[PRM-741] Rearchitect SES (#625)

Co-authored-by: robg-test <106234256+robg-test@users.noreply.github.com>

Author: chrisbloe

infrastructure/dns_email_auth.tf

@@ -355,37 +355,37 @@ resource "aws_iam_policy" "s3_document_data_policy_post_document_review_lambda"
   })
 }
 
-# data "aws_iam_policy_document" "reporting_ses" {
-#   statement {
-#     sid    = "SESAccess"
-#     effect = "Allow"
-#
-#     actions = [
-#       "ses:SendEmail",
-#       "ses:SendRawEmail"
-#     ]
-#
-#     resources = [
-#       "arn:aws:ses:${var.region}:${data.aws_caller_identity.current.account_id}:identity/*",
-#       "arn:aws:ses:${var.region}:${data.aws_caller_identity.current.account_id}:configuration-set/${aws_ses_configuration_set.reporting.name}"
-#     ]
-#
-#     condition {
-#       test     = "StringEquals"
-#       variable = "ses:FromAddress"
-#       values   = [local.reporting_ses_from_address_value]
-#     }
-#   }
-# }
-#
-# data "aws_iam_policy_document" "ses_feedback_s3_put" {
-#   statement {
-#     effect = "Allow"
-#     actions = [
-#       "s3:PutObject"
-#     ]
-#     resources = [
-#       "${module.ses-feedback-store.bucket_arn}/ses-feedback/*"
-#     ]
-#   }
-# }
+data "aws_iam_policy_document" "reporting_ses" {
+  statement {
+    sid    = "SESAccess"
+    effect = "Allow"
+
+    actions = [
+      "ses:SendEmail",
+      "ses:SendRawEmail"
+    ]
+
+    resources = [
+      "arn:aws:ses:${var.region}:${data.aws_caller_identity.current.account_id}:identity/*",
+      "arn:aws:ses:${var.region}:${data.aws_caller_identity.current.account_id}:configuration-set/${aws_ses_configuration_set.reporting.name}"
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "ses:FromAddress"
+      values   = [module.ses.report_email_address]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "ses_feedback_s3_put" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:PutObject"
+    ]
+    resources = [
+      "${module.ses-feedback-store.bucket_arn}/ses-feedback/*"
+    ]
+  }
+}

infrastructure/iam.tf

@@ -4,7 +4,6 @@ module "sns_encryption_key" {
   kms_key_description = "Custom KMS Key to enable server side encryption for sns subscriptions"
   environment         = var.environment
   owner               = var.owner
-  # service_identifiers = ["sns.amazonaws.com", "cloudwatch.amazonaws.com", "ses.amazonaws.com"]
-  service_identifiers = ["sns.amazonaws.com", "cloudwatch.amazonaws.com"]
+  service_identifiers = ["sns.amazonaws.com", "cloudwatch.amazonaws.com", "ses.amazonaws.com"]
   kms_deletion_window = var.kms_deletion_window
 }

infrastructure/kms_sns.tf

@@ -1,30 +1,30 @@
-# module "report-distribution-lambda" {
-#   source         = "./modules/lambda"
-#   name           = "ReportDistribution"
-#   handler        = "handlers.report_distribution_handler.lambda_handler"
-#   lambda_timeout = 300
-#
-#   iam_role_policy_documents = [
-#     module.ndr-report-store.s3_read_policy_document,
-#     module.bulk_upload_contact_lookup_table.dynamodb_read_policy_document,
-#     data.aws_iam_policy_document.reporting_ses.json,
-#     data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
-#   ]
-#
-#   lambda_environment_variables = {
-#     APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
-#     APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
-#     APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
-#     WORKSPACE               = terraform.workspace
-#
-#     REPORT_BUCKET_NAME = module.ndr-report-store.bucket_id
-#     CONTACT_TABLE_NAME = module.bulk_upload_contact_lookup_table.table_name
-#
-#     PRM_MAILBOX_EMAIL     = data.aws_ssm_parameter.prm_mailbox_email.value
-#     SES_FROM_ADDRESS      = local.reporting_ses_from_address_value
-#     SES_CONFIGURATION_SET = aws_ses_configuration_set.reporting.name
-#   }
-#
-#   is_gateway_integration_needed = false
-#   is_invoked_from_gateway       = false
-# }
+module "report-distribution-lambda" {
+  source         = "./modules/lambda"
+  name           = "ReportDistribution"
+  handler        = "handlers.report_distribution_handler.lambda_handler"
+  lambda_timeout = 300
+
+  iam_role_policy_documents = [
+    module.ndr-report-store.s3_read_policy_document,
+    module.bulk_upload_contact_lookup_table.dynamodb_read_policy_document,
+    data.aws_iam_policy_document.reporting_ses.json,
+    data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
+  ]
+
+  lambda_environment_variables = {
+    APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
+    APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
+    APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
+    WORKSPACE               = terraform.workspace
+
+    REPORT_BUCKET_NAME = module.ndr-report-store.bucket_id
+    CONTACT_TABLE_NAME = module.bulk_upload_contact_lookup_table.table_name
+
+    PRM_MAILBOX_EMAIL     = data.aws_ssm_parameter.prm_mailbox_email.value
+    SES_FROM_ADDRESS      = module.ses.report_email_address
+    SES_CONFIGURATION_SET = aws_ses_configuration_set.reporting.name
+  }
+
+  is_gateway_integration_needed = false
+  is_invoked_from_gateway       = false
+}

