From 438756e500461bb4858fbd5fbe25b6c0a34d0dfd Mon Sep 17 00:00:00 2001
From: badra001
Date: Mon, 29 Mar 2021 08:38:50 -0400
Subject: [PATCH 1/5] enable use of mail_from

---
 CHANGELOG.md | 5 +++++
 common/version.tf | 2 +-
 ses-domain/README.md | 15 ++++++++++-----
 ses-domain/main.tf | 21 ++++++++++++---------
 ses-domain/ses_dns.md.tpl | 10 ++++++++--
 ses-domain/variables.tf | 28 ++++++++++++++++++++++------
 6 files changed, 58 insertions(+), 23 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 74faa1d..01fe6fb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -47,3 +47,8 @@
 * v1.7.4 -- 20210326
 - ses-domain
 - add code to enable move to production, runs aws cli script
+
+* v1.7.5 -- 20210329
+ - ses-domain
+ - add code to enable mail_from
+ - change `ses_enable_production` to `enable_production`
diff --git a/common/version.tf b/common/version.tf
index 4d1d42c..7226ec0 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "1.7.4"
+ _module_version = "1.7.5"
 }
diff --git a/ses-domain/README.md b/ses-domain/README.md
index bcf41ed..a40c021 100644
--- a/ses-domain/README.md
+++ b/ses-domain/README.md
@@ -42,8 +42,9 @@ module "ses" {
 source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//ses-domain"
 profile = var.profile
- ## once validated, get out of sandbox
- # ses_enable_production = true
+ ## once validated, get out of sandbox and set mail from address
+ # enable_production = true
+ # enable_mail_from = true
 ## optional, changing this is not recommended
 # ses_domain_name = "123456789012.postal.census.gov"
@@ -84,7 +85,7 @@ module.ses.aws_ses_domain_identity_verification.this[0]: Creation complete after
 ## Getting out of the Sandbox
 Reference: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/request-production-access.html
-Use the variable `ses_enable_production=true` to do this. There is no terraform resource for this.
+Use the variable `enable_production=true` to do this. There is no terraform resource for this.
 This enables the use of a script which requires the AWS CLIv2, and it will fail otherwise.
 ```hcl
@@ -92,7 +93,8 @@ module "ses" {
 source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//ses-domain"
 profile = var.profile
- ses_enable_production = true
+ enable_production = true
+ enable_mail_from = true
 }
 ```
 then run `tf-apply`
@@ -168,6 +170,7 @@ No modules.
 | [aws_ses_domain_dkim.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_dkim) | resource |
 | [aws_ses_domain_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_identity) | resource |
 | [aws_ses_domain_identity_verification.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_identity_verification) | resource |
+| [aws_ses_domain_mail_from.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_mail_from) | resource |
 | [null_resource.this_output](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.to_production](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
@@ -181,6 +184,8 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [enable\_mail\_from](#input\_enable\_mail\_from) | SES Enable set of Mail From domain ses\_mail\_from.DOMAIN | `bool` | `false` | no |
+| [enable\_production](#input\_enable\_production) | SES Enable calling of AWS CLI to move from sandbox to production | `bool` | `false` | no |
 | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | [profile](#input\_profile) | AWS Config profile (required for calling the aws cli) | `string` | `""` | no |
 | [region](#input\_region) | AWS Region (default takes from current executing region) | `string` | `""` | no |
@@ -188,7 +193,7 @@ No modules.
 | [ses\_base\_dkim\_domain\_name](#input\_ses\_base\_dkim\_domain\_name) | SES Base DKIM Domain Name | `string` | `"dkim.amazonses.com"` | no |
 | [ses\_base\_domain\_name](#input\_ses\_base\_domain\_name) | SES Base Domain Name | `string` | `"aws.mail.census.gov"` | no |
 | [ses\_domain\_name](#input\_ses\_domain\_name) | SES Fully Qualified Domain Name (default: {account\_id}.aws.mail.census.gov) | `string` | `""` | no |
-| [ses\_enable\_production](#input\_ses\_enable\_production) | SES Enable calling of AWS CLI to move from sandbox to production | `bool` | `false` | no |
+| [ses\_mail\_from](#input\_ses\_mail\_from) | SES mail from domain prepended to ses\_domain\_name. See enable\_mail\_from for enabling this. | `string` | `"bounce"` | no |
 | [ses\_use\_case\_description](#input\_ses\_use\_case\_description) | SES use case description (for move to production) | `string` | `""` | no |
 | [ses\_website\_url](#input\_ses\_website\_url) | SES website URL (for move to production) | `string` | `"https://census.gov"` | no |
 | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
diff --git a/ses-domain/main.tf b/ses-domain/main.tf
index 29273d3..1342b36 100644
--- a/ses-domain/main.tf
+++ b/ses-domain/main.tf
@@ -43,8 +43,9 @@
 * source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//ses-domain"
 *
 * profile = var.profile
-* ## once validated, get out of sandbox
-* # ses_enable_production = true
+* ## once validated, get out of sandbox and set mail from address
+* # enable_production = true
+* # enable_mail_from = true
 *
 * ## optional, changing this is not recommended
 * # ses_domain_name = "123456789012.postal.census.gov"
@@ -85,7 +86,7 @@
 * ## Getting out of the Sandbox
 * Reference: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/request-production-access.html
 *
-* Use the variable `ses_enable_production=true` to do this. There is no terraform resource for this.
+* Use the variable `enable_production=true` to do this. There is no terraform resource for this.
 * This enables the use of a script which requires the AWS CLIv2, and it will fail otherwise.
 *
 * ```hcl
@@ -93,7 +94,8 @@
 * source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//ses-domain"
 *
 * profile = var.profile
-* ses_enable_production = true
+* enable_production = true
+* enable_mail_from = true
 * }
 * ```
 * then run `tf-apply`
@@ -197,10 +199,11 @@ resource "aws_ses_domain_identity_verification" "this" {
 domain = aws_ses_domain_identity.this.id
 }
-# resource "aws_ses_domain_mail_from" "this" {
-# domain = aws_ses_domain_identity.example.domain
-# mail_from_domain = "bounce.${aws_ses_domain_identity.example.domain}"
-# }
+resource "aws_ses_domain_mail_from" "this" {
+ count = local.enable_mail_from ? 1 : 0
+ domain = aws_ses_domain_identity.example.domain
+ mail_from_domain = format("%v.%v", var.ses_mail_from, aws_ses_domain_identity.example.domain)
+}
 resource "null_resource" "this_output" {
 triggers = {
@@ -217,7 +220,7 @@ resource "null_resource" "this_output" {
 }
 resource "null_resource" "to_production" {
- count = var.ses_enable_production ? 1 : 0
+ count = var.enable_production ? 1 : 0
 triggers = {
 contact_email = length(var.ses_additional_contact_email) > 0 ? join(" ", var.ses_additional_contact_email) : ""
 use_case = var.ses_use_case_description
diff --git a/ses-domain/ses_dns.md.tpl b/ses-domain/ses_dns.md.tpl
index a542b71..63c7c57 100644
--- a/ses-domain/ses_dns.md.tpl
+++ b/ses-domain/ses_dns.md.tpl
@@ -43,11 +43,17 @@ ${dk}._domainkey.${domain}. ${ttl} in cname ${dk}.dkim.amazonses.com.
 ## MX Records
-Configuration of MX unknown at this time.
+When using a `mail_from` configuration, the MX and SPF records need to be set.
+
+```
+${mail_from}.${domain}. ${ttl} in mx "10 feedback-smtp.${region}.amazonses.com."
+```
 ## SPF Records
-Configuration of SPF unknown at this time.
+```
+${mail_from}.${domain}. ${ttl} in txt "v=spf1 include:amazonses.com -all"
+```
 ## DMARC Records
diff --git a/ses-domain/variables.tf b/ses-domain/variables.tf
index 6f517e6..60ebcc6 100644
--- a/ses-domain/variables.tf
+++ b/ses-domain/variables.tf
@@ -22,12 +22,6 @@ variable "ses_base_dkim_domain_name" {
 default = "dkim.amazonses.com"
 }
-variable "ses_enable_production" {
- description = "SES Enable calling of AWS CLI to move from sandbox to production"
- type = bool
- default = false
-}
-
 variable "ses_additional_contact_email" {
 description = "SES Additional Contact email address list (for move to production)"
 type = list(string)
@@ -46,6 +40,13 @@ variable "ses_website_url" {
 default = "https://census.gov"
 }
+variable "ses_mail_from" {
+ description = "SES mail from domain prepended to ses_domain_name. See enable_mail_from for enabling this."
+ type = string
+ default = "bounce"
+}
+
+
 variable "region" {
 description = "AWS Region (default takes from current executing region)"
 type = string
@@ -57,3 +58,18 @@ variable "profile" {
 type = string
 default = ""
 }
+
+#--
+# enable flags
+#--
+variable "enable_production" {
+ description = "SES Enable calling of AWS CLI to move from sandbox to production"
+ type = bool
+ default = false
+}
+
+variable "enable_mail_from" {
+ description = "SES Enable set of Mail From domain ses_mail_from.DOMAIN"
+ type = bool
+ default = false
+}
From ab89dc7a9a56b2203daae5feef8d8041bbd7591e Mon Sep 17 00:00:00 2001
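Review bot: The MX rdata on the new `in mx` line is wrapped in double quotes, which is not zone-file syntax for an MX record (only the TXT data on the SPF line takes quotes), so an operator who pastes the generated instructions into a BIND-style zone gets a parse error or a quoted literal instead of a hostname, and the MAIL FROM subdomain is left without a working MX. Change it to `${mail_from}.${domain}. ${ttl} in mx 10 feedback-smtp.${region}.amazonses.com.`, matching the unquoted `in cname` line this hunk's header shows earlier in the template. The SPF line uses `-all` where the AWS MAIL FROM documentation shows `~all`; hard fail is the stronger choice for a bounce subdomain that only SES sends from, but a one-line note in the template text saying that any non-SES mail from this subdomain will be rejected would let operators make that decision knowingly.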
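Review bot: `ses_mail_from` is concatenated straight into the MAIL FROM domain and into the DNS records the module tells operators to publish, yet it has no `validation` block, so a value with a trailing dot, upper-case letters, or an embedded `.` either fails at the SES API or yields a subdomain that no longer matches what the template prints. If the module targets Terraform 0.13 or later, restricting the variable to a single lowercase DNS label fails at plan time with a clear message instead; the rewritten variable block follows.
```hcl
variable "ses_mail_from" {
  description = "SES mail from domain prepended to ses_domain_name. See enable_mail_from for enabling this."
  type        = string
  default     = "bounce"

  # Must be one lowercase DNS label: SES receives "<label>.<ses_domain_name>".
  validation {
    condition     = can(regex("^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", var.ses_mail_from))
    error_message = "ses_mail_from must be a single lowercase DNS label (letters, digits, hyphens)."
  }
}
```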
From: badra001
Date: Mon, 29 Mar 2021 08:46:11 -0400
Subject: [PATCH 2/5] add mail from to template render, null resource

---
 ses-domain/main.tf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ses-domain/main.tf b/ses-domain/main.tf
index 1342b36..4c370da 100644
--- a/ses-domain/main.tf
+++ b/ses-domain/main.tf
@@ -166,6 +166,7 @@ locals {
 ttl = local.ses_dns_ttl
 validation_txt = local.ses_dns_value
 dkim_tokens = aws_ses_domain_dkim.this.dkim_tokens
+ mail_from = var.ses_mail_from
 })
 ses_domain_ready = data.external.ses_dns_txt.result.value != "" ? true : false
@@ -210,6 +211,7 @@ resource "null_resource" "this_output" {
 dns_txt_name = local.ses_dns_txt_name
 dns_txt_values = aws_ses_domain_identity.this.verification_token
 dns_dkim_values = join(",", aws_ses_domain_dkim.this.dkim_tokens)
+ dns_mail_from = var.enable_mail_from ? var.ses_mail_from : ""
 }
 provisioner "local-exec" {
 command = "test -d ${path.root}/setup || mkdir ${path.root}/setup"
From de43aa5c99ef17aa72e55cb14ec1d8a7e24476ed Mon Sep 17 00:00:00 2001
From: badra001
Date: Mon, 29 Mar 2021 08:57:56 -0400
Subject: [PATCH 3/5] fix

---
 ses-domain/main.tf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ses-domain/main.tf b/ses-domain/main.tf
index 4c370da..e9d6e27 100644
--- a/ses-domain/main.tf
+++ b/ses-domain/main.tf
@@ -167,6 +167,7 @@ locals {
 validation_txt = local.ses_dns_value
 dkim_tokens = aws_ses_domain_dkim.this.dkim_tokens
 mail_from = var.ses_mail_from
+ region = local.region
 })
 ses_domain_ready = data.external.ses_dns_txt.result.value != "" ? true : false
@@ -212,6 +213,7 @@ resource "null_resource" "this_output" {
 dns_txt_values = aws_ses_domain_identity.this.verification_token
 dns_dkim_values = join(",", aws_ses_domain_dkim.this.dkim_tokens)
 dns_mail_from = var.enable_mail_from ? var.ses_mail_from : ""
+ region = local.region
 }
 provisioner "local-exec" {
 command = "test -d ${path.root}/setup || mkdir ${path.root}/setup"
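Review bot: `mail_from = var.ses_mail_from` in the `locals` hunk hands the label to the DNS template unconditionally, while the trigger added in the second hunk is gated with `var.enable_mail_from ? var.ses_mail_from : ""`; because `ses_mail_from` defaults to `bounce`, the rendered DNS instructions will tell operators to publish MX and SPF records for `bounce.<domain>` even when no MAIL FROM identity was created, unless the rendering is gated somewhere the hunk does not show. Use the same gate in the template arguments, `mail_from = var.enable_mail_from ? var.ses_mail_from : ""`, and have the template skip the MX/SPF section when the value is empty, so the records operators publish always describe what SES is actually configured to do. The `locals` block starts outside this hunk.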
From e7777af0c6ac5c586f4dbcca67cb704b8eb20e97 Mon Sep 17 00:00:00 2001
From: badra001
Date: Mon, 29 Mar 2021 08:58:39 -0400
Subject: [PATCH 4/5] fix

---
 ses-domain/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ses-domain/main.tf b/ses-domain/main.tf
index e9d6e27..e4841fe 100644
--- a/ses-domain/main.tf
+++ b/ses-domain/main.tf
@@ -203,8 +203,8 @@ resource "aws_ses_domain_identity_verification" "this" {
 resource "aws_ses_domain_mail_from" "this" {
 count = local.enable_mail_from ? 1 : 0
- domain = aws_ses_domain_identity.example.domain
- mail_from_domain = format("%v.%v", var.ses_mail_from, aws_ses_domain_identity.example.domain)
+ domain = aws_ses_domain_identity.this.domain
+ mail_from_domain = format("%v.%v", var.ses_mail_from, aws_ses_domain_identity.this.domain)
 }
 resource "null_resource" "this_output" {
From 1900f4dbaebccac25b72a28aca64d69381e774aa Mon Sep 17 00:00:00 2001
From: badra001
Date: Mon, 29 Mar 2021 09:03:23 -0400
Subject: [PATCH 5/5] fix

---
 ses-domain/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ses-domain/main.tf b/ses-domain/main.tf
index e4841fe..b3a97ef 100644
--- a/ses-domain/main.tf
+++ b/ses-domain/main.tf
@@ -202,7 +202,7 @@ resource "aws_ses_domain_identity_verification" "this" {
 }
 resource "aws_ses_domain_mail_from" "this" {
- count = local.enable_mail_from ? 1 : 0
+ count = var.enable_mail_from ? 1 : 0
 domain = aws_ses_domain_identity.this.domain
 mail_from_domain = format("%v.%v", var.ses_mail_from, aws_ses_domain_identity.this.domain)
 }
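Review bot: In its final form the `aws_ses_domain_mail_from` resource leaves `behavior_on_mx_failure` at the provider default (`UseDefaultValue`), so if the MX record for the MAIL FROM subdomain is missing or mistyped SES silently falls back to its own `amazonses.com` MAIL FROM and the SPF/DMARC alignment this feature exists to provide is lost with no error anywhere. Since this module is the thing that tells operators which MX record to publish, `behavior_on_mx_failure = "RejectMessage"` turns that misconfiguration into a visible send failure rather than a quiet downgrade; if the soft fallback is deliberate, a comment on the resource saying so would stop the next reader from "fixing" it. The resource body is complete within the hunk, but the file around it is not shown.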