From ab980f2759e7c0928e0bd6853df48b5917c1257f Mon Sep 17 00:00:00 2001
From: Aldo Giambelluca
Date: Mon, 10 Sep 2018 12:10:12 +0100
Subject: [PATCH] Imported SES resources for root domain (#162)

* added shim SES terraform resources
* Imported SES resources for root domain
* SES: Don't hardcode number of DNS records used for DKIM verification This could potentially change so it's better to not hardcode it.
* Added SES domain identity ARN output This will be handy when I'll create the IAM user to make the IAM policy more specific. The `ses:SendEmail` action in IAM supports the SES domain idenity ARN as resource: https://iam.cloudonaut.io/reference/ses/SendEmail.html
---
 infra/terraform/global/main.tf | 7 ++++
 infra/terraform/global/outputs.tf | 4 ++
 infra/terraform/modules/ses_domain/inputs.tf | 3 ++
 infra/terraform/modules/ses_domain/main.tf | 37 +++++++++++++++++++
 infra/terraform/modules/ses_domain/outputs.tf | 3 ++
 5 files changed, 54 insertions(+)
 create mode 100644 infra/terraform/modules/ses_domain/inputs.tf
 create mode 100644 infra/terraform/modules/ses_domain/main.tf
 create mode 100644 infra/terraform/modules/ses_domain/outputs.tf
diff --git a/infra/terraform/global/main.tf b/infra/terraform/global/main.tf
index 34b56b4bf..5e6d0312f 100644
--- a/infra/terraform/global/main.tf
+++ b/infra/terraform/global/main.tf
@@ -125,3 +125,10 @@ module "kubernetes_prune_ebs_snapshots" {
 lamda_policy = "${data.template_file.lambda_prune_ebs_snapshots_policy.rendered}"
 environment_variables = "${var.environment_variables}"
 }
+
+module "ses_domain" {
+ source = "../modules/ses_domain"
+ domain = "${var.xyz_root_domain}"
+
+ aws_route53_zone_id = "${aws_route53_zone.xyz_zone.zone_id}"
+}
diff --git a/infra/terraform/global/outputs.tf b/infra/terraform/global/outputs.tf
index df451f4d5..8c5daed91 100644
--- a/infra/terraform/global/outputs.tf
+++ b/infra/terraform/global/outputs.tf
@@ -14,6 +14,10 @@ output "xyz_root_domain" {
 value = "${var.xyz_root_domain}"
 }
+output "xyz_root_domain_ses_identity_arn" {
+ value = "${module.ses_domain.identity_arn}"
+}
+
 output "kops_bucket_name" {
 value = "${var.kops_bucket_name}"
 }
diff --git a/infra/terraform/modules/ses_domain/inputs.tf b/infra/terraform/modules/ses_domain/inputs.tf
new file mode 100644
index 000000000..f8ed8a92c
--- /dev/null
+++ b/infra/terraform/modules/ses_domain/inputs.tf
@@ -0,0 +1,3 @@
+variable "domain" {}
+
+variable "aws_route53_zone_id" {}
diff --git a/infra/terraform/modules/ses_domain/main.tf b/infra/terraform/modules/ses_domain/main.tf
new file mode 100644
index 000000000..eeabe6007
--- /dev/null
+++ b/infra/terraform/modules/ses_domain/main.tf
@@ -0,0 +1,37 @@
+resource "aws_ses_domain_identity" "domain" {
+ domain = "${var.domain}"
+}
+
+# SES Verification: TXT Record
+resource "aws_route53_record" "amazonses_verification_record" {
+ zone_id = "${var.aws_route53_zone_id}"
+
+ name = "_amazonses.${aws_ses_domain_identity.domain.id}"
+
+ type = "TXT"
+ ttl = "1800"
+
+ records = [
+ "${aws_ses_domain_identity.domain.verification_token}",
+ ]
+}
+
+resource "aws_ses_domain_identity_verification" "amazonses_verification" {
+ domain = "${aws_ses_domain_identity.domain.id}"
+
+ depends_on = ["aws_route53_record.amazonses_verification_record"]
+}
+
+# SES Verification: DKIM
+resource "aws_ses_domain_dkim" "domain_verification" {
+ domain = "${aws_ses_domain_identity.domain.domain}"
+}
+
+resource "aws_route53_record" "domain_amazonses_dkim_verification_record" {
+ count = "${length(aws_ses_domain_dkim.domain_verification.dkim_tokens)}"
+ zone_id = "${var.aws_route53_zone_id}"
+ name = "${element(aws_ses_domain_dkim.domain_verification.dkim_tokens, count.index)}._domainkey.${aws_ses_domain_identity.domain.domain}"
+ type = "CNAME"
+ ttl = "1800"
+ records = ["${element(aws_ses_domain_dkim.domain_verification.dkim_tokens, count.index)}.dkim.amazonses.com"]
+}
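Review bot: Both variables in inputs.tf are declared with empty bodies, so a consumer of the module gets no statement of what `domain` must be (the name that becomes the SES identity and the base under which the `_amazonses` TXT and `_domainkey` CNAME records are created) or what `aws_route53_zone_id` must point to (a hosted zone expected to be authoritative for that domain, otherwise the verification records are published where SES will not look). Adding `description` attributes documents that contract, e.g. `variable "domain" { description = "Domain to verify as an SES sending identity; verification and DKIM records are created under it" }` and `variable "aws_route53_zone_id" { description = "Route53 hosted zone authoritative for var.domain, where the SES DNS records are written" }`.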
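Review bot: The new ses_domain/main.tf verifies the root domain for SES sending and publishes the DKIM CNAMEs, but publishes no DMARC record, so receiving mail servers are given no policy for mail that claims the root domain yet carries no valid DKIM signature, and the domain owner gets no reports of such mail; since this module already owns the zone's SES records (the `_amazonses` TXT and the `_domainkey` CNAMEs), a `_dmarc.` TXT record seems to belong here too, unless the DMARC policy for the zone is managed elsewhere. A monitoring-only record (`p=none` with a `rua` reporting mailbox) is a safe starting point that can be tightened once reports confirm every legitimate sender signs. Separately, the identity is referenced as `aws_ses_domain_identity.domain.id` in the TXT record and the verification resource but as `.domain` in the two DKIM resources; I believe both resolve to the same domain name, but picking one form keeps the module consistent. The `count` on the DKIM record is taken from the computed `dkim_tokens` list, which on the Terraform syntax version this file targets may not be known until `aws_ses_domain_dkim` exists, so a first apply into a fresh zone might need a targeted apply; if that is the case it is worth a comment above the resource.
```hcl
# … unchanged: identity, verification TXT record, verification resource, DKIM resources …

# DMARC policy for the domain. Monitoring only (p=none) until the aggregate
# reports confirm that every legitimate sender signs with DKIM; then tighten.
resource "aws_route53_record" "amazonses_dmarc_record" {
  zone_id = "${var.aws_route53_zone_id}"
  name    = "_dmarc.${aws_ses_domain_identity.domain.domain}"
  type    = "TXT"
  ttl     = "1800"
  records = ["v=DMARC1; p=none; rua=mailto:DMARC_REPORT_MAILBOX_PLACEHOLDER"]
}
```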
diff --git a/infra/terraform/modules/ses_domain/outputs.tf b/infra/terraform/modules/ses_domain/outputs.tf
new file mode 100644
index 000000000..25ab03da9
--- /dev/null
+++ b/infra/terraform/modules/ses_domain/outputs.tf
@@ -0,0 +1,3 @@
+output "identity_arn" {
+ value = "${aws_ses_domain_identity.domain.arn}"
+}