[PRM-741] Rearchitect SES

infrastructure/iam.tf

@@ -355,37 +355,37 @@ resource "aws_iam_policy" "s3_document_data_policy_post_document_review_lambda"
   })
 }
 
-# data "aws_iam_policy_document" "reporting_ses" {
-#   statement {
-#     sid    = "SESAccess"
-#     effect = "Allow"
-#
-#     actions = [
-#       "ses:SendEmail",
-#       "ses:SendRawEmail"
-#     ]
-#
-#     resources = [
-#       "arn:aws:ses:${var.region}:${data.aws_caller_identity.current.account_id}:identity/*",
-#       "arn:aws:ses:${var.region}:${data.aws_caller_identity.current.account_id}:configuration-set/${aws_ses_configuration_set.reporting.name}"
-#     ]
-#
-#     condition {
-#       test     = "StringEquals"
-#       variable = "ses:FromAddress"
-#       values   = [local.reporting_ses_from_address_value]
-#     }
-#   }
-# }
-#
-# data "aws_iam_policy_document" "ses_feedback_s3_put" {
-#   statement {
-#     effect = "Allow"
-#     actions = [
-#       "s3:PutObject"
-#     ]
-#     resources = [
-#       "${module.ses-feedback-store.bucket_arn}/ses-feedback/*"
-#     ]
-#   }
-# }
+data "aws_iam_policy_document" "reporting_ses" {
+  statement {
+    sid    = "SESAccess"
+    effect = "Allow"
+
+    actions = [
+      "ses:SendEmail",
+      "ses:SendRawEmail"
+    ]
+
+    resources = [
+      "arn:aws:ses:${var.region}:${data.aws_caller_identity.current.account_id}:identity/*",
+      "arn:aws:ses:${var.region}:${data.aws_caller_identity.current.account_id}:configuration-set/${aws_ses_configuration_set.reporting.name}"
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "ses:FromAddress"
+      values   = [module.ses.report_email_address]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "ses_feedback_s3_put" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:PutObject"
+    ]
+    resources = [
+      "${module.ses-feedback-store.bucket_arn}/ses-feedback/*"
+    ]
+  }
+}

infrastructure/kms_sns.tf

@@ -4,7 +4,6 @@ module "sns_encryption_key" {
   kms_key_description = "Custom KMS Key to enable server side encryption for sns subscriptions"
   environment         = var.environment
   owner               = var.owner
-  # service_identifiers = ["sns.amazonaws.com", "cloudwatch.amazonaws.com", "ses.amazonaws.com"]
-  service_identifiers = ["sns.amazonaws.com", "cloudwatch.amazonaws.com"]
+  service_identifiers = ["sns.amazonaws.com", "cloudwatch.amazonaws.com", "ses.amazonaws.com"]
   kms_deletion_window = var.kms_deletion_window
 }

infrastructure/lambda-report-distribution.tf

@@ -1,30 +1,30 @@
-# module "report-distribution-lambda" {
-#   source         = "./modules/lambda"
-#   name           = "ReportDistribution"
-#   handler        = "handlers.report_distribution_handler.lambda_handler"
-#   lambda_timeout = 300
-#
-#   iam_role_policy_documents = [
-#     module.ndr-report-store.s3_read_policy_document,
-#     module.bulk_upload_contact_lookup_table.dynamodb_read_policy_document,
-#     data.aws_iam_policy_document.reporting_ses.json,
-#     data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
-#   ]
-#
-#   lambda_environment_variables = {
-#     APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
-#     APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
-#     APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
-#     WORKSPACE               = terraform.workspace
-#
-#     REPORT_BUCKET_NAME = module.ndr-report-store.bucket_id
-#     CONTACT_TABLE_NAME = module.bulk_upload_contact_lookup_table.table_name
-#
-#     PRM_MAILBOX_EMAIL     = data.aws_ssm_parameter.prm_mailbox_email.value
-#     SES_FROM_ADDRESS      = local.reporting_ses_from_address_value
-#     SES_CONFIGURATION_SET = aws_ses_configuration_set.reporting.name
-#   }
-#
-#   is_gateway_integration_needed = false
-#   is_invoked_from_gateway       = false
-# }
+module "report-distribution-lambda" {
+  source         = "./modules/lambda"
+  name           = "ReportDistribution"
+  handler        = "handlers.report_distribution_handler.lambda_handler"
+  lambda_timeout = 300
+
+  iam_role_policy_documents = [
+    module.ndr-report-store.s3_read_policy_document,
+    module.bulk_upload_contact_lookup_table.dynamodb_read_policy_document,
+    data.aws_iam_policy_document.reporting_ses.json,
+    data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
+  ]
+
+  lambda_environment_variables = {
+    APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
+    APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
+    APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
+    WORKSPACE               = terraform.workspace
+
+    REPORT_BUCKET_NAME = module.ndr-report-store.bucket_id
+    CONTACT_TABLE_NAME = module.bulk_upload_contact_lookup_table.table_name
+
+    PRM_MAILBOX_EMAIL     = data.aws_ssm_parameter.prm_mailbox_email.value
+    SES_FROM_ADDRESS      = module.ses.report_email_address
+    SES_CONFIGURATION_SET = aws_ses_configuration_set.reporting.name
+  }
+
+  is_gateway_integration_needed = false
+  is_invoked_from_gateway       = false
+}

