Move aws ses dkim keys into terraform

2024-10-22 17:44:00 +02:00 · 2024-10-22 17:44:00 +02:00 · 6f9f888478
commit 6f9f888478
parent e17156a8ca
12 changed files with 95 additions and 20 deletions
--- a/.gitignore
+++ b/.gitignore
@ -3,6 +3,7 @@
 types-dnscontrol.d.ts
 dns/hosts.json
 dns/services.json
+dns/dkim-ses.json

 secrets.auto.tfvars
 .terraform
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@ -68,6 +68,24 @@ provider "registry.opentofu.org/goauthentik/authentik" {
  ]
 }

+provider "registry.opentofu.org/hashicorp/aws" {
+  version     = "5.72.1"
+  constraints = "~> 5.0"
+  hashes = [
+    "h1:ckDAOn6cqqO2pJ226GYs8gIZif9TRmAuQEqnPL+LCgg=",
+    "zh:02ee636137e5f8cc9d6900c55a3f3c85e99166b51d17cf96bd62b27182dc7449",
+    "zh:04877c5ce0a0fef6b355decbfe4941e7d5f22d2b7062cd87f70dafe845d635c7",
+    "zh:3d129024594dcf2edac180b8276decc946f4f33d653f44d3c04c4c28b3f85dab",
+    "zh:6fc7ecf746791211d64a38361ce12303dfc3ddf0e609e6d854bc8f3a7f242234",
+    "zh:8d65352eeba3fef611c90b5161336b0cccf3fed8dc2c710537d6578925e2b189",
+    "zh:9c99b31104c80d885aad1846e2b2f25371cbc9c23281fb0e213be0101a415f2c",
+    "zh:b220737d06dc8ef3a6aa32055c1c633d08c27e046b5fb730f93969ef11abb928",
+    "zh:b741b0e79001765c8d2ffdb569f70c0d8b877b870b660e573f3bb6f42dd55f28",
+    "zh:d2434f271f261ccd28a85aa15627ee9cfc9c319a48eb6c0aeb1ffaf80b6ede20",
+    "zh:df4b2338e3e89d66c1697fae9be378db94cb0d7d309c9dc537024cb755b7e21a",
+  ]
+}
+
 provider "registry.opentofu.org/hashicorp/random" {
  version = "3.6.3"
  hashes = [
--- a/16
+++ b/16
@ -20,8 +20,7 @@ PWD := $(shell pwd)
 		> ./inventory/group_vars/all/opentofu.yml

 ./dns/hosts.json: .FORCE
-	tofu output --json \
-		| jq 'with_entries(.value |= .value).hosts' \
+	tofu output --json hosts \
 		> ./dns/hosts.json

 ./dns/services.json: ./inventory/group_vars/all/all_services.yml
@ -29,9 +28,16 @@ PWD := $(shell pwd)
 		-e services_json_file=$(PWD)/dns/services.json \
 		playbooks/create_services_for_dnscontrol.yml

+./dns/dkim-ses.json: .FORCE
+	tofu output --json aws_ses_dkim \
+		> ./dns/dkim-ses.json

-output: ./dns/hosts.json ./dns/services.json ./inventory/group_vars/all/opentofu.yml

+output-dns: ./dns/hosts.json ./dns/services.json ./dns/dkim-ses.json
+
+output-ansible: ./inventory/group_vars/all/opentofu.yml
+
+output: output-dns output-ansible

 ./types-dnscontrol.d.ts:
 	dnscontrol write-types
@ -41,10 +47,10 @@ tofu:
 	@printf "\n=====\n\n"
 	$(MAKE) output

-dns: ./types-dnscontrol.d.ts ./dns/hosts.json ./dns/services.json
+dns: output-dns
 	dnscontrol push

-dns-check: ./types-dnscontrol.d.ts ./dns/hosts.json ./dns/services.json
+dns-check: output-dns
 	dnscontrol check-creds ovh

 all:
--- a/dnsconfig.js
+++ b/dnsconfig.js
@ -4,6 +4,7 @@
 require('dns/default_records.js');
 require('dns/functions.js');
 var dkim = require('dns/dkim.json');
+var dkim_ses = require('dns/dkim-ses.json');
 var hosts = require('dns/hosts.json');
 var services_json = require('dns/services.json');

@ -47,11 +48,7 @@ D("msrg.cc", REG_OVH, DnsProvider(DSP_OVH),
 	SRV("_xmpps-client._tcp", 0, 20,  443, "xmpps.wiuwiu.de."),
 	TXT("xmppconnect", "_xmpp-client-xbosh=https://wiuwiu.de:443/http-bind/"),

-	verify_amazon_ses([
-		"rg6sgmw6fr73pucbqz62h25wq2q75iet",
-		"rjczvv7ab3twf6kfjjzmz5fkhpmyc2j5",
-		"bxau47qbno4igiwug2xrmwozzk6vwdyv"
-	]),
+	verify_amazon_ses(dkim_ses["msrg.cc"]),

