Feature ses mailfrom

CHANGELOG.md

@@ -47,3 +47,8 @@
 * v1.7.4 -- 20210326
   - ses-domain
     - add code to enable move to production, runs aws cli script
+
+* v1.7.5 -- 20210329
+  - ses-domain
+    - add code to enable mail_from
+    - change `ses_enable_production` to `enable_production`

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.7.4"
+  _module_version = "1.7.5"
 }

ses-domain/README.md

@@ -42,8 +42,9 @@ module "ses" {
   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//ses-domain"
 
   profile = var.profile
-  ## once validated, get out of sandbox
-  # ses_enable_production = true
+  ## once validated, get out of sandbox and set mail from address
+  # enable_production = true
+  # enable_mail_from = true
 
   ## optional, changing this is not recommended
   # ses_domain_name = "123456789012.postal.census.gov"
@@ -84,15 +85,16 @@ module.ses.aws_ses_domain_identity_verification.this[0]: Creation complete after
 ## Getting out of the Sandbox
 Reference: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/request-production-access.html
 
-Use the variable `ses_enable_production=true` to do this. There is no terraform resource for this.
+Use the variable `enable_production=true` to do this. There is no terraform resource for this.
 This enables the use of a script which requires the AWS CLIv2, and it will fail otherwise.
 
 ```hcl
 module "ses" {
   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//ses-domain"
 
   profile = var.profile
-  ses_enable_production = true
+  enable_production = true
+  enable_mail_from = true
 }
 ```
 then run `tf-apply`
@@ -168,6 +170,7 @@ No modules.
 | [aws_ses_domain_dkim.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_dkim) | resource |
 | [aws_ses_domain_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_identity) | resource |
 | [aws_ses_domain_identity_verification.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_identity_verification) | resource |
+| [aws_ses_domain_mail_from.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_mail_from) | resource |
 | [null_resource.this_output](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.to_production](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
@@ -181,14 +184,16 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_enable_mail_from"></a> [enable\_mail\_from](#input\_enable\_mail\_from) | SES Enable set of Mail From domain ses\_mail\_from.DOMAIN | `bool` | `false` | no |
+| <a name="input_enable_production"></a> [enable\_production](#input\_enable\_production) | SES Enable calling of AWS CLI to move from sandbox to production | `bool` | `false` | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | <a name="input_profile"></a> [profile](#input\_profile) | AWS Config profile (required for calling the aws cli) | `string` | `""` | no |
 | <a name="input_region"></a> [region](#input\_region) | AWS Region (default takes from current executing region) | `string` | `""` | no |
 | <a name="input_ses_additional_contact_email"></a> [ses\_additional\_contact\_email](#input\_ses\_additional\_contact\_email) | SES Additional Contact email address list (for move to production) | `list(string)` | `[]` | no |
 | <a name="input_ses_base_dkim_domain_name"></a> [ses\_base\_dkim\_domain\_name](#input\_ses\_base\_dkim\_domain\_name) | SES Base DKIM Domain Name | `string` | `"dkim.amazonses.com"` | no |
 | <a name="input_ses_base_domain_name"></a> [ses\_base\_domain\_name](#input\_ses\_base\_domain\_name) | SES Base Domain Name | `string` | `"aws.mail.census.gov"` | no |
 | <a name="input_ses_domain_name"></a> [ses\_domain\_name](#input\_ses\_domain\_name) | SES Fully Qualified Domain Name (default: {account\_id}.aws.mail.census.gov) | `string` | `""` | no |
-| <a name="input_ses_enable_production"></a> [ses\_enable\_production](#input\_ses\_enable\_production) | SES Enable calling of AWS CLI to move from sandbox to production | `bool` | `false` | no |
+| <a name="input_ses_mail_from"></a> [ses\_mail\_from](#input\_ses\_mail\_from) | SES mail from domain prepended to ses\_domain\_name.  See enable\_mail\_from for enabling this. | `string` | `"bounce"` | no |
 | <a name="input_ses_use_case_description"></a> [ses\_use\_case\_description](#input\_ses\_use\_case\_description) | SES use case description (for move to production) | `string` | `""` | no |
 | <a name="input_ses_website_url"></a> [ses\_website\_url](#input\_ses\_website\_url) | SES website URL (for move to production) | `string` | `"https://census.gov"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |

ses-domain/main.tf

@@ -43,8 +43,9 @@
 *   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//ses-domain"
 *
 *   profile = var.profile
-*   ## once validated, get out of sandbox
-*   # ses_enable_production = true
+*   ## once validated, get out of sandbox and set mail from address
+*   # enable_production = true
+*   # enable_mail_from = true
 *
 *   ## optional, changing this is not recommended
 *   # ses_domain_name = "123456789012.postal.census.gov"
@@ -85,15 +86,16 @@
 * ## Getting out of the Sandbox
 * Reference: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/request-production-access.html
 *
-* Use the variable `ses_enable_production=true` to do this. There is no terraform resource for this.
+* Use the variable `enable_production=true` to do this. There is no terraform resource for this.
 * This enables the use of a script which requires the AWS CLIv2, and it will fail otherwise.
 *
 * ```hcl
 * module "ses" {
 *   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//ses-domain"
 *
 *   profile = var.profile
-*   ses_enable_production = true
+*   enable_production = true
+*   enable_mail_from = true
 * }
 * ```
 * then run `tf-apply`
@@ -164,6 +166,8 @@ locals {
     ttl            = local.ses_dns_ttl
     validation_txt = local.ses_dns_value
     dkim_tokens    = aws_ses_domain_dkim.this.dkim_tokens
+    mail_from      = var.ses_mail_from
+    region         = local.region
   })
   ses_domain_ready = data.external.ses_dns_txt.result.value != "" ? true : false
 
@@ -197,16 +201,19 @@ resource "aws_ses_domain_identity_verification" "this" {
   domain = aws_ses_domain_identity.this.id
 }
 
-# resource "aws_ses_domain_mail_from" "this" {
-#   domain           = aws_ses_domain_identity.example.domain
-#   mail_from_domain = "bounce.${aws_ses_domain_identity.example.domain}"
-# }
+resource "aws_ses_domain_mail_from" "this" {
+  count            = var.enable_mail_from ? 1 : 0
+  domain           = aws_ses_domain_identity.this.domain
+  mail_from_domain = format("%v.%v", var.ses_mail_from, aws_ses_domain_identity.this.domain)
+}
 
 resource "null_resource" "this_output" {
   triggers = {
     dns_txt_name    = local.ses_dns_txt_name
     dns_txt_values  = aws_ses_domain_identity.this.verification_token
     dns_dkim_values = join(",", aws_ses_domain_dkim.this.dkim_tokens)
+    dns_mail_from   = var.enable_mail_from ? var.ses_mail_from : ""
+    region          = local.region
   }
   provisioner "local-exec" {
     command = "test -d ${path.root}/setup || mkdir ${path.root}/setup"
@@ -217,7 +224,7 @@ resource "null_resource" "this_output" {
 }
 
 resource "null_resource" "to_production" {
-  count = var.ses_enable_production ? 1 : 0
+  count = var.enable_production ? 1 : 0
   triggers = {
     contact_email = length(var.ses_additional_contact_email) > 0 ? join(" ", var.ses_additional_contact_email) : ""
     use_case      = var.ses_use_case_description

ses-domain/ses_dns.md.tpl

@@ -43,11 +43,17 @@ ${dk}._domainkey.${domain}. ${ttl} in cname ${dk}.dkim.amazonses.com.
 
 ## MX Records
 
-Configuration of MX unknown at this time.
+When using a `mail_from` configuration, the MX and SPF records need to be set.
+
+```
+${mail_from}.${domain}. ${ttl} in mx "10 feedback-smtp.${region}.amazonses.com."
+```
 
 ## SPF Records
 
-Configuration of SPF unknown at this time.
+```
+${mail_from}.${domain}. ${ttl} in txt "v=spf1 include:amazonses.com -all"
+```
 
 ## DMARC Records
 

ses-domain/variables.tf

@@ -22,12 +22,6 @@ variable "ses_base_dkim_domain_name" {
   default     = "dkim.amazonses.com"
 }
 
-variable "ses_enable_production" {
-  description = "SES Enable calling of AWS CLI to move from sandbox to production"
-  type        = bool
-  default     = false
-}
-
 variable "ses_additional_contact_email" {
   description = "SES Additional Contact email address list (for move to production)"
   type        = list(string)
@@ -46,6 +40,13 @@ variable "ses_website_url" {
   default     = "https://census.gov"
 }
 
+variable "ses_mail_from" {
+  description = "SES mail from domain prepended to ses_domain_name.  See enable_mail_from for enabling this."
+  type        = string
+  default     = "bounce"
+}
+
+
 variable "region" {
   description = "AWS Region (default takes from current executing region)"
   type        = string
@@ -57,3 +58,18 @@ variable "profile" {
   type        = string
   default     = ""
 }
+
+#--
+# enable flags
+#--
+variable "enable_production" {
+  description = "SES Enable calling of AWS CLI to move from sandbox to production"
+  type        = bool
+  default     = false
+}
+
+variable "enable_mail_from" {
+  description = "SES Enable set of Mail From domain ses_mail_from.DOMAIN"
+  type        = bool
+  default     = false
+}