infrastructure/lambda-send-feedback.tf

@@ -105,7 +105,7 @@ module "send-feedback-lambda" {
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
     module.send-feedback-gateway,
-    module.ndr-feedback-mailbox,
+    module.ses,
     module.ndr-app-config
   ]
 }

infrastructure/lambda-ses-feedback-monitor.tf

@@ -1,32 +1,28 @@
-# module "ses-feedback-monitor-lambda" {
-#   source         = "./modules/lambda"
-#   name           = "SesFeedbackMonitor"
-#   handler        = "handlers.ses_feedback_monitor_handler.lambda_handler"
-#   lambda_timeout = 60
-#
-#   iam_role_policy_documents = [
-#     data.aws_iam_policy_document.ses_feedback_s3_put.json,
-#     data.aws_iam_policy_document.reporting_ses.json,
-#     data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
-#   ]
-#
-#   lambda_environment_variables = {
-#     APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
-#     APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
-#     APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
-#     WORKSPACE               = terraform.workspace
-#
-#     SES_FEEDBACK_BUCKET_NAME = module.ses-feedback-store.bucket_id
-#     SES_FEEDBACK_PREFIX      = "ses-feedback/"
-#     PRM_MAILBOX_EMAIL        = data.aws_ssm_parameter.prm_mailbox_email.value
-#     SES_FROM_ADDRESS         = local.reporting_ses_from_address_value
-#     ALERT_ON_EVENT_TYPES     = "BOUNCE,REJECT"
-#   }
-#
-#   is_gateway_integration_needed = false
-#   is_invoked_from_gateway       = false
-#
-#   depends_on = [
-#     module.ses-feedback-store
-#   ]
-# }
+module "ses-feedback-monitor-lambda" {
+  source         = "./modules/lambda"
+  name           = "SesFeedbackMonitor"
+  handler        = "handlers.ses_feedback_monitor_handler.lambda_handler"
+  lambda_timeout = 60
+
+  iam_role_policy_documents = [
+    data.aws_iam_policy_document.ses_feedback_s3_put.json,
+    data.aws_iam_policy_document.reporting_ses.json,
+    data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
+  ]
+
+  lambda_environment_variables = {
+    APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
+    APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
+    APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
+    WORKSPACE               = terraform.workspace
+
+    SES_FEEDBACK_BUCKET_NAME = module.ses-feedback-store.bucket_id
+    SES_FEEDBACK_PREFIX      = "ses-feedback/"
+    PRM_MAILBOX_EMAIL        = data.aws_ssm_parameter.prm_mailbox_email.value
+    SES_FROM_ADDRESS         = module.ses.report_email_address
+    ALERT_ON_EVENT_TYPES     = "BOUNCE,REJECT"
+  }
+
+  is_gateway_integration_needed = false
+  is_invoked_from_gateway       = false
+}

infrastructure/modules/ses/README.md

@@ -42,21 +42,26 @@ module "ses_identity" {
 
 | Name | Type |
 |------|------|
+| [aws_route53_record.dmarc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.ndr_ses_dkim_record](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_record.ses_mail_from_mx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_record.ses_mail_from_spf](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_ses_domain_dkim.ndr_dkim](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_dkim) | resource |
 | [aws_ses_domain_identity.ndr_ses](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_identity) | resource |
 | [aws_ses_domain_identity_verification.ndr_ses_domain_verification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_identity_verification) | resource |
+| [aws_ses_domain_mail_from.reporting](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_mail_from) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_domain"></a> [domain](#input\_domain) | The root domain name to be registered with SES and used for verification. | `string` | n/a | yes |
-| <a name="input_domain_prefix"></a> [domain\_prefix](#input\_domain\_prefix) | The subdomain or prefix used to construct the full SES identity domain. | `string` | n/a | yes |
-| <a name="input_enable"></a> [enable](#input\_enable) | Whether to enable the creation of SES identity, DKIM, and DNS records. | `bool` | n/a | yes |
+| <a name="input_is_sandbox"></a> [is\_sandbox](#input\_is\_sandbox) | Whether the workspace being created is a sandbox. | `bool` | n/a | yes |
 | <a name="input_zone_id"></a> [zone\_id](#input\_zone\_id) | The Route53 hosted zone ID where DNS verification records will be created. | `string` | n/a | yes |
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_report_email_address"></a> [report\_email\_address](#output\_report\_email\_address) | n/a |
 <!-- END_TF_DOCS -->

