✅ Objective:
Create a CloudFormation template that:
- Creates an IAM user
- Grants access to Amazon RDS
- Deploys using an Azure DevOps CI/CD pipeline
- Uses a preconfigured AWS service connection in Azure DevOps
🧩 PART 1: CloudFormation Template
Create a file named: iam-user-rds-access.yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Create IAM user and grant RDS access

Resources:
  MotoshareIAMUser:
    Type: AWS::IAM::User
    Properties:
      UserName: motoshare-user
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonRDSFullAccess # Gives full access to RDS

  IAMUserAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref MotoshareIAMUser
      Status: Active

Outputs:
  IAMUserName:
    Description: IAM Username
    Value: !Ref MotoshareIAMUser
  AccessKey:
    Description: IAM Access Key
    Value: !Ref IAMUserAccessKey
  SecretAccessKey:
    Description: Secret Access Key
    Value: !GetAtt IAMUserAccessKey.SecretAccessKey
🔐 This gives the IAM user AmazonRDSFullAccess permission. You can change this to a custom policy ARN if needed.
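A variant of the template above that keeps the secret key out of the stack Outputs, where any principal allowed to call cloudformation:DescribeStacks can read it in plain text, and writes the key pair to AWS Secrets Manager instead. This is an added example, not part of the original tutorial; the IAMUserCredentials resource, the secret name and the CredentialsSecretArn output are assumptions introduced here.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Create IAM user with RDS access; store its access key in Secrets Manager

Resources:
  MotoshareIAMUser:
    Type: AWS::IAM::User
    Properties:
      UserName: motoshare-user
      Path: /
      ManagedPolicyArns:
        # Same policy as the tutorial; swap in a narrower custom policy ARN
        # once the RDS actions this user really needs are known.
        - arn:aws:iam::aws:policy/AmazonRDSFullAccess

  IAMUserAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref MotoshareIAMUser
      Status: Active

  # Assumed resource (not in the original template): holds the key pair so
  # that reading it requires secretsmanager:GetSecretValue on this secret.
  IAMUserCredentials:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: motoshare-user/access-key   # assumed secret name
      Description: Access key for motoshare-user
      # ${IAMUserAccessKey} resolves to the access key ID (Ref);
      # ${IAMUserAccessKey.SecretAccessKey} resolves to the secret (GetAtt).
      SecretString: !Sub '{"AccessKeyId":"${IAMUserAccessKey}","SecretAccessKey":"${IAMUserAccessKey.SecretAccessKey}"}'

Outputs:
  IAMUserName:
    Description: IAM Username
    Value: !Ref MotoshareIAMUser
  CredentialsSecretArn:
    Description: ARN of the Secrets Manager secret holding the access key
    Value: !Ref IAMUserCredentials
  # No AccessKey / SecretAccessKey outputs: output values are stored
  # unencrypted and returned by DescribeStacks and the console.
```

The key pair can then be read with `aws secretsmanager get-secret-value --secret-id motoshare-user/access-key` by a principal that has been granted access to that secret.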
🧩 PART 2: Azure DevOps Pipeline Configuration
You already have an AWS service connection set up in Azure DevOps (using IAM credentials or AssumeRole). Let’s configure the pipeline to use it.
🔹 Step 1: Create your Azure DevOps repo and push the YAML template
git clone <your-repo>
cd <your-repo>
mkdir cloudformation
mv iam-user-rds-access.yaml cloudformation/
git add .
git commit -m "Add CloudFormation for IAM user and RDS access"
git push
🔹 Step 2: Define Your Azure DevOps Pipeline
Create a file in the root of your repo called: .azure-pipelines/pipeline.yml
trigger:
  branches:
    include:
      - main

variables:
  stackName: "MotoshareIAMUserStack"
  templateFile: "cloudformation/iam-user-rds-access.yaml"
  region: "us-east-1" # Change if needed

stages:
  - stage: DeployIAMUser
    displayName: "Deploy IAM User to AWS via CloudFormation"
    jobs:
      - job: DeployCF
        displayName: "Run CloudFormation Deployment"
        pool:
          vmImage: 'ubuntu-latest'
        steps:
          - task: AWSCloudFormationCreateOrUpdateStack@1
            name: deployIAM
            inputs:
              awsCredentials: '<Your-AWS-Service-Connection-Name>'
              regionName: $(region)
              stackName: $(stackName)
              templateFile: $(templateFile)
              capabilities: 'CAPABILITY_NAMED_IAM'
Make sure to replace <Your-AWS-Service-Connection-Name> with the exact name of your AWS service connection in Azure DevOps.
🔹 Step 3: Configure Your Azure DevOps Project
- Go to your Azure DevOps project
- Navigate to Pipelines → Service Connections
- Ensure the AWS service connection is created and authorized for all pipelines
- Create a new pipeline via YAML
- Point it to your repo and select .azure-pipelines/pipeline.yml
- Run the pipeline 🚀
✅ What Will Happen?
- The pipeline runs when you push to the main branch
- It deploys iam-user-rds-access.yaml via CloudFormation
- The IAM user is created with full RDS access
- The Access Key and Secret are available in Outputs (⚠️ only viewable once)
Error
A task is missing. The pipeline references a task called 'AWSCloudFormationCreateOrUpdateStack'. This usually indicates the task isn't installed, and you may be able to install it from the Marketplace: https://marketplace.visualstudio.com. (Task version 1, job 'DeployCF', step 'deployIAM'.)
