VA-002-P Questions and Answers

Anyone can develop and distribute their own Terraform providers. (See Writing Custom Providers for more about provider development.) These third-party providers must be manually installed, since terraform init cannot automatically download them.

https://www.terraform.io/docs/configuration/providers.html#third-party-plugins

By default, the state file is stored in a local file named "terraform.tfstate", but it can also be stored remotely, which works better in a team environment.

Namespaces are isolated environments that functionally exist as "Vaults within a Vault." They have separate login paths and support creating and managing data isolated to their namespace. This data includes the following:

- Secret Engines

- Auth Methods

- Policies

- Identities (Entities, Groups)

- Tokens

Reference link:- https://www.vaultproject.io/docs/enterprise/namespaces

By default, Vault uses port 8200 for its API and UI.

8201 is used for the cluster to cluster communication,

8300 is used for Consul Server RPC,

8500 is used for the Consul interface,

8600 is used for Consul DNS,

and 8301 is used for its LAN gossip protocol.

When you send data to Vault for encryption, it must be in the form of base64-encoded plaintext for safe transport.

A dynamic block acts much like a for expression but produces nested blocks instead of a complex typed value. It iterates over a given complex value and generates a nested block for each element of that complex value.

Vault secrets engines are used to store, generate, or encrypt data.

The KV secrets engine can store data, AWS can generate credentials, and the transit secret engine can encrypt data.

The local-exec provisioner invokes a local executable after a resource is created. This invokes a process on the machine running Terraform, not on the resource.

Note that even though the resource will be fully created when the provisioner is run, there is no guarantee that it will be in an operable state - for example, system services such as sshd may not be started yet on compute resources.

To extend Vault beyond a data center or cloud regional boundary, replication can be used. Vault supports both DR replication and Performance replication to copy data from the primary cluster to a secondary cluster safely.

The remote-exec provisioner invokes a script on a remote resource after it is created. The remote-exec provisioner supports both ssh and winrm type connections.

All interactions with Vault are done through its pathing structure. If you create a policy with a wildcard, you are giving them access to any path within Vault

The plugin directory is a configuration option of Vault, and can be specified in the configuration file. This setting specifies a directory in which all plugin binaries must live; this value cannot be a symbolic link. A plugin can not be added to Vault unless it exists in the plugin directory. There is no default for this configuration option, and if it is not set plugins can not be added to Vault.

Reference link:- https://www.vaultproject.io/docs/internals/plugins

After authenticating, a client is issued a security token which is associated with a policy. That token is used to make a subsequent request to Vault, such as read, write, etc.

It implies that there is a syntax error in the configuration file. The exact location of the error in the file can be identified in the error message

If you're running Vault in a non-prod environment, you can configure Vault to disable TLS.

In this case, TLS has been disabled but the default value for VAULT_ADDR is https://127.0.0.1:8200, therefore Vault is sending the request over HTTPS but Vault is responding using HTTP since TLS is disabled.

To handle this error, set the VAULT_ADDR environment variable to "http://127.0.0.1:8200 ".

After initializing, Vault provides the root token to the user, this is the only way to log in to Vault to configure additional auth methods.

HashiCorp style conventions state that you should use 2 spaces between each nesting level to improve the readability of Terraform configurations.

When reading a dynamic secret, such as via vault read, Vault always returns a lease_id. This is the ID used with commands such as vault lease renew and vault lease revoke to manage the lease of the secret.

vault lease lookup

Usage: vault lease [options] [args]

This command groups subcommands for interacting with leases. Users can revoke or renew leases.

Renew a lease:

$ vault lease renew database/creds/readonly/2f6a614c...

Revoke a lease:

$ vault lease revoke database/creds/readonly/2f6a614c...

Subcommands:

renew Renews the lease of a secret

revoke Revokes leases and secrets

Reference link:- https://www.vaultproject.io/docs/concepts/lease

Vault supports AWS, Azure, Google Cloud, and Alibaba Cloud out of the box for secrets engines

Replication is not available in open-source versions of Vault. It is an enterprise feature.

Vault creates two default policies; root, and default.

The root policy cannot be deleted or modified.

The default policy is attached to all tokens, by default, however, this action can be modified if needed.

Input variables serve as parameters for a Terraform module, allowing aspects of the module to be customized without altering the module's own source code, and allowing modules to be shared between different configurations.

The /sys/leader endpoint is used to check the current leader of Vault as well as high availability status.

Terraform supports the #, //, and /*..*/ for commenting Terraform configuration files. Please use them when writing Terraform so both you and others who are using your code have a full understanding of what the code is intended to do.

https://www.terraform.io/docs/configuration/syntax.html#comments

Just to clarify, "HashiCorp supported" means, it is supported by HashiCorp's technical support, it doesn't mean that Vault supports the platform as a storage backend.

For example, DynamoDB is a valid storage backend, but it is not officially supported by HashiCorp technical support but it has got the community support.

In-Memory - HashiCorp Supported

MySQL - Community Supported

Raft - HashiCorp Supported

Dynamo DB - Community Supported

Consul - HashiCorp Supported

Filesystem - HashiCorp Supported

Check more details on below link:- https://www.vaultproject.io/docs/configuration/storage/in-memory