A DevOps team provisions a full production web stack via Terraform, configures granular multi-tier RDS accounts and role-based permissions (app, analytics, admin), then systematically debugs and verifies database connectivity for each configured role to ensure least-privilege access works end-to-end.
This workflow is required when DevOps teams must automate the provisioning of a production web stack while enforcing strict, role-based database access controls. It bridges infrastructure-as-code deployment with granular RDS account configuration and systematic connectivity validation to guarantee least-privilege compliance before production cutover.
1. Create main.tf with provider "alicloud" { region = "cn-hangzhou" } and run terraform init.
2. Define alicloud_vpc, alicloud_instance (ALinux 3), alicloud_db_instance (MySQL 8.0), and alicloud_oss_bucket. Apply via terraform apply -auto-approve.
3. Create an alicloud_slb_certificate and attach it to an alicloud_slb_listener with frontend_port = 443, backend_port = 80, and protocol = "https".
4. Create an alicloud_db_account for each of app_rw, analytics_ro, and admin. Assign privileges using alicloud_db_account_privilege (ReadWrite, ReadOnly, and DBA respectively).
5. Add an alicloud_security_group_rule that allows the ECS private IP to reach RDS port 3306. Update the RDS whitelist via the alicloud_db_instance attribute ip_list = ["${alicloud_instance.web.private_ip}/32"].
6. From the ECS instance, verify network reachability and then the privileges of each role:
   nc -zv <rds_endpoint> 3306   # Verify network reachability
   mysql -h <rds_endpoint> -u app_rw -p -e "INSERT INTO logs VALUES(1);"   # Expect success
   mysql -h <rds_endpoint> -u analytics_ro -p -e "INSERT INTO logs VALUES(1);"   # Expect ERROR 1142 (Access denied)
7. Confirm the account configuration through the RDS API:
   curl -X POST "https://rds.aliyuncs.com/?Action=DescribeAccounts&DBInstanceId=<id>&Format=JSON"
   Cross-reference AccountStatus and AccountPrivilege in the response against the expected values.
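The cross-reference in the last step can be automated. The following is an added Python example, not code from the original page, that audits a DescribeAccounts response against the privilege matrix the Terraform definitions express and reports every deviation (wrong privilege, extra grant, unexpected or missing account, non-Available status). The JSON body is a constructed sample whose field layout is assumed to follow the DescribeAccounts schema, and the database name webapp is a placeholder.

```python
import json

# Constructed sample of a DescribeAccounts response body (not a real API capture).
# Field layout is assumed to follow the RDS DescribeAccounts schema; "webapp" is a placeholder DB name.
SAMPLE_RESPONSE = json.dumps({
    "Accounts": {"DBInstanceAccount": [
        {"AccountName": "app_rw", "AccountStatus": "Available",
         "DatabasePrivileges": {"DatabasePrivilege": [
             {"DBName": "webapp", "AccountPrivilege": "ReadWrite"}]}},
        {"AccountName": "analytics_ro", "AccountStatus": "Available",
         "DatabasePrivileges": {"DatabasePrivilege": [
             {"DBName": "webapp", "AccountPrivilege": "ReadWrite"}]}},  # drift: should be ReadOnly
        {"AccountName": "admin", "AccountStatus": "Available",
         "DatabasePrivileges": {"DatabasePrivilege": [
             {"DBName": "webapp", "AccountPrivilege": "DBA"}]}},
        {"AccountName": "legacy_user", "AccountStatus": "Unavailable",
         "DatabasePrivileges": {"DatabasePrivilege": []}},  # not defined in Terraform at all
    ]}
})

# Expected matrix derived from the alicloud_db_account_privilege resources: account -> {db: privilege}
EXPECTED = {
    "app_rw": {"webapp": "ReadWrite"},
    "analytics_ro": {"webapp": "ReadOnly"},
    "admin": {"webapp": "DBA"},
}

def audit_accounts(response_body, expected):
    """Return a list of findings; an empty list means RDS matches the expected matrix."""
    findings = []
    seen = set()
    for acct in json.loads(response_body)["Accounts"]["DBInstanceAccount"]:
        name = acct["AccountName"]
        seen.add(name)
        if name not in expected:
            findings.append(f"{name}: unexpected account present")
            continue
        if acct["AccountStatus"] != "Available":
            findings.append(f"{name}: status {acct['AccountStatus']}")
        actual = {p["DBName"]: p["AccountPrivilege"]
                  for p in acct["DatabasePrivileges"]["DatabasePrivilege"]}
        for db, priv in expected[name].items():
            if actual.get(db) != priv:
                findings.append(f"{name}: {db} is {actual.get(db)}, expected {priv}")
        for db in set(actual) - set(expected[name]):
            findings.append(f"{name}: unexpected grant on {db}")
    for name in set(expected) - seen:
        findings.append(f"{name}: account missing")
    return findings
```

Feed the body returned by the DescribeAccounts call to audit_accounts and treat any non-empty result as a blocker before production cutover.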
Terraform orchestrates the entire lifecycle. Inbound HTTPS traffic terminates at an SLB using a CAS-managed certificate, then routes to an ALinux-based ECS cluster. ECS instances serve application logic, fetch static assets from OSS, and execute database queries against RDS. RDS enforces granular, role-based access via dedicated accounts, while VPC routing and security groups isolate compute, storage, and database tiers.
Prerequisites:
- RAM policies: AliyunECSFullAccess, AliyunRDSFullAccess, AliyunOSSFullAccess, and AliyunSLBFullAccess.
- Terraform with the alicloud provider v1.200+.
- An SSL certificate and private key for the SLB listener (.pem/.key).
- A CIDR block for the VPC (172.16.0.0/16).

Pitfalls and tips:
- RDS whitelist: keep ip_list consistent with what terraform apply produces. Always manage ip_list exclusively in Terraform state to prevent connection timeouts.
- Granting DBA to app accounts violates least privilege. Explicitly grant SELECT/INSERT/UPDATE via alicloud_db_account_privilege instead of broad presets.
- SLB listener: set listener_forward = "off" and ensure the ECS app binds to port 80.
- Connection limits: tune max_connections in the RDS parameter group and deploy a connection proxy (e.g., ProxySQL) on ECS.

Q: How do I deploy a production stack, configure granular RDS roles, and verify connectivity?
A: You automate this workflow by provisioning the infrastructure with Terraform, creating multi-tier RDS accounts with explicit privileges, and validating access from an ECS instance. After running terraform apply, use alicloud_db_account and alicloud_db_account_privilege to assign ReadWrite, ReadOnly, or DBA roles. Finally, SSH into the ECS instance to test port 3306 reachability with nc and execute mysql commands to confirm the expected success or access-denied errors.