Feature ses sns

CHANGELOG.md

@@ -55,3 +55,7 @@
 
 * v1.8.0 -- 20210329
   - iam-account-settings created
+
+* v1.8.1 -- 20210329
+  - ses-domain
+    - add code for setting up sns event notification for bounce, complaint

common/defaults.tf

@@ -14,6 +14,9 @@ locals {
       "us-west-1" = "027434742980"
       "us-west-2" = "797873946194"
     }
+    "ses" = {
+      "event_types" = ["bounce", "delivery", "complaint"]
+    }
   }
 }
 

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.8.0"
+  _module_version = "1.8.1"
 }

ses-domain/README.md

@@ -45,6 +45,7 @@ module "ses" {
   ## once validated, get out of sandbox and set mail from address
   # enable_production = true
   # enable_mail_from = true
+  # enable_sns_events = true
 
   ## optional, changing this is not recommended
   # ses_domain_name = "123456789012.postal.census.gov"
@@ -95,6 +96,7 @@ module "ses" {
   profile = var.profile
   enable_production = true
   enable_mail_from = true
+  enable_sns_events = true
 }
 ```
 then run `tf-apply`
@@ -171,10 +173,15 @@ No modules.
 | [aws_ses_domain_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_identity) | resource |
 | [aws_ses_domain_identity_verification.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_identity_verification) | resource |
 | [aws_ses_domain_mail_from.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_mail_from) | resource |
+| [aws_ses_identity_notification_topic.ses_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_identity_notification_topic) | resource |
+| [aws_sns_topic.ses_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
+| [aws_sns_topic_policy.ses_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
 | [null_resource.this_output](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.to_production](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.ses_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_kms_alias.sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [external_external.ses_dns_txt](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source |
 
@@ -186,14 +193,17 @@ No modules.
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
 | <a name="input_enable_mail_from"></a> [enable\_mail\_from](#input\_enable\_mail\_from) | SES Enable set of Mail From domain ses\_mail\_from.DOMAIN | `bool` | `false` | no |
 | <a name="input_enable_production"></a> [enable\_production](#input\_enable\_production) | SES Enable calling of AWS CLI to move from sandbox to production | `bool` | `false` | no |
+| <a name="input_enable_sns_events"></a> [enable\_sns\_events](#input\_enable\_sns\_events) | SES Enable event notificaton to SNS for bounce, complaint, and/or delivery (specified by ses\_event\_notification\_types). | `bool` | `false` | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | <a name="input_profile"></a> [profile](#input\_profile) | AWS Config profile (required for calling the aws cli) | `string` | `""` | no |
 | <a name="input_region"></a> [region](#input\_region) | AWS Region (default takes from current executing region) | `string` | `""` | no |
 | <a name="input_ses_additional_contact_email"></a> [ses\_additional\_contact\_email](#input\_ses\_additional\_contact\_email) | SES Additional Contact email address list (for move to production) | `list(string)` | `[]` | no |
 | <a name="input_ses_base_dkim_domain_name"></a> [ses\_base\_dkim\_domain\_name](#input\_ses\_base\_dkim\_domain\_name) | SES Base DKIM Domain Name | `string` | `"dkim.amazonses.com"` | no |
 | <a name="input_ses_base_domain_name"></a> [ses\_base\_domain\_name](#input\_ses\_base\_domain\_name) | SES Base Domain Name | `string` | `"aws.mail.census.gov"` | no |
 | <a name="input_ses_domain_name"></a> [ses\_domain\_name](#input\_ses\_domain\_name) | SES Fully Qualified Domain Name (default: {account\_id}.aws.mail.census.gov) | `string` | `""` | no |
+| <a name="input_ses_event_notification_types"></a> [ses\_event\_notification\_types](#input\_ses\_event\_notification\_types) | SNS Notification types for SNS.  Valid values are bounce, complaint, and delivery. | `list(string)` | <pre>[<br>  "bounce",<br>  "complaint"<br>]</pre> | no |
 | <a name="input_ses_mail_from"></a> [ses\_mail\_from](#input\_ses\_mail\_from) | SES mail from domain prepended to ses\_domain\_name.  See enable\_mail\_from for enabling this. | `string` | `"bounce"` | no |
+| <a name="input_ses_sns_topic_name"></a> [ses\_sns\_topic\_name](#input\_ses\_sns\_topic\_name) | SNS Topic name for event handling.  The region name will be appended. | `string` | `"inf-ses-events"` | no |
 | <a name="input_ses_use_case_description"></a> [ses\_use\_case\_description](#input\_ses\_use\_case\_description) | SES use case description (for move to production) | `string` | `""` | no |
 | <a name="input_ses_website_url"></a> [ses\_website\_url](#input\_ses\_website\_url) | SES website URL (for move to production) | `string` | `"https://census.gov"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |

ses-domain/main.tf

@@ -46,6 +46,7 @@
 *   ## once validated, get out of sandbox and set mail from address
 *   # enable_production = true
 *   # enable_mail_from = true
+*   # enable_sns_events = true
 *
 *   ## optional, changing this is not recommended
 *   # ses_domain_name = "123456789012.postal.census.gov"
@@ -96,6 +97,7 @@
 *   profile = var.profile
 *   enable_production = true
 *   enable_mail_from = true
+*   enable_sns_events = true
 * }
 * ```
 * then run `tf-apply`
@@ -156,10 +158,13 @@ locals {
 
   ses_available = local.account_environment == "ew" ? length(regexall("us-", local.region)) > 0 : length(regexall("gov-west", local.region)) > 0
 
