fix(DMVP-5969): Add SES module

modules/ses/iam.tf

@@ -0,0 +1,40 @@
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+data "aws_iam_policy_document" "ses_policy" {
+  statement {
+    actions = ["ses:SendEmail", "ses:SendRawEmail"]
+    effect  = "Allow"
+    resources = [
+      "arn:aws:ses:${local.region}:${data.aws_caller_identity.current.account_id}:identity/*"
+    ]
+  }
+}
+
+resource "aws_iam_group" "ses_group" {
+  name = "ses_users"
+  path = "/"
+}
+
+resource "aws_iam_user" "ses_user" {
+  count = length(var.mail_users)
+  name  = "ses_${var.mail_users[count.index]}"
+  path  = "/"
+}
+
+resource "aws_iam_group_membership" "ses_user_group" {
+  name  = "SES users"
+  users = aws_iam_user.ses_user[*].name
+  group = aws_iam_group.ses_group.name
+}
+
+resource "aws_iam_group_policy" "ses_group_policy" {
+  name   = "sendMailSES"
+  group  = aws_iam_group.ses_group.name
+  policy = data.aws_iam_policy_document.ses_policy.json
+}
+
+resource "aws_iam_access_key" "ses_user" {
+  count = length(var.mail_users)
+  user  = aws_iam_user.ses_user[count.index].name
+}

modules/ses/locals.tf

@@ -0,0 +1,24 @@
+locals {
+  dkim_record_0 = {
+    name : "${aws_ses_domain_dkim.ses_domain.dkim_tokens[0]}._domainkey.${var.email_domain}."
+    record : "${aws_ses_domain_dkim.ses_domain.dkim_tokens[0]}.dkim.amazonses.com."
+    type : "CNAME"
+  }
+  dkim_record_1 = {
+    name : "${aws_ses_domain_dkim.ses_domain.dkim_tokens[1]}._domainkey.${var.email_domain}."
+    record : "${aws_ses_domain_dkim.ses_domain.dkim_tokens[1]}.dkim.amazonses.com."
+    type : "CNAME"
+  }
+  dkim_record_2 = {
+    name : "${aws_ses_domain_dkim.ses_domain.dkim_tokens[2]}._domainkey.${var.email_domain}."
+    record : "${aws_ses_domain_dkim.ses_domain.dkim_tokens[2]}.dkim.amazonses.com."
+    type : "CNAME"
+  }
+
+  region = var.region == null ? data.aws_region.current.name : var.region
+}
+
+data "aws_route53_zone" "this" {
+  count = anytrue([var.create_spf_route53, var.create_dkim_route53]) ? 1 : 0
+  name  = var.email_domain
+}

modules/ses/main.tf

@@ -0,0 +1,35 @@
+resource "aws_ses_email_identity" "verified_email" {
+  for_each = { for value in var.verified_email_users : value => value }
+  email    = each.value
+}
+
+resource "aws_ses_domain_identity" "verified_domains" {
+  for_each = { for value in var.verified_domains : value => value }
+  domain   = each.value
+}
+
+resource "aws_ses_domain_identity" "ses_domain" {
+  domain = var.email_domain
+}
+
+resource "aws_ses_domain_dkim" "ses_domain" {
+  domain = var.email_domain
+}
+
+resource "aws_route53_record" "spf" {
+  count   = var.create_spf_route53 ? 1 : 0
+  zone_id = data.aws_route53_zone.this[0].zone_id
+  name    = ""
+  type    = "TXT"
+  records = ["v=spf1 include:amazonses.com ~all"]
+  ttl     = 600
+}
+
+resource "aws_route53_record" "dkim" {
+  count   = var.create_dkim_route53 ? 3 : 0
+  zone_id = data.aws_route53_zone.this[0].zone_id
+  name    = "${element(aws_ses_domain_dkim.ses_domain.dkim_tokens, count.index)}._domainkey.${var.email_domain}"
+  type    = "CNAME"
+  ttl     = 600
+  records = ["${element(aws_ses_domain_dkim.ses_domain.dkim_tokens, count.index)}.dkim.amazonses.com"]
+}

modules/ses/ouputs.tf

@@ -0,0 +1,27 @@
+output "dkim_records" {
+  description = "DNS records for DKIM"
+  value       = [local.dkim_record_0, local.dkim_record_1, local.dkim_record_2]
+}
+
+output "smtp_credentials" {
+  value = { for k, v in aws_iam_access_key.ses_user : k =>
+    {
+      user     = v.user,
+      password = v.ses_smtp_password_v4
+    }
+  }
+  description = "SMTP Username and Passwort"
+  sensitive   = true
+}
+
+output "secret_keys" {
+  value = { for v in aws_iam_access_key.ses_user : v.user =>
+    {
+      user   = v.user,
+      id     = v.id
+      secret = v.secret
+    }
+  }
+  description = "IAM Access Key ID and Secret"
+  sensitive   = true
+}

modules/ses/tests/basic/main.tf

@@ -0,0 +1,6 @@
+module "ses" {
+  source           = "../../"
+  email_domain     = "devops.dasmeta.com"
+  mail_users       = ["prod"]
+  verified_domains = ["devops.dasmeta.com"]
+}

modules/ses/variables.tf

@@ -0,0 +1,39 @@
+variable "region" {
+  type        = string
+  description = "The region where ressources should be managed."
+  default     = null
+}
+
+variable "email_domain" {
+  type        = string
+  description = "For which sender domain SES should be configured."
+}
+
+variable "mail_users" {
+  type        = list(string)
+  description = "User names for mail to create."
+}
+
+variable "create_dkim_route53" {
+  type        = bool
+  description = "If DKIM records should be created in Route 53"
+  default     = false
+}
+
+variable "create_spf_route53" {
+  type        = bool
+  description = "If TXT record for SPF should be created in Route 53"
+  default     = false
+}
+
+variable "verified_email_users" {
+  type        = list(string)
+  default     = []
+  description = "The emails address to assign to SES."
+}
+
+variable "verified_domains" {
+  type        = list(string)
+  default     = []
+  description = "The domain name to assign to SES."
+}