Revert "[PRMP-1538] Remove SES execution (#626)"

This reverts commit f511c43.

Author: robg-test

infrastructure/dns_email_auth.tf

@@ -1,9 +1,9 @@
-# resource "aws_route53_record" "dmarc" {
-#   count   = local.is_shared_workspace ? 1 : 0
-#   zone_id = module.route53_fargate_ui.zone_id
-#   name    = "_dmarc.${var.domain}"
-#   type    = "TXT"
-#   ttl     = 300
-#
-#   records = ["v=DMARC1; p=none; adkim=s; aspf=s"]
-# }
+resource "aws_route53_record" "dmarc" {
+  count   = local.is_shared_workspace ? 1 : 0
+  zone_id = module.route53_fargate_ui.zone_id
+  name    = "_dmarc.${var.domain}"
+  type    = "TXT"
+  ttl     = 300
+
+  records = ["v=DMARC1; p=none; adkim=s; aspf=s"]
+}

infrastructure/iam.tf

@@ -354,37 +354,37 @@ resource "aws_iam_policy" "s3_document_data_policy_post_document_review_lambda"
   })
 }
 
-# data "aws_iam_policy_document" "reporting_ses" {
-#   statement {
-#     sid    = "SESAccess"
-#     effect = "Allow"
-#
-#     actions = [
-#       "ses:SendEmail",
-#       "ses:SendRawEmail"
-#     ]
-#
-#     resources = [
-#       "arn:aws:ses:${var.region}:${data.aws_caller_identity.current.account_id}:identity/*",
-#       "arn:aws:ses:${var.region}:${data.aws_caller_identity.current.account_id}:configuration-set/${aws_ses_configuration_set.reporting.name}"
-#     ]
-#
-#     condition {
-#       test     = "StringEquals"
-#       variable = "ses:FromAddress"
-#       values   = [local.reporting_ses_from_address_value]
-#     }
-#   }
-# }
-#
-# data "aws_iam_policy_document" "ses_feedback_s3_put" {
-#   statement {
-#     effect = "Allow"
-#     actions = [
-#       "s3:PutObject"
-#     ]
-#     resources = [
-#       "${module.ses-feedback-store.bucket_arn}/ses-feedback/*"
-#     ]
-#   }
-# }
+data "aws_iam_policy_document" "reporting_ses" {
+  statement {
+    sid    = "SESAccess"
+    effect = "Allow"
+
+    actions = [
+      "ses:SendEmail",
+      "ses:SendRawEmail"
+    ]
+
+    resources = [
+      "arn:aws:ses:${var.region}:${data.aws_caller_identity.current.account_id}:identity/*",
+      "arn:aws:ses:${var.region}:${data.aws_caller_identity.current.account_id}:configuration-set/${aws_ses_configuration_set.reporting.name}"
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "ses:FromAddress"
+      values   = [local.reporting_ses_from_address_value]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "ses_feedback_s3_put" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:PutObject"
+    ]
+    resources = [
+      "${module.ses-feedback-store.bucket_arn}/ses-feedback/*"
+    ]
+  }
+}

infrastructure/kms_sns.tf

@@ -4,7 +4,6 @@ module "sns_encryption_key" {
   kms_key_description = "Custom KMS Key to enable server side encryption for sns subscriptions"
   environment         = var.environment
   owner               = var.owner
-  # service_identifiers = ["sns.amazonaws.com", "cloudwatch.amazonaws.com", "ses.amazonaws.com"]
-  service_identifiers = ["sns.amazonaws.com", "cloudwatch.amazonaws.com"]
+  service_identifiers = ["sns.amazonaws.com", "cloudwatch.amazonaws.com", "ses.amazonaws.com"]
   kms_deletion_window = var.kms_deletion_window
 }

