[PRM-741] Rearchitect SES

Author: chrisbloe

infrastructure/buckets.tf

@@ -527,7 +527,7 @@ module "ses-feedback-store" {
   force_destroy            = local.is_force_destroy
 }
 
-resource "aws_s3_bucket_lifecycle_configuration" "ses_feedback_lifecycle_rules" {
+resource "aws_s3_bucket_lifecycle_configuration" "ses_feedback_store" {
   bucket = module.ses-feedback-store.bucket_id
 
   rule {

infrastructure/iam.tf

@@ -372,7 +372,7 @@ data "aws_iam_policy_document" "reporting_ses" {
     condition {
       test     = "StringEquals"
       variable = "ses:FromAddress"
-      values   = [local.reporting_ses_from_address_value]
+      values   = [module.ses.report_email_address]
     }
   }
 }

infrastructure/lambda-report-distribution.tf

@@ -21,7 +21,7 @@ module "report-distribution-lambda" {
     CONTACT_TABLE_NAME = module.bulk_upload_contact_lookup_table.table_name
 
     PRM_MAILBOX_EMAIL     = data.aws_ssm_parameter.prm_mailbox_email.value
-    SES_FROM_ADDRESS      = local.reporting_ses_from_address_value
+    SES_FROM_ADDRESS      = module.ses.report_email_address
     SES_CONFIGURATION_SET = aws_ses_configuration_set.reporting.name
   }
 

infrastructure/lambda-send-feedback.tf

@@ -105,7 +105,7 @@ module "send-feedback-lambda" {
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
     module.send-feedback-gateway,
-    module.ndr-feedback-mailbox,
+    module.ses,
     module.ndr-app-config
   ]
 }

infrastructure/lambda-ses-feedback-monitor.tf

@@ -19,14 +19,10 @@ module "ses-feedback-monitor-lambda" {
     SES_FEEDBACK_BUCKET_NAME = module.ses-feedback-store.bucket_id
     SES_FEEDBACK_PREFIX      = "ses-feedback/"
     PRM_MAILBOX_EMAIL        = data.aws_ssm_parameter.prm_mailbox_email.value
-    SES_FROM_ADDRESS         = local.reporting_ses_from_address_value
+    SES_FROM_ADDRESS         = module.ses.report_email_address
     ALERT_ON_EVENT_TYPES     = "BOUNCE,REJECT"
   }
 
   is_gateway_integration_needed = false
   is_invoked_from_gateway       = false
-
-  depends_on = [
-    module.ses-feedback-store
-  ]
 }

infrastructure/modules/ses/main.tf

@@ -1,5 +1,5 @@
 resource "aws_ses_domain_identity" "ndr_ses" {
-  domain = var.domain
+  domain = "${terraform.workspace}.${var.domain}"
   count  = var.enable ? 1 : 0
 }
 
