All backend system functions stored in the sys/ backend.

The system backend is a default backend in Vault that is mounted at the /sys endpoint. This endpoint cannot be disabled or moved, and is used to configure Vault and interact with many of Vault's internal features.

The encryption key used to encrypt the plaintext is regarded as a data key. This data key needs to be protected so that your encrypted data cannot be decrypted comfortably by an unauthorized party. In this case, data has been encrypted by specifying the keyring name creditcard.

If you are new to infrastructure as code as a concept, it is the process of managing infrastructure in a file or files rather than manually configuring resources in a user interface. A resource in this instance is any piece of infrastructure in a given environment, such as a virtual machine, security group, network interface, etc.

At a high level, Terraform allows operators to use HCL to author files containing definitions of their desired resources on almost any provider (AWS, GCP, GitHub, Docker, etc) and automates the creation of those resources at the time of application.

The ideal method for a machine to machine authentication is AppRole although it's not the only method. The other options are frequently reserved for human access.

Reference link:- https://www.hashicorp.com/blog/authenticating-applications-with-vault-approle/

The special terraform configuration block type is used to configure some behaviors of Terraform itself, such as requiring a minimum Terraform version to apply your configuration.

"Deny" capability generally takes precedence over "allow" capability.

Therefore, if you add the correct deny statement, the user will be able to read all secrets except for the data stored at secret/apps/confidential

The -prefix flag treats the ID as a prefix instead of an exact lease ID. This can revoke multiple leases simultaneously.

All plaintext data must be base64-encoded. The reason for this requirement is that Vault does not require that the plaintext is "text". It could be a binary file such as a PDF or image. The easiest safe transport mechanism for this data as part of a JSON payload is to base64-encode it.

Reference link:- https://learn.hashicorp.com/vault/encryption-as-a-service/eaas-transit

A provider is responsible for understanding API interactions and exposing resources. Providers generally are an IaaS (e.g., Alibaba Cloud, AWS, GCP, Microsoft Azure, OpenStack), PaaS (e.g., Heroku), or SaaS services (e.g., Terraform Cloud, DNSimple, CloudFlare).

After initializing, Vault provides the root token to the user, this is the only way to log in to Vault to configure additional auth methods.

The Vault provider allows Terraform to read from, write to, and configure Harshicorp Vault.

If a resource successfully creates but fails during provisioning, Terraform will error and mark the resource as "tainted". A resource that is tainted has been physically created, but can't be considered safe to use since provisioning failed.

Terraform also does not automatically roll back and destroy the resource during the apply when the failure happens, because that would go against the execution plan: the execution plan would've said a resource will be created, but does not say it will ever be deleted.

This endpoint returns high-quality random bytes of the specified length.

The plugin directory is a configuration option of Vault, and can be specified in the configuration file. This setting specifies a directory in which all plugin binaries must live; this value cannot be a symbolic link. A plugin can not be added to Vault unless it exists in the plugin directory. There is no default for this configuration option, and if it is not set plugins can not be added to Vault.

Reference link:- https://www.vaultproject.io/docs/internals/plugins

Information on the default local backend can be found at this link.

Example:

terraform {

backend "local" {

path = "relative/path/to/terraform.tfstate"

}

}

To extend Vault beyond a data center or cloud regional boundary, replication can be used. Vault supports both DR replication and Performance replication to copy data from the primary cluster to a secondary cluster safely.

If you're running Vault in a non-prod environment, you can configure Vault to disable TLS.

In this case, TLS has been disabled but the default value for VAULT_ADDR is https://127.0.0.1:8200, therefore Vault is sending the request over HTTPS but Vault is responding using HTTP since TLS is disabled.

To handle this error, set the VAULT_ADDR environment variable to "http://127.0.0.1:8200 ".

The /sys/leader endpoint is used to check the current leader of Vault as well as high availability status.

The terraform workspace select command is used to choose a different workspace to use for further operations. https://www.terraform.io/docs/commands/workspace/select.html

Wildcards and path segments can be used to allow access to a broader set of secrets rather than having to call out each individual secret itself. None of the other policies will allow a client to actually read the data stored at the path secrets/applications/app01/api_key

Sometimes there are dependencies between resources that are not visible to Terraform. The depends_on argument is accepted by any resource and accepts a list of resources to create explicit dependencies for.

All interactions with Vault are done through its pathing structure. If you create a policy with a wildcard, you are giving them access to any path within Vault

For local state, Terraform stores the workspace states in a directory called terraform.tfstate.d.

https://www.terraform.io/docs/state/workspaces.html#workspace-internals

The terraform taint command manually marks a Terraform-managed resource as tainted, forcing it to be destroyed and recreated on the next apply. This command will not modify infrastructure but does modify the state file in order to mark a resource as tainted. Once a resource is marked as tainted, the next plan will show that the resource will be destroyed and recreated. The next terraform apply will

implement this change.

Vault doesn't store the data sent to the secrets engine.

The transit secrets engine handles cryptographic functions on data-in-transit. It can also be viewed as "cryptography as a service" or "encryption as a service". The transit secrets engine can also sign and verify data; generate hashes and HMACs of data; and act as a source of random bytes.

Reference links:-

https://learn.hashicorp.com/vault/day-one/monitor-replication

https://www.vaultproject.io/docs/internals/replication

Terraform is available for macOS, FreeBSD, OpenBSD, Linux, Solaris, Windows

https://www.terraform.io/downloads.html