infrastructure/lambda-report-distribution.tf

@@ -1,30 +1,30 @@
-# module "report-distribution-lambda" {
-#   source         = "./modules/lambda"
-#   name           = "ReportDistribution"
-#   handler        = "handlers.report_distribution_handler.lambda_handler"
-#   lambda_timeout = 300
-#
-#   iam_role_policy_documents = [
-#     module.ndr-report-store.s3_read_policy_document,
-#     module.bulk_upload_contact_lookup_table.dynamodb_read_policy_document,
-#     data.aws_iam_policy_document.reporting_ses.json,
-#     data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
-#   ]
-#
-#   lambda_environment_variables = {
-#     APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
-#     APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
-#     APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
-#     WORKSPACE               = terraform.workspace
-#
-#     REPORT_BUCKET_NAME = module.ndr-report-store.bucket_id
-#     CONTACT_TABLE_NAME = module.bulk_upload_contact_lookup_table.table_name
-#
-#     PRM_MAILBOX_EMAIL     = data.aws_ssm_parameter.prm_mailbox_email.value
-#     SES_FROM_ADDRESS      = local.reporting_ses_from_address_value
-#     SES_CONFIGURATION_SET = aws_ses_configuration_set.reporting.name
-#   }
-#
-#   is_gateway_integration_needed = false
-#   is_invoked_from_gateway       = false
-# }
+module "report-distribution-lambda" {
+  source         = "./modules/lambda"
+  name           = "ReportDistribution"
+  handler        = "handlers.report_distribution_handler.lambda_handler"
+  lambda_timeout = 300
+
+  iam_role_policy_documents = [
+    module.ndr-report-store.s3_read_policy_document,
+    module.bulk_upload_contact_lookup_table.dynamodb_read_policy_document,
+    data.aws_iam_policy_document.reporting_ses.json,
+    data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
+  ]
+
+  lambda_environment_variables = {
+    APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
+    APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
+    APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
+    WORKSPACE               = terraform.workspace
+
+    REPORT_BUCKET_NAME = module.ndr-report-store.bucket_id
+    CONTACT_TABLE_NAME = module.bulk_upload_contact_lookup_table.table_name
+
+    PRM_MAILBOX_EMAIL     = data.aws_ssm_parameter.prm_mailbox_email.value
+    SES_FROM_ADDRESS      = local.reporting_ses_from_address_value
+    SES_CONFIGURATION_SET = aws_ses_configuration_set.reporting.name
+  }
+
+  is_gateway_integration_needed = false
+  is_invoked_from_gateway       = false
+}

infrastructure/lambda-ses-feedback-monitor.tf

@@ -1,32 +1,32 @@
-# module "ses-feedback-monitor-lambda" {
-#   source         = "./modules/lambda"
-#   name           = "SesFeedbackMonitor"
-#   handler        = "handlers.ses_feedback_monitor_handler.lambda_handler"
-#   lambda_timeout = 60
-#
-#   iam_role_policy_documents = [
-#     data.aws_iam_policy_document.ses_feedback_s3_put.json,
-#     data.aws_iam_policy_document.reporting_ses.json,
-#     data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
-#   ]
-#
-#   lambda_environment_variables = {
-#     APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
-#     APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
-#     APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
-#     WORKSPACE               = terraform.workspace
-#
-#     SES_FEEDBACK_BUCKET_NAME = module.ses-feedback-store.bucket_id
-#     SES_FEEDBACK_PREFIX      = "ses-feedback/"
-#     PRM_MAILBOX_EMAIL        = data.aws_ssm_parameter.prm_mailbox_email.value
-#     SES_FROM_ADDRESS         = local.reporting_ses_from_address_value
-#     ALERT_ON_EVENT_TYPES     = "BOUNCE,REJECT"
-#   }
-#
-#   is_gateway_integration_needed = false
-#   is_invoked_from_gateway       = false
-#
-#   depends_on = [
-#     module.ses-feedback-store
-#   ]
-# }
+module "ses-feedback-monitor-lambda" {
+  source         = "./modules/lambda"
+  name           = "SesFeedbackMonitor"
+  handler        = "handlers.ses_feedback_monitor_handler.lambda_handler"
+  lambda_timeout = 60
+
+  iam_role_policy_documents = [
+    data.aws_iam_policy_document.ses_feedback_s3_put.json,
+    data.aws_iam_policy_document.reporting_ses.json,
+    data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
+  ]
+
+  lambda_environment_variables = {
+    APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
+    APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
+    APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
+    WORKSPACE               = terraform.workspace
+
+    SES_FEEDBACK_BUCKET_NAME = module.ses-feedback-store.bucket_id
+    SES_FEEDBACK_PREFIX      = "ses-feedback/"
+    PRM_MAILBOX_EMAIL        = data.aws_ssm_parameter.prm_mailbox_email.value
+    SES_FROM_ADDRESS         = local.reporting_ses_from_address_value
+    ALERT_ON_EVENT_TYPES     = "BOUNCE,REJECT"
+  }
+
+  is_gateway_integration_needed = false
+  is_invoked_from_gateway       = false
+
+  depends_on = [
+    module.ses-feedback-store
+  ]
+}

