Automating OCI Volume Group Backup Cleanup Using OCI CLI (Cost Optimization)

Overview

In Oracle Cloud Infrastructure (OCI), Block Volume and Volume Group backups are critical for data protection.
However, retaining old backups indefinitely leads to unnecessary storage costs, especially in production and DR environments.

In this post, I demonstrate how to automate the cleanup of OCI Volume Group backups older than 7 days using OCI CLI, with:

  • Safe filtering logic
  • Multi-compartment support
  • Logging and audit-friendly output
  • Optional dry-run mode

⚠️ This demonstration is executed in a personal OCI tenancy using test resources.
The same automation pattern is applicable to enterprise environments without exposing customer data.

Oracle Products Used

  • Oracle Cloud Infrastructure
  • OCI Block Volume
  • Volume Groups
  • OCI CLI
  • IAM
  • OCI Cloud Shell / Linux Compute

Why This Automation Is Needed

Common Problems Observed

  • Backup policies create daily volume group backups
  • Old incremental backups remain unused
  • Manual cleanup is error-prone
  • No centralized visibility across compartments

Benefits of Automation

  • Reduced Object Storage cost
  • Consistent retention enforcement
  • Repeatable and auditable process
  • Zero manual intervention

OCI CLI → List Compartments → List Volume Group Backups → Filter by Creation Date → Delete Backups Older Than 7 Days → Log Actions

The script can run from:

  • OCI Cloud Shell
  • OCI Compute instance
  • On-prem system with OCI CLI configured

Prerequisites

IAM Policy

Ensure the executing user or dynamic group has:

Allow group BackupAdmins to manage volume-family in tenancy
Allow group BackupAdmins to inspect compartments in tenancy

Tools Required

  • OCI CLI (v3.x or later)
  • jq
  • Bash shell

OCI Cloud Shell already includes all required tools.

Configuration Parameters

The script uses configurable values to make it reusable:

TENANCY_OCID="ocid1.tenancy.oc1..xxxx"
DAYS_OLD=7
LOG_DIR="$HOME/oci_backup_cleanup_logs"

Script Logic Explained

Step 1: Calculate Cutoff Date

CUTOFF_DATE=$(date -u -d "$DAYS_OLD days ago" +%Y-%m-%dT%H:%M:%SZ)

Only backups created before this timestamp are deleted.

Step 2: Fetch All Compartments

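oci iam compartment list \
  --compartment-id "$TENANCY_OCID" \
  --compartment-id-in-subtree true \
  --all \
  --query "data[?\"lifecycle-state\"=='ACTIVE'].id | join(' ', @)" \
  --raw-output

With --compartment-id-in-subtree true the listing covers the whole tenancy, including nested compartments, and join() returns the OCIDs as one space-separated line that a shell loop can iterate. The root compartment itself is not part of the result; backups stored directly in the root need $TENANCY_OCID processed as well.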

Step 3: List Volume Group Backups Per Compartment

oci bv volume-group-backup list \
  --compartment-id "$COMP_ID" \
  --all

Step 4: Filter Backups Older Than 7 Days

jq -r --arg cutoff "$CUTOFF_DATE" '
  .data[] |
  select(.["time-created"] < $cutoff) |
  .id
'

This avoids deleting recent or in-use backups.

Step 5: Delete Eligible Backups

oci bv volume-group-backup delete \
  --volume-group-backup-id "$BACKUP_ID" \
  --force

Full Production-Ready Script:

#!/bin/bash

# Configuration
TENANCY_OCID="ocid1.tenancy.oc1..xxxx"
DAYS_OLD=7
LOG_DIR="$HOME/oci_backup_cleanup_logs"
LOG_FILE="$LOG_DIR/volume_group_cleanup_$(date +%Y%m%d_%H%M%S).log"

mkdir -p "$LOG_DIR"
touch "$LOG_FILE"

# Backups created before this UTC timestamp are eligible for deletion (GNU date syntax)
CUTOFF_DATE=$(date -u -d "$DAYS_OLD days ago" +%Y-%m-%dT%H:%M:%SZ)

echo "Cleanup started at $(date)" | tee -a "$LOG_FILE"
echo "Deleting backups older than $CUTOFF_DATE" | tee -a "$LOG_FILE"

# ACTIVE compartments below the root, nested ones included, as one space-separated line
COMPARTMENTS=$(oci iam compartment list \
  --compartment-id "$TENANCY_OCID" \
  --compartment-id-in-subtree true \
  --all \
  --query "data[?\"lifecycle-state\"=='ACTIVE'].id | join(' ', @)" \
  --raw-output)

# The list call does not return the root compartment itself, so process it explicitly
for COMP_ID in $TENANCY_OCID $COMPARTMENTS; do
  echo "Processing compartment: $COMP_ID" | tee -a "$LOG_FILE"

  # OCIDs of volume group backups created before the cutoff
  BACKUPS=$(oci bv volume-group-backup list \
    --compartment-id "$COMP_ID" \
    --all \
    | jq -r --arg cutoff "$CUTOFF_DATE" '
      .data[] |
      select(.["time-created"] < $cutoff) |
      .id
    ')

  for BACKUP_ID in $BACKUPS; do
    echo "Deleting backup: $BACKUP_ID" | tee -a "$LOG_FILE"
    # --force skips the confirmation prompt; CLI output and errors go to the log
    oci bv volume-group-backup delete \
      --volume-group-backup-id "$BACKUP_ID" \
      --force \
      >> "$LOG_FILE" 2>&1
  done
done

echo "Cleanup completed at $(date)" | tee -a "$LOG_FILE"

Sample Log Output

Processing compartment: ocid1.compartment.oc1..aaa
Deleting backup: ocid1.volumegroupbackup.oc1..bbb
Cleanup completed successfully

Logs can be archived or uploaded to Object Storage for audit purposes.

Optional Enhancements

  • Dry-run mode (list only)
  • Email notification on deletion
  • Object Storage log archival
  • Cron-based scheduling
  • Tag-based exclusion (e.g., retain=longterm)
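
Two of the enhancements listed above, dry-run mode and tag-based exclusion, as an added example that is not part of the original script. The function names, the DRY_RUN variable, the use of a freeform tag retain=longterm as the exclusion marker, and the sample JSON are assumptions made for illustration; the example also skips backups that are not in the AVAILABLE state.

```shell
#!/bin/bash
# Added example: candidate selection with a tag exclusion and a dry-run switch.

# Reads `oci bv volume-group-backup list` JSON on stdin and prints the OCIDs
# that are AVAILABLE, older than the cutoff, and not tagged retain=longterm
# (the freeform tag name/value is an assumption taken from the list above).
select_expired_backups() {
  jq -r --arg cutoff "$1" '
    .data[]
    | select(.["lifecycle-state"] == "AVAILABLE")
    | select(.["time-created"] < $cutoff)
    | select((.["freeform-tags"] // {}).retain != "longterm")
    | .id'
}

# Reads OCIDs on stdin. DRY_RUN defaults to true, so nothing is deleted
# unless the caller sets DRY_RUN=false explicitly.
cleanup_backups() {
  local backup_id
  while read -r backup_id; do
    [ -n "$backup_id" ] || continue
    if [ "${DRY_RUN:-true}" = "true" ]; then
      echo "DRY-RUN would delete: $backup_id"
    else
      echo "Deleting backup: $backup_id"
      oci bv volume-group-backup delete \
        --volume-group-backup-id "$backup_id" --force < /dev/null
    fi
  done
}

# Constructed sample of the list output (placeholder OCIDs, not real ones).
SAMPLE_JSON='{"data":[
 {"id":"ocid1.volumegroupbackup.oc1..old","lifecycle-state":"AVAILABLE",
  "time-created":"2024-01-01T02:00:00.000000+00:00","freeform-tags":{}},
 {"id":"ocid1.volumegroupbackup.oc1..keep","lifecycle-state":"AVAILABLE",
  "time-created":"2024-01-02T02:00:00.000000+00:00","freeform-tags":{"retain":"longterm"}},
 {"id":"ocid1.volumegroupbackup.oc1..new","lifecycle-state":"AVAILABLE",
  "time-created":"2024-01-12T02:00:00.000000+00:00","freeform-tags":{}},
 {"id":"ocid1.volumegroupbackup.oc1..gone","lifecycle-state":"TERMINATED",
  "time-created":"2024-01-03T02:00:00.000000+00:00","freeform-tags":{}}
]}'

# Only the first entry qualifies; with DRY_RUN=true it is reported, not deleted.
DRY_RUN=true
printf '%s\n' "$SAMPLE_JSON" | select_expired_backups "2024-01-10T00:00:00Z" | cleanup_backups
```

Reviewing the dry-run output before setting DRY_RUN=false gives an audit record of exactly which backups a run would remove.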

Cost Optimization Impact

  • Volume Group backups incur Object Storage charges
  • Cleanup reduces:
    • Storage footprint
    • DR replication costs
    • Long-term archival overhead

In large tenancies, this automation can save thousands per month.

Security & Safety Considerations

  • Uses OCI-native IAM
  • No hardcoded secrets
  • Deterministic date filtering
  • The --force flag skips the interactive confirmation prompt, so the script can run unattended

Lessons Learned

  • OCI CLI is powerful for governance automation
  • jq simplifies JSON filtering
  • Multi-compartment traversal is essential
  • Logging is critical for audit readiness
  • Automation should enforce—not replace—backup policy design

Conclusion

This demonstration shows how OCI CLI can be leveraged to implement operational governance and cost control in a safe, auditable, and scalable way.

Such automations are essential for production-grade OCI environments and align well with enterprise FinOps and compliance practices.

🔗 About the Author

Debapriya Biswas
Oracle ACE Apprentice | Sr. Consultant – Cloud Technologies
Focused on OCI Automation, Networking, and Hybrid Cloud Architectures

 