infrastructure/lambda-report-distribution.tf

@@ -105,7 +105,7 @@ module "send-feedback-lambda" {
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
     module.send-feedback-gateway,
-    module.ndr-feedback-mailbox,
+    module.ses,
     module.ndr-app-config
   ]
 }

infrastructure/lambda-send-feedback.tf

@@ -1,32 +1,28 @@
-# module "ses-feedback-monitor-lambda" {
-#   source         = "./modules/lambda"
-#   name           = "SesFeedbackMonitor"
-#   handler        = "handlers.ses_feedback_monitor_handler.lambda_handler"
-#   lambda_timeout = 60
-#
-#   iam_role_policy_documents = [
-#     data.aws_iam_policy_document.ses_feedback_s3_put.json,
-#     data.aws_iam_policy_document.reporting_ses.json,
-#     data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
-#   ]
-#
-#   lambda_environment_variables = {
-#     APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
-#     APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
-#     APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
-#     WORKSPACE               = terraform.workspace
-#
-#     SES_FEEDBACK_BUCKET_NAME = module.ses-feedback-store.bucket_id
-#     SES_FEEDBACK_PREFIX      = "ses-feedback/"
-#     PRM_MAILBOX_EMAIL        = data.aws_ssm_parameter.prm_mailbox_email.value
-#     SES_FROM_ADDRESS         = local.reporting_ses_from_address_value
-#     ALERT_ON_EVENT_TYPES     = "BOUNCE,REJECT"
-#   }
-#
-#   is_gateway_integration_needed = false
-#   is_invoked_from_gateway       = false
-#
-#   depends_on = [
-#     module.ses-feedback-store
-#   ]
-# }
+module "ses-feedback-monitor-lambda" {
+  source         = "./modules/lambda"
+  name           = "SesFeedbackMonitor"
+  handler        = "handlers.ses_feedback_monitor_handler.lambda_handler"
+  lambda_timeout = 60
+
+  iam_role_policy_documents = [
+    data.aws_iam_policy_document.ses_feedback_s3_put.json,
+    data.aws_iam_policy_document.reporting_ses.json,
+    data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
+  ]
+
+  lambda_environment_variables = {
+    APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
+    APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
+    APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
+    WORKSPACE               = terraform.workspace
+
+    SES_FEEDBACK_BUCKET_NAME = module.ses-feedback-store.bucket_id
+    SES_FEEDBACK_PREFIX      = "ses-feedback/"
+    PRM_MAILBOX_EMAIL        = data.aws_ssm_parameter.prm_mailbox_email.value
+    SES_FROM_ADDRESS         = module.ses.report_email_address
+    ALERT_ON_EVENT_TYPES     = "BOUNCE,REJECT"
+  }
+
+  is_gateway_integration_needed = false
+  is_invoked_from_gateway       = false
+}

infrastructure/lambda-ses-feedback-monitor.tf

@@ -42,21 +42,26 @@ module "ses_identity" {
 
 | Name | Type |
 |------|------|
+| [aws_route53_record.dmarc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.ndr_ses_dkim_record](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_record.ses_mail_from_mx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_record.ses_mail_from_spf](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_ses_domain_dkim.ndr_dkim](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_dkim) | resource |
 | [aws_ses_domain_identity.ndr_ses](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_identity) | resource |
 | [aws_ses_domain_identity_verification.ndr_ses_domain_verification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_identity_verification) | resource |
+| [aws_ses_domain_mail_from.reporting](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_mail_from) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_domain"></a> [domain](#input\_domain) | The root domain name to be registered with SES and used for verification. | `string` | n/a | yes |
-| <a name="input_domain_prefix"></a> [domain\_prefix](#input\_domain\_prefix) | The subdomain or prefix used to construct the full SES identity domain. | `string` | n/a | yes |
-| <a name="input_enable"></a> [enable](#input\_enable) | Whether to enable the creation of SES identity, DKIM, and DNS records. | `bool` | n/a | yes |
+| <a name="input_is_sandbox"></a> [is\_sandbox](#input\_is\_sandbox) | Whether the workspace being created is a sandbox. | `bool` | n/a | yes |
 | <a name="input_zone_id"></a> [zone\_id](#input\_zone\_id) | The Route53 hosted zone ID where DNS verification records will be created. | `string` | n/a | yes |
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_report_email_address"></a> [report\_email\_address](#output\_report\_email\_address) | n/a |
 <!-- END_TF_DOCS -->

