From 616788c5ea60fe8d6c6aa054e3f343fd6afc8747 Mon Sep 17 00:00:00 2001
From: Tobias Reisinger <tobias@msrg.cc>
Date: Tue, 6 May 2025 10:58:37 +0200
Subject: [PATCH] Add aws ses notifications

---
 main.tf                             |  2 ++
 modules/infrastructure/aws-ses.tf   |  4 ---
 modules/infrastructure/aws.tf       | 55 +++++++++++++++++++++++++++++
 modules/infrastructure/variables.tf |  2 ++
 4 files changed, 59 insertions(+), 4 deletions(-)
 delete mode 100644 modules/infrastructure/aws-ses.tf
 create mode 100644 modules/infrastructure/aws.tf

diff --git a/main.tf b/main.tf
index 1f73015..f337364 100644
--- a/main.tf
+++ b/main.tf
@@ -107,6 +107,8 @@ module "infrastructure" {
 
   admin_email = var.admin_email
 
+  aws_region = var.aws_region
+
   scaleway_project_id = var.scaleway_project_id
 
   default_ssh_key = var.default_ssh_key
diff --git a/modules/infrastructure/aws-ses.tf b/modules/infrastructure/aws-ses.tf
deleted file mode 100644
index 8c9a871..0000000
--- a/modules/infrastructure/aws-ses.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-resource "aws_sesv2_email_identity" "domains" {
-  for_each = var.email_domains
-  email_identity = each.value
-}
diff --git a/modules/infrastructure/aws.tf b/modules/infrastructure/aws.tf
new file mode 100644
index 0000000..fd8e1f1
--- /dev/null
+++ b/modules/infrastructure/aws.tf
@@ -0,0 +1,55 @@
+data "aws_caller_identity" "current" {}
+
+resource "aws_sns_topic" "ses_topic" {
+  name   = "ses-topic"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Id = "notification-policy"
+    Statement = [{
+      Effect    = "Allow"
+      Principal = {
+        Service = "ses.amazonaws.com"
+      }
+      Action    = "SNS:Publish"
+      Resource  = "arn:aws:sns:${var.aws_region}:${data.aws_caller_identity.current.account_id}:ses-topic"
+      Condition = {
+        StringEquals = {
+          "AWS:SourceAccount" = data.aws_caller_identity.current.account_id
+        }
+        StringLike   = {
+          "AWS:SourceArn" = "arn:aws:ses:*"
+        }
+      }
+    }]
+  })
+}
+
+resource "aws_sns_topic_subscription" "ses_feedback_subscription" {
+  topic_arn = aws_sns_topic.ses_topic.arn
+  protocol  = "email"
+  endpoint  = var.admin_email
+}
+
+resource "aws_sesv2_configuration_set" "default" {
+  configuration_set_name = "default"
+}
+
+resource "aws_sesv2_configuration_set_event_destination" "default_sns" {
+  configuration_set_name = aws_sesv2_configuration_set.default.configuration_set_name
+  event_destination_name = "default_sns"
+
+  event_destination {
+    sns_destination {
+      topic_arn = aws_sns_topic.ses_topic.arn
+    }
+
+    enabled              = true
+    matching_event_types = ["REJECT", "BOUNCE", "COMPLAINT"]
+  }
+}
+
+resource "aws_sesv2_email_identity" "domains" {
+  for_each = var.email_domains
+  email_identity = each.value
+  configuration_set_name = aws_sesv2_configuration_set.default.configuration_set_name
+}
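Review bot: The `AWS:SourceArn` condition in the `ses_topic` policy (`StringLike` on `arn:aws:ses:*`) admits any SES resource in any region of the account, which is wider than the single configuration set that will actually publish here; scope it to that set with `StringEquals` and `"AWS:SourceArn" = "arn:aws:ses:${var.aws_region}:${data.aws_caller_identity.current.account_id}:configuration-set/${aws_sesv2_configuration_set.default.configuration_set_name}"`, keeping the `AWS:SourceAccount` check as is. The topic name `"ses-topic"` is also repeated by hand inside the `Resource` ARN; a `locals { ses_topic_name = "ses-topic" }` referenced from both `name` and the policy avoids the two drifting apart. Note that the `email` subscription stays unconfirmed until the recipient clicks the SNS confirmation link, so no bounce or complaint notifications arrive before that manual step, and once confirmed the full event payload (recipient addresses, diagnostic codes) is mailed in plaintext to `var.admin_email`; a comment above `ses_feedback_subscription` stating both should be added, e.g. `# Requires one-time confirmation by admin_email; events are delivered unencrypted by e-mail.` Consider whether `default` also wants `delivery_options { tls_policy = "REQUIRE" }` to refuse opportunistic-TLS downgrade on outbound mail, which this change does not set.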
diff --git a/modules/infrastructure/variables.tf b/modules/infrastructure/variables.tf
index 8598789..6ec6c8c 100644
--- a/modules/infrastructure/variables.tf
+++ b/modules/infrastructure/variables.tf
@@ -1,5 +1,7 @@
 variable "admin_email" {}
 
+variable "aws_region" {}
+
 variable "scaleway_project_id" {
   sensitive = true
 }