Linking a Yandex Cloud Backup policy to a VM automatically using Terraform
To create a virtual machine with automatic linking to a Cloud Backup policy:
If you no longer need the resources you created, delete them.
Prepare your cloud
Sign up for Yandex Cloud and create a billing account:
- Go to the management console
and log in to Yandex Cloud or create an account if you do not have one yet. - On the Yandex Cloud Billing
page, make sure you have a billing account linked and it has theACTIVE
orTRIAL_ACTIVE
status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page
Learn more about clouds and folders.
Required paid resources
The infrastructure support cost includes:
- Fee for VM computing resources (see Yandex Compute Cloud pricing).
- Fee for VM disks (see Yandex Compute Cloud pricing).
- Fee for using a dynamic external IP address (see Yandex Virtual Private Cloud pricing).
- Fee for VMs connected to Cloud Backup and the backup size (see Yandex Cloud Backup pricing).
Activate the service
Note
The minimum folder role required to activate the service is backup.editor
(see its description for details).
-
In the management console
, select the folder you want to create a VM with a Cloud Backup connection in. -
In the list of services, select Cloud Backup.
-
If you have not activated Cloud Backup yet, click Activate.
If there is no Activate button, and you have access to creating a VM with a Cloud Backup connection, it means the service has already been activated. Proceed to the next step.
Create an infrastructure
Note
Linking a Yandex Cloud Backup policy to a VM is available for Terraform provider0.127.0
or higher.
Terraform
For more information about the provider resources, see the documentation on the Terraform
If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
To create an infrastructure using Terraform:
-
Install Terraform, get the authentication credentials, and specify the source for installing the Yandex Cloud provider (see Configure a provider, step 1).
-
Prepare files with the infrastructure description:
Ready-made configurationManually-
Clone the repository with configuration files.
git clone https://github.com/yandex-cloud-examples/yc-baas-backup-policy-auto-binding
-
Go to the directory with the repository. Make sure it contains the following files:
backup-policy-auto-binding-config.tf
: New infrastructure configuration.cloud-init.yaml
: VM metadata file.
-
Create a folder for configuration files.
-
In the folder, create:
backup-policy-auto-binding-config.tf
configuration file:
backup-policy-auto-binding-config.tf
# Configuring a provider terraform { required_providers { yandex = { source = "yandex-cloud/yandex" } } required_version = ">= 0.13" } provider "yandex" { zone = "ru-central1-a" } # Creating a service account resource "yandex_iam_service_account" "my_sa" { name = "backup-sa" } # Assigning roles to a service account resource "yandex_resourcemanager_folder_iam_member" "my_binding" { folder_id = yandex_iam_service_account.my_sa.folder_id role = "backup.editor" member = "serviceAccount:${yandex_iam_service_account.my_sa.id}" } # Creating a cloud network resource "yandex_vpc_network" "my_backup_network" { name = "cloud-network" } # Creating a cloud subnet resource "yandex_vpc_subnet" "my_backup_subnet" { zone = "ru-central1-a" network_id = yandex_vpc_network.my_backup_network.id v4_cidr_blocks = ["192.168.0.0/24"] } # Creating a security group # https://yandex.cloud/ru/docs/backup/concepts/vm-connection#vm-network-access resource "yandex_vpc_security_group" "my_backup_security_group" { name = "backup-sg" network_id = yandex_vpc_network.my_backup_network.id egress { protocol = "TCP" from_port = 7770 to_port = 7800 v4_cidr_blocks = ["84.47.172.0/24"] } egress { protocol = "TCP" port = 443 v4_cidr_blocks = ["213.180.204.0/24", "213.180.193.0/24", "178.176.128.0/24", "84.201.181.0/24", "84.47.172.0/24"] } egress { protocol = "TCP" port = 80 v4_cidr_blocks = ["213.180.204.0/24", "213.180.193.0/24"] } egress { protocol = "TCP" port = 8443 v4_cidr_blocks = ["84.47.172.0/24"] } egress { protocol = "TCP" port = 44445 v4_cidr_blocks = ["51.250.1.0/24"] } ingress { protocol = "TCP" description = "ssh" v4_cidr_blocks = ["0.0.0.0/0"] port = 22 } } # Getting information about an image for a VM boot disk data "yandex_compute_image" "ubuntu" { family = "ubuntu-2204-lts" } # Creating a VM boot disk resource "yandex_compute_disk" "boot-disk" { type = "network-ssd" zone = "ru-central1-a" size = "20" image_id = data.yandex_compute_image.ubuntu.id } # Creating a VM resource "yandex_compute_instance" "my_backup_compute" { name = "backup-instance" platform_id = "standard-v3" zone = "ru-central1-a" service_account_id = yandex_iam_service_account.my_sa.id network_interface { subnet_id = yandex_vpc_subnet.my_backup_subnet.id security_group_ids = [yandex_vpc_security_group.my_backup_security_group.id] nat = true } boot_disk { disk_id = yandex_compute_disk.boot-disk.id } resources { cores = 2 memory = 4 } metadata = { user-data = "${file("cloud-init.yaml")}" } } # Creating backup policies resource "yandex_backup_policy" "my_policy" { name = "weekly-backup" fast_backup_enabled = true retention { after_backup = false } reattempts { enabled = true interval = "1m" max_attempts = 10 } scheduling { scheme = "ALWAYS_INCREMENTAL" weekly_backup_day = "FRIDAY" backup_sets { execute_by_time { repeat_at = ["03:00"] type = "WEEKLY" weekdays = ["FRIDAY"] } } } vm_snapshot_reattempts { enabled = true interval = "1m" max_attempts = 10 } } # Linking a backup policy to a VM resource "yandex_backup_policy_bindings" "my_backup_binding" { instance_id = yandex_compute_instance.my_backup_compute.id policy_id = yandex_backup_policy.my_policy.id }
cloud-init.yaml
VM metadata file:
cloud-init.yaml
#cloud-config datasource: Ec2: strict_id: false ssh_pwauth: no users: - name: <username> sudo: ALL=(ALL) NOPASSWD:ALL shell: /bin/bash ssh_authorized_keys: - <public_SSH_key> packages: - curl - perl - jq runcmd: - curl https://storage.yandexcloud.net/backup-distributions/agent_installer.sh | sudo bash
For more information about the parameters of resources used in Terraform, see the provider documentation:
- Service account: yandex_iam_service_account
. - Assigning a role to a service account: yandex_resourcemanager_folder_iam_member
. - Network: yandex_vpc_network
. - Subnets: yandex_vpc_subnet
. - Security group: yandex_vpc_security_group
. - VM image data: yandex_compute_image
. - VM boot disk: yandex_compute_disk
. - VM instance: yandex_compute_instance
. - Backup policy: yandex_backup_policy
. You can create a new policy or use one of those generated automatically upon service activation. - Linking a backup policy to a VM: yandex_backup_policy_bindings
. To link one of the backup policies generated automatically upon service activation, get its ID.
-
-
In the
cloud-init.yaml
file, set the following user-defined parameters:name
: VM username, e.g.,vm-user
.ssh_authorized_keys
: Contents of the public key file. You need to create a key pair for the SSH connection yourself.
-
Create resources:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
-
Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply
-
Confirm the changes: type
yes
in the terminal and press Enter.
-
Note
When the VM switches to the Running
status, a Cloud Backup agent will start installing on it. This may take from 5 to 10 minutes.
A policy is linked asynchronously after you create and initialize a VM, as well as install and configure a backup agent. This may take up to 10-15 minutes. As a result, the virtual machine will appear in the list of Cloud Backup VMs and in the list of VMs linked to the weekly-backup
policy.
You can monitor the installation progress using the VM serial port in the management console.
How to delete the resources you created
To stop paying for the resources you created:
-
Open the
backup-policy-auto-binding.tf
configuration file and delete the description of the new infrastructure from it. -
Apply the changes:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
-
Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply
-
Confirm the changes: type
yes
in the terminal and press Enter.
-