infrastructure/modules/ses/README.md

@@ -1,29 +1,65 @@
 resource "aws_ses_domain_identity" "ndr_ses" {
-  domain = var.domain
-  count  = var.enable ? 1 : 0
+  domain = var.is_sandbox ? "${terraform.workspace}.dev.${var.domain}" : "${terraform.workspace}.${var.domain}"
 }
 
 resource "aws_ses_domain_dkim" "ndr_dkim" {
-  domain = aws_ses_domain_identity.ndr_ses[0].domain
+  domain = aws_ses_domain_identity.ndr_ses.domain
 
-  count      = var.enable ? 1 : 0
-  depends_on = [aws_ses_domain_identity.ndr_ses[0]]
+  depends_on = [aws_ses_domain_identity.ndr_ses]
 }
 
 resource "aws_route53_record" "ndr_ses_dkim_record" {
+  count = 3
+
   zone_id = var.zone_id
-  name    = "${aws_ses_domain_dkim.ndr_dkim[0].dkim_tokens[count.index]}._domainkey.${var.domain_prefix}"
+  name    = var.is_sandbox ? "${aws_ses_domain_dkim.ndr_dkim.dkim_tokens[count.index]}._domainkey.${terraform.workspace}.dev" : "${aws_ses_domain_dkim.ndr_dkim.dkim_tokens[count.index]}._domainkey.${terraform.workspace}"
   type    = "CNAME"
   ttl     = 1800
-  records = ["${aws_ses_domain_dkim.ndr_dkim[0].dkim_tokens[count.index]}.dkim.amazonses.com"]
+  records = ["${aws_ses_domain_dkim.ndr_dkim.dkim_tokens[count.index]}.dkim.amazonses.com"]
 
-  count      = var.enable ? 3 : 0
-  depends_on = [aws_ses_domain_dkim.ndr_dkim[0]]
+  depends_on = [aws_ses_domain_dkim.ndr_dkim]
 }
 
 resource "aws_ses_domain_identity_verification" "ndr_ses_domain_verification" {
-  domain = aws_ses_domain_identity.ndr_ses[0].domain
+  domain = aws_ses_domain_identity.ndr_ses.domain
+
+  depends_on = [aws_route53_record.ndr_ses_dkim_record]
+}
+
+resource "aws_ses_domain_mail_from" "reporting" {
+  domain           = aws_ses_domain_identity.ndr_ses.domain
+  mail_from_domain = "mail.${aws_ses_domain_identity.ndr_ses.domain}"
+
+  behavior_on_mx_failure = "UseDefaultValue"
+}
+
+resource "aws_route53_record" "ses_mail_from_mx" {
+  zone_id = var.zone_id
+  name    = "mail.${aws_ses_domain_identity.ndr_ses.domain}"
+  type    = "MX"
+  ttl     = 600
+
+  records = [
+    "10 feedback-smtp.eu-west-2.amazonses.com"
+  ]
+}
+
+resource "aws_route53_record" "ses_mail_from_spf" {
+  zone_id = var.zone_id
+  name    = "mail.${aws_ses_domain_identity.ndr_ses.domain}"
+  type    = "TXT"
+  ttl     = 600
+
+  records = [
+    "v=spf1 include:amazonses.com -all"
+  ]
+}
+
+resource "aws_route53_record" "dmarc" {
+  zone_id = var.zone_id
+  name    = "_dmarc.${aws_ses_domain_identity.ndr_ses.domain}"
+  type    = "TXT"
+  ttl     = 300
 
-  count      = var.enable ? 1 : 0
-  depends_on = [aws_route53_record.ndr_ses_dkim_record[0]]
+  records = ["v=DMARC1; p=none; adkim=s; aspf=s"]
 }

infrastructure/modules/ses/main.tf

@@ -0,0 +1,14 @@
+moved {
+  from = aws_ses_domain_identity.ndr_ses[0]
+  to   = aws_ses_domain_identity.ndr_ses
+}
+
+moved {
+  from = aws_ses_domain_dkim.ndr_dkim[0]
+  to   = aws_ses_domain_dkim.ndr_dkim
+}
+
+moved {
+  from = aws_ses_domain_identity_verification.ndr_ses_domain_verification[0]
+  to   = aws_ses_domain_identity_verification.ndr_ses_domain_verification
+}

infrastructure/modules/ses/moved-1.6.15.tf

@@ -0,0 +1,3 @@
+output "report_email_address" {
+  value = "ndr-reports@${aws_ses_domain_identity.ndr_ses.domain}"
+}