[Q91-Q116] Get up-to-date Real Exam Questions for VA-002-P UPDATED [2022]


NEW QUESTION 91
What are the benefits of using Infrastructure as Code? (select five)

  • A. Infrastructure as Code provides configuration consistency and standardization among deployments
  • B. Infrastructure as Code easily replaces development languages such as Go and .Net for application development
  • C. Infrastructure as Code gives the user the ability to recreate an application's infrastructure for disaster recovery scenarios
  • D. Infrastructure as Code is relatively simple to learn and write, regardless of a user's prior experience with developing code
  • E. Infrastructure as Code allows a user to turn a manual task into a simple, automated deployment
  • F. Infrastructure as Code is easily repeatable, allowing the user to reuse code to deploy similar, yet different resources

Answer: A,C,D,E,F

Explanation:
If you are new to infrastructure as code as a concept, it is the process of managing infrastructure in a file or files rather than manually configuring resources in a user interface. A resource in this instance is any piece of infrastructure in a given environment, such as a virtual machine, security group, network interface, etc.
At a high level, Terraform allows operators to use HCL to author files containing definitions of their desired resources on almost any provider (AWS, GCP, GitHub, Docker, etc) and automates the creation of those resources at the time of application.

 

NEW QUESTION 92
While Terraform is generally written using the HashiCorp Configuration Language (HCL), what other syntax can Terraform be expressed in?

  • A. JSON
  • B. XML
  • C. TypeScript
  • D. YAML

Answer: A

Explanation:
The constructs in the Terraform language can also be expressed in JSON syntax, which is harder for humans to read and edit but easier to generate and parse programmatically.

 

NEW QUESTION 93
Provider dependencies are created in several different ways. Select the valid provider dependencies from the following list: (select three)

  • A. Use of any resource belonging to a particular provider in a resource or data block in the configuration.
  • B. Existence of any provider plugins found locally in the working directory.
  • C. Existence of any resource instance belonging to a particular provider in the current state.
  • D. Explicit use of a provider block in configuration, optionally including a version constraint.

Answer: A,C,D

Explanation:
The existence of a provider plugin found locally in the working directory does not itself create a provider dependency. The plugin can exist without any reference to it in the terraform configuration.
https://www.terraform.io/docs/commands/providers.html

 

NEW QUESTION 94
True or False: You can migrate the Terraform backend but only if there are no resources currently being managed.

  • A. True
  • B. False

Answer: B

Explanation:
If you are already using Terraform to manage infrastructure, you probably want to transfer to another backend, such as Terraform Cloud, so you can continue managing it. By migrating your Terraform state, you can hand off infrastructure without de-provisioning anything.

 

NEW QUESTION 95
True or False:
When using the transit secrets engine, setting the min_decryption_version will determine the minimum key length of the data key (i.e., 2048, 4096, etc.)

  • A. True
  • B. False

Answer: B

Explanation:
The Transit engine supports the versioning of keys. Key versions that are earlier than a key's specified min_decryption_version get archived, and the rest of the key versions belong to the working set. This is a performance consideration to keep key loading fast, as well as a security consideration: by disallowing decryption of old versions of keys, found ciphertext corresponding to obsolete (but sensitive) data cannot be decrypted by most users, but in an emergency, the min_decryption_version can be moved back to allow for legitimate decryption.
Reference link:- https://www.vaultproject.io/docs/secrets/transit

 

NEW QUESTION 96
You've logged into the Vault CLI and attempted to enable an auth method, but received this error message. What can be done to resolve the error and configure Vault?
Error enabling userpass auth: Post https://127.0.0.1:8200/v1/sys/auth/userpass: http: server gave HTTP response to HTTPS client

  • A. ask an admin to grant you permission to enable the userpass auth method
  • B. set the VAULT_ADDR environment variable to HTTP
  • C. change 'userpass' to 'username and password'
  • D. restart the Vault service on this node

Answer: B

Explanation:
If you're running Vault in a non-prod environment, you can configure Vault to disable TLS.
In this case, TLS has been disabled but the default value for VAULT_ADDR is https://127.0.0.1:8200, so the Vault CLI sends the request over HTTPS while the Vault server responds over HTTP because TLS is disabled.
To handle this error, set the VAULT_ADDR environment variable to "http://127.0.0.1:8200".