infrastructure/modules/ses/main.tf

@@ -1,29 +1,65 @@
 resource "aws_ses_domain_identity" "ndr_ses" {
-  domain = var.domain
-  count  = var.enable ? 1 : 0
+  domain = var.is_sandbox ? "${terraform.workspace}.dev.${var.domain}" : "${terraform.workspace}.${var.domain}"
 }
 
 resource "aws_ses_domain_dkim" "ndr_dkim" {
-  domain = aws_ses_domain_identity.ndr_ses[0].domain
+  domain = aws_ses_domain_identity.ndr_ses.domain
 
-  count      = var.enable ? 1 : 0
-  depends_on = [aws_ses_domain_identity.ndr_ses[0]]
+  depends_on = [aws_ses_domain_identity.ndr_ses]
 }
 
 resource "aws_route53_record" "ndr_ses_dkim_record" {
+  count = 3
+
   zone_id = var.zone_id
-  name    = "${aws_ses_domain_dkim.ndr_dkim[0].dkim_tokens[count.index]}._domainkey.${var.domain_prefix}"
+  name    = var.is_sandbox ? "${aws_ses_domain_dkim.ndr_dkim.dkim_tokens[count.index]}._domainkey.${terraform.workspace}.dev" : "${aws_ses_domain_dkim.ndr_dkim.dkim_tokens[count.index]}._domainkey.${terraform.workspace}"
   type    = "CNAME"
   ttl     = 1800
-  records = ["${aws_ses_domain_dkim.ndr_dkim[0].dkim_tokens[count.index]}.dkim.amazonses.com"]
+  records = ["${aws_ses_domain_dkim.ndr_dkim.dkim_tokens[count.index]}.dkim.amazonses.com"]
 
-  count      = var.enable ? 3 : 0
-  depends_on = [aws_ses_domain_dkim.ndr_dkim[0]]
+  depends_on = [aws_ses_domain_dkim.ndr_dkim]
 }
 
 resource "aws_ses_domain_identity_verification" "ndr_ses_domain_verification" {
-  domain = aws_ses_domain_identity.ndr_ses[0].domain
+  domain = aws_ses_domain_identity.ndr_ses.domain
+
+  depends_on = [aws_route53_record.ndr_ses_dkim_record]
+}
+
+resource "aws_ses_domain_mail_from" "reporting" {
+  domain           = aws_ses_domain_identity.ndr_ses.domain
+  mail_from_domain = "mail.${aws_ses_domain_identity.ndr_ses.domain}"
+
+  behavior_on_mx_failure = "UseDefaultValue"
+}
+
+resource "aws_route53_record" "ses_mail_from_mx" {
+  zone_id = var.zone_id
+  name    = "mail.${aws_ses_domain_identity.ndr_ses.domain}"
+  type    = "MX"
+  ttl     = 600
+
+  records = [
+    "10 feedback-smtp.eu-west-2.amazonses.com"
+  ]
+}
+
+resource "aws_route53_record" "ses_mail_from_spf" {
+  zone_id = var.zone_id
+  name    = "mail.${aws_ses_domain_identity.ndr_ses.domain}"
+  type    = "TXT"
+  ttl     = 600
+
+  records = [
+    "v=spf1 include:amazonses.com -all"
+  ]
+}
+
+resource "aws_route53_record" "dmarc" {
+  zone_id = var.zone_id
+  name    = "_dmarc.${aws_ses_domain_identity.ndr_ses.domain}"
+  type    = "TXT"
+  ttl     = 300
 
