
ACAI VECTO Deployment

VECTO Version: 1.1.0

Duration: 1 hour

Prerequisites

AWS side:
  • Select one AWS account of your AWS Organization as the Core IaC CI/CD account
  • Nominate this account as delegated administrator for CloudFormation

Azure DevOps side:
  • Administrator access to the Azure DevOps (ADO) project for managing the AWS Core Accounts

Your local machine:
  • Git client installed
  • Azure DevOps CLI installed (the az CLI with the azure-devops extension)

VECTO Setup Preparation

Manual Resource Creation

In this step you will create the following resources:

AWS side (via CloudFormation):
  • IAM User with CLI credentials
  • S3 bucket for VECTO Setup Terraform state

Azure DevOps side:
  • Personal Access Token (PAT)
  • Pipeline Library Variable Group
  • Service Connection AWS
  • VECTO Module Repository (optional)
  • VECTO Setup Pipeline Repository
  • VECTO Setup Pipeline

VECTO-PREPARATION-OVERVIEW

Setup Preparation - AWS Side

This preparation step creates the following AWS resources using a CloudFormation template:

  • IAM User with CLI credentials
  • S3 bucket for VECTO Setup Terraform state
Step 1 – Create VECTO Setup CloudFormation Stack
  1. Log in to the Core IaC CI/CD AWS account and navigate to CloudFormation
  2. Select Create stack → With new resources

VECTO-PREPARATION-AWS-CF

Step 2 – Configure Stack Template

Apply the settings shown in the screenshot and paste the following URL as the Amazon S3 URL:

https://acai-solutions-public-381492174777-euc1.s3.eu-central-1.amazonaws.com/vecto/setup.yaml
VECTO-PREPARATION-AWS-CF-1

Step 3 – Specify Stack Details
  1. Specify a stack name (e.g., vecto-setup-preparation); the cleanup section at the end of this page refers to this name
  2. For the parameter S3BucketName, provide a globally unique bucket name (e.g., add the account ID as a suffix)

VECTO-PREPARATION-AWS-CF-2

Step 4 – Configure Stack Options

VECTO-PREPARATION-AWS-CF-3

Step 5 – Review and Create

VECTO-PREPARATION-AWS-CF-4

Step 6 – View Stack Outputs

After the CloudFormation stack deployment completes, navigate to the Outputs tab to view the created resources.

VECTO-PREPARATION-AWS-CF-COMPLETED

  1. Note the TerraformStateBucketName value from the outputs; you will need it when running the VECTO Setup pipeline
  2. Navigate to AWS Secrets Manager and locate the secret named vecto_setup_tf_provisioner_access_keys
  3. Retrieve the secret value to obtain the AccessKeyId and SecretAccessKey of the created IAM user. These are long-lived credentials: copy them only into the Azure DevOps service connection described below, and revoke the user's permissions as described in the section Cleanup VECTO Preparation Stage once the OIDC connection is working
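Steps 2 and 3 can also be done from the command line. The following Bash script is an added example written for this page; it is not part of the ACAI VECTO documentation or of the VECTO module. It reads the secret with the AWS CLI, checks that the values have the shape of a long-term IAM access key pair, confirms with STS which account they belong to, and prints them as export statements for the operator who fills in the service connection. It assumes that the secret value is a JSON object with the keys AccessKeyId and SecretAccessKey, that the stack was deployed in eu-central-1 (override with AWS_REGION), and that your own credentials are allowed to read that secret; none of this is stated on the page.

```bash
#!/usr/bin/env bash
# Added example, not part of the ACAI VECTO documentation or the VECTO module.
# Reads the CLI credentials of the IAM user created by the vecto-setup-preparation stack
# from AWS Secrets Manager, validates their shape, checks them against STS and prints
# them as shell exports.
#
# Assumptions not stated on the page: the secret value is a JSON object with the string
# keys "AccessKeyId" and "SecretAccessKey", the stack lives in eu-central-1, and the
# caller's own credentials may read that secret.
set -eu

SECRET_ID="vecto_setup_tf_provisioner_access_keys"   # secret name from the stack outputs step
REGION="${AWS_REGION:-eu-central-1}"                  # assumed stack region

# Extract a string value from a flat JSON object without depending on jq.
# Prints the value; returns 1 if the key is missing or its value is not a string.
json_field() {
  _json="$1"; _key="$2"
  _value=$(printf '%s' "$_json" \
    | sed -n "s/.*\"$_key\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p")
  [ -n "$_value" ] || return 1
  printf '%s' "$_value"
}

# Long-term IAM user keys are 20 characters starting with AKIA. A key starting with ASIA
# would be a temporary credential, i.e. the secret would not hold the user's own keys.
is_long_term_key_id() {
  case "$1" in
    AKIA????????????????) return 0 ;;
    *) return 1 ;;
  esac
}

# Secret access keys are 40 characters of [A-Za-z0-9/+]. Checking this before the value
# is emitted as an export line also keeps shell metacharacters out of a later eval.
is_secret_access_key() {
  [ "${#1}" -eq 40 ] || return 1
  case "$1" in
    *[!A-Za-z0-9/+]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Turn the raw secret string into validated export lines on stdout, or fail loudly.
export_lines_from_secret() {
  _id=$(json_field "$1" AccessKeyId)      || { echo "AccessKeyId missing in secret" >&2; return 1; }
  _sak=$(json_field "$1" SecretAccessKey) || { echo "SecretAccessKey missing in secret" >&2; return 1; }
  is_long_term_key_id "$_id"   || { echo "unexpected AccessKeyId format: $_id" >&2; return 1; }
  is_secret_access_key "$_sak" || { echo "unexpected SecretAccessKey format" >&2; return 1; }
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$_id"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$_sak"
  printf 'unset AWS_SESSION_TOKEN\n'   # long-term keys carry no session token
}

main() {
  _secret=$(aws secretsmanager get-secret-value --region "$REGION" \
              --secret-id "$SECRET_ID" --query SecretString --output text)
  _exports=$(export_lines_from_secret "$_secret")
  # Confirm the keys are usable and belong to the Core IaC CI/CD account before handing
  # them out. sts:GetCallerIdentity needs no IAM permission, so this works for any user.
  ( eval "$_exports"; aws sts get-caller-identity --query '[Account,Arn]' --output text >&2 )
  printf '%s\n' "$_exports"
}

case "${1:-}" in
  fetch) main ;;
esac
```

Run it as `eval "$(./vecto-creds.sh fetch)"`: the caller identity goes to stderr, only the export lines go to stdout. Because the cleanup step at the end of this page removes the user's permissions rather than deleting the key, unset these variables again as soon as the service connection has been filled in.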

Setup Preparation - Azure DevOps Side

In this preparation, the following ADO resources will be created manually:

  • Personal Access Token (PAT)
  • Pipeline Library Variable Group
  • Service Connection AWS
  • VECTO Module Repository
  • VECTO Setup Pipeline Repository
  • VECTO Setup Pipeline

Login to your Azure DevOps project for managing the AWS Core Accounts with administrator permissions.

Personal Access Token (PAT)

VECTO needs a Personal Access Token to create and manage repositories and pipelines in your Azure DevOps project.

The general procedure for working with PATs is described in the Microsoft documentation:
Use personal access tokens to authenticate

Step 1 – Open the Personal Access Tokens page

Navigate to the PAT management page:

https://dev.azure.com/<YOUR_ADO_ORGANIZATION_NAME>/_usersSettings/tokens
VECTO-PREPARATION-ADO-PAT-1

Step 2 – Create a new PAT
  1. Select + New Token
  2. Fill in the form and choose Create:
  • Name: VECTO_ADO_MANAGEMENT_ACCESS
  • Organization: Select the organization that hosts the Azure DevOps project
  • Expiration: Pick a validity period (maximum 1 year); note the date, because the VECTO pipelines stop working when the PAT expires
  • Scopes: Choose Full access. Restrict the scope (e.g., Project & Team → Read) once the VECTO setup tasks are completed.

VECTO-PREPARATION-ADO-PAT-2

Step 3 – Store the token securely
  1. Copy the generated token and keep it in a secure location; Azure DevOps does not display it again
  2. You will reference it when creating the Pipeline Library variable group (see section Pipeline Library – Variable Group)

Service Connection – AWS

Create an Azure DevOps Service Connection so the VECTO Setup pipeline can authenticate with AWS.

Step 1 – Open the Service connections page

Navigate to Project Settings → Pipelines → Service connections:

https://dev.azure.com/<YOUR_ADO_ORGANIZATION_NAME>/<YOUR_ADO_PROJECT_NAME>/_settings/adminservices
VECTO-PREPARATION-ADO-SERVICE-CONNECTION-1

Step 2 – Start the wizard
  1. Choose + New service connection
  2. Select AWS and click Next

VECTO-PREPARATION-ADO-SERVICE-CONNECTION-2

Step 3 – Configure the AWS connection

Complete the form and click Save:

  • Access Key ID: Access key ID of the IAM user created by the CloudFormation stack (the AccessKeyId value of the secret vecto_setup_tf_provisioner_access_keys in AWS Secrets Manager)
  • Secret Access Key: Secret access key of the same IAM user (the SecretAccessKey value of the same secret)
  • Service Connection Name: vecto-setup-provisioner
  • Description: Allows the VECTO setup pipeline to access AWS.

VECTO-PREPARATION-ADO-SERVICE-CONNECTION-3

Retrieve the credentials from AWS Secrets Manager:
VECTO-PREPARATION-ADO-SERVICE-CONNECTION-4

Clone the VECTO Module Repository

The VECTO Terraform module lives in the acai-consulting GitHub organization. Import it into your Azure DevOps project as follows:

Step 1 – Create an empty repository

PowerShell:

# Prerequisite: Azure DevOps CLI with the 'azure-devops' extension
az extension add --name azure-devops

# Configure organization and project defaults
az devops configure --defaults `
    organization=https://dev.azure.com/<YOUR_ADO_ORGANIZATION_NAME> `
    project=<YOUR_ADO_PROJECT_NAME>

# Create the target repository
az repos create --name terraform-aws-acai-vecto

Bash:

# Prerequisite: Azure DevOps CLI with the 'azure-devops' extension
az extension add --name azure-devops

# Configure organization and project defaults
az devops configure --defaults \
    organization=https://dev.azure.com/<YOUR_ADO_ORGANIZATION_NAME> \
    project=<YOUR_ADO_PROJECT_NAME>

# Create the target repository
az repos create --name terraform-aws-acai-vecto
Step 2 – Import from ACAI GitHub Repository

PowerShell:

# Supply a GitHub PAT with read access to the ACAI repositories
$Env:AZURE_DEVOPS_EXT_GIT_SOURCE_PASSWORD_OR_PAT = '<GitHub PAT with ACAI repo access>'

# Import the module from GitHub into the newly created Azure DevOps repo
az repos import create `
    --repository terraform-aws-acai-vecto `
    --git-source-url https://github.com/acai-consulting/terraform-aws-acai-vecto.git `
    --requires-authorization `
    --user-name github-acai-access

Bash:

# Supply a GitHub PAT with read access to the ACAI repositories
export AZURE_DEVOPS_EXT_GIT_SOURCE_PASSWORD_OR_PAT='<GitHub PAT with ACAI repo access>'

# Import the module from GitHub into the newly created Azure DevOps repo
az repos import create \
    --repository terraform-aws-acai-vecto \
    --git-source-url https://github.com/acai-consulting/terraform-aws-acai-vecto.git \
    --requires-authorization \
    --user-name github-acai-access

Clone the VECTO Setup Pipeline Repository

The template for the VECTO Setup pipeline repository lives in the acai-consulting GitHub organization:

https://github.com/acai-consulting/terraform-aws-acai-vecto-setup-pipeline.git

Import it into your Azure DevOps project as follows:

Step 1 – Create an empty repository

PowerShell:

# Prerequisite: Azure DevOps CLI with the 'azure-devops' extension
az extension add --name azure-devops

# Configure organization and project defaults
az devops configure --defaults `
    organization=https://dev.azure.com/<YOUR_ADO_ORGANIZATION_NAME> `
    project=<YOUR_ADO_PROJECT_NAME>

# Create the target repository
az repos create --name Pipeline--VECTO-Setup

Bash:

# Prerequisite: Azure DevOps CLI with the 'azure-devops' extension
az extension add --name azure-devops

# Configure organization and project defaults
az devops configure --defaults \
    organization=https://dev.azure.com/<YOUR_ADO_ORGANIZATION_NAME> \
    project=<YOUR_ADO_PROJECT_NAME>

# Create the target repository
az repos create --name Pipeline--VECTO-Setup
Step 2 – Import from ACAI GitHub Repository

PowerShell:

# Import the pipeline template from GitHub into the newly created Azure DevOps repo
az repos import create `
    --repository Pipeline--VECTO-Setup `
    --git-source-url https://github.com/acai-consulting/terraform-aws-acai-vecto-setup-pipeline.git `
    --user-name github-acai-access

Bash:

# Import the pipeline template from GitHub into the newly created Azure DevOps repo
az repos import create \
    --repository Pipeline--VECTO-Setup \
    --git-source-url https://github.com/acai-consulting/terraform-aws-acai-vecto-setup-pipeline.git \
    --user-name github-acai-access

Create VECTO Setup Pipeline

Step 1 – Open the Pipelines page

Navigate to Pipelines and click New pipeline:

https://dev.azure.com/<YOUR_ADO_ORGANIZATION_NAME>/<YOUR_ADO_PROJECT_NAME>/_build
VECTO-PREPARATION-ADO-PIPELINES-1

Step 2 – Where is your code?
  1. Choose Azure Repos Git
  2. Select Pipeline--VECTO-Setup as repository

VECTO-PREPARATION-ADO-PIPELINES-2

Step 3 – Configure your pipeline

Choose Existing Azure Pipelines YAML file and select the pipeline YAML file from the imported Pipeline--VECTO-Setup repository.
VECTO-PREPARATION-ADO-PIPELINES-3

Step 4 – Save the pipeline

Choose Save rather than Run: the pipeline is run later, after the variable group it depends on has been created and granted to it.
VECTO-PREPARATION-ADO-PIPELINES-4

Pipeline Library – Variable Group

The VECTO Setup and the VECTO pipelines require a Personal Access Token to create and manage Azure DevOps repositories and pipelines.

Store this PAT in a Pipeline Library Variable Group.

Step 1 – Open Pipelines > Library

Navigate to the Variable Groups page:

https://dev.azure.com/<YOUR_ADO_ORGANIZATION_NAME>/<YOUR_ADO_PROJECT_NAME>/_library?itemType=VariableGroups
VECTO-PREPARATION-ADO-VARGROUP-1

Step 2 – Create the Variable Group
  1. Select + Variable group
  2. Complete the form and click Save:
  • Variable group name: VECTO_ACCESS_TOKEN
  • Description: Used by VECTO to manage Azure DevOps resources for the AWS Core pipelines.
  • Variable 1 name: PAT-VECTO_REPO_ACCESS
  • Variable 1 value: If you host the VECTO module repository in the same Azure DevOps project (the default), you can reuse the PAT you generated earlier (see section Personal Access Token)
  • Variable 1 lock: Enable the lock icon so the PAT is stored as a secret and not shown in the UI or in logs
  • Variable 2 name: PAT-VECTO_ADO_MANAGEMENT_ACCESS
  • Variable 2 value: Paste the PAT you generated earlier (see section Personal Access Token)
  • Variable 2 lock: Enable the lock icon so the PAT is stored as a secret and not shown in the UI or in logs

VECTO-PREPARATION-ADO-VARGROUP-2

Step 3 – Grant access to the VECTO Setup Pipeline
  1. Click Pipeline permissions
  2. Click + and add the Pipeline--VECTO-Setup pipeline; granting the group only to this pipeline (instead of to all pipelines in the project) keeps the PATs out of reach of unrelated pipelines

VECTO-PREPARATION-ADO-VARGROUP-3
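The same variable group can be created non-interactively. The script below is an added example written for this page; it is not code from the ACAI VECTO documentation or the VECTO module. It uses the az pipelines variable-group commands of the azure-devops extension that the repository import steps already rely on, marks both PAT variables as secret (the CLI equivalent of the lock icon), leaves the group unauthorized for all pipelines so that the per-pipeline grant of Step 3 is still required, and then verifies that no plain-text variable remains. Assumed for this example and not stated on the page: az devops configure --defaults has been run for your organization and project, and the two PATs are supplied in the environment variables VECTO_MGMT_PAT and VECTO_REPO_PAT (names chosen here).

```bash
#!/usr/bin/env bash
# Added example, not part of the ACAI VECTO documentation or the VECTO module.
# Creates the VECTO_ACCESS_TOKEN variable group with both PATs as secret variables and
# without authorizing it for all pipelines.
#
# Assumptions not stated on the page: `az devops configure --defaults` has set the
# organization and project, and the PATs are provided as VECTO_MGMT_PAT / VECTO_REPO_PAT.
set -eu

GROUP_NAME="VECTO_ACCESS_TOKEN"
GROUP_DESC="Used by VECTO to manage Azure DevOps resources for the AWS Core pipelines."

# Mark an existing variable as secret and set its real value. The value travels as a
# process argument (visible in the process list), so run this on a trusted workstation.
set_secret_variable() {
  az pipelines variable-group variable update \
    --group-id "$1" --name "$2" --value "$3" --secret true >/dev/null
}

# The create command needs at least one variable and cannot mark variables as secret,
# so the group is created with placeholders that are overwritten as secrets right away.
# Prints the new group id.
create_vecto_variable_group() {
  _mgmt_pat="$1"; _repo_pat="$2"
  _gid=$(az pipelines variable-group create \
           --name "$GROUP_NAME" --description "$GROUP_DESC" \
           --authorize false \
           --variables PAT-VECTO_ADO_MANAGEMENT_ACCESS=placeholder PAT-VECTO_REPO_ACCESS=placeholder \
           --query id --output tsv)
  set_secret_variable "$_gid" PAT-VECTO_ADO_MANAGEMENT_ACCESS "$_mgmt_pat"
  set_secret_variable "$_gid" PAT-VECTO_REPO_ACCESS "$_repo_pat"
  printf '%s\n' "$_gid"
}

# Number of variables in the group that are NOT secret; the expected result is 0.
non_secret_variable_count() {
  az pipelines variable-group variable list --group-id "$1" \
    --query 'length(values(@)[?isSecret != `true`])' --output tsv
}

main() {
  : "${VECTO_MGMT_PAT:?set VECTO_MGMT_PAT to the VECTO_ADO_MANAGEMENT_ACCESS PAT}"
  : "${VECTO_REPO_PAT:?set VECTO_REPO_PAT to the PAT used for the VECTO module repository}"
  _gid=$(create_vecto_variable_group "$VECTO_MGMT_PAT" "$VECTO_REPO_PAT")
  _plain=$(non_secret_variable_count "$_gid")
  [ "$_plain" -eq 0 ] || { echo "group $_gid still has $_plain plain-text variable(s)" >&2; return 1; }
  echo "variable group $GROUP_NAME created with id $_gid; grant it to Pipeline--VECTO-Setup under Pipeline permissions"
}

case "${1:-}" in
  create) main ;;
esac
```

Run it as `VECTO_MGMT_PAT=... VECTO_REPO_PAT=... ./vecto-vargroup.sh create`, preferably reading the PATs with `read -r -s` beforehand so they do not end up in the shell history. Granting the group to the Pipeline--VECTO-Setup pipeline remains a manual step (Step 3 above).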

VECTO Setup

Running the VECTO Setup Pipeline deploys the VECTO solution with the following resources on the AWS and Azure DevOps side:

  • OIDC connection from Azure DevOps to the Core IaC CI/CD AWS account, which replaces the IAM user credentials used during preparation
  • AWS IAM Role for VECTO provisioning: vecto-provisioner-role
  • Azure DevOps pipeline repository and pipelines for VECTO provisioning. Two pipelines are provisioned and kept segregated from each other: one provisions the AWS part, the other the ADO part

VECTO-PREPARATION-ADO-OIDC

Run VECTO Setup Pipeline

Step 1 – Open the Pipelines page
  1. In the Pipelines section, select All pipelines
  2. Choose Pipeline--VECTO-Setup
  3. Provide the bucket name from the TerraformStateBucketName stack output for the parameter awsVectoTfStateBucketName
  4. If you host the VECTO module in your own repository (see section Clone the VECTO Module Repository), update the vectoRepo section accordingly
  5. Click Run; the Terraform stages are then executed

VECTO-PREPARATION-ADO-SETUP-PIPELINE-RUN-1 VECTO-PREPARATION-ADO-SETUP-PIPELINE-RUN-2

Cleanup VECTO Preparation Stage

With the OIDC connection established between Azure DevOps and the Core IaC CI/CD AWS account, the IAM user from the preparation stage (see section Setup Preparation - AWS Side) is no longer needed and its permissions can now be revoked.

Step 1 – Update VECTO Setup CloudFormation Stack
  1. Login to the Core IaC CI/CD AWS account and navigate to CloudFormation
  2. Select the stack vecto-setup-preparation

VECTO-PREPARATION-AWS-CF-DISABLE-USER-1

Step 2 – Update stack

Click Update stack → Make a direct update.

VECTO-PREPARATION-AWS-CF-DISABLE-USER-2

Step 3 – Specify the update
  1. Keep Use existing template and click Next

VECTO-PREPARATION-AWS-CF-DISABLE-USER-3

  2. Change EnableIamUserPermissions to false

VECTO-PREPARATION-AWS-CF-DISABLE-USER-4

  3. Click Submit

VECTO-PREPARATION-AWS-CF-DISABLE-USER-5

The IAM user now has no permissions. This update only removes the user's permissions; the user and its access key are not deleted by it, so keep treating the stored credentials as sensitive until the preparation stack is retired.

VECTO-PREPARATION-AWS-CF-DISABLE-USER-SUCCESS
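To confirm the result instead of relying on the console, the following Bash script is an added example written for this page; it is not part of the ACAI VECTO documentation or of the CloudFormation template. Run with an administrative principal in the Core IaC CI/CD account, it resolves the IAM user name from the vecto-setup-preparation stack, checks that the user has no attached managed policies, no inline policies and no group memberships, and lists the access keys that the stack update leaves in place. That the stack contains exactly one AWS::IAM::User resource is an assumption about the ACAI template, not stated on the page.

```bash
#!/usr/bin/env bash
# Added example, not part of the ACAI VECTO documentation or the ACAI template.
# Verifies that the preparation IAM user carries no permissions after the stack parameter
# EnableIamUserPermissions was set to false. Requires an administrative principal
# (cloudformation:DescribeStackResources and iam:List* on the user).
#
# Assumption not stated on the page: the stack has exactly one AWS::IAM::User resource.
set -eu

STACK_NAME="${STACK_NAME:-vecto-setup-preparation}"   # stack name suggested on the page

# Resolve the IAM user name from the stack instead of guessing it.
iam_user_from_stack() {
  aws cloudformation describe-stack-resources --stack-name "$1" \
    --query "StackResources[?ResourceType=='AWS::IAM::User'].PhysicalResourceId" \
    --output text
}

# Count the three ways a user can obtain permissions: attached managed policies,
# inline policies and group memberships. Prints "managed inline groups".
permission_sources() {
  _user="$1"
  _managed=$(aws iam list-attached-user-policies --user-name "$_user" \
               --query 'length(AttachedPolicies)' --output text)
  _inline=$(aws iam list-user-policies --user-name "$_user" \
               --query 'length(PolicyNames)' --output text)
  _groups=$(aws iam list-groups-for-user --user-name "$_user" \
               --query 'length(Groups)' --output text)
  printf '%s %s %s\n' "$_managed" "$_inline" "$_groups"
}

# A user is inert only when all three counts are zero.
is_inert() {
  [ "$1" -eq 0 ] && [ "$2" -eq 0 ] && [ "$3" -eq 0 ]
}

main() {
  _user=$(iam_user_from_stack "$STACK_NAME")
  [ -n "$_user" ] || { echo "no AWS::IAM::User found in stack $STACK_NAME" >&2; return 1; }
  _counts=$(permission_sources "$_user")
  if is_inert $_counts; then
    echo "OK: $_user has no managed, inline or group permissions"
  else
    echo "FAIL: $_user still has permission sources (managed inline groups): $_counts" >&2
    return 1
  fi
  # The stack update removes permissions only; the access key stays in place (normally
  # Active). List it so it is not forgotten when the preparation stack is retired.
  aws iam list-access-keys --user-name "$_user" \
    --query 'AccessKeyMetadata[].[AccessKeyId,Status,CreateDate]' --output table
}

case "${1:-}" in
  check) main ;;
esac
```

Run it as `./vecto-check-user.sh check` (set STACK_NAME if you chose a different stack name). A non-zero exit means the update did not take effect or the user gained permissions from somewhere the template does not manage, which is worth investigating before relying on the OIDC role alone.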