AFS
/
xdr-terraform-modules


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248
							######################
# Access keys
#
# For rotation purposes, there are two of these. Delete the oldest one,
# add a new one (with a higher version number), and then update the output.

# ses_user
resource "aws_iam_access_key" "ses_access_key-v2" {
  user     = aws_iam_user.ses_user.name
  provider = aws.ses
}

resource "aws_iam_access_key" "ses_access_key-v3" {
  user     = aws_iam_user.ses_user.name
  provider = aws.ses
}

# This just muddies the output, but is good for troubleshooting, so I'm just
# commenting it out.
#output ses_user_access_keys {
#  value = {
#    "current" = {
#      "aws_access_key_id": aws_iam_access_key.ses_access_key-v1.id
#      "aws_secret_access_key": aws_iam_access_key.ses_access_key-v1.secret
#    },
#    "previous" = {
#      "aws_access_key_id": aws_iam_access_key.ses_access_key-v0.id
#      "aws_secret_access_key": aws_iam_access_key.ses_access_key-v0.secret
#    }
#  }
#}

output ses_user_smtp_username {
  value = aws_iam_access_key.ses_access_key-v3.id
}

output ses_user_smtp_password { 
  value = aws_iam_access_key.ses_access_key-v3.ses_smtp_password_v4
  sensitive = true
}


# dps_portal
resource "aws_iam_access_key" "dps_portal_key-v2" {
  user     = aws_iam_user.dps_portal.name
  provider = aws.ses
}

resource "aws_iam_access_key" "dps_portal_key-v3" {
  user     = aws_iam_user.dps_portal.name
  provider = aws.ses
}

# This just muddies the output, but is good for troubleshooting, so I'm just
# commenting it out.
#output dps_portal_access_keys {
#  value = {
#    "current" = {
#      "aws_access_key_id": aws_iam_access_key.dps_portal_key-v1.id
#      "aws_secret_access_key": aws_iam_access_key.dps_portal_key-v1.secret
#    },
#    "previous" = {
#      "aws_access_key_id": aws_iam_access_key.dps_portal_key-v0.id
#      "aws_secret_access_key": aws_iam_access_key.dps_portal_key-v0.secret
#    }
#  }
#}

output dps_portal_smtp_username {
  value = aws_iam_access_key.dps_portal_key-v3.id
}

output dps_portal_smtp_password { 
  value = aws_iam_access_key.dps_portal_key-v3.ses_smtp_password_v4
  sensitive = true
}

######################
# SES Domain

resource "aws_ses_domain_identity" "public" {
  domain = var.dns_info["public"]["zone"]
  provider = aws.ses
}

resource "aws_route53_record" "amazonses_verification_record" {
  zone_id = var.dns_info["public"]["zone_id"]
  name    = "_amazonses"
  type    = "TXT"
  ttl     = "600"
  records = [ aws_ses_domain_identity.public.verification_token ]
  provider = aws.mdr-common-services-commercial
}

resource "aws_ses_domain_identity_verification" "ses_verification" {
  domain     = aws_ses_domain_identity.public.id
  depends_on = [
    aws_route53_record.amazonses_verification_record,
    aws_route53_record.amazonses_dkim_record,
    aws_route53_record.ses_spf_record,
    aws_route53_record.ses_domain_mail_from_mx,
  ]
  provider = aws.ses
}

######################
# DKIM

resource "aws_ses_domain_dkim" "public" {
  domain = aws_ses_domain_identity.public.domain
  provider = aws.ses
}

resource "aws_route53_record" "amazonses_dkim_record" {
  count   = 3
  zone_id = var.dns_info["public"]["zone_id"]
  name    = "${element(aws_ses_domain_dkim.public.dkim_tokens, count.index)}._domainkey"
  type    = "CNAME"
  ttl     = "600"
  records = [ "${element(aws_ses_domain_dkim.public.dkim_tokens, count.index)}.dkim.amazonses.com" ]
  provider = aws.mdr-common-services-commercial
}

######################
# SPF

resource "aws_route53_record" "ses_spf_record" {
  zone_id = var.dns_info["public"]["zone_id"]
  name    = ""
  type    = "TXT"
  ttl     = "600"
  records = ["v=spf1 include:amazonses.com -all"]
  provider = aws.mdr-common-services-commercial
}

######################
# MAIL FROM

resource "aws_ses_domain_mail_from" "public" {
  domain           = aws_ses_domain_identity.public.domain
  mail_from_domain = "bounce.${aws_ses_domain_identity.public.domain}"
  provider = aws.ses
}

######################
# MX for MAIL FROM
resource "aws_route53_record" "ses_domain_mail_from_mx" {
  zone_id = var.dns_info["public"]["zone_id"]
  name    = aws_ses_domain_mail_from.public.mail_from_domain
  type    = "MX"
  ttl     = "600"
  records = ["10 feedback-smtp.${var.ses_region}.amazonses.com"] 
  provider = aws.mdr-common-services-commercial
}

#-----------------------------------------------
# IAM user for smtp auth
#-----------------------------------------------
resource "aws_iam_user" "ses_user" {
  name     = "ses_user"
  path     = "/service_accounts/"
}

resource "aws_iam_user_policy" "ses_user" {
  name     = "ses_user_policy"
  user     = aws_iam_user.ses_user.name

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ses:SendRawEmail"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

#-----------------------------------------------
# IAM user for smtp auth for dps-portal
#-----------------------------------------------
resource "aws_iam_user" "dps_portal" {
  name     = "dps_portal"
  path     = "/service_accounts/"
}

resource "aws_iam_user_policy" "dps_portal" {
  name     = "dps_portal_policy"
  user     = aws_iam_user.dps_portal.name

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ses:SendRawEmail"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

#------------------------------------
# SNS topic for bounce notifications
#------------------------------------
resource "aws_sns_topic" "bounces" {
  name = "ses-notifications"
  provider = aws.ses
}

resource "aws_ses_identity_notification_topic" "bounce_notification" {
  topic_arn         = aws_sns_topic.bounces.arn
  notification_type = "Bounce"
  identity          = aws_ses_domain_identity.public.domain
  provider          = aws.ses
}

resource "aws_ses_identity_notification_topic" "complaint_notification" {
  topic_arn         = aws_sns_topic.bounces.arn
  notification_type = "Complaint"
  identity          = aws_ses_domain_identity.public.domain
  provider          = aws.ses
}
#-----------------------------------------------
# For DPS portal, needs SES connectivity
#-----------------------------------------------
#module "ses_user_for_portal" {
#  source = "../modules/ses_iam_account"
#  username = "dps_portal"
#  pgp_key  = "${path.module}/../../common/duane_waddle.pgp"
#}
#
#output portal_ses_username {
#  value = "${module.ses_user_for_portal.username}"
#}
#
#output portal_ses_password {
#  value = "${module.ses_user_for_portal.password}"
#}