Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This quickstart describes how to configure vaulted backup for an Azure Kubernetes Service (AKS) cluster using Terraform.
Azure Backup for AKS is a cloud-native, enterprise-ready, application-centric backup service that lets you quickly configure backup for AKS clusters.
Note
Steps included in this article on how to deploy a cluster and protect it with AKS Backup are for evaluation purposes only.
Before deploying a production-ready cluster and utilize advance backup settings, we recommend that you familiarize yourself with our baseline reference architecture to consider how it aligns with your business requirements.
Prerequisites
Things to ensure before you configure AKS backup:
This quickstart assumes a basic understanding of Kubernetes concepts. For more information, see [Kubernetes core concepts for Azure Kubernetes Service (AKS)][kubernetes-concepts].
You need an Azure account with an active subscription. If you don't have one, create an account for free.
Note
Ensure that the Terraform version being used is 3.99 or later
Create a random value for the Azure resource group name using random_pet.
Create an Azure resource group using azurerm_resource_group.
Access the configuration of the AzureRM provider to get the Azure Object ID using
azurerm_client_config.Create a Kubernetes cluster using
azurerm_kubernetes_cluster.Create an AzAPI resource using
azapi_resource.Create a Storage Account using
azurerm_storage_account.Create a Blob Container using
azurerm_storage_container.Install Backup Extension in the AKS cluster using
azurerm_kubernetes_cluster_extension`.Create a Backup Vault using
azurerm_data_protection_backup_vault.Create a Backup Policy for AKS cluster using
azurerm_data_protection_backup_vault.Enable Trusted Access between AKS cluster and Backup vault using
azurerm_kubernetes_cluster_trusted_access_role_binding.Enable Role Assignments using
azurerm_role_assignment.Configure Backup for an AKS Cluster using
azurerm_data_protection_backup_policy_kubernetes_cluster.
Log in to Azure account
Log in to your Azure account and authenticate using one of the following methods:
Terraform only supports authenticating to Azure with the Azure CLI. Authenticating using Azure PowerShell isn't supported. Therefore, while you can use the Azure PowerShell module when doing your Terraform work, you first need to authenticate to Azure.
Implement the Terraform code
To implement the Terraform code for AKS backup flow, run the following scripts:
Note
Learn more how to use Terraform sample codes to manage Azure resources.
Create a directory you can use to test the sample Terraform code, and make it your current directory.
Create a file named
providers.tfand insert the following code:terraform { required_providers { azurerm = { source = "hashicorp/azurerm" version = "3.99.0" } } } provider "azurerm" { features {} subscription_id = "<azure_subscription_id>" tenant_id = "<azure_subscription_tenant_id>" }Create a file named
main.tfand insert the following code:#Get Subscription and Tenant Id from Config data "azurerm_client_config" "current" { } #Create a Resource Group where Backup Vault and AKS Cluster will be created resource "azurerm_resource_group" "rg" { ___location = var.resource_group_location name = var.resource_group_name } #Create a Resource Group where Storage Account and Snapshots related to backup will be created resource "azurerm_resource_group" "backuprg" { ___location = var.backup_resource_group_location name = var.backup_resource_group_name } #Create an AKS Cluster resource "azurerm_kubernetes_cluster" "akscluster" { resource_group_name = azurerm_resource_group.rg.name name = var.aks_cluster_name ___location = azurerm_resource_group.rg.___location dns_prefix = var.dns_prefix identity { type = "SystemAssigned" } default_node_pool { name = "agentpool" vm_size = "Standard_D2_v2" node_count = var.node_count } network_profile { network_plugin = "kubenet" load_balancer_sku = "standard" } depends_on = [azurerm_resource_group.rg,azurerm_resource_group.backuprg] } #Create a Backup Vault resource "azurerm_data_protection_backup_vault" "backupvault" { name = var.backupvault_name resource_group_name = resource.azurerm_resource_group.rg.name ___location = resource.azurerm_resource_group.rg.