@@ -12,7 +12,7 @@ resource "aws_ses_domain_dkim" "ndr_dkim" {
 
 resource "aws_route53_record" "ndr_ses_dkim_record" {
   zone_id = var.zone_id
-  name    = "${aws_ses_domain_dkim.ndr_dkim[0].dkim_tokens[count.index]}._domainkey.${var.domain_prefix}"
+  name    = "${aws_ses_domain_dkim.ndr_dkim[0].dkim_tokens[count.index]}._domainkey.${terraform.workspace}"
   type    = "CNAME"
   ttl     = 1800
   records = ["${aws_ses_domain_dkim.ndr_dkim[0].dkim_tokens[count.index]}.dkim.amazonses.com"]
@@ -27,3 +27,35 @@ resource "aws_ses_domain_identity_verification" "ndr_ses_domain_verification" {
   count      = var.enable ? 1 : 0
   depends_on = [aws_route53_record.ndr_ses_dkim_record[0]]
 }
+
+resource "aws_ses_domain_mail_from" "reporting" {
+  count            = var.enable ? 1 : 0
+  domain           = module.ses.domain_identity
+  mail_from_domain = "mail.${terraform.workspace}.${var.domain}"
+
+  behavior_on_mx_failure = "UseDefaultValue"
+}
+
+resource "aws_route53_record" "ses_mail_from_mx" {
+  count   = var.enable ? 1 : 0
+  zone_id = module.route53_fargate_ui.zone_id
+  name    = "mail.${terraform.workspace}.${var.domain}"
+  type    = "MX"
+  ttl     = 600
+
+  records = [
+    "10 feedback-smtp.eu-west-2.amazonses.com"
+  ]
+}
+
+resource "aws_route53_record" "ses_mail_from_spf" {
+  count   = var.enable ? 1 : 0
+  zone_id = module.route53_fargate_ui.zone_id
+  name    = "mail.${terraform.workspace}.${var.domain}"
+  type    = "TXT"
+  ttl     = 600
+
+  records = [
+    "v=spf1 include:amazonses.com -all"
+  ]
+}

infrastructure/modules/ses/output.tf

@@ -0,0 +1,3 @@
+output "report_email_address" {
+  value = "ndr-reports@${aws_ses_domain_identity.ndr_ses[0].domain}"
+}

infrastructure/modules/ses/variable.tf

@@ -1,8 +1,3 @@
-variable "domain_prefix" {
-  description = "The subdomain or prefix used to construct the full SES identity domain."
-  type        = string
-}
-
 variable "domain" {
   description = "The root domain name to be registered with SES and used for verification."
   type        = string

infrastructure/modules/sns/README.md

@@ -93,7 +93,6 @@ module "sns_topic" {
 | <a name="input_enable_ses_publish"></a> [enable\_ses\_publish](#input\_enable\_ses\_publish) | If true, module appends a statement allowing ses.amazonaws.com to SNS:Publish to this topic. | `bool` | `false` | no |
 | <a name="input_is_topic_endpoint_list"></a> [is\_topic\_endpoint\_list](#input\_is\_topic\_endpoint\_list) | Whether to use the topic\_endpoint\_list instead of a single topic\_endpoint. | `bool` | `false` | no |
 | <a name="input_raw_message_delivery"></a> [raw\_message\_delivery](#input\_raw\_message\_delivery) | Whether to enable raw message delivery for the SNS subscription. | `bool` | `false` | no |
-| <a name="input_ses_source_account_id"></a> [ses\_source\_account\_id](#input\_ses\_source\_account\_id) | AWS account ID used in the AWS:SourceAccount condition for SES publishing. | `string` | `""` | no |
 | <a name="input_sns_encryption_key_id"></a> [sns\_encryption\_key\_id](#input\_sns\_encryption\_key\_id) | The ARN (or ID) of the KMS key used for encrypting the SNS topic. | `string` | n/a | yes |
 | <a name="input_sqs_feedback"></a> [sqs\_feedback](#input\_sqs\_feedback) | Map of IAM role ARNs and sample rate for success and failure feedback. | `map(string)` | `{}` | no |
 | <a name="input_topic_endpoint"></a> [topic\_endpoint](#input\_topic\_endpoint) | A single endpoint (e.g., SQS queue or Lambda function ARN) to subscribe to the topic. | `any` | `null` | no |

infrastructure/modules/sns/main.tf

@@ -1,3 +1,5 @@
+data "aws_caller_identity" "current" {}
+
 locals {
   base_topic_policy_json = var.topic_policy_json != null ? var.topic_policy_json : var.delivery_policy
   base_topic_policy_obj  = jsondecode(local.base_topic_policy_json)
@@ -24,7 +26,7 @@ locals {
     Resource = aws_sns_topic.sns_topic.arn
     Condition = {
       StringEquals = {
-        "AWS:SourceAccount" = var.ses_source_account_id
+        "AWS:SourceAccount" = data.aws_caller_identity.current.account_id
       }
     }
   } : null