaluating expressions.

https://www.terraform.io/docs/commands/console.html

Sentinel and Cost Estimation are both available in Terraform Cloud, though not at the free tier level.

Interacting with Vault from Terraform causes any secrets that you read and write to be persisted in both Terraform's state file and in any generated plan files. For any Terraform module that reads or writes Vault secrets, these files should be treated as sensitive and protected accordingly.

Non-root tokens are associated with a TTL, which determines how long a token is valid. Root tokens are not associated with a TTL, and therefore, do not expire.

Root tokens are tokens that have the root policy attached to them. They are the only type of token within Vault that are not associated with a TTL, and therefore, do not expire.

Vault doesn't store the data sent to the secrets engine.

The transit secrets engine handles cryptographic functions on data-in-transit. It can also be viewed as "cryptography as a service" or "encryption as a service". The transit secrets engine can also sign and verify data; generate hashes and HMACs of data; and act as a source of random bytes.

Reference link:- https://www.vaultproject.io/docs/secrets/transit

The terraform fmt command is used to rewrite Terraform configuration files to a canonical format and style. This command applies a subset of the Terraform language style conventions, along with other minor adjustments for readability.

Other Terraform commands that generate Terraform configuration will produce configuration files that conform to the style imposed by terraform fmt, so using this style in your own files will ensure consistency.

Providers are plugins released on a separate rhythm from Terraform itself, and so they have their own version numbers. For production use, you should constrain the acceptable provider version via configuration. This helps to ensure that new versions with potentially breaking changes will not be automatically installed by terraform init in the future.

Environment variables can be used to set variables. The environment variables must be in the format TF_VAR_name and this will be checked last for a value. For example:

export TF_VAR_region=us-west-1

export TF_VAR_ami=ami-049d8641

export TF_VAR_alist='[1,2,3]'

export TF_VAR_amap='{ foo = "bar", baz = "qux" }'

https://www.terraform.io/docs/commands/environment-variables.html

Terraform state can contain sensitive data, depending on the resources in use and your definition of "sensitive." The state contains resource IDs and all resource attributes. For resources such as databases, this may contain initial passwords.

When using local state, state is stored in plain-text JSON files.

If you manage any sensitive data with Terraform (like database passwords, user passwords, or private keys), treat the state itself as sensitive data.

Storing Terraform state remotely can provide better security. As of Terraform 0.9, Terraform does not persist state to the local disk when remote state is in use, and some backends can be configured to encrypt the state data at rest.

The Cubbyhole secret engine is a default secrets engine that is enabled by default for each Vault user.