infrastructure/modules/sns/README.md

@@ -79,6 +79,7 @@ module "sns_topic" {
 | Name | Type |
 |------|------|
 | [aws_sns_topic.sns_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
+| [aws_sns_topic_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
 | [aws_sns_topic_subscription.sns_subscription_list](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
 | [aws_sns_topic_subscription.sns_subscription_single](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
 
@@ -89,13 +90,16 @@ module "sns_topic" {
 | <a name="input_delivery_policy"></a> [delivery\_policy](#input\_delivery\_policy) | Attach delivery or IAM policy. (Legacy name; used as topic policy JSON in this module.) | `string` | n/a | yes |
 | <a name="input_enable_deduplication"></a> [enable\_deduplication](#input\_enable\_deduplication) | Prevent content based duplication in notification queue. | `bool` | `false` | no |
 | <a name="input_enable_fifo"></a> [enable\_fifo](#input\_enable\_fifo) | Attach first in first out policy to notification queue. | `bool` | `false` | no |
+| <a name="input_enable_ses_publish"></a> [enable\_ses\_publish](#input\_enable\_ses\_publish) | If true, module appends a statement allowing ses.amazonaws.com to SNS:Publish to this topic. | `bool` | `false` | no |
 | <a name="input_is_topic_endpoint_list"></a> [is\_topic\_endpoint\_list](#input\_is\_topic\_endpoint\_list) | Whether to use the topic\_endpoint\_list instead of a single topic\_endpoint. | `bool` | `false` | no |
 | <a name="input_raw_message_delivery"></a> [raw\_message\_delivery](#input\_raw\_message\_delivery) | Whether to enable raw message delivery for the SNS subscription. | `bool` | `false` | no |
+| <a name="input_ses_source_account_id"></a> [ses\_source\_account\_id](#input\_ses\_source\_account\_id) | AWS account ID used in the AWS:SourceAccount condition for SES publishing. | `string` | `""` | no |
 | <a name="input_sns_encryption_key_id"></a> [sns\_encryption\_key\_id](#input\_sns\_encryption\_key\_id) | The ARN (or ID) of the KMS key used for encrypting the SNS topic. | `string` | n/a | yes |
 | <a name="input_sqs_feedback"></a> [sqs\_feedback](#input\_sqs\_feedback) | Map of IAM role ARNs and sample rate for success and failure feedback. | `map(string)` | `{}` | no |
 | <a name="input_topic_endpoint"></a> [topic\_endpoint](#input\_topic\_endpoint) | A single endpoint (e.g., SQS queue or Lambda function ARN) to subscribe to the topic. | `any` | `null` | no |
 | <a name="input_topic_endpoint_list"></a> [topic\_endpoint\_list](#input\_topic\_endpoint\_list) | A list of endpoints (e.g., SQS ARNs) to subscribe to the topic. | `any` | `[]` | no |
 | <a name="input_topic_name"></a> [topic\_name](#input\_topic\_name) | Name of the SNS topic. | `string` | n/a | yes |
+| <a name="input_topic_policy_json"></a> [topic\_policy\_json](#input\_topic\_policy\_json) | Optional SNS topic access policy JSON. If set, it overrides delivery\_policy. | `string` | `null` | no |
 | <a name="input_topic_protocol"></a> [topic\_protocol](#input\_topic\_protocol) | The protocol to use for the subscription (e.g., 'sqs', 'lambda'). | `string` | n/a | yes |
 