-  count      = var.enable ? 1 : 0
-  depends_on = [aws_route53_record.ndr_ses_dkim_record[0]]
+  records = ["v=DMARC1; p=none; adkim=s; aspf=s"]
 }

infrastructure/modules/ses/moved-1.6.15.tf

@@ -0,0 +1,14 @@
+moved {
+  from = aws_ses_domain_identity.ndr_ses[0]
+  to   = aws_ses_domain_identity.ndr_ses
+}
+
+moved {
+  from = aws_ses_domain_dkim.ndr_dkim[0]
+  to   = aws_ses_domain_dkim.ndr_dkim
+}
+
+moved {
+  from = aws_ses_domain_identity_verification.ndr_ses_domain_verification[0]
+  to   = aws_ses_domain_identity_verification.ndr_ses_domain_verification
+}

infrastructure/modules/ses/output.tf

@@ -0,0 +1,3 @@
+output "report_email_address" {
+  value = "ndr-reports@${aws_ses_domain_identity.ndr_ses.domain}"
+}

infrastructure/modules/ses/variable.tf

@@ -1,8 +1,3 @@
-variable "domain_prefix" {
-  description = "The subdomain or prefix used to construct the full SES identity domain."
-  type        = string
-}
-
 variable "domain" {
   description = "The root domain name to be registered with SES and used for verification."
   type        = string
@@ -13,7 +8,7 @@ variable "zone_id" {
   type        = string
 }
 
-variable "enable" {
-  description = "Whether to enable the creation of SES identity, DKIM, and DNS records."
+variable "is_sandbox" {
+  description = "Whether the workspace being created is a sandbox."
   type        = bool
 }

infrastructure/modules/sns/README.md

@@ -79,8 +79,10 @@ module "sns_topic" {
 | Name | Type |
 |------|------|
 | [aws_sns_topic.sns_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
+| [aws_sns_topic_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
 | [aws_sns_topic_subscription.sns_subscription_list](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
 | [aws_sns_topic_subscription.sns_subscription_single](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 
 ## Inputs
 
@@ -89,13 +91,15 @@ module "sns_topic" {
 | <a name="input_delivery_policy"></a> [delivery\_policy](#input\_delivery\_policy) | Attach delivery or IAM policy. (Legacy name; used as topic policy JSON in this module.) | `string` | n/a | yes |
 | <a name="input_enable_deduplication"></a> [enable\_deduplication](#input\_enable\_deduplication) | Prevent content based duplication in notification queue. | `bool` | `false` | no |
 | <a name="input_enable_fifo"></a> [enable\_fifo](#input\_enable\_fifo) | Attach first in first out policy to notification queue. | `bool` | `false` | no |
+| <a name="input_enable_ses_publish"></a> [enable\_ses\_publish](#input\_enable\_ses\_publish) | If true, module appends a statement allowing ses.amazonaws.com to SNS:Publish to this topic. | `bool` | `false` | no |
 | <a name="input_is_topic_endpoint_list"></a> [is\_topic\_endpoint\_list](#input\_is\_topic\_endpoint\_list) | Whether to use the topic\_endpoint\_list instead of a single topic\_endpoint. | `bool` | `false` | no |
 | <a name="input_raw_message_delivery"></a> [raw\_message\_delivery](#input\_raw\_message\_delivery) | Whether to enable raw message delivery for the SNS subscription. | `bool` | `false` | no |
 | <a name="input_sns_encryption_key_id"></a> [sns\_encryption\_key\_id](#input\_sns\_encryption\_key\_id) | The ARN (or ID) of the KMS key used for encrypting the SNS topic. | `string` | n/a | yes |
 | <a name="input_sqs_feedback"></a> [sqs\_feedback](#input\_sqs\_feedback) | Map of IAM role ARNs and sample rate for success and failure feedback. | `map(string)` | `{}` | no |
 | <a name="input_topic_endpoint"></a> [topic\_endpoint](#input\_topic\_endpoint) | A single endpoint (e.g., SQS queue or Lambda function ARN) to subscribe to the topic. | `any` | `null` | no |
 | <a name="input_topic_endpoint_list"></a> [topic\_endpoint\_list](#input\_topic\_endpoint\_list) | A list of endpoints (e.g., SQS ARNs) to subscribe to the topic. | `any` | `[]` | no |
 | <a name="input_topic_name"></a> [topic\_name](#input\_topic\_name) | Name of the SNS topic. | `string` | n/a | yes |
+| <a name="input_topic_policy_json"></a> [topic\_policy\_json](#input\_topic\_policy\_json) | Optional SNS topic access policy JSON. If set, it overrides delivery\_policy. | `string` | `null` | no |
 | <a name="input_topic_protocol"></a> [topic\_protocol](#input\_topic\_protocol) | The protocol to use for the subscription (e.g., 'sqs', 'lambda'). | `string` | n/a | yes |
 
 ## Outputs