Bird
Raised Fist0
Terraformcloud~20 mins

Secret management integration (Vault, Secrets Manager) in Terraform - Practice Problems & Coding Challenges

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Challenge - 5 Problems
🎖️
Secret Management Mastery
Get all challenges correct to earn this badge!
Test your skills under time pressure!
service_behavior
intermediate
2:00remaining
How does AWS Secrets Manager handle secret rotation?

A developer configures AWS Secrets Manager to rotate a database password automatically every 30 days. What happens during the rotation process?

ASecrets Manager only updates the secret value in the console but does not change the database password.
BSecrets Manager deletes the old secret and creates a completely new secret with a new name.
CSecrets Manager creates a new secret version, updates the database with the new password, and marks the new version as current.
DSecrets Manager sends an email notification to the admin but does not change the secret or database password.
Attempts:
2 left
💡 Hint

Think about how the secret and the service using it stay in sync during rotation.

Configuration
intermediate
2:00remaining
Terraform: Correct Vault provider configuration for AWS authentication

Which Terraform configuration snippet correctly sets up the Vault provider to authenticate using AWS IAM role?

A
provider "vault" {
  auth_login {
    path = "auth/aws/login"
    parameters = {
      role = "my-role"
    }
  }
}
B
provider "vault" {
  auth_method = "aws"
  role = "my-role"
}
C
provider "vault" {
  auth {
    method = "aws"
    role = "my-role"
  }
}
D
provider "vault" {
  aws_auth {
    role = "my-role"
  }
}
Attempts:
2 left
💡 Hint

Look for the correct block and keys used in Vault provider for AWS login.

Architecture
advanced
2:00remaining
Designing secure secret access for microservices using Vault

You have multiple microservices running in Kubernetes that need to access different secrets stored in Vault. Which architecture ensures least privilege and automatic secret renewal?

AEmbed Vault root token in each microservice container environment variables for easy access.
BAssign each microservice a unique Vault Kubernetes service account role with policies scoped to only required secrets, and use Vault Agent sidecar for automatic token renewal.
CStore secrets in Kubernetes ConfigMaps and let microservices read them directly without Vault integration.
DUse a single Vault token shared by all microservices with full access to all secrets, and manually update tokens when expired.
Attempts:
2 left
💡 Hint

Think about security best practices for secret access and token management.

security
advanced
2:00remaining
Identifying security risk in secret management configuration

Which Terraform snippet introduces a security risk when managing AWS Secrets Manager secrets?

resource "aws_secretsmanager_secret" "db_password" {
  name = "db_password"
}

resource "aws_secretsmanager_secret_version" "db_password_version" {
  secret_id     = aws_secretsmanager_secret.db_password.id
  secret_string = var.db_password
}
ANot specifying a KMS key for encryption, so AWS uses default encryption.
BUsing <code>secret_string</code> instead of <code>secret_binary</code> for the secret value.
CNot tagging the secret resource with environment metadata.
DStoring the secret value directly in Terraform variable <code>var.db_password</code> which may be logged or stored in state files.
Attempts:
2 left
💡 Hint

Consider where secret values are stored and risks of exposure.

Best Practice
expert
2:00remaining
Choosing the best secret injection method for serverless functions

You deploy AWS Lambda functions that require database credentials stored in AWS Secrets Manager. Which approach follows best practices for secret injection and minimizes cold start latency?

AConfigure Lambda environment variables with the secret ARN and fetch secrets at runtime using AWS SDK with caching inside the function.
BHardcode the database credentials inside the Lambda function code for faster access.
CFetch the secret from Secrets Manager on every function invocation without caching.
DStore the secret in an S3 bucket and read it from Lambda at runtime.
Attempts:
2 left
💡 Hint

Think about balancing security, performance, and cold start impact.

Practice

(1/5)
1. What is the main purpose of integrating Terraform with a secret management tool like Vault or AWS Secrets Manager?
easy
A. To securely store and access sensitive data like passwords and API keys outside the code
B. To speed up Terraform plan and apply operations
C. To automatically generate Terraform configuration files
D. To monitor cloud resource usage and billing

Solution

  1. Step 1: Understand secret management purpose

    Secret management tools keep sensitive data safe and separate from code to reduce risk.

  2. Step 2: Connect to Terraform integration goal

    Terraform uses these tools to fetch secrets securely during infrastructure deployment without hardcoding them.

  3. Final Answer:

    To securely store and access sensitive data like passwords and API keys outside the code -> Option A

  4. Quick Check:

    Secret management = Secure external storage [OK]
Hint: Secrets keep sensitive data out of code [OK]
Common Mistakes:
  • Thinking secret managers speed up Terraform
  • Confusing secret management with billing tools
  • Assuming secret managers generate configs
2. Which Terraform block correctly configures AWS Secrets Manager to read a secret named db_password?
easy
A. variable "db_password" { default = "aws_secretsmanager_secret.db_password" }
B. resource "aws_secretsmanager_secret" "example" { name = "db_password" }
C. provider "aws" { secret_name = "db_password" }
D. data "aws_secretsmanager_secret_version" "example" { secret_id = "db_password" }

Solution

  1. Step 1: Identify correct Terraform data source for reading secret

    Terraform uses data "aws_secretsmanager_secret_version" to read secret values from AWS Secrets Manager.

  2. Step 2: Check syntax correctness

    The block uses secret_id = "db_password" to specify the secret name, which is correct for reading.

  3. Final Answer:

    data "aws_secretsmanager_secret_version" "example" { secret_id = "db_password" } -> Option D

  4. Quick Check:

    Read secret = data source block [OK]
Hint: Use data block to read secrets, not resource [OK]
Common Mistakes:
  • Using resource block to read secrets
  • Putting secret name in provider block
  • Assigning secret as variable default incorrectly
3. Given this Terraform snippet using Vault provider:
data "vault_generic_secret" "db" {
  path = "secret/data/database"
}

output "db_password" {
  value = data.vault_generic_secret.db.data["password"]
}

What will be the output if the secret at secret/data/database contains {"password": "pass123"}?
medium
A. "data.vault_generic_secret.db.data[\"password\"]"
B. "pass123"
C. Error: secret not found
D. null

Solution

  1. Step 1: Understand Vault data source usage

    The vault_generic_secret data source reads secrets at the given path and stores them in data map.

  2. Step 2: Access the password key in output

    The output accesses data.vault_generic_secret.db.data["password"], which matches the secret's password value "pass123".

  3. Final Answer:

    "pass123" -> Option B

  4. Quick Check:

    Output secret value = "pass123" [OK]
Hint: Access secret data map keys directly [OK]
Common Mistakes:
  • Expecting error if secret exists
  • Outputting the literal string instead of value
  • Confusing data structure keys
4. You wrote this Terraform code to read a secret from AWS Secrets Manager:
data "aws_secretsmanager_secret_version" "db" {
  secret_id = aws_secretsmanager_secret.db.name
}

resource "aws_secretsmanager_secret" "db" {
  name = "my_db_password"
}

Terraform plan fails with error: Reference to undeclared resource. What is the problem?
medium
A. The resource block is missing required parameters
B. The secret_id should be a string, not a resource attribute
C. The data source references the resource before it is declared
D. Terraform cannot read secrets from AWS Secrets Manager

Solution

  1. Step 1: Analyze resource and data source order

    The data source references aws_secretsmanager_secret.db.name before the resource is declared, causing a dependency error.

  2. Step 2: Understand Terraform resource referencing rules

    Terraform requires resources to be declared before referencing them in data sources to resolve dependencies correctly.

  3. Final Answer:

    The data source references the resource before it is declared -> Option C

  4. Quick Check:

    Reference order matters in Terraform [OK]
Hint: Declare resources before referencing them [OK]
Common Mistakes:
  • Using resource attributes as string literals
  • Ignoring declaration order
  • Assuming Terraform can't read AWS secrets
5. You want to securely pass a database password stored in Vault to an AWS RDS instance using Terraform. Which approach follows best practices?
hard
A. Use vault_generic_secret data source to fetch password, then pass it as password argument in aws_db_instance resource without storing it in Terraform state
B. Hardcode the password in Terraform variables and update Vault manually
C. Store the password in a local file and read it in Terraform
D. Create the RDS instance first, then manually update password in Vault

Solution

  1. Step 1: Identify secure secret retrieval method

    Using vault_generic_secret data source fetches the password securely at runtime without hardcoding.

  2. Step 2: Pass secret directly to resource without storing in state

    Passing the secret as an argument avoids exposing it in Terraform files or state, following best practices.

  3. Final Answer:

    Use vault_generic_secret data source to fetch password, then pass it as password argument in aws_db_instance resource without storing it in Terraform state -> Option A

  4. Quick Check:

    Fetch secrets dynamically and avoid hardcoding [OK]
Hint: Fetch secrets dynamically, never hardcode passwords [OK]
Common Mistakes:
  • Hardcoding secrets in variables
  • Storing secrets in local files
  • Manual secret updates outside Terraform