Associating a Yandex Cloud Backup policy with a VM automatically using Terraform
To create a virtual machine automatically associated with a Cloud Backup policy:
- Get your cloud ready.
- Activate Cloud Backup.
- Create your infrastructure.
If you no longer need the resources you created, delete them.
Get your cloud ready
Sign up for Yandex Cloud and create a billing account:
- Navigate to the management console and log in to Yandex Cloud or create a new account.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.
If you have an active billing account, you can navigate to the cloud page
Learn more about clouds and folders.
Required paid resources
The infrastructure support cost includes:
- Fee for VM computing resources (see Yandex Compute Cloud pricing).
- Fee for VM disks (see Yandex Compute Cloud pricing).
- Fee for using a dynamic external IP address (see Yandex Virtual Private Cloud pricing).
- Fee for VMs connected to Cloud Backup and the backup size (see Yandex Cloud Backup pricing).
Activate Cloud Backup
Note
The minimum folder role required to activate the service is backup.editor (see its description for details).
- In the management console, select the folder you want to create a VM with a Cloud Backup connection in.
- In the list of services, select Cloud Backup.
- If you have not activated Cloud Backup yet, click Activate.
  If there is no Activate button, and you have access to creating a VM with a Cloud Backup connection, it means the service has already been activated. Proceed to the next step.
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
- View the description of the CLI command to activate the service:
    yc backup provider activate --help
- Activate the service in the default folder:
    yc backup provider activate --async
  Where --async displays the operation progress info. This is an optional parameter.
  Result:
    id: cdgmnefxiatx********
    description: activate provider
    created_at: "2024-10-14T09:03:47.960564Z"
    created_by: ajec1gaqcmtr********
    modified_at: "2024-10-14T09:03:47.960564Z"
    done: true
    metadata:
      '@type': type.googleapis.com/yandex.cloud.backup.v1.ActivateProviderMetadata
      folder_id: b1go3el0d8fs********
    response:
      '@type': type.googleapis.com/google.protobuf.Empty
      value: {}
After activation, the system automatically creates the following backup policies:
- Default daily: Daily incremental backup with the last 15 backups retained.
- Default weekly: Weekly incremental backup with the last 15 backups retained.
- Default monthly: Monthly incremental backup with the last 15 backups retained.
If you prefer not to create them, use the --skip-default-policy parameter.
Create your infrastructure
Note
Associating a Yandex Cloud Backup policy with a VM is available for Terraform provider 0.127.0 and higher.
With Terraform
Terraform is distributed under the Business Source License
For more information about the provider resources, see the relevant articles on the Terraform
To create an infrastructure using Terraform:
- Install Terraform, get the credentials, and specify the source for installing the Yandex Cloud provider (see Configure a provider, Step 1).
- Set up your infrastructure description files:
  Ready-made configuration
  - Clone the repository with configuration files.
      git clone https://github.com/yandex-cloud-examples/yc-baas-backup-policy-auto-binding
  - Navigate to the repository directory. Make sure it contains the following files:
    - backup-policy-auto-binding-config.tf: New infrastructure configuration.
    - cloud-init.yaml: VM metadata file.
  Manually
  - Create a folder for configuration files.
  - In the folder, create:
    - backup-policy-auto-binding-config.tf configuration file:
        # Configuring the provider
        terraform {
          required_providers {
            yandex = {
              source = "yandex-cloud/yandex"
            }
          }
          required_version = ">= 0.13"
        }

        provider "yandex" {
          zone = "ru-central1-a"
        }

        # Creating a service account
        resource "yandex_iam_service_account" "my_sa" {
          name = "backup-sa"
        }

        # Assigning roles to a service account
        resource "yandex_resourcemanager_folder_iam_member" "my_binding" {
          folder_id = yandex_iam_service_account.my_sa.folder_id
          role      = "backup.editor"
          member    = "serviceAccount:${yandex_iam_service_account.my_sa.id}"
        }

        # Creating a cloud network
        resource "yandex_vpc_network" "my_backup_network" {
          name = "cloud-network"
        }

        # Creating a cloud subnet
        resource "yandex_vpc_subnet" "my_backup_subnet" {
          zone           = "ru-central1-a"
          network_id     = yandex_vpc_network.my_backup_network.id
          v4_cidr_blocks = ["192.168.0.0/24"]
        }

        # Creating a security group
        # https://yandex.cloud/ru/docs/backup/concepts/vm-connection#vm-network-access
        resource "yandex_vpc_security_group" "my_backup_security_group" {
          name       = "backup-sg"
          network_id = yandex_vpc_network.my_backup_network.id
          egress {
            protocol       = "TCP"
            from_port      = 7770
            to_port        = 7800
            v4_cidr_blocks = ["84.47.172.0/24"]
          }
          egress {
            protocol       = "TCP"
            port           = 443
            v4_cidr_blocks = ["213.180.204.0/24", "213.180.193.0/24", "178.176.128.0/24", "84.201.181.0/24", "84.47.172.0/24"]
          }
          egress {
            protocol       = "TCP"
            port           = 80
            v4_cidr_blocks = ["213.180.204.0/24", "213.180.193.0/24"]
          }
          egress {
            protocol       = "TCP"
            port           = 8443
            v4_cidr_blocks = ["84.47.172.0/24"]
          }
          egress {
            protocol       = "TCP"
            port           = 44445
            v4_cidr_blocks = ["51.250.1.0/24"]
          }
          ingress {
            protocol       = "TCP"
            description    = "ssh"
            v4_cidr_blocks = ["0.0.0.0/0"]
            port           = 22
          }
        }

        # Getting information about an image for a VM boot disk
        data "yandex_compute_image" "ubuntu" {
          family = "ubuntu-2204-lts"
        }

        # Creating a VM boot disk
        resource "yandex_compute_disk" "boot-disk" {
          type     = "network-ssd"
          zone     = "ru-central1-a"
          size     = "20"
          image_id = data.yandex_compute_image.ubuntu.id
        }

        # Creating a VM
        resource "yandex_compute_instance" "my_backup_compute" {
          name               = "backup-instance"
          platform_id        = "standard-v3"
          zone               = "ru-central1-a"
          service_account_id = yandex_iam_service_account.my_sa.id
          network_interface {
            subnet_id          = yandex_vpc_subnet.my_backup_subnet.id
            security_group_ids = [yandex_vpc_security_group.my_backup_security_group.id]
            nat                = true
          }
          boot_disk {
            disk_id = yandex_compute_disk.boot-disk.id
          }
          resources {
            cores  = 2
            memory = 4
          }
          metadata = {
            user-data = "${file("cloud-init.yaml")}"
          }
        }

        # Creating a backup policy
        resource "yandex_backup_policy" "my_policy" {
          name                = "weekly-backup"
          fast_backup_enabled = true
          retention {
            after_backup = false
          }
          reattempts {
            enabled      = true
            interval     = "1m"
            max_attempts = 10
          }
          scheduling {
            scheme            = "ALWAYS_INCREMENTAL"
            weekly_backup_day = "FRIDAY"
            backup_sets {
              execute_by_time {
                repeat_at = ["03:00"]
                type      = "WEEKLY"
                weekdays  = ["FRIDAY"]
              }
            }
          }
          vm_snapshot_reattempts {
            enabled      = true
            interval     = "1m"
            max_attempts = 10
          }
        }

        # Associating a backup policy with a VM
        resource "yandex_backup_policy_bindings" "my_backup_binding" {
          instance_id = yandex_compute_instance.my_backup_compute.id
          policy_id   = yandex_backup_policy.my_policy.id
        }
    - cloud-init.yaml VM metadata file:
        #cloud-config
        datasource:
          Ec2:
            strict_id: false
        ssh_pwauth: no
        users:
          - name: <username>
            sudo: ALL=(ALL) NOPASSWD:ALL
            shell: /bin/bash
            ssh_authorized_keys:
              - <public_SSH_key>
        packages:
          - curl
          - perl
          - jq
        runcmd:
          - curl https://storage.yandexcloud.net/backup-distributions/agent_installer.sh | sudo bash
Learn more about the properties of Terraform resources in the relevant Terraform guides:
- Service account: yandex_iam_service_account.
- Assigning a role to a service account: yandex_resourcemanager_folder_iam_member.
- Network: yandex_vpc_network.
- Subnet: yandex_vpc_subnet.
- Security group: yandex_vpc_security_group.
- VM image data: yandex_compute_image.
- VM boot disk: yandex_compute_disk.
- VM instance: yandex_compute_instance.
- Backup policy: yandex_backup_policy. You can create a new policy or use one of those generated automatically upon service activation.
- Associating a backup policy with a VM: yandex_backup_policy_bindings. To associate one of the backup policies created automatically upon service activation, get its ID.
- In the cloud-init.yaml file, set the following user-defined properties:
  - name: VM username, e.g., vm-user.
  - ssh_authorized_keys: Contents of the public key file. You need to create a key pair for the SSH connection on your own.
- Create the resources:
  - In the terminal, go to the directory where you edited the configuration file.
  - Make sure the configuration file is correct using this command:
      terraform validate
    If the configuration is correct, you will get this message:
      Success! The configuration is valid.
  - Run this command:
      terraform plan
    You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.
  - Apply the changes:
      terraform apply
  - Type yes and press Enter to confirm the changes.
Note
When the VM switches to the Running status, the Cloud Backup agent will start installing on it. This may take from 5 to 10 minutes.
A policy is linked asynchronously after you create and initialize a VM, as well as install and configure a Cloud Backup agent. This may take up to 10-15 minutes. As a result, the virtual machine will appear in the list of Cloud Backup VMs and in the list of VMs linked to the weekly-backup policy.
You can monitor the installation progress using the VM serial port in the management console.
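A pre-apply check for the configuration above, as an added example that is not part of the original guide or the Yandex Cloud repository: it reads the JSON form of a saved plan (`terraform plan -out=tfplan`, then `terraform show -json tfplan`) and reports VMs that no yandex_backup_policy_bindings resource references, plus security group ingress rules whose port or port range includes 22 and that are open to 0.0.0.0/0. The `audit_plan` and `covers_ssh` names and the sample plan are constructed for illustration, and only the root module is inspected.

```python
import json

# Constructed sample: only the parts of `terraform show -json tfplan` output
# that the check reads, shaped like a plan of the configuration in this guide.
SAMPLE_PLAN = json.loads("""
{"configuration": {"root_module": {"resources": [
   {"address": "yandex_compute_instance.my_backup_compute",
    "type": "yandex_compute_instance", "expressions": {}},
   {"address": "yandex_backup_policy_bindings.my_backup_binding",
    "type": "yandex_backup_policy_bindings",
    "expressions": {"instance_id": {"references": [
      "yandex_compute_instance.my_backup_compute.id",
      "yandex_compute_instance.my_backup_compute"]}}}]}},
 "resource_changes": [
   {"address": "yandex_vpc_security_group.my_backup_security_group",
    "type": "yandex_vpc_security_group",
    "change": {"after": {"ingress": [
      {"protocol": "TCP", "port": 22, "v4_cidr_blocks": ["0.0.0.0/0"]}]}}}]}
""")

def covers_ssh(rule):
    """True if an ingress rule's single port or port range includes 22."""
    lo, hi = rule.get("from_port"), rule.get("to_port")
    in_range = lo is not None and hi is not None and 0 <= lo <= 22 <= hi
    return rule.get("port") == 22 or in_range

def audit_plan(plan):
    """Return findings for VMs without a policy binding and world-open SSH."""
    resources = plan["configuration"]["root_module"].get("resources", [])
    refs = [ref for res in resources
            if res["type"] == "yandex_backup_policy_bindings"
            for ref in res["expressions"].get("instance_id", {}).get("references", [])]
    findings = []
    for res in resources:
        addr = res["address"]
        if res["type"] == "yandex_compute_instance" and not any(
                ref == addr or ref.startswith(addr + ".") for ref in refs):
            findings.append(f"{addr}: no backup policy binding references this VM")
    for change in plan.get("resource_changes", []):
        if change["type"] != "yandex_vpc_security_group":
            continue
        after = change["change"].get("after") or {}  # "after" is null on destroy
        for rule in after.get("ingress") or []:
            if covers_ssh(rule) and "0.0.0.0/0" in (rule.get("v4_cidr_blocks") or []):
                findings.append(f"{change['address']}: SSH ingress open to 0.0.0.0/0")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_plan(SAMPLE_PLAN)))
```

An empty result means every VM in the plan has a binding and no rule exposes SSH to all addresses; a non-empty one can be used to stop a pipeline before `terraform apply`.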
How to delete the resources you created
To stop paying for the resources you created:
- Open the backup-policy-auto-binding-config.tf file and delete your infrastructure description from it.
- Apply the changes:
  - In the terminal, go to the directory where you edited the configuration file.
  - Make sure the configuration file is correct using this command:
      terraform validate
    If the configuration is correct, you will get this message:
      Success! The configuration is valid.
  - Run this command:
      terraform plan
    You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.
  - Apply the changes:
      terraform apply
  - Type yes and press Enter to confirm the changes.