 

NEW QUESTION 97
When multiple engineers start deploying infrastructure using the same state file, what is a feature of remote state storage that is critical to ensure the state does not become corrupt?

  • A. object storage
  • B. workspaces
  • C. state locking
  • D. encryption

Answer: C

Explanation:
If supported by your backend, Terraform will lock your state for all operations that could write state. This prevents others from acquiring the lock and potentially corrupting your state.
State locking happens automatically on all operations that could write state. You won't see any message that it is happening. If state locking fails, Terraform will not continue. You can disable state locking for most commands with the -lock flag but it is not recommended.

 

NEW QUESTION 98
Which of the following is considered a Terraform plugin?

  • A. Terraform tooling
  • B. Terraform logic
  • C. Terraform provider
  • D. Terraform language

Answer: C

Explanation:
Terraform is built on a plugin-based architecture. All providers and provisioners that are used in Terraform configurations are plugins, even the core types such as AWS and Heroku. Users of Terraform are able to write new plugins in order to support new functionality in Terraform.

 

NEW QUESTION 99
After executing a terraform apply, you notice that a resource has a tilde (~) next to it. What does this indicate?

  • A. the resource will be created
  • B. the resource will be updated in place
  • C. Terraform can't determine how to proceed due to a problem with the state file
  • D. the resource will be destroyed and recreated

Answer: B

Explanation:
The prefix -/+ means that Terraform will destroy and recreate the resource, rather than updating it in-place. Some attributes and resources can be updated in-place and are shown with the ~ prefix.

 

NEW QUESTION 100
True or False:
Once you create a KV v1 secrets engine and place data in it, there is no way to modify the mount to include the features of a KV v2 secrets engine.

  • A. True
  • B. False

Answer: B

Explanation:
The kv enable-versioning command turns on versioning for an existing non-versioned key/value secrets engine (K/V Version 1) at its path.
Reference link:- https://www.vaultproject.io/docs/commands/kv/enable-versioning

 

NEW QUESTION 101
By default, where does Terraform store its state file?

  • A. remotely using Terraform Cloud
  • B. shared directory
  • C. current working directory
  • D. Amazon S3 bucket

Answer: C

Explanation:
By default, the state file is stored in a local file named "terraform.tfstate", but it can also be stored remotely, which works better in a team environment.

 

NEW QUESTION 102
Given the policy below, what would the user be able to access?
path "*" {
  capabilities = ["create", "update", "read", "list", "delete", "sudo"]
}

  • A. ability to enable a secret engine at the path *
  • B. only make changes to policies
  • C. nothing, since the policy doesn't specify any specific paths
  • D. anything they want to within Vault

Answer: D

Explanation:
All interactions with Vault are done through its pathing structure. If you create a policy with a wildcard path, you are giving anyone assigned that policy access to any path within Vault.

 

NEW QUESTION 103
Which of the following statements best describes the Terraform list(...) type?

  • A. a collection of values where each is identified by a string label.
  • B. a sequence of values identified by consecutive whole numbers starting with zero.
  • C. a collection of named attributes that each have their own type.
  • D. a collection of unique values that do not have any secondary identifiers or ordering.

Answer: B

Explanation:
A Terraform list is a sequence of values identified by consecutive whole numbers starting with zero.
https://www.terraform.io/docs/configuration/types.html#structural-types

 

NEW QUESTION 104
What is the Consul Agent?

  • A. an agent that runs in the background to provide additional features for Consul
  • B. a process that registers services with Consul
  • C. the core process of Consul which maintains membership information, manages services, runs checks, responds to queries, and more.
  • D. a daemon that Vault uses to register auth methods across all of its clusters to ensure consistency among the data written to disk

Answer: C

Explanation:
The Consul agent is the core Consul process that runs the Consul service. Everything Consul does is the result of the Consul agent, which can run in either server or client mode.
Reference link:- https://www.consul.io/docs/agent

 

NEW QUESTION 105
When architecting a Vault replication configuration, why should you never terminate TLS on a front-end load balancer?

  • A. If Vault detects that the traffic has been unencrypted and re-encrypted, due to the load balancer, it will automatically drop the traffic as it is no longer trusted.
  • B. Vault requires that only Consul service discovery can be used to direct traffic to an active Vault node.
  • C. Vault generates self-signed mutual TLS for replication. If the LB is performing TLS termination, this will break the mutual TLS between nodes.
  • D. Vault replication won't work with the type of certificates that a traditional load balancer uses.