 	// SendGrid DKIM
 	CNAME("em2339.holitime", "u26197282.wl033.sendgrid.net."),
@ -74,11 +71,7 @@ D("serguzim.me", REG_OVH, DnsProvider(DSP_OVH),
 	acme_challenge("db", "ca2c86c0-ff3d-458a-89e0-11bcfd2543e4"),
 	acme_challenge("auth", "18a42983-3d19-4c17-8213-fc275a8be721"),

-	verify_amazon_ses([
-		"dd4g333vxgahaf3rh3dafdx6g7kq7t7z",
-		"tbqt7mluvomvsomaj7nuhvs2xl7hd6hg",
-		"tl2n3zn4jxjodumvqj4jqdavfxznivvd"
-	]),
+	verify_amazon_ses(dkim_ses["serguzim.me"]),

 	verify_dmarc_reports([
 		"msrg.cc",
@ -106,11 +99,7 @@ D("serguzim.me", REG_OVH, DnsProvider(DSP_OVH),
 D("reitanlage-oranienburg.de", REG_OVH, DnsProvider(DSP_OVH),
 	all_defaults("reitanlage-oranienburg.de", false),

-	verify_amazon_ses([
-		"kseozkz37py4ukzg2h2kx7bua5r4yv2v",
-		"py2qx6nrsfn7r5j4uwwfpc7tgi63u7sn",
-		"hzmi7t2qcycinuy5edmo5uphohgtkefa"
-	]),
+	verify_amazon_ses(dkim_ses["reitanlage-oranienburg.de"]),

 	TXT("default._bimi", "v=BIMI1; l=https://www.reitanlage-oranienburg.de/user/themes/reitanlage-oranienburg/images/bimi.svg")
 );
--- a/main.tf
+++ b/main.tf
@ -1,5 +1,9 @@
 terraform {
  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
    contabo = {
      source = "contabo/contabo"
      version = "~> 0.1.26"
@ -69,6 +73,12 @@ terraform {
  }
 }

+provider "aws" {
+  region     = var.aws_region
+  access_key = var.aws_access_key
+  secret_key = var.aws_secret_key
+}
+
 provider "contabo" {
  oauth2_client_id     = var.contabo_client_id
  oauth2_client_secret = var.contabo_client_secret
@ -114,6 +124,7 @@ module "infrastructure" {

  hosts = var.hosts
  services = var.services
+  email_domains = var.email_domains
 }

 provider "authentik" {
--- a/modules/infrastructure/aws-ses.tf
+++ b/modules/infrastructure/aws-ses.tf
@ -0,0 +1,4 @@
+resource "aws_sesv2_email_identity" "domains" {
+  for_each = var.email_domains
+  email_identity = each.value
+}
--- a/modules/infrastructure/main.tf
+++ b/modules/infrastructure/main.tf
@ -1,5 +1,9 @@
 terraform {
  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
    contabo = {
      source = "contabo/contabo"
      version = "~> 0.1.26"
--- a/modules/infrastructure/output.tf
+++ b/modules/infrastructure/output.tf
@ -70,3 +70,10 @@ output "scaleway_registry_endpoint_public" {
 output "scaleway_registry_endpoint_private" {
  value = scaleway_registry_namespace.private.endpoint
 }
+
+output "aws_ses_dkim" {
+  value = {
+    for key, dkim in aws_sesv2_email_identity.domains : key => dkim.dkim_signing_attributes[0].tokens
+  }
+  sensitive = true
+}
--- a/modules/infrastructure/variables.tf
+++ b/modules/infrastructure/variables.tf
@ -41,3 +41,7 @@ variable "hosts" {
    datacenter = optional(string)
  }))
 }
+
+variable "email_domains" {
+  type = set(string)
+}
--- a/output.tf
+++ b/output.tf
@ -41,3 +41,8 @@ output "scaleway_registry_endpoint_public" {
 output "scaleway_registry_endpoint_private" {
  value = module.infrastructure.scaleway_registry_endpoint_private
 }
+
+output "aws_ses_dkim" {
+  value = module.infrastructure.aws_ses_dkim
+  sensitive = true
+}
--- a/secrets.auto.tfvars.example
+++ b/secrets.auto.tfvars.example
@ -7,6 +7,10 @@ backend_bucket = ""

 authentik_token = ""

+aws_region = ""
+aws_access_key = ""
+aws_secret_key = ""
+
 contabo_client_id = ""
 contabo_client_secret = ""
 contabo_user = ""
@ -30,3 +34,8 @@ scaleway_secret_key = ""

 tailscale_api_key = ""
 tailscale_tailnet = ""
+
+
+email_domains = [
+  "example.com",
+]
--- a/variables.tf
+++ b/variables.tf
@ -32,6 +32,19 @@ variable "authentik_token" {
 }


+variable "aws_region" {
+  default = "eu-north-1"
+}
+
+variable "aws_access_key" {
+  sensitive = true
+}
+
+variable "aws_secret_key" {
+  sensitive = true
+}
+
+
 variable "contabo_client_id" {
  sensitive = true
 }
@ -169,3 +182,7 @@ variable "hosts" {
    datacenter = optional(string)
  }))
 }
+
+variable "email_domains" {
+  type = set(string)
+}