Add aws ses notifications

2025-05-06 10:58:37 +02:00 · 2025-05-06 10:58:37 +02:00 · 616788c5ea
commit 616788c5ea
parent 3cb196f8c7
4 changed files with 59 additions and 4 deletions
--- a/main.tf
+++ b/main.tf
@ -107,6 +107,8 @@ module "infrastructure" {

  admin_email = var.admin_email

+  aws_region = var.aws_region
+
  scaleway_project_id = var.scaleway_project_id

  default_ssh_key = var.default_ssh_key
--- a/modules/infrastructure/aws-ses.tf
+++ b/modules/infrastructure/aws-ses.tf
@ -1,4 +0,0 @@
-resource "aws_sesv2_email_identity" "domains" {
-  for_each = var.email_domains
-  email_identity = each.value
-}
--- a/modules/infrastructure/aws.tf
+++ b/modules/infrastructure/aws.tf
@ -0,0 +1,55 @@
+data "aws_caller_identity" "current" {}
+
+resource "aws_sns_topic" "ses_topic" {
+  name   = "ses-topic"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Id = "notification-policy"
+    Statement = [{
+      Effect    = "Allow"
+      Principal = {
+        Service = "ses.amazonaws.com"
+      }
+      Action    = "SNS:Publish"
+      Resource  = "arn:aws:sns:${var.aws_region}:${data.aws_caller_identity.current.account_id}:ses-topic"
+      Condition = {
+        StringEquals = {
+          "AWS:SourceAccount" = data.aws_caller_identity.current.account_id
+        }
+        StringLike   = {
+          "AWS:SourceArn" = "arn:aws:ses:*"
+        }
+      }
+    }]
+  })
+}
+
+resource "aws_sns_topic_subscription" "ses_feedback_subscription" {
+  topic_arn = aws_sns_topic.ses_topic.arn
+  protocol  = "email"
+  endpoint  = var.admin_email
+}
+
+resource "aws_sesv2_configuration_set" "default" {
+  configuration_set_name = "default"
+}
+
+resource "aws_sesv2_configuration_set_event_destination" "default_sns" {
+  configuration_set_name = aws_sesv2_configuration_set.default.configuration_set_name
+  event_destination_name = "default_sns"
+
+  event_destination {
+    sns_destination {
+      topic_arn = aws_sns_topic.ses_topic.arn
+    }
+
+    enabled              = true
+    matching_event_types = ["REJECT", "BOUNCE", "COMPLAINT"]
+  }
+}
+
+resource "aws_sesv2_email_identity" "domains" {
+  for_each = var.email_domains
+  email_identity = each.value
+  configuration_set_name = aws_sesv2_configuration_set.default.configuration_set_name
+}
--- a/modules/infrastructure/variables.tf
+++ b/modules/infrastructure/variables.tf
@ -1,5 +1,7 @@
 variable "admin_email" {}

+variable "aws_region" {}
+
 variable "scaleway_project_id" {
  sensitive = true
 }