Answer: C

Explanation:
For replication (port 8201), Vault generates a mutual TLS connection between nodes using self-generated certs/keys (this is different than the TLS you configure in the listener, which is particular to client requests)... server-to-server always uses this mutual TLS, even if you have TLS disabled on the listener.
Reference link:-
https://www.vaultproject.io/docs/configuration/listener/tcp
https://www.vaultproject.io/docs/concepts/ha

 

NEW QUESTION 106
A user has created three workspaces using the command line - prod, dev, and test. The user wants to create a fourth workspace named stage. Which command will the user execute to accomplish this?

  • A. terraform workspace -new stage
  • B. terraform workspace -create stage
  • C. terraform workspace create stage
  • D. terraform workspace new stage

Answer: D

Explanation:
The terraform workspace new command is used to create a new workspace. https://www.terraform.io/docs/commands/workspace/new.html

 

NEW QUESTION 107
In regards to the transit secrets engine, which of the following is true given the following command and output: (select three)
$ vault write encryption/encrypt/creditcard plaintext=$(base64 <<< "1234 5678 9101 1121")
Key           Value
---           -----
ciphertext    vault:v3:cZNHVx+sxdMErXRSuDa1q/pz49fXTn1PScKfhf+PIZPvy8xKfkytpwKcbC0fF2U=

  • A. the transit secrets engine is mounted at the encryption path
  • B. there are at least three data keys associated with this keyring
  • C. the data was written to the encryption path, which is provided by default when enabling the transit secrets engine
  • D. the name of the keyring used to encrypt the data is creditcard

Answer: A,B,D

Explanation:
The encryption key used to encrypt the plaintext is regarded as a data key. This data key needs to be protected so that your encrypted data cannot be easily decrypted by an unauthorized party. In this case, data has been encrypted by specifying the keyring name creditcard.

 

NEW QUESTION 108
When using constraint expressions to signify a version of a provider, which of the following are valid provider versions that satisfy the expression found in the following code snippet: (select two)
terraform {
  required_providers {
    aws = "~> 1.2.0"
  }
}

  • A. 1.2.9
  • B. 1.3.0
  • C. 1.3.1
  • D. 1.2.3

Answer: A,D

Explanation:
~> 1.2.0 will match any non-beta version of the provider between >= 1.2.0 and < 1.3.0. For example, 1.2.X
https://www.terraform.io/docs/configuration/modules.html#gt-1-2-0-1

 

NEW QUESTION 109
In regards to the Terraform state file, select all the statements below which are correct: (select four)

  • A. storing state remotely can provide better security
  • B. the Terraform state can contain sensitive data, therefore the state file should be protected from unauthorized access
  • C. when using local state, the state file is stored in plain-text
  • D. the state file is always encrypted at rest
  • E. Terraform Cloud always encrypts state at rest
  • F. using the mask feature, you can instruct Terraform to mask sensitive data in the state file

Answer: A,B,C,E

Explanation:
Terraform state can contain sensitive data, depending on the resources in use and your definition of "sensitive." The state contains resource IDs and all resource attributes. For resources such as databases, this may contain initial passwords.
When using local state, state is stored in plain-text JSON files.
If you manage any sensitive data with Terraform (like database passwords, user passwords, or private keys), treat the state itself as sensitive data.
Storing Terraform state remotely can provide better security. As of Terraform 0.9, Terraform does not persist state to the local disk when remote state is in use, and some backends can be configured to encrypt the state data at rest.

 

NEW QUESTION 110
After encrypting data using the transit secrets engine, you've received the following output. Which of the following is true based upon the output?
Key           Value
---           -----
ciphertext    vault:v2:45f9zW6cglbrzCjI0yCyC6DBYtSBSxnMgUn9B5aHcGEit71xefPEmmjMbrk3

  • A. similar to the KV secrets engine, the transit secrets engine was enabled using the transit v2 option
  • B. this is the second version of the encrypted data
  • C. the original encryption key has been rotated at least once
  • D. the data is stored in Vault using a KV v2 secrets engine

Answer: C

Explanation:
When data is encrypted using Vault, the resulting ciphertext is prepended by the version of the key used to encrypt it. In this case, the version is v2, which means that the encryption key was rotated at least one time. Any data that was encrypted with the original key would have been prepended with vault:v1.
To rotate a key, use the command vault write -f transit/keys/<key name>/rotate
Reference link:- https://learn.hashicorp.com/vault/encryption-as-a-service/eaas-transit