 ## Outputs

infrastructure/modules/sns/main.tf

@@ -1,49 +1,48 @@
-# locals {
-#   base_topic_policy_json = var.topic_policy_json != null ? var.topic_policy_json : var.delivery_policy
-#   base_topic_policy_obj  = jsondecode(local.base_topic_policy_json)
-#   normalized_statements = [
-#     for s in try(local.base_topic_policy_obj["Statement"], []) : merge(
-#       s,
-#       {
-#         Resource = (
-#           try(s["Resource"], null) == "*" || try(s["Resource"], null) == null
-#           ? aws_sns_topic.sns_topic.arn
-#           : s["Resource"]
-#         )
-#       }
-#     )
-#   ]
-#
-#   ses_publish_statement = var.enable_ses_publish ? {
-#     Sid    = "AllowSESPublish"
-#     Effect = "Allow"
-#     Principal = {
-#       Service = "ses.amazonaws.com"
-#     }
-#     Action   = "SNS:Publish"
-#     Resource = aws_sns_topic.sns_topic.arn
-#     Condition = {
-#       StringEquals = {
-#         "AWS:SourceAccount" = var.ses_source_account_id
-#       }
-#     }
-#   } : null
-#
-#   effective_topic_policy_obj = merge(
-#     local.base_topic_policy_obj,
-#     {
-#       Statement = concat(
-#         local.normalized_statements,
-#         var.enable_ses_publish ? [local.ses_publish_statement] : []
-#       )
-#     }
-#   )
-#   effective_topic_policy_json = jsonencode(local.effective_topic_policy_obj)
-# }
+locals {
+  base_topic_policy_json = var.topic_policy_json != null ? var.topic_policy_json : var.delivery_policy
+  base_topic_policy_obj  = jsondecode(local.base_topic_policy_json)
+  normalized_statements = [
+    for s in try(local.base_topic_policy_obj["Statement"], []) : merge(
+      s,
+      {
+        Resource = (
+          try(s["Resource"], null) == "*" || try(s["Resource"], null) == null
+          ? aws_sns_topic.sns_topic.arn
+          : s["Resource"]
+        )
+      }
+    )
+  ]
+
+  ses_publish_statement = var.enable_ses_publish ? {
+    Sid    = "AllowSESPublish"
+    Effect = "Allow"
+    Principal = {
+      Service = "ses.amazonaws.com"
+    }
+    Action   = "SNS:Publish"
+    Resource = aws_sns_topic.sns_topic.arn
+    Condition = {
+      StringEquals = {
+        "AWS:SourceAccount" = var.ses_source_account_id
+      }
+    }
+  } : null
+
+  effective_topic_policy_obj = merge(
+    local.base_topic_policy_obj,
+    {
+      Statement = concat(
+        local.normalized_statements,
+        var.enable_ses_publish ? [local.ses_publish_statement] : []
+      )
+    }
+  )
+  effective_topic_policy_json = jsonencode(local.effective_topic_policy_obj)
+}
 
 resource "aws_sns_topic" "sns_topic" {
   name_prefix                 = "${terraform.workspace}-sns-${var.topic_name}"
-  policy                      = var.delivery_policy
   fifo_topic                  = var.enable_fifo
   content_based_deduplication = var.enable_deduplication
   kms_master_key_id           = var.sns_encryption_key_id
@@ -53,10 +52,10 @@ resource "aws_sns_topic" "sns_topic" {
   sqs_success_feedback_sample_rate = try(var.sqs_feedback.success_sample_rate, null)
 }
 
-# resource "aws_sns_topic_policy" "this" {
-#   arn    = aws_sns_topic.sns_topic.arn
-#   policy = local.effective_topic_policy_json
-# }
+resource "aws_sns_topic_policy" "this" {
+  arn    = aws_sns_topic.sns_topic.arn
+  policy = local.effective_topic_policy_json
+}
 
 resource "aws_sns_topic_subscription" "sns_subscription_single" {
   count                = var.is_topic_endpoint_list ? 0 : 1
@@ -65,7 +64,7 @@ resource "aws_sns_topic_subscription" "sns_subscription_single" {
   endpoint             = var.topic_endpoint
   raw_message_delivery = var.raw_message_delivery
 
-  # depends_on = [aws_sns_topic_policy.this]
+  depends_on = [aws_sns_topic_policy.this]
 }
 
 resource "aws_sns_topic_subscription" "sns_subscription_list" {
@@ -75,7 +74,7 @@ resource "aws_sns_topic_subscription" "sns_subscription_list" {
   endpoint             = each.value
   raw_message_delivery = var.raw_message_delivery
 
-  # depends_on = [aws_sns_topic_policy.this]
+  depends_on = [aws_sns_topic_policy.this]
 }
 
 output "arn" {