Deploy Stack, Lock Down DB, Verify Connectivity

Scenario

This workflow is required when DevOps teams must automate the provisioning of a production web stack while enforcing strict, role-based database access controls. It bridges infrastructure-as-code deployment with granular RDS account configuration and systematic connectivity validation to guarantee least-privilege compliance before production cutover.

Integration steps

1. Initialize Terraform & Provider: Create main.tf with provider "alicloud" { region = "cn-hangzhou" }. Run terraform init.
2. Provision Core Stack: Define alicloud_vpc, alicloud_instance (ALinux 3), alicloud_db_instance (MySQL 8.0), and alicloud_oss_bucket. Apply via terraform apply -auto-approve.
3. Bind CAS SSL to SLB: Upload your CAS certificate using alicloud_slb_certificate. Attach to alicloud_slb_listener with frontend_port = 443, backend_port = 80, and protocol = "https".
4. Create Multi-Tier RDS Accounts: Provision accounts via alicloud_db_account for app_rw, analytics_ro, and admin. Assign privileges using alicloud_db_account_privilege (ReadWrite, ReadOnly, DBA respectively).
5. Lock Down Network Access: Define alicloud_security_group_rule to allow ECS private IP to RDS port 3306. Update RDS whitelist via alicloud_db_instance ip_list = ["${alicloud_instance.web.private_ip}/32"].
6. Verify & Debug Connectivity: SSH into ECS. Test each role sequentially:

``bash nc -zv <rds_endpoint> 3306 # Verify network reachability mysql -h <rds_endpoint> -u app_rw -p -e "INSERT INTO logs VALUES(1);" # Expect success mysql -h <rds_endpoint> -u analytics_ro -p -e "INSERT INTO logs VALUES(1);" # Expect ERROR 1142 (Access denied) ``

7. Automate API Validation: Query RDS API to confirm state:

``bash curl -X POST "https://rds.aliyuncs.com/?Action=DescribeAccounts&DBInstanceId=<id>&Format=JSON" ` Cross-reference AccountStatus and AccountPrivilege` against expected values.

Architecture

Terraform orchestrates the entire lifecycle. Inbound HTTPS traffic terminates at an SLB using a CAS-managed certificate, then routes to an ALinux-based ECS cluster. ECS instances serve application logic, fetch static assets from OSS, and execute database queries against RDS. RDS enforces granular, role-based access via dedicated accounts, while VPC routing and security groups isolate compute, storage, and database tiers.

Prerequisites

• Alibaba Cloud RAM user with AliyunECSFullAccess, AliyunRDSFullAccess, AliyunOSSFullAccess, and AliyunSLBFullAccess
• Terraform CLI v1.5+ and alicloud provider v1.200+
• Valid CAS-issued SSL certificate (.pem/.key)
• SSH key pair for ECS bastion access
• Pre-allocated VPC CIDR (e.g., 172.16.0.0/16)

Common pitfalls

• RDS Whitelist Drift: Manual IP additions get overwritten on terraform apply. Always manage ip_list exclusively in Terraform state to prevent connection timeouts.
• Over-Privileged Roles: Using DBA for app accounts violates least-privilege. Explicitly grant SELECT/INSERT/UPDATE via alicloud_db_account_privilege instead of broad presets.
• SSL Health Check Failures: If SLB terminates TLS but backend expects HTTP, health probes fail. Set listener_forward = "off" and ensure ECS app binds to port 80.
• Connection Exhaustion: Role isolation doesn't limit concurrent sessions. Tune max_connections in RDS parameter groups and deploy a connection proxy (e.g., ProxySQL) on ECS.

Typical questions

• deploy production stack configure DB roles then verify connectivity
• terraform provision full stack set up RDS permissions and debug connections
• configure granular database accounts then test ECS to RDS connectivity
• deploy stack lock down database then troubleshoot permission denied errors
• Terraform部署后配置多级RDS权限并排查连接问题
• provision infra configure role-based DB access then debug connectivity
• set up production RDS accounts per service then verify each connection
• 部署生产环境配置数据库角色后验证连通性