 

NEW QUESTION 111
Select all Operating Systems that Terraform is available for. (select five)

  • A. Unix
  • B. FreeBSD
  • C. Windows
  • D. Solaris
  • E. Linux
  • F. macOS

Answer: B,C,D,E,F

Explanation:
Terraform is available for macOS, FreeBSD, OpenBSD, Linux, Solaris, Windows
https://www.terraform.io/downloads.html

 

NEW QUESTION 112
You've hit the URL for the Vault UI, but you're presented with this screen. Why doesn't Vault present you with a way to log in?

  • A. vault needs to be initialized before it can be used
  • B. the vault configuration file has an incorrect configuration
  • C. the consul storage backend was not configured correctly
  • D. a vault policy is preventing you from logging in

Answer: A

Explanation:
Before Vault can be used, it must be initialized and unsealed. This screen indicates that Vault has not been initialized yet and is offering you a way to do so.

 

NEW QUESTION 113
In regards to using a K/V v2 secrets engine, select the three correct statements below: (select three)

  • A. issuing a vault kv destroy statement deletes all versions of a secret
  • B. issuing a vault kv delete statement performs a soft delete
  • C. issuing a vault kv destroy statement permanently deletes a single version of a secret
  • D. issuing a vault kv delete statement permanently deletes the secret
  • E. issuing a vault kv metadata delete statement permanently deletes the secret

Answer: B,C,E

Explanation:
The kv delete command is like a soft delete which deletes the data for the provided path in the key/value secrets engine. If using K/V Version 2, its versioned data will not be fully removed, but marked as deleted and will no longer be available for normal get requests.
The kv destroy command permanently removes the specified versions' data from the key/value secrets engine. If no key exists at the path, no action is taken. It does not delete all versions of a secret.
The kv metadata delete command deletes all versions and metadata for the provided key.

 

NEW QUESTION 114
Using the Vault CLI, what command is used to authenticate to Vault?

  • A. vault login
  • B. vault auth
  • C. vault user
  • D. vault creds

Answer: A

Explanation:
The vault login command is issued to log in to Vault via the CLI, followed by the type of login.
For example, an LDAP login would use vault login -method=ldap username=<user>

 

NEW QUESTION 115
Which of the following variable declarations is going to result in an error?

  • A. variable "example" {
    description = "This is a test"
    type = map
    default = {"one" = 1, "two" = 2, "Three" = "3"}
    }
  • B. variable "example" {
    description = "This is a variable description"
    type = list(string)
    default = {}
    }
  • C. variable "example" {
    type = object({})
    }
  • D. variable "example" {}

Answer: D

Explanation:
Lists are defined with [ ], maps are defined with { }.
https://www.terraform.io/docs/configuration/types.html#structural-types

 

NEW QUESTION 116
......


HashiCorp VA-002-P Exam Syllabus Topics:

Topic | Details
Topic 1
  • Describe secrets caching
  • Configure Vault policies
  • Explain orphaned tokens
  • Configure Vault policies
Topic 2
  • Differentiate human vs. system auth methods
  • Configure environment variables
  • Configure authentication methods
Topic 3
  • Be aware of identities and groups
  • Describe root token uses and lifecycle
  • Compare and configure Vault secrets engines
Topic 4
  • Access Vault secrets via Curl
  • Manage Vault leases
  • Define token accessors
  • Create Vault policies
Topic 5
  • Explain encryption as a service
  • Explain response wrapping
  • Explain Vault architecture
  • Authenticate to Vault
Topic 6
  • Describe Shamir secret sharing and unsealing
  • Craft a Vault policy based on requirements
  • Describe Vault policy syntax: capabilities
Topic 7
  • Describe the encryption of data stored by Vault
  • Contrast dynamic secrets vs. static secrets and their use cases
Topic 8
  • Create tokens based on need
  • Explain the purpose of a lease ID
  • Authenticate to Vault via Curl
Topic 9
  • Explain the value of short-lived, dynamically generated secrets
  • Choose an authentication method based on use case
Topic 10
  • Configure transit secret engine
  • Compare authentication methods
  • Illustrate the value of Vault policy

 
