AFS
/
xdr-terraform-modules


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170
							######################
# Access keys
#
# For rotation purposes, there are two of these. Delete the oldest one,
# add a new one (with a higher version number), and then update the output.

# ses_user
resource "aws_iam_access_key" "ses_access_key-v4" {
  user     = aws_iam_user.ses_user.name
  provider = aws.ses
}

resource "aws_iam_access_key" "ses_access_key-v5" {
  user     = aws_iam_user.ses_user.name
  provider = aws.ses
}

# This just muddies the output, but is good for troubleshooting, so I'm just
# commenting it out.
#output ses_user_access_keys {
#  value = {
#    "current" = {
#      "aws_access_key_id": aws_iam_access_key.ses_access_key-v1.id
#      "aws_secret_access_key": aws_iam_access_key.ses_access_key-v1.secret
#    },
#    "previous" = {
#      "aws_access_key_id": aws_iam_access_key.ses_access_key-v0.id
#      "aws_secret_access_key": aws_iam_access_key.ses_access_key-v0.secret
#    }
#  }
#}

output "ses_user_smtp_username" {
  value = aws_iam_access_key.ses_access_key-v5.id
}

output "ses_user_smtp_password" {
  value     = aws_iam_access_key.ses_access_key-v5.ses_smtp_password_v4
  sensitive = true
}


######################
# SES Domain

resource "aws_ses_domain_identity" "public" {
  domain   = var.dns_info["public"]["zone"]
  provider = aws.ses
}

resource "aws_route53_record" "amazonses_verification_record" {
  zone_id  = var.dns_info["public"]["zone_id"]
  name     = "_amazonses"
  type     = "TXT"
  ttl      = "600"
  records  = [aws_ses_domain_identity.public.verification_token]
  provider = aws.mdr-common-services-commercial
}

resource "aws_ses_domain_identity_verification" "ses_verification" {
  domain = aws_ses_domain_identity.public.id
  depends_on = [
    aws_route53_record.amazonses_verification_record,
    aws_route53_record.amazonses_dkim_record,
    aws_route53_record.ses_spf_record,
    aws_route53_record.ses_domain_mail_from_mx,
  ]
  provider = aws.ses
}

######################
# DKIM

resource "aws_ses_domain_dkim" "public" {
  domain   = aws_ses_domain_identity.public.domain
  provider = aws.ses
}

resource "aws_route53_record" "amazonses_dkim_record" {
  count    = 3
  zone_id  = var.dns_info["public"]["zone_id"]
  name     = "${element(aws_ses_domain_dkim.public.dkim_tokens, count.index)}._domainkey"
  type     = "CNAME"
  ttl      = "600"
  records  = ["${element(aws_ses_domain_dkim.public.dkim_tokens, count.index)}.dkim.amazonses.com"]
  provider = aws.mdr-common-services-commercial
}

######################
# SPF

resource "aws_route53_record" "ses_spf_record" {
  zone_id  = var.dns_info["public"]["zone_id"]
  name     = ""
  type     = "TXT"
  ttl      = "600"
  records  = ["v=spf1 include:amazonses.com -all"]
  provider = aws.mdr-common-services-commercial
}

######################
# MAIL FROM

resource "aws_ses_domain_mail_from" "public" {
  domain           = aws_ses_domain_identity.public.domain
  mail_from_domain = "bounce.${aws_ses_domain_identity.public.domain}"
  provider         = aws.ses
}

######################
# MX for MAIL FROM
resource "aws_route53_record" "ses_domain_mail_from_mx" {
  zone_id  = var.dns_info["public"]["zone_id"]
  name     = aws_ses_domain_mail_from.public.mail_from_domain
  type     = "MX"
  ttl      = "600"
  records  = ["10 feedback-smtp.${var.ses_region}.amazonses.com"]
  provider = aws.mdr-common-services-commercial
}

#-----------------------------------------------
# IAM user for smtp auth
#-----------------------------------------------
resource "aws_iam_user" "ses_user" {
  name = "ses_user"
  path = "/service_accounts/"
}

resource "aws_iam_user_policy" "ses_user" {
  name = "ses_user_policy"
  user = aws_iam_user.ses_user.name

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ses:SendRawEmail"
      ],
      "Effect": "Allow",
      # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
      "Resource": "*"
    }
  ]
}
EOF
}

#------------------------------------
# SNS topic for bounce notifications
#------------------------------------
resource "aws_sns_topic" "bounces" {
  name     = "ses-notifications"
  provider = aws.ses
}

resource "aws_ses_identity_notification_topic" "bounce_notification" {
  topic_arn         = aws_sns_topic.bounces.arn
  notification_type = "Bounce"
  identity          = aws_ses_domain_identity.public.domain
  provider          = aws.ses
}

resource "aws_ses_identity_notification_topic" "complaint_notification" {
  topic_arn         = aws_sns_topic.bounces.arn
  notification_type = "Complaint"
  identity          = aws_ses_domain_identity.public.domain
  provider          = aws.ses
}