-  ses_domain       = var.ses_domain_name != "" ? var.ses_domain_name : format("%v.%v", local.account_id, var.ses_base_domain_name)
-  ses_dns_txt_name = format("_amazonses.%v", aws_ses_domain_identity.this.domain)
-  ses_dns_ttl      = 600
-  ses_dns_value    = aws_ses_domain_identity.this.verification_token
+  ses_domain        = var.ses_domain_name != "" ? var.ses_domain_name : format("%v.%v", local.account_id, var.ses_base_domain_name)
+  ses_dns_txt_name  = format("_amazonses.%v", aws_ses_domain_identity.this.domain)
+  ses_dns_ttl       = 600
+  ses_dns_value     = aws_ses_domain_identity.this.verification_token
+  ses_sns_topic     = format("%v-%v", var.ses_sns_topic_name, local.region)
+  ses_event_types   = [for x in var.ses_event_notification_types : x if contains(lookup(local._defaults["ses"]["event_types"], []), x)]
+  enable_sns_events = var.enable_sns_events && length(local.ses_event_types) > 0
 
   ses_output = templatefile("${path.module}/ses_dns.md.tpl", {
     domain         = local.ses_domain
@@ -241,3 +246,23 @@ resource "null_resource" "to_production" {
     }
   }
 }
+
+resource "aws_sns_topic" "ses_event" {
+  count             = local.enable_sns_events ? 1 : 0
+  name              = local.ses_sns_topic
+  kms_master_key_id = "alias/aws/sns"
+}
+
+resource "aws_sns_topic_policy" "ses_event" {
+  count  = local.enable_sns_events ? 1 : 0
+  arn    = aws_sns_topic.ses_event[0].arn
+  policy = data.aws_iam_policy_document.ses_event.json
+}
+
+resource "aws_ses_identity_notification_topic" "ses_event" {
+  for_each                 = toset(local.ses_event_types)
+  topic_arn                = aws_sns_topic.ses_event[0].arn
+  notification_type        = each.key
+  identity                 = aws_ses_domain_identity.this.domain
+  include_original_headers = true
+}

ses-domain/policies.tf

@@ -0,0 +1,65 @@
+data "aws_kms_alias" "sns" {
+  name = "alias/aws/sns"
+}
+
+data "aws_iam_policy_document" "ses_event" {
+  statement {
+    effect = "Alow"
+    actions = [
+      "kms:GenerateDataKey*",
+      "kms:Decrypt",
+    ]
+    resources = [data.aws_kms_alias.sns.arn]
+    principals {
+      type        = "Service"
+      identifiers = ["ses.amazonaws.com"]
+    }
+  }
+  statement {
+    effect    = "Alow"
+    actions   = ["sns:Publish"]
+    resources = [aws_sns_topic.ses_event[0].arn]
+    principals {
+      type        = "Service"
+      identifiers = ["ses.amazonaws.com"]
+    }
+  }
+}
+
+# {
+#   "Statement": [{
+#     "Effect": "Allow",
+#     "Action": [
+#       "kms:GenerateDataKey",
+#       "kms:Decrypt"
+#     ],
+#     "Resource": "arn:aws:kms:us-east-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
+#   }, {
+#     "Effect": "Allow",
+#     "Action": [
+#       "sns:Publish"
+#     ],
+#     "Resource": "arn:aws:sns:*:123456789012:MyTopic"
+#   }]
+# }
+# Enable compatibility between event sources from AWS services and encrypted topics
+# Several AWS services publish events to Amazon SNS topics. To allow these event sources to work with encrypted topics, you must perform the following steps.
+# 
+# Use a customer managed CMK. For more information, see Creating Keys in the AWS Key Management Service Developer Guide.
+# 
+# To allow the AWS service to have the kms:GenerateDataKey* and kms:Decrypt permissions, add the following statement to the CMK policy.
+# 
+# {
+#   "Statement": [{
+#     "Effect": "Allow",
+#     "Principal": {
+#       "Service": "service.amazonaws.com"
+#     },
+#     "Action": [
+#       "kms:GenerateDataKey*",
+#       "kms:Decrypt"
+#     ],
+#     "Resource": "*"
+#   }]
+# }
+# 

ses-domain/variables.tf

@@ -46,6 +46,17 @@ variable "ses_mail_from" {
   default     = "bounce"
 }
 
+variable "ses_sns_topic_name" {
+  description = "SNS Topic name for event handling.  The region name will be appended."
+  type        = string
+  default     = "inf-ses-events"
+}
+
+variable "ses_event_notification_types" {
+  description = "SNS Notification types for SNS.  Valid values are bounce, complaint, and delivery."
+  type        = list(string)
+  default     = ["bounce", "complaint"]
+}
 
 variable "region" {
   description = "AWS Region (default takes from current executing region)"
@@ -73,3 +84,9 @@ variable "enable_mail_from" {
   type        = bool
   default     = false
 }
+
+variable "enable_sns_events" {
+  description = "SES Enable event notificaton to SNS for bounce, complaint, and/or delivery (specified by ses_event_notification_types)."
+  type        = bool
+  default     = false
+}