[PRMP-1538] Remove SES execution (#626)

Author: PedroSoaresNHS

infrastructure/dns_email_auth.tf

@@ -1,9 +1,9 @@
-resource "aws_route53_record" "dmarc" {
-  count   = local.is_shared_workspace ? 1 : 0
-  zone_id = module.route53_fargate_ui.zone_id
-  name    = "_dmarc.${var.domain}"
-  type    = "TXT"
-  ttl     = 300
-
-  records = ["v=DMARC1; p=none; adkim=s; aspf=s"]
-}
+# resource "aws_route53_record" "dmarc" {
+#   count   = local.is_shared_workspace ? 1 : 0
+#   zone_id = module.route53_fargate_ui.zone_id
+#   name    = "_dmarc.${var.domain}"
+#   type    = "TXT"
+#   ttl     = 300
+#
+#   records = ["v=DMARC1; p=none; adkim=s; aspf=s"]
+# }

infrastructure/iam.tf

@@ -354,37 +354,37 @@ resource "aws_iam_policy" "s3_document_data_policy_post_document_review_lambda"
   })
 }
 
-data "aws_iam_policy_document" "reporting_ses" {
-  statement {
-    sid    = "SESAccess"
-    effect = "Allow"
-
-    actions = [
-      "ses:SendEmail",
-      "ses:SendRawEmail"
-    ]
-
-    resources = [
-      "arn:aws:ses:${var.region}:${data.aws_caller_identity.current.account_id}:identity/*",
-      "arn:aws:ses:${var.region}:${data.aws_caller_identity.current.account_id}:configuration-set/${aws_ses_configuration_set.reporting.name}"
-    ]
-
-    condition {
-      test     = "StringEquals"
-      variable = "ses:FromAddress"
-      values   = [local.reporting_ses_from_address_value]
-    }
-  }
-}
-
-data "aws_iam_policy_document" "ses_feedback_s3_put" {
-  statement {
-    effect = "Allow"
-    actions = [
-      "s3:PutObject"
-    ]
-    resources = [
-      "${module.ses-feedback-store.bucket_arn}/ses-feedback/*"
-    ]
-  }
-}
+# data "aws_iam_policy_document" "reporting_ses" {
+#   statement {
+#     sid    = "SESAccess"
+#     effect = "Allow"
+#
+#     actions = [
+#       "ses:SendEmail",
+#       "ses:SendRawEmail"
+#     ]
+#
+#     resources = [
+#       "arn:aws:ses:${var.region}:${data.aws_caller_identity.current.account_id}:identity/*",
+#       "arn:aws:ses:${var.region}:${data.aws_caller_identity.current.account_id}:configuration-set/${aws_ses_configuration_set.reporting.name}"
+#     ]
+#
+#     condition {
+#       test     = "StringEquals"
+#       variable = "ses:FromAddress"
+#       values   = [local.reporting_ses_from_address_value]
+#     }
+#   }
+# }
+#
+# data "aws_iam_policy_document" "ses_feedback_s3_put" {
+#   statement {
+#     effect = "Allow"
+#     actions = [
+#       "s3:PutObject"
+#     ]
+#     resources = [
+#       "${module.ses-feedback-store.bucket_arn}/ses-feedback/*"
+#     ]
+#   }
+# }

infrastructure/kms_sns.tf

@@ -4,6 +4,7 @@ module "sns_encryption_key" {
   kms_key_description = "Custom KMS Key to enable server side encryption for sns subscriptions"
   environment         = var.environment
   owner               = var.owner
-  service_identifiers = ["sns.amazonaws.com", "cloudwatch.amazonaws.com", "ses.amazonaws.com"]
+  # service_identifiers = ["sns.amazonaws.com", "cloudwatch.amazonaws.com", "ses.amazonaws.com"]
+  service_identifiers = ["sns.amazonaws.com", "cloudwatch.amazonaws.com"]
   kms_deletion_window = var.kms_deletion_window
 }