___location datastore_type = var.datastore_type redundancy = var.redundancy identity { type = "SystemAssigned" } depends_on = [azurerm_kubernetes_cluster.akscluster] } #Create a Backup Policy with 4 hourly backups and 7 day retention duration resource "azurerm_data_protection_backup_policy_kubernetes_cluster" "policy" { name = var.backuppolicy_name resource_group_name = var.resource_group_name vault_name = var.backupvault_name backup_repeating_time_intervals = ["R/2024-04-14T06:33:16+00:00/PT4H"] default_retention_rule { life_cycle { duration = "P7D" data_store_type = "OperationalStore" } } depends_on = [resource.azurerm_data_protection_backup_vault.backupvault] } #Create a Trusted Access Role Binding between AKS Cluster and Backup Vault resource "azurerm_kubernetes_cluster_trusted_access_role_binding" "trustedaccess" { kubernetes_cluster_id = azurerm_kubernetes_cluster.akscluster.id name = "backuptrustedaccess" roles = ["Microsoft.DataProtection/backupVaults/backup-operator"] source_resource_id = azurerm_data_protection_backup_vault.backupvault.id depends_on = [resource.azurerm_data_protection_backup_vault.backupvault, azurerm_kubernetes_cluster.akscluster] } #Create a Backup Storage Account provided in input for Backup Extension Installation resource "azurerm_storage_account" "backupsa" { name = "tfaksbackup1604" resource_group_name = azurerm_resource_group.backuprg.name ___location = azurerm_resource_group.backuprg.___location account_tier = "Standard" account_replication_type = "LRS" depends_on = [azurerm_kubernetes_cluster_trusted_access_role_binding.trustedaccess] } #Create a Blob Container where backup items will stored resource "azurerm_storage_container" "backupcontainer" { name = "tfbackup" storage_account_name = azurerm_storage_account.backupsa.name container_access_type = "private" depends_on = [azurerm_storage_account.backupsa] } #Create Backup Extension in AKS Cluster resource "azurerm_kubernetes_cluster_extension" "dataprotection" { name = var.backup_extension_name cluster_id = azurerm_kubernetes_cluster.akscluster.id extension_type = var.backup_extension_type configuration_settings = { "configuration.backupStorageLocation.bucket" = azurerm_storage_container.backupcontainer.name "configuration.backupStorageLocation.config.storageAccount" = azurerm_storage_account.backupsa.name "configuration.backupStorageLocation.config.resourceGroup" = azurerm_storage_account.backupsa.resource_group_name "configuration.backupStorageLocation.config.subscriptionId" = data.azurerm_client_config.current.subscription_id "credentials.tenantId" = data.azurerm_client_config.current.tenant_id "configuration.backupStorageLocation.config.useAAD" = true "configuration.backupStorageLocation.config.storageAccountURI" = azurerm_storage_account.backupsa.primary_blob_endpoint } depends_on = [azurerm_storage_container.backupcontainer] } #Assign Role to Extension Identity over Storage Account resource "azurerm_role_assignment" "extensionrole" { scope = azurerm_storage_account.backupsa.id role_definition_name = "Storage Blob Data Contributor" principal_id = azurerm_kubernetes_cluster_extension.dataprotection.aks_assigned_identity[0].principal_id depends_on = [azurerm_kubernetes_cluster_extension.dataprotection] } #Assign Role to Backup Vault over AKS Cluster resource "azurerm_role_assignment" "vault_msi_read_on_cluster" { scope = azurerm_kubernetes_cluster.akscluster.id role_definition_name = "Reader" principal_id = azurerm_data_protection_backup_vault.backupvault.identity[0].principal_id depends_on = [azurerm_kubernetes_cluster.akscluster,resource.azurerm_data_protection_backup_vault.backupvault] } #Assign Role to Backup Vault over Snapshot Resource Group resource "azurerm_role_assignment" "vault_msi_read_on_snap_rg" { scope = azurerm_resource_group.backuprg.id role_definition_name = "Reader" principal_id = azurerm_data_protection_backup_vault.backupvault.identity[0].principal_id depends_on = [azurerm_kubernetes_cluster.akscluster,resource.azurerm_data_protection_backup_vault.backupvault] } #Assign Role to AKS Cluster over Snapshot Resource Group resource "azurerm_role_assignment" "cluster_msi_contributor_on_snap_rg" { scope = azurerm_resource_group.backuprg.id role_definition_name = "Contributor" principal_id = try(azurerm_kubernetes_cluster.akscluster.identity[0].principal_id,null) depends_on = [azurerm_kubernetes_cluster.akscluster,resource.azurerm_kubernetes_cluster.akscluster,resource.azurerm_resource_group.backuprg] } #Create Backup Instance for AKS Cluster resource "azurerm_data_protection_backup_instance_kubernetes_cluster" "akstfbi" { name = "example" ___location = azurerm_resource_group.backuprg.___location vault_id = azurerm_data_protection_backup_vault.backupvault.id kubernetes_cluster_id = azurerm_kubernetes_cluster.akscluster.id snapshot_resource_group_name = azurerm_resource_group.backuprg.name backup_policy_id = azurerm_data_protection_backup_policy_kubernetes_cluster.policy.id backup_datasource_parameters { excluded_namespaces = [] excluded_resource_types = [] cluster_scoped_resources_enabled = true included_namespaces = [] included_resource_types = [] label_selectors = [] volume_snapshot_enabled = true } depends_on = [ resource.azurerm_data_protection_backup_vault.backupvault, azurerm_data_protection_backup_policy_kubernetes_cluster.policy, azurerm_role_assignment.extensionrole, azurerm_role_assignment.vault_msi_read_on_cluster, azurerm_role_assignment.vault_msi_read_on_snap_rg, azurerm_role_assignment.cluster_msi_contributor_on_snap_rg ] }Create a file named
variables.tfand insert the following code:variable "aks_cluster_name" { type = string default = "Contoso_AKS_TF" description = "Name of the AKS Cluster." } variable "backup_extension_name" { type = string default = "azure-aks-backup" description = "Name of the AKS Cluster Extension." } variable "backup_extension_type" { type = string default = "microsoft.dataprotection.kubernetes" description = "Type of the AKS Cluster Extension." } variable "dns_prefix" { type = string default = "contoso-aks-dns-tf" description = "DNS Name of AKS Cluster made with Terraform" } variable "node_count" { type = number description = "The initial quantity of nodes for the node pool." default = 3 } variable "resource_group_location" { type = string default = "eastus" description = "Location of the resource group." } variable "backup_resource_group_name" { type = string default = "Contoso_TF_Backup_RG" description = "Location of the resource group." } variable "backup_resource_group_location" { type = string default = "eastus" description = "Location of the resource group." } variable "resource_group_name" { type = string default = "Contoso_TF_RG" description = "Location of the resource group." } variable "cluster_id" { type = string default = "/subscriptions/c3d3eb0c-9ba7-4d4c-828e-cb6874714034/resourceGroups/Contoso_TF_RG/providers/Microsoft.ContainerService/managedClusters/Contoso_AKS_TF" description = "Location of the resource group." } variable "backupvault_name" { type = string default = "BackupVaultTF" description = "Name of the Backup Vault" } variable "datastore_type" { type = string default = "OperationalStore" } variable "redundancy" { type = string default = "LocallyRedundant" } variable "backuppolicy_name" { type = string default = "aksbackuppolicytfv1" }Create a file named
outputs.tfand insert the following code:output "aks_resource_group" { value = azurerm_resource_group.rg.name } output "snapshot_resource_group" { value = azurerm_resource_group.backuprg.name } output "kubernetes_cluster_name" { value = azurerm_kubernetes_cluster.akscluster.name } output "backup_vault_name" { value = azurerm_data_protection_backup_vault.backupvault.name } output "backup_instance_id" { value = azurerm_data_protection_backup_instance_kubernetes_cluster.akstfbi.id }
Initialize Terraform
Run terraform init to initialize the Terraform deployment. This command downloads the Azure provider required to manage your Azure resources.
terraform init -upgrade
Key points:
- The
-upgradeparameter upgrades the necessary provider plugins to the newest version that complies with the configuration's version constraints.
Create a Terraform execution plan
Run terraform plan to create an execution plan.
terraform plan -out main.tfplan
Key points:
- The
terraform plancommand creates an execution plan, but doesn't execute it. Instead, it determines what actions are necessary to create the configuration specified in your configuration files. This pattern allows you to verify whether the execution plan matches your expectations before making any changes to actual resources. - The optional
-outparameter allows you to specify an output file for the plan. Using the-outparameter ensures that the plan you reviewed is exactly what is applied.
Apply a Terraform execution plan
Run terraform apply to apply the execution plan to your cloud infrastructure.
terraform apply main.tfplan
Key points:
- The example
terraform applycommand assumes you previously ranterraform plan -out main.tfplan. - If you specified a different filename for the
-outparameter, use that same filename in the call toterraform apply. - If you didn't use the
-outparameter, callterraform applywithout any parameters.
Troubleshoot Terraform on Azure
When you use Terraform on Azure, you can encounter common issues. Learn how to troubleshoot.
Next step
In this quickstart, you learned how to deploy a Kubernetes cluster, create a Backup vault, and configure backup for the Kubernetes cluster.
Learn more about: