diff --git a/CHANGELOG.md b/CHANGELOG.md
index 74faa1d..01fe6fb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -47,3 +47,8 @@
* v1.7.4 -- 20210326
- ses-domain
- add code to enable move to production, runs aws cli script
+
+* v1.7.5 -- 20210329
+ - ses-domain
+ - add code to enable mail_from
+ - change `ses_enable_production` to `enable_production`
diff --git a/common/version.tf b/common/version.tf
index 4d1d42c..7226ec0 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
locals {
- _module_version = "1.7.4"
+ _module_version = "1.7.5"
}
diff --git a/ses-domain/README.md b/ses-domain/README.md
index bcf41ed..a40c021 100644
--- a/ses-domain/README.md
+++ b/ses-domain/README.md
@@ -42,8 +42,9 @@ module "ses" {
source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//ses-domain"
profile = var.profile
- ## once validated, get out of sandbox
- # ses_enable_production = true
+ ## once validated, get out of sandbox and set mail from address
+ # enable_production = true
+ # enable_mail_from = true
## optional, changing this is not recommended
# ses_domain_name = "123456789012.postal.census.gov"
@@ -84,7 +85,7 @@ module.ses.aws_ses_domain_identity_verification.this[0]: Creation complete after
## Getting out of the Sandbox
Reference: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/request-production-access.html
-Use the variable `ses_enable_production=true` to do this. There is no terraform resource for this.
+Use the variable `enable_production=true` to do this. There is no terraform resource for this.
This enables the use of a script which requires the AWS CLIv2, and it will fail otherwise.
```hcl
@@ -92,7 +93,8 @@ module "ses" {
source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//ses-domain"
profile = var.profile
- ses_enable_production = true
+ enable_production = true
+ enable_mail_from = true
}
```
then run `tf-apply`
@@ -168,6 +170,7 @@ No modules.
| [aws_ses_domain_dkim.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_dkim) | resource |
| [aws_ses_domain_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_identity) | resource |
| [aws_ses_domain_identity_verification.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_identity_verification) | resource |
+| [aws_ses_domain_mail_from.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_mail_from) | resource |
| [null_resource.this_output](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [null_resource.to_production](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
@@ -181,6 +184,8 @@ No modules.
|------|-------------|------|---------|:--------:|
| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [enable\_mail\_from](#input\_enable\_mail\_from) | SES Enable set of Mail From domain ses\_mail\_from.DOMAIN | `bool` | `false` | no |
+| [enable\_production](#input\_enable\_production) | SES Enable calling of AWS CLI to move from sandbox to production | `bool` | `false` | no |
| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| [profile](#input\_profile) | AWS Config profile (required for calling the aws cli) | `string` | `""` | no |
| [region](#input\_region) | AWS Region (default takes from current executing region) | `string` | `""` | no |
@@ -188,7 +193,7 @@ No modules.
| [ses\_base\_dkim\_domain\_name](#input\_ses\_base\_dkim\_domain\_name) | SES Base DKIM Domain Name | `string` | `"dkim.amazonses.com"` | no |
| [ses\_base\_domain\_name](#input\_ses\_base\_domain\_name) | SES Base Domain Name | `string` | `"aws.mail.census.gov"` | no |
| [ses\_domain\_name](#input\_ses\_domain\_name) | SES Fully Qualified Domain Name (default: {account\_id}.aws.mail.census.gov) | `string` | `""` | no |
-| [ses\_enable\_production](#input\_ses\_enable\_production) | SES Enable calling of AWS CLI to move from sandbox to production | `bool` | `false` | no |
+| [ses\_mail\_from](#input\_ses\_mail\_from) | SES mail from domain prepended to ses\_domain\_name. See enable\_mail\_from for enabling this. | `string` | `"bounce"` | no |
| [ses\_use\_case\_description](#input\_ses\_use\_case\_description) | SES use case description (for move to production) | `string` | `""` | no |
| [ses\_website\_url](#input\_ses\_website\_url) | SES website URL (for move to production) | `string` | `"https://census.gov"` | no |
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
diff --git a/ses-domain/main.tf b/ses-domain/main.tf
index 29273d3..b3a97ef 100644
--- a/ses-domain/main.tf
+++ b/ses-domain/main.tf
@@ -43,8 +43,9 @@
* source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//ses-domain"
*
* profile = var.profile
-* ## once validated, get out of sandbox
-* # ses_enable_production = true
+* ## once validated, get out of sandbox and set mail from address
+* # enable_production = true
+* # enable_mail_from = true
*
* ## optional, changing this is not recommended
* # ses_domain_name = "123456789012.postal.census.gov"
@@ -85,7 +86,7 @@
* ## Getting out of the Sandbox
* Reference: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/request-production-access.html
*
-* Use the variable `ses_enable_production=true` to do this. There is no terraform resource for this.
+* Use the variable `enable_production=true` to do this. There is no terraform resource for this.
* This enables the use of a script which requires the AWS CLIv2, and it will fail otherwise.
*
* ```hcl
@@ -93,7 +94,8 @@
* source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//ses-domain"
*
* profile = var.profile
-* ses_enable_production = true
+* enable_production = true
+* enable_mail_from = true
* }
* ```
* then run `tf-apply`
@@ -164,6 +166,8 @@ locals {
ttl = local.ses_dns_ttl
validation_txt = local.ses_dns_value
dkim_tokens = aws_ses_domain_dkim.this.dkim_tokens
+ mail_from = var.ses_mail_from
+ region = local.region
})
ses_domain_ready = data.external.ses_dns_txt.result.value != "" ? true : false
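Review bot: `mail_from = var.ses_mail_from` is handed to what appears to be the `templatefile` call for `ses_dns.md.tpl` unconditionally, while the `dns_mail_from` trigger added in the next hunk is gated on `var.enable_mail_from`. The rendered DNS document would therefore list MX and SPF records for the MAIL FROM subdomain even when the feature is off, and toggling the flag re-runs the output step without changing its content. Passing `mail_from = var.enable_mail_from ? var.ses_mail_from : ""` and wrapping the template's MX/SPF section in `%{ if mail_from != "" }` … `%{ endif }` would keep the document in step with what is actually configured. The enclosing `locals` block starts before this hunk.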
@@ -197,16 +201,19 @@ resource "aws_ses_domain_identity_verification" "this" {
domain = aws_ses_domain_identity.this.id
}
-# resource "aws_ses_domain_mail_from" "this" {
-# domain = aws_ses_domain_identity.example.domain
-# mail_from_domain = "bounce.${aws_ses_domain_identity.example.domain}"
-# }
+resource "aws_ses_domain_mail_from" "this" {
+ count = var.enable_mail_from ? 1 : 0
+ domain = aws_ses_domain_identity.this.domain
+ mail_from_domain = format("%v.%v", var.ses_mail_from, aws_ses_domain_identity.this.domain)
+}
resource "null_resource" "this_output" {
triggers = {
dns_txt_name = local.ses_dns_txt_name
dns_txt_values = aws_ses_domain_identity.this.verification_token
dns_dkim_values = join(",", aws_ses_domain_dkim.this.dkim_tokens)
+ dns_mail_from = var.enable_mail_from ? var.ses_mail_from : ""
+ region = local.region
}
provisioner "local-exec" {
command = "test -d ${path.root}/setup || mkdir ${path.root}/setup"
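Review bot: `aws_ses_domain_mail_from.this` leaves `behavior_on_mx_failure` unset, so the provider default applies and SES falls back to its own amazonses.com MAIL FROM whenever the MX record for the custom domain cannot be resolved. The MX and SPF records appear to be written to a document for later publication rather than created here, so that is likely the state right after apply, and mail sent in that window will not be SPF-aligned with the domain for DMARC. Make the choice explicit, e.g. `behavior_on_mx_failure = "UseDefaultValue"` with the comment `# falls back to the amazonses.com MAIL FROM until the MX record is published`, or expose it as a variable for callers who prefer `RejectMessage`. The `null_resource.this_output` body continues past the end of this hunk.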
@@ -217,7 +224,7 @@ resource "null_resource" "this_output" {
}
resource "null_resource" "to_production" {
- count = var.ses_enable_production ? 1 : 0
+ count = var.enable_production ? 1 : 0
triggers = {
contact_email = length(var.ses_additional_contact_email) > 0 ? join(" ", var.ses_additional_contact_email) : ""
use_case = var.ses_use_case_description
diff --git a/ses-domain/ses_dns.md.tpl b/ses-domain/ses_dns.md.tpl
index a542b71..63c7c57 100644
--- a/ses-domain/ses_dns.md.tpl
+++ b/ses-domain/ses_dns.md.tpl
@@ -43,11 +43,17 @@ ${dk}._domainkey.${domain}. ${ttl} in cname ${dk}.dkim.amazonses.com.
## MX Records
-Configuration of MX unknown at this time.
+When using a `mail_from` configuration, the MX and SPF records need to be set.
+
+```
+${mail_from}.${domain}. ${ttl} in mx "10 feedback-smtp.${region}.amazonses.com."
+```
## SPF Records
-Configuration of SPF unknown at this time.
+```
+${mail_from}.${domain}. ${ttl} in txt "v=spf1 include:amazonses.com -all"
+```
## DMARC Records
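Review bot: The MX line wraps the preference and exchange in double quotes, `in mx "10 feedback-smtp.${region}.amazonses.com."`, unlike the unquoted CNAME line shown in the hunk header. In zone-file syntax MX rdata is two bare fields, so a copy-paste of this line is likely to be rejected or misread by DNS tooling. Write it as `${mail_from}.${domain}. ${ttl} in mx 10 feedback-smtp.${region}.amazonses.com.` and keep the quotes only on the TXT record. The SPF section also lost its introductory sentence; a one-line lead-in such as `SPF record for the MAIL FROM subdomain:` would make it clear that the record does not belong on `${domain}` itself.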
diff --git a/ses-domain/variables.tf b/ses-domain/variables.tf
index 6f517e6..60ebcc6 100644
--- a/ses-domain/variables.tf
+++ b/ses-domain/variables.tf
@@ -22,12 +22,6 @@ variable "ses_base_dkim_domain_name" {
default = "dkim.amazonses.com"
}
-variable "ses_enable_production" {
- description = "SES Enable calling of AWS CLI to move from sandbox to production"
- type = bool
- default = false
-}
-
variable "ses_additional_contact_email" {
description = "SES Additional Contact email address list (for move to production)"
type = list(string)
@@ -46,6 +40,13 @@ variable "ses_website_url" {
default = "https://census.gov"
}
+variable "ses_mail_from" {
+ description = "SES mail from domain prepended to ses_domain_name. See enable_mail_from for enabling this."
+ type = string
+ default = "bounce"
+}
+
+
variable "region" {
description = "AWS Region (default takes from current executing region)"
type = string
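Review bot: `ses_mail_from` accepts any string and is then joined into a DNS name by `format("%v.%v", ...)` in `main.tf`. An empty value, or one with a leading or trailing dot or whitespace, therefore yields a malformed MAIL FROM domain that surfaces only at apply time and in the generated DNS document. A `validation` block would catch this at plan time, assuming the module's minimum Terraform version supports variable validation (not visible here). Loosen the pattern if multi-label prefixes are intended. The second blank line added after the closing brace can also be dropped.

```hcl
variable "ses_mail_from" {
  # … unchanged: description, type, default …
  validation {
    condition     = can(regex("^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", var.ses_mail_from))
    error_message = "The ses_mail_from value must be a single lowercase DNS label (letters, digits, hyphens)."
  }
}
```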
@@ -57,3 +58,18 @@ variable "profile" {
type = string
default = ""
}
+
+#--
+# enable flags
+#--
+variable "enable_production" {
+ description = "SES Enable calling of AWS CLI to move from sandbox to production"
+ type = bool
+ default = false
+}
+
+variable "enable_mail_from" {
+ description = "SES Enable set of Mail From domain ses_mail_from.DOMAIN"
+ type = bool
+ default = false
+}
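Review bot: Replacing `ses_enable_production` with `enable_production` in a patch release (1.7.4 to 1.7.5) breaks any caller that still sets the old input, because Terraform rejects it as an unsupported argument at plan time. Keeping `variable "ses_enable_production"` for one more release with `default = null`, and using `coalesce(var.ses_enable_production, var.enable_production)` for the `count` in `null_resource.to_production`, would give callers a deprecation window. If the break is intended, the CHANGELOG entry should say so explicitly rather than list it as a plain change.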