infrastructure/lambda-report-distribution.tf

@@ -1,30 +1,30 @@
-module "report-distribution-lambda" {
-  source         = "./modules/lambda"
-  name           = "ReportDistribution"
-  handler        = "handlers.report_distribution_handler.lambda_handler"
-  lambda_timeout = 300
-
-  iam_role_policy_documents = [
-    module.ndr-report-store.s3_read_policy_document,
-    module.bulk_upload_contact_lookup_table.dynamodb_read_policy_document,
-    data.aws_iam_policy_document.reporting_ses.json,
-    data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
-  ]
-
-  lambda_environment_variables = {
-    APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
-    APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
-    APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
-    WORKSPACE               = terraform.workspace
-
-    REPORT_BUCKET_NAME = module.ndr-report-store.bucket_id
-    CONTACT_TABLE_NAME = module.bulk_upload_contact_lookup_table.table_name
-
-    PRM_MAILBOX_EMAIL     = data.aws_ssm_parameter.prm_mailbox_email.value
-    SES_FROM_ADDRESS      = local.reporting_ses_from_address_value
-    SES_CONFIGURATION_SET = aws_ses_configuration_set.reporting.name
-  }
-
-  is_gateway_integration_needed = false
-  is_invoked_from_gateway       = false
-}
+# module "report-distribution-lambda" {
+#   source         = "./modules/lambda"
+#   name           = "ReportDistribution"
+#   handler        = "handlers.report_distribution_handler.lambda_handler"
+#   lambda_timeout = 300
+#
+#   iam_role_policy_documents = [
+#     module.ndr-report-store.s3_read_policy_document,
+#     module.bulk_upload_contact_lookup_table.dynamodb_read_policy_document,
+#     data.aws_iam_policy_document.reporting_ses.json,
+#     data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
+#   ]
+#
+#   lambda_environment_variables = {
+#     APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
+#     APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
+#     APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
+#     WORKSPACE               = terraform.workspace
+#
+#     REPORT_BUCKET_NAME = module.ndr-report-store.bucket_id
+#     CONTACT_TABLE_NAME = module.bulk_upload_contact_lookup_table.table_name
+#
+#     PRM_MAILBOX_EMAIL     = data.aws_ssm_parameter.prm_mailbox_email.value
+#     SES_FROM_ADDRESS      = local.reporting_ses_from_address_value
+#     SES_CONFIGURATION_SET = aws_ses_configuration_set.reporting.name
+#   }
+#
+#   is_gateway_integration_needed = false
+#   is_invoked_from_gateway       = false
+# }

infrastructure/lambda-ses-feedback-monitor.tf

@@ -1,32 +1,32 @@
-module "ses-feedback-monitor-lambda" {
-  source         = "./modules/lambda"
-  name           = "SesFeedbackMonitor"
-  handler        = "handlers.ses_feedback_monitor_handler.lambda_handler"
-  lambda_timeout = 60
-
-  iam_role_policy_documents = [
-    data.aws_iam_policy_document.ses_feedback_s3_put.json,
-    data.aws_iam_policy_document.reporting_ses.json,
-    data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
-  ]
-
-  lambda_environment_variables = {
-    APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
-    APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
-    APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
-    WORKSPACE               = terraform.workspace
-
-    SES_FEEDBACK_BUCKET_NAME = module.ses-feedback-store.bucket_id
-    SES_FEEDBACK_PREFIX      = "ses-feedback/"
-    PRM_MAILBOX_EMAIL        = data.aws_ssm_parameter.prm_mailbox_email.value
-    SES_FROM_ADDRESS         = local.reporting_ses_from_address_value
-    ALERT_ON_EVENT_TYPES     = "BOUNCE,REJECT"
-  }
-
-  is_gateway_integration_needed = false
-  is_invoked_from_gateway       = false
-
-  depends_on = [
-    module.ses-feedback-store
-  ]
-}
+# module "ses-feedback-monitor-lambda" {
+#   source         = "./modules/lambda"
+#   name           = "SesFeedbackMonitor"
+#   handler        = "handlers.ses_feedback_monitor_handler.lambda_handler"
+#   lambda_timeout = 60
+#
+#   iam_role_policy_documents = [
+#     data.aws_iam_policy_document.ses_feedback_s3_put.json,
+#     data.aws_iam_policy_document.reporting_ses.json,
+#     data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
+#   ]
+#
+#   lambda_environment_variables = {
+#     APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
+#     APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
+#     APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
+#     WORKSPACE               = terraform.workspace
+#
+#     SES_FEEDBACK_BUCKET_NAME = module.ses-feedback-store.bucket_id
+#     SES_FEEDBACK_PREFIX      = "ses-feedback/"
+#     PRM_MAILBOX_EMAIL        = data.aws_ssm_parameter.prm_mailbox_email.value
+#     SES_FROM_ADDRESS         = local.reporting_ses_from_address_value
+#     ALERT_ON_EVENT_TYPES     = "BOUNCE,REJECT"
+#   }
+#
+#   is_gateway_integration_needed = false
+#   is_invoked_from_gateway       = false
+#
+#   depends_on = [
+#     module.ses-feedback-store
+#   ]
+# }

infrastructure/modules/sns/README.md

@@ -79,7 +79,6 @@ module "sns_topic" {
 | Name | Type |
 |------|------|
 | [aws_sns_topic.sns_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
-| [aws_sns_topic_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
 | [aws_sns_topic_subscription.sns_subscription_list](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
 | [aws_sns_topic_subscription.sns_subscription_single](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
 
@@ -90,16 +89,13 @@ module "sns_topic" {
 | <a name="input_delivery_policy"></a> [delivery\_policy](#input\_delivery\_policy) | Attach delivery or IAM policy. (Legacy name; used as topic policy JSON in this module.) | `string` | n/a | yes |
 | <a name="input_enable_deduplication"></a> [enable\_deduplication](#input\_enable\_deduplication) | Prevent content based duplication in notification queue. | `bool` | `false` | no |
 | <a name="input_enable_fifo"></a> [enable\_fifo](#input\_enable\_fifo) | Attach first in first out policy to notification queue. | `bool` | `false` | no |
-| <a name="input_enable_ses_publish"></a> [enable\_ses\_publish](#input\_enable\_ses\_publish) | If true, module appends a statement allowing ses.amazonaws.com to SNS:Publish to this topic. | `bool` | `false` | no |
 | <a name="input_is_topic_endpoint_list"></a> [is\_topic\_endpoint\_list](#input\_is\_topic\_endpoint\_list) | Whether to use the topic\_endpoint\_list instead of a single topic\_endpoint. | `bool` | `false` | no |
 | <a name="input_raw_message_delivery"></a> [raw\_message\_delivery](#input\_raw\_message\_delivery) | Whether to enable raw message delivery for the SNS subscription. | `bool` | `false` | no |
-| <a name="input_ses_source_account_id"></a> [ses\_source\_account\_id](#input\_ses\_source\_account\_id) | AWS account ID used in the AWS:SourceAccount condition for SES publishing. | `string` | `""` | no |
 | <a name="input_sns_encryption_key_id"></a> [sns\_encryption\_key\_id](#input\_sns\_encryption\_key\_id) | The ARN (or ID) of the KMS key used for encrypting the SNS topic. | `string` | n/a | yes |
 | <a name="input_sqs_feedback"></a> [sqs\_feedback](#input\_sqs\_feedback) | Map of IAM role ARNs and sample rate for success and failure feedback. | `map(string)` | `{}` | no |
 | <a name="input_topic_endpoint"></a> [topic\_endpoint](#input\_topic\_endpoint) | A single endpoint (e.g., SQS queue or Lambda function ARN) to subscribe to the topic. | `any` | `null` | no |
 | <a name="input_topic_endpoint_list"></a> [topic\_endpoint\_list](#input\_topic\_endpoint\_list) | A list of endpoints (e.g., SQS ARNs) to subscribe to the topic. | `any` | `[]` | no |
 | <a name="input_topic_name"></a> [topic\_name](#input\_topic\_name) | Name of the SNS topic. | `string` | n/a | yes |
-| <a name="input_topic_policy_json"></a> [topic\_policy\_json](#input\_topic\_policy\_json) | Optional SNS topic access policy JSON. If set, it overrides delivery\_policy. | `string` | `null` | no |
 | <a name="input_topic_protocol"></a> [topic\_protocol](#input\_topic\_protocol) | The protocol to use for the subscription (e.g., 'sqs', 'lambda'). | `string` | n/a | yes |
 
 ## Outputs

infrastructure/modules/sns/main.tf

@@ -1,48 +1,49 @@
-locals {
-  base_topic_policy_json = var.topic_policy_json != null ? var.topic_policy_json : var.delivery_policy
-  base_topic_policy_obj  = jsondecode(local.base_topic_policy_json)
-  normalized_statements = [
-    for s in try(local.base_topic_policy_obj["Statement"], []) : merge(
-      s,
-      {
-        Resource = (
-          try(s["Resource"], null) == "*" || try(s["Resource"], null) == null
-          ? aws_sns_topic.sns_topic.arn
-          : s["Resource"]
-        )
-      }
-    )
-  ]
-
-  ses_publish_statement = var.enable_ses_publish ? {
-    Sid    = "AllowSESPublish"
-    Effect = "Allow"
-    Principal = {
-      Service = "ses.amazonaws.com"
-    }
-    Action   = "SNS:Publish"
-    Resource = aws_sns_topic.sns_topic.arn
-    Condition = {
-      StringEquals = {
-        "AWS:SourceAccount" = var.ses_source_account_id
-      }
-    }
-  } : null
-
-  effective_topic_policy_obj = merge(
-    local.base_topic_policy_obj,
-    {
-      Statement = concat(
-        local.normalized_statements,
-        var.enable_ses_publish ? [local.ses_publish_statement] : []
-      )
-    }
-  )
-  effective_topic_policy_json = jsonencode(local.effective_topic_policy_obj)
-}
+# locals {
+#   base_topic_policy_json = var.topic_policy_json != null ? var.topic_policy_json : var.delivery_policy
+#   base_topic_policy_obj  = jsondecode(local.base_topic_policy_json)
+#   normalized_statements = [
+#     for s in try(local.base_topic_policy_obj["Statement"], []) : merge(
+#       s,
+#       {
+#         Resource = (
+#           try(s["Resource"], null) == "*" || try(s["Resource"], null) == null
+#           ? aws_sns_topic.sns_topic.arn
+#           : s["Resource"]
+#         )
+#       }
+#     )
+#   ]
+#
+#   ses_publish_statement = var.enable_ses_publish ? {
+#     Sid    = "AllowSESPublish"
+#     Effect = "Allow"
+#     Principal = {
+#       Service = "ses.amazonaws.com"
+#     }
+#     Action   = "SNS:Publish"
+#     Resource = aws_sns_topic.sns_topic.arn
+#     Condition = {
+#       StringEquals = {
+#         "AWS:SourceAccount" = var.ses_source_account_id
+#       }
+#     }
+#   } : null
+#
+#   effective_topic_policy_obj = merge(
+#     local.base_topic_policy_obj,
+#     {
+#       Statement = concat(
+#         local.normalized_statements,
+#         var.enable_ses_publish ? [local.ses_publish_statement] : []
+#       )
+#     }
+#   )
+#   effective_topic_policy_json = jsonencode(local.effective_topic_policy_obj)
+# }
 
 resource "aws_sns_topic" "sns_topic" {
   name_prefix                 = "${terraform.workspace}-sns-${var.topic_name}"
+  policy                      = var.delivery_policy
   fifo_topic                  = var.enable_fifo
   content_based_deduplication = var.enable_deduplication
   kms_master_key_id           = var.sns_encryption_key_id
@@ -52,10 +53,10 @@ resource "aws_sns_topic" "sns_topic" {
   sqs_success_feedback_sample_rate = try(var.sqs_feedback.success_sample_rate, null)
 }
 
-resource "aws_sns_topic_policy" "this" {
-  arn    = aws_sns_topic.sns_topic.arn
-  policy = local.effective_topic_policy_json
-}
+# resource "aws_sns_topic_policy" "this" {
+#   arn    = aws_sns_topic.sns_topic.arn
+#   policy = local.effective_topic_policy_json
+# }
 
 resource "aws_sns_topic_subscription" "sns_subscription_single" {
   count                = var.is_topic_endpoint_list ? 0 : 1
@@ -64,7 +65,7 @@ resource "aws_sns_topic_subscription" "sns_subscription_single" {
   endpoint             = var.topic_endpoint
   raw_message_delivery = var.raw_message_delivery
 
-  depends_on = [aws_sns_topic_policy.this]
+  # depends_on = [aws_sns_topic_policy.this]
 }
 
 resource "aws_sns_topic_subscription" "sns_subscription_list" {
@@ -74,7 +75,7 @@ resource "aws_sns_topic_subscription" "sns_subscription_list" {
   endpoint             = each.value
   raw_message_delivery = var.raw_message_delivery
 
-  depends_on = [aws_sns_topic_policy.this]
+  # depends_on = [aws_sns_topic_policy.this]
 }
 
 output "arn" {