HashiCorp glossary
Key HashiCorp certification terms and acronyms.
Definitions are AI-assisted and reviewed for general accuracy — verify critical details against HashiCorp's official documentation.
ACLAccess Control List
The permission model used in Vault policies; capabilities such as create, read, update, delete, and list are granted per path.
AppRole
A machine-oriented Vault auth method that uses a Role ID and Secret ID pair to authenticate non-human workloads.
Audit Device
A Vault component that logs all authenticated requests and responses to a persistent backend (file, syslog, or socket) for compliance and forensics.
Auth Method
A Vault component responsible for authenticating clients and returning a token; examples include AppRole, AWS, Kubernetes, and LDAP.
Auto-Unseal
A Vault feature that delegates master key unsealing to a trusted external key management service (e.g., AWS KMS, Azure Key Vault) instead of manual key shares.
Cubbyhole
A built-in Vault secrets engine providing a private storage space per token; data is deleted when the token expires and is not shared across tokens.
Data source
A configuration block that retrieves read-only information from a provider or external system for use in other Terraform resources.
DEKData Encryption Key
The AES-256-GCM key Vault generates per storage entry to encrypt data; it is itself encrypted by the master key before being stored.
depends_on
A meta-argument used to declare explicit dependencies between resources when implicit references are insufficient for correct ordering.
Dynamic Secret
A secret generated on-demand by Vault (e.g., temporary database credentials) with a TTL, reducing long-lived credential exposure.
HAHigh Availability
A Vault deployment mode with one active node handling requests and one or more standby nodes that redirect clients and take over on failure.
HCLHashiCorp Configuration Language
The declarative language used to write Terraform configuration files, designed to be human-readable and machine-friendly.
HCP TerraformHashiCorp Cloud Platform Terraform
HashiCorp's managed SaaS platform for collaborative Terraform runs, remote state storage, and policy enforcement (formerly Terraform Cloud).
IaCInfrastructure as Code
The practice of defining and managing infrastructure resources through machine-readable configuration files rather than manual processes.
Implicit dependency
A dependency Terraform infers automatically when one resource references an attribute of another resource in its configuration.
KVKey-Value
A Vault secrets engine that stores arbitrary static secrets as key-value pairs; available in v1 (no versioning) and v2 (versioned) modes.
Lease
Metadata Vault attaches to dynamic secrets specifying their TTL; leases can be renewed or revoked to manage secret lifecycle.
lifecycle
A meta-argument block that customizes how Terraform creates, updates, and destroys a resource using settings such as create_before_destroy.
Lock file
The .terraform.lock.hcl file that records the exact provider versions selected during `terraform init` to ensure consistent installs.
Module
A reusable, self-contained package of Terraform configurations that groups related resources and can be called from other configurations.
Namespace
A Vault Enterprise feature providing isolated, multi-tenant environments within a single cluster, each with its own policies, auth methods, and secrets engines.
Output
A value exported from a Terraform configuration that can be displayed after apply or consumed by other configurations and modules.
PKI EnginePublic Key Infrastructure Engine
A Vault secrets engine that acts as a certificate authority to dynamically issue X.509 certificates with configurable TTLs.
Policy
An HCL or JSON document that defines ACL rules specifying which paths a Vault token is allowed to access and with which capabilities.
Provider
A plugin that implements resource types and data sources for a specific platform or API, such as AWS, Azure, or Google Cloud.
Raft
An integrated storage backend built into Vault that provides consensus-based HA without requiring an external storage system like Consul.
Remote backend
A configuration that stores Terraform state in a remote location such as HCP Terraform, S3, or Azure Blob Storage instead of locally.
Resource
A block in Terraform configuration that declares an infrastructure object to be created, updated, or deleted by a provider.
Response Wrapping
A Vault mechanism that wraps a secret in a single-use token stored in cubbyhole, enabling secure secret delivery to an intended recipient.
Root Token
An initial Vault token with unrestricted privileges generated at initialization; it should be revoked after initial configuration is complete.
Seal/Unseal
Vault starts in a sealed state where data is encrypted and inaccessible; unseal provides key shares to reconstruct the master key and make Vault operational.
Secret
Any sensitive credential or data (password, API key, certificate) that Vault manages, stores, or dynamically generates.
Secrets Engine
A Vault plugin that stores, generates, or encrypts data; engines are mounted at paths and include KV, PKI, AWS, database, and transit.
Sentinel
HashiCorp's policy-as-code framework integrated with HCP Terraform and Terraform Enterprise to enforce governance rules on Terraform runs.
Shamir's Secret Sharing
A cryptographic algorithm Vault uses by default to split the master key into multiple key shares, requiring a threshold number to reconstruct it.
State file
A JSON file (terraform.tfstate) that records the current known state of managed infrastructure, used by Terraform to plan and apply changes.
State locking
A mechanism that prevents concurrent Terraform operations on the same state file, avoiding conflicts and corruption.
terraform apply
The CLI command that executes the actions proposed in a plan to create, update, or destroy infrastructure resources.
terraform destroy
The CLI command that destroys all remote objects managed by a particular Terraform configuration.
terraform fmt
The CLI command that automatically reformats Terraform configuration files to follow the canonical style conventions.
terraform init
The CLI command that initializes a working directory, downloading required provider plugins and configuring the backend.
terraform plan
The CLI command that creates an execution plan showing what changes Terraform will make to reach the desired state without applying them.
Terraform Registry
HashiCorp's public registry (registry.terraform.io) that hosts providers and modules available for use in Terraform configurations.
terraform validate
The CLI command that checks whether configuration files are syntactically valid and internally consistent without accessing remote state or APIs.
Token
The core authentication artifact in Vault; all operations require a valid token that carries policies, TTL, and accessor metadata.
Transit Engine
A Vault secrets engine that provides encryption-as-a-service, allowing applications to encrypt/decrypt data without storing it in Vault.
TTLTime To Live
The duration for which a Vault token or secret lease remains valid before it expires and is automatically revoked.
Variable
An input parameter declared with a variable block that allows configuration values to be passed into a module or root configuration.
Vault
HashiCorp's open-source secrets management tool for securely storing, accessing, and distributing secrets such as tokens, passwords, and certificates.
Workspace
An isolated state environment within a single configuration directory, allowing multiple